What is it with all the security breaches these days! Do you remember Harvard hacked or the two popular card readers vulnerable to attacks we’ve told you about last month? These are not fake stories and what I am about to tell you is even scarier. On Monday, Hannaford Bros. grocery chain announced that a security breach in they systems and exposed 4.2 million credit/debit cards that have been used during the authorization process.

The security breach affected 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. Until now the company is aware of 1,800 cases of fraud.

The funny thing is that we all heard about it (the official statement) on Monday, March 17 while the company has been aware of these problems from February 27. More to it, the investigators went a little deeper and found out that the breach started on December 7. The math is simple: took them more than three months to find it out. The U.S. Secret Services are working on it, but declined to comment about the crime.

“We have taken aggressive steps to augment our network security capabilities. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.” Hannaford president and CEO Ronald C. Hodge said in the official statement on Monday. (AP reported)

If you live in the area you’ve purchased or you know someone that did from these guys go ahead and check up your statements or alert others.

Cambridge University’s computer security lab have discovered vulnerabilities for two popular card readers Ingenico i3300 and Dione Xtreme, that make them an easy pray to attackers, because they fail to protect the card details and the PIN number.

This means that fraudsters with common technical skills could easily use a data-tapping circuit that could be placed between the inserted card and the reading circuit, allowing to record the account number or the PIN. With these details an attacker would have everything need to clone the card and then withdraw cash from an ATM machine abroad.

The three researchers that worked on the case Saar Drimer, Steven J Murdoch and Ross Anderson are not in very good relations with the banks, mainly because they are trying to demonstrate that chip and PIN systems have security issues. The big issue is that the data that is transmitted between the PED and the card are not encrypted.

“The attacks that we’ve shown have demonstrated that it’s easy to get the PIN as well as the card data out of chip and PIN terminal - and this means that simply holding your hand over the terminal is no good, in other words the customer cannot defend himself or herself no matter how astute and careful they are - therefore surely the banks need to take responsibility.” said Professor Ross Anderson in an interview to NewsNight.

Though the findings are real, the Scottish PED maker Ingenico assured customers that the products the Cambridge University researchers talk about are among the most secure on the market and that they helped reducing credit-card fraud by 47% year-by-year. They also mentioned that the way Anderson and his team hacked the PEDs is not as basic as they suggested and the “method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry.”

I think Ingenico is running from responsibility and here’s the “How secure is Chip and PIN?” video from NewsNight that demonstrates what Professor Anderson and his staff found out.

After the airport firewall problem we’ve told you about last year, and the $500,000 prize to improve airport security we have something else for you. It’s TSA Gangstaz` funny video on airport security. With ingenious and clever lyrics that’s what I call awesome. Just make sure your boss won’t hear it as it’s not really “safe for work”.

“Belt buckle money clip coins keys wallet purse/put some cheese on it run it through.”

You like it?

Now that’s good thinking. New-York based company, Clear, would like to hear our opinions on airport security and timing for checking in. They are offering a $500,000 prize, the “Clear prize”, to anyone that can come up with an idea that will make airport security checks quicker and simpler for passengers.

If you want to win (yes you/me are entitled) then you’d better come up with something that will make it 15% quicker and would cost less than 25cents per passenger.

Rumors say that a solution could be mass spectroscopy that can easily trace forbidden substances including explosives and drugs. Another one they may be thinking of is terrahertz scanning that can see far beyond the naked eye.

photo by nedrichards

If until now we all thought that Apple’s Mac computers are almost unreachable by viruses or malware software things are changing. Security software firm Sophos and its Asia Pacific head of technology Paul Ducklin said that OSX/RSPlug-A Trojan horse is one of the first pieces of Mac malware written by cyber criminals.

The Trojan horse changes DNS servers on your Apple Mac computer and you’re redirected to a website that sells pornography or probably medications. In this way the hijacker is making a lot of money, while the user blames the connection.

Another threat to Mac users are “scareware” and it’s software that claims to find security threats and nail them for free. You get the opposite.

Source (photo by Sparkes)

You know the saying “it can happen to the best of us”? Though Harvard is not the most secured place in the world, we expected better security from them. Apparently, the Harvard Graduate School of Arts and Sciences website has been hacked and the content is now leaked on BitTorrent.

“This is the backup of gsas.harvard.edu. We have release it because we want demonstration the insecurity of harvard’s server. [….] Maybe you don’t like it but this is to demonstrate that persons like tgatton(admin of the server) in they don’t know how to secure a website.”is what you can read in the .nfo file. I guess the hacker made his point, even if it’s sloppy English.

The Pirate Bay are already tracking a 125MB zip file that is supposed to be a server backup of the site with a full directory structure, before the hit. It contains three databases, joomla.slq the main database, contacts.sql which is a database of contacts and hgs.sql which may not be that important. Another bad thing is that the file is supposed to contain passwords, too.

Right now GSAS is down, so I can only speculate they are trying to fix this major security breach. Can you imagine how Thomas Gatton (the admin) is feeling right now, because he’s a Systems Administrator and User Support Specialist at Harvard.

photo by Micke-fi

The concerns of online security are not as big as they should, mainly because everyone thinks their passwords are good enough, they have an anti-virus and that’s it. However the fun thing about that is that in a recent report by security soft maker AVG, men consider themselves much better than women when it comes to online security.

AVG global security strategist Larry Bridwell said that “My gut feeling, because I’m a man, is that it is one of those societal gender things”. It looks like confidence doesn’t translate into safety but hey, this could be another man thing, because security threats are gender-equal.

“Men were exceptionally confident in their own security prowess, and only 4 percent of them said they didn’t know what kind on online protection they had in place. “

The results are from a study that included 1,400 adults in the UK. How do you feel about that? Do you think (you men) are better than women at online security?

via ArsTechnica

For those who don’t trust the security softwares has appeared a solution to protect their computers against USB transmitted malware. It is called the USB Security Lock and it is a physical device that actually locks your USB ports. Besides protecting the computer for viruses, it prevents illegal access to confidential information.

The USB Security Lock works very simple. It places a blocker inside the USB port. The blocker prevents access to the USB port by any way. It can be removed only using the Security Lock device. Available for $9.9, the USB Security Lock can be purchased here.

Last week we had a ring that you could use to weak up in the morning without disturbing anyone else. It looks like Yanko Design is really into making extremely nice looking gadgets, because they have a new useful piece of gadget. It’s a ring you wear on your finger that locks all your programs when the distance between you and your computer is higher than a certain distance. A great gadget to keep all those work colleagues that need to take a peak on your hard work.

The design is from Yang Hai and we can’t stand without asking: can the guy tweak wedding rings to do the same thing? Right now it’s just a design, but since it’s a very functional concept we might see it live soon. [Yanko Design]

What about this guys? How safe would you feel to board on a plane after you see this on the main screen of an airport? Sweet!

from Flickr