Krebs on Security

A Month Without Adobe Flash Player

June 23, 2015

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

Browser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Update, 11:30 a.m. ET: Oddly enough, Adobe just minutes ago released an out-of-band patch to fix a zero-day flaw in Flash.

Original story:

Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems to pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to the pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose. Continue reading →

“Free” Proxies Aren’t Necessarily Free

June 22, 2015

30 Comments

Netflix, Hulu and a host of other content streaming services block non-U.S. users from viewing their content. As a result, many people residing in or traveling outside of the United States seek to circumvent such restrictions by using services that advertise “free” and “open” Web proxies capable of routing browser traffic through U.S.-based computers and networks. Perhaps unsurprisingly, new research suggests that most of these “free” offerings are anything but, and actively seek to weaken browser security and privacy.

The data comes from Austrian researcher and teacher Christian Haschek, who published a simple script to check 443 open Web proxies (no, that number was not accidental). His script tries to see if a given proxy allows encrypted browser traffic (https://), and whether the proxy tries to modify site content or inject any content into the user’s browser session, such as ads or malicious scripts.

Haschek found that 79 percent of the proxies he tested forced users to load pages in unencrypted (http://) mode, meaning the owners of those proxies could see all of the traffic in plain text.

“It could be because they want you to use http so they can analyze your traffic and steal your logins,” Haschek said. “If I’m a good guy setting up a server so that people can use it to be secure and anonymous, I’m going to allow people to use https. But what is my motive if I tell users http only?”

Haschek’s research also revealed that slightly more than 16 percent of the proxy servers were actively modifying static HTML pages to inject ads.

Virtual private networks (VPNs) allow users to tunnel their encrypted traffic to different countries, but increasingly online content providers are blocking popular VPN services as well. Tor offers users the ability to encrypt and tunnel traffic for free, but in my experience the service isn’t reliably fast enough to stream video. Continue reading →

OPM’s Database for Sale? Nope, It Came from Another US .Gov

June 18, 2015

41 Comments

A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries.

Source: Unicor.gov

Earlier this week, miscreants who frequent the Hell cybercrime forum (a “Deep Web” site reachable only via the Tor network) began passing around a text file that contained more than 23,000 records which appeared to be a user database populated exclusively by user accounts with dot-gov email addresses. I thought it rather unlikely that the file had anything to do with the OPM hack, which was widely attributed to Chinese hackers who are typically interested in espionage — not selling the data they steal on open-air markets.

As discussed in my Oct. 2014 post, How to Tell Data Leaks from Publicity Stunts, there are several simple techniques that often can be used to tell whether a given data set is what it claims to be. One method involves sampling email addresses from the leaked/hacked database and then using them in an attempt to create new accounts at the site in question. In most cases, online sites and services will allow only one account per email address, so if a large, random sampling of email addresses from the database all come back as already registered at the site you suspect is the breached entity, then it’s a safe guess the data came from that entity.

How to know the identity of the organization from which the database was stolen? In most cases, database files list the users in the order in which they registered on the site. As a result, the email addresses and/or usernames for the first half-dozen or more users listed in the database are most often from the database administrators and/or site designers. When all of those initial addresses have the same top-level domain — in this case “unicor.gov” — it’s a good bet that’s your victim organization.

Image: Unicor.gov

According to Wikipedia, UNICOR is a wholly owned United States government corporation created in 1934 that uses penal labor from the Federal Bureau of Prisons to produce goods and services. It is apparently restricted to selling its products and services to federal government agencies, although recently private companies gained some access to UNICOR workforce. For instance, companies can outsource call centers to UNICOR. Case in point: If you call UNICOR’s main number off-hours, the voicemail message states that during business hours your call may be handled by an inmate! Continue reading →

Critical Flaws in Apple, Samsung Devices

June 17, 2015

51 Comments

Normally, I don’t cover vulnerabilities about which the user can do little or nothing to prevent, but two newly detailed flaws affecting hundreds of millions of Android, iOS and Apple products probably deserve special exceptions.

The first is a zero-day bug in iOS and OS X that allows the theft of both Keychain (Apple’s password management system) and app passwords. The flaw, first revealed in an academic paper (PDF) released by researchers from Indiana University, Peking University and the Georgia Institute of Technology, involves a vulnerability in Apple’s latest operating system versions that enable an app approved for download by the Apple Store to gain unauthorized access to other apps’ sensitive data.

