Other


14
Jan 15

Adobe, Microsoft Push Critical Security Fixes

Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.

brokenwindowsLeading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.

For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch. Somehow I doubt this is the last time we’ll see this tension between these two software giants. But then again, who said patching had to be boring? For a full rundown of updates fixed in today’s release, see this link. Continue reading →


12
Jan 15

KrebsOnSecurity Wins Ntl’ Journalism Award

I put this out on Twitter last Friday but wanted to note it here in the blog as well: The National Press Foundation graciously announced last week that it plans to award me its Chairman’s Citation, which “confers recognition on individuals whose accomplishments fall outside the traditional categories of excellence.”

npfI’m truly honored by this award, and more than a little humbled by the pedigree of its previous winners. The NPF’s Chairman’s Citation was last awarded in 2012 to the late, great New York Times reporter Anthony Shadid, who died in Syria that same year. Shadid, a two-time Pulitzer Prize winner, was also a former Washington Post reporter. Likewise, the award was presented in 2010 to Colbert King, a Pulitzer Prize-winning columnist at The Post.

This honor also gives me another opportunity and platform for proselytizing to media colleagues about the merits and rewards of being an independent journalist. Some of my reporter friends probably get sick of hearing it from me, but there has never been a more important time for reporters who are passionate about creating original, impactful content to consider going it alone. A diversity of authoritative (and accountable) voices on important topics keeps the mainstream media honest and on its toes. More crucially, it helps inspire and cultivate the next generation of the Fourth Estate.

A hearty “THANK YOU” to the NPF for this recognition, and to the faithful readers here who make this all worthwhile!


5
Jan 15

Who’s Attacking Whom? Realtime Attack Trackers

It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time.

A couple of notes about these graphics. Much of the data that powers these live maps is drawn from a mix of actual targets and “honeypots,” decoy systems that security firms deploy to gather data about the sources, methods and frequency of online attacks. Also, the organizations referenced in some of these maps as “attackers” typically are compromised systems within those organizations that are being used to relay attacks launched from someplace else.

The Cyber Threat Map from FireEye recently became famous in a 60 Minutes story on cyberattacks against retailers and their credit card systems. This graphic reminds me of the ICBM monitors from NORAD, as featured in the 1984 movie War Games (I’m guessing that association is intentional). Not a lot of raw data included in this map, but it’s fun to watch.

FireEye's "Cyber Threat Map"

FireEye’s “Cyber Threat Map”

My favorite — and perhaps the easiest way to lose track of half your workday (and bandwidth) comes from the folks at Norse Corp. Their map — IPViking — includes a wealth of data about each attack, such as the attacking organization name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.

Norse's IPViking attack map is fun to watch, but very resource-intensive.

Norse’s IPViking attack map is eye candy-addictive, but very resource-intensive.

Continue reading →


30
Dec 14

Banks: Card Breach at Some Chick-fil-A’s

Sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation.

Photo: Robert Du Bois

Photo: Robert Du Bois

KrebsOnSecurity first began hearing from banks about possible compromised payment systems at Chick-fil-A establishments in November, but the reports were spotty at best. Then, just before Christmas, one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014.

One financial institution that received that alert said the bank had nearly 9,000 customer cards listed in that alert, and that the only common point-of-purchase were Chick-fil-A locations.

“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” the banking source said, speaking on condition of anonymity.

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.

Reached for comment about the findings, Chick-fil-A issued the following statement:

“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants.  We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”

“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so.  If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card.  If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”

Continue reading →


29
Dec 14

Happy 5th Birthday, KrebsOnSecurity!

It’s hard to believe, but KrebsOnSecurity turns five years old today! How time flies!

5reflectProbably the most rewarding part about being an independent reporter (for my part, anyway) is watching your readership grow and mature into a community that not only adds perspective and balance but also helps educate other readers.

I’m very proud of the community that’s sprung up around this site, and I’m extremely grateful for all of the support and encouragement from you, Dear Reader. A few dozen readers have sent PayPal or Bitcoin donations, but most have supported this site with their time, expertise and tips (keep those coming, please).

So, from the bottom of my heart, a big THANK YOU and high five to all of you! I wish you all a very happy, healthy and prosperous 2015. Here’s to another five great years!

Leaving aside the pieces in my All About Skimmers series, here are some of the most-read, exclusive posts from the past 365 days:

Lorem Ipsum: Of Good and Evil, Google and China

A Peek Inside a Professional Carding Shop

Who’s Selling Credit Cards from Target?

Are Credit Monitoring Services Worth it?

Antivirus is Dead: Long Live Antivirus

Target Hackers Broke in Via HVAC Company

A First Look at the Target Intrusion, Malware

Banks: Credit Card Breach at Home Depot

The Scrap Value of a Hacked PC, Revisited (oldie but a goodie)


26
Dec 14

Cowards Attack Sony PlayStation, Microsoft xBox Networks

A gaggle of young misfits that has long tried to silence this Web site now is taking credit for preventing millions of users from playing Sony Playstation and Microsoft Xbox Live games this holiday season.

