29
Jul 15

Windows 10 Shares Your Wi-Fi With Contacts

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default prompt to you share access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.

msoptoutThis brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.

The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.

Update, July 30, 12:35 p.m. ET: Ed Bott over at ZDNet takes issue with the experience described in the stories referenced above, stating that while Wi-Fi Sense is turned on by default, users still have to explicitly choose to share a network. “When you first connect to a password-protected Wi-Fi network, you choose if you want to share access to that network with your contacts,” Bott writes. Nevertheless, many users are conditioned to click “yes” to these prompts, and shared networks will be shared to all Facebook, Outlook, and Skype contacts (users can’t pick individual contacts; the access is shared with all contacts on a social network). Updated the lead to clarify that users are prompted to share. Continue reading →


27
Jul 15

The Wheels of Justice Turn Slowly

On the evening March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I’ve recently received a notice from the U.S. Justice Department stating that one of the individuals involving in that “swatting” incident had pleaded guilty to a felony conspiracy charge.

swatnet“A federal investigation has revealed that several individuals participated in a scheme to commit swatting in the course of which these individuals committed various federal criminal offenses,” reads the DOJ letter, a portion of which is here (PDF). “You were the victim of the criminal conduct which resulted in swattings in that you were swattted.”

The letter goes on to state that one of the individuals who participated in the scheme has pleaded guilty to conspiracy charges (Title 18, Section 371) in federal court in Washington, D.C.

The notice offers little additional information about the individual who pleaded guilty or about his co-conspirators, and the case against him is sealed. It could be the individual identified at the conclusion of this story, or someone else. In any case, my own digging on this investigation suggests the government is in the process of securing charges or guilty pleas in connection with a group of young men who ran the celebrity “doxing” Web site exposed[dot]su (later renamed exposed[dot]re).

As I noted in a piece published just days after my swatting incident, the attack came not long after I wrote a story about the site, which was posting the Social Security numbers, previous addresses, phone numbers and credit reports on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. Many of those individuals whose personal data were posted at the site also were the target of swatting attacks, including P. Diddy, Justin Timberlake and Ryan Seacrest.

The Web site exposed[dot]su featured the personal data of celebrities and public figures.

The Web site exposed[dot]su featured the personal data of celebrities and public figures.

Continue reading →


22
Jul 15

Spike in ATM Skimming in Mexico?

Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

On Saturday, July 18, 2015, municipal police in Puerto Vallara arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim’s ATM card PIN.

Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?

hyosung-frontatm
The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:

The backside of the false fascia shows the location of the hidden camera.

The backside of the false fascia shows the location of the hidden camera.

The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Continue reading →


21
Jul 15

Experian Hit With Class Action Over ID Theft Service

Big-three credit bureau Experian is the target of a class-action lawsuit just filed in California. The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.

experianThe lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me.

Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures — a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States, and for nearly ten months after Experian acquired Court Ventures, Ngo continued paying for his customers’ data searches via cash wire transfers from a bank in Singapore.

Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme. According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen personal information was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns.

The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA). The plaintiffs also want the court to force Experian to notify all consumers affected by Ngo’s service; to provide them free credit monitoring services; to disgorge all profits made from Ngo’s service; and to establish a fund (in an amount to be determined) to which victims can apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service. Continue reading →


19
Jul 15

Online Cheating Site AshleyMadison Hacked

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

ashleymadison

The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed. Continue reading →


17
Jul 15

CVS Probes Card Breach at Online Photo Unit

Nationwide pharmacy chain CVS has taken down its online photo center CVSphoto.com, replacing it with a message warning that customer credit card data may have been compromised. The incident comes just days after Walmart Canada said it was investigating a potential breach of customer card data at its online photo processing store.

cvsphoto

“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” CVS said in a statement that replaced the photo Web site’s normal homepage content. “As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience. Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com and our pharmacies. Financial transactions on CVS.com and in-store are not affected.” Continue reading →


15
Jul 15

The Darkode Cybercrime Forum, Up Close

By now, many of you loyal KrebsOnSecurity readers have seen stories in the mainstream press about the coordinated global law enforcement takedown of Darkode[dot]me, an English-language cybercrime forum that served as a breeding ground for botnets, malware and just about every other form of virtual badness. This post is an attempt to distill several years’ worth of lurking on this forum into a narrative that hopefully sheds light on the individuals apprehended in this sting and the cybercrime forum scene in general.

