May, 2014


15
May 14

The Mad, Mad Dash to Update Flash

An analysis of how quickly different browser users patch Adobe Flash vulnerabilities shows a marked variation among browser makers. The data suggest that Google Chrome and Mozilla Firefox users tend to get Flash updates relatively quickly, while many users on Microsoft’s Internet Explorer browser consistently lag behind.

The information comes from ThreatMetrix, a company that helps retailers and financial institutions detect and block patterns of online fraud. ThreatMetrix Chief Technology Officer Andreas Baumhof looked back over the past five months across 10,000+ sites the company serves, to see how quickly visitors were updating to the latest versions of Flash.

Baumhof measured the rates of update adoption for these six Flash patches:

Jan 14, 2014 – APSB14-02 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Feb 4, 2014 – APSB14-04 Security updates available for Adobe Flash Player (2 critical flaws, including 1 zero-day)

Feb 20, 2014 – APSB14-07 Security updates available for Adobe Flash Player (1 zero-day)

Mar 11, 2014 – APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Apr 8, 2014, – APSB14-09 Security updates available for Adobe Flash Player (4 critical vulnerabilities)

Apr 28, 2014 – APSB14-13 Security updates available for Adobe Flash Player (1 zero-day)

Overall, Google Chrome users were protected the fastest. According to Baumhof, Chrome usually takes just a few days to push the latest update out to 90 percent of users. Chrome pioneered auto-updates for Flash several years ago, with Firefox and newer versions of IE both following suit in recent years.

The adoption rate, broken down by browser type, of the last six Adobe Flash updates.

The adoption rate, broken down by browser type, of the last six Adobe Flash updates.

Interestingly, the data show that IE users tend to receive updates at a considerably slower clip (although there are a few times in which IE surpasses Firefox users in adoption of the latest Flash updates).  This probably has to do with the way Flash is updated on IE, and the legacy versions of IE that are still out there. Flash seems to have more of a seamless auto-update process on IE 10 and 11 on Windows 8 and above, and more of a manual one on earlier versions of the browser and operating system.

Another explanation for IE’s performance here is that it is commonly used in business environments, which tend to take a few days at least to test patches before rolling them out in a coordinated fashion across the enterprise along with the rest of the Patch Tuesday updates. Continue reading →


13
May 14

Adobe, Microsoft Issue Critical Security Fixes

Adobe and Microsoft today each released software updates to plug dangerous security holes in their products. Adobe pushed patches to fix holes in Adobe Acrobat/Reader as well as Flash Player. Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system.

A majority of the patches released by Microsoft are fixes for products that run in enterprise environments. Chief among the consumer-facing Microsoft updates is cumulative patch for Internet Explorer that fixes a pair of flaws in all supported versions of IE. This patch also includes the emergency update that Microsoft released earlier this month to address a zero-day vulnerability in IE. Microsoft also issued fixes for several Office vulnerabilities. This month’s batch also includes a .NET fix, which in my experience is best installed separately.

Adobe released a fix for its Flash Player software that corrects at least six security flaws. The Flash update brings the media player to v. 13.0.0.214 on Windows and Mac systems, and v. 11.2.202.359 for Linux users. To see which version of Flash you have installed, check this linkContinue reading →


13
May 14

Postal Service: Beware Stamp Kiosk Skimmers

The United States Postal Inspection Service is investigating reports that fraudsters are installing skimming devices on automated stamp vending machines at Post Office locations across the United States, KrebsOnSecurity has learned.

USPS Automated Postal Center (APC) self-service stamp kiosk.

USPS Automated Postal Center (APC) self-service stamp kiosk.

Earlier this month, I began hearing from sources in the banking industry about fraudulent debit card activity on cards that were all recently used at self-service stamp vending machines at U.S. Post Offices in at least 13 states and the District of Columbia.

Asked about the activity, a spokesperson for the U.S. Postal Inspection Service confirmed that the agency has an open investigation into the matter, but declined to elaborate further beyond offering tips for consumers to help spot skimming devices that may be affixed to automated stamp vending machines at post office locations.

In an emailed response, the USPIS said it is urging USPS employees to visually inspect the Automated Postal Center (APC) machines multiple times during the day, and that it is asking customers to do the same.

“USPIS recommends customers who use the APC machine should personally visually inspect the machine prior to use,” the USPIS said. “Look for any type of plastic piece that looks like it has been slid over the actual credit card reader. Look for any other type of marking on the machine that looks as though it has been applied by a third-party.”

The USPIS is asking customers who see something that appears to be out of place on the machines to notify the local post office supervisor immediately.

