Friday, October 27, 2017

Fear the Reaper, or Reaper Madness?

Last week we looked at reports from China and Israel about a new “Internet of Things” malware strain called “Reaper” that researchers said infected more than a million organizations by targeting newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs). Now some botnet experts are calling on people to stop the “Reaper Madness,” saying the actual number of IoT devices infected with Reaper right now is much smaller.

Arbor Networks said it believes the size of the Reaper botnet currently fluctuates between 10,000 and 20,000 bots total. Arbor notes that this can change any time.

Reaper was based in part on “Mirai,” IoT malware code designed to knock Web sites offline in high-powered data floods, and an IoT malware strain that powered most of the largest cyberattacks of the past year. So it’s worrisome to think someone may have just built an army of a million IoT drones that could be used in crippling, coordinated assaults capable of wiping most networks offline.

If criminals haven’t yet built a million-strong botnet using the current pool of vulnerable devices, they certainly have the capacity to do so.

“An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet,” Arbor’s ASERT team wrote, explaining that the coders may have intentionally slowed the how quickly the malware can spread to keep it quiet and under the radar.

Arbor says Reaper is likely being built to serve as the machine powering a giant attack-for-hire service known as a “booter” or “stresser” service.

“Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market,” Arbor wrote. “Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.”

On Thursday I asked Israeli cybersecurity firm Check Point — the source of the one-million Reaper clones claim — about how they came up with the number of a million infected organizations.

Check Point said it knows of over 30,000 infected devices that scanned for additional vulnerable devices.

“We had a prism into these attacks from a data set that only contains a few hundreds of networks, out of which 60% were being scanned,” said Maya Horowitz, a group manager in the threat intelligence division of Check Point. “Thus we assume that the numbers globally are much higher, in at least 1 order of magnitude.”

Reaper borrows programming code from Mirai. But unlike Mirai, which infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products. About half of those vulnerabilities were discovered only in the past few months, and so a great many devices likely remain unpatched against Reaper.

Chinese cybersecurity firm Netlab 360, which published its own alert on Reaper shortly after Check Point’s advisory, issued a revised post on Oct. 25 stating that the largest gathering of Reaper systems it has seen by a single malware server is 28,000. Netlab’s original blog post has links to patches for the nine security flaws exploited by Reaper.



from
https://krebsonsecurity.com/2017/10/fear-the-reaper-or-reaper-madness/

Wednesday, October 25, 2017

Dell Lost Control of Key Customer Support Domain for a Month in 2017

A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned.

There is a program installed on virtually all Dell computers called “Dell Backup and Recovery Application.” It’s designed to help customers restore their data and computers to their pristine, factory default state should a problem occur with the device. That backup and recovery program periodically checks a rather catchy domain name — DellBackupandRecoveryCloudStorage.com — which until recently was central to PC maker Dell’s customer data backup, recovery and cloud storage solutions.

Sometime this summer, DellBackupandRecoveryCloudStorage.com was suddenly snatched away from a longtime Dell contractor for a month and exposed to some questionable content. More worryingly, there are signs the domain may have been pushing malware before Dell’s contractor regained control over it.

Image: Wikipedia

The purpose of DellBackupandRecoveryCloudStorage.com is inscribed in the hearts of countless PCs that Dell shipped customers over the past few years. The domain periodically gets checked by the “Dell Backup and Recovery application,” which “enables the user to backup and restore their data with just a few clicks.”

This program comes in two versions: Basic and Premium, explains “Jesse L,” a Dell customer liaison and a blogger on the company’s site.

“The Basic version comes pre-installed on all systems and allows the user to create the system recovery media and take a backup of the factory installed applications and drivers,”Jesse L writes. “It also helps the user to restore the computer to the factory image in case of an OS issue.”

Dell customer liaison Jesse L. talks about how the program in question is by default installed on all Dell PCs.