“More specifically, we found that the inter-app interaction services, including the keychain…can be exploited…to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” the researchers wrote.

The team said they tested their findings by circumventing the restrictive security checks of the Apple Store, and that their attack apps were approved by the App Store in January 2015. According to the researchers, more than 88 percent of apps were “completely exposed” to the attack.

News of the research was first reported by The Register, which said that Apple was initially notified in October 2014 and that in February 2015 the company asked researchers to hold off disclosure for six months.

“The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults,” The Register wrote. “Google’s Chromium security team was more responsive and removed Keychain integration for Chrome noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware ‘work harder’ some four months after disclosure.”

A story at 9to5mac.com suggests the malware the researchers created to run their experiments can’t directly access existing keychain entries, but instead does so indirectly by forcing users to log in manually and then capturing those credentials in a newly-created entry.

“For now, the best advice would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores – and to be alert to any occasion where you are asked to login manually when that login is usually done by Keychain,” 9to5’s Ben Lovejoy writes.

SAMSUNG KEYBOARD FLAW

Separately, researchers at mobile security firm NowSecure disclosed they’d found a serious vulnerability in a third-party keyboard app that is pre-installed on more than 600 million Samsung mobile devices — including the recently released Galaxy S6 — that allows attackers to remotely access resources like GPS, camera and microphone, secretly install malicious apps, eavesdrop on incoming/outgoing messages or voice calls, and access pictures and text messages on vulnerable devices. Continue reading →

Password Manager LastPass Warns of Breach

June 16, 2015

120 Comments

LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.

In an alert posted to its blog, LastPass said the company has found no evidence that its encrypted user vault data was taken, nor that LastPass user accounts were accessed.

“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

Parsing LastPass’s statement requires a basic understanding of the way that passwords are generally stored. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse.

The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.

But by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.

“What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,” said Steve Bellovin, a professor in computer science at Columbia University . “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.”

More concerning in this particular breach, Bellovin said, is that users’ password reminders also were stolen.

Continue reading →

Catching Up on the OPM Breach

June 15, 2015

73 Comments

I heard from many readers last week who were curious why I had not weighed in on the massive (and apparently still unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a reporter to make sure everything hits the fan from a cybersecurity perspective is to take a two week vacation to the other end of the world. What follows is a timeline that helped me get my head on straight about the events that preceded this breach, followed by some analysis and links to other perspectives on the matter.

OPM offices in Washington, DC. Image: Flickr.

July 2014: OPM investigates a breach of its computer networks dating back to March 2014. Authorities trace the intrusion to China. OPM offers employees free credit monitoring and assures employees that no personal data appears to have been stolen.

Aug. 2014: It emerges that USIS, a background check provider for the U.S. Department of Homeland Security, was hacked. USIS offers 27,000 DHS employees credit monitoring through AllClearID (full disclosure: AllClear is an advertiser on this blog). Investigators say Chinese are hackers responsible, and that the attackers broke in by exploiting a vulnerability in an enterprise management software product from SAP. OPM soon suspends work with USIS.

November 2014: A report (PDF) by OPM’s Office of the Inspector General on the agency’s compliance with Federal Information Security Management Act finds “significant” deficiencies in the department’s IT security. The report found OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program. The audit also found that multi-factor authentication (the use of a token such as a smart card, along with an access code) was not required to access OPM systems. “We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program,” the report concluded.

Dec. 2014: KeyPoint, a company that took over background checks for USIS, suffers breach. OPM states that there is “no conclusive evidence to confirm sensitive information was removed from the system.” OPM vows to notify 48,439 federal workers that their information may have been exposed in the attack.

Feb. 2015: Health insurance giant Anthem discloses breach impacting nearly 80 million customers. Experts later trace domains, IP addresses implicated in attack to Chinese hackers. Anthem offers two years of free credit monitoring services through AllClearID.

May 2015: Premera Blue Cross, one of the insurance carriers that participates in the Federal Employees Health Benefits Program, discloses a breach affecting 11 million customers. Federal auditors at OPM warned Premera three weeks prior to the breach that its network security procedures were inadequate. Unlike the Anthem breach, the incident at Premera exposes clinical medical information in addition to personally identifiable information. Premera offers two years of free credit monitoring through Experian.

May 2015: Carefirst Blue Cross discloses breach impacting 1.1 million customers. Clues unearthed by researchers point to the same attack infrastructure and methods used in the Anthem and Premera breach. Carefirst offers two years free credit monitoring through Experian.

June 2015: OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit monitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government.

