Secret Service Warns of Chip Card Scheme

April 5, 2018

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

Signs of a card with an old or invalid chip include heat damage around the chip or on the card, or a small hole in the plastic used to pry the chip off the card. Image: U.S. Secret Service.

According to an alert sent to banks late last month, the entire scheme goes as follows:

1. Criminals intercept mail sent from a financial institution to large corporations that contain payment cards, targeting debit payment cards with access to large amount of funds.

2. The crooks remove the chip from the debit payment card using a heat source that warms the glue.

3. Criminals replace the chip with an old or invalid chip and repackage the payment card for delivery.

4. Criminals place the stolen chip into an old payment card.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card. Continue reading

Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018

April 4, 2018

A story published here last week warned readers about a vast network of potentially malicious Web sites ending in “.cm” that mimic some of the world’s most popular Internet destinations (e.g. espn[dot]cm, aol[dot]cm and itunes[dot].cm) in a bid to bombard visitors with fake security alerts that can lock up one’s computer. If that piece lacked one key detail it was insight into just how many people were mistyping .com and ending up at one of these so-called “typosquatting” domains.

On March 30, an eagle-eyed reader noted that four years of access logs for the entire network of more than 1,000 dot-cm typosquatting domains were available for download directly from the typosquatting network’s own hosting provider. The logs — which include detailed records of how many people visited the sites over the past three years and from where — were deleted shortly after that comment was posted here, but not before KrebsOnSecurity managed to grab a copy of the entire archive for analysis.

The geographic distribution of 25,000 randomly selected Internet addresses (IP addresses) in the logs seen accessing the dot-cm typosquatting domains in February 2018. Batchgeo, the service used to produce this graphic, limits free lookups to 25,000, but the above image is likely still representative of the overall geographic distribution. Perhaps unsurprisingly, the largest share of traffic is coming from the United States.

Matthew Chambers, a security expert with whom this author worked on the original dot-cm typosquatting story published last week, analyzed the access logs from just the past three months and found the sites were visited approximately 12 million times during the first quarter of 2018.

Chambers said he combed through the logs and weeded out hits from Internet addresses that appeared to be bots or search engine scrapers. Here’s Chambers’ analysis of the 2018 access log data:

January 2018; 3,732,488 visitors
February 2018: 3,799,109 visitors
Mar 2018: 4,275,998 visitors

Total Jan-Mar 2018 is 11.8 million

Those figures suggest that the total number of visits to these typosquatting sites in the first quarter of 2018 was approximately 12 million, or almost 50 million hits per year. Certainly, not everyone visiting these sites will have the experience that Chambers’ users reported (being bombarded with misleading malware alerts and redirected to scammy and spammy Web sites), but it seems clear this network could make its operators a pretty penny regardless of the content that ends up getting served through it. Continue reading

Advertisement

Panerabread.com Leaks Millions of Customer Records

April 2, 2018

Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.

The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.

Redacted records from Panera’s site, which let anyone search by a variety of customer attributes, including phone number, email address, physical address or loyalty account number. In this example, the phone number was a main line at an office building where many different employees apparently registered to order food online.

KrebsOnSecurity learned about the breach earlier today after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Web site back on August 2, 2017.

A long message thread that Houlihan shared between himself and Panera indicates that Mike Gustavison, Panera’s director of information security, initially dismissed Houlihan’s report as a likely scam. A week later, however, those messages suggest that the company had validated Houlihan’s findings and was working on a fix.

“Thank you for the information we are working on a resolution,” Gustavison wrote.

Panera was alerted about the data leakage in early August 2017, and said it was fixing the problem then.

Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort. Continue reading

Coinhive Exposé Prompts Cancer Research Fundraiser

March 30, 2018

A story published here this week revealed the real-life identity behind the original creator of Coinhive — a controversial cryptocurrency mining service that several security firms have recently labeled the most ubiquitous malware threat on the Internet today. In an unusual form of protest against that story, members of a popular German language image-posting board founded by the Coinhive creator have vented their dismay by donating tens hundreds of thousands of euros to local charities that support cancer research.

