NewEgg hit by card-stealing code injected into shopping code

The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg’s webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg’s Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

Details of the breach were reported by the security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research today. The attack was shut down by NewEgg on September 18, but it appears to have been actively siphoning off payment data since August 16, according to reports from the security researchers. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are virtually identical to the attack on British Airways—while the Ticketmaster breach was caused by code injected from a third-party service provider, both the BA breach and the NewEgg attack were the result of a compromise of JavaScript libraries hosted by the companies themselves.

The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain’s TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers’ infrastructure.

Russian surveillance plane got shot down by Syria—and Russia blames Israel

Four-engine military propeller plane.

On Monday night, a Russian Air Force Ilyushin IL-20 “Coot-A” electronic intelligence and radar reconnaissance aircraft monitoring the Idlib province of Syria was mistakenly shot down by Syrian air defense forces after an Israeli air strike on facilities in Latakia, Syria. The Russian aircraft went down in the Mediterranean, about 27 kilometers (17 miles) off the Syrian coast near Latakia, with a loss of all 15 crewmembers aboard. Russian President Vladimir Putin said the downing was the result of a “chain of tragic accidental circumstances.” But the Russian Defense Ministry has laid the blame for the downing on the Israelis, saying that they failed to provide enough warning to the Russians to give the IL-20 an opportunity to steer clear of danger.

“The Israeli pilots used the Russian plane as cover and set it up to be targeted by the Syrian air defense forces,” a Russian Defense Ministry spokesperson said. “As a consequence, the Il-20, which has a radar cross-section much larger than the F-16, was shot down by an S-200 system missile.” The Russians also claimed Israel only warned them a minute before the attack.

Russian Army General Sergei Shoigu told Israeli Defense Minister Avigdor Liberman in a phone call that the fault for the reconnaissance plane’s downing “rests entirely with the Israeli side.”

Construction to begin on 36 megawatt Moroccan wind farm for Bitcoin mining

A rendering of wind turbines and a computing center in Morocco

Morocco has a lot of prime real estate for wind energy along its southern coast. But without robust transmission lines to move electricity from there to more populated centers, a traditional wind energy company might wait years for a grid connection before it could start making money.

But if you’re connected to the Internet, one option might be to build a grid-isolated wind farm and use it locally while you wait for a connection to the rest of the grid. In Soluna’s case, the money-making byproduct that makes local use worth it is mining Bitcoin.

Soluna, a bitcoin-mining company, is going to start construction on a 36 megawatt (MW) wind farm near Dakhla, Morocco, in January 2019, company spokesperson Yoav Reisler told Ars. The company has the rights to 37,000 acres of land, which could eventually accommodate up to 900MW of wind capacity.

Russians tried to hack Swiss lab testing samples from Skripal attack

Last Friday, Dutch officials revealed that they had arrested and expelled two alleged Russian intelligence agents who were caught attempting to hack into the Spiez Laboratory, a Swiss national laboratory that is home to the Swiss Federal Institute for NBC (Nuclear, Biological, and Chemical) Protection.

The Spiez lab was testing two sets of samples that were of interest to the Russian government on behalf of the Organization for the Prohibition of Chemical Weapons (OPCW): the “Novichok” agent used in an attack in the UK against former Russian spy Sergei Skripal and his daughter Yulia and samples from a poison gas attack in Syria. The OPCW’s headquarters is in The Hague in the Netherlands, which may explain why the attack on the Spiez lab was launched from there.

The incident, reported both by Joep Dohmen of the Dutch newspaper NRC Handelsblad and by Thomas Knellwolf and Titis Plattner of the Swiss newspaper Tages Anzeiger, occurred this spring. The circumstances of the arrests were not shared. An investigation carried out jointly by the two papers found that the pair were arrested as the result of a joint operation by multiple European intelligence services, including the Dutch Military Intelligence and Security Service (MIVD). The Swiss intelligence service, the NDB, issued a statement confirming a “case of Russian spies discovered in The Hague and then expelled.”