In other words: If DellBackupandRecoveryCloudStorage.com were to fall into the wrong hands it could be used to foist malicious software on Dell users seeking solace and refuge from just such nonsense!

It’s not yet clear how or why DellBackupandRecoveryCloudStorage.com got away from SoftThinks.com —  an Austin, Tex.-based software backup and imaging solutions provider that originally registered the domain back in mid-2013 and has controlled it for most of the time since. But someone at SoftThinks apparently forgot to renew the domain in mid-June 2017.

SoftThinks lists Dell among some of its “great partners” (see screenshot below). It hasn’t responded to requests for comment. Some of its other partners include Best Buy and Radio Shack.

Some of SoftThinks’ partners. Source: SoftThinks.com

From early June to early July 2017, DellBackupandRecoveryCloudStorage.com was the property of Dmitrii Vassilev of  TeamInternet.com,” a company listed in Germany that specializes in selling what appears to be typosquatting traffic. Team Internet also appears to be tied to a domain monetization business called ParkingCrew.

If you’re not sure what typosquatting is, think of what sometimes happens when you’re typing out a URL in the browser’s address field and you fat-finger a single character and suddenly get redirected to the kind of content that makes you look around quickly to see if anyone saw you looking at it. For more on Team Internet, see this enlightening Aug. 2017 post from Chris Baker at internet infrastructure firm Dyn. 

It could be that Team Internet did nothing untoward with the domain name, and that it just resold it or leased it to someone who did. But approximately two weeks after Dell’s contractor lost control over the domain, the server it was hosted on started showing up in malware alerts.

That’s according to Celedonio Albarran, assistant vice president of IT infrastructure and security at Equity Residential, a real estate investment trust that invests in apartments.

Albarran said Equity is responsible for thousands of computers, and that several of those machines in late June tried to reach out to DellBackupandRecoveryCloudStorage.com but were prevented from doing so because the Internet address tied to the domain was new and because that address had been flagged by two security firms as pushing malicious software.

On that particular day, anyone visiting DellBackupandRecoveryCloudStorage.com simultaneously would have been heading to the Internet address 54-72-9-51 (I’ve replaced the dots with dashes for safety reasons). Albarran said the first alert came on June 28 from a security tool from Rapid7 that flagged a malware detection on that Internet address.

Another anti-malware product Equity Residential uses is Carbon Black, which on June 28 detected a reason why a Dell computer within the company shouldn’t be able to visit dellbackupandrecoverycloudstorage.com. According to Albarran, that second alert was generated by Abuse.ch, a Swiss infrastructure security company and active anti-abuse advocate.

This Carbon Black log shows dellbackupandrecoverycloudstorage.com reaching out to a nasty Internet address on June 28, 2017.

The domain’s host appears to have been flagged by Abuse.ch’s Ransomware Tracker, which is a running list of Internet addresses and domains that have a history of foisting ransomware — a threat that encrypts your files with tough-to-crack encryption, and then makes you pay for a key to unlock the files.

Albarran told KrebsOnSecurity that his company was never able to find any evidence that computers on its networks that were beaconing home to DellBackupandRecoveryCloudStorage.com had any malware installed as a result of the traffic. But he said his systems were blocked from visiting the domains on June 28, 2017, and that his employer immediately notified Dell of the problem.

“A few weeks after that they confirmed they fixed the issue,” Albarran said. “They just acknowledged the issue and said it was fixed, but they didn’t offer any comment besides that.”

AlienVault‘s Open Threat Exchange says the Internet address that was assigned to DellBackupandRecoveryCloudStorage.com in late June is an Amazon server which is “actively malicious” (even today), categorizing it as an address known for spamming.

Reached for comment about the domain snafu, Dell spokesperson Ellen Murphy shared the following statement:

“A domain as part of the cloud backup feature for the Dell Backup and Recovery (DBAR) application, www.dellbackupandrecoverycloudstorage.com, expired on June 1, 2017 and was subsequently purchased by a third party. The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed. Dell discontinued the Dell Backup and Recovery application in 2016.”

