September, 2015


8
Sep 15

Microsoft Pushes a Dozen Security Updates

Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.

brokenwindowsAccording to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, among others.

A critical fix for a Windows graphics component addresses flaws that previously showed up in two public disclosures, one of which Shavlik says is currently being exploited in the wild (CVE-2015-2546).  The 100th patch that Microsoft has issued so far this year — a salve for Windows Media Player – fixes two different vulnerabilities that were publicly disclosed before today (CVE-2015-2509 and CVE-2015-2504).

In other important patch news today, Adobe has released a security update for its Shockwave Player browser plugin. If you need this program, then update it; the latest version is v. 12.2.0.162. But in my experience, most users don’t need it and are better off without it. For more on what I say that, see Why You Should Ditch Adobe Shockwave.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.


7
Sep 15

Arrests Tied to Citadel, Dridex Malware

Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex. The arrests involved a Russian national and a Moldovan man, both of whom were traveling or residing outside of their native countries and are now facing extradition to the United States.

cuffedLast week, a 30-year-old from Moldova who was wanted by U.S. authorities was arrested in Paphos — a coastal vacation spot in Cyprus where the accused was reportedly staying with his wife. A story in the Cyprus Mail has few other details about the arrest, other than to say authorities believe the man was responsible for more than $3.5 million in bank fraud using a PC.

Sources close to the investigation say the man is a key figure in an organized crime gang responsible for developing and using a powerful banking Trojan known as “Dridex” (a.k.a. Cridex, Bugat). The Dridex gang is thought to have spun off from the “Business Club,” an Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide.

In June 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Business Club’s key asset: The Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs and was used in countless cyberheists. Dridex would first emerge in July 2014, a month after the Gameover Zeus botnet was dismantled.

Separately, the press in Norway writes about a 27-year-old Russian man identified only as “Mark” who was reportedly arrested in the Norwegian town of Fredrikstad at the request of the FBI. The story notes that American authorities believe Mark is the software developer behind Citadel, a malware-as-a-service product that played a key role in countless cyberheists against American and European small businesses.

For example, Citadel was thought to have been the very same malware used to steal usernames and passwords from a Pennsylvania heating and air conditioning vendor; those same stolen credentials were reportedly leveraged in the breach that resulted in the theft of nearly 40 million credit cards from Target Corp. in November and December of 2013.

The Norwegian newspaper VG writes that Mark has been held under house arrest for the past 11 months, while the FBI tries to work out his extradition to the United States. His detention is being fought by Russia, which is naturally opposed to the treatment he may receive in the United States and says the evidence against Mark is scant.

According to VG, the U.S. Justice Department believes Mark is none other than “Aquabox,” the nickname chosen by the proprietor of the Citadel malware, which was created based off of the source code for the ZeuS Trojan malware. Citadel was sold and marketed as a service that let buyers and users interact with the developer and one another, to solicit feedback on how to fix bugs in the malware program, and to request new features in the malware going forward.

For a full translation of the original Citadel sales pitch as penned by Aquabox in 2011, see this link (PDF). For a full translated version of the VG story on Mark, see this PDF (thanks to KrebsOnSecurity reader Jeevan Sivagnanasuntharam for helping with the translation). VG notes that Mark continues to maintain his innocence. [Side note: The Citadel malware has for years had in its code a dig directed at the author of this blog: Included in the guts of the Trojan is the text string, “Coded by BRIAN KREBS for personal use only. I love my job & wife.” Needless to say, the second part of that statement is true, but Citadel was not coded by this Brian Krebs.]

A text string inside of the Citadel trojan. Source: AhnLab

A text string inside of the Citadel trojan. Source: AhnLab

Ars Technica carries an interesting piece about Deniss Calovskis, a Latvian man who was arrested in February and extradited to the United States for his role in creating the Gozi virus, another powerful malware family that has been used in countless cyberheists. The 30-year-old Calovskis long maintained his innocence, but ultimately acknowledged his role in a guilty plea entered in a federal court in Manhattan last week. Continue reading →


3
Sep 15

More ATM “Insert Skimmer” Innovations

Most of us know to keep our guard up when withdrawing cash from an ATM and to look for any signs that the machine may have been tampered with. But ATM fraud experts say they continue to see criminal innovations with “insert skimmers,” wafer-thin data theft devices that fit inside the ATM’s card acceptance slot and do not alter the outward appearance of a compromised cash machine.

The insert skimmer pictured below was recently pulled from an ATM in Europe. According to a report by the European ATM Security Team (EAST), this type of device is inserted through the card reader throat and then sits inside the card reader capturing the data of cards that are subsequently inserted.

An insert skimmer.

An insert skimmer. Image: EAST.

Of course, an insert skimmer alone isn’t going to capture your PIN. For that, thieves typically rely on cleverly hidden tiny cameras. Often, the spy camera is tucked inside a false panel above or directly beside the PIN pad. But as I’ve noted in stories about skimming attacks that never touch the ATM (such as vestibule door skimmers), crooks often get very creative, hiding cameras behind things like convex mirrors — or even phony fire alarms.

The image below was captured last year by a U.S.-based bank’s own ATM security camera. It shows a skimmer scammer getting ready to install a tiny camera hidden inside of a fake fire alarm.