Russia, China become battle buddies at Vostok 2018

Russian Ministry of Defense

The last time that Russia mounted a military exercise the size of this week’s Vostok 2018 event, “Russia” was the Soviet Union, Leonid Brezhnev was General Secretary, and Ronald Reagan had just been elected president of the United States. That was 1981, at the height of the Cold War. Now, with a distinct chill in relations with the United States well underway, the Russian Federation has put over 300,000 troops in the field—alongside tens of thousands of tanks, helicopters, and weapons of every sort—for a huge war game in Russia’s far eastern reaches. And the country has invited the Chinese People’s Liberation Army to play along, as well as the Mongolian General Purpose Force.

Vostok 2018 wrapped up on September 14, but it started a whole new wrinkle in international affairs. Russia and China have agreed to continue to conduct joint military exercises, as the interests of Russia and China (once far apart) begin to align in response to US military power and a bellicose President Donald Trump. The photos provided by the Russian Ministry of Defense illustrate a military bromance. Presidents Putin and Xi had a breakfast of blinis together in Vladivostok.

Unpatched systems at big companies continue to fall to WannaMine worm

In May of 2017, the WannaCry attack—a file-encrypting ransomware knock-off attributed by the US to North Korea—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits. WannaCry leveraged an exploit called EternalBlue, which abused Windows’ Server Message Block (SMB) network file sharing protocol to move from machine to machine, wreaking havoc as it spread quickly across affected networks.

The core exploit used by WannaCry has been leveraged by other malware authors, including the NotPetya attack that affected companies worldwide a month later, and Adylkuzz, a cryptocurrency-mining worm that began to spread even before WannaCry. Other cryptocurrency-mining worms followed, including WannaMine—a fileless, all-PowerShell based, Monero-mining malware attack that threat researchers have been tracking since at least last October. The servers behind the attack were widely publicized, and some of them have since gone offline.

But a year later, WannaMine is still spreading. Amit Serper, head of security research at Cybereason, has just published research into a recent attack on one of his company’s clients—a Fortune 500 company that Serper told Ars was heavily hit by WannaMine. The malware affected “dozens of domain controllers and about 2,000 endpoints,” Serper said, after gaining access through an unpatched SMB server.

“Bulk interception” by GCHQ (and NSA) violated human rights charter, European court rules

Ultramodern public building.

In a set of rulings today, the European Court of Human Rights found that the mass surveillance scheme used by the GCHQ—the United Kingdom’s signals intelligence agency—violated the European Convention on Human Rights (ECHR), unlawfully intruding on the private and family life and freedom of expression of British and European citizens. And the case included consideration of intelligence collected by the US National Security Agency shared with GCHQ.

The Court found that sharing intelligence information gathered from bulk surveillance—as GCHQ does with the NSA and other members of the “Five Eyes” intelligence and security alliance—does not violate the human rights charter. But the judges did warn that using such intelligence sharing to bypass restrictions on surveillance of a member state’s own citizens would be a violation of the charter.

In the ruling, the judges found that there was insufficient oversight through the UK’s Investigatory Powers Tribunal (the UK equivalent of the US’ Foreign Intelligence Surveillance Court) over the UK’s bulk interception, filtering, and search of communications by the GCHQ. The judges also found that there were insufficient safeguards put in place to govern access to communications data. While the case has no direct impact on US intelligence gathering, the case could have a ripple effect because of the close connections between US and UK intelligence and law enforcement organizations.

AT&T and Verizon want to manage your identity across websites and apps

A smartphone app showing an option to confirm or deny a login attempt.

The four major US mobile carriers have unveiled a system that would let them manage your logins across any third-party website or app that hooks into it.

“Project Verify,” from a consortium of AT&T, Verizon Wireless, T-Mobile US, and Sprint, was unveiled in a demo yesterday. It works similarly to other multi-factor authentication systems by letting users approve or deny login requests from other websites and apps, reducing the number of times users must enter passwords. The carriers’ consortium is putting the call out to developers of third-party apps and websites, who can contact the consortium for information on linking to the new authentication system.

“The Project Verify app can be preloaded or downloaded to the user’s mobile device,” a video describing the technology says. “And then when they face a login screen on their favorite sites and apps, they select the verify option. That’s it—Project Verify does the rest.”