I have asked Dell for more information about this incident, such as whether the company knows if any customers were harmed as a result of this rather serious oversight. I’ll update this story in the event that I hear back from Dell.

This is not the first time the failure to register a domain name caused a security concern for a company that should be very concerned about security. Earlier this month, experts noticed that the Web sites for credit bureaus Trans Union and Equifax were both redirecting browsers to popup ads that tried to disguise adware and spyware as an update for Adobe Flash Player.

The spyware episodes at Equifax’s and Trans Union’s Web sites were made possible because both companies outsourced e-commerce and digital marketing to Fireclick, a now-defunct digital marketing product run by Digital River. Fireclick in turn invoked a domain called Netflame.cc. But according to an Oct. 13 story in The Wall Street Journal, Netflame’s registration “was released in October 2016, three months after Digital River ended support for Fireclick as part of an ‘ongoing domain cleanup.'”

The problem with the Dell customer support domain name comes as Dell customers continue to complain of being called by scammers pretending to be Dell tech support specialists. In many cases, the callers will try to make their scams sound more convincing by reading off the unique Dell “service tag” code printed on each Dell customer’s PC or laptop.

How can scammers have all this data if Dell’s service and support system isn’t compromised, many Dell customers have asked? And still ask: I’ve had three readers quiz me about these Dell service tag scams in the past week alone. Dell continues to be silent on what may be going on with the service tag scams, and has urged Dell customers targeted by such scams to report them to the company.



from
https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/

Monday, October 23, 2017

Reaper: Calm Before the IoT Security Storm?

It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks.

Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware — variously named “Reaper” and “IoTroop” — that spreads via security holes in IoT software and hardware. And there are indications that over a million organizations may be affected already.

Reaper isn’t attacking anyone yet. For the moment it is apparently content to gather gloom to itself from the darkest reaches of the Internet. But if history is any teacher, we are likely enjoying a period of false calm before another humbling IoT attack wave breaks.

On Oct. 19, 2017, researchers from Israeli security firm CheckPoint announced they’ve been tracking the development of a massive new IoT botnet “forming to create a cyber-storm that could take down the Internet.” CheckPoint said the malware, which it called “IoTroop,” had already infected an estimated one million organizations.

The discovery came almost a year to the day after the Internet witnessed one of the most impactful cyberattacks ever — against online infrastructure firm Dyn at the hands of “Mirai,” an IoT malware strain that first surfaced in the summer of 2016. According to CheckPoint, however, this new IoT malware strain is “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”

Unlike Mirai — which wriggles into vulnerable IoT devices using factory-default or hard-coded usernames and passwords — this newest IoT threat leverages at least nine known security vulnerabilities across nearly a dozen different device makers, including AVTECH, D-Link, GoAhead, Netgear, and Linksys, among others (click each vendor’s link to view security advisories for the flaws).

This graphic from CheckPoint charts a steep, recent rise in the number of Internet addresses trying to spread the new IoT malware variant, which CheckPoint calls “IoTroop.”

Both Mirai and IoTroop are computer worms; they are built to spread automatically from one infected device to another. Researchers can’t say for certain what IoTroop will be used for but it is based at least in part on Mirai, which was made to launch distributed denial of service (DDoS) attacks.

While DDoS attacks target a single Web site or Internet host, they often result in widespread collateral Internet disruption. IoT malware spreads by scanning the Internet for other vulnerable devices, and sometimes this scanning activity is so aggressive that it constitutes an unintended DDoS on the very home routers, Web cameras and DVRs that the bot code is trying to subvert and recruit into the botnet.

However, according to research released Oct. 20 by Chinese security firm Netlab 360, the scanning performed by the new IoT malware strain (Netlab calls it the more memorable “Reaper”) is not very aggressive, and is intended to spread much more deliberately than Mirai. Netlab’s researchers say Reaper partially borrows some Mirai source code, but is significantly different from Mirai in several key behaviors, including an evolution that allows Reaper to more stealthily enlist new recruits and more easily fly under the radar of security tools looking for suspicious activity on the local network.

