Security Tools

Mar 18

Checked Your Credit Since the Equifax Hack?

A recent consumer survey suggests that half of all Americans still haven’t checked their credit report since the Equifax breach last year exposed the Social Security numbers, dates of birth, addresses and other personal information on nearly 150 million people. If you’re in that fifty percent, please make an effort to remedy that soon.

Credit reports from the three major bureaus — Equifax, Experian and TransUnion — can be obtained online for free at — the only Web site mandated by Congress to serve each American a free credit report every year. is run by a Florida-based company, but its data is supplied by the major credit bureaus, which struggled mightily to meet consumer demand for free credit reports in the immediate aftermath of the Equifax breach. Personally, I was unable to order a credit report for either me or my wife even two weeks after the Equifax breach went public: The site just kept returning errors and telling us to request the reports in writing via the U.S. Mail.

Based on thousands of comments left here in the days following the Equifax breach disclosure, I suspect many readers experienced the same but forgot to come back and try again. If this describes you, please take a moment this week to order your report(s) (and perhaps your spouse’s) and see if anything looks amiss. If you spot an error or something suspicious, contact the bureau that produced the report to correct the record immediately.

Of course, keeping on top of your credit report requires discipline, and if you’re not taking advantage of all three free reports each year you need to get a plan. My strategy is to put a reminder on our calendar to order a new report every four months or so, each time from a different credit bureau. Continue reading →

Feb 18

USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online

In October 2017, KrebsOnSecurity warned that ne’er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn’t at that point set up to use its own unique communication system — the U.S. mail — to alert residents when someone had signed up to receive these scanned images.

Image: USPS

The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed “Informed Delivery,” includes a scan of the front of each envelope destined for a specific address each day.

The Postal Service says consumer feedback on its Informed Delivery service has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any bills or other mail being delivered while they’re on the road. It has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide. U.S. residents can find out if their address is eligible by visiting

According to the USPS, some 8.1 million accounts have been created via the service so far (Oct. 7, 2017, the last time I wrote about Informed Delivery, there were 6.3 million subscribers, so the program has grown more than 28 percent in five months).

Roy Betts, a spokesperson for the USPS’s communications team, says post offices handled 50,000 Informed Delivery notifications the week of Feb. 16, and are delivering an additional 100,000 letters to existing Informed Delivery addresses this coming week.

Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 35,000 USPS retail locations nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.

If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.

A review of the methods used by the USPS to validate new account signups last fall suggested the service was wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.

Signing up requires an eligible resident to create a free user account at, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.

The USPS told me it uses two ID proofing vendors: Lexis Nexisand, naturally, recently breached big three credit bureau Equifax — to ask the magic KBA questions, rotating between them randomly.

KrebsOnSecurity has assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

It’s also nice when Equifax gives away a metric truckload of information about where you’ve worked, how much you made at each job, and what addresses you frequented when. See: How to Opt Out of Equifax Revealing Your Salary History for how much leaks from this lucrative division of Equifax. Continue reading →

Jan 18

Chronicle: A Meteor Aimed At Planet Threat Intel?

Alphabet Inc., the parent company of Google, said today it is in the process of rolling out a new service designed to help companies more quickly make sense of and act on the mountains of threat data produced each day by cybersecurity tools.

Countless organizations rely on a hodgepodge of security software, hardware and services to find and detect cybersecurity intrusions before an incursion by malicious software or hackers has the chance to metastasize into a full-blown data breach.

The problem is that the sheer volume of data produced by these tools is staggering and increasing each day, meaning already-stretched IT staff often miss key signs of an intrusion until it’s too late.

Enter “Chronicle,” a nascent platform that graduated from the tech giant’s “X” division, which is a separate entity tasked with tackling hard-to-solve problems with an eye toward leveraging the company’s core strengths: Massive data analytics and storage capabilities, machine learning and custom search capabilities.

“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” wrote Stephen Gillett, CEO of the new venture.

Few details have been released yet about how exactly Chronicle will work, although the company did say it would draw in part on data from VirusTotal, a free service acquired by Google in 2012 that allows users to scan suspicious files against dozens of commercial antivirus tools simultaneously.

Gillett said his division is already trialing the service with several Fortune 500 firms to test the preview release of Chronicle, but the company declined to name any of those participating.


It’s not terribly clear from Gillett’s post or another blog post from Alphabet’s X division by Astro Teller how exactly Chronicle will differentiate itself in such a crowded market for cybersecurity offerings. But it’s worth considering the impact that VirusTotal has had over the years.

Currently, VirusTotal handles approximately one million submissions each day. The results of each submission get shared back with the entire community of antivirus vendors who lend their tools to the service — which allows each vendor to benefit by adding malware signatures for new variants that their tools missed but that a preponderance of other tools flagged as malicious.

