MacOS High Sierra Users: Change Root Password Now

A newly-discovered flaw in macOS High Sierra — Apple’s latest iteration of its operating system — allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.

For better or worse, this glaring vulnerability was first disclosed today on Twitter by Turkish software developer Lemi Orhan Ergin, who unleashed his findings onto the Internet with a tweet to @AppleSupport:

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

High Sierra users should be able to replicate the exploit by accessing System Preferences, then Users & Groups, and then click the lock to make changes. Type “root” with no password, and simply try that several times until the system relents and lets you in.

How does one change the root password? It’s simple enough. Open up a Terminal (in the Spotlight search box just type “terminal”) and type “sudo passwd root”.

Many people responding to that tweet said they were relieved to learn that this extremely serious oversight by Apple does not appear to be exploitable remotely. However, sources who have tested the bug say it can be exploited remotely if a High Sierra user a) has not changed the root password yet and b) has enabled “screen sharing” on their Mac.

Likewise, multiple sources have now confirmed that disabling the root account does not fix the problem because the exploit actually causes the account to be re-enabled.

There may be other ways that this vulnerability can be exploited: I’ll update this post as more information becomes available. But for now, if you’re using macOS High Sierra, take a moment to change the root password now, please.

from
https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/

Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools?

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

The headquarters of the National Security Agency in Fort Meade, Md.

The existence of the Equation Group was first posited in Feb. 2015 by researchers at Russian security firm Kaspersky Lab, which described it as one of the most sophisticated cyber attack teams in the world.

According to Kaspersky, the Equation Group has more than 60 members and has been operating since at least 2001. Most of the Equation Group’s targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

Thanks to documents leaked from former NSA contractor Edward Snowden we know that TAO is a cyber-warfare intelligence-gathering unit of NSA that has been active since at least 1998. According to those documents, TAO’s job is to identify, monitor, infiltrate and gather intelligence on computer systems being used by entities foreign to the United States.

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

JEEPFLEA & EASTNETS

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting? The hacking tools leaked by The Shadow Brokers are now in the public domain and can be accessed through this Github repository. The toolset includes reams of documentation explaining how the cyber weapons work, as well as details about their use in highly classified intelligence operations abroad.

Several of those documents are Microsoft Powerpoint (.pptx) and PDF files. These files contain interesting metadata that includes the names of at least two people who appear to be connected to the NSA’s TAO operations.

Inside the unzipped folder there are three directories: “oddjob,” “swift,” and “windows.” Looking at the “swift” folder, we can see a Powerpoint file called “JFM_Status.pptx.”

JFM stands for Operation Jeepflea Market, which appears to have been a clandestine operation aimed at siphoning confidential financial data from EastNets — a middle eastern partner in SWIFT. Short for the Society for Worldwide Interbank Financial Telecommunication, SWIFT provides a network that enables financial institutions worldwide to send and receive data about financial transactions.

A slide from a Powerpoint presentation on the top secret Jeepflea Market operation, in which hackers allegedly tied to the National Security Agency compromised EastNets, a middle eastern partner of the global SWIFT financial network.

Each of the Jeepflea Powerpoint slides contain two overlapping seals; one for the NSA and another for an organization called the Central Security Service (CSS). According to Wikipedia, the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements (SCE) of the U.S. armed forces.

In Figure 10 of the Jeepflea Powerpoint document, we can see the seal of the Texas Cryptologic Center, a NSA/CSS entity that is based out of Lackland Air Force Base in San Antonio Texas.

The metadata contained in the Powerpoint document shows that the last person to modify it has the designation “NSA-FTS32 USA,” and that this leaked version is the 9^th revision of the document. What does NSA-FTS32 mean? According to multiple sources on the internet it means Tailored Access Operations.

We can also see that the creator of the Jeepflea document is the same person who last modified it. The metadata says it was last modified on 8/12/2013 at 6:52:27 PM and created on 7/1/2013 at 6:44:46 PM.

The file JFMStatus.pptx contains metadata showing that the creator of the file is one Michael A. Pecoraro. Public record searches suggest Mr. Pecoraro is in his mid- to late 30s and is from San Antonio, Texas. Pecoraro’s name appears on multiple documents in The Shadow Brokers collection. Mr. Pecoraro could not be reached for comment.

The metadata in a Microsoft Powerpoint presentation on Operation Jeepflea shows that the document was created and last modified in 2013 by a Michael A. Pecoraro.

Another person who earned the NSA-FTS32 designation in the document metadata was Nathan S. Heidbreder. Public record searches suggest that Mr. Heidbreder is approximately 30 years old and has lived in San Antonio and at Goodfellow Air Force Base in Texas, among other locations in the state.

According to Goodfellow’s Wikipedia entry, the base’s main mission is cryptologic and intelligence training for the Air Force, Army, Coast Guard, Navy, and Marine Corps. Mr. Heidbreder likewise could not be reached for comment.

The metadata contained in one of the classified Jeepflea Market Microsoft Excel documents released in The Shadow Brokers trove states that a Nathan S. Heidbreder was the last person to edit the document.

Another file in the leaked Shadow Brokers trove related to this Jeepflea/EastNets operation is potentially far more revealing, mainly because it appears to have last been touched not by an NSA employee, but by an outside contractor.

That file, “Eastnets_UAE_BE_DEC2010.vsd,” is a Microsoft Visual Studio document created in Sept. 2013. The metadata inside of it says the last user to open the file was one Gennadiy Sidelnikov. Open records searches return several results for this name, including a young business analyst living in Moscow and a software developer based in Maryland.

As the NSA is based in Fort Meade, Md., this latter option seems far more likely. A brief Internet search turns up a 50-something database programmer named Gennadiy “Glen” Sidelnikov who works or worked for a company called Independent Software in Columbia, Md. (Columbia is just a few miles away from Ft. Meade).

The metadata contained within Eastnets_UAE_BE_Dec2010.vsd says Gennadiy Sidelnikov is the last author of the document. Click to enlarge.

What is Independent Software? Their Web site states that Independent Software is “a professional services company providing Information Technology products and services to mission-oriented Federal Civilian Agencies and the DoD. The company has focused on support to the Intelligence Community (IC) in Maryland, Florida, and North Carolina, as well as select commercial client markets outside of the IC.”

Indeed, this job advertisement from August 2017 for a junior software engineer at Independent Software says a qualified applicant will need a TOP SECRET clearance and should be able to pass a polygraph test.

WHO IS GLEN SIDELNIKOV?

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sildelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sildelnikov might be predisposed to using a Russian antivirus product.