WARNING SIGNS, AND AN EVOLUTION

Few knew or realized it at the time, but even before the Mirai attacks commenced in August 2016 there were ample warning signs that something big was brewing. Much like the seawater sometimes recedes hundreds of feet from its normal coastline just before a deadly tsunami rushes ashore, cybercriminals spent the summer of 2016 using their state-of-the-art and new Mirai malware to siphon control over poorly-secured IoT devices from other hackers who were using inferior IoT malware strains.

Mirai was designed to wrest control over systems infected with variants of an early IoT malware contagion known as “Qbot” — and it did so with gusto immediately following its injection into the Internet in late July 2016. As documented in great detail in “Who Is Anna Senpai, the Mirai Worm Author?“, the apparent authors of Mirai taunted the many Qbot botmasters in hacker forum postings, promising they had just unleashed a new digital disease that would replace all Qbot infected devices with Mirai.

Mirai’s architects were true to their word: their creation mercilessly seized control over hundreds of thousands of IoT devices, spreading the disease globally and causing total extinction of Qbot variants. Mirai had evolved, and Qbot went the way of the dinosaurs.

On Sept. 20, 2016, KrebsOnSecurity.com was hit with a monster denial-of-service attack from the botnet powered by the first known copy of Mirai. That attack, which clocked in at 620 Gbps, was almost twice the size that my DDoS mitigation firm at the time Akamai had ever mitigated before. They’d been providing my site free protection for years, but when the Mirai attackers didn’t go away and turned up the heat, Akamai said the attack on this site was causing troubles for its paying customers, and it was time to go.

Thankfully, several days later Google brought KrebsOnSecurity into the stable of journalist and activist Web sites that qualify for its Project Shield program, which offers DDoS protection to newsrooms and Web sites facing various forms of online censorship.

The same original Mirai botnet would be used to launch a huge attack — over one terabit of data per second — against French hosting firm OVH. After the media attention paid to this site’s attack and the OVH assault, the Mirai authors released the source code for their creation, spawning dozens of copycat Mirai clones that all competed for the right to infest a finite pool of vulnerable IoT devices.

Probably the largest Mirai clone to rise out of the source code spill was used in a highly disruptive attack on Oct. 20, 2016 against Internet infrastructure giant Dyn (now part of Oracle). Some of the Internet’s biggest destinations — including Twitter, SoundCloud, Spotify and Reddit — were unreachable for large chunks of time that day because Mirai targeted a critical service that Dyn provides these companies.

A depiction of the outages caused by the Mirai attacks on Dyn, an Internet infrastructure company. Source: Downdetector.com.

[AUTHOR’S NOTE: Some people believe that the Dyn attack was in retribution for information presented publicly hours before the attack by Dyn researcher Doug Madory. The talk was about research we had worked on together for a story exploring the rather sketchy history of a DDoS mitigation firm that had a talent for annexing Internet address space from its neighbors in a personal grudge match between that mitigation firm and the original Mirai authors and botmasters.]

It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at Internet pressure points. Attacks like these can cause widespread Internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless Internet users.

It’s critical to observe that Reaper may not have been built for launching DDoS attacks: A global network of millions of hacked IoT devices can be used for a variety of purposes — such as serving as a sort of distributed proxy or anonymity network — or building a pool of infected devices that can serve as jumping-off points for exploring and exploiting other devices within compromised corporate networks.

“While some technical aspects lead us to suspect a possible connection to the Mirai botnet, this is an entirely new campaign rapidly spreading throughout the globe,” CheckPoint warns. “It is too early to assess the intentions of the threat actors behind it, but it is vital to have the proper preparations and defense mechanisms in place before an attack strikes.”

AND THE GOOD NEWS IS?

