Skip to content

Security News

Equifax should be wound down..Part 2

Quote

Equifax has consistently failed in their duty to protect data. The company should be forced to offer a permanent lifetime credit freeze for FREE. Or absent of that, wind them them down. They are completely incompetent and should not be allowed to be in this business in my opinion.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

..

Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.

That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.

And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?

Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.

Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?

..

And then there’s this: A security freeze doesn’t protect you if the thieves break into the vault of the company that maintains the freeze. That’s what happened here, and we will now spend years seeing what happens next.

Equifax should be wound down..Part 1

There is simply no excuse for this bad actor. Terminate the company.

Quote

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.

“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.

The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.

People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.

Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.

Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could have information stolen from Equifax and used it to open accounts with creditors that use Experian or TransUnion.

“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.

Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.

Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.

Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.

“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”

Sen. Mark R. Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus, said he believed the severity of the Equifax breach raised serious questions about whether Congress needed to rethink data protection policies.

“It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans,” he said in a statement.

Equifax Hack

Quote

“Stand up who HASN’T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone” 143m in US, unknown number in UK, Canada – gulp!

Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.

In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.

CEO Richard Smith said that the company’s core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million Americans were exposed.

Oh, so is that good news? Only 143mil? These are foilks that are SOPPOSED to get security right in the first place! What bozos!

In response to the debacle, Equifax is offering every US citizen a year’s free identity theft monitoring for those who apply, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.

Yes, the identity theft detection service will be supplied by… Equifax. And if you want to check you’re affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.

Great comment

‘We pride ourselves on being a leader in managing and protecting data’

Really, you do do you.

I pride myself at being good at detecting bullshit, the needle moved a bit at that statement.

It should have moved off the scale and bent the needle, but I’ve recently re-calibrated it.

HOTSPOT VPN == Spyware

Quote

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim
CDT tries to set fed trade watchdog on internet biz
By Thomas Claburn in San Francisco 7 Aug 2017 at 20:20

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company’s software gathers data and its privacy policy allows it to share the information.

Worryingly, it is claimed the service forces ads and JavaScript code into people’s browsers when connected through Hotspot Shield: “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

….
IP address and unique device identifiers are generally considered to be private personal information, but AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iFrames for advertising and tracking purposes,” the complaint says, adding that the VPN uses more than five different third-party tracking libraries.

What’s the alternative? Rool your own, set up a VPS or Algo or both

Police say fridges could be turned into listening devices

Quote

Just say NO to IOT

Your fridge could be turned into a covert listening device by Queensland Police conducting surveillance.

The revelation was made during a Parliamentary committee hearing on proposed legislation to give police more powers to combat terrorism.

Police Commissioner Ian Stewart said technology was rapidly changing and police and security agencies could use devices already in place, and turn them into listening devices.

“It is not outside the realm that, if you think about the connected home that we now look at quite regularly where people have their security systems, their CCTV systems and their computerised refrigerator all hooked up wirelessly, you could actually turn someone’s fridge into a listening device,” Mr Stewart said.

Share on Facebook SHARE
Share on Twitter TWEET

Queensland Police Commissioner Ian Stewart said the proposed new laws were necessary to keep people safe.
Queensland Police Commissioner Ian Stewart said the proposed new laws were necessary to keep people safe. Photo: Glenn Hunt

“This is the type of challenge that law enforcement is facing in trying to keep pace with events and premises where terrorists may be planning, they may be gathering to discuss deployment in a tactical way and they may be building devices in that place.

“All of that is taken into account by these new proposed laws.”

The Counter-Terrorism and Other Legislation Amendment bill would give police more powers during and following attacks.

Nasty Hole in Skype

Nothing to see here, says Microsoft, just more crappy code

Infosec researchers have discovered a nasty and exploitable security vulnerability in older versions of Skype on Windows.The stack buffer overflow flaw allows miscreants to inject malicious code into Windows boxes running older versions of Skype, bug hunters at Vulnerability Laboratory warn: The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched.The CVE-2017-9948 bug involves mishandling of remote RDP clipboard content within the message box.Microsoft said the bug isn’t a problem for those running the latest version of its software.”Users on the latest Skype client are automatically protected, and we recommend upgrading to this version for the best protection,” a Microsoft spokesperson told El Reg.Vulnerability Laboratory’s Benjamin Kunz Mejri responded that although Microsoft had fixed this issue with version 7.37, widely used versions 7.2, 7.35 and 7.36 are still vulnerable to what he described as a “critical” security issue.
Source

If you are using XP you are screwed maybe as 7.36 is the last version… but

CVE-2017-9948 allows local or remote attackers to execute own codes on the affected and connected systems via Skype.
CVE-2017-9948 Fixed in v7.2, v7.3.5 & v7.3.6 Skype Versions

“In a software update of the v7.2, v7.3.5 & v7.3.6 version of Skype, a limitation has been implemented for the clipboard function”, researchers explain. Users of older versions of Skype are advised to update to the latest version as soon as possible to avoid becoming victims of malicious attacks.