The group, which calls itself LizardSquad, started attacking the gaming networks on or around Christmas Day. Various statements posted by self-described LizardSquad members on their open online chat forum — chat.lizardpatrol.com — suggest that these misguided individuals launched the attack for no other reason than because they thought it would be amusing to annoy and disappoint people who received new Xbox and Playstation consoles as holiday gifts.

Such assaults, known as distributed denial-of-service (DDoS) attacks — harness the Internet connectivity of many hacked or misconfigured systems so that those systems are forced to simultaneously flood a target network with junk internet traffic. The goal, of course, is to prevent legitimate visitors from being able to load the site or or use the service under attack.

It’s unfortunate that some companies which specialize in DDoS protection services have chosen to promote their products by categorizing these latest attacks as “herculean” and “sophisticated;” these adjectives describe neither the attackers nor their attacks. The sad truth is that these attacks take advantage of compromised and misconfigured systems online, and there are tens of millions of these systems that can be freely leveraged to launch such attacks. What’s more, the tools and instructions for launching such assaults are widely available.

The LizardSquad leadership is closely tied to a cybercrime forum called Darkode[dot]com, a network of ne’er-do-wells that I have written about extensively. So much so, in fact, that the LizardSquad has made attacking KrebsOnSecurity.com and keeping it offline for at least 30 minutes a prerequisite “proof of skills” for any new members who wish to join their ranks (see the screen shot below).

LizardSquad wannabes trying to prove their "skills" by knocking my site offline.

LizardSquad wannabes trying to prove their “skills” by knocking my site offline.

Continue reading →


9
Dec 14

Unencrypted Data Lets Thieves ‘Charge Anywhere’

Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014.

chargeanywhereIn a statement released today, the South Plainfield, N.J. electronic payment provider said it launched investigation after receiving complaints about fraudulent charges on cards that had been legitimately used at certain merchants. The information stolen includes the customer name, card number, expiration date and verification code.

“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” the company explained. “Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.” Continue reading →


1
Dec 14

KrebsOnSecurity on CBS’s ’60 Minutes’

In case any of you loyal readers missed it, KrebsOnSecurity.com and its author were featured in a 60 Minutes interview last night on the credit and debit card breaches that have hit countless retailers and consumers over the past year.

60mk

I spent more than a dozen hours with 60 Minutes producers, film crews and the host of this segment — CBS’s Bill Whitaker, so I’m glad they were able to use as much footage as they did. Leading up to the filming, the producer of the show asked some very incisive questions — some of which I didn’t know the answers to myself — and I was hoping the segment would address some of the less discussed issues that contribute to this epidemic of card breaches. But, alas, I hope to explore some of those questions in future posts.

A link to a video and transcript of the program is here. Continue reading →


17
Nov 14

Amazon: Spam Nation one of “Best of Month”

A quick update on my new book, Spam Nation, The Inside Story of Organized Cybercrime — From Global Epidemic to Your Front Door debuting on bookstore shelves  Tuesday, Nov. 18: Amazon has selected Spam Nation as one of their “Best Books of the Month” picks for November, listed alongside such notable authors as Stephen King and Nora Roberts.

abbotm-cIn addition, my publisher has graciously extended the freeZeusGard offer until Nov. 25 for the next 500 people who order more than one copy of the book.

In early October we launched a promotion in which the first 1,000 readers to preorder more than one copy of the book, audio recording and/or e-book version of Spam Nation would receive a free, KrebsOnSecurity-branded ZeusGard, a USB-based technology that’s designed to streamline the process of adopting the Live CD approach for online banking.

Approximately 500 readers took us up on this offer, but that means we still have about 500 left! Thankfully, my publisher (Sourcebooks) has agreed to extend this offer by one week (until Nov. 25, 2014).

Finally, if you live in Chicago, San Francisco, Seattle or Austin and would like a personalized copy of Spam Nation, please consider joining me this week as I drop by a local bookstore near you! See the tour schedule for dates, times and locations.


31
Oct 14

KrebsOnSecurity Honored for Fraud Reporting

The Association of Certified Fraud Examiners today announced they have selected Yours Truly as the recipient of this year’s “Guardian Award,” an honor given annually to a journalist “whose determination, perseverance, and commitment to the truth have contributed significantly to the fight against fraud.”

acfeThe Guardian Award bears the inscription “For Vigilance in Fraud Reporting.”

Previous honorees include former Washington Post investigative reporter and two-time Pulitzer Prize winner Susan Schmidt; Diana Henriques, a New York Times contributing writer and author of The Wizard of Lies (a book about Bernie Madoff); and Allan Dodds Frank, a regular contributor to Fortune.com and The Daily Beast.

I’d like to thank the ACFE for this prestigious award, and offer a special note of thanks to all of you dear readers who continue to support my work as an independent journalist.

The ACFE’s blog post about the award is here.