There have been positive developments on the IoT security front: Two possible authors of Mirai have been identified (if not yet charged), and some of Mirai’s biggest botmasters have been arrested and sentenced.

Some of the most deadly DDoS attack-for-hire services on the Internet were either run out of business by Mirai or have been forcibly shuttered in the past year, including vDOS — one of the Internet’s longest-running attack services. The alleged providers of vDOS — two Israeli men first outed by KrebsOnSecurity after their service was massively hacked last year — were later arrested and are currently awaiting trial in Israeli for related cybercrime charges.

Using a combination of arrests and interviews, the FBI and its counterparts in Europe have made it clear that patronizing or selling DDoS-for-hire services — often known as “booters” or “stressers” — is illegal activity that can land violators in jail.

The front page of vDOS, when it was still online last year. vDOS was powered by an IoT botnet similar to Mirai and Reaper.

Public awareness of IoT security is on the rise, with lawmakers in Washington promising legislative action if the tech industry continues to churn out junky IoT hardware that is the Internet-equivalent of toxic waste.

Nevertheless, IoT device makers continue to ship products with either little to no security turned on by default or with ill-advised features which can be used to subvert any built-in security.

WHAT YOU CAN DO

According to Netlab, about half of the security vulnerabilities exploited by Reaper were first detailed in just the past few months, suggesting there may be a great number of unpatched and vulnerable systems in real danger from this new IoT malware strain.

Check to make sure your network isn’t part of the problem: Netlab’s advisory links to specific patches available by vendor, as well as indicators of compromise and the location of various Reaper control networks. CheckPoint’s post breaks down affected devices by version number but doesn’t appear to include links to security advisories or patches.

Please note that many of the affected devices are cameras or DVRs, but there also are quite a few consumer wired/wireless routers listed here (particularly for D-Link and Linksys devices).

A listing of known IoT device vulnerabilities targeted by Reaper. Source: Netlab 360 blog.

One incessant problem with popular IoT devices is the inclusion of peer-to-peer (P2P) networking capability inside countless security cameras, DVRs and other gear. Jake Reynolds, a partner and consultant at Kansas City, Mo.-based Depth Security, published earlier this month research on a serious P2P weakness built into many FLIR/Lorex DVRs and security cameras that could let attackers remotely locate and gain access to vulnerable systems that otherwise are not directly connected to the Internet (FLIR’s updated advisory and patches are here).

In Feb. 2016, KrebsOnSecurity warned about a similar weakness powering the P2P component embedded in countless security cameras made by Foscam. That story noted that while the P2P component was turned on by default, disabling it in the security settings of the device did nothing to actually turn off P2P communications. Being able to do that was only possible after applying a firmware patch Foscam made available after users started complaining. My advice is to stay away from products that advertise P2P functionality.

Another reason IoT devices are ripe for exploitation by worms like Reaper and Mirai is that vendors infrequently release security updates for their firmware, and when they do there’s often no easy method available to notify users. Also, these updates are notoriously hard to do and easy to screw up, often leaving the unwary and unlearned with an oversized paperweight after a botched firmware update. So if it’s time to update your device, do it slowly and carefully.

What’s interesting about Reaper is that it is currently built to live harmoniously with Mirai. It’s not immediately clear whether the two IoT malware strains compete for any of the same devices, although some overlaps are bound to occur — particularly as the Reaper authors add new functionality and spreading mechanisms (both Netlab and Checkpoint say the Reaper code appears to be a work-in-progress).

That new Reaper functionality could well include the ability to seek out and supplant Mirai infections (much like Mirai did with Qbot), which would help Reaper to grow to even more terrifying numbers.

