Krebs on Security http://krebsonsecurity.com In-depth security news and investigation Thu, 17 Apr 2014 21:19:42 +0000 en-US hourly 1 http://wordpress.org/?v=3.8.3 3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches http://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/ http://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/#comments Thu, 17 Apr 2014 21:19:42 +0000 http://krebsonsecurity.com/?p=25704 Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

michaelsThe disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

]]>
http://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/feed/ 42
Critical Java Update Plugs 37 Security Holes http://krebsonsecurity.com/2014/04/critical-java-update-plugs-37-security-holes/ http://krebsonsecurity.com/2014/04/critical-java-update-plugs-37-security-holes/#comments Wed, 16 Apr 2014 14:17:12 +0000 http://krebsonsecurity.com/?p=25682 Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

]]>
http://krebsonsecurity.com/2014/04/critical-java-update-plugs-37-security-holes/feed/ 71
Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/ http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/#comments Tue, 15 Apr 2014 14:39:12 +0000 http://krebsonsecurity.com/?p=25674 Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

-An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion,Adobe Reader/Acrobat/Photoshop);

-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

]]>
http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/feed/ 51
Crimeware Helps File Fraudulent Tax Returns http://krebsonsecurity.com/2014/04/crimeware-helps-file-fraudulent-tax-returns/ http://krebsonsecurity.com/2014/04/crimeware-helps-file-fraudulent-tax-returns/#comments Mon, 14 Apr 2014 04:00:52 +0000 http://krebsonsecurity.com/?p=25514 Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

The control panel for a tax fraud botnet involving more than a half dozen victim organizations.

An obfuscated look at the he control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The "drops" page of this tax  fraud operation lists the nicknames of the co-conspirators who agreed to "cash out" funds on the prepaid cards generated by the bogus returns -- minus a small commission.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims maybe exploited not only for 2013 tax year but also down the road,  and perhaps subject of higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”

ULTIPRO USERS TARGETED

I spoke at length with Doug, a 45-year-old tax fraud victim at a company that was listed in the attacker’s control panel. Doug agreed to talk about his experience if I omitted his last name and his employer’s name from this story. Doug confirmed that the information in the attacker’s tax fraud panel was his and mostly correct, but he said he didn’t recognize the Gmail address used to fraudulently submit his taxes at H&R Block.

Doug said his employer recently sent out a company-wide email stating there had been a security breach at a cloud provider that was subcontracted to handle the company’s employee benefits and payroll systems.

“Our company sent out a blanket email saying there had been a security breach that included employee names, addresses, Social Security numbers, and other information, and that they were going to pay for a free year’s worth of credit monitoring,” Doug said.

Almost a week after that notification, the company sent out a second notice stating that the breach extended to the personal information of all spouses and children of its employees.

“We were later notified that the breach was much deeper than originally suspected, which included all of our beneficiaries, their personal information, my life insurance policy, 401-K stuff, and our taxes,” Doug said. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”

Doug has since spent many hours filling out countless forms with a variety of organizations, including the Federal Trade Commission, the FBI, the local police department, and of course the Internal Revenue Service.

Doug’s company and another victim at a separate company whose employees were all listed as recent tax fraud victims in the attacker’s online control panel both said their employers’ third-party cloud provider of payroll services was Weston, Fla.-based Ultimate Software. In each case, the attackers appear to have stolen the credentials of the victim organization’s human resources manager, credentials that were used to manage employee payroll and benefits at Ultipro, an online HR and payroll solutions provider.

Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.

“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”

Kaminsky continued:

“Unfortunately incidents of tax fraud this tax season across the U.S. are increasing and do not appear to be limited to just our customers or any one company (as I’m sure you’re well aware due to your close coverage of this issue). Over the past several weeks, we have communicated multiple times with our customers about recent threats of tax fraud and identity theft schemes.”

“We believe through schemes such as phishing or malware on end-user computers, criminals are attempting to obtain system login information and use those logins to access employee data for tax fraud purposes. We take identity theft schemes extremely seriously. As tax season progresses, we have been encouraging our customers to take steps to protect their systems such as enforcing frequent password resets and ensuring employee computers’ are up-to-date on anti-malware protection.”

PROTECT YOURSELF FROM TAX FRAUD

According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It’s important to note that fraudsters engaged in this type of crime are in no way singling out H&R Block or Ultipro. Cybercrooks in charge of large collections of hacked computers can just as easily siphon usernames and passwords — as well as incomplete returns — from taxpayers who are preparing returns via other online filing services, including TurboTax and TaxSlayer.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.

The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.

]]>
http://krebsonsecurity.com/2014/04/crimeware-helps-file-fraudulent-tax-returns/feed/ 95
Heartbleed Bug: What Can You Do? http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/ http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/#comments Thu, 10 Apr 2014 16:19:07 +0000 http://krebsonsecurity.com/?p=25638 In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable:

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

https://lastpass.com/heartbleed/

As I told The New York Times yesterday, it is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (e.g., I’m not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you’re concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).

