Experian’s Credit Freeze Security is Still a Joke

April 26, 2021

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States.  Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.

But the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company.

Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file.

Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.

KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. The answer to the second question also was none of the above.

The next two questions were useless for authentication purposes because they’d already been asked and answered; one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).

The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Experian. Also, when the PIN is retrieved, Experian doesn’t bother notifying any other email addresses already on file for that consumer.

Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes.

Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.

Thomas said he’s furious that Experian only provides added account security for consumers who pay for monthly plans.

“Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”

Experian has not yet responded to requests for comment.

When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked.

“When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. “You won’t see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file.”

Experian says my security is low because while I have a freeze in place, I haven’t bought into their questionable “lock service.”

Sounds scary, right? The thing is — except for the part about not seeing alerts — none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand. Continue reading

Note to Self: Create Non-Exhaustive List of Competitors

April 20, 2021

What was the best news you heard so far this month? Mine was learning that KrebsOnSecurity is listed as a restricted competitor by Gartner Inc. [NYSE:IT] — a $4 billion technology goliath whose analyst reports can move markets and shape the IT industry.

Earlier this month, a reader pointed my attention to the following notice from Gartner to clients who are seeking to promote Gartner reports about technology products and services:

What that notice says is that KrebsOnSecurity is somehow on Gartner’s “non exhaustive list of competitors,” i.e., online venues where technology companies are not allowed to promote Gartner reports about their products and services.

The bulk of Gartner’s revenue comes from subscription-based IT market research. As the largest organization dedicated to the analysis of software, Gartner’s network of analysts are well connected to the technology and software industries. Some have argued that Gartner is a kind of private social network, in that a significant portion of Gartner’s competitive position is based on its interaction with an extensive network of software vendors and buyers.

Either way, the company regularly serves as a virtual kingmaker with their trademark “Magic Quadrant” designations, which rate technology vendors and industries “based on proprietary qualitative data analysis methods to demonstrate market trends, such as direction, maturity and participants.”

The two main subjective criteria upon which Gartner bases those rankings are “the ability to execute” and “completeness of vision.” They also break companies out into categories such as “challengers,” “leaders,” “visionaries” and “niche players.”

Gartner’s 2020 “Magic Quadrant” for companies that provide “contact center as a service” offerings.

So when Gartner issues a public report forecasting that worldwide semiconductor revenue will fall, or that worldwide public cloud revenue will grow, those reports very often move markets.

Being listed by Gartner as a competitor has had no discernable financial impact on KrebsOnSecurity, or on its reporting. But I find this designation both flattering and remarkable given that this site seldom promotes technological solutions. Continue reading

Advertisement

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?

April 16, 2021

On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. An analysis of the malicious file and other submissions by the same VirusTotal user suggest the account that initially flagged the backdoor as suspicious belongs to IT personnel at the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department that handles telecommunications and Internet policy.

Both Microsoft and FireEye published blog posts on Mar. 4 concerning a new backdoor found on high-value targets that were compromised by the SolarWinds attackers. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” FireEye says the Sunshuttle backdoor was named “Lexicon.exe,” and had the unique file signatures or “hashes” of “9466c865f7498a35e4e1a8f48ef1dffd” (MD5) and b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 (SHA-1).

“In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository,” FireEye wrote.

The “Sunshuttle” or “GoldMax” backdoor, as identified by FireEye and Microsoft, respectively. Image: VirusTotal.com.

A search in VirusTotal’s malware repository shows that on Aug. 13, 2020 someone uploaded a file with that same name and file hashes. It’s often not hard to look through VirusTotal and find files submitted by specific users over time, and several of those submitted by the same user over nearly two years include messages and files sent to email addresses for people currently working in NTIA’s information technology department.

An apparently internal email that got uploaded to VirusTotal in Feb. 2020 by the same account that uploaded the Sunshuttle backdoor malware to VirusTotal in August 2020.

The NTIA did not respond to requests for comment. But in December 2020, The Wall Street Journal reported the NTIA was among multiple federal agencies that had email and files plundered by the SolarWinds attackers. “The hackers broke into about three dozen email accounts since June at the NTIA, including accounts belonging to the agency’s senior leadership, according to a U.S. official familiar with the matter,” The Journal wrote.

It’s unclear what, if anything, NTIA’s IT staff did in response to scanning the backdoor file back in Aug. 2020. But the world would not find out about the SolarWinds debacle until early December 2020, when FireEye first disclosed the extent of its own compromise from the SolarWinds malware and published details about the tools and techniques used by the perpetrators.

The SolarWinds attack involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software. Beginning in March 2020, the attackers then used the access afforded by the compromised SolarWinds software to push additional backdoors and tools to targets when they wanted deeper access to email and network communications. Continue reading

Microsoft Patch Tuesday, April 2021 Edition

April 13, 2021

Microsoft today released updates to plug at least 110 security holes in its Windows operating systems and other products. The patches include four security fixes for Microsoft Exchange Server — the same systems that have been besieged by attacks on four separate (and zero-day) bugs in the email software over the past month. Redmond also patched a Windows flaw that is actively being exploited in the wild.