Mr. Sidelnikov calls himself a senior consultant, but the many skills he self-described on his LinkedIn profile suggest that perhaps a better title for him would be “database administrator” or “database architect.”

A Google search for his name turns up numerous forums dedicated to discussions about administering databases. On the Web forum sqlservercentral.com, for example, a user named Glen Sidelnikov is listed as a “hall of fame” member for providing thousands of answers to questions that other users posted on the forum.

KrebsOnSecurity was first made aware of the metadata in the Shadow Brokers leak by Mike Poor, Rob Curtinseufert, and Larry Pesce. All three are security experts with InGuardians, a Washington, D.C.-based penetration testing firm that gets paid to break into companies and test their cybersecurity defenses.

Poor, who serves as president and managing partner of InGuardians, said he and his co-workers initially almost overlooked Sidelnikov’s name in the metadata. But he said the more they looked into Sidelnikov the less sense it made that his name was included in the Shadow Brokers metadata at all.

“He’s a database programmer, and they typically don’t have access to operational data like this,” Poor said. “Even if he did have access to an operational production database, it would be highly suspect if he accessed classified operation documents.”

Poor said that as the data owner, the NSA likely would be reviewing file access of all classified documents and systems, and it would definitely have come up as a big red flag if a software developer accessed and opened classified files during some routine maintenance or other occasion.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

Curtinseufert said it may be that Sidelnikov’s skills came in handy in the Jeepflea operations, which appear to have involved compromising large financial databases, and querying those for very specific transactions.

For example, Jeepflea apparently involved surreptitiously injecting database queries into the SWIFT Alliance servers, which are responsible for handling the messaging tied to SWIFT financial transactions.

“It looks like the SWIFT data the NSA was collecting relied heavily on databases, and they were apparently also using some exploits to gather data,” Curtinseufert said. “The SWIFT databases are all records of financial transactions, and in Jeepflea they were able to query those SWIFT databases and see who’s moving money where. They were looking to pull SWIFT data on who was moving money around the Middle East. They did this with EastNets, and they tried to do it down in Venezuela. And it looks like through EastNets they were able to hack individual banks.”

The NSA did not respond to requests for comment.

InGuardians president Poor said we may never know for sure who was responsible for the Shadow Brokers leak, an incident that has been called “one of the worst security debacles ever to befall American intelligence.”  But one thing seems certain.

“I think it’s time that we state what we all know,” Poor said. “The Equation Group is Tailored Access Operations. It is the NSA.”

from
https://krebsonsecurity.com/2017/11/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/

Name+DOB+SSN=FAFSA Data Gold Mine

KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.

Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students.

Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.

Anyone who successfully supplies that information on a student who has applied for financial aid through FAFSA then gets to see a virtual colonoscopy of personal information on that individual and their family’s finances — including almost 200 different data elements.

The information returned includes all of these data fields:

