Other

Other37 Comments
4
Mar 13

KrebsOnSecurity Wins Awards

I recently returned from San Francisco, which last week hosted the annual RSA Security conference. I had the pleasure of moderating a panel discussion on Raising the Costs of Compromise with some very smart guys, and also shared a stage with several security authors who were recognized for their contributions to infosec media.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Krebsonsecurity.com was honored with the “Blog That Best Represents the Industry,” award at the RSA Security Blogger Meetup. This was the third year in a row that judges bestowed that honor on this blog. Krebsonsecurity.com also won the award for “Most Educational Security Blog.”

Paul Dotcom won for “Best Security Podcast”; J4VV4D’s Blog earned the “Most Entertaining Security Blog” award; Sophos’s Naked Security Blog took home the “Best Corporate Security Blog” prize; and the “Single Best Blog Post or Podcast of the Year” went to Forbes’ Andy Greenberg, for Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees). Finally, security blogger Jack Daniel was the latest greybeard inducted into the Security Bloggers Hall of Fame (Bruce Schneier and I shared that honor last year, which is why we’re both pictured on stage flanking Jack in this shot from last week).

Yours truly also was named one of 10 winners of the SANS Institute‘s “Top Cyber Security Journalist” award. I am truly honored for the recognition, and want to thank all the loyal readers of this blog for their constant encouragement and support.

Other / Target: Small Businesses29 Comments
28
Jan 13

Big Bank Mules Target Small Bank Businesses

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company’s online banking accounts using the controller’s credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles’ payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

nilesmulespartNiles’ financial institution — Ft. Lauderdale, Fla. based Optimum Bank — evidently saw nothing suspicious about 11 new employees scattered across five states being added to its customer’s payroll overnight. From the bank’s perspective, the user submitting the payroll batch logged in to the account with the proper credentials and with the same PC that was typically used to administer the account. The thieves would put through another two fraudulent payment batches over next two days (the bank blocked the last batch on the 19th).

In total, the attackers appear to have recruited at least two dozen money mules to help haul the stolen loot. All but two of the mules used or opened accounts at four out of five of the nation’s top U.S. banks, including Bank of America, Chase, Citibank, and Wells Fargo. No doubt these institutions together account for a huge percentage of the retail banking accounts in America today, but interviews with mules recruited by this crime gang indicate that they were instructed to open accounts at these institutions if they did not already have them.

ANALYSIS

I’ve spoken at numerous financial industry conferences over the past three years to talk about these cyberheists, and one question I am almost always asked is, “Is it safer for businesses to bank at larger institutions?” This is a tricky question to answer because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses. Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.

What’s more, it is likely that fewer cyberheists involving customers of Top 5 banks ever see the light of day, principally because the larger banks are in a better financial position to assume responsibility for some or all of the loss (provided, of course, that the victim in return agrees not to sue the bank or disclose the breach publicly).

I prefer to answer the question as if I were a modern cyberthief in charge of selecting targets. The organized crooks behind these attacks blast out tens of millions of booby-trapped emails daily, and undoubtedly have thousands of stolen online banking credentials to use at any one time. There are more than 7,000 financial institutions in the United States…should I choose a target at one of the top 10 banks? These institutions hold a majority of the financial industry’s assets, and they’re accustomed to moving huge sums of money around each day.

On the other hand, their potential for fraud is almost certainly orders of magnitude greater than at smaller institutions. That would suggest that it may be easier for these larger institutions to justify antifraud expenditures. That incentive to enact antifraud protections is even greater because these institutions have huge numbers of retail customers, a channel in which they legally eat the loss from unauthorized account activity.

Continue reading →

Latest Warnings / Other / Time to Patch29 Comments
8
Jan 13

Adobe, Microsoft Ship Critical Security Updates

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Continue reading →

A Little Sunshine / Other64 Comments
2
Jan 13

Does Your Alarm Have a Default Duress Code?

Sometimes it takes a security scare to help improve your overall security posture. Case in point: Over the holidays, I learned that our alarm system — one of the most widely used home security systems in America — contains a default code that disables the alarm. Although entering this code simultaneously alerts the police that an intruder is in the house, it also could give thieves just enough time to get away with your valuables without alerting the neighbors.

Safewatch Pro3000

Safewatch Pro3000

Over the holidays, I lost my keychain. On said chain was a very expensive key fob for unlocking and starting our car, the keys to our front door, and a remote control that arms and disarms the alarm system. For several days, the wife and I searched frantically and repeatedly for the keys. Needless to say, I didn’t leave the house the whole time. In the hopes of perhaps disabling the alarm keyfob myself, I downloaded the user manual for my alarm system (a Safewatch Pro 3000), but I could not figure out a way to complete the process.