Hidden cameras made to work in tandem with skimming devices don't have to be hidden on the compromised ATM.

Hidden cameras made to work in tandem with skimming devices need not be hidden on the compromised ATM itself.

Continue reading →


2
Sep 15

OPM (Mis)Spends $133M on Credit Monitoring

The Office of Personnel Management (OPM) has awarded a $133 million contract to a private firm in an effort to provide credit monitoring services for three years to nearly 22 million people who had their Social Security numbers and other sensitive data stolen by cybercriminals. But perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.

Not long after news broke that Chinese hackers had stolen SSNs and far more sensitive data on 4.2 million individuals — including background investigations, fingerprint data, addresses, medical and mental-health history, and financial history — OPM announced it had awarded a contract worth more than $20 million to Austin, Texas-based identity protection firm CSID to provide 18 months of protection for those affected.

Soon after the CSID contract was awarded, the OPM acknowledged that the breach actually impacted more than five times as many individuals as originally thought. In response, the OPM has awarded a $133 million contract to Portland, Ore. based ID Experts.

No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims. While state-sponsored hackers thought to be responsible for this breach were likely interested in the data for more strategic than financial reasons (recruiting, discovering and/or thwarting spies), the OPM should not force breach victims to pay for true protection.

As I’ve noted in story after story, identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.

Many of these third party services also induce people to provide even more information than was leaked in the original breach. For example, CSID offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.

But there’s a catch: Depending on the state in which you reside, the freeze can cost $5 to $15 per credit bureau. Also, in some states consumers can be charged a fee to temporarily lift the freeze. Continue reading →


1
Sep 15

Like Kaspersky, Russian Antivirus Firm Dr.Web Tested Rivals

A recent Reuters story accusing Russian security firm Kaspersky Lab of faking malware to harm rivals prompted denials from the company’s eponymous chief executive — Eugene Kaspersky — who called the story “complete BS” and noted that his firm was a victim of such activity.  But according to interviews with the CEO of Dr.Web — Kaspersky’s main competitor in Russia — both companies experimented with ways to expose antivirus vendors who blindly accepted malware intelligence shared by rival firms.

quarantineThe Reuters piece cited anonymous, former Kaspersky employees who said the company assigned staff to reverse-engineer competitors’ virus detection software to figure out how to fool those products into flagging good files as malicious. Such errors, known in the industry as “false positives,” can be quite costly, disruptive and embarrassing for antivirus vendors and their customers.

Reuters cited an experiment that Kaspersky first publicized in 2010, in which a German computer magazine created ten harmless files and told antivirus scanning service Virustotal.com that Kaspersky detected them as malicious (Virustotal aggregates data on suspicious files and shares them with security companies). The story said the campaign targeted antivirus products sold or given away by AVG, Avast and Microsoft.

“Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010,” wrote Reuters’ Joe Menn. “When Kaspersky’s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.”

Eugene Kaspersky posted a lengthy denial of the story on his personal blog, calling the story a “conflation of a number of facts with a generous amount of pure fiction.”  But according to Dr.Web CEO Boris Sharov, Kaspersky was not alone in probing which antivirus firms were merely aping the technology of competitors instead of developing their own.

Dr. Web CEO Boris Sharov.

Dr.Web CEO Boris Sharov.

In an interview with KrebsOnSecurity, Sharov said Dr.Web conducted similar analyses and reached similar conclusions, although he said the company never mislabeled samples submitted to testing labs.

“We did the same kind of thing,” Sharov said. “We went to the [antivirus] testing laboratories and said, ‘We are sending you clean files, but a little bit modified. Could you please check what your system says about that?'”

Sharov said the testing lab came back very quickly with an answer: Seven antivirus products detected the clean files as malicious.

“At this point, we were very confused, because our explanation was very clear: ‘We are sending you clean files. A little bit modified, but clean, harmless files,'” Sharov recalled of an experiment the company said it conducted over three years ago. “We then observed the evolution of these two files, and a week later, half of the antivirus products were flagging them as bad. But we never flagged these ourselves as bad.”

Sharov said the experiments by both Dr.Web and Kaspersky — although conducted differently and independently — were attempts to expose the reality that many antivirus products are simply following the leaders.

“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,” Sharov said. “It’s unacceptable.”

According to Sharov, a good antivirus product actually consists of two products: One that is sold to customers in a box and/or or online, and the second component that customers will never see — the back-end internal infrastructure of people, machines and databases that are constantly scanning incoming suspicious files and testing the overall product for quality assurance. Such systems, he said, include exhaustive “clean file” tests, which scan incoming samples to make sure they are not simply known, good files. Programs that have never been seen before are nearly always given more scrutiny, but they also are a frequent source of false positives.

“We have sometimes false positives because we are unable to gather all the clean files in the world,” Sharov said. “We know that we can get some part of them, but pretty sure we never get 100 percent. Anyway, this second part of the [antivirus product] should be much more powerful, to make sure what you release to public is not harmful or dangerous.”

Sharov said some antivirus firms (he declined to name which) have traditionally not invested in all of this technology and manpower, but have nevertheless gained top market share.

“For me it’s not clear that [Kaspersky Lab] would have deliberately attacked other antivirus firm, because you can’t attack a company in this way if they don’t have the infrastructure behind it,” Sharov said. Continue reading →