1. Student’s Last Name:
2. Student’s First Name:
3. Student’s Middle Initial:
4. Student’s Permanent Mailing Address:
5. Student’s Permanent City:
6. Student’s Permanent State:
7. Student’s Permanent ZIP Code:
8. Student’s Social Security Number:
9. Student’s Date of Birth:
10. Student’s Telephone Number:
11. Student’s Driver’s License Number:
12. Student’s Driver’s License State:
13. Student’s E-mail Address:
14. Student’s Citizenship Status:
15. Student’s Alien Registration Number:
16. Student’s Marital Status:
17. Student’s Marital Status Date:
18. Student’s State of Legal Residence:
19. Was Student a Legal Resident Before January 1, 2012?
20. Student’s Legal Residence Date:
21. Is the Student Male or Female?
22. Register Student With Selective Service System?
23. Drug Conviction Affecting Eligibility?
24. Parent 1 Educational Level:
25. Parent 2 Educational Level:
26. High School or Equivalent Completed?
27a. Student’s High School Name:
27b. Student’s High School City:
27c. Student’s High School State:
28. First Bachelor’s Degree before 2017-2018 School Year?
29. Student’s Grade Level in College in 2017-2018:
30. Type of Degree/Certificate:
31. Interested in Work-study?
32. Student Filed 2015 Income Tax Return?
33. Student’s Type of 2015 Tax Form Used:
34. Student’s 2015 Tax Return Filing Status:
35. Student Eligible to File a 1040A or 1040EZ?
36. Student’s 2015 Adjusted Gross Income:
37. Student’s 2015 U.S. Income Tax Paid:
38. Student’s 2015 Exemptions Claimed:
39. Student’s 2015 Income Earned from Work:
40. Spouse’s 2015 Income Earned from Work:
41. Student’s Total of Cash, Savings, and Checking Accounts:
42. Student’s Net Worth of Current Investments:
43. Student’s Net Worth of Businesses/Investment Farms:
44a. Student’s Education Credits:
44b. Student’s Child Support Paid:
44c. Student’s Taxable Earnings from Need-Based Employment Programs:
44d. Student’s College Grant and Scholarship Aid Reported in AGI:
44e. Student’s Taxable Combat Pay Reported in AGI:
44f. Student’s Cooperative Education Earnings:
45a. Student’s Payments to Tax-Deferred Pensions & Retirement Savings:
45b. Student’s Deductible Payments to IRA/Keogh/Other:
45c. Student’s Child Support Received:
45d. Student’s Tax Exempt Interest Income:
45e. Student’s Untaxed Portions of IRA Distributions:
45f. Student’s Untaxed Portions of Pensions:
45g. Student’s Housing, Food, & Living Allowances:
45h. Student’s Veterans Noneducation Benefits:
45i. Student’s Other Untaxed Income or Benefits:
45j. Money Received or Paid on Student’s Behalf:
46. Student Born Before January 1, 1994?
47. Is Student Married?
48. Working on Master’s or Doctorate in 2017-2018?
49. Is Student on Active Duty in U.S. Armed Forces?
50. Is Student a Veteran?
51. Does Student Have Children He/She Supports?
52. Does Student Have Dependents Other than Children/Spouse?
53. Parents Deceased?/Student Ward of Court?/In Foster Care?
54. Is or Was Student an Emancipated Minor?
55. Is or Was Student in Legal Guardianship?
56. Is Student an Unaccompanied Homeless Youth as Determined by High School/Homeless Liaison?
57. Is Student an Unaccompanied Homeless Youth as Determined by HUD?
58. Is Student an Unaccompanied Homeless Youth as Determined by Director of Homeless Youth Center?
59. Parents’ Marital Status:
60. Parents’ Marital Status Date:
61. Parent 1 (Father’s/Mother’s/Stepparent’s) Social Security Number:
62. Parent 1 (Father’s/Mother’s/Stepparent’s) Last Name:
63. Parent 1 (Father’s/Mother’s/Stepparent’s) First Name Initial:
64. Parent 1 (Father’s/Mother’s/Stepparent’s) Date of Birth:
65. Parent 2 (Father’s/Mother’s/Stepparent’s) Social Security Number:
66. Parent 2 (Father’s/Mother’s/Stepparent’s) Last Name:
67. Parent 2 (Father’s/Mother’s/Stepparent’s) First Name Initial:
68. Parent 2 (Father’s/Mother’s/Stepparent’s) Date of Birth:
69. Parents’ E-mail Address:
70. Parents’ State of Legal Residence:
71. Were Parents Legal Residents Before January 1, 2012?
72. Parents’ Legal Residence Date:
73. Parents’ Number of Family Members in 2017-2018:
74. Parents’ Number in College in 2017-2018 (Parents Excluded):
75. Parents Received Medicaid or Supplemental Security Income?
76. Parents Received SNAP?
77. Parents Received Free/Reduced Price Lunch?
78. Parents Received TANF?
79. Parents Received WIC?
80. Parents Filed 2015 Income Tax Return?
81. Parents’ Type of 2015 Tax Form Used:
82. Parents’ 2015 Tax Return Filing Status:
83. Parents Eligible to File a 1040A or 1040EZ?
84. Is Parent a Dislocated Worker?
85. Parents’ 2015 Adjusted Gross Income:
86. Parents’ 2015 U.S. Income Tax Paid:
87. Parents’ 2015 Exemptions Claimed:
88. Parent 1 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
89. Parent 2 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
90. Parents’ Total of Cash, Savings, and Checking Accounts:
91. Parents’ Net Worth of Current Investments:
92. Parents’ Net Worth of Businesses/Investment Farms:
93a. Parents’ Education Credits:
93b. Parents’ Child Support Paid:
93c. Parents’ Taxable Earnings from Need-Based Employment Programs:
93d. Parents’ College Grant and Scholarship Aid Reported in AGI:
93e. Parents’ Taxable Combat Pay Reported in AGI:
93f. Parents’ Cooperative Education Earnings:
94a. Parents’ Payments to Tax-Deferred Pensions & Retirement Savings:
94b. Parents’ Deductible Payments to IRA/Keogh/Other:
94c. Parents’ Child Support Received:
94d. Parents’ Tax Exempt Interest Income:
94e. Parents’ Untaxed Portions of IRA Distributions:
94f. Parents’ Untaxed Portions of Pensions:
94g. Parents’ Housing, Food, & Living Allowances:
94h. Parents’ Veterans Noneducation Benefits:
94i. Parents’ Other Untaxed Income or Benefits:
95. Student’s Number of Family Members in 2017-2018:
96. Student’s Number in College in 2017-2018:
97. Student Received Medicaid or Supplemental Security Income?
98. Student Received SNAP?
99. Student Received Free/Reduced Price Lunch?
100. Student Received TANF?
101. Student Received WIC?
102. Is Student or Spouse a Dislocated Worker?
103a. First Federal School Code:
103b. First Housing Plans:
103c. Second Federal School Code:
103d. Second Housing Plans:
103e. Third Federal School Code:
103f. Third Housing Plans:
103g. Fourth Federal School Code:
103h. Fourth Housing Plans:
103i. Fifth Federal School Code:
103j. Fifth Housing Plans:
103k. Sixth Federal School Code:
103l. Sixth Housing Plans:
103m. Seventh Federal School Code:
103n. Seventh Housing Plans:
103o. Eighth Federal School Code:
103p. Eighth Housing Plans:
103q. Ninth Federal School Code:
103r. Ninth Housing Plans:
103s. Tenth Federal School Code:
103t. Tenth Housing Plans:
104. Date Completed:
105. Signed By:
106. Preparer’s Social Security Number:
107. Preparer’s Employer Identification Number (EIN):
108. Preparer’s Signature:

From an identity thief’s perspective, it seems like the only question missing from this list is, “What was the name of your first pet?” Seriously though, armed with this bounty of data identity thieves would likely have little trouble impersonating a student (or parents of a student) who had applied for federal financial aid.

According to the Education Department, nearly 20 million students filled out this form in the 2015/2016 application cycle.

What indications are there that ID thieves might already be aware of this personal data treasure trove? In March 2017, the Internal Revenue Service (IRS) disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid — citing evidence that identity thieves were abusing it to siphon data used to commit tax refund fraud with the IRS.

The IRS found that identity thieves were abusing the automated tool — which pulled data directly from the FAFSA Web site — in order to learn the adjusted gross income (AGI) of applicant families. The AGI is crucial to successfully filing a tax refund request in someone’s name at the IRS.

While the IRS’s tool is no longer online, this post shows how easy it remains for identity thieves to gather this same information directly from the FAFSA Web site.

Think it’s hard to find someone’s SSN and DOB? Think again. There are a multitude of Web sites on the open Internet and Dark Web alike that sell access to SSN and DOB data on hundreds of millions of Americans — all for the price of about $4-5 worth of Bitcoin.

Somehow, we need to move away from allowing online access to such a deep vein of consumer data just by supplying static data points that are broadly compromised in a thousand breaches and on sale very cheaply in the cybercrime underground.

Until that happens, anyone who is applying for federal student aid or has a child who applied should strongly consider taking several steps:

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

–Consider placing a “security freeze” on your credit files with the major credit bureaus. See this tutorial about why a security freeze — also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. Keep in mind that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name; the only real defense against that is to file your taxes as early as possible — before the fraudsters can do it for you.

–Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

from
https://krebsonsecurity.com/2017/11/namedobssnfafsa-data-gold-mine/

Correcting the Record on vDOS Prosecutions

KrebsOnSecurity recently featured a story about a New Mexico man who stands accused of using the now-defunct vDOS attack-for-hire service to hobble the Web sites of several former employers. That piece stated that I wasn’t aware of any other prosecutions related to vDOS customers, but as it happens there was a prosecution in the United Kingdom earlier this year of a man who’s admitted to both using and helping to administer vDOS. Here’s a look at some open-source clues that may have led to the U.K. man’s arrest.

Jack Chappell, outside of a court hearing in the U.K. earlier this year.

In early July 2017, the West Midlands Police in the U.K. arrested 19-year-old Stockport resident Jack Chappell and charged him with aiding the vDOS co-founders — two Israeli men who were arrested late year and charged with running the service.

Until its demise in September 2016, vDOS was by far the most popular and powerful attack-for-hire service, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most Web sites offline. vDOS made more than $600,000 in just two of the four years it was in operation, launching more than 150,000 attacks against thousands of victims (including this site).