On Monday KrebsOnSecurity published Who and What is Coinhive, an in-depth story which proved that the founder of Coinhive was indeed the founder of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code primarily is found on tens of thousands of hacked Web sites, and because the until-recently anonymous Coinhive operator(s) have been reluctant to take steps that might curb the widespread abuse of their platform.

One of countless pages of images posted about this author by pr0gramm users in response to the story about Coinhive.

In an early version of its Web site, Coinhive said its service was first tested on pr0gramm, and that the founder(s) of Coinhive considered pr0gramm “their platform” of 11 years (exactly the length of time pr0gramm has been online). Coinhive declined to say who was running their service, and tried to tell me their earlier statement about Coinhive’s longtime affiliation with pr0gramm was a convenient lie that was used to helped jump-start the service by enlisting the help of pr0gramm’s thousands of members.

Undeterred, I proceeded with my research based on the assumption that one or more of the founders of pr0gramm were involved in Coinhive. When I learned the real-life identities of the pr0gramm founders and approached them directly, each deflected questions about their apparent roles in founding and launching Coinhive.

However, shortly after the Coinhive story went live, the original founder of pr0gramm (Dominic Szablewski, a.k.a. “cha0s”) published a blog post acknowledging that he was in fact the creator of Coinhive. What’s more, Coinhive has since added legal contact information to its Web site, and has said it is now taking steps to ensure that it no longer profits from cryptocurrency mining activity after hacked Web sites owners report finding Coinhive’s code on their sites.

Normally, when KrebsOnSecurity publishes a piece that sheds light on a corner of the Internet that would rather remain in the shadows, the response is as predictable as it is swift: Distributed denial-of-service (DDoS) attacks on this site combined with threats of physical violence and harm from anonymous users on Twitter and other social networks.

While this site did receive several small DDoS attacks this week — and more than a few anonymous threats of physical violence and even death related to the Coinhive story — the response from pr0gramm members has been remarkably positive overall.

The pr0gramm community quickly seized on the fact that my last name — Krebs — means “crab” and “cancer” in German. Apparently urged by one of the pr0gramm founders named in the story to express their anger in “objective and polite” ways, several pr0gramm members took to donating money to the Deutsche Krebshilfe (German Cancer Aid/DKMS) Web site as a way to display their unity and numbers.

The protest (pr0test?) soon caught on in the Twitter hashtag “#KrebsIsCancer,” promoted and re-tweeted heavily by pr0gramm members as a means to “Fight Krebs” or fight cancer. According to a statement on DKMS’s Web site, the KrebsIsCancer campaign involved donations from more than 8,300 people totaling 207,500 euros (~USD $256,000).

Update, 2:46 p.m. ET: Updated donation figures per statement posted today on DKMS site.

Omitting the “o” in .com Could Be Costly

March 29, 2018

Take care when typing a domain name into a browser address bar, because it’s far too easy to fat-finger a key and wind up somewhere you don’t want to go. For example, if you try to visit some of the most popular destinations on the Web but omit the “o” in .com (and type .cm instead), there’s a good chance your browser will be bombarded with malware alerts and other misleading messages — potentially even causing your computer to lock up completely. As it happens, many of these domains appear tied to a marketing company whose CEO is a convicted felon and once self-proclaimed “Spam King.”

Matthew Chambers is a security professional and researcher in Atlanta. Earlier this month Chambers penned a post on his personal blog detailing what he found after several users he looks after accidentally mistyped different domains — such as espn[dot]cm.

Chambers said the user who visited that domain told him that after typing in espn.com he quickly had his computer screen filled with alerts about malware and countless other pop-ups. Security logs for that user’s system revealed the user had actually typed espn[dot]cm, but when Chambers reviewed the source code at that Web page he found an innocuous placeholder content page instead.

“One thing we notice is that any links generated off these domains tend to only work one time, if you try to revisit it’s a 404,” Chambers wrote, referring to the standard 404 message displayed in the browser when a Web page is not found. “The file is deleted to prevent researchers from trying to grab it, or automatic scanners from downloading it. Also, some of the exploit code on these sites will randomly vaporize, and they will have no code on them, but were just being weaponized in campaigns. It could be the user agent, or some other factor, but they definitely go dormant for periods of time.”