After of the fourth day of failing to locate the missing keys, we decided it was time to call a locksmith and ADT, our alarm company. The ADT technician arrived promptly and was extremely fast, courteous and helpful. But he said he couldn’t remove the fob without plugging in an external keyboard that he had on hand.

As he worked, I asked him about a feature of the alarm system that I’d read about in the manual: A duress code. Simply put, a duress code is a secondary, covert signal designed to be entered on the alarm keypad in the event that an attacker or robber ambushes you at home and forces you to disarm the system. A duress code will appear to disarm the system, but it will also send a silent panic alert to the ADT monitoring station that a potentially hostile intruder has entered the home.

I asked the technician how difficult it would be to set up a duress code for my system. He informed me that there was already one programmed into my unit, and that ADT technicians routinely set all systems like mine with the same default duress code: 2-5-8-0, the four digits that run straight down the middle of the keypad. Continue reading →

Other42 Comments
28
Dec 12

Happy 3rd Birthday KrebsOnSecurity.com!

It’s difficult to believe I’ve been doing this solo thing for so long, but as a thoughtful reader just reminded me, Dec. 29 marks the third anniversary of the KrebsOnSecurity.com blog!

3rdThis past year, KrebsOnSecurity featured nearly 200 blog posts, entries that have generated some 5,700 reader comments. Reader feedback and comments add tremendous value to this site, and are frequently the source of inspiration for future blog posts. Thank you for sharing your knowledge and experience with the rest of us!

Readers sometimes ask why I am not writing about the latest report or story-du-jour. The short answer is that this is precisely why I remain an independent investigative reporter: To be able to focus on subjects and topics that few others are examining, and to do original reporting. That will continue to be my goal going into 2013.

Some readers have been especially generous: So far this year KrebsOnSecurity.com has received more than 40 donations via the PayPal Donate! button in the sidebar. Several readers (particularly Aleksey and Alek) have been extremely generous with their time in helping with professional translations of certain Russian texts.

My work in 2012 involved numerous public speaking engagements, including talks and/or keynotes in Halifax, Qatar, Alabama, California, Connecticut, Illinois, New Hampshire, New York, Oregon and Pennsylvania.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you, Happy Holidays, and a very Happy New Year to all.

Other / Security Tools / Time to Patch28 Comments
13
Nov 12

Microsoft Patches 19 Security Holes

Microsoft today issued six software updates to fix at least 19 security holes in Windows and other Microsoft products. Thirteen of those vulnerabilities earned a “critical” rating, which means miscreants or malicious code could leverage them to break into vulnerable systems without any help from users.

Of note in these patches is a critical update for Internet Explorer 9 that fixes three flaws in IE (these bugs do not exist in older versions of IE, according to Microsoft). Other critical updates address extremely dangerous flaws in core Windows components, such as the Windows shell and Windows Kernel; these vulnerabilities are present in nearly all supported versions of Windows.

All of the critical updates earned the most dire marks on Microsoft’s “exploitability index,” which tries assess the likelihood that attackers will devise remote code execution attacks and denial of service exploits within 30 days of a security bulletin release.

Also included among the critical patches is an update for Microsoft’s .NET Framework. I mention this one separately because in the few times I’ve had troubles after applying Windows security updates, a .NET Framework patch has always been part of the mix. My update this time around went fine (albeit a tad slowly) on a Windows 7 system, but if you experience any issues applying these patches, please leave a note in the comments section below.

Other vulnerabilities addressed in today’s update batch include flaws in Microsoft Excel and Microsoft Internet Information Services (IIS). A summary of the bulletins released today is available at this link. Wolfgang Kandek, chief technology officer at Qualys, has put together a readable blog post with some additional thoughts on the severity and relative urgency of today’s patches.

Update, 8:34 p.m.. ET: Several readers have pointed my attention to problems with a non-security update released with today’s batch: KB2750841. According to this thread, KB2750841 seems to be causing issues for users of OpenDNS. This workaround from OpenDNS forum user “gotroot” appears to have worked for most users experiencing problems.

Other / Web Fraud 2.038 Comments
22
Oct 12

Service Sells Access to Fortune 500 Firms

An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks.