Naturally, cybercriminals have responded by creating their own criminal versions of VirusTotal: So-called “no distribute” scanners. These services cater to malware authors, and use the same stable of antivirus tools, except they prevent these tools from phoning home to the antivirus companies about new, unknown variants. Continue reading →

Jan 18

Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore to the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important. Continue reading →

Jul 16

Trump, DNC, RNC Flunk Email Security Test

Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, suggesting that anyone who is so lax with email security isn’t fit to become president. But a closer look at the Web sites for each candidate shows that in contrast to, has failed to take full advantage of a free and open email security technology designed to stymie email spoofing and phishing attacks.

atballAt issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.

DMARC may not yet be widely deployed beyond the major email providers, but that’s about to change. Google announced late last year that it will soon move to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification. And others are already moving in the same direction.

Probably the easiest way to understand DMARC is to walk through a single site’s records. According to the DMARC compliance lookup tool at — a DMARC awareness, training and support site — has fully implemented DMARC. This means that the campaign has posted a public policy that enables email providers like Google, Microsoft and Yahoo to quickly determine whether a message claiming to have been sent from was actually sent from that domain.

Specifically, (and this is where things can quickly descend into a Geek Factor 5 realm of nerdiness) DMARC sits on top of two existing technologies that try to make email easy to identify: Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

SPF is basically a list of Internet addresses and domains which are authorized to send email on behalf of (in case anyone’s interested, here’s a copy of the SPF record for DKIM allows email receivers to verify that a piece of email originated from an Internet domain through the use of public key cryptography. Deploying both technologies gives email receivers two ways to figure out if a piece of email is legitimate.

The DMARC record for Clinton’s site includes the text string “p=quarantine.” The “p” bit stands for policy, and “quarantine” means the Web site’s administrators have instructed email providers to quarantine all messages sent from addresses or domains not on that list and not signed with DKIM – effectively consigning them to the intended recipient’s “spam” or “junk” folder. Another blocking option available is “p=reject,” which tells email providers to outright drop or reject any mail sent from domains or addresses not specified in the organization’s SPF records and lacking any appropriate DKIM signatures.

Turning’s tool against, we can see that although the site is thinking about turning on DMARC, it hasn’t actually done so yet. The site’s DMARC records are set to the third option — “p=none” — which means the site administrators haven’t yet asked email providers to block or quarantine any messages that fail to match the site’s SPF records. Rather, the site merely asks email providers to report to “” about the source of any email messages claiming to have been sent by that domain. Continue reading →

Mar 16

eero: A Mesh WiFi Router Built for Security

User-friendly and secure. Hardly anyone would pick either word to describe the vast majority of wireless routers in use today. So naturally I was intrigued a year ago when I had the chance to pre-order a eero, a new WiFi system billed as easy-to-use, designed with security in mind, and able to dramatically extend the range of a wireless network without compromising speed. Here’s a brief review of the eero system I received and installed a week ago.

Three eero devices designed to create a "mesh" wireless network with extended range without compromising speed.

Three eero devices designed to create an extended range “mesh” wireless network without compromising speed.

The standard eero WiFi system comes with three eero devices, each about the width of a square coaster and roughly an inch thick. Every individual eero unit has two built-in WiFi radios that are designed to hand off traffic with the other two units.

This two-radio aspect is important, as most consumer devices that are made and marketed as WiFi range extenders or “repeaters” contain only one radio, and thus end up halving the speed of the repeated WiFi signal.

The makers of eero recommend one device for every 1,000 square feet, and advise placing one device no further than 40 feet from another. Each eero has two ethernet ports in the back, but only one of the eeros needs to be connected directly into your modem with an ethernet cable. That means that a 3-piece eero set has a total of five available ethernet ports, or at least one open ethernet port at each eero location.

Most wireless routers require owners to configure the device by using a hard-wired computer or laptop, opening a browser and navigating to a numeric Internet address to enter some default credentials. From there, you’re on your own. In contrast, the eero system relies on a simple mobile app for setup. The app asks for your name, email address and mobile number, and then sends a text with a one-time passcode.

After you verify the code on your mobile device, the app prompts you to pick a network name (SSID) and password. The device defaults to WPA-2 PSK (AES) for encryption — the strongest security currently available.

Once you’ve assigned each eero a unique location — and as long as the three devices can talk to each other — the network should be set up. The entire process — from placing and plugging in the eeros to setting up the network —  took me about five minutes, but most of that was just me walking from one room or floor to the next to adjust the location of the devices. Continue reading →

Feb 16

Good Riddance to Oracle’s Java Plugin

Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.

javamessAccording to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.

“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on computers of anyone visiting or forcibly redirected to booby-trapped sites without the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9. Continue reading →

Jan 16

FTC: Tax Fraud Behind 47% Spike in ID Theft

The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft.

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47 percent increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks.

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Those numbers roughly coincide with data released by the Internal Revenue Service (IRS), which also shows a major increase in tax-related identity theft in 2015.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Ramirez was speaking to reporters to get the word out about the agency’s new and improved online resource,, which aims to streamline the process of reporting various forms of identity theft to the FTC, the IRS, the credit bureaus and to state and local officials.