Espn[dot]cm is one of more than a thousand so-called “typosquatting” domains hosted on the same Internet address (85.25.199.30), including aetna[dot]cmaol[dot]cm, box[dot]cm, chase[dot]cm, citicards[dot]cmcostco[dot]cm, facebook[dot]cmgeico[dot]cm, hulu[dot]cmitunes[dot]cm, pnc[dot]cmslate[dot]cmsuntrust[dot]cm, turbotax[dot]cm, and walmart[dot]cm. I’ve compiled a partial list of the most popular typosquatting domains that are part of this network here (PDF).

KrebsOnSecurity sought to dig a bit deeper into Chambers’ findings, researching some of the domain registration records tied to the list of dot-cm typosquatting domains. Helpfully, all of the domains currently redirect visitors to just one of two landing pages — either antistrophebail[dot]com or chillcardiac[dot]com.

For the moment, if one visits either of these domains directly via a desktop Web browser (I’d advise against this) chances are the site will display a message saying, “Sorry, we currently have no promotions available right now.” Browsing some of them with a mobile device sometimes leads to a page urging the visitor to complete a “short survey” in exchange for “a chance to get an gift [sic] cards, coupons and other amazing deals!”

Those antistrophebail and chillcardiac domains — as well as 1,500+ others — were registered to the email address: ryanteraksxe1@yahoo.com. A Web search on that address doesn’t tell us much, but entering it at Yahoo‘s “forgot password” page lists a partially obfuscated address to which Yahoo can send an account key that may be used to reset the password for the account. That address is k*****ng@mediabreakaway[dot]com.

The full email address is kmanning@mediabreakaway[dot]com. According to the “leadership” page at mediabreakaway[dot]com, the email address ryanteraksxe1@yahoo.com almost certainly belongs to one Kacy Manning, who is listed as the “Manager of Special Projects” at Colorado based marketing firm Media Breakaway LLC.

Media Breakaway is headed by Scott Richter, a convicted felon who’s been successfully sued for spamming by some of the biggest media companies over the years. Continue reading

Who and What Is Coinhive?

March 26, 2018

Multiple security firms recently identified cryptocurrency mining service Coinhive as the top malicious threat to Web users, thanks to the tendency for Coinhive’s computer code to be used on hacked Web sites to steal the processing power of its visitors’ devices. This post looks at how Coinhive vaulted to the top of the threat list less than a year after its debut, and explores clues about the possible identities of the individuals behind the service.

Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on Web sites. The code uses some or all of the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine bits of the Monero cryptocurrency.

Monero differs from Bitcoin in that its transactions are virtually untraceble, and there is no way for an outsider to track Monero transactions between two parties. Naturally, this quality makes Monero an especially appealing choice for cybercriminals.

Coinhive released its mining code last summer, pitching it as a way for Web site owners to earn an income without running intrusive or annoying advertisements. But since then, Coinhive’s code has emerged as the top malware threat tracked by multiple security firms. That’s because much of the time the code is installed on hacked Web sites — without the owner’s knowledge or permission.

Much like a malware infection by a malicious bot or Trojan, Coinhive’s code frequently locks up a user’s browser and drains the device’s battery as it continues to mine Monero for as long a visitor is browsing the site.

According to publicwww.com, a service that indexes the source code of Web sites, there are nearly 32,000 Web sites currently running Coinhive’s JavaScript miner code. It’s impossible to say how many of those sites have installed the code intentionally, but in recent months hackers have secretly stitched it into some extremely high-profile Web sites, including sites for such companies as The Los Angeles Times, mobile device maker Blackberry, Politifact, and Showtime.

And it’s turning up in some unexpected places: In December, Coinhive code was found embedded in all Web pages served by a WiFi hotspot at a Starbucks in Buenos Aires. For roughly a week in January, Coinhive was found hidden inside of YouTube advertisements (via Google’s DoubleClick platform) in select countries, including Japan, France, Taiwan, Italy and Spain. In February, Coinhive was found on “Browsealoud,” a service provided by Texthelp that reads web pages out loud for the visually impaired. The service is widely used on many UK government websites, in addition to a few US and Canadian government sites.