The USPIS declined to answer additional questions about the investigation, such as when the fraud first began. But according to sources at two separate financial institutions whose customers have been impacted by the activity, the fraud began in late November 2013, and has been traced back to self-service stamp vending machines in Arizona, California, Colorado, Florida, Georgia, Kentucky, Massachusetts, Nebraska, New York, Oregon, Pennsylvania, Utah, Virginia, and Washington, D.C. Continue reading →


12
May 14

Teen Arrested for 30+ Swattings, Bomb Threats

A 16-year-old male from Ottawa, Canada has been arrested for allegedly making at least 30 fraudulent calls to emergency services across North America over the past few months. The false alarms — two of which targeted this reporter — involved calling in phony bomb threats and multiple attempts at “swatting” — a hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.

po2-swatbkOn March 9, a user on Twitter named @ProbablyOnion (possibly NSFW) started sending me rude and annoying messages. A month later (and several weeks after blocking him on Twitter), I received a phone call from the local police department. It was early in the morning on Apr. 10, and the cops wanted to know if everything was okay at our address.

Since this was not the first time someone had called in a fake hostage situation at my home, the call I received came from the police department’s non-emergency number, and they were unsurprised when I told them that the Krebs manor and all of its inhabitants were just fine.

Minutes after my local police department received that fake notification, @ProbablyOnion was bragging on Twitter about swatting me, including me on his public messages: “You have 5 hostages? And you will kill 1 hostage every 6 times and the police have 25 minutes to get you $100k in clear plastic.” Another message read: “Good morning! Just dispatched a swat team to your house, they didn’t even call you this time, hahaha.”

I told this user privately that targeting an investigative reporter maybe wasn’t the brightest idea, and that he was likely to wind up in jail soon. But @ProbablyOnion was on a roll: That same day, he hung out his for-hire sign on Twitter, with the following message: “want someone swatted? Tweet me  their name, address and I’ll make it happen.” Continue reading →


7
May 14

Antivirus is Dead: Long Live Antivirus!

An article in The Wall Street Journal this week quoted executives from antivirus pioneer Symantec uttering words that would have been industry heresy a few years ago, declaring antivirus software “dead” and stating that the company is focusing on developing technologies that attack online threats from a different angle.

Ads for various crypting services.

Ads for various crypting services.

This hardly comes as news for anyone in the security industry who’s been paying attention over the past few years, but I’m writing about it because this is a great example of how the cybercrime underground responds to — and in some cases surpasses — innovations put in place by the good guys.

About 15 years ago, when the antivirus industry was quite young, there were far fewer competitors in the anti-malware space. Most antivirus firms at the time had a couple of guys in the lab whose job it was to dissect, poke and prod at the new crimeware specimens. After that, they’d typically write reports about the new threats, and then ship “detection signatures” that would ostensibly protect customers that hadn’t already been compromised by the new nasties.

This seemed to work for while, until the smart guys in the industry started noticing that the volume of malicious software being released on the Internet each year was growing at fairly steady clip. Many of the industry’s leaders decided that if they didn’t invest heavily in technologies and approaches that could help automate the detection and classification of new malware threats, that they were going to lose this digital arms race.

So that’s exactly what these firms did: They went on a buying spree and purchased companies and technologies left and right, all in a bid to build this quasi-artificial intelligence they called “heuristic detection.” And for a while after that, the threat from the daily glut of malware seemed to be coming under control.

But the bad guys didn’t exactly take this innovation laying down; rather, they responded with their own innovations. What they came up with is known as the “crypting” service, a service that has spawned an entire industry that I would argue is one of the most bustling and lucrative in the cybercrime underground today.

Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market. Continue reading →


6
May 14

The Target Breach, By the Numbers

News that Target’s CEO Gregg Steinhafle is stepping down has prompted a flurry of reports from media outlets trying to recap events since the company announced a data breach on Dec. 19, 2013. Sprinkled throughout those reports were lots of numbers, which got me to thinking about synthesizing them with some of the less-reported numbers associated with this epic breach.

numbers40 million The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).

0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).

18.00 – 35.70 – The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively). Continue reading →


1
May 14

Microsoft Issues Fix for IE Zero-Day, Includes XP Users

Microsoft has issued an emergency security update to fix a zer0-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month.

IEwarning

The rushed patch comes less than five days after the software giant warned users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.

“We have made the decision to issue a security update for Windows XP users,” writes Dustin C. Childs, group manager, response communications at Microsoft. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Microsoft says the majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. Windows users who don’t take advantage of the automatic updates feature of Windows (or who don’t wish to wait around for it to install the patch) can do so by visiting Windows Update.