Nineteen of the vulnerabilities fixed this month earned Microsoft’s most-dire “Critical” label, meaning they could be used by malware or malcontents to seize remote control over vulnerable Windows systems without any help from users.

Microsoft released updates to fix four more flaws in Exchange Server versions 2013-2019 (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483). Interestingly, all four were reported by the U.S. National Security Agency, although Microsoft says it also found two of the bugs internally. A Microsoft blog post published along with today’s patches urges Exchange Server users to make patching their systems a top priority.

Satnam Narang, staff research engineer at Tenable, said these vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index.

“Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw,” Narang said. “With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately.”

Also patched today was a vulnerability in Windows (CVE-2021-28310) that’s being exploited in active attacks already. The flaw allows an attacker to elevate their privileges on a target system.

“This does mean that they will either need to log on to a system or trick a legitimate user into running the code on their behalf,” said Dustin Childs of Trend Micro. “Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as browser bug of PDF exploit, to take over a system.”

In a technical writeup on what they’ve observed since finding and reporting attacks on CVE-2021-28310, researchers at Kaspersky Lab noted the exploit they saw was likely used together with other browser exploits to escape “sandbox” protections of the browser.

“Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities,” Kaspersky’s researchers wrote. Continue reading

ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users

April 12, 2021

Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.

KrebsOnSecurity first heard about the breach from Gemini Advisory, a New York City based threat intelligence firm that keeps a close eye on the cybercrime forums. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data.

Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade.

Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about “a cybersecurity incident linked to a vulnerability in a third-party software that we use.”

“In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident,” the notice reads. “Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”

The statement continues: “Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”

Asked for clarification on what the attackers did access, ParkMobile confirmed it included basic account information – license plate numbers, and if provided, email addresses and/or phone numbers, and vehicle nickname.

“In a small percentage of cases, there may be mailing addresses,” spokesman Jeff Perkins said.
Continue reading

Are You One of the 533M People Who Got Facebooked?

April 6, 2021

Ne’er-do-wells leaked personal data — including phone numbers — for some 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being scraped from profiles. To my mind, this just reinforces the need to remove mobile phone numbers from all of your online accounts wherever feasible. Meanwhile, if you’re a Facebook product user and want to learn if your data was leaked, there are easy ways to find out.

The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps containing information about billions of leaked accounts, has incorporated the data into his service. Facebook users can enter the mobile number (in international format) associated with their account and see if those digits were exposed in the new data dump (HIBP doesn’t show you any data, just gives you a yes/no on whether your data shows up).

The phone number associated with my late Facebook account (which I deleted in Jan. 2020) was not in HaveIBeenPwned, but then again Facebook claims to have more than 2.7 billion active monthly users.

It appears much of this database has been kicking around the cybercrime underground in one form or another since last summer at least. According to a Jan. 14, 2021 Twitter post from Under the Breach’s Alon Gal, the 533 million Facebook accounts database was first put up for sale back in June 2020, offering Facebook profile data from 100 countries, including name, mobile number, gender, occupation, city, country, and marital status.

Under The Breach also said back in January that someone had created a Telegram bot allowing users to query the database for a low fee, and enabling people to find the phone numbers linked to a large number of Facebook accounts.

A cybercrime forum ad from June 2020 selling a database of 533 Million Facebook users. Image: @UnderTheBreach

Many people may not consider their mobile phone number to be private information, but there is a world of misery that bad guys, stalkers and creeps can visit on your life just by knowing your mobile number. Sure they could call you and harass you that way, but more likely they will see how many of your other accounts — at major email providers and social networking sites like Facebook, Twitter, Instagram, e.g. — rely on that number for password resets. Continue reading

Ransom Gangs Emailing Victim Customers for Leverage

April 5, 2021

Some of the top ransomware gangs are deploying a new pressure tactic to push more victim organizations into paying an extortion demand: Emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.

This letter is from the Clop ransomware gang, putting pressure on a recent victim named on Clop’s dark web shaming site.

“Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim],” the missive reads. “The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”

“We inform you that information about you will be published on the darknet [link to dark web victim shaming page] if the company does not contact us,” the message concludes. “Call or write to this store and ask to protect your privacy!!!!”

The message above was sent to a customer of RaceTrac Petroleum, an Atlanta company that operates more than 650 retail gasoline convenience stores in 12 southeastern states. The person who shared that screenshot above isn’t a distributor or partner of RaceTrac, but they said they are a RaceTrac rewards member, so the company definitely has their email address and other information.

Several gigabytes of the company’s files — including employee tax and financial records — have been posted to the victim shaming site for the Clop ransomware gang.