What does Coinhive get out of all this? Coinhive keeps 30 percent of whatever amount of Monero cryptocurrency that is mined using its code, whether or not a Web site has given consent to run it. The code is tied to a special cryptographic key that identifies which user account is to receive the other 70 percent.

Coinhive does accept abuse complaints, but it generally refuses to respond to any complaints that do not come from a hacked Web site’s owner (it mostly ignores abuse complaints lodged by third parties). What’s more, when Coinhive does respond to abuse complaints, it does so by invalidating the key tied to the abuse.

But according to Troy Mursch, a security expert who spends much of his time tracking Coinhive and other instances of “cryptojacking,” killing the key doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100 percent of the cryptocurrency mined by sites tied to that account from then on.

Mursch said Coinhive appears to have zero incentive to police the widespread abuse that is leveraging its platform.

“When they ‘terminate’ a key, it just terminates the user on that platform, it doesn’t stop the malicious JavaScript from running, and it just means that particular Coinhive user doesn’t get paid anymore,” Mursch said. “The code keeps running, and Coinhive gets all of it. Maybe they can’t do anything about it, or maybe they don’t want to. But as long as the code is still on the hacked site, it’s still making them money.”

Reached for comment about this apparent conflict of interest, Coinhive replied with a highly technical response, claiming the organization is working on a fix to correct that conflict.

“We have developed Coinhive under the assumption that site keys are immutable,” Coinhive wrote in an email to KrebsOnSecurity. “This is evident by the fact that a site key can not be deleted by a user. This assumption greatly simplified our initial development. We can cache site keys on our WebSocket servers instead of reloading them from the database for every new client. We’re working on a mechanism [to] propagate the invalidation of a key to our WebSocket servers.”

AUTHEDMINE

Coinhive has responded to such criticism by releasing a version of their code called “AuthedMine,” which is designed to seek a Web site visitor’s consent before running the Monero mining scripts. Coinhive maintains that approximately 35 percent of the Monero cryptocurrency mining activity that uses its platform comes from sites using AuthedMine.

But according to a report published in February by security firm Malwarebytes, the AuthedMine code is “barely used” compared to the use of Coinhive’s mining code that does not seek permission from Web site visitors. Malwarebytes’ telemetry data (drawn from antivirus alerts when users browse to a site running Coinhive’s code) determined that AuthedMine is used in a little more than one percent of all cases that involve Coinhive’s mining code.

Image: Malwarebytes. The statistic above refer to the number of times per day between Jan. 10 and Feb. 7 that Malwarebytes blocked connections to AuthedMine and Coinhive, respectively.

Asked to comment on the Malwarebytes findings, Coinhive replied that if relatively few people are using AuthedMine it might be because anti-malware companies like Malwarebytes have made it unprofitable for people to do so.

“They identify our opt-in version as a threat and block it,” Coinhive said. “Why would anyone use AuthedMine if it’s blocked just as our original implementation? We don’t think there’s any way that we could have launched Coinhive and not get it blacklisted by Antiviruses. If antiviruses say ‘mining is bad,’ then mining is bad.”

Similarly, data from the aforementioned source code tracking site publicwww.com shows that some 32,000 sites are running the original Coinhive mining script, while the site lists just under 1,200 sites running AuthedMine.

WHO IS COINHIVE?

[Author’s’ note: Ordinarily, I prefer to link to sources of information cited in stories, such as those on Coinhive’s own site and other entities mentioned throughout the rest of this piece. However, because many of these links either go to sites that actively mine with Coinhive or that include decidedly not-safe-for-work content, I have included screenshots instead of links in these cases. For these reasons, I would strongly advise against visiting pr0gramm’s Web site.]

According to a since-deleted statement on the original version of Coinhive’s Web site — coin-hive[dot]com — Coinhive was born out of an experiment on the German-language image hosting and discussion forum pr0gramm[dot]com.

A now-deleted “About us” statement on the original coin-hive[dot]com Web site. This snapshop was taken on Sept. 15, 2017. Image courtesy archive.org.