ANALYSIS

As the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely to increase. In these cases, the risk to Federal employees and their families will probably linger long after the free credit monitoring offered by these companies expires.”

That would appear to be the understatement of the year. The OPM runs a little program called e-QIP, which processes applications for security clearances for federal agencies, including top secret and above. This bit, from a July 10, 2014 story in The Washington Post, puts the depth and breadth of this breach in better perspective:

“In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”

That quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of healthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or uncover traitors within your own ranks, what sort of goldmine might this data be? Imagine having access to files that include interviews with a target’s friends and acquaintances over the years, some of whom could well have shared useful information about that person’s character flaws, weaknesses and proclivities.

For its part, China has steadfastly denied involvement. Politico cites a news story from the Chinese news service Xinhua which dismissed the U.S. allegations as “obviously another case of Washington’s habitual slander against Beijing on cybersecurity.” Continue reading →

Discount Chain Fred’s Inc. Probes Card Breach

June 12, 2015

19 Comments

Fred’s Inc., a discount general merchandise and pharmacy chain that operates 650 stores in more than a dozen states, disclosed today that it is investigating a potential credit card breach.

KrebsOnSecurity contacted Fred’s earlier this week, after hearing from multiple financial institutions about a pattern of fraud on customer cards indicating that Fred’s was the latest victim of card-stealing malware secretly installed on point-of-sale systems at checkout lanes.

Sources said it was unclear how many Fred’s locations were affected, but that the pattern of fraudulent charges traced back to Fred’s stores across the company’s footprint in the midwest and south, including Alabama, Arkansas, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Tennessee and Texas.

Reached for comment about the allegations, the company issued the following response today:

Fred’s Inc. recently became aware of a potential data security incident and immediately launched an internal investigation to determine the scope of the issue. We retained Mandiant, a leading independent forensics firm, to examine our data security systems.

We want to assure our customers that protecting their information is one of our top priorities and we are taking this potential incident very seriously. Until this investigation is completed, it will be difficult to determine with certainty the scope or nature of any potential incident, but we will continue to work vigilantly to address any potential issues that may affect our customers.

I am hearing about so many different retail breaches at retail and restaurant chains right now that I could do nothing but write about them full time and still fall behind.

A quick note about this blog: I’ve been on vacation for the past two weeks in Australia and New Zealand, which is why posting has been sporadic at best of late. Also, a glitch in our email server prevented many readers from receiving notifications of new updates over the last few weeks. Fixing the glitch caused subscribers to receive 10 days’ worth of email notifications all at once. Sorry for the inconvenience.

Breach at Winery Card Processor Missing Link

June 10, 2015

44 Comments

Missing Link Networks Inc., a credit card processor and point-of-sale vendor that serves a number of wineries in Northern California and elsewhere, disclosed today that a breach of its networks exposed card data for transactions it processed in the month of April 2015.

Earlier this week, I heard from a source at one of Sonoma, Calif.’s fancier wineries that their card processor had been breached. On Tuesday, I reached out to Calistoga, Calif. based Missing Link. Today, the company responded that it had begun notifying its customers about the incident, and that it was working with law enforcement and the card associations on an investigation.

“Beginning on May 27, 2015, we began notifying our winery customers that eCellar Systems, our consumer-direct sales platform, had been breached during the month of April, 2015 by an unknown intruder,” the company’s founder and CEO, Paul Thienes, said in a written statement. “To that end, each of our winery clients will be sending out notice of this event to their customers and it is likely that individual consumers may receive a similar notice from multiple wineries.”

“The intruder gained access to customer names, credit/debit card numbers, the related billing addresses, and any dates of birth in our system during the window of April 1st through 30th this year,” Thienes wrote. “The intruder did not have access to any driver license numbers, Social Security numbers, CVV verification numbers, or PIN numbers (data which we would typically not collect anyway). We have identified and secured the method that was used to breach our platform. Additionally, to prevent a future reoccurrence, we are in the process of converting to a ‘token’ system so that credit card numbers will no longer be stored by the eCellar platform.” Continue reading →

Adobe, Microsoft Issue Critical Security Fixes

June 10, 2015

34 Comments

Adobe today released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.

The bulk of the flaws Microsoft addressed today (23 of them) reside in the Internet Explorer Web browser. Microsoft also issued fixes for serious problems in Office, the Windows OS itself and Windows Media Player, among other components. A link to an index of the individual Microsoft updates released today is here.

