Happy 6th Birthday, KrebsOnSecurity!

December 29, 2015

You know you’re getting old when you can’t remember your own birthday (a reader tipped me off). Today is the sixth anniversary of this site’s launch! KrebsOnSecurity turns 6! I’m pretty sure that’s like middle age in Internet years.

sixfingersAbsolutely none of this would be possible without you, Dear Reader. You have supported, encouraged and inspired me in too many ways to count these past years. The community that’s sprung up around here has been a joy to watch, and essential to the site’s success. Thank you!

I tried for at least one post per weekday in 2015, and came close, publishing some 206 entries this year (not counting this one). The frequency of new posts suffered a bit from September to November, when I was on the road nearly 24/7 for a series of back-to-back speaking gigs. Fun fact: Since its inception, this site has featured some 1,200 stories that generated more than 62,000 reader comments. Continue reading

Flash Player Patch Fixes 0-Day, 18 Other Flaws

December 28, 2015

Adobe has shipped a new version of its Flash Player browser plugin to close at least 19 security holes in the program, including one that is already being exploited in active attacks.

brokenflash-aThe new Flash version, v. 20.0.0.267 for most Mac and Windows users, includes a fix for a vulnerability (CVE-2015-8651) that Adobe says is being used in “limited, targeted attacks.” If you have Flash installed, please update it.

Better yet, get rid of Flash altogether, or at least disable it until and unless you need it. Doing without Flash just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). This link should tell you whether your system has Flash and if so which version of Flash is installed in your browser.

Advertisement

2016 Reality: Lazy Authentication Still the Norm

December 28, 2015

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain's Twitter profile photo.

Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Nevermind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license. Continue reading

Malware-Driven Card Breach at Hyatt Hotels

December 23, 2015

Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.

hyattHyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”

As of September 30, 2015, Chicago-based Hyatt’s worldwide portfolio included 627 properties in 52 countries.

Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.

Expect Phishers to Up Their Game in 2016

December 23, 2015

Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.

passcrackNew authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.

According to TechCrunch, Google is giving select Gmail users a password-free means of signing in. It uses a “push” notification sent to your phone that then opens an app where you approve the log-in.

The article says the service Google is experimenting with will let users sign in without entering a password, but that people can continue to use their typed password if they choose. It also says Google may still ask for your password as an additional security measure if it notices anything unusual about a login attempt.

The new authentication feature being tested by some Gmail users comes on the heels of a similar service Yahoo! debuted in October 2015. That offering, called “on-demand passwords,” will text users a random four-character code (the ones I saw were all uppercase letters) that needs to be entered into a browser or mobile device.

yahoogetstarted

This is not Yahoo!’s first stab at two-factor authentication. Another security feature it has offered for years — called “two-step verification” — sends a security code to your phone when you log in from new devices, but only after you supply your password. Yahoo! users who wish to take advantage of the passwords-free, on-demand password feature will need to disable two-step verification for on-demand passwords to work.

Continue reading

Oracle, LifeLock Settle FTC Deception Charges

December 21, 2015

The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security. LifeLock agreed to pay $100 million for violating a 2010 promise to cease deceptive advertising practices. Oracle’s legal troubles with the FTC stem from its failure to fully remove older, less secure versions of Java when consumers installed the latest Java software.

javamessThe FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software.  Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said “The security issues allowed hackers’ to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.” Continue reading

Password Thieves Target E-Giftcard Firm Gyft

December 18, 2015

Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.

gyftMountain View, Calif. based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.

Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.

Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.

The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.

Gyft was acquired in July 2014 by payment giant First Data, a company that has traditionally specialized in processing credit cards and managing ATMs. Continue reading

Banks: Card Breach at Landry’s Restaurants

December 17, 2015

Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely Landry’s Inc., a company that manages a nationwide stable of well-known restaurants — including Bubba Gump, Claim Jumper, McCormick & Schmick’s, and Morton’s. 

Update, 2:57 p.m. ET: Landry’s has acknowledged an investigation. Their press release is available here (PDF).

landrys

Original story:

Houston-based Landry’s Inc. owns and operates more than 500 properties, such as Landry’s Seafood, Chart House and Rainforest Cafe. Last week, I began hearing from banking industry sources who said fraud patterns on cards they’d issued to customers strongly suggested a breach at the restaurateur. Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry’s locations.

It remains unclear how many of Landry’s 500 properties may be affected. The company says it is investigating reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of its restaurants. An online FAQ about the incident posted to Landry’s site says the company does not yet know the extent of the breach.

Restaurants are a prime target for credit card thieves, mainly because they traditionally have not placed a huge emphasis on securing their payment systems. The attackers typically exploit security vulnerabilities or weaknesses in point-of-sale devices to install malicious software that steals credit and debit card data.

Thieves can encode the stolen data onto new plastic and use the counterfeit cards at big box retailers like Best Buy and Target. Indeed, multiple sources in the banking industry say they are now seeing fraudulent purchases at big box stores on cards that all were used at apparently compromised Landry’s locations.

Skimmers Found at Some Calif., Colo. Safeways

December 16, 2015

Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.

safeway

Banking sources say they’ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a “terminal ID” which can be useful in determining which checkout lanes were compromised.

Safeway spokesperson Brian Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.

“We have an excellent track record in this area,” Dowling said. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.” Continue reading

13 Million MacKeeper Users Exposed

December 14, 2015

The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users. Perhaps more interestingly, the guy who found and reported the breach doesn’t even own a Mac, and discovered the data trove merely by browsing Shodan — a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.

mackeeperIT helpdesk guy by day and security researcher by night, 31-year-old Chris Vickery said he unearthed the 21 gb trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections.

Vickery told Shodan to find all known instances of database servers listening for incoming connections on port 27017. “Ports” are like doorways that govern access into and out of specific areas of a server, and each port number generally maps to one or a handful of known Web applications and services. Port 27017 happens to be associated with MongoDB, a popular database management system.

In short order, Vickery’s request turned up four different Internet addresses, all of which he later learned belonged to Kromtech, the company that makes MacKeeper.

“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

Vickery said he reached out the company, which responded quickly by shuttering public access to its user database, and publicly thanking him for reporting it.

“Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement published to its site totday. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech said all customer credit card and payment information is processed by a 3rd party merchant and was never at risk. Continue reading