Indeed, multiple discussion threads on pr0gramm[dot]com show that Coinhive’s code first surfaced there in the third week of July 2017. At the time, the experiment was dubbed “pr0miner,” and those threads indicate that the core programmer responsible for pr0miner used the nickname “int13h” on pr0gramm. In a message to this author, Coinhive confirmed that “most of the work back then was done by int13h, who is still on our team.”

I asked Coinhive for clarity on the disappearance of the above statement from its site concerning its affiliation with pr0gramm. Coinhive replied that it had been a convenient fiction:

“The owners of pr0gramm are good friends and we’ve helped them with their infrastructure and various projects in the past. They let us use pr0gramm as a testbed for the miner and also allowed us to use their name to get some more credibility. Launching a new platform is difficult if you don’t have a track record. As we later gained some publicity, this statement was no longer needed.”

Asked for clarification about the “platform” referred to in its statement (“We are self-funded and have been running this platform for the past 11 years”) Coinhive replied, “Sorry for not making it clearer: ‘this platform’ is indeed pr0gramm.”

After receiving this response, it occurred to me that someone might be able to find out who’s running Coinhive by determining the identities of the pr0gramm forum administrators. I reasoned that if they were not one and the same, the pr0gramm admins almost certainly would know the identities of the folks behind Coinhive. Continue reading

San Diego Sues Experian Over ID Theft Service

March 23, 2018

The City of San Diego, Calif. is suing consumer credit bureau Experian, alleging that a data breach first reported by KrebsOnSecurity in 2013 affected more than a quarter-million people in San Diego but that Experian never alerted affected consumers as required under California law.

The lawsuit, filed by San Diego city attorney Mara Elliott, concerns a data breach at an Experian subsidiary that lasted for nine months ending in 2013. As first reported here in October 2013, a Vietnamese man named Hieu Minh Ngo ran an identity theft service online and gained access to sensitive consumer information by posing as a licensed private investigator in the United States.

In reality, the fraudster was running his identity theft service from Vietnam, and paying Experian thousands of dollars in cash each month for access to 200 million consumer records. Ngo then resold that access to more than 1,300 customers of his ID theft service. KrebsOnSecurity first wrote about Ngo’s ID theft service — alternately called Superget[dot]info and Findget[dot]mein 2011.

Ngo was arrested after being lured out of Vietnam by the U.S. Secret Service. He later pleaded guilty to identity fraud charges and was sentenced in July 2015 to 13 years in prison.

News of the lawsuit comes from The San Diego Union-Tribune, which says the city attorney alleges that some 30 million consumers could have had their information stolen in the breach, including an estimated 250,000 people in San Diego.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds,” writes Union-Tribune reporter Greg Moran.

Experian did not respond to requests for comment.

Ngo’s Identity theft service, superget.info, which relied on access to consumer databases maintained by a company that Experian purchased in 2012.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers who had been harmed by the incident. However, soon after Ngo was extradited to the United States, the Secret Service began identifying and rounding up dozens of customers of Ngo’s identity theft service. And most of Ngo’s customers were indeed involved in tax refund fraud with the states and the IRS. Continue reading

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

March 22, 2018

Almost 20 percent of Americans froze their credit file with one or more of the big three credit bureaus in the wake of last year’s data breach at Equifax, costing consumers an estimated $1.4 billion, according to a new study. The findings come as lawmakers in Congress are debating legislation that would make credit freezes free in every state.

The figures, commissioned by small business loan provider Fundera and conducted by Wakefield Research, surveyed some 1,000 adults in the U.S. Respondents were asked to self-report how much they spent on the freezes; 32 percent said the freezes cost them $10 or less, but 38 percent said the total cost was $30 or more. The average cost to consumers who froze their credit after the Equifax breach was $23.

A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.

Depending on your state of residence, the cost of placing a freeze on your credit file can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).

Image: Wakefield Research.

In a blog post published today, Fundera said the percentage of people who froze their credit in response to the Equifax breach incrementally decreases as people get older.

“Thirty-two percent of millennials, 16 percent of Generation Xers and 12 percent of baby boomers froze their credit,” Fundera explained. “This data is surprising considering that older generations have been working on building their credit for a longer period of time, and thus they have a more established record to protect.”