In response to questions from KrebsOnSecurity, RaceTrac said it was recently impacted by a security incident affecting one of its third-party service providers, Accellion Inc.

For the past few months, attackers have been exploiting a a zero-day vulnerability in Accellion File Transfer Appliance (FTA) software, a flaw that has been seized upon by Clop to break into dozens of other major companies like oil giant Shell and security firm Qualys.

“By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of our RaceTrac Rewards Loyalty users,” the company wrote. “This incident was limited to the aforementioned Accellion services and did not impact RaceTrac’s corporate network. The systems used for processing guest credit, debit and RaceTrac Rewards transactions were not impacted.”

The same extortion pressure email has been going out to people associated with the University of California, which was one of several large U.S. universities that got hit with Clop ransomware recently. Most of those university ransomware incidents appeared to be tied to attacks on attacks on the same Accellion vulnerability, and the company has acknowledged roughly a third of its customers on that appliance got compromised as a result.

Clop is one of several ransom gangs that will demand two ransoms: One for a digital key needed to unlock computers and data from file encryption, and a second to avoid having stolen data published or sold online. That means even victims who opt not to pay to get their files and servers back still have to decide whether to pay the second ransom to protect the privacy of their customers.

As I noted in Why Paying to Delete Stolen Data is Bonkers, leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway. Continue reading

Ubiquiti All But Confirms Breach Response Iniquity

April 4, 2021

For four days this past week, Internet-of-Things giant Ubiquiti did not respond to requests for comment on a whistleblower’s allegations the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price, and that Ubiquiti’s insinuation that a third-party was to blame was a fabrication. I was happy to add their eventual public response to the top of Tuesday’s story on the whistleblower’s claims, but their statement deserves a post of its own because it actually confirms and reinforces those claims.

Ubiquiti’s IoT gear includes things like WiFi routers, security cameras, and network video recorders. Their products have long been popular with security nerds and DIY types because they make it easy for users to build their own internal IoT networks without spending many thousands of dollars.

But some of that shine started to come off recently for Ubiquiti’s more security-conscious customers after the company began pushing everyone to use a unified authentication and access solution that makes it difficult to administer these devices without first authenticating to Ubiquiti’s cloud infrastructure.

All of a sudden, local-only networks were being connected to Ubiquiti’s cloud, giving rise to countless discussion threads on Ubiquiti’s user forums from customers upset over the potential for introducing new security risks.

And on Jan. 11, Ubiquiti gave weight to that angst: It told customers to reset their passwords and enable multifactor authentication, saying a breach involving a third-party cloud provider might have exposed user account data. Ubiquiti told customers they were “not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.”

Ubiquiti’s notice on Jan. 12, 2021.

On Tuesday, KrebsOnSecurity reported that a source who participated in the response to the breach said Ubiquiti should have immediately invalidated all credentials because all of the company’s key administrator passwords had been compromised as well. The whistleblower also said Ubiquiti never kept any logs of who was accessing its databases.

The whistleblower, “Adam,” spoke on condition of anonymity for fear of reprisals from Ubiquiti. Adam said the place where those key administrator credentials were compromised — Ubiquiti’s presence on Amazon’s Web Services (AWS) cloud services — was in fact the “third party” blamed for the hack.

From Tuesday’s piece:

“In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Ubiquiti finally responded on Mar. 31, in a post signed “Team UI” on the company’s community forum online.

“Nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.”

“These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”

Ubiquiti’s response this week on its user forum.

Ubiquiti also hinted it had an idea of who was behind the attack, saying it has “well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.” Continue reading

New KrebsOnSecurity Mobile-Friendly Site

April 1, 2021

Dear Readers, this has been long overdue, but at last I give you a more responsive, mobile-friendly version of KrebsOnSecurity. We tried to keep the visual changes to a minimum and focus on a simple theme that presents information in a straightforward, easy-to-read format. Please bear with us over the next few days as we hunt down the gremlins in the gears.

We were shooting for responsive (fast) and uncluttered. Hopefully, we achieved that and this new design will render well in whatever device you use to view it. If something looks amiss, please don’t hesitate to drop a note in the comments below.

NB: KrebsOnSecurity has not changed any of its advertising practices: The handful of ads we run are still image-only creatives that are vetted by me and served in-house. If you’re blocking ads on this site, please consider adding an exception here. Thank you!

Whistleblower: Ubiquiti Breach “Catastrophic”

March 30, 2021

On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.

A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

Update, Mar. 31, 6:58 p.m. ET: In a post to its user forum, Ubiquiti said its security experts identified “no evidence that customer information was accessed, or even targeted.” Ubiquiti can say this, says Adam, because it failed to keep records of which accounts were accessing that data. We’ll hear more about this from Adam in a bit.

Original story:

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party.

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide. Continue reading