It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of Internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-Web server stuff affected by this bug will be business-oriented devices (and not consumer-grade products such as routers, e.g.). The SANS Internet Storm Center is maintaining a list of commercial software and hardware devices that either have patches available for this bug or that will need them.

For those in search of more technical writeups/analyses of the Hearbleed bug, see this Vimeo video and this blog post (hat tip once again to Sandro Süffert).

Finally, given the growing public awareness of this bug, it’s probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question.

]]>
http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/feed/ 127
Adobe, Microsoft Push Critical Fixes http://krebsonsecurity.com/2014/04/adobe-microsoft-push-critical-fixes/ http://krebsonsecurity.com/2014/04/adobe-microsoft-push-critical-fixes/#comments Tue, 08 Apr 2014 20:43:09 +0000 http://krebsonsecurity.com/?p=25555 Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.

crackedwinTwo of the four patches that Microsoft issued come with Redmond’s “critical” rating (its most severe), meaning attackers or malware can exploit the flaws to break into vulnerable systems without any help from users. One of the critical patches is a cumulative update for Internet Explorer (MS14-018); the other addresses serious issues with Microsoft Word and Office Web apps (MS14-017), including a fix for a zero-day vulnerability that is already being actively exploited. More information on these and other patches are available here.

As expected, Microsoft also used today’s patch release to pitch XP users on upgrading to a newer version of Windows, warning that attackers will begin to zero in on XP users even more now that Microsoft will no longer be issuing security updates for the 13-year-old operating system. From Microsoft’s Technet blog:

“From the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need based on the latest cyber threats.  But at some point an older model of any product will lack the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.”

Microsoft offers free a Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, that it might be time to upgrade the computer hardware itself in addition to the software. In any case, beyond this month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

ADOBE

Adobe fixed at least four vulnerabilities in Flash, all of them critical. The company says it is not aware of any exploits in the wild against the flaws. The latest version is v. 13.0.0.182 for Windows, Mac and Linux systems. The Adobe advisory for the Flash update is here.

This link will tell you which version of Flash your browser has installed. IE10/IE11 for Windows 8.0/8.1 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 34.0.1847.116 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right at of the address bar, and select “About Google Chrome” from the drop down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

If you use Adobe AIR (required by some desktop software products such as Pandora, e.g.,), you’ll need to make sure that’s updated as well. AIR usually does a good job of checking for new versions on startup. If you’re not sure whether you have AIR installed or what version it’s at, see these directions. The latest version is 13.0.0.83, and is available for manual download here.

flash13-0-0-182

]]>
http://krebsonsecurity.com/2014/04/adobe-microsoft-push-critical-fixes/feed/ 21
‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/ http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/#comments Tue, 08 Apr 2014 16:33:51 +0000 http://krebsonsecurity.com/?p=25608 Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

Credit: Heartbleed.com

Credit: Heartbleed.com

From Heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL - OpenSSL 1.0.1g — as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert). For more on what you can do you to protect yourself from this vulnerability, see this post.

]]>
http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/feed/ 169
Fact-Checking Experian’s Talking Points http://krebsonsecurity.com/2014/04/fact-checking-experians-talking-points/ http://krebsonsecurity.com/2014/04/fact-checking-experians-talking-points/#comments Sat, 05 Apr 2014 23:51:53 +0000 http://krebsonsecurity.com/?p=25557 In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.

Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”

“It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”

I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.

-No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.

As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).

For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.

“Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.

-Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.

Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”

Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed,” in this fraud. But this mantra draws attention away from the real victim: Consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask to this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale? 

-Court Ventures was selling the data in question to the criminal for over a year before Experian acquired the assets of Court Ventures.

True. Which suggests there should have been plenty of evidence for Experian’s due diligence team to detect fraudulent activity of the sort generated by an identity theft service using its network. Perhaps just as importantly, Court Ventures continued to sell consumer records to the ID theft service for almost 10 months after Experian acquired the company.

-Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.

This publication has never stated that there was a breach of 200 million records. But it is true that KrebsOnSecurity.com was the first to report on the information contained in government statements made during the guilty plea hearing of Hieu Minh Ngo — the man who admitted to running the identity theft service. In those statements, prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator – had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.

A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice, (the perpetrator has recently pleaded guilty). We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo (the perpetrator), and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian.

If it really was US Info Search — not Court Ventures — whose database was accessed in this scheme, why is Experian suing Court Ventures? [Update, 9:03 P.M.: Databreaches.net has a good explanation to this question, which happens to support previous research of mine on why this breach could be far bigger than 3 million Americans).

Original story:

Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco? 

Regarding those victims, Experian’s Mr. Hadley stated under oath in front of a U.S. Senate committee that “we know who they are, and we’re going to make sure they’re protected.” But, incredibly, in the very next breath Hadley seemed to suggest that none of the millions of consumers whose data was stolen by Ngo and his identity theft service had experienced any danger of identity theft or were even in need of Experian’s protection.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley told the committee.

