Barnes and Noble tonight confirmed it was hacked, and that its customers’ personal information may have been accessed by the intruders. The cyber-break-in forced the bookseller to take its systems offline this week to clean up the mess. See our update at the end of this piece. Our original report follows.

Bookseller Barnes and Noble’s computer network fell over this week, and its IT staff are having to restore servers from backups.

The effects of the collapse were first felt on Sunday, with owners of B&N’s Nook tablets discovering they were unable to download their purchased e-books to their gadgets nor buy new ones. That is to say, if they had bought an e-book and hadn’t downloaded it to their device before B&N’s cloud imploded, they would be unable to open and read the digital tome. The bookseller’s Android and Windows 10 apps were similarly affected.

It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working.

[…]

Shortly after this article was published, Barnes & Noble confirmed in an email to customers that it was hacked. The biz said it found out over the weekend, on October 10, that miscreants had broken into its computer systems, adding that customers’ personal information stored on file may have been accessed or taken by the intruders. This info includes names, addresses, telephone numbers, and purchase histories.

Source: Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info • The Register

German authorities said Thursday that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.

The Duesseldorf University Clinic’s systems have been disrupted since last Thursday. The hospital said investigators have found that the source of the problem was a hacker attack on a weak spot in “widely used commercial add-on software,” which it didn’t identify.

As a consequence, systems gradually crashed and the hospital wasn’t able to access data; emergency patients were taken elsewhere and operations postponed.

The hospital said that that “there was no concrete ransom demand.” It added that there are no indications that data is irretrievably lost and that its IT systems are being gradually restarted.

A report from North Rhine-Westphalia state’s justice minister said that 30 servers at the hospital were encrypted last week and an extortion note left on one of the servers, news agency dpa reported. The note — which called on the addressees to get in touch, but didn’t name any sum — was addressed to the Heinrich Heine University, to which the Duesseldorf hospital is affiliated, and not to the hospital itself.

Duesseldorf police then established contact and told the perpetrators that the hospital, and not the university, had been affected, endangering patients. The perpetrators then withdrew the extortion attempt and provided a digital key to decrypt the data. The perpetrators are no longer reachable, according to the justice minister’s report.

Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died.

Source: German Hospital Hacked, Patient Taken to Another City Dies | SecurityWeek.Com

EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages. We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contactless card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.

Source: [2006.08249] The EMV Standard: Break, Fix, Verify