However, freeze fees could soon be a thing of the past. A provision included in a bill passed by the U.S. Senate on March 14 would require credit-reporting firms to let consumers place a freeze without paying (the measure is awaiting action in the House of Representatives).

But there may be a catch: According to CNBC, the congressional effort to require free freezes is part of a larger measure, S. 2155, which rolls back some banking regulations put in place after the financial crisis that rocked the U.S. economy a decade ago. Continue reading

15-Year-old Finds Flaw in Ledger Crypto Wallet

March 20, 2018

A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies.

Ledger’s Nano-S cryptocurrency hardware wallet. Source: Amazon.

Hardware wallets like those sold by Ledger are designed to protect the user’s private keys from malicious software that might try to harvest those credentials from the user’s computer.  The devices enable transactions via a connection to a USB port on the user’s computer, but they don’t reveal the private key to the PC.

Yet Saleem Rashid, a 15-year-old security researcher from the United Kingdom, discovered a way to acquire the private keys from Ledger devices. Rashid’s method requires an attacker to have physical access to the device, and normally such hacks would be unremarkable because they fall under the #1 rule of security — namely, if an attacker has physical access to your device, then it is not your device anymore.

The trouble is that consumer demand for Ledger’s products has frequently outpaced the company’s ability to produce them (it has sold over a million of its most popular Nano S models to date). This has prompted the company’s chief technology officer to state publicly that Ledger’s built-in security model is so robust that it is safe to purchase their products from a wide range of third-party sellers, including Amazon and eBay.

Ledger’s message to users regarding the lack of anti-tampering mechanisms on its cryptocurrency hardware wallets.

But Rashid discovered that a reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer to use it, and then siphon the private key and drain the user’s cryptocurrency account(s) when the user goes to use it.

The crux of the problem is that Ledger’s devices contain a secure processor chip and a non-secure microcontroller chip. The latter is used for a variety of non-security related purposes, from handling the USB connections to displaying text on the Ledger’s digital display, but the two chips still pass information between each other. Rashid found that an attacker could compromise the insecure processor (the microcontroller) on Ledger devices to run malicious code without being detected.

Ledger’s products do contain a mechanism for checking to ensure the code powering the devices has not been modified, but Rashid’s proof-of-concept code — being released today in tandem with an announcement from Ledger about a new firmware update designed to fix the bug — allows an attacker to force the device to sidestep those security checks.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid said in an interview with KrebsOnSecurity. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Kenneth White, director of the Open Crypto Audit Project, had an opportunity to review Rashid’s findings prior to their publication today. White said he was impressed with the elegance of the proof-of-concept attack code, which Rashid sent to Ledger approximately four months ago. A copy of Rashid’s research paper on the vulnerability is available here (PDF). A video of Rashid demonstrating his attack is below.

White said Rashid’s code subverts the security of the Ledger’s process for generating a backup code for a user’s private key, which relies on a random number generator that can be made to produce non-random results.

“In this case [the attacker] can set it to whatever he wants,” White said. “The victim generates keys and backup codes, but in fact those codes have been predicted by the attacker in advance because he controls the Ledger’s random number generator.”

Rashid said Ledger initially dismissed his findings as implausible. But in a blog post published today, Ledger says it has since fixed the flaw Rashid found — as well as others discovered and reported by different security researchers — in a firmware update that brings Ledger Nano S devices from firmware version 1.3.1 to version 1.4.1 (the company actually released the firmware update on March 6, potentially giving attackers time to reverse engineer Rashid’s method).

The company is still working on an update for its pricier Ledger Blue devices, which company chief security officer Charles Guillemet said should be ready soon. Guillemet said Nano-S devices should alert users that a firmware update is available when the customer first plugs the device into a computer.

“The vulnerability he found was based on the fact that the secure element tries to authenticate the microcontroller, and that authentication is not strong enough,” Guillemet told KrebsOnSecurity. “This update does authentication more tightly so that it’s not possible to fool the user.” Continue reading

Adrian Lamo, ‘Homeless Hacker’ Who Turned in Chelsea Manning, Dead at 37

March 18, 2018

Adrian Lamo, the hacker probably best known for breaking into The New York Times‘s network and for reporting Chelsea Manning‘s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.