As it normally does on Patch Tuesday, Adobe issued fixes for its Flash and AIR software, plugging a slew of dangerous flaws in both products. Flash continues to be one of the more complex programs to manage and update on a computer, mainly because its auto-update function tends to lag the actual patches by several days at least (your mileage may vary), and it’s difficult to know which version is the latest. Continue reading →

Firms Could Be Forced to Disgorge Profits from Tax Refund Fraud

June 9, 2015

37 Comments

Last week, KrebsOnSecurity ran an interview with Julie Magee, Alabama’s chief tax administrator, to examine what the states are doing in tandem with the IRS and others to make it harder for ID thieves to commit tax refund fraud — a $6 billion a year problem. Today we’ll hear from John Valentine, chair of Utah’s State Tax Commission, about the challenges his state faced this year, as well as the prospect that tax preparation firms could be forced return to the U.S. Treasury any profits they make from processing fraudulent tax refunds.

Valentine was a tax attorney before being appointed the chair of Utah’s tax commission, so he’s familiar with the challenges facing both the tax preparation industry as well as the tax agencies.

“I came out of the private sector and spent nearly 40 years suing the state tax commission and the IRS,” Valentine said. “Now I am that.”

Utah is actively engaged in an IRS task force made up of state, federal and industry tax experts trying to quash refund fraud. Like Alabama’s deputy tax commissioner Joe Garrett — who had a $7,700 fraudulent refund filed in his name — several of Utah’s senior tax administration officials also were victimized by ID thieves this year.

“We’ve had some of our senior people who had tax returns filed on their behalf,” Valentine said. “Of course, they had not filed them yet and we knew that they were more than a little suspicious.”

Among the steps the task force is considering is whether to mail all taxpayers an Identity Protection Personal Identification Number (IP PIN) that is tied to each taxpayer and must be included in each tax return. The IRS issues the IP PINs to taxpayers who have suffered tax return fraud. Additionally, consumers willing to swear they have been victims of identity theft can apply for a filing PIN, however the IRS is picky about granting those requests.

Even if the IRS were to switch to issuing IP PINs to all taxpayers, the agency would still run up against the thorny problem of how to verify consumers’ identity (no doubt, that challenge would be exacerbated by millions of taxpayers phoning the IRS after losing or misplacing their assigned PINs). A major focus of the working groups attention is finding better ways to authenticate people beyond merely requesting static identifiers (Social Security numbers, dates of birth) and other data that is frequently exposed in data breaches and is readily for sale on underground markets.

“They’re going to have to switch to a 2-factor authentication system, where they really strengthen the front-end of that authentication,” Valentine said of the tax preparation firms like TurboTax, which briefly shut down all state tax filing this year after a massive spike in phony refund requests put through its systems via hijacked and fraudulently created TurboTax accounts.

Valentine also made the decision to halt all Utah tax refunds around that same time.

“When we installed our [anti-fraud] analytics program, we thought we were getting a lot of false positives, so we did a bunch of back checking,” he said “While we were doing that, I made a decision to stop all refunds. For a period of two weeks Utah gave no refunds while we worked through the analytics to make sure we’d identified the nature and extent of the fraud. It turned out to be much more extensive than we’ve ever seen.”

In fact, ten times as much as any year prior, according to Valentine.

“We’ve always seen fraud where a tax practitioner will file a whole bunch of fraudulent returns, or we’ll see ID theft targeting a large employer. But this fraud wave was a little tougher, because it went across spectrum of employers, across the entire demographic of taxpayers, high low and middle income. Also, the fraud wasn’t regionalized — it was across the whole state — and [the fraudsters] didn’t seem to be selective as to who they hit. They got people of notoriety and people nobody knew. In the end, it appeared that the common factor among all of them was how you filed in 2013,” because the phony 2014 returns all included nearly identical information as the victim’s 2013 returns.

“What we saw in Utah was a population of the same information in the 2013 return into the 2014 return, with the exception of bank routing and bank account number,” Valentine said. “That’s a different fraud that we’d just never seen before.”

TurboTax’s lax security around authentication for new and existing accounts played a well-documented role in the type of fraud described by Valentine this year. But ID thieves also got help directly from the IRS this year. Late last month, the agency suspended the “get transcript” function that previously allowed taxpayers to order a copy of their previous year’s W2 information, among other data; turns out, crooks had used the service to pull tax data on more than 100,000 citizens, stealing tens of millions from the U.S. Treasury in the process. Continue reading →

Last »