Businesses

Costco Disclosed Data Breach After Finding Credit Card Skimmer (bleepingcomputer.com) 17

Costco Wholesale Corporation has warned customers in notification letters sent this month that their payment card information might have been stolen while recently shopping at one of its stores. BleepingComputer reports: Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel. The company removed the device, notified the authorities, and is now working with law enforcement agents who are investigating the incident. "We recently discovered a payment card skimming device at a Costco warehouse you recently visited," Costco told potentially impacted customers in breach notification letters. "Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating."

Costco added that individuals impacted by this incident might have had their payment information stolen if those who planted the card theft device were able to gain access to the info before the skimmer was found and removed. "If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV," Costco revealed. The retailer advised the customers to monitor their bank and credit card statements for fraudulent charges and report suspicious transactions to relevant financial institutions. Data breach notification letters sent to affected individuals did not disclose the total number of impacted customers or the warehouse location where the skimmer device was found.

Security

Researchers Wait 12 Months To Report Vulnerability With 9.8 Out of 10 Severity Rating (arstechnica.com) 36

About 10,000 enterprise servers running Palo Alto Networks' GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10. From a report: Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret. CVE-2021-3064, as the vulnerability is tracked, is a buffer overflow flaw that occurs when parsing user-supplied input in a fixed-length location on the stack. A proof-of-concept exploit Randori researchers developed demonstrates the considerable damage that can result.

"Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more," researchers from Randori wrote on Wednesday. "Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally." Over the past few years, hackers have actively exploited vulnerabilities in a raft of enterprise firewalls and VPNs from the likes of Citrix, Microsoft, and Fortinet, government agencies warned earlier this year. Similar enterprise products, including those from Pulse Secure and Sonic Wall, have also come under attack. Now, Palo Alto Networks' GlobalProtect may be poised to join the list.

Google

Google Caught Hackers Using a Mac Zero-Day Against Hong Kong Users (vice.com) 13

Google researchers caught hackers targeting users in Hong Kong exploiting what were at the time unknown vulnerabilities in Apple's Mac operating system. According to the researchers, the attacks have the hallmarks of government-backed hackers. From a report: On Thursday, Google's Threat Analysis Group (TAG), the company's elite team of hacker hunters, published a report detailing the hacking campaign. The researchers didn't go as far as pointing the finger at a specific hacking group or country, but they said it was "a well resourced group, likely state backed."

"We do not have enough technical evidence to provide attribution and we do not speculate about attribution," the head of TAG Shane Huntley told Motherboard in an email. "However, the nature of the activity and targeting is consistent with a government backed actor." Erye Hernandez, the Google researcher who found the hacking campaign and authored the report, wrote that TAG discovered the campaign in late August of this year. The hackers had set up a watering hole attack, meaning they hid malware within the legitimate websites of "a media outlet and a prominent pro-democracy labor and political group" in Hong Kong. Users who visited those websites would get hacked with an unknown vulnerability -- in other words, a zero-day -- and another exploit that took advantage of a previously patched vulnerability for MacOS that was used to install a backdoor on their computers, according to Hernandez.

PlayStation (Games)

The First Cracks In Sony's PS5 Firmware (theverge.com) 45

Over the weekend, the hacking group Fail0verflow claimed to have obtained PS5 root keys that allow them to decrypt the console's firmware. "Additionally, Andy Nguyen (a security engineer at Google who's better known under his handle, theflow0) managed to access the PS5's debug settings menu on a retail PS5 over the weekend, too," adds The Verge. Are these the first steps towards jailbreaking Sony's latest console? The Verge's Chaim Gartenberg reports: The two exploits are particularly notable due to the level of access they theoretically give to the PS5's software. Decrypted firmware -- which is possible through Fail0verflow's keys -- would potentially allow for hackers to further reverse engineer the PS5 software and potentially develop the sorts of hacks that allowed for things like installing Linux, emulators, or even pirated games on past Sony consoles.

For now, the two exploits won't result in much of a change for PS5 owners -- there's no sudden PS5 jailbreak available today, and neither Nguyen nor Fail0verflow have published the details of their respective hacks -- nor is it even clear if they ever will. Nguyen has already said that he has "no plans for disclosure" of his hack, while Wololo.net notes that Fail0verflow held off on publishing its PS4 hacks last console generation until Sony patched things, meaning that it's possible none of this will lead to concrete changes in the PS5 hacking scene.

Security

REvil: Day of Reckoning For Notorious Cyber Gang (bbc.co.uk) 18

New submitter Computershack shares a report from the BBC: A global police operation has dealt a devastating blow to one of the most prolific cyber-crime gangs in history. The co-ordinated action against the REvil gang was announced on Monday by Romanian police, the US Department of Justice (DOJ) and Europol. The raid, which took place both on and offline, led to the arrests of two alleged hackers in Romania and one accused cyber-criminal from Ukraine. REvil has been blamed for major hacks on global businesses in recent years. The US also announced that it had successfully retrieved more than $6 million in cryptocurrency from the gang in a so-called 'claw back' hacking operation.

The Almighty Buck

Robinhood Says It Was Hacked and Extorted But Nobody Lost Any Money (vice.com) 16

Robinhood was hacked last week by someone who socially engineered a customer service representative to gain access to the email addresses of more than 5 million customers, the full names of 2 million other customers, and other data from a much smaller group of customers, the company said in a blog post published Monday. The hacker then allegedly attempted to extort the company. Motherboard reports: "The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems," Robinhood wrote in the blog post. "At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people."

"We also believe that for a more limited number of people -- approximately 310 in total -- additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed," it added. "We are in the process of making appropriate disclosures to affected people." Robinhood wrote that "the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident."

Businesses

McAfee To Be Taken Private in $14 Billion Deal Including Debt (bloomberg.com) 18

An investor group led by buyout firms Advent International, Permira Advisers and others agreed to take McAfee private in a deal that values the cybersecurity software maker at more than $14 billion including debt. From a report: The private equity consortium will pay $26 a share in cash, according to a statement Monday. Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Pvt Ltd. and a wholly owned subsidiary of the Abu Dhabi Investment Authority are also part of the group of buyers. The purchase price represents a premium of about 23% over McAfee's closing share price of $21.21 on Nov. 4, the day before Bloomberg News first reported details of the potential deal. The shares were up less than 1% Monday morning in New York to $25.55. McAfee has total debt of about $4 billion, according to data compiled by Bloomberg. Founded by cybersecurity entrepreneur John McAfee in 1987, the company was a pioneer in developing antivirus software for personal computers. McAfee left in 1994, and was found dead in a Spanish prison cell in June this year, hours after Spain's National Court approved his extradition to the U.S. over multiple tax fraud charges.

China

China Says a Foreign Spy Agency Hacked Its Airlines, Stole Passenger Records (therecord.media) 20

Chinese officials said last week that a foreign intelligence agency hacked several of its airlines in 2020 and stole passenger travel records. From a report: The hacking campaign was disclosed last week by officials from the Ministry of State Security, China's civilian intelligence, security, and secret police agency. The hacking campaign was discovered after one of China's airlines reported a security breach to MSS officials in January 2020. Investigators said they linked the hacks to a custom trojan that the attackers used to exfiltrate passenger details and other data from this first target. A subsequent investigation found other airlines compromised in the same way. "After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency," the MSS said in a press release distributed via state news channels last Monday. The MSS did not formally attribute the attack to any foreign agency or country.

Books

New Book Warns CS Mindset and VC Industry are Ignoring Competing Values (computerhistory.org) 116

So apparently three Stanford professors are offering some tough-love to young people in the tech community. Mehran Sahami first worked at Google when it was still a startup (recruited to the company by Sergey Brin). Currently a Stanford CS professor, Sahami explained in 2019 that "I want students who engage in the endeavor of building technology to think more broadly about what are the implications of the things that they're developing — how do they impact other people? I think we'll all be better off."

Now Sahami has teamed up with two more Stanford professors to write a book calling for "a mature reckoning with the realization that the powerful technologies dominating our lives encode within them a set of values that we had no role in choosing and that we often do not even see..."

At a virtual event at Silicon Valley's Computer History Museum, the three professors discussed their new book, System Error: Where Big Tech Went Wrong and How We Can Reboot — and thoughtfully and succinctly distilled their basic argument. "The System Error that we're describing is a function of an optimization mindset that is embedded in computer science, and that's embedded in technology," says political scientist Jeremy Weinstein (one of the book's co-authors). "This mindset basically ignores the competing values that need to be 'refereed' as new products are designed. It's also embedded in the structure of the venture capital industry that's driving the growth of Silicon Valley and the growth of these companies, that prioritizes scale before we even understand anything about the impacts of technology in society. And of course it reflects the path that's been paved for these tech companies to market dominance by a government that's largely been in retreat from exercising any oversight."

Sahami thinks our technological landscape should have a protective infrastructure like the one regulating our roads and highways. "It's not a free-for-all where the ultimate policy is 'If you were worried about driving safely then don't drive.' Instead there are lanes and traffic lights and speed bumps — an entire safe-driving infrastructure which arrived through regulation." Or (as their political science professor/co-author Rob Reich tells the site), "Massive system problems should not be framed as choices that can be made by individual consumers."

Sahami also thinks breaking up big tech monopolies would just leave smaller "less equipped" companies to deal with the same problems — but that positive changes in behavior might instead come from government scrutiny. But Reich also wants to see professional ethics (like the kind that are well-established in biomedical fields). "In the book we point the way forward on a number of different fronts about how to accelerate that..."

And he argues that at colleges, just one computing-ethics class isn't enough. "Ethics must be embedded through the entire curriculum."

Security

CNN: Foreign Hackers Breached Nine Organizations to Steal 'Key Data' from 'Sensitive Targets' (cnn.com) 28

"Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology and education sectors," reports CNN, citing their exclusive glimpse at findings from security firm Palo Alto Networks.

At least one of the breached organizations is in the U.S., they add, and in cooperation with America's National Security Agency (or NSA), security researchers "are exposing an ongoing effort by these unidentified hackers to steal key data from U.S. defense contractors and other sensitive targets." It's the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage. The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers' tools in the process... [T]he hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks, Ryan Olson, a senior Palo Alto Networks executive, told CNN. The intruders could then be well placed to intercept sensitive data sent over email or stored on computer systems until they are kicked out of the network.

Olson said that the nine confirmed victims are the "tip of the spear" of the apparent spying campaign, and that he expects more victims to emerge. It's unclear who is responsible for the activity, but Palo Alto Networks said some of the attackers' tactics and tools overlap with those used by a suspected Chinese hacking group... Cybersecurity firm Mandiant earlier this year revealed that China-linked hackers had been exploiting a different software vulnerability to breach defense, financial and public sector organizations in the US and Europe....

In the activity revealed by Palo Alto Networks, the attackers are exploiting a vulnerability in software that corporations use to manage their network passwords. CISA and the FBI warned the public in September that hackers were exploiting the software flaw and urged organizations to update their systems. Days later, the hackers tracked by Palo Alto Networks scanned 370 computer servers running the software in the US alone, and then began to exploit the software. Olson encouraged organizations that use the Zoho software to update their systems and search for signs of a breach.

Federal officials told CNN the revelation of the hacking activity is evidence of their close work with cybersecurity firms to stay on top of threats.

Security

SolarWinds Investors Allege Board Knew About Cyber Risks (reuters.com) 12

SolarWinds investors have sued the software company's directors, alleging they knew about and failed to monitor cybersecurity risks to the company ahead of a breach that created a vulnerability in thousands of its customers' systems. Reuters reports: The lawsuit filed in Delaware on Thursday appears to be the first based on records shareholders demanded from the company after Reuters reported last December that malicious code inserted into one of the company's software updates left U.S. government agencies and companies exposed. The lawsuit names a mix of current and former directors as defendants. Led by a Missouri pension fund, the investors allege that the board failed to implement procedures to monitor cybersecurity risks, such as requiring the company's management to report on those risks regularly. They are seeking damages on behalf of the company and to reform the company's policies on cybersecurity oversight.

Encryption

Hackers Are Stealing Data Today So Quantum Computers Can Crack It In a Decade (technologyreview.com) 75

While they wrestle with the immediate danger posed by hackers today, US government officials are preparing for another, longer-term threat: attackers who are collecting sensitive, encrypted data now in the hope that they'll be able to unlock it at some point in the future. MIT Technology Review reports: The threat comes from quantum computers, which work very differently from the classical computers we use today. Instead of the traditional bits made of 1s and 0s, they use quantum bits that can represent different values at the same time. The complexity of quantum computers could make them much faster at certain tasks, allowing them to solve problems that remain practically impossible for modern machines -- including breaking many of the encryption algorithms currently used to protect sensitive data such as personal, trade, and state secrets. While quantum computers are still in their infancy, incredibly expensive and fraught with problems, officials say efforts to protect the country from this long-term danger need to begin right now.

Faced with this "harvest now and decrypt later" strategy, officials are trying to develop and deploy new encryption algorithms to protect secrets against an emerging class of powerful machines. That includes the Department of Homeland Security, which says it is leading a long and difficult transition to what is known as post-quantum cryptography. [...] DHS recently released a road map for the transition, beginning with a call to catalogue the most sensitive data, both inside the government and in the business world. [Tim Maurer, who advises the secretary of homeland security on cybersecurity and emerging technology] says this is a vital first step "to see which sectors are already doing that, and which need assistance or awareness to make sure they take action now." The US, through NIST, has been holding a contest since 2016 that aims to produce the first quantum-computer-proof algorithms by 2024 [...].

As more organizations begin to consider the looming threat, a small and energetic industry has sprouted up, with companies already selling products that promise post-quantum cryptography. But DHS officials have explicitly warned against purchasing them, because there is still no consensus about how such systems will need to work. "No," the department stated unequivocally in a document (PDF) released last month. "Organizations should wait until strong, standardized commercial solutions are available that implement the upcoming NIST recommendations to ensure interoperability as well as solutions that are strongly vetted and globally acceptable."

Security

N.L. Health-Care Cyberattack Is Worst In Canadian History (www.cbc.ca) 24

One cybersecurity expert says the cyberattack on the Newfoundland and Labrador health-care system may be the worst in Canadian history, and has implications for national security. CBC News reports: David Shipley, the CEO of a cybersecurity firm in Fredericton, said he's seen similar breaches before, but usually on a smaller scale. "We've never seen a health-network takedown this large, ever," Shipley said in an interview with CBC News. "The severity of this is what really sets it apart." Discovered on Saturday morning, the cyberattack has delayed thousands of appointments and procedures this week, including almost all non-emergency appointments in the Eastern Health region. After refusing to confirm the cause of the disruption for days, Health Minister John Haggie said Wednesday the system had been the victim of a cyberattack. Sources have told CBC News the security breach is a ransomware attack, a type of crime in which hackers gain control of a system and hand back the reins only when a ransom has been paid. [...]

Shipley said he normally argues against giving in to ransom demands but the provincial government might have to pay up in this instance since lives are at stake. The government has not confirmed there has been a ransom demand. On Thursday morning, staff at the Health Sciences Centre in St. John's were told the system used to manage patient health and financial information at the hospital is back online. The system -- called Meditech -- only has information from before last weekend, and will need to be updated. It isn't yet clear what the restoration of the system will mean for services at the hospital, or if the system is back online in other parts of the province.

Security

US Offers $10 Million Bounty For DarkSide Ransomware Operators (securityweek.com) 19

wiredmikey shares a report from SecurityWeek: The U.S. government wants to find the people responsible for the Colonial Pipeline ransomware attack (and many others) and it's putting up multi-million rewards for data on the operators behind the DarkSide extortion campaign. The Department of State on Thursday offered up to $10 million for information leading to the identification or location of senior members of the DarkSide gang that caused major gas disruptions earlier this year. In addition, the U.S. State Department is offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country "of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident." "In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals," it added. "The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware."

Microsoft

Microsoft Warns Windows 11 Features Are Failing Due To Its Expired Certificate (theverge.com) 109

Microsoft has started warning Windows 11 users that certain features in the operating system are failing to load due to an expired certificate. The certificate expired on October 31st, and Microsoft warns that some Windows 11 users aren't able to open apps like the Snipping Tool, touch keyboard, or emoji panel. From a report: A patch is available to fix some of the issues, but it's currently in preview, meaning you have to install it manually from Windows Update. The patch, KB4006746, will fix the touch keyboard, voice typing, emoji panel, and issues with the getting started and tips sections of Windows 11. You'll be able to find this patch by checking for updates in the Windows Update section of Settings in Windows 11. Microsoft's patch doesn't address the problems with the Snipping Tool app, though. "To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document," recommends Microsoft. "You can also paste it into Paint to select and copy the section you want."

Businesses

The Booming Underground Market for Bots That Steal Your 2FA Codes (vice.com) 91

The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts. From a report: The call came from PayPal's fraud prevention system. Someone had tried to use my PayPal account to spend $58.82, according to the automated voice on the line. PayPal needed to verify my identity to block the transfer. "In order to secure your account, please enter the code we have sent your mobile device now," the voice said. PayPal sometimes texts users a code in order to protect their account. After entering a string of six digits, the voice said, "Thank you, your account has been secured and this request has been blocked. Don't worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up," the voice said.

But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks. Whereas fooling victims into handing over a login or verification code previously would often involve the hacker directly conversing with the victim, perhaps pretending to be the victim's bank in a phone call, these increasingly traded bots dramatically lower the barrier of entry for bypassing multi-factor authentication.

Security

Cyber Official Warns 'American Way of Life' at Risk From Hackers (bloomberg.com) 42

A top U.S. cybersecurity official offered a dire warning to members of Congress on Wednesday, saying the "American way of life" faces serious risks amid the drumbeat of ransomware attacks and physical threats to the nation's critical infrastructure. From a report: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, known as CISA, told the House Homeland Security Committee Wednesday that "ransomware has become a scourge on nearly every facet of our lives, and it's a prime example of the vulnerabilities that are emerging as our digital and our physical infrastructure increasingly converge." Her appearance, alongside National Cyber Director Chris Inglis, comes as the private sector and governments have grappled with pervasive cyberattacks during the last 12 months. Some attacks, including the Colonial Pipeline breach in May, have led to gas shortages, disrupted supply chains and exposed federal systems to significant compromise.

Easterly's testimony came after CISA issued a binding operational directive that would create a catalog of known exploited cybersecurity vulnerabilities and would require federal agencies to fix these flaws within specific time frames. It would apply to all software and hardware on federal information systems, including those managed by an agency or hosted by third parties. While the directive would only apply to federal agencies, Easterly said in a statement she wants every organization to adopt the directive "and prioritize mitigation of vulnerabilities listed in CISA's public catalog." Representative John Katko, a Republican from New York, said, "The volume of alerts, advisories, and directives goes to show the pervasiveness of vulnerabilities affecting owners and operators of critical infrastructure, and federal networks." Inglis said that privately owned critical infrastructure, which accounts for 85% of the total, is "increasingly core to the government's imperative to protect and provide for national security."

Security

Linux Foundation Adds Software Supply Chain Security To LFX (zdnet.com) 12

An anonymous reader quotes a report from ZDNet: "LFX supports projects and empowers open source teams by enabling them to write better, more secure code, drive engagement, and grow sustainable software ecosystems," the Linux Foundation says. Now, to address the growing threat of software supply chain attacks, the foundation is upgrading its LFX Security module to deal with these attacks. Jim Zemlin, the Linux Foundation's executive director, announced this new tooling today at the Linux Foundation Membership Summit.

Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities. Software security firm BluBracket is contributing this functionality to the LFX as part of its mission to make software safer and more secure. This functionality builds on contributions from open source developer security company Snyk, helping make LFX the leading vulnerability detection platform for the open source community. [...] LFX Security will be further scaled out in 2022, helping to solve challenges for hundreds of thousands of critical open source projects under the Open Source Security Foundation. LFX Security is free and available now.

Security

'Destructive' Cyberattack Hits National Bank of Pakistan (therecord.media) 6

The National Bank of Pakistan (NBP) has suffered what two sources have described to The Record as a "destructive" cyberattack. From a report: The incident, which took place on the night between Friday and Saturday, impacted the bank's backend systems and affected servers used to interlink the bank's branches, the backend infrastructure controlling the bank's ATM network, and the bank's mobile apps. While the attack crippled some of these systems, no funds were reported missing, according to the bank and people familiar with the attack and the current investigation. "Immediate steps were taken to isolate the affected systems," the bank said in a statement on Saturday. Recovery efforts were in full swing over the weekend, and by Monday, NBP reported that more than 1,000 branches opened and catered to customers as normal and that all ATMs nationwide had been fully restored.

Bug

'Trojan Source' Bug Threatens the Security of All Code (krebsonsecurity.com) 88

"Virtually all compilers -- programs that transform human-readable source code into computer-executable machine code -- are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected," warns cybersecurity expert Brian Krebs in a new report. An anonymous reader shares an excerpt: Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis). Specifically, the weakness involves Unicode's bi-directional or "Bidi" algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic -- which is read right to left -- and English (left to right). But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the "Bidi override," which can be used to make left-to-right text read right-to-left, and vice versa.

"In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient," the Cambridge researchers wrote. "For these cases, Bidi override control characters enable switching the display ordering of groups of characters." Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email. Here's the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text -- including control characters -- is ignored by compilers and interpreters. Also, it's bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

"So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty," said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. "That's bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything." The research paper, which dubbed the vulnerability "Trojan Source," notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. [...] Anderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable. "If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected," he said. Equally concerning is that Bidi override characters persist through the copy-and-paste functions on most modern browsers, editors, and operating systems.
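As an added example (not code from the Cambridge paper or from Krebs' report), here is a small Python scanner of the kind a reviewer or CI step can run over source files: it lists every Bidi control character and flags any override, embedding or isolate still open at the end of its line, which is the condition the researchers propose compilers should reject. The per-line scope and the sample input below are assumptions of this example.

```python
"""Scan source text for Unicode Bidi control characters (Trojan Source defense).

Added example, not the Cambridge researchers' tooling. Flags every Bidi
formatting character and reports any override/embedding/isolate that is not
terminated before the end of its line. The sample input is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# The nine Bidi formatting characters that can change how text is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u202c": "PDF",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EMBEDDING_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # closed by PDF
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}               # closed by PDI
EMBEDDING_NAMES = {BIDI_CONTROLS[c] for c in EMBEDDING_OPENERS}
ISOLATE_NAMES = {BIDI_CONTROLS[c] for c in ISOLATE_OPENERS}
PDF, PDI = "\u202c", "\u2069"


@dataclass
class Finding:
    line: int
    col: int
    codepoint: str   # e.g. "U+202E"
    name: str        # e.g. "RLO"
    unterminated: bool = False


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per Bidi control character in text.

    Assumption of this example: scope is a single line, because a line break
    ends a Bidi paragraph, so an opener still open at end of line is marked
    unterminated. Nesting follows UAX #9 loosely: PDF closes the innermost
    open embedding/override unless an isolate was opened after it; PDI closes
    the innermost open isolate together with anything nested inside it.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        open_stack: list[Finding] = []
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            f = Finding(lineno, col, f"U+{ord(ch):04X}", name)
            findings.append(f)
            if ch in EMBEDDING_OPENERS or ch in ISOLATE_OPENERS:
                open_stack.append(f)
            elif ch == PDF:
                if open_stack and open_stack[-1].name in EMBEDDING_NAMES:
                    open_stack.pop()
            elif ch == PDI:
                # Pop back to and including the nearest isolate opener, if any.
                idx = next((i for i in range(len(open_stack) - 1, -1, -1)
                            if open_stack[i].name in ISOLATE_NAMES), None)
                if idx is not None:
                    del open_stack[idx:]
        for f in open_stack:
            f.unterminated = True
    return findings


def unterminated(text: str) -> list[Finding]:
    """Only the findings a compiler or linter should treat as errors."""
    return [f for f in scan_source(text) if f.unterminated]


def format_report(text: str) -> list[str]:
    """Human-readable lines suitable for a pre-commit hook or CI log."""
    return [f"line {f.line} col {f.col}: {f.codepoint} {f.name}"
            + (" UNTERMINATED" if f.unterminated else "")
            for f in scan_source(text)]


# Constructed sample: line 3 hides an RLO inside a comment with no PDF, so an
# editor renders the rest of that line reversed; line 4 is a benign isolate.
SAMPLE = (
    "balance = 100\n"
    "if balance > 0:  # normal comment\n"
    "    pay()  # \u202e}  # reversed by the override\n"
    'label = "\u2066ok\u2069"  # properly terminated isolate\n'
)

if __name__ == "__main__":
    import sys
    # Scan the files given on the command line, or the built-in sample.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    for src in sources:
        for entry in format_report(src):
            print(entry)
```

Running it on the sample reports the RLO on line 3 as unterminated and the LRI/PDI pair on line 4 as balanced; in a CI hook, a non-empty `unterminated()` result is the signal to fail the build and have a human look at the raw bytes.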
