Tag Archives: Cybercrime

Week in security: Home Depot speaks, Gmail and Android ‘leak’

American home-improvers haven’t had a great week, with Home Depot once again dominating the security news – and this week, Android and Gmail users have had things to fret over, too. On the home improvement front, not only has Home Depot confirmed that there was a large-scale data breach at the world’s largest home improvement chain, the indefatigable security reporter Brian Krebs uncovered evidence of PIN-protected debit card information stolen in the breach being used for large-scale fraud, due to weak protection against criminals changing PIN codes by phone using basic information such as ZIP codes.

Meanwhile, University of New Haven researchers tormented Android chat app users all week, with a series of videos showing just how leaky chat apps on the platform could be: a dozen apps were shown to have serious privacy issues, including big names such as Instagram, OoVoo, OKCupid and Grindr.

Many Gmail passwords were changed in a hurry, too, as a dump of five million usernames and passwords appeared online. Things turned out not to be QUITE as bad as they seemed, but it might be time to change that dusty old password anyway…

Security news: Home Depot tops the bill, again

The news for anyone who’s shopped in Home Depot’s American stores and paid with plastic started badly, and is just getting worse.

This week, the world’s largest home improvement chain store, Home Depot, confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.

Reports by security reporter Brian Krebs broke the even more unwelcome news that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.

In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and the chain is to offer free identity protection and credit monitoring to such customers. Customers who shopped online or in Mexico have not been affected, the chain said in an official release.

ESET senior security researcher Stephen Cobb offers an important reminder about who the real villains are in such hacks: it’s not the beleaguered corporations themselves, but the criminals who install malware in shop POS terminals to steal from the innocent. In a thoughtful blog post, Cobb analyzes where guilt REALLY lies in both the recent leak of celebrity photos and the Home Depot hack.

Gmail: Passwords leaked online, but service ‘not hacked’

Users of Google Mail got a fright earlier this week when a dump of what appeared to be five million username-password combinations for the site appeared online on a Russian Bitcoin security forum.

The truth, however, wasn’t quite as bad as it appeared, although if you haven’t changed your Gmail password in years, it might be worth a quick refresh.

Google pointed out in an official statement that less than 2% of the leaked passwords actually worked – although, as Forbes points out, that’s still 100,000 passwords which do. There was also speculation that the list had simply been cobbled together from hacks on other sites where a Gmail address was used as the login.

ESET senior security researcher Stephen Cobb wrote, “The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.”

“A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site — Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.”

Chat apps fingered for leaking data

Chat apps on Android are not a particularly good way to have a genuinely private conversation, it seems – University of New Haven researchers spent the week drip-feeding a series of videos showing serious security flaws in everything from Instagram to OoVoo and from OKCupid to Grindr.

With many of the most popular chat apps on Android affected, tech news site CNET calculates that nearly a billion (968 million) users could be putting highly private data in the hands of apps that transmit and store it unencrypted.

Many of the Android apps (the researchers focused on Android rather than iOS, although there is no evidence the iOS apps behave differently) send text over the network unencrypted, and store images on servers for weeks without encryption or authentication.

The researchers used PC ‘sniffer’ software such as Wireshark and Network Miner to monitor the data transmitted by the apps, and found images and text transmitted and stored unencrypted – and potentially at risk from snoopers.

Facebook freaks out world… again

A simple case of mistaken identity? Or a dark hint at what Facebook’s algorithms might be able to do? The answer might well be both, after a young data scientist was mistakenly ‘tagged’ in a series of photos he’d posted – of his mother as a young woman.

The case raised several intriguing questions: for instance, if genetic similarities are enough to trigger mistaken identity, could Facebook’s algorithms identify someone who had never used the site?

And could the biometric identification systems in use by law enforcement mistake someone for a relative?

Fred Benenson, who was mistaken for his (very similar-looking) mother, said that the “oddly compelling” incident “opens the door to larger and more difficult questions,” according to a report in The Verge.

Clearly, Facebook made an error in this case, says Fred Benenson, a data scientist at Kickstarter, but he argues that the case raises serious questions: “What about the cases where this algorithm isn’t used for fun photo tagging?”

“What if another false positive leads to someone being implicated for something they didn’t do? Facebook is a publicly traded company that uses petabytes of our personal data as their business model — data that we offer to them, but at what cost?”

NEC’s Neoface biometric software is already being used by police forces in the U.S. and the UK to identify people from video footage, as reported by We Live Security.

The post Week in security: Home Depot speaks, Gmail and Android ‘leak’ appeared first on We Live Security.

Salesforce software – millions of users at risk of Dyre malware

A strain of malware which previously targeted banks has turned its attention to users of the popular Customer Relationship Management (CRM) software Salesforce, used by 100,000 organizations and millions of subscribers, according to SC Magazine’s report.

Dyre, detected by ESET software as Win32/Battdil.A, is believed to be an entirely new strain of malware, and has in the past targeted users of large banks, siphoning data from machines to steal logins, with additional features allowing it to bypass some two-factor authentication systems.

Salesforce software posted a warning on its site this month saying, “Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”

Dyre has previously targeted Bank of America and Citigroup customers, as well as a number of British banks such as NatWest. It is thought to be delivered as a “service” to criminal customers: on sale to the highest bidder.

Salesforce software: Under threat from hi-tech malware

The Register says of the remote-access Trojan (RAT), “Once it’s installed on a Windows PC, usually via a phishing attack, the software nasty then looks out for data sent from web browsers – even SSL-encrypted data – and siphons it off to its masters.”

It’s unclear why Salesforce software users are being targeted. SC Magazine speculates that the switch may be due to a specific order from a “customer”.

The magazine points out that while the company does not publish specific customer numbers of its Salesforce software, it’s estimated that 160,000 organizations and around five million subscribers use the cloud software.

Dyre: New strain of malware on sale to highest bidder

Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to, but sufficiently distinct from, the Zeus malware. The news that it is targeting Salesforce software users is an entirely new “use” for the malware.

Dyre was initially designed to target certain banks in particular – Bank of America, CitiGroup, NatWest, RBS and Ulsterbank. It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.

The phishing campaign first used to spread the malware worked by asking users to download a zip file that claimed to contain invoices or federal tax information. Dropbox quickly removed the links from its system, but the hackers switched to Cubby, a similar service, to continue their campaign.


Five million Gmail credentials posted online

[Updated to clarify that the Gmail account passwords exposed were not necessarily those for your Gmail account.]

According to reports that started to appear on Reddit and other forums on September 9, some five million account credentials were published that have a Gmail address as the user name. For example, if you subscribed to a newsletter on the finegardenz.com site using [email protected] as your user name and the password thumbsup, then it is possible this may have been made public. How? Possibly finegardenz.com was hacked at some point in the past.

The site where the data was published referred to itself as Bitcoin Security and the language of the site that published the email addresses with matching passwords is Russian.

Some people who reviewed the data said that in most cases, the passwords were five years old and did not allow access to their accounts. However, apparently some were still current and reports of attempts to use the credentials have been seen. The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.

A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site — Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.

The Russian site CNews was the first to publish a story about the credentials and connected them to other recent leaks such as the one affecting Yandex, a popular search engine in Russia. Later TheDailyDot published a screenshot of leaked credentials belonging to Spanish, English and Russian speakers.

Representatives from Google and Yandex issued assurances that their systems had not been compromised, but as mentioned above, the keys had been stolen by phishing campaigns and unauthorized access to user accounts (in other words, not leaked by the system for which the credentials were created, but by users of those systems).

Obviously, Gmail account credentials themselves are of great value, given that they provide access to so many Google services, such as Google+ and Google Maps. Access to those two services alone could potentially reveal your home address and allow a stranger to see who your friends are. The lesson here is that if you use a Gmail address as a user name at some site or online service, you should NOT use your Gmail password with that. Remember: different passwords for different sites/services.
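The password-reuse lesson above (and the same point in the weekly roundup earlier on this page) is easy to check mechanically. The following is an added example and not code from the We Live Security post: it audits a constructed password-vault export, lists passwords reused across sites, flags sites where the Gmail address is used as the username together with the Gmail password, and checks each password against a constructed set of breached SHA-1 hashes using a k-anonymity range lookup (only the first five hex characters of the hash go to the lookup; the remainder is compared locally, so the password itself is never sent). The vault rows, the breached hash set, the site names and the `mail.google.com` mailbox entry are all constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export (not real credentials): site, username, password.
VAULT_CSV = """site,username,password
mail.google.com,alice@gmail.com,thumbsup
finegardenz.com,alice@gmail.com,thumbsup
bank.example,alice@gmail.com,Qn7!vb2#Lmz9
forum.example,alice,thumbsup
shop.example,alice@gmail.com,Tr0ub4dor&3
"""

# Constructed "known breached" corpus, stored as upper-case SHA-1 hex digests
# only, the way breached-password lists are usually distributed. Hypothetical.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("thumbsup", "123456", "password")
}


def load_vault(text):
    """Parse a CSV vault export into a list of {site, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(entries):
    """Group vault entries by password; keep only passwords used on >1 site."""
    by_pw = defaultdict(list)
    for e in entries:
        by_pw[e["password"]].append(e["site"])
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def mailbox_password_shared(entries, mailbox_site):
    """Sites where the username is the mailbox address AND the password is the
    mailbox password: exactly the pattern the post warns against."""
    mailbox = [e for e in entries if e["site"] == mailbox_site]
    if not mailbox:
        return []
    mail_user, mail_pw = mailbox[0]["username"], mailbox[0]["password"]
    return sorted(e["site"] for e in entries
                  if e["site"] != mailbox_site
                  and e["username"] == mail_user
                  and e["password"] == mail_pw)


def range_lookup(prefix):
    """Simulated k-anonymity range query: given the first 5 hex chars of a
    SHA-1, return the suffixes of every breached hash sharing that prefix.
    A real service would answer this over the network; the client never
    discloses the full hash, let alone the password."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """Hash locally, query by prefix, match the suffix on the client side."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def audit(text, mailbox_site="mail.google.com"):
    """Run all three checks over a vault export and return the findings."""
    entries = load_vault(text)
    return {
        "reused": find_reuse(entries),
        "mailbox_password_shared_with": mailbox_password_shared(entries, mailbox_site),
        "breached_sites": sorted(e["site"] for e in entries
                                 if is_breached(e["password"])),
    }


if __name__ == "__main__":
    for finding, value in audit(VAULT_CSV).items():
        print(finding, value)
```

On the constructed vault the audit reports `thumbsup` reused on three sites, `finegardenz.com` as the one site sharing both the Gmail username and the Gmail password, and three sites whose password appears in the breached set. A password manager that already stores the vault is the natural place to run such a check, since it never needs to see the breached list in plaintext.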

For safety’s sake, I just went and changed my Gmail password and I suggest you consider doing the same, even though it is a real pain. I already have two-factor authentication enabled on my Google account and recommend you do this for Google and other accounts that support it. Here is a handy list for some popular services that offer 2FA:

If you want to implement two factor authentication for access to your website, there are a number of options available, including ESA which you can learn about here.

I hope this information helps. I also hope we see some arrests of the criminals who keep exposing other people’s private information: doing so is illegal in most countries and a total jerk move wherever you live. (I recently wrote about the need to pressure governments to act against cyber criminals.)

Big hat tip to Sabrina Pagnotta of ESET LATAM office for her early reporting and research on this news.

 


MH17 plane crash victims exploited by cold-hearted scammers

When Malaysia Airlines Flight 17 (MH17) was shot down in Ukrainian airspace in July of this year, the world was understandably shocked.

The news of a civilian passenger flight from Amsterdam to Kuala Lumpur being possibly downed by a surface-to-air missile was horrifying enough, but coming just months after the loss of another Malaysia Airlines flight (MH370) in mysterious circumstances made the headlines seem even harder to believe.

As we have previously documented on We Live Security, the earlier lost aircraft has been the subject of various scams including a fraudulent message that spread on Facebook claiming it had been found, a fake video of the supposed rescue of its passengers, as well as claims that hackers had stolen secret classified documents held by Malaysian government officials.

Now, it appears, the cold-hearted scammers are exploiting the tragic events that befell MH17 over Ukraine too.

MH17 email scam

Part of the spammed out message reads as follows:


I am a German Solicitor resident in Germany. I was the personal Attorney to Mr.Foo Ming Lee, a national of Malaysia who used to work with a contruction company here in Germany.

Mr.Foo Ming Lee 52 years old made a fixed deposit of funds valued at Nineteen Million Euros with a Bank here in Europe and unfortunately lost his life in the
Malaysia Airlines Flight MH 17 from Amsterdam to Kuala Lumpur that was shot down by pro-Russian separatists on 17 July 2014, killing all 283 passengers and 15 crew on board as you can see on the following link: http://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17

To the best of my knowledge as his personal attorney, Mr.Foo Ming Lee has no living beneficiary or next of kin therefore, I want you to reply me immediately after reading this email so that, I can prepare the necessary legal documents and present you to the bank as the only surviving relative to Mr.Foo Ming Lee and instruct the bank to wire the deposit funds Nineteen Million Euros into your provided account.

Yes, it’s “yet another 419 scam”.

Also commonly known as “Letters from Nigeria” or “Advance Fee Fraud”, the scams typically involve the promise of a vast fortune – but sooner or later (once you have begun to be sucked in and lost all wariness) you will be told that you need to advance an amount of money for logistical reasons, or share sensitive information such as your passport or banking details.

You might not fall for a scam like this, but unfortunately there are plenty of vulnerable people out there who do. And it only takes one person to fall for the scam for it to be worthwhile to the fraudsters, who have typically spammed it out to thousands.

But what makes this scam particularly sick is that it uses the name of a genuine victim of the MH17 tragedy.

As media reports confirm, Foo Ming Lee, who lived in Geneva and was a sales and marketing chief for a Japanese tobacco company, was indeed a passenger on MH17 and was amongst the 43 Malaysians who perished in the downing of MH17 over Ukraine.

It’s clear that whoever is behind this scam has scooped up the name of a victim from media reports, and exploited it in an attempt to defraud the unwary.

After all, anyone who was dubious about the unsolicited message might Google some of the details to check whether any elements of it are true.

Yes, the plane crash happened on the date the scam claims, and Mr Foo Ming Lee was amongst the victims.

What is not true, however, is the claim that he had no next of kin. Another news report confirms that his widow, son and daughter laid his ashes to rest at Nirwana Memorial Park on August 24th.

If scammers had any conscience, they wouldn’t compound the misery of those who have been left bereaved and heartbroken by using the names of victims and details of horrendous accidents and tragedies in their money-making plots.

But the sad truth is that the scammers and fraudsters don’t have any conscience, and are prepared to do anything if it might net them a rich reward.

Hat-tip: Thanks to ESET researcher Pierre-Marc Bureau for bringing this scam to my attention.


Nude Celebs, Target, Home Depot: Who is to blame? Criminals!

Celebgate, the leaking of nude photos of celebrities from iCloud that started in August, continues to make headlines but now has competition from another big cybercrime story. The compromise of payment card data at Home Depot is emerging under headlines that make comparisons with another huge retail breach, as in: “bigger than Target?” What’s the connection between the sleazy creeps who hack private online storage accounts to share the contents thereof and folks who hack into point-of-sale systems to steal and sell payment card data? They are all criminals, a fact that is too often overlooked in the angry aftermath of the data breach du jour.

Blaming Cybercrime Victims

As the Celebgate story was emerging I received an interview request from a journalist with the Hungarian edition of CHIP magazine. His first question was: “Who’s responsible for the latest Apple iCloud ‘celebrity nude pictures leak’ scandal and why?” My response went something like this: The correct answer to this question is people, not technology. I continued:

The creepy people who stole the pictures are the ones responsible for this scandal and they should be held accountable. For some strange reason, the world tends to approach computer security differently from physical security. If you forget to lock your car, that does not make you responsible for it being stolen. The car thief is clearly the only person truly responsible. To think that any party other than the sleazy criminals who exposed private information is responsible is to condone their actions.

I was not just saying this to differentiate my analysis from that of actress and Celebgate victim Kirsten Dunst. I’m sure most people have seen headlines like this: “Kirsten Dunst Slams Apple After Alleged Nude Photo Leak: blames iCloud for photo hacking” (Hollywood Life). Much as I admire Ms. Dunst as an actress and sympathize with her entirely justified outrage at this incident, I don’t agree that Apple is to blame, any more than I would blame BMW if my car was stolen. Of course, any company whose business model involves handling sensitive private information has a responsibility to protect it. But persons who work to defeat those protections and then violate the privacy of that information are, in that case, the persons to blame, the responsible party. We must not forget that Target and Home Depot are victims of cybercrime, just as Ms. Dunst and other celebrities whose private photos were exposed are victims of cybercrime, whatever the passwords protecting their accounts happened to be.

To think that any party other than the sleazy criminals who exposed private information is responsible is to condone their actions. I say this because to say otherwise is to go down a road best avoided. Consider Apple’s reaction to Celebgate: they have instituted improved security measures. What if we fast forward 12 months and hear that, once again, a determined group of sick-minded perverts has defeated those enhanced security measures and exposed another batch of private pictures? Is Apple still responsible? Before you answer, let’s consider the Home Depot hack. Reports so far indicate that the criminals used an enhanced version of the malware deployed to steal tens of millions of payment card records from Target stores. The response from Target includes a commitment to use EMV cards in the future. EMV cards contain a chip and are much harder for criminals to replicate, making the conversion of stolen card data into cash more challenging. But notice that I’m saying “harder, more challenging” but not impossible.

In other words, unless human nature experiences a sudden and unprecedented global upgrade, some people somewhere will always be trying to defeat security measures for their own ends. A certain number will always succeed, so the trick is to reduce that number. And that is why societies put in place policies and allocate resources to deter criminal activity, notably through the detection, identification, apprehension, prosecution, and punishment of persons deemed to be criminal perpetrators. If any party other than the criminals is to blame for Celebgate and the Target and Home Depot hacks I would say it is society for failing to devote enough resources to the deterrence of cybercrime.

Cybercrime and Society

Sure, many companies and consumers could do a better job of protecting the information systems they use, from changing the default password on point of sale devices, to using stronger passwords on our accounts than 123456 (which recently replaced password as the most widely used password, according to an analysis of millions of compromised records – see this paper on password advice to choose something better).

In recent years a lot of useful advice on how to improve our digital security has been made freely available. The federal government publishes a wide range of guides to best practices, including the comprehensive Framework for Improving Critical Infrastructure Cybersecurity from NIST (the National Institute of Standards and Technology).

So why don’t more organizations do a better job at security? There are many reasons, cost being the most obvious, but failing to fit your front door with an expensive pick-proof lock does not make you responsible for a burglary or home invasion; there seems to be broad consensus that responsibility for those crimes rests with any criminal who chooses to violate your physical space. Violations of private virtual space should be considered equally criminal, and violators should be vigorously pursued.

America has well-established measures in place for responding to such physical crimes, from tracking down the perpetrators to arresting, prosecuting, and punishing them. And America’s efforts to deter traditional physical crime appear to be effective when you look at the number of bank robberies each year and the average amount of loot they yield. Both numbers are gradually declining: from 7,644 incidents yielding an average of $10,000 in 2003 to 5,086 incidents yielding $7,539 in 2011 (based on FBI reporting).

When it comes to computer fraud, the graph is a steep line going in the opposite direction: up from $125 million in 2003 to $781 million in 2013 (based on Internet Crime Complaint Center reporting, in conjunction with the FBI). So where is the effort to deter cybercrime? And where is it located on the list of national priorities? Clearly there are some law enforcement resources devoted to catching and prosecuting cybercriminals. We have seen a number of high profile arrests already this year (and I expect to see more). I have seen some very impressive computer forensics conducted by law enforcement at the local, national, and international levels.

What I don’t see are sufficient resources deployed to fight cybercrime at anything like the scale on which such crime is being conducted. In no way is this a criticism of the folks in the field who are knocking on doors and dissecting hard drives. I just don’t think there are enough of them. An in-depth academic study of cybercrime put the annual global law enforcement spend on the fight against cybercrime at $400 million in 2010 (Anderson, Barton, Böhme, Clayton, van Eeten, Levi, Moore, Savage, 2012). In speaking with one of the authors of that study, I found that about half of that figure, $200 million, was U.S. spending. Compare that to the FBI’s total budget request for fiscal year 2015: $8.3 billion.

Now compare that number to the $21 billion budget for the espionage activities of the NSA/NRO, which is on top of the $14.7 billion we shell out for whatever the CIA does these days. Now look at the staffing levels funded in the 2015 FBI budget request: 34,970 permanent positions including 13,050 special agents. Compare that with the FBI’s 2014 request for $8.4 billion to cover 34,787 permanent positions including 13,082 special agents. By my count, that’s $100 million less in spending, and a reduction in force of 32 special agents.

I’m a security professional and not a budget analyst, but to me those numbers don’t seem consistent with a firm national resolve to tackle cybercrime. So, speaking as a security professional, I suggest that the next time a major IT security breach hits the headlines, we take a break from blaming the victims, and that includes people who use weak passwords on their accounts or companies who have holes in their security systems. Let’s put some of that anger and outrage into lobbying our government to take more decisive action against cybercrime and the people who perpetrate it.

Disagree? Leave a comment and let me know what you think. BTW, here’s a link to the FBI’s most wanted cyber criminal page.
 


Online ad threat – Yahoo, Amazon, YouTube ‘victims of malvertising’

Anyone who has visited popular domains such as YouTube.com, Amazon.com or Ads.Yahoo.com could be a victim of a new, mutating malware attack distributed through advertisements that online ad networks serve on those sites, according to a new blog by networking specialist Cisco.

The blog describes how the online ad malware (which comes in two forms, one for PC, one for Mac), is distributed via online advertising networks – basically by conning one of the large companies whose ads are seen on thousands of sites into forwarding an ad with a malicious payload.

The Register describes the process as, “The high-profile serving domains – along with many others – are, of course, receiving the “malvertising” from online ad networks that have been tricked into hosting the attack content.”

Online ad threat: How it works

The Cisco bloggers say that a number of major domains, listed in their original blog post, have been affected by the current attack. The attack has been nicknamed Kyle and Stan, due to the naming scheme of the subdomains within the group – “stan.mxp2099.com” and “kyle.mxp2038.com”.

Threatpost reports that the attack is probably much larger than the 700 domains analyzed by Cisco, and says, “700 domains and nearly 10,000 users have hit these domains and been exposed to the malicious advertisements.”

Threatpost points out that the attack vector is not new – the New York Times has previously fallen victim to a malvertising campaign – but that ‘Kyle and Stan’ takes a unique approach.

Cisco says that the attack delivers a unique malicious payload for every visitor, packaged with a legitimate media player, and a piece of malware which is tailored to each user.

“Extremely effective attack”

“The idea is very simple: use online advertising to spread malware. This attack form is not new, but extremely effective,” Cisco says.

“The world of online ads has only a few major players. If an attacker can get one of those major online ad networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

The attack comes in various forms, Cisco reports, but so far relies on pure social-engineering, rather than ‘drive-by downloads’ where users who don’t click are infected. Different malware packages are delivered according to platform and user, and the attack is evolving, the bloggers warn.

A discussion of the murky world of malvertising, adware and ‘badware’ by ESET researcher Joan Calvet can be found here.


Home Depot credit cards: chain confirms breach, fraud spikes

The world’s largest home improvement chain store, Home Depot, yesterday confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.

Reports by security reporter Brian Krebs and others have said that the malware used in the attack was the same used in the Target breach, and that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.

In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and the chain is to offer free identity protection and credit monitoring to customers who used Home Depot credit cards or debit cards in-store. Customers who shopped online or in Mexico have not been affected, the chain said in the release.

Home Depot credit cards: Who is at risk?

Veteran security reporter Brian Krebs said that the news had been accompanied by a spike in debit card fraud, after a vast haul of Home Depot credit card and debit card numbers were sold on an underground forum last week.

Krebs said, “multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.”

Home Depot said that there was no evidence PIN numbers had been compromised during the breach, and that, “Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware.”

Technology site GigaOm reports that the malware involved in the breach has been reported as being BlackPOS, the same used in the Target breach earlier this year.

“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Frank Blake, chairman and CEO.

“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”

How criminals withdraw cash without needing PINs

GigaOm reports that the chain is to roll out EMV chip-and-PIN technology by the end of the year, offering a secure chip rather than a magnetic stripe which is more easily copied by malware such as BlackPOS.

Krebs said that the current glut of fraud relies on criminals working out a customer’s ZIP code, starting from the ZIP code of the Home Depot store they shopped at and using underground services which sell such information.

Krebs writes, “Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information: the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card; the card’s expiration date; the customer’s date of birth; the last four digits of the customer’s Social Security number.”

Krebs said that this authentication process was weak enough that one large bank told him that a single West Coast bank had lost $300,000 in less than two hours due to debit and credit card fraud perpetrated with cards stolen in the breach.
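The three-of-five policy Krebs describes, modelled as an added example that is not part of the original post and not any bank’s system: it checks whether the data the article says criminals hold (card data from the breach plus purchased personal details) is already enough to pass the reset policy, and compares a hardened variant. Which checks each data source satisfies, and the out-of-band factor in the hardened policy, are assumptions.

```python
# Added example (not from the article, Krebs or any bank): encodes the VRU
# PIN-reset policy described above (any 3 of 5 checks) and asks whether data the
# article says is available to criminals already satisfies it. Which factors
# each data source yields, and the hardened variant, are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class ResetPolicy:
    name: str
    optional_checks: frozenset  # any `threshold` of these suffice
    threshold: int
    required_checks: frozenset = frozenset()  # every one of these must pass


def satisfiable_with(policy: ResetPolicy, attacker_knows: set) -> bool:
    """True if knowledge of `attacker_knows` alone passes the policy."""
    if not policy.required_checks <= attacker_knows:
        return False
    return len(policy.optional_checks & attacker_knows) >= policy.threshold


def shortfall(policy: ResetPolicy, attacker_knows: set) -> int:
    """How many more checks the attacker would still need to pass (0 = bypassed)."""
    missing_required = len(policy.required_checks - attacker_knows)
    have = len(policy.optional_checks & attacker_knows)
    return missing_required + max(0, policy.threshold - have)


# The five checks Krebs lists for the automated phone system.
VRU_CHECKS = frozenset({"caller_id_on_file", "cvv2", "card_expiry",
                        "date_of_birth", "ssn_last4"})
VRU_POLICY = ResetPolicy("VRU 3-of-5", VRU_CHECKS, threshold=3)

# Hardened variant (assumption): same checks, but one factor that neither card
# data nor purchased PII can supply becomes mandatory, e.g. a one-time code
# sent to the phone number on file.
HARDENED_POLICY = ResetPolicy("VRU 3-of-5 plus out-of-band code", VRU_CHECKS, 3,
                              required_checks=frozenset({"otp_to_phone_on_file"}))

# Constructed attacker knowledge (assumption about what each source yields):
BREACH_CARD_DATA = {"card_expiry"}              # from the stolen card data
PURCHASED_PII = {"date_of_birth", "ssn_last4"}  # from the services Krebs mentions
ATTACKER_KNOWS = BREACH_CARD_DATA | PURCHASED_PII


def assess(policy: ResetPolicy, attacker_knows: set = ATTACKER_KNOWS) -> dict:
    """Summarise how a policy fares against the modelled attacker."""
    return {"policy": policy.name,
            "checks_attacker_passes": sorted(policy.optional_checks & attacker_knows),
            "bypassed": satisfiable_with(policy, attacker_knows),
            "shortfall": shortfall(policy, attacker_knows)}
```

The point the model makes is that a threshold over factors which all come from the same two sources is one factor in disguise; a reset path only holds if at least one mandatory check draws on something those sources cannot supply.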

ESET researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

The post Home Depot credit cards: chain confirms breach, fraud spikes appeared first on We Live Security.

Now your LinkedIn account can be better protected than ever before

Let’s be honest. LinkedIn doesn’t have the most spotless record when it comes to security and privacy.

In the past, LinkedIn has been hacked. (Who can forget when 6.5 million stolen LinkedIn passwords were found on a Russian web server?)

Or maybe you recall hearing about how LinkedIn was scooping up the contents of iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers, and transmitting them unencrypted in plaintext.

Or how about the time that LinkedIn controversially introduced (and then rapidly withdrew) a widget that meddled with the standard iOS Mail app, with the side effect of compromising the entire security of your email inbox, allowing LinkedIn to read every message you sent or received *outside* of the site?

I could go on, but you get the idea – and, anyway, I like to think that companies can learn. And, on this occasion, LinkedIn has done something that should be applauded.

In a blog post published yesterday, LinkedIn explained that it was introducing three new tools which go some way to boosting security, and granting members more control over their data.

First up, you can now check where (if anywhere) else you are currently logged into LinkedIn.

It’s all very well being logged into your LinkedIn account at home, but are you sure you logged off in the office? Alternatively, is it possible that a hacker has stolen your password and is currently messing around with your LinkedIn account on the other side of the world?

Now there’s an easy way to check.

Go to your settings and click on “See where you are logged in” to view a complete list of the devices on which you are signed into the site.

LinkedIn active sessions

In the above screenshot, you can see that I have nothing to fear. There’s only one computer currently logged into my LinkedIn account, and I feel fairly comfortable that that’s me.

But if there had been additional sessions displayed, I would have been able to check what browser and operating system was being used in each case, and the approximate location of the activity. Then, if I chose, logging them out remotely would be just a mouse click away.

Multiple sessions

And, of course, if the other sessions were at locations or on devices I didn’t recognise then that might be a good time to consider changing my password and enabling LinkedIn’s two-factor authentication.

Next up, LinkedIn is offering more information to users in its password change email notifications – telling them, for the first time, when and where an account’s password change occurred.

LinkedIn password change

Finally, LinkedIn has taken a leaf out of Facebook and Google’s book and provided a way for users to easily export all of the data that the site stores about them, by requesting a data archive.

Request LinkedIn data archive

Once requested, it takes LinkedIn approximately 72 hours to collate the data that it holds on you, but never fear because you will be sent an email once the data is available for download.

None of these new features can really be considered rocket science, but it’s good to see LinkedIn introducing them and putting more power into the hands of its millions of users, who would feel pretty dreadful if their account was ever compromised.

It’s essential to keep your LinkedIn account out of the hands of fraudsters and internet criminals, precisely because it is the “business social network”.

In the past hackers have taken over accounts and posted poisoned links, and it’s easy to imagine the fraudulent behaviour that could take place if a worker’s colleagues and industry peers believed that it was John Doe communicating with them rather than a malicious attacker.

Of course, there’s no point to these tools if they aren’t actually used in the way that they’re designed.

Read LinkedIn’s blog, ensure that you’re familiar with these new features and the site’s two-factor authentication facility, and you will be better placed to protect both yourself and your fellow workers.

The post Now your LinkedIn account can be better protected than ever before appeared first on We Live Security.

Car hacking – are one-third of thefts ‘electronic hacks’?

The UK government is to work with car manufacturers to prevent hackers using electronic means to break into increasingly hi-tech vehicles in Britain, after a spate of ‘car hacking’ in London, Computer World reports.

In a speech to independent think tank Reform, Home Secretary Theresa May said that thieves were using “sophisticated devices” to grab car key codes, and driving away in less than 10 seconds without using force, according to the Daily Mail.

The report claimed that “hackers” were behind a third of car thefts in London.

At the Black Hat security conference this summer two researchers launched a petition to change how car companies and technology companies work together. “We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers said via Change.org.

Car hacking: A real risk?

In her speech to Reform, May said, “There have been reports that they could even use ‘malware’ to commandeer vehicle systems via satellites and issue remote demands to unlock doors, disable alarms and start car engines.”

“Because we have this understanding, we can now work with industry to improve electronic resilience, include this kind of resilience in the vehicle’s overall security ratings, and work out the extent to which the same threat applies to other physical assets such as building security systems.”

May’s speech echoes a series of presentations by security researchers which warn that as cars become increasingly ‘connected’, with up to 200 control units each, hacking such vehicles becomes easy.

Two researchers have concluded that this will become even easier once web browsers in cars become more common.

Hackers behind ‘third’ of crimes

Earlier this summer, a group of Chinese researchers showed off a hack which could open the doors on a Tesla S while in motion, as well as control other vehicle systems – and the car’s control panel, thought to run a modified version of Firefox, was claimed to be the route in.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.”

Last year a U.S. senator urged auto manufacturers to change – and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

On the researchers’ page, I am the Cavalry, they say, “Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

The post Car hacking – are one-third of thefts ‘electronic hacks’? appeared first on We Live Security.

Credit card security fears – could Home Depot breach be biggest yet?

Shoppers at Home Depot stores may have had their credit card security details leaked online, after a massive batch of card information went on sale on a criminal internet site this week, according to veteran security writer Brian Krebs, who reported the possible breach on his Krebs on Security website. Krebs claims the breach may be the biggest yet seen.

The credit card security breach could have begun as early as April or early May of this year, and may be linked to the hackers responsible for the breaches at Target and P.F. Chang’s, according to Krebs. Separate batches of debit and credit card details from European and American shoppers have been offered for sale on a criminal website this week.

USA Today reports that the breach could dwarf even the Target breach, in which 40 million debit and credit accounts were compromised.

Fox Business News reported that Home Depot has, as yet, not confirmed the scale of the breach.

Credit card security: The biggest breach yet?

“Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately,” spokesperson Paula Drake said in a statement.

The card data were offered for sale under the title “American Sanctions,” which Krebs interpreted as a reference to the ongoing conflict in Ukraine. Stolen information from European cards which had been used in the stores was sold separately as “European Sanctions,” Krebs reported.

Home Depot shares dropped 2.6% at the news, Fox Business reported.

Krebs spoke to several banks, and his latest update hints that this breach could be the biggest yet seen. “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period,” he says.

Mark James, security specialist at ESET says, “The news of another credit card hack is not surprising – but is no less worrying. It seems that no company is safe and if you have EVER used a credit card to purchase goods then you may be at risk.”

“It is thought the original team that targeted P.F.Chang’s and Target are also the perpetrators here, and due to the amount of data that has been stolen it stands to reason it will be used or released in batches over time.”

Card breach: What to do

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

ESET’s James says, “Nothing can be done about the data already stolen, but we could take some actions to lessen the impact of compromised credit cards. Don’t just have a single credit for all uses: for instance, separate your physical purchases (in store) and your online purchases by using different credit cards for each.”

“At least that way, if one gets lost or stolen, it’s not so much of an impact to get it stopped and replaced. Also, it’s always good practice to keep an eye on your credit statement for small or unusual payments; often small (under the radar) amounts are processed to test if the cards are valid. If they go through, then larger amounts will follow.”

“If you spot something unusual notify your bank immediately. As always, it’s imperative the organization in question notifies all parties involved in any security breach so we the public can take action quickly.”

The post Credit card security fears – could Home Depot breach be biggest yet? appeared first on We Live Security.