For his part, Chappell was charged with assisting in attacks against Web sites for some of the world’s largest companies, including Amazon, BBC, BT, Netflix, T-Mobile, Virgin Media, and Vodafone, between May 1, 2015 and April 30, 2016.

At the end of July 2017, Chappell pleaded guilty to those allegations, as well as charges of helping vDOS launder money from customers wishing to pay for attacks with PayPal accounts.

A big factor in that plea was the leak of the vDOS attacks, customer support and payments databases to this author and to U.S. law enforcement officials in the fall of 2016. Those databases provided extremely detailed information about co-conspirators, paying customers and victims.

But as with many other cybercrime investigations, the perpetrator in this case appears to have been caught thanks to a combination of several all-too-common factors, including password re-use, an active presence on the sprawling English-language hacking community Hackforums, and domain names registered in his real name. In combination, these clues provide a crucial bridge between Chappell’s online and real-world identities.

A simple search at domaintools.com for the name Jack Chappell and “UK” returns a handful of results, including the domain fractal[dot]hf. That domain was registered in June 2015 to a Jack Chappell in Stockport, using the email address me@jackchappell.co[dot]uk [full disclosure: Domaintools is an advertiser on this site].

Neither domain is online anymore, but a Google search on fractal[dot]hf reveals several mentions of this site on Hackforums — a sprawling English-language forum that until very recently hosted the most bustling open-air market for competing attack-for-hire services.

According to a review of those Hackforums postings, fractal[dot]hf was a free service that allowed users to test the size and impact of any DDoS attack tool — displaying detailed graphs showing how much data a given attack tool could hurl at an intended target. Multiple forum members told interested users that fractal[dot]hf was owned and operated by a friendly and helpful Hackforums user named Fractal.

A screenshot of the user Fractal advertising his service for measuring the size of attacks. Fractal posted this graphic to illustrate the power of an IRC-based botnet that was being sold on Hackforums in mid-2015.

Perhaps unsurprisingly, there was a very active user on vDOS who went by the same Fractal nickname, using the password “HelloWorld1998” and email address smellyjelly01@gmail.com.

The above-mentioned domain Jackchappell.co[dot]uk appears in the leaked vDOS payments database, which states that a PayPal account tied to the email address “paypal@jackchappell.co[dot]uk” was one of several PayPal accounts used to launder customer payments for online attacks.

As noted in my June 2017 piece Following the Money Hobbled vDOS Attack-for-Hire Service, vDOS was forced to round-robin customer PayPal payments through a series of accounts after academic researchers began signing up for a variety of attack-for-hire services (including vDOS) and then reporting to PayPal the email addresses tied to accounts being used to receive payments.

The paypal@jackchappell.co[dot]uk address was linked to a vDOS user account called “portalKiller” which used the password “HelloWorld8991.” Note that this password is very similar to the one used by the vDOS user Fractal — only the numbers at the end of the password have been reversed (1998/8991).

Portalkiller changed his password several times during his time on vDOS, and one of the passwords he used was “Smith8991.” An Internet search on this password turns up an account in the user database that was hacked and posted online from a similar attack-for-hire service previously run by a hacker group known as the Lizard Squad. The email address tied to that account? Smellyjelly01@gmail.com.

From reviewing Fractal’s posts and reputation on Hackforums it appears that on Dec. 28, 2015 his account received praise and positive reputation points (similar to eBay’s user “feedback” system) from M30w and AppleJ4ck, the nicknames used by the alleged co-founders of vDOS.

Positive reputation points awarded to Chappell by the co-owners of vDOS, who used the aliases “M30W” and “AppleJ4ck.”

Comments in the leaked vDOS databases also suggest Chappell was for a time one of several trusted administrators and/or support personnel of the service. vDOS routinely banned accounts for members who shared their logins, or who logged on via virtual private network (VPN) services to anonymize their connections, but many members ignored this advice.

For example, in one support ticket dated March 13, 2016, a vDOS subscriber named “Bears” who had his account banned pleaded with the administrators to reactivate (or “unban”) his account.

“Hi jeremy pls unban hi p1st i love you hi AJ i love you hi fractal i love you hi whoever else is support is swagdaddy still support?” Bears pleads.

Ironically, both of Chappell’s accounts on vDOS — Fractal and portalKiller — were ultimately banned, the latter supposedly for flouting vDOS’s no-VPN restrictions. In one customer support ticket, portalKiller explains the reason for his use of a VPN: He routinely used a VPN so that he could tunnel his connection to the United States and watch the U.S. catalog of Netflix videos.

“Account Banned’,85801,’portalKiller’,’Hi, My account was banned a couple of days ago for logging in from a VPN. Let me explain, the 82.132.234.244 IP is not a VPN it is my mobile provider (O2), which is not a proxy/VPN. The second IP was a mistake I made, I logged out and logged back in from my normal IP (81.103.71.50) after I noticed my VPN was on (I use it for Netflix). I really want you to re-consider my ban. Thanks, portalKiller.”

Fractal also was eventually banned from using vDOS, although it’s less clear why that account was banished. Perhaps Chappell no longer offered the ability to help the other vDOS administrators launder funds, or maybe he had a falling out with M30W/p1st and AppleJ4ck.

Chappell did not respond to requests for comment. His sentencing has been delayed several times since his guilty plea; it is currently slated for December 2017.

Chappell’s guilty plea reminds me that there are many others who helped launder funds for vDOS that are in all likelihood similarly exposed. Stay tuned for more updates on that front.

from
https://krebsonsecurity.com/2017/11/correcting-the-record-on-vdos-prosecutions/

Fund Targets Victims Scammed Via Western Union

If you, a friend or loved one lost money in a scam involving Western Union, some or all of those funds may be recoverable thanks to a more than half-billion dollar program set up by the U.S. Federal Trade Commission.

In January 2017, Englewood, Colo.-based Western Union settled a case with the FTC and the Department of Justice wherein it admitted to multiple criminal violations, including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud. As part of the settlement, the global money transfer business agreed to forfeit $586 million.

Last week, the FTC announced that individuals who lost money to scammers who told them to pay via Western Union’s money transfer system between January 1, 2004 and January 19, 2017 can now file a claim to get their money back by going to FTC.gov/WU before February 12, 2018.

Scammers tend to rely on money transfer businesses like Western Union and MoneyGram because once the money is sent and picked up by the recipient the transaction is generally irreversible. Such scams include transfers made for fraudulent lottery and prizes, family emergencies, advance-fee loans, and online dating, among others.

Affected consumers can visit FTC.gov/WU to file claims, learn more, or get updates on the claims process, which could take up to a year. The graphic below seeks to aid victims in filing claims.

The FTC says some people who have already reported their losses to Western Union, the FTC, or another government agency will receive a form in the mail from the claims administrator, Gilardi & Co., which has been hired by the DOJ to return victims’ money as part of the settlement. The form will have a Claim ID and a PIN number to use when filing a claim online via FTC.gov/WU.

The agency emphasized that filing a claim is free, so consumers should not pay anyone to file a claim on their behalf. “No one associated with the claims process will call to ask for consumers’ bank account or credit card number,” the FTC advised.

This isn’t the first time a major money transfer business admitted to criminally facilitating wire fraud. In November 2012, MoneyGram International agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program.

from
https://krebsonsecurity.com/2017/11/fund-targets-victims-scammed-via-western-union/

R.I.P. root9B, We Hardly Knew Ya!

root9B, a company that many in the security industry consider little more than a big-name startup aimed at cashing in on the stock market’s insatiable appetite for cybersecurity firms, surprised no one this week when it announced it was ceasing operations at the end of the year.

Founded in 2011, Colorado Springs, Colo. based root9B Technologies touted itself as an IT security training firm staffed by an impressive list of ex-military leaders with many years of cybersecurity experience at the Department of Defense and National Security Agency (NSA). As it began to attract more attention from investors, root9B’s focus shifted to helping organizations hunt for cyber intruders within their networks.

By 2015, root9B was announcing lucrative cybersecurity contracts with government agencies and the infusion of millions from investors. The company’s stock was ballooning in price, reaching an all-time high in mid-May 2015.

That was just days after root9B issued a headline-grabbing report about how its cyber intelligence had single-handedly derailed a planned Russian cyber attack on several U.S. financial institutions.

The report, released May 12, 2015, claimed root9B had uncovered plans by an infamous Russian hacking group to target several banks. The company said the thwarted operation was orchestrated by Fancy Bear/Sofacy, a so-called “advanced persistent threat” (APT) hacking group known for launching sophisticated phishing attacks aimed at infiltrating some of the world’s biggest corporations.  root9B released its Q1 2015 earnings two days later, reporting record revenues.

On May 20, 2015, KrebsOnSecurity published a rather visceral dissection of that root9B report: Security Firm Redefines APT; African Phishing Threat. The story highlighted the thinness of the report’s claims, pointing to multiple contradictory findings by other security firms which suggested the company had merely detected several new phishing domains being erected by a comparatively low-skilled African phishing gang that was well-known to investigators and U.S. banks.

In mid-June 2015, an anonymous researcher who’d apparently done a rather detailed investigation into root9B’s finances said the company was “a worthless reverse-merger created by insiders with [a] long history of penny-stock wipeouts, fraud allegations, and disaster.”

That report, published by the crowd-sourced financial market research site SeekingAlpha.com, sought to debunk claims by root9B that it possessed “proprietary” cybersecurity hardware and software, noting that the company mainly acts as a reseller of a training module produced by a third party.

root9B’s stock price never recovered from those reports, and began a slow but steady decline after mid-2015. In Dec. 2016, root9B Technologies announced a reverse split of its issued and outstanding common stock, saying it would be moving to the NASDAQ market with the trading symbol RTNB and a new name — root9B Holdings. On January 18, 2017, a reshuffled root9B rang the market opening bell at NASDAQ, and got a bounce when it said it’d been awarded a five-year training contract to support the U.S. Defense Department.

The company’s founders remained upbeat even into mid-2017. On June 6, 2017 it announced that Michael Hayden, the four-star general who until recently served as director of the U.S. National Security Agency, had joined the company’s board.

On June 23, 2017, root9B issued a press release reminding everyone that the company had remained #1 on the Cybersecurity 500 for the 6th consecutive quarter. The Cybersecurity 500, by the way, rates cybersecurity firms based on their “branding and marketing.”

Nobody ever accused root9B of bad marketing. But all the press releases in the world couldn’t hide the fact that the company had never turned a profit. It lost more than $18.3 million in 2016, more than doubling a $8.03 million loss in 2015.

Since August 2017, shares of the company’s stock have fallen more than 90 percent. On Sept. 28, 2017, all of root9B’s assets were acquired by venture investment firm Tracker Capital Management LLC, and then sold at auction.

On Nov. 13, root9B Holdings issued a press release saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing operations at the end of this year. The statement seemed to emphasize there was nothing left for the firm’s creditors to pick over.

“With the absence of any operating assets remaining after the Foreclosure, the Company will cease any and all operations effective, December 31, 2017,” the (final?) root9B press release concludes.

The demise of root9B resonates loudly with that of Norse Corp., another flashy, imploded cybersecurity startup that banked heavily on attracting and touting top talent, while managing to produce very little that was useful to or actionable by anybody.

Companies like these are a reminder that your success or failure in business as in life is directly tied to what you produce — not what you promise or represent. There is no shortcut to knowledge, success or mastery, and this goes for infosec students as well as active practitioners of the craft. Focus on consistently producing quality, unique content and/or services that are of real value to others, and the rest will take care of itself.

from
https://krebsonsecurity.com/2017/11/r-i-p-root9b-we-hardly-knew-ya/

Adobe, Microsoft Patch Critical Cracks

It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.

Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.

Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).

Adobe issued patches to fix at least 62 security vulnerabilities in its products, including several critical bugs in Adobe Flash Player and Reader/Acrobat.  The Flash Player update brings the browser plugin to v. 27.0.0.187 on Windows, Mac, Linux and Chrome OS.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions ) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.

from
https://krebsonsecurity.com/2017/11/adobe-microsoft-patch-critical-cracks/

Wi-Fi Capacity Infographic

Learn tips and tricks for building a high-performance WLAN!

I teamed up with the great staff at Ekahau to put together this infographic about how to design and deploy high capacity Wi-Fi. It's the second poster in the series, following the Wi-Fi Design Poster that focused on radio frequency (RF) factors.

The Wi-Fi Capacity Infographic covers:

• An overview of airtime and why it is important
• Understanding the two primary factors affecting airtime:
  1. Airtime within a cell
  2. Airtime across cells
• Methods to maximize airtime efficiency to get the most out of your WLAN
• Channel inventory as it relates to capacity
• How client capabilities affect airtime consumption, and hence capacity, in a WLAN
• Factors to consider when selecting infrastructure to deploy
• Factors to consider with infrastructure placement and configuration
• Features available within Ekahau Site Survey to set you up for success

Download the Wi-Fi Capacity Infographic today!

from
http://www.revolutionwifi.net/revolutionwifi/2017/11/wi-fi-capacity-infographic

How to Opt Out of Equifax Revealing Your Salary History

A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy.

My original report showed how the salary history for tens of millions of employees at some of the world’s largest corporations was available to anyone armed with an employee’s Social Security number and date of birth — information that was stolen on 145.5 million Americans in the recent breach at Equifax.

Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX“) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”

Fast Company writer Joel Winston’s story examines how some 70,000 companies — including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart — actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history.

“A typical employee at Facebook (which also owns Instagram and WhatsApp) may require verification of his employment through TALX when he leases an apartment, updates his immigration status, applies for a loan or public aid, or applies for a new job,” Winston writes. “If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20.”

While this may sound like a nice and legitimate use of salary data, the point of my original report was that this salary data is also available to anyone who has the Social Security number and date of birth on virtually any person who once worked at a company that uses this Equifax service.

In May 2017, KrebsOnSecurity broke the story of how this same Equifax Workforce portal was abused for an entire year by identity thieves involved in tax refund fraud with the Internal Revenue Service. Fraudsters used SSN and DOB data to reset the 4-digit PINs given to customer employees as a password, and then steal W-2 tax data after successfully answering personal questions about those employees.

Curiously, Equifax claims they have no evidence that anyone was harmed as a result of the year-long pattern of tax fraud related to how easy it was to coax salary and payroll data out of its systems.

“We do not know of any specific fraud incidents linked with the Work Number,” Equifax spokeswoman Marisa Salcines told Fast Company.

This statement sounds suspiciously like what big-three credit bureau Experian told lawmakers in 2014 after they were hauled up to Capitol Hill to explain another breach that was scooped by KrebsOnSecurity: That a Vietnamese man who ran an identity theft service which catered to tax refund fraudsters had access for nine months to more than 200 million consumer records maintained by Experian.

Experian’s suits told lawmakers that no consumers were harmed even as the U.S. Secret Service was busy arresting customers of this identity theft service — nearly all of whom were involved in tax refund fraud and other forms of consumer ID theft.

Loyal readers here will know I have long urged consumers to opt out of letting the big credit bureaus resell your credit file to potential lenders (and, by proxy, to ID thieves), by placing a freeze on their credit files with the Equifax, Experian, Trans Union and Innovis.

In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.

As it happens, it is possible to opt out of having your salary data sold through Equifax. According to Equifax, this involves placing a free “freeze” on your file with the Work Number. These instructions on how to do that come verbatim from Equifax:

To place a security freeze on your The Work Number employment report, send
your request via mail to:

TALX Corporation
ATTN: Employment Data Report Dept 19-10
11432 Lackland Road
St. Louis, Missouri 63146

Or, you may contact us on the web at http://www.theworknumber.com or call 800-996-7566.

It’s not clear what may be the potential consequences of freezing your file with The Work Number. Fast Company explains the service and its giant database “helps streamline various processes for employers and other agencies, and it helps employees too, Equifax wrote in an emailed statement. The Work Number provides prospective landlords a way to verify an applicant’s income, for instance, or makes it cheaper for human resources departments to examine an applicant’s background.”

Here’s Equifax explaining why consumers might want to leave their files alone:

“Without the Work Number, a lender, property manager or pre-employment screener will call an employer and explain why they need to check on an employee or former employee’s employment or income. That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.”

Neither does the consumer have any control over to whom Equifax gives this data. I for one am taking my chances and freezing my salary data at Equifax. I’ll let you know how it goes.

Before you opt out, you may wish to see which lenders, credit agencies and other entities may have received or attempted to pull your Work Number salary history.

To request a free Employment Data Report, you’ll need to fill out a form at the Work Number website, or make a request by mail, or through a toll-free phone number (1-866-222-5880).

from
https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifax-revealing-your-salary-history/

Hack of Attack-for-Hire Service vDOS Snares New Mexico Man

A New Mexico man is facing federal hacking charges for allegedly using the now defunct attack-for-hire service vDOS to launch damaging digital assaults aimed at knocking his former employer’s Web site offline. Prosecutors were able to bring the case in part because vDOS got massively hacked last year, and its customer database of payments and targets leaked to this author and to the FBI.

Prosecutors in Minnesota have charged John Kelsey Gammell, 46, with using vDOS and other online attack services to hurl a year’s worth of attack traffic at the Web sites associated with Washburn Computer Group, a Minnesota-based company where Gammell used to work.

vDOS as it existed on Sept. 8, 2016.

vDOS existed for nearly four years, and was known as one of the most powerful and effective pay-to-play tools for launching distributed denial-of-service (DDoS) attacks. The vDOS owners used a variety of methods to power their service, including at least one massive botnet consisting of tens of thousands of hacking Internet of Things (IoT) devices, such compromised Internet routers and security cameras. vDOS also was used in numerous DDoS attacks against this site.

Investigators allege that although Gammell used various methods to hide his identity, email addresses traced back to him were found in the hacked user and target databases from vDOS.

More importantly, prosecutors say, someone began taunting Washburn via Yahoo and Gmail messages while the attacks were underway, asking how everything was going at the company and whether the IT department needed any help.

“Also attached to this second email was an image of a mouse laughing,” the Justice Department indictment (PDF) alleges. “Grand jury subpoenas for subscriber information were subsequently served on Google…and Yahoo. Analysis of the results showed information connecting both accounts to an individual named John Gammell. Both email addresses were created using the cell phone number 612-205-8609.”

The complaint notes that the government subpoenaed AT&T for subscriber information and traced that back to Gammell as well, but phone number also is currently listed as the recovery number for a Facebook account tied to John K. Gammell.

That Facebook account features numerous references to the hacker collective known as Anonymous. This is notable because according to the government Gammell used two different accounts at vDOS: One named “AnonCunnilingus” and another called “anonrooster.” The email addresses this user supplied when signing up at vDOS (jkgammell@gmail.com and jkgammell@icloud.com) include other addresses quite clearly tied to multiple accounts for John K. Gammell.

John K. Gammell’s Facebook account.

Below is a snippet from a customer service ticket that the AnonCunnilingus account filed in Aug. 2015

“Dear Colleagues, this is Mr. Cunnilingus. You underestimate your capabilities. Contrary to your statement of “Notice!” It appears from our review that you are trying to stress test a DDoS protected host, vDOS stresser is not capable of taking DDoS protected hosts down which means you will not be able to drop this hosting using vDOS stresser…As they do not have my consent to use my internet, after their site being down for two days, they changed their IP and used rackspace DDoS mitigation and must now be removed from cyberspace. Verified by downbyeveryone. We will do much business. Thank you for your outstanding product We Are Anonymous USA.”

Gammell has pleaded not guilty to the charges. He has not responded to requests for comment. The indictment states that Gammell allegedly attacked at least a half-dozen other companies over a year-long period between mid-2015 and July 2016, including several banks and two other companies at which he either previously worked or with whom he’d interviewed for a job.

In late July 2016, an anonymous security researcher reached out to KrebsOnSecurity to share a copy of the vDOS databases. The databases showed that vDOS made more than $600,000 in just two of the four years it was in operation, helping to launch more than 150,000 DDoS attacks.

Since then, two alleged co-owners of vDOS — two 19-year-old Israeli men —  have been arrested and charged with operating an attack-for-hire service. Aside from Gammell’s case, I am not aware of any other public cases involving the prosecution of people who allegedly used vDOS to conduct attacks.

But that will hopefully change soon, as there are countless clues about the identities of other high-volume vDOS users and their targets. Identifying the perpetrators in those cases should not be difficult because at some point vDOS stopped allowing users to log in to the service using a VPN, meaning many users likely logged into vDOS using an Internet address that can be traced back to them either via a home Internet or wireless account.

According to a review of the vDOS database, both accounts allegedly tied to Gammell were banned by vDOS administrators — either because he shared his vDOS username and password with another person, or because he logged on to the accounts with a VPN. Here’s a copy of a notice vDOS sent to AnonCunnilingus on July 28, 2015:

“Dear AnonCunnilingus , We have recently reviewed your account activity, and determined that you are in violation of vDos’s Terms of Service, It appears from our review that you have shared your account (or accessed vDos stresser from several locations and platforms) which is against our Terms of Services. Please refer to the following logs and terms:\n- AnonCunnilingus logged in using the following IPs: 64.145.76.110 (US), 85.10.210.199 (XX) date: 06-08-2015 18:05\n\n- 8) You are not allowed to access vDos stresser using a VPN/VPS/Proxy/RDP/Server Tunnelling and such.\n- 3) You may not share your account, if you will, your account will be closed without a warning or a refund!”

What’s most likely limiting prosecutors from pursuing more vDOS users is a lack of DDoS victims coming forward. In an advisory issued last month, the FBI urged DDoS victims to report the attacks.

The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident. Field office contacts can be identified at www.fbi.gov/contact-us/field. IC3 complaints should be filed at www.ic3.govwith the following details (if applicable):

• Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc)
  • Attempt to preserve netflow and/or packet capture of the attack
• Any extortion/threats pertaining to the DDoS attack
  • Save any such correspondence in its original, unforwarded format
• Victim information
• Overall losses associated with the DDoS attack
• If a ransom associated with the attack was paid, provide transaction details, the subject’s email address, and/or crypto currency wallet address
• Victim impact statement (e.g., impacted services/operations)
• IP addresses used in the DDoS attack

Related reading:

How Not to DDoS Your Former Employer

from
https://krebsonsecurity.com/2017/11/hack-of-attack-for-hire-service-vdos-snares-new-mexico-man/

DDoS-for-Hire Service Launches Mobile App

In May 2013 KrebsOnSecurity wrote about Ragebooter, a service that paying customers can use to launch powerful distributed denial-of-service (DDoS) attacks capable of knocking individuals and Web sites offline. The owner of Ragebooter subsequently was convicted in 2016 of possessing child pornography, but his business somehow lived on while he was in prison. Now just weeks after Poland made probation, a mobile version of the attack-for-hire service has gone up for sale on the Google Play store.

In the story Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor, I profiled then 19-year-old Justin D. Poland from Memphis — who admitted to installing code on his Ragebooter service that allowed FBI investigators to snoop on his customers.

Last February, Poland was convicted of one felony count of possession of child pornography, after investigators reportedly found 2,600 child pornography images on one of his computers. Before his trial was over, Poland skipped town but his bondsman later located him at his mother’s house. He was sentenced to two years in jail.

Poland did not respond to multiple requests for comment, but on his Facebook account Poland said the images belonged to his former roommate — David Starliper — who’d allegedly used Poland’s computer. Starliper also was convicted of possessing child pornography and sentenced to two years in prison.

In September 2017, Poland began posting on his Facebook account that he had made parole and was getting ready to be released from prison. On Oct. 6, the first version of the Android edition of Ragebooter was put on sale at Google’s Play Store.

The mobile version of Ragebooter.

Poland’s Facebook page says he is the owner of ragebooter[dot]com, ragebooter[dot]net, and another site called vmdeploy[net]. The advertisement for Ragebooter’s new mobile app on Google Play says the developer’s email address is contact@rageservices[dot]net. The registration details for rageservices[dot]net are hidden, but the Web site lists some useful contact details.

One of them is a phone number registered in Memphis — 901-219-3644 — that is tied to a Facebook account for an Alex Slovak in Memphis. The other domain Poland mentions on his Facebook page — vmdeploy[dot]net — was registered to an Alex Czech from Memphis. It seems likely that Alex has been running Ragebooter while Poland was in prison. Mr. Slovak/Czech did not respond to requests for comment, but it is clear from his Facebook page that he is friends with Poland’s family.

Rageservices[dot]net advertises itself as a store for custom programming and Web site development. Its content is identical to a site called QuantumServices. A small purchase through the rageservices[dot]net site for a simple program generated a response from Quantum Services and an email from quantumservicesweb@gmail.com. The person responding at that email address declined to give his or her name, but said they were not Justin Poland.

Figures posted to the home page of ragebooter[dot]net claim the service has been used to conduct more than 310,000 DDoS attacks. Memberships are sold in packages ranging from $3 per day to $300 a year for an “enterprise” plan. Ragebooter[dot]net includes a notice at the top of the site indicating that rageservices[dot]net is indeed affiliated with Ragebooter.

If Poland still is running Ragebooter, he may well be violating the terms of his parole. According to the FBI, the use of DDoS-for-hire services like Ragebooter is illegal.

In October the FBI released an advisory warning that the use of booter services — also called “stressers” — is punishable under the Computer Fraud and Abuse Act, and may result in arrest and criminal prosecution.

“Booter and stresser services are a form of DDoS-for-hire— advertised in forum communications and available on Dark Web marketplaces— offering malicious actors the ability to anonymously attack any Internet-connected target. These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency. Criminal actors running booter and stresser services sell access to DDoS botnets, a network of malware-infected computers exploited to make a victim server or network resource unavailable by overloading the device with massive amounts of fake or illegitimate traffic.”

from
https://krebsonsecurity.com/2017/11/ddos-for-hire-service-launches-mobile-app/

Simple Banking Security Tip: Verbal Passwords

There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.

Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this.

Even so, many institutions don’t properly train their customer support staff (or have high turnover in that department). This can allow clever and insistent crooks to coax customer service reps into validating the call with just the SSN and/or date of birth, or requiring the correct answers to so-called knowledge-based authentication (KBA) questions.

As noted in several stories here previously, identity thieves can reliably work around KBA because it involves answering  questions about things like previous loans, addresses and co-residents — information that can often be gleaned from online services or social media.

A few years ago, I began testing financial institutions that held our personal assets. I was pleasantly surprised to discover that most of them were happy to add a PIN or pass phrase to the account. But many of the customer service personnel at those institutions failed in their responses when I called in and said I didn’t remember the phrase and was there any other way they could verify that I was me?

Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested. Their customer service folks consistently asked the right questions, and weren’t interested in being much helpful otherwise (I’m not going to name the institution for obvious reasons).

Not sure whether your financial institution supports verbal passwords? Ask them. If they agree to set one up for you, take a moment or two over the next few days to call in and see if you can get the customer service folks at that institution to talk about your account without hearing that password.

While a great many people are willing to trade security for more convenience, it’s nice when those of us who are paranoid can opt-in for more security. A great, recent example of this is Google‘s optional “advanced protection” feature, which makes it much harder for password thieves to hack into your Gmail, Drive or other Google properties — even if the attackers already know your password.

“The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage,” writes Andy Greenberg for Wired. “Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.”

Greenberg continues:

“As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.”

Gartner fraud analyst Avivah Litan says she has long relied on verbal passwords for her most important accounts.

“I think a verbal password is a good step and definitely adds more security than does KBA built on top of heavily compromised credit bureau and life history data,” Litan said. Plus it’s free and convenient.  It’s of course not perfect and consumers should try to use verbal passwords that are unique for them and which they don’t use for online passwords —  in case the latter have been compromised by hackers.”

Verbal passwords should not be confused with voice biometrics, a technology some financial institutions are now adopting that can help authenticate customers while profiling and blocking fraudsters who repeatedly call in to customer service representatives. Even if your institution offers voice biometrics, adding a verbal password/passphrase is still a good idea.

Julie Conroy, research director at market research firm Aite Group, said financial institutions are still very concerned about putting up too many hurdles for good customers, so many are treading lightly on verbal passwords.

“Many FIs are moving in the direction of not just asking for the password, but also behind the scenes they are performing analysis of the call characteristics as well as the consumer’s voice print,” Conroy said.

Have you asked your financial institution(s) to add a unique verbal password/passphrase for your most important accounts? If so, sound off about your experience in the comments below.

from
https://krebsonsecurity.com/2017/11/simple-banking-security-tip-verbal-passwords/

2nd Breach at Verticalscope Impacts 25M

For the second time in as many years, hackers have compromised Verticalscope.com, a Canadian company that manages hundreds of popular Web discussion forums totaling more than 45 million user accounts. Evidence of the breach was discovered just before someone began using that illicit access as a commercial for a new paid search service that indexes consumer information exposed in corporate data breaches.

Toronto-based Verticalscope runs a network of sites that cater to automotive, pets, sports and technology markets. Verticalscope acknowledged in June 2016 that a hacking incident led to the siphoning of 45 million user accounts. Now, it appears the company may have been hit again, this time in a breach involving at least 25 million user accounts.

On Thursday, KrebsOnSecurity was contacted by Alex Holden, a security researcher and founder of Hold Security. Holden saw evidence of hackers selling access to Verticalscope.com and to a host of other sites operated by the company.

Holden said at first he suspected someone was merely trying to resell data stolen in the 2016 breach. But that was before he contacted one of the hackers selling the data and was given screen shots indicating that Verticalscope.com and several other properties were in fact compromised with a backdoor known as a “Web shell.”

A backdoor “Web shell” discovered on Verticalscope.com this week.

With a Web shell installed on a site, anyone can remotely administer the site, upload and delete content at will, or dump entire databases of information — such as usernames, passwords, email addresses and Internet addresses associated with each account.

Holden said the intruders obfuscated certain details in the screenshots that gave away exactly where the Web shells were hidden on Verticalscope.com, but that they forgot to blur out a few critical details — allowing him to locate at least two backdoors on Veriticalscope’s Web site. He also was able to do the same with a second screen shot the hackers shared which showed a similar backdoor shell on Toyotanation.com, one of Verticalscope’s most-visited forums.

Reached for comment about the claims, Verticalscope said the company had detected an intrusion on six of its Web sites, including Toyotanation.com.

“The intrusion granted access to each individual website files,” reads a statement shared Verticalscope. “Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access.”

Verticalscope said the other forums impacted included Jeepforum.com — the company’s second most-popular site with 9.3 million users; and watchuseek.com, a forum for wristwatch enthusiast which claims more than 12 million users.

Verticalscope admitted a breach in 2016 after their forum users’ data was outed in a blog post on Leakedsource.com, a now-defunct service that sold access to username and password details stolen in some of history’s largest data breaches.

An Internet search on one of the compromised Verticalscope domains leads to a series of now-deleted Pastebin posts suggesting that the individual(s) responsible for this hack may be trying to use it to advertise a legally dicey new online service called LuiDB.

Similar to Leakedsource, LuiDB allows registered users to search for account details associated with any data element compromised in a breach — such as login, password, email, first/last name and Internet address. The first search is free, but viewing results requires purchasing a subscription for between $5 and $400 in Bitcoin.

The various subscription packages sold by LuiDB, payable in Bitcoin.

People who re-use passwords across multiple Web sites tend to be those hardest-hit by these breaches, and by these dodgy password lookup services. It may not seem like a big deal if someone chooses to re-use the same password across a range of sites that don’t ask for or store your personal data, such as discussion forums. The problem is that this encourages poor password habits, and for many folks this eventually results in using that forum password at more important sites that do store sensitive data.

In practice, there’s no reason people should ever re-use the same password. Password managers can help users pick and remember unique, strong passwords for all sites that require a login; all the user needs to do is remember a single “master password” to unlock all the others. Old schoolers like Yours Truly tend to stick to local password managers like Keepass (or even PwdSafe), although many folks I admire in the security industry rely heavily on cloud-based password managers like LastPass and Dashlane.

While few online discussion forums offer two-factor or multi-factor authentication (requiring you to log in using a password and a one-time code, e.g.), a great many services do offer this very effective security measure. Check out twofactorauth.org to see if there are online services you use that could be furthered hardened by turning on two-factor authentication.

from
https://krebsonsecurity.com/2017/11/2nd-breach-at-verticalscope-impacts-25m/