[ISN] Credit Card Breach at Mandarin Oriental

http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/ By Brian Krebs Krebs on Security March 4, 2015 In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach. Reached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach. “We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement. “Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.” Mandarin isn’t saying yet how many of the company’s two-dozen or so locations worldwide may be impacted, but banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States, including locations in Boston, Florida, Las Vegas, Miami, New York, and Washington, D.C. Sources also say the compromise likely dates back to just before Christmas 2014. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] This Article Was Written With the Help of a ‘Cyber’ Machine

http://www.wsj.com/articles/is-the-prefix-cyber-overused-1425427767 By DANNY YADRON and JENNIFER VALENTINO-DEVRIES The Wall Street Journal March 4, 2015 These days, CyberPatriots go to CyberCamps. Washington wonks ponder a Cyber Red Cross. Last week, the Director of National Intelligence told Congress a “cyber Armageddon” is unlikely. This week, CBS Corp. will premiere the latest iteration of its long-running cops and crime franchise, “CSI: Cyber,” whose protagonist describes herself as cybercop and is based, the network says, on a real-life cyberpsychologist. For some, it is cyber-overload. Stop using the word,” Alex Stamos, the chief information security officer at Yahoo Inc. told a “Cybersecurity for a New America” conference in Washington last week. Earlier, Mr. Stamos quipped on Twitter that he had won “CyberBingo” at his table after a conference speaker warned of a “Cyber Pearl Harbor,” a term popularized by former Defense Secretary Leon Panetta in 2012. Mr. Stamos isn’t brushing off computer intrusions in his quest to hack away at “cyber” usage. As the guy in charge of keeping prying eyes out of one of the world’s most popular websites, you could say he is obsessed with them. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Tesla worried customers will get hurt hacking the Model S

http://www.rawstory.com/rs/2015/03/tesla-worried-customers-will-get-hurt-hacking-the-model-s/ By Thomas Halleck Posted with permission from International Business Times March 4, 2015 Tesla Motors Inc. warned investors that its stock could be negatively affected by customers hacking its Model S and other cars and injuring themselves in the process. The company also said that safety issues with the lithium ion batteries used to power its electric vehicles also pose a risk that could negatively affect business. Tesla released a number of potential risks to its business last week, including the high cost of producing the Model S sedan and unforeseen production delays, which could cause the company to miss projected sales and revenue figures. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] ‘CSI: Cyber’ review: Hackwork

http://www.nj.com/entertainment/tv/index.ssf/2015/03/csi_cyber_review_patricia_arquette_cbs.html By Vicki Hyman NJ Advance Media for NJ.com March 04, 2015 Thank goodness Patricia Arquette just won an Oscar, because otherwise I’d really have nothing to say about “CSI: Cyber.” The newest “CSI” franchise, which debuts on CBS tonight at 10 p.m., is about the FBI’s cyber crime division, comes with all the series’ high-tech visual flourishes and stars “Boyhood” star Arquette, who, um, just won an Oscar. Yeah. Oh! This time, the Who theme song is “I Can See For Miles.” I’m not saying “CSI: Cyber” isn’t worth watching. I’m just saying there’s not a heck of a lot to say about it. (The original flavor “CSI” is still plugging away after 15 years, while the Miami and New York franchises lasted 10 and 9 seasons, respectively. The latest entry is a bit different in that there’s a lot of people peering at computer screens instead of into microscopes. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Uber’s epic DB blunder is hardly an exception. GitHub is awash in passwords

http://arstechnica.com/security/2015/03/ubers-epic-db-blunder-is-hardly-an-exception-github-is-awash-in-passwords/ By Dan Goodin Ars Technica March 4, 2015 Recent revelations that Uber stored a sensitive database key on a publicly accessible GitHub page generated its share of amazement and outrage. Some Ars readers called for the immediate termination of the employees responsible or for the enactment of new legal penalties for similar blunders in the future. Left out of the discussion was a point Ars first tried to drive home more than two years ago. To wit, GitHub and other public code repositories are awash with personal credentials posted by tens of thousands, or possibly even millions, of people, some of whom work for extremely sensitive organizations. A case in point are GitHub entries that appear to include everything needed to log into many Secure File Transfer Protocol accounts. One GitHub search revealed almost 269,000 entries like the one pictured above, showing the domain name or IP address, username, and password needed to log in to each account. Similar searches generated almost two million entries for WordPress accounts. A quick scan of the results shows that many of them represent no security threat at all, since the password fields are blank or the credentials belong to non-existent accounts or accounts that are accessible only to users already connected to the local network. But a mind-numbingly large percentage of the results appear to provide credentials for accounts on production servers. Whether percentage is 33, 25, or even 10, it’s way too high. It wouldn’t be surprising if many of the credentials offered shell accounts that ran with highly privileged administrator rights. To protect the careless, this post won’t reveal the specific search terms used, even though they are extremely easy for readers figure out on their own or to find on Twitter, in blog posts, or in other venues. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail