Latest Warnings

Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?

From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.

In the context of computer and Internet security, supply chain security refers to the challenge of validating that a given piece of electronics — and by extension the software that powers those computing parts — does not include any extraneous or fraudulent components beyond what was specified by the company that paid for the production of said item.

In a nutshell, the Bloomberg story claims that San Jose, Calif. based tech giant Supermicro was somehow caught up in a plan to quietly insert a rice-sized computer chip on the circuit boards that get put into a variety of servers and electronic components purchased by major vendors, allegedly including Amazon and Apple. The chips were alleged to have spied on users of the devices and sent unspecified data back to the Chinese military.

It’s critical to note up top that Amazon, Apple and Supermicro have categorically denied most of the claims in the Bloomberg piece. That is, their positions refuting core components of the story would appear to leave little wiggle room for future backtracking on those statements. Amazon also penned a blog post that more emphatically stated their objections to the Bloomberg piece.

Nevertheless, Bloomberg reporters write that “the companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.”

The story continues:

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

Many readers have asked for my take on this piece. I heard similar allegations earlier this year about Supermicro and tried mightily to verify them but could not. That in itself should be zero gauge of the story’s potential merit. After all, I am just one guy, whereas this is the type of scoop that usually takes entire portions of a newsroom to research, report and vet. By Bloomberg’s own account, the story took more than a year to report and write, and cites 17 anonymous sources as confirming the activity.

Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list, “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

That example gives a whole new meaning to the term “supply chain,” doesn’t it? If Bloomberg’s reporting is accurate, that’s more or less what we’re dealing with here in Supermicro as well.

But here’s the thing: Even if you identify which technology vendors are guilty of supply-chain hacks, it can be difficult to enforce their banishment from the procurement chain. One reason is that it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today.

Take, for instance, the problem right now with insecure Internet of Things (IoT) devices — cheapo security cameras, Internet routers and digital video recorders — sold at places like Amazon and Walmart. Many of these IoT devices have become a major security problem because they are massively insecure by default and difficult if not also impractical to secure after they are sold and put into use.

For every company in China that produces these IoT devices, there are dozens of “white label” firms that market and/or sell the core electronic components as their own. So while security researchers might identify a set of security holes in IoT products made by one company whose products are white labeled by others, actually informing consumers about which third-party products include those vulnerabilities can be extremely challenging. In some cases, a technology vendor responsible for some part of this mess may simply go out of business or close its doors and re-emerge under different names and managers.

Mind you, there is no indication anyone is purposefully engineering so many of these IoT products to be insecure; a more likely explanation is that building in more security tends to make devices considerably more expensive and slower to market. In many cases, their insecurity stems from a combination of factors: They ship with every imaginable feature turned on by default; they bundle outdated software and firmware components; and their default settings are difficult or impossible for users to change.

We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered. But the U.S. Congress has held multiple hearings about supply chain security challenges, and the U.S. government has taken steps on several occasions to block Chinese tech companies from doing business with the federal government and/or U.S.-based firms.

Most recently, the Pentagon banned the sale of Chinese-made ZTE and Huawei phones on military bases, according to a Defense Department directive that cites security risks posed by the devices. The U.S. Department of Commerce also has instituted a seven-year export restriction for ZTE, resulting in a ban on U.S. component makers selling to ZTE.

Still, the issue here isn’t that we can’t trust technology products made in China. Indeed there are numerous examples of other countries — including the United States and its allies — slipping their own “backdoors” into hardware and software products.

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States.

Even if the U.S. government and Silicon Valley somehow mustered the funding and political will to do that, insisting that products sold to U.S. consumers or the U.S. government be made only with components made here in the U.S.A. would massively drive up the cost of all forms of technology. Consumers would almost certainly balk at buying these way more expensive devices. Years of experience has shown that consumers aren’t interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply. Continue reading →

Voice Phishing Scams Are Getting More Clever

Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).

Matt Haughey is the creator of the community Weblog MetaFilter and a writer at Slack. Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out.

Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? It was the first time the voice inside his head spoke up and said, “Something isn’t right, Matt.” But, he figured, the customer service person at the credit union was trying to be helpful: She was doing him a favor, he reasoned.

The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother’s maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it.

Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He’d given this code out previously in the few times he’d used his card to pay for something over the phone.

Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she’d make sure his existing PIN also served as the PIN for his new card.

Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.

“I balked at challenging her because everything lined up,” he said in an interview with KrebsOnSecurity. “But when I hung up the phone and told a friend about it, he was like, ‘Oh man, you just got scammed, there’s no way that’s real.'”

Now more concerned, Haughey visited his credit union to make sure his travel arrangements were set. When he began telling the bank employee what had transpired, he could tell by the look on her face that his friend was right.

A review of his account showed that there were indeed two fraudulent charges on his account from earlier that day totaling $3,400, but neither charge was from Ohio. Rather, someone used a counterfeit copy of his debit card to spend more than $2,900 at a Kroger near Atlanta, and to withdraw almost $500 from an ATM in the same area. After the unauthorized charges, he had just $300 remaining in his account.

“People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,” Haughey said.

Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate. Continue reading →

A Little Sunshine / Latest Warnings / The Coming Storm / Web Fraud 2.0 — 32 Comments
24
Sep 18

Beware of Hurricane Florence Relief Scams

If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent.

For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information about who is running the site or what will be done with donated funds.

The landing page for hurricaneflorencerelieffund-dot-com also is the landing page for at least 4 other Hurricane Florence donation sites that use the same anonymous PayPal address.

Among the earliest of these is hurricaneflorencerelieffund-dot-com, registered anonymously via GoDaddy on Sept. 13, 2018. Donations sent through the site’s PayPal page go to an email address tied to the PayPal account on the site (info@hurricaneflorencerelieffund-dot-com); emails to that address did not elicit a response.

Sometime in the past few days, several other Florence-related domains that were previous parked at GoDaddy now redirect to this domain, including hurricanflorence-dot-org (note the missing “e”); florencedisaster-dot-org; florencefunds-dot-com; and hurricaneflorencedonation-dot-com. All of these domains include the phone number 833-FLO-FUND, which rings to an automated system that ultimately asks the caller to leave a message. There is no information provided about the organization or individual running the sites.

The domain hurricaneflorencedisasterfund-dot-com has a slightly different look and feel, invokes the name of the Red Cross and also includes the 833-FLO-FUND number. Likewise, it accepts PayPal donations tied to the same email address mentioned above. It claims “80% of all donations go directly to FIRST RESPONDERS in North & South Carolina!” although it provides no clear way to verify that claim.

Hurricaneflorencedisasterfund-dot-com is one of several domains anonymously accepting PayPal donations, purportedly on behalf of Hurricane Florence victims.

The domain hurricaneflorencerelief-dot-fund, registered on Sept. 11, also accepts PayPal donations with minimal information about who might benefit from monies given. The site links to Facebook, Twitter and other social network accounts set up with the same name, although none of them appear to have any meaningful content. The email address tied to that PayPal account — hurricaneflorencerelief@gmail.com — did not respond to requests for comment.

The domain theflorencefund-dot-com until recently also accepted PayPal donations and had an associated Twitter account (now deleted), but that domain recently changed its homepage to include the message, “Due to the change in Florence’s path, we’re suspending our efforts.” Continue reading →

A Little Sunshine / Latest Warnings — 57 Comments
5
Sep 18

Browser Extensions: Are They Worth the Risk?

Popular file-sharing site Mega.nz is warning users that cybercriminals hacked its browser extension for Google Chrome so that usernames and passwords submitted through the browser were copied and forwarded to a rogue server in Ukraine. This attack serves as a fresh reminder that legitimate browser extensions can and periodically do fall into the wrong hands, and that it makes good security sense to limit your exposure to such attacks by getting rid of extensions that are no longer useful or actively maintained by developers.

In a statement posted to its Web site, Mega.nz said the extension for Chrome was compromised after its Chrome Web store account was hacked. From their post:

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”

Browser extensions can be incredibly handy and useful, but compromised extensions — depending on the level of “permissions” or access originally granted to them — also can give attackers access to all data on your computer and the Web sites you visit.

For its part, Google tries to communicate the potential risk of extensions using three “alert” levels: Low, medium and high, as detailed in the screenshot below. In practice, however, most extensions carry the medium or high alert level, which means that if the extension is somehow compromised (or malicious from the get-go), the attacker in control of it is going to have access to ton of sensitive information on a great many Internet users. Continue reading →

Latest Warnings / The Coming Storm / Time to Patch — 21 Comments
23
Aug 18

Experts Urge Rapid Patching of ‘Struts’ Bug

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.

On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.

An alert about the Apache security update was posted Wednesday by Semmle, the San Francisco software company whose researchers discovered the bug.

“The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,” the alert warns.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.” Continue reading →

Latest Warnings / The Coming Storm — 40 Comments
27
Jul 18

State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China

Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.

This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”

Several U.S. state and local government agencies have reported receiving this letter, which includes a malware-laden CD. Images copyright Sarah Barsness.

The MS-ISAC said preliminary analysis of the CDs indicate they contain Mandarin language Microsoft Word (.doc) files, some of which include malicious Visual Basic scripts. So far, State Archives, State Historical Societies, and a State Department of Cultural Affairs have all received letters addressed specifically to them, the MS-ISAC says. It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.

I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.

Nevertheless, attacks like this are a reminder that cybercrime can take many forms. The first of Krebs’s 3 Basic Rules for Online Safety — “If you didn’t go looking for it don’t install it” — applies just as well here: If you didn’t go looking for it, don’t insert it or open it.

A Little Sunshine / Latest Warnings / The Coming Storm — 1,076 Comments
12
Jul 18

Sextortion Scam Uses Recipient’s Hacked Passwords

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

Continue reading →

Latest Warnings / Security Tools — 76 Comments
28
Jun 18

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.

Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters.

Carrie Kerskie is president of Griffon Force LLC, a company in Naples, Fla. that helps identity theft victims recover from fraud incidents. Kerskie recalled a recent case in which thieves purchased pricey items from a local jewelry store in the name of an elderly client who’d previously bought items at that location as gifts for his late wife.

In that incident, the perpetrator presented a MasterCard Black Card in the victim’s name along with a fake ID created in the victim’s name (but with the thief’s photo). When the jewelry store called the number on file to verify the transactions, the call came through to the impostor’s cell phone right there in the store.

Kerskie said a follow-up investigation revealed that the client had never set up an account at his ISP (Comcast) to manage it online. Multiple calls with the ISP’s customer support people revealed that someone had recently called Comcast pretending to be the 86-year-old client and established an online account.

“The victim never set up his account online, and the bad guy called Comcast and gave the victim’s name, address and Social Security number along with an email address,” Kerskie said. “Once that was set up, the bad guy logged in to the account and forwarded the victim’s calls to another number.”

Incredibly, Kerskie said, the fraudster immediately called Comcast to ask about the reason for the sudden account changes.

“While I was on the phone with Comcast, the customer rep told me to hold on a minute, that she’d just received a communication from the victim,” Kerskie recalled. “I told the rep that the client was sitting right beside me at the time, and that the call wasn’t from him. The minute we changed the call forwarding options, the fraudster called customer service to ask why the account had been changed.”

Two to three days after Kerskie helped the client clean up fraud with the Comcast account, she got a frantic call from the client’s daughter, who said she’d been trying her dad’s mobile phone but that he hadn’t answered in days. They soon discovered that dear old dad was just fine, but that he’d also neglected to set up an online account at his mobile phone provider.

“The bad guy had called in to the mobile carrier, provided his personal details, and established an online account,” Kerskie said. “Once they did that, they were able transfer his phone service to a new device.”

OFFLINE BANKING

Many people naively believe that if they never set up their bank or retirement accounts for online access then cyber thieves can’t get access either. But Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity.

“What we found is that the attacker linked the client’s bank account to an American Express Gift card, but in order to do that the bad guy had to know the exact amount of the microdeposit that AMEX placed in his account,” Kerskie said. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled. In this case, had the client established an online account previously, he would have received a message asking to confirm the fraudulent transaction.”

After tying the victim’s bank account to a prepaid card, the fraudster began slowly withdrawing funds in $5,000 increments. All told, thieves managed to siphon almost $170,000 over a six month period. The victim’s accounts were being managed by a trusted acquaintance, but the withdrawals didn’t raise alarms because they were roughly in line with withdrawal amounts the victim had made previously.

“But because the victim didn’t notify the bank within 60 days of the fraudulent transactions as required by law, the bank only had to refund the last 60 days worth of fraudulent transactions,” Kerskie said. “We were ultimately able to help him recover most of it, but that was a whole other ordeal.” Continue reading →

Latest Warnings — 40 Comments
18
Jun 18

Google to Fix Location Data Leak in Google Home, Chromecast

Google in the coming weeks is expected to fix a location privacy leak in two of its most popular consumer products. New research shows that Web sites can run a simple script in the background that collects precise location data on people who have a Google Home or Chromecast device installed anywhere on their local network.

Craig Young, a researcher with security firm Tripwire, said he discovered an authentication weakness that leaks incredibly accurate location information about users of both the smart speaker and home assistant Google Home, and Chromecast, a small electronic device that makes it simple to stream TV shows, movies and games to a digital television or monitor.

Young said the attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

It is common for Web sites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.

This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smart phone and see how well navigation apps like Google’s Waze can still figure out where you are].

“The difference between this and a basic IP geolocation is the level of precision,” Young said. “For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”

Young said a demo he created (a video of which is below) is accurate enough that he can tell roughly how far apart his device in the kitchen is from another device in the basement.

“I’ve only tested this in three environments so far, but in each case the location corresponds to the right street address,” Young said. “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”

Beyond leaking a Chromecast or Google Home user’s precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings, Young notes.

“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”

When Young first reached out to Google in May about his findings, the company replied by closing his bug report with a “Status: Won’t Fix (Intended Behavior)” message. But after being contacted by KrebsOnSecurity, Google changed its tune, saying it planned to ship an update to address the privacy leak in both devices. Currently, that update is slated to be released in mid-July 2018. Continue reading →

Latest Warnings / Security Tools / The Coming Storm — 81 Comments
28
May 18

FBI: Kindly Reboot Your Router Now, Please

The Federal Bureau of Investigation (FBI) is warning that a new malware threat has rapidly infected more than a half-million consumer devices. To help arrest the spread of the malware, the FBI and security firms are urging home Internet users to reboot routers and network-attached storage devices made by a range of technology manufacturers.

The growing menace — dubbed VPNFilter — targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices, according to researchers at Cisco.

Experts are still trying to learn all that VPNFilter is built to do, but for now they know it can do two things well: Steal Web site credentials; and issue a self-destruct command, effectively rendering infected devices inoperable for most consumers.

Cisco researchers said they’re not yet sure how these 500,000 devices were infected with VPNFilter, but that most of the targeted devices have known public exploits or default credentials that make compromising them relatively straightforward.

“All of this has contributed to the quiet growth of this threat since at least 2016,” the company wrote on its Talos Intelligence blog.

The Justice Department said last week that VPNFilter is the handiwork of “APT28,” the security industry code name for a group of Russian state-sponsored hackers also known as “Fancy Bear” and the “Sofacy Group.” This is the same group accused of conducting election meddling attacks during the 2016 U.S. presidential race.

“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide,” the FBI said in a warning posted to the Web site of the Internet Crime Complaint Center (IC3). “The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”

According to Cisco, here’s a list of the known affected devices: Continue reading →