Also, it’s important to note that the security risk associated with this flaw is high, as the exploitation of the buffer overflow software vulnerability requires no user interaction and only a low privilege Skype user account.

Source
https://sensorstechforum.com/cve-2017-9948-severe-skype-flaw/

Petya Ransonware

I have been busy so no chance to write the blog. But I had few minutes this AM to collect some links of articles on the Petya Ransomware.

Good Summaries
https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html
https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe

Up to Minute Updates from ESET (L4 Networks is an ESET Partner)
https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/

How to protect yourself (From ESET)

  • Use reliable antimalware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need antimalware. It does! Always install a reputable antimalware program and keep it updated. [L4 Note: And just because you have a hardware firewall, it does NOT mean you do not need an application level firewall. You DO! ]
  • Make sure that you have all current Windows updates and patches installed
    Run ESET’s EternalBlue Vulnerability Checker to see whether your Windows machines are patched against EternalBlue exploit, and patch if necessary.
    For ESET Home Users: Perform a Product Update.
    For ESET Business Users: Send an Update Task to all Client Workstations or update Endpoint Security or Endpoint Antivirus on your client workstations.

Bowl Tending: Chipotle

QUOTE

Fast-food chain Chipotle says hackers infected its point of sale terminals to gain access to card data from stores in 47 states and Washington, DC.

The self-described “Mexican Grill” says that the malware was active earlier this year from March 24 to April 18, when it was detected, triggering the company to issue an alert.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in its latest summary of the incident.

“There is no indication that other customer information was affected.”

That last sentence is a bit puzzling, as a fraudster who has payment card numbers, dates, and security codes would have little need for any other info.

….

Chipotle recommends that anyone who paid with a card at one of the compromised stores keep a close eye on bank statements and consider having an alert placed to their credit file to catch possible fraud.

Yeah right, double speak “there is no indication that other customer information was affected.” Which means, no other customer information EXCEPT the information stolen in the hack! Excuse me while I barf.

Trump Scandal? Ooops..Hackers target The Donald’s businesses

Quote

The FBI and CIA are investigating an attempted hack on the Trump Organization.

According to a report from ABC citing unnamed officials with the intelligence agencies, it is believed someone overseas attempted to breach the President’s international real estate holding company.

The report claims that officials and cybersecurity specialists with both the FBI and CIA met earlier this month with Eric and Donald Trump Jr, who have been running the Trump Organization since their father assumed the Presidency of the United States in January.

The report did not suggest where the hackers may have originated. The Trump Organization has denied any of its data was compromised.

“We absolutely weren’t hacked,” Eric Trump said. “That’s crazy. We weren’t hacked, I can tell you that.”

According to ABC, the meeting took place on May 9th, one day before Trump caused a political firestorm by firing FBI director James Comey in the midst of his investigation into Russian government-backed hackers meddling in the 2016 US election, which saw Trump score a surprise win.

In the months following the election, the FBI and Congress have launched investigations into just how much (if anything) the Trump campaign knew of the Russian meddling.

This is not the first time the Trump Organization has been targeted for cybercrime. First in 2015 and again in 2016, hackers managed to get malware onto the point of sale systems at several Trump hotels.

Those incidents were entirely financial, however, as the attackers were looking to steal the payment card numbers of restaurant customers and hotel guests. This latest incident, given the interest taken by the FBI and CIA, could well have involved a more serious target

WannaCry‬pt ransomware note likely written by Google Translate-using Chinese speakers

Quote

The ‪WannaCry‬pt extortion notes were most likely written by Chinese-speaking authors, according to linguistic analysis.

WannaCry samples analysed by security outfit Flashpoint contained language configuration files with translated ransom messages for 28 languages. All but three of these messages were put together using Google Translate, according to Flashpoint.

Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.

Flashpoint found that the English note was used as the source text for machine translation into the other languages.

The two Chinese ransom notes differ substantially from other notes in both content, format, and tone. This means they were likely that the Chinese text was put together separately from the English text and by someone who is at least fluent in Chinese if not a native speaker. The Chinese note is longer than the English note, containing content absent from other versions of the shake-down message.

The most plausible scenario is that the Chinese was the original source of the English version, say analysts. Flashpoint concludes that the unidentified perps – without speculating on their nationality – are likely to be Chinese speakers.

Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).