The service I examined for this post currently is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010. All of the machines for sale have been set up by their legitimate owners to accept incoming connections via the Internet, using the Remote Desktop Protocol (RDP), a service built into Microsoft Windows machines that gives the user graphical access to the host PC’s desktop. Businesses often turn on RDP for server and desktop systems that they wish to use remotely, but if they do so using a username and password that is easily guessed, those systems will soon wind up for sale on services like this one.

Pitching its wares with the slogan, “The whole world in one service,” Dedicatexpress.com advertises hacked RDP servers on several cybercrime forums. Access is granted to new customers who contact the service’s owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. The price of any hacked server is calculated based on several qualities, including the speed of its processor and the number of processor cores, the machine’s download and upload speeds, and the length of time that the hacked RDP server has been continuously available online (its “uptime”).

Though it is not marketed this way, the service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations. For instance, I relied on a list of the IP address ranges assigned to the companies in the current Fortune 500 listing (special thanks to online banking security vendor Greenway Solutions for their help on this front).

I made it about halfway through the list of companies in the Fortune 100 with names beginning in “C” when I found a hit: A hacked RDP server at Internet address space assigned to networking giant Cisco Systems Inc. The machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55 (see screenshot below). You’ll never guess the credentials assigned to this box: Username: “Cisco,”; password: “Cisco”. Small wonder that it was available for sale via this service. A contact at Cisco’s security team confirmed that the hacked RDP server was inside of Cisco’s network; the source said that it was a “bad lab machine,” but declined to offer more details.

A hacked Win 2003 Server installation at Cisco Systems was on sale for $4.55.

Continue reading →

Latest Warnings / Other / The Coming Storm60 Comments
29
Aug 12

Researchers: Java Zero-Day Leveraged Two Flaws

New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions).

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

Continue reading →

How to Break Into Security / Other23 Comments
7
Aug 12

How to Break Into Security, Miller Edition

For this fifth edition in a series of advice columns for folks interested in learning more about security as a craft or profession, I interviewed Charlie Miller, a software bug-finder extraordinaire and principal research consultant with Accuvant LABS.

Probably best known for his skills at hacking Apple‘s products, Miller spent five years at the National Security Agency as a “global network exploitation analyst.” After leaving the NSA, Miller carved out a niche for himself as an independent security consultant before joining Accuvant in May 2011.

BK: How did your work for the NSA prepare you for a job in the private sector? Did it offer any special skill sets or perspectives that you might otherwise not have gotten in the private sector?

Miller: Basically, it provided on the job training.  I got paid a decent salary to learn information security and practice it at a reasonable pace.  It’s hard to imagine other jobs that would do that, but if you have a lot of free time, you could simulate such an experience.

BK: The U.S. Government, among others, is starting to dedicate some serious coin to cybersecurity. Should would-be cyber warriors be looking to the government as a way to get their foot in the door of this industry? Or does that option tend to make mainly sense for young people?

Miller: For me, it made sense at the beginning, but there are some drawbacks.  The most obvious drawback is government pay isn’t as competitive as the private industry.  This isn’t such a big deal when you’re starting out, but I don’t think I could work for the government anymore for this reason.  Because of this, many people use government jobs as a launching point to higher paying jobs (like government contracting).  For me, I found it very difficult to leave government and enter a (non govt contracting) industry.  I had 5 years of experience that showed up as a couple of bullet points on my resume.  I couldn’t talk about what I knew, how I knew it, experience I had, etc. I had a lot of trouble getting a good job after leaving NSA.

BK: You’ve been a fairly vocal advocate of the idea that companies should not expect security researchers to report bugs for free. But it seems like there are now a number of companies paying (admittedly sometimes nominal sums) for bugs, and there are several organizations that pay quite well for decent vulnerabilities. And certainly you’ve made a nice chunk of change winning various hacking competitions. Is this a viable way for would-be researchers to make a living? If so, is it a realistic rung to strive for, or is bug-hunting for money a sort of Olympic sport in which only the elite can excel?

Miller: In some parts of the world, it is possible to live off bug hunting with ZDI-level payments.  However, given the cost of living in the US, I don’t think it makes sense.  Even if you mix in occasional government sales, it would be a tough life living off of bug sales.  If I thought it was lucrative, I’d being doing it!  For me, it is hard to imagine making more than I do now as a consultant by selling bugs, and the level of risk I’d have to assume would be much higher.

Continue reading →

Other / Target: Small Businesses38 Comments
3
Aug 12

Uptick in Cyber Attacks on Small Businesses

New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.

According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the  end of Dec. 2011.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”

I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.

In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.

The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.

Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money).  But one would think people who work for banks should be at least be aware of these schemes, and held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.

By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.

Continue reading →

← Older Entries