Adrian Lamo, in 2006. Source: Wikipedia.

I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.

The panoply of alternate nicknames he used on instant messenger in those days shed light on a personality not easily grasped: Protagonist, Bitter Geek, AmINotMerciful, Unperceived, Mythos, Arcane, truefaith, FugitiveGame.

In this, as in so many other ways, Lamo was a study in contradictions: Unlike most other hackers who break into online networks without permission, he didn’t try to hide behind the anonymity of screen names or Internet relay chat networks.

By the time I met him, Adrian had already earned the nickname “the homeless hacker” because he had no fixed address, and found shelter most evenings in abandoned buildings or on friend’s couches. He launched the bulk of his missions from Internet cafes or through the nearest available dial-up connections, using an old Toshiba laptop that was missing seven keys. His method was the same in every case: find security holes; offer to fix them; refuse payment in exchange for help; wait until hole is patched; alert the media.

Lamo had previously hacked into the likes of AOL Time Warner, ComcastMCI Worldcom, Microsoft, SBC Communications and Yahoo after discovering that these companies had enabled remote access to their internal networks via Web proxies, a kind of security by obscurity that allowed anyone who knew the proxy’s Internet address and port number to browse internal shares and other network resources of the affected companies.

By 2002, Lamo had taken to calling me on the phone frequently to relate his various exploits, often spoofing his phone number to make it look like the call had come from someplace ominous or important, such as The White House or the FBI. At the time, I wasn’t actively taking any measures to encrypt my online communications, or to suggest that my various sources do likewise. After a few weeks of almost daily phone conversations with Lamo, however, it became abundantly clear that this had been a major oversight.

In February 2002, Lamo told me that he’d found an open proxy on the network of The New York Times that allowed him to browse the newsroom’s corporate intranet. A few days after that conversation, Lamo turned up at Washingtonpost.com’s newsroom (then in Arlington, Va.). Just around the corner was a Kinkos, and Adrian insisted that I follow him to the location so he could get online and show me his discovery firsthand.

While inside the Times’ intranet, he downloaded a copy of the Times’ source list, which included phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures – including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. Lamo also added his own contact information to the file. My exclusive story in Newsbytes about the Times hack was soon picked up by other news outlets.

In August 2003, federal prosecutors issued an arrest warrant for Lamo in connection with the New York Times hack, among other intrusions. The next month, The Washington Post’s attorneys received a letter from the FBI urging them not to destroy any correspondence I might have had with Lamo, and warning that my notes may be subpoenaed.

In response, the Post opted to take my desktop computer at work and place it in storage. We also received a letter from the FBI requesting an interview (that request was summarily denied). In October 2003, the Associated Press ran a story saying the FBI didn’t follow proper procedures when it notified reporters that their notes concerning Lamo might be subpoenaed (the DOJ’s policy was to seek materials from reporters only after all other investigative steps had been exhausted, and then only as a last resort).

In 2004, Lamo pleaded guilty to one felony count of computer crimes against the Times, as well as LexisNexis and Microsoft. He was sentenced to six month’s detention and two years probation, an ordered to pay $65,000 in restitution.

Several months later while attending a formal National Press Foundation dinner at the Washington Hilton, my bulky Palm Treo buzzed in my suit coat pocket, signaling a new incoming email message. The missive was blank save for an unusually large attachment. Normally, I would have ignored such messages as spam, but this one came from a vaguely familiar address: adrian.lamo@us.army.mil. Years before, Lamo had told me he’d devised a method for minting his own .mil email addresses.

The attachment turned out to be the Times’ newsroom source list. The idea of possessing such information was at once overwhelming and terrifying, and for the rest of the evening I felt certain that someone was going to find me out (it didn’t help that I was seated adjacent to a table full of NYT reporters and editors). It was difficult not to stare at the source list and wonder at the possibilities. But ultimately, I decided the right thing to do was to simply delete the email and destroy the file. Continue reading