Aloha point-of-sale terminal, sold on eBay, yields security surprises

Breaches involving point of sale (POS) systems in retail stores and the hospitality sector are all-too-common, and Aloha POS has been mentioned on this blog in some past breaches. Now Jeremy Kirk reports:

Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for $200. Oh found an eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system. […] “What we found was that the overall state of security of the system was very poor,” he wrote in a blog post describing his analysis.

Read more on Computerworld.

Possible security breach affecting members of the Waipahu Aloha Clubhouse

A statement from the Hawaii Department of Health:

For Immediate Release: October 25, 2012
12-052

POSSIBLE SECURITY BREACH AT WAIPAHU ALOHA CLUBHOUSE
Department of Health advises consumers to take precautionary action against identity theft

HONOLULU — The Hawai‘i State Department of Health (DOH) is notifying members of the Waipahu Aloha Clubhouse of a possible security breach in a computer file that stored personal information on Clubhouse members. The breach was discovered on September 25, 2012, when an employee observed unusual activity on a computer suggesting that someone may have been remotely accessing it without authorization.

“We very much regret that this incident occurred and the impact it may have on our Waipahu Clubhouse members,” said Dr. Bill Sheehan, Chief of the Adult Mental Health Division. “As soon as we discovered this possible security breach, the department acted quickly and ordered a forensic examination of the computer. Although we have no evidence of the information being used for a wrongful or unlawful purpose, the department is taking every precaution to notify all those affected. Immediate steps were also taken to prevent this from reoccurring.”

Approximately 600 former and registered members of the Waipahu Aloha Clubhouse are being notified by mail of the possible security breach. The Clubhouse, located at 94-091 Waipio Point Access Road, serves adults living with severe and persistent mental illness and provides daily activities and programs to support individuals on their journey to recovery and self-sufficiency.

Information contained on the computer dated back to 1997 and included Waipahu Aloha Clubhouse members’ names, birthdates, addresses, phone numbers, consumer record numbers, and some social security numbers. No medical records were stored on the computer. To date, DOH is unaware of any illegal activity resulting from the information breach.

“Many of the affected Waipahu Aloha Clubhouse members may have changed their mailing addresses since registering with the program as far back as 1997. Because we may not be able to reach these families by mail, we hope the public will help us to get the word out,” said Dr. Bill Sheehan.

All Waipahu Aloha Clubhouse members are advised to place a fraud alert on their credit files and notify the police if they find any suspicious credit activity. Anyone needing further information may call the DOH Adult Mental Health Division toll-free at 1-866-890-6394. Helpful website resources on identity theft include and

Clubhouses are a program of the DOH Community Mental Health Center System. The System provides comprehensive, coordinated, integrated, and culturally competent mental health services to individuals 18 years of age and older with severe and persistent mental illness. Currently there are eight active Clubhouses providing critical services in Hawai‘i, and more than 300 worldwide.

###

h/t, Star Advertiser

Risky business: Remote Desktop opened the door for Aloha hackers

When nine restaurants in Louisiana and Mississippi filed lawsuits against Radiant Systems and its Louisiana distributor, they may have represented only the tip of a substantial iceberg of hacks affecting restaurants that used Radiant Systems’ Aloha POS system. It seems that the scope of the problem is first coming to the public’s attention approximately one and a half years after the hacking incidents started.

Breaches in Other Parts of the Country

During a two-month period in late 2008, a Spicy Pickle franchise in Michigan was hacked and 150 customers’ card data were stolen and misused. The franchise closed in June 2009, reportedly unable to recover from the loss of customer confidence after the breach. At around the same time in 2008, Ted’s Cafe Escondido in Oklahoma also reported being hacked. Although both breaches were reported at the time, the POS system they were using was not reported in the media. Unbeknownst to me at the time, a forum member commented on both breaches by noting that both restaurants used the Aloha system. There was no indication in the forum member’s report, however, as to whether the restaurants had removed any remote access software that was suspected of creating the vulnerability to hacks or whether the restaurants had used commercial-grade firewalls.

Hacks Started in Early 2008

Also flying completely under my radar at the time, in December 2008, WKZO News reported this about the Spicy Pickle hack:

Co-owner Terry Henderson says the FBI’s been investigating fraud cases across the country for seven months and they were just the latest victims. “There’s a similar thread to all of it and it keeps leading to one particular software manufacturer,” says Henderson, adding that he’s not at liberty to say which manufacturer that is. “It’s a popular software that’s used by thousands of restaurants throughout the country.”

Continuing to work backwards to see what else I had missed, I found that in August 2008, WAFB and the Associated Press had reported that a rash of hacks involving Louisiana restaurants began in March 2008. And although Aloha’s name did not appear in any media reports on affected restaurants, when the Secret Service met with Louisiana restaurateurs in August 2008, they may have specifically mentioned the Aloha system. Another poster on the forum wrote on August 19, 2008:

I spoke to someone who attended the meeting outlined in the Associated Press article. The meeting was set up by the Lousiana (sic) Restaurant Association and was attended by the Secret Service agent on the case, a US Attorney and a represtative (sic) from Visa. During the meeting it was presented that the 15 breaches occured (sic) were all Aloha POS systems. It was stated that the hackers were able to breach the systems as the Remote support software were all using the same User Name and Password (this is against PCI requirements). The hackers installed a “sniffer” program that would capture credit card data on the Local LAN (ie private network).

So it seems as if suspicions about Aloha were being raised over a year ago but were not specifically mentioned in media coverage.

Radiant’s Response

In August 2008, within days of the Secret Service and Visa representatives meeting with Louisiana restaurateurs, Aloha sent a data security alert to its customers. The alert said, in part:

Radiant Systems has been working with Visa on an emerging issue that could cause POS systems to be compromised. The specific vulnerability is related to Remote Desktop being enabled on BOH servers, POS terminals, and routers, which may allow intruders to gain access to POS systems. Once intruders gain access they could install malware such as packet sniffers to capture card holder data. Remote access to POS systems is critical to supporting sites, but can also provide a method for unauthorized users to obtain access to systems and potentially sensitive credit card data. Configuring and managing access to POS systems is extremely important.

The alert then provided specific steps Aloha clients should take to configure their systems securely, including:

Disable Remote Desktop on routers, BOH servers, and POS terminals, if this remote access tool is not used to support the site.

Use Command Center as the single means of remote access for Aloha POS systems to ensure the highest level of site security. Command Center has a number of inherent features that significantly increase your ability to support sites, and also significantly decrease the risks associated with accessing sites.

Alternative measures were described for those who chose to leave remote access tools enabled. Their alert may well have prevented more restaurants from being hacked, but may be small comfort to the allegedly many restaurants who had already suffered hacks resulting in lost business, fines by Visa and Mastercard, and the cost of forensic audits and IT consultants. Whether the juries will agree with the restaurant-plaintiffs or with Radiant Systems remains to be seen, but it would seem that some jurors are in for a real earful on security.

MLB to investigate Shohei Ohtani medical record leak

Ryan Falla reports: Just days after LA Angels signed Shohei Ohtani we began to see news regarding a surprise revelation; Shohei Ohtani is dealing with a minor UCL sprain. […] Reports that the MLB is investigating this matter began with Buster Olney breaking the news on Twitter the morning of December 14th. There’s no reason to assume the leak came from a rival ball-club, but at the same time it’s hard to imagine anyone outside the MLB would leak Ohtani’s medical records. Read more on Halo Hangout. There are just so many possibilities here that until the investigation is concluded, it’s hard to know how to code this one at all. Is it an insider at a club? Did a club get hacked? Did someone shoot off their mouth at home about something that should have remained confidential? We’ll have to wait to learn more…..

Update on Wendy’s breach

Wendy’s issued its first quarter report for 2016 this week, and a section of its press release on the report addresses its data breach:

Update on investigation into unusual credit card activity

As previously reported, the Company engaged cybersecurity experts earlier this year to conduct a comprehensive investigation into unusual credit card activity at some Wendy’s restaurants. Investigation into this activity is nearing completion. Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015. These findings also indicate that the Aloha point of sale system has not been impacted by this activity. The Aloha system is already installed at all Company-operated restaurants and in a majority of franchise-operated restaurants, with implementation throughout the North America system targeted by year-end 2016.

The Company expects that it will receive a final report from its investigator in the near future. The Company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants. The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation.

Based upon the investigation to date, approximately 50 franchise restaurants are suspected of experiencing, or have been found to have, unrelated cybersecurity issues. The Company and affected franchisees are working to verify and resolve these issues.

Forbes Breach Email Statistics

Total of 1,056,986 E-mails found are unique.
Total of 111,735 E-mail Providers
564 FORBES.COM
844 .GOV
14,572 .EDU

Below is a list of all email providers that have 2 or more in the breach. (full list here)

[Per-provider count table not recoverable from this copy: the provider names were stripped and only the bracketed counts survive, running from 407,769 at the top down to 34 where the excerpt is cut off. Provider names still visible in the list include GMAIL.COM, YAHOO.COM, AOL.COM, HOTMAIL.COM, LIVE.COM, COMCAST.NET and several Polish domains.] […]

1749 French based Sites Defaced by CwGhost.

A very interesting hack and mass deface has come to light that has left 1749 French-based websites all with the same page. The deface page features the message below first, then several pictures of a graphic nature, then 4 YouTube videos attempting to explain the reasons behind these attacks. The attacks have all been carried out by a hacker using the handle Azerbaijanian Hacker CwGhost.

Message in the defacings:

HackedbyCwGhost
Your System Has Been Hacked
uid=0(root) gid=0(root) groupes=0(root)
Azerbaijanian Hacker CwGhost
Greetz: [ CaLLDeRooN ]
The 26th of February Khojaly Genocide Day
Khojaly genocide committed by the Armenians against Azerbaijani civilians
At night from February 25 to 26 the Armenian armed forces occupied the town of Khojaly. The occupation was carried out with active support of several units of the Russian Army’s 366th regiment. Occupation of Khojaly was followed with unprecedented brutalities against the civilian population. In a few hours the aggressors killed 613 innocent and unarmed people. Among them were 106 women, 83 children. 56 people were killed with special brutality. 8 families were totally exterminated. 25 children were totally, and 130 children were partly orphaned. 476 people became disabled persons (of them 76 were minors). 1275 people were taken into hostage and even though afterwards most of the hostages were released from captivity, the fates of 150 of them are still unknown. 26 February Khojaly Genocide Is a Special Day in Azerbaijan’s history. We will never forget this day.

Full list of sites that have been defaced. Source: […]

Julie’s Place hack: an all-too-familiar story by now

This breach was first reported earlier this month, but I seem to have missed it:

About 100 people found out over the last couple weeks that someone else had accessed their bank account, taking their money and leaving them stunned. […] After being flooded with reports of fraud, the Leon County Sheriff’s Office began to investigate and found that the computer system at the restaurant Julie’s Place had been hacked and someone, somewhere had full access.

Read more on WCTV.

In follow-up coverage today in the Tallahassee Democrat, the owner reportedly claims that he was told that the breach involved an Aloha POS-specific malware:

The company that provided the Aloha card terminal also found evidence of where the intruder got past the system’s firewall and was able to remotely access the terminal and steal the customers’ information. “They found malware that was specifically for this Aloha system,” he said of the technicians’ evaluation. Since then, he has had the entire system changed out and security features upgraded to prevent a recurrence.

Radiant Systems’ Response

I contacted Radiant Systems, manufacturers of the Aloha POS systems, about the statement that the malware was “Aloha-specific” in any way. Ernie Floyd, Director of Data Security and Compliance for Radiant, stated that there was no unusual or Aloha-specific malware, and that as in other cases, when cybercriminals find systems with remote access software in listening mode, they then probe for the presence of payment applications that would indicate that card data might be available. If they find it, they then upload the malware to scrape the card data. In the case of Julie’s Place, Floyd said that the system had PCAnywhere in listening mode and no commercial-grade firewall. Floyd says that although it was not available at the time of this particular breach, the company has developed a two-factor authentication tool for support services. According to him, the firm and its resellers have really been trying to educate restaurateurs that having PA-DSS validated software is simply not sufficient if there is no commercial-grade software or if the rest of the environment is in shambles.

Breaches in the Hospitality Sector Are Up

Floyd also confirmed my impression that breaches in the hospitality sector are up this year. At a Visa symposium in June, attendees were reportedly informed that although Q1 was a slow quarter in terms of breach reports, Q2 was more active than any quarter in 2009. A Trustwave SpiderLabs representative also reported that by August, they had already conducted more post-breach forensic evaluations than they had for the entire year in 2009. Trustwave SpiderLabs typically handles about half of all forensic evaluations in the hospitality sector.
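The same exposure runs through Floyd’s account here (pcAnywhere left in listening mode with no commercial-grade firewall) and through the Radiant alert quoted in the earlier post (Remote Desktop enabled on BOH servers, terminals and routers, to be disabled where it is not used to support the site). The alert’s rule can be turned into a routine check a technician runs on each host. The script below is an added example written for this page; it is not Radiant’s code or any tool mentioned in the coverage. It parses a constructed listing in the shape of Windows `netstat -ano` output, keeps the sockets that accept inbound traffic, and flags the remote-access ports found: disable the tool if the site does not use it, restrict it if it is in use but bound to every interface. The port numbers are the tools’ well-known defaults, the `tools_in_use` parameter and the sample listing are assumptions made for the example, and VNC is included only because it is another tool commonly left installed.

```python
import re
from dataclasses import dataclass

# Default ports of the remote-access tools named in the coverage (Remote Desktop,
# pcAnywhere) plus VNC, another tool POS resellers commonly leave installed.
# A tool moved to a non-default port would have to be added here.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    5631: "pcAnywhere",   # data channel
    5632: "pcAnywhere",   # status channel (UDP)
    5900: "VNC",
}

ALL_INTERFACES = {"0.0.0.0", "[::]"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the shape of Windows `netstat -ano` output. It was not
# captured from any real terminal; it is built to exercise every branch below.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2048
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       3100
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     4096
  UDP    0.0.0.0:5632           *:*                                    2048
"""

# One netstat row: proto, local addr:port, foreign addr, optional state, PID.
# UDP rows carry no state column, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    address: str
    pid: int
    tool: str
    action: str   # "disable", "restrict" or "verify-firewall"


def parse_listeners(netstat_text):
    """Return the sockets that accept inbound traffic: TCP rows in LISTENING
    state and every UDP row (UDP has no state; a bound UDP port is reachable)."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or a row shape we do not understand
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue  # established or closing sockets are not an exposure
        listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), int(m["pid"])))
    return listeners


def audit_remote_access(listeners, tools_in_use=frozenset()):
    """Apply the alert's rule to each listener on a remote-access port.

    tools_in_use (an assumed parameter) names the tools the site actually relies
    on for support. A tool not in that set should simply be disabled; one that is
    in use must not be reachable on every interface, and if it is bound to a
    specific address the firewall rules in front of it still need checking."""
    findings = []
    for l in listeners:
        tool = REMOTE_ACCESS_PORTS.get(l.port)
        if tool is None or l.address in LOOPBACK:
            continue  # not a remote-access port, or reachable only from the host itself
        if tool not in tools_in_use:
            action = "disable"
        elif l.address in ALL_INTERFACES:
            action = "restrict"
        else:
            action = "verify-firewall"
        findings.append(Finding(l.proto, l.port, l.address, l.pid, tool, action))
    return findings


def report(findings):
    """Render findings as one line each, for a technician's checklist."""
    return [f"{f.proto}/{f.port} {f.tool} bound to {f.address} (pid {f.pid}): {f.action}"
            for f in findings]


if __name__ == "__main__":
    # A site that uses Remote Desktop for vendor support and nothing else.
    for line in report(audit_remote_access(parse_listeners(SAMPLE_NETSTAT), {"RDP"})):
        print(line)
```

On the sample listing the check reports Remote Desktop as "restrict" (in use, but bound to every interface), both pcAnywhere sockets as "disable" (not used by this site), and stays silent about VNC because it is bound to loopback and about the established outbound connection. Running the same check against real `netstat -ano` output on each BOH server and terminal, and again after the change, is the quickest way to confirm that the alert’s first step was actually carried out.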

Reports of San Antonio restaurant hacks may be overblown

When Aldaco’s Stone Oak on Sonterra Blvd. in San Antonio revealed that it had been hacked by someone believed to be overseas, owner Blanca Aldaco stated that they used the most current versions of the Aloha POS by Radiant Systems. Rumors started swirling shortly thereafter that a number of restaurants in the tight-knit restaurant community that use the Aloha POS had also been hacked, but when the dust started settling, it appears that so far, only Aldaco’s and possibly one other restaurant may be affected.

San Antonio resident R Brooks tells me that he found out about the breach the hard way — when his card was declined while shopping. He contacted Security Service Federal Credit Union and was told that a compromise had occurred and that MasterCard had flagged his account. A spokesperson for the credit union informs me that they canceled and replaced 350 customers’ cards last week. Most of the card replacements were made proactively, but 50 of their customers had reported fraudulent charges on their cards. All of the cards involved in the replacement had been compromised by the Aldaco’s breach and the credit union is not aware of any other establishments being hacked.

One other local establishment believes that they may have been hacked, too. Local Coffee’s owner tells me that he was notified by one of his customers last Friday that their card had been compromised after they had used it there. That customer’s credit union, Randolph-Brooks, had reportedly notified them that they were canceling the customer’s debit card because there had been some fraudulent charges on debit cards that had been used at a few restaurants in the area. “Friday was one of our best days ever in terms of business, and then this happened,” the owner told me. Responding quickly to protect their customers, Local Coffee stopped using their system immediately, called the police to report the incident, and like Aldaco’s, reverted to dial-up. They also posted a notice on their web site:

We believe our business has had a breach of data likely to be very similar to another Stone Oak Business. We are working with the SAPD Fraudulent Unit, Radiant Systems, RBS WorldPay and Aloha to further investigate where this breach occurred and to ensure it cannot happen in the future. This is a much larger operation and not the result of any wrongdoing by an LC employee. We are frustrated if this has impacted our loyal customers and inconvenienced them in any way. Please contact the credit card company immediately that was used at our location to ensure your account has not been compromised and request a new card for security (it seems to be affecting only debit cards, but still call to verify). LC has the latest versions of Aloha software in order to maintain compliance and prevent any compromise of data. This was unfortunately something we could not have seen happening. Until we are more than 100% sure this situation is resolved we have gone to dial-up for authorization to prevent further breaches, so please bear with us for the small inconvenience this may have, but our customers’ security is extremely important. We will continue to update our customers with any information we find out in regards to this situation, so you are confident with the steps we are taking to prevent this in the future.

The buzz that multiple restaurants using Radiant Systems’ Aloha POS had all been hacked may be a result of a number of hacks of restaurants in Louisiana last year, but two other restaurants specifically mentioned to me as having been hacked both deny that they have had any problems, and Radiant’s local reseller says that they haven’t heard from any other customers that they’ve been hacked. The San Antonio detective investigating the reports did not return a phone call seeking additional information. Nor did Randolph-Brooks Federal CU return a call asking for additional information.

In an interview with Jimmy Fortuna, Vice-President of Product Development for Radiant Systems, Fortuna informed me that Radiant’s San Antonio reseller, Forum Systems Group, will be hosting a symposium in San Antonio at the Airport Hilton on Thursday for small business owners to talk about the changing threat landscape and how small businesses can protect themselves. “Small businesses often believe that threats don’t include them because they’re too small to care about,” Fortuna said, “but 80% of attacks in the past year have been on small businesses.” Fortuna sees the current situation as an opportunity to educate owners while people are motivated and paying attention to security. Radiant’s Aloha POS is a very popular software in the San Antonio area, and according to Fortuna, industry reports indicate that other vendors’ products are getting attacked as often as Radiant’s.

As for me, having spent two days trying to track down the reports to confirm or disconfirm them, I’m just sorry I’m not in San Antonio right now, as it looks like they have a fantastic assortment of restaurants and a wonderful coffee establishment that made me drool just looking at their coffee menu. If I get any more reports of hacked restaurants in the San Antonio area that are confirmed, I’ll post them.

Aldaco’s issues credit card breach alert

Aldaco’s has posted a notice on its web site (first noticed and reported elsewhere):

Dear Customers, Our business has been another senseless victim of breach of data. Authorities have investigated and have clearly determined that the breach was not the result of any wrongdoing by an in-house employee or management. We have cooperated fully, and will continue to cooperate, with the US Secret Service, the SAPD Fraudulent Unit, Capital One Merchant Services and Capital One Financial Institution. We are upset that this has happened, and most of all, we are very angry that our valued customers may experience any compromise or violation as well. Aldaco’s has always taken the utmost precautions with security programs and has always maintained latest versions of Aloha and the adequate software to comply and prevent any compromise of data. This, unfortunately, was unforeseen. We have sought professional advice and all precautions have been taken. One major step, our credit card system has reversed to DIAL-UP and we are no longer on the internet for authorizations — we are guaranteed that this situation is under 100% control. If the credit card(s) that you use when you visit Aldaco’s Stone Oak have not been compromised as of yet… PLEASE CANCEL YOUR CARD IMMEDIATELY AND REQUEST A NEW ONE. […]

What’s interesting to me about their notice, apart from their very human approach of expressing anger about the situation and their simple proactive advice to cancel cards even if they have not yet been misused, is that they specifically name their POS software.

Note and Correction: It seems that Kristina De Leon of WOAI may have had the story first and adds more to the story:

Aldaco’s Mexican Cuisine at Stone Oak has a note on the front door apologizing to customers. Some of those customers are now getting charges from as far away as Italy. “They know that it was a breach, and they know that the breach came from Russia, that’s for sure,” explained Blanca Aldaco. “So, we are working with our I.T. guy. They’re definitely looking into it. Hopefully, they can figure out what the IP address is.” The U.S. Secret Service and the San Antonio Police Department’s Fraud Unit are also investigating. Neither would comment, but News 4 WOAI learned they are trying to track down the overseas hacker.