“The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools, that enables identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others,” Ramirez said. “Identity theft victims can now go online and get a free, personalized identity theft recovery plan.”

Ramirez added that the agency’s site does not collect sensitive data — such as drivers license or Social Security numbers. The areas where that information is required are left blank in the forms that get produced when consumers finish stepping through the process of filing an ID theft complaint (consumers are instructed to “fill these items in by hand, after you print it out”).

The FTC chief also said the agency is working with the credit bureaus to further streamline the process of reporting fraud. She declined to be specific about what that might entail, but the new and improved site is still far from automated. For example, the “recovery plan” produced when consumers file a report merely lists the phone numbers and includes Web site links for the major credit bureaus that consumers can use to place fraud alerts or file a security freeze.

The "My Recovery Plan" produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC requests that consumers not file false reports (I had their PR person remove this entry after filing it).

The “My Recovery Plan” produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC kindly requests that consumers not file false reports (I had their PR person remove this entry after filing it).

Nevertheless, I was encouraged to see the FTC urging consumers to request a security freeze on their credit file, even if this was the last option listed on the recovery plan that I was issued and the agency’s site appears to do little to help consumers actually file security freezes.

I’m also glad to see the Commission’s site employ multi-factor authentication for consumers who wish to receive a recovery plan in addition to filing an ID theft report with the FTC. Those who request a plan are asked to provide an email address, pick a complex password, and input a one-time code that is sent via text message or automated phone call. Continue reading →

Jan 16

The Lowdown on Freezing Your Kid’s Credit

A story in a national news source earlier this month about freezing your child’s credit file to preempt ID thieves prompted many readers to erroneously conclude that all states allow this as of 2016. The truth is that some states let parents create a file for their child and then freeze it, while many states have no laws on the matter. Here’s a short primer on the current situation, with the availability of credit freezes (a.k.a “security freeze”) for minors by state and by credit bureau.

The lighter-colored states have some type of law permitting parents and/or guardians to place a freeze or flag on a dependent's credit file.

The lighter-colored states have laws permitting parents and/or guardians to place a freeze or flag on a dependent’s credit file.

A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live. Why would ID thieves wish to assume a child’s identity? Because that child is (likely) a clean slate, which translates to plenty of available credit down the road. In addition, minors generally aren’t in the habit of checking their credit reports or even the existence of one, and most parents don’t find out about the crime until the child approaches the age of 18 (or well after).

A 2012 report on child identity theft from the Carnegie Mellon University CyLab delves into the problem of identity thieves targeting children for unused Social Security numbers. The study looked at identity theft protection scans done on some 40,000 children, and found that roughly 10 percent of them were victims of ID theft.

The Protect Children from Identity Theft Act, introduced in the House of Representatives in March 2015, would give parents and guardians the ability to create a protected, frozen credit file for their children. However, GovTrack currently gives the bill a two percent chance of passage in this Congress.

So for now, there is no federal law for minors regarding credit freezes. This has left it up to the states to establish their own policies.

Credit bureau Equifax offers a free service that will allow parents to create a credit report for a minor and freeze it regardless of the state requirement. The minor also does not have to be a victim of identity theft. Equifax has more information on this offering here.

Experian told me that company policy is not to create a file for a minor upon request unless mandated by state law. “However, if a file exists for the minor we will provide a copy free to the parent or legal guardian and will freeze it,” said Experian spokesperson Susan Henson.

Henson added that depending on state law, there may be a fee ranging from $3 to $10 associated with the minor’s freeze. However, if the minor is a victim of identity theft and the applicant submits a copy of a valid police or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles (DMV), the fee will be waived.

Trans Union has a form on its site that lets parents and guardians check for the presence of a credit file on their dependents. But it also only allows freezes in states that reserve that right for minors and their parents or guardians, and applicable fees may apply.

Innovis, often referred to as the fourth major consumer credit bureau, allows parents or guardians to place a freeze on their dependent’s file regardless of state laws. Continue reading →

Dec 15

Expect Phishers to Up Their Game in 2016

Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.

passcrackNew authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.

According to TechCrunch, Google is giving select Gmail users a password-free means of signing in. It uses a “push” notification sent to your phone that then opens an app where you approve the log-in.

The article says the service Google is experimenting with will let users sign in without entering a password, but that people can continue to use their typed password if they choose. It also says Google may still ask for your password as an additional security measure if it notices anything unusual about a login attempt.

The new authentication feature being tested by some Gmail users comes on the heels of a similar service Yahoo! debuted in October 2015. That offering, called “on-demand passwords,” will text users a random four-character code (the ones I saw were all uppercase letters) that needs to be entered into a browser or mobile device.


This is not Yahoo!’s first stab at two-factor authentication. Another security feature it has offered for years — called “two-step verification” — sends a security code to your phone when you log in from new devices, but only after you supply your password. Yahoo! users who wish to take advantage of the passwords-free, on-demand password feature will need to disable two-step verification for on-demand passwords to work.

Continue reading →