For his part, US Info Search CEO Martin says it doesn’t appear that Experian is interested in notifying anyone.

“We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”

Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action. But then again, what exactly would the company do? Offer them a year’s worth of dubiously valuable credit monitoring services? Oh wait, that’s right, Experian practically invented the hugely profitable credit monitoring industry, whose services are negotiated and purchased en masse virtually every time there is a major consumer data breach. Br’er Rabbit would be so proud.

In summary, Experian wants you to remember that the consumer data sold to Ngo’s identity theft service didn’t come directly from its database, but merely from the database of a company it owns. But happily, there is no proof that any of Ngo’s customers — who collectively paid Experian $1.9 million to access the data — actually harmed any consumers.

Readers who find all of this a bit hard to swallow can be forgiven: After all, this version of the facts comes from a company that has been granted a legal right to sell your personal data without your consent (opting out generally requires you to cut through a bunch of red tape and to pay them a fee on top of it). This from a company that is quibbling over which of its business units profited from the sale of consumer records to an identity theft service.

]]>
http://krebsonsecurity.com/2014/04/fact-checking-experians-talking-points/feed/ 39
U.S. States Investigating Breach at Experian http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/ http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/#comments Thu, 03 Apr 2014 21:45:32 +0000 http://krebsonsecurity.com/?p=25545 An exclusive KrebsOnSecurity investigation detailing how a unit of credit bureau Experian ended up selling consumer records to an identity theft service in the cybercrime underground has prompted a multi-state investigation by several attorneys general, according to wire reports.

Ngo's Identity theft service, superget.info

Ngo’s Identity theft service, superget.info

Reuters moved a story this afternoon quoting Illinois Attorney General Lisa Madigan saying that  ”it’s part of a multistate investigation,” and that Connecticut Attorney General George Jepsen said that Connecticut is looking into the matter as well.

News of the breach first came to light on this blog in October 2013, when KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus.

Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty last month to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.

But according to prosecutors, Ngo had already struck deals with one of the world’s biggest data brokers: Experian. Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans. 

According to U.S. government investigators, the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

]]>
http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/feed/ 59
Android Botnet Targets Middle East Banks http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/ http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/#comments Wed, 02 Apr 2014 23:32:25 +0000 http://krebsonsecurity.com/?p=23589 I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages.

The botnet — which I’ve affectionately dubbed “Sandroid” — comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

The fake Android bank apps employed by this botnet.

The fake Android bank apps employed by the Sandroid botnet.

It’s not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. And that precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim’s phone.

Banking Trojans — particularly those targeting customers of financial institutions outside of the United States — will often throw up a browser pop-up box that mimics the bank and asks the user to download a “security application” on their mobile phones. Those apps are instead phony programs that merely intercept and then relay the victim’s incoming SMS messages to the botnet master, who can then use the code along with the victim’s banking username and password to log in as the victim.

Text messages intercepted by the Sandroid botnet malware.

Some of the 28,000+ text messages intercepted by the Sandroid botnet malware.

This particular botnet appears to have been active for at least the past year, and the mobile malware associated with it has been documented by both Symantec and Trend Micro. The malware itself seems to be heavily detected by most of the antivirus products on the market, but then again it’s likely that few — if any — of these users are running antivirus applications on their mobile devices.

In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.

The miscreant behind this campaign seems to have done little to hide his activities. The same registry information that was used to register the domain associated with this botnet — funnygammi.com — was also used to register the phony bank domains that delivered this malware, including alrajhiankapps.com, commbankaddons.com, facebooksoft.net, caixadirecta.net, commbankapps.com, nationalaustralia.org, and stgeorgeaddons.com. The registrar used in each of those cases was Center of Ukrainian Internet Names.

I am often asked if people should be using mobile antivirus products. From my perspective, most of these malicious apps don’t just install themselves; they require the user to participate in the fraud. Keeping your mobile device free of malware involves following some of the same steps outlined in my Tools for a Safer PC and 3 Rules primers: Chiefly, if you didn’t go looking for it, don’t install it! If you own an Android device and wish to install an application, do your homework before installing the program. That means spending a few moments to research the app in question, and not installing apps that are of dubious provenance. 

That said, this malware appears to be well-detected by mobile antivirus solutions. Many antivirus firms offer free mobile versions of their products. Some are free, and others are free for the initial use — they will scan and remove malware for free but charge for yearly subscriptions. Some of the free offerings include AVG, Avast, Avira, Bitdefender, Dr. Web, ESET, Fortinet, Lookout, Norton, Panda Cloud Antivirus, Sophos, and ZoneAlarm.

Incidentally, the mobile phone number used to intercept all of the text messages is +79154369077, which traces back to a subscriber in Moscow on the Mobile Telesystems network.

]]>
http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/feed/ 22