To tell this tale completely would take a book the size of The Bible, but it’s useful to note that the history of Darkode — formerly darkode[dot]com — traces several distinct epochs that somewhat neatly track the rise and fall of the forum’s various leaders. What follows is a brief series of dossiers on those leaders, as well as a look at who these people are in real life.

ISERDO

Darkode began almost eight years ago as a pet project of Matjaz Skorjanc, a now-36-year-old Slovenian hacker best known under the hacker alisas “Iserdo.” Skorjanc was one of several individuals named in the complaints published today by the U.S. Justice Department.

Butterfly Bot customers wonder why Iserdo isn't responding to support requests. He was arrested hours before.

Butterfly Bot customers wonder why Iserdo isn’t responding to support requests. He was arrested hours before.

Iserdo was best known as the author of the ButterFly Bot, a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global cybercrime operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. Iserdo was arrested by Slovenian authorities in 2010. According to investigators, his ButterFly Bot kit sold for prices ranging from $500 to $2,000.

In May 2010, I wrote a story titled Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm, which detailed how several of Skorjanc’s alleged associates actually applied for jobs at Panda Security, an antivirus and security firm based in Spain. At the time, Skorjanc and his buddies were already under the watchful eye of the Spanish police.

MAFI

Following Iserdo’s arrest, control of the forum fell to a hacker known variously as “Mafi,” “Crim” and “Synthet!c,” who according to the U.S. Justice Department is a 27-year-old Swedish man named Johan Anders Gudmunds. Mafi is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to build botnets. The Justice Department also alleges that Gudmunds operated his own botnet, “which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.”

Mafi was best known for creating the Crimepack exploit kit, a prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked Web sites with malicious software. Mafi’s stewardship over the forum coincided with the admittance of several high-profile Russian cybercriminals, including “Paunch,” an individual arrested in Russia in 2013 for selling a competing and far more popular exploit kit called Blackhole.

Paunch worked with another Darkode member named “J.P. Morgan,” who at one point maintained an $800,000 budget for buying so-called “zero-day vulnerabilities,” critical flaws in widely-used commercial software like Flash and Java that could be used to deploy malicious software.

Darkode admin "Mafi" explains his watermarking system.

Darkode admin “Mafi” explains his watermarking system.

Perhaps unsurprisingly, Mafi’s reign as administrator of Darkode coincided with the massive infiltration of the forum by a number of undercover law enforcement investigators, as well as several freelance security researchers (including this author).

As a result, Mafi spent much of his time devising new ways to discover which user accounts on Darkode were those used by informants, feds and researchers, and which were “legitimate” cybercriminals looking to ply their wares.

For example, in mid-2013 Mafi and his associates cooked up a scheme to create a fake sales thread for a zero-day vulnerability — all in a bid to uncover which forum participants were researchers or feds who might be lurking on the forum.

That plan, which relied on a clever watermarking scheme designed to “out” any forum members who posted screen shots of the forum online, worked well but also gave investigators key clues about the forum’s hierarchy and reporting structure.

logsruhroh

Mafi worked closely with another prominent Darkode member nicknamed “Fubar,” and together the two of them advertised sales of a botnet crimeware package called Ngrbot (according to Mafi’s private messages on the forum, this was short for “Niggerbot.” The password databases from several of Mafi’s accounts on hacked cybercrime forums included variations on the word “nigger” in some form). Mafi also advertised the sale of botnets based on “Grum” a spam botnet whose source code was leaked in 2013. Continue reading →


15
Jul 15

ID Theft Service Proprietor Gets 13 Years

A Vietnamese man who ran an online identity theft service that sold access to Social Security numbers and other personal information on more than 200 million Americans has been sentenced to 13 years in a U.S. prison.

Vietnamese national Hieu Minh Ngo was sentenced to 13 years in prison for running an identity theft service.

Vietnamese national Hieu Minh Ngo was sentenced to 13 years in prison for running an identity theft service.

Hieu Minh Ngo, 25, ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures, a subsidiary of the major consumer credit bureau Experian.

Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme.

The totality of damage caused by his more than 1,300 customers is unknown, but it is clear that Ngo’s service was quite popular among ID thieves involved in filing fraudulent tax refund requests with the U.S. Internal Revenue Service (IRS). According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns. Continue reading →


14
Jul 15

Adobe, MS, Oracle Push Critical Security Fixes

This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java. Continue reading →


13
Jul 15

Third Hacking Team Flash Zero-Day Found

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.

flashpotus

Continue reading →