No matter what innovation Reaper brings, I’m hopeful that the knowledge being shared within the security community about how to defend against the Mirai attacks today will prove useful in ultimately helping to blunt any attacks from Reaper tomorrow. <Fingers crossed>

Speaking of calms before storms, KrebsOnSecurity.com soon will get its first major facelift since its inception in Dec. 2009. The changes are more structural than cosmetic; we’re striving to make the site more friendly to mobile devices, while maintaining the simple, almost minimalist look and feel of this site. I’ll make another announcement as we get closer to the switch (just so everyone doesn’t freak out and report the site’s been hacked).



from
https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/

Monday, October 16, 2017

What You Should Know About the ‘KRACK’ WiFi Security Weakness

Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

wifi

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” reads a statement published today by a Wi-Fi industry trade group. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

Sounds great, but in practice a great many products on the CERT list are currently designated “unknown” as to whether they are vulnerable to this flaw. I would expect this list to be updated in the coming days and weeks as more information comes in.

Some readers have asked if MAC address filtering will protect against this attack. Every network-capable device has a hard-coded, unique “media access control” or MAC address, and most Wi-Fi routers have a feature that lets you only allow access to your network for specified MAC addresses.

However, because this attack compromises the WPA2 protocol that both your wireless devices and wireless access point use, MAC filtering is not a particularly effective deterrent against this attack. Also, MAC addresses can be spoofed fairly easily.

To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.

I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw. Those tools may emerge sooner rather than later, so if you’re super concerned about this attack and updates are not yet available for your devices, perhaps the best approach in the short run is to connect any devices on your network to the router via an ethernet cable (assuming your device still has an ethernet port).

From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.

If you discover from browsing the CERT advisory that there is an update available or your computer, wireless device or access point, take care to read and understand the instructions on updating those devices before you update. Failing to do so with a wireless access point, for example can quickly leave you with an expensive, oversized paperweight.

Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site — regardless of whether this is the default for that site.

For those interested in a deeper dive on the technical details of this attack, check out the paper (PDF) released by the researchers who discovered the bug.



from
https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/

WPA2 KRACK Vulnerability, Getting Information

I'm sure everyone who does anything with networking or Wi-Fi has heard about the announced WPA2 KRACK vulnerability. I won't go into depth with my opinion on it. I'd just like to start a collection of useful information in one single place.

First, the security researcher's website on the attack details:
https://www.krackattacks.com/

Second, read this good analysis by Aruba Networks as well as their associated FAQ:
Blog: http://community.arubanetworks.com/t5/Technology-Blog/WPA2-Key-Reinstallation-Attacks/ba-p/310045
FAQ: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

Third, here's the US-CERT page collecting information on vendor's affected:
http://www.kb.cert.org/vuls/id/228519

Finally, patching systems will be important over the coming hours/days/weeks/(what you take longer than a week or two to patch?!?). Client systems are the most affected, but infrastructure systems also have a few related issues requiring patching too. Here are some helpful manufacturer pages to keep an eye on for updates:

Wi-Fi client manufacturers:

Wi-Fi infrastructure manufacturers:

 

Cheers,
Andrew



from
http://www.revolutionwifi.net/revolutionwifi/2017/10/wpa2-krack-vulnerability-getting-information

Krebs Given ISSA’s ‘President’s Award’

KrebsOnSecurity was honored this month with the 2017 President’s Award for Public Service from the Information Systems Security Association, a nonprofit organization for cybersecurity professionals. The award recognizes an individual’s contribution to the information security profession in the area of public service.

issalogo

It’s hugely gratifying to have received this award, mainly because of the company I now keep.

Past ISSA President’s Award winners include former White House cybersecurity advisers Richard A. Clarke (2003) and the late Howard Schmidt (2016); DEF CON and Black Hat founder Jeff Moss (2011); Hacking Exposed authors George Kurtz, Stuart McClure and Joel Scambray (2015); as well as Liam O’Murchu, Eric Chien, and Nicolas Falliere, the team at Symantec credited for their groundbreaking analysis of the Stuxnet Worm (2012).

“[Krebs’] analysis of the bad actors and the dark web shines a light on the criminals and their methods that attack information security,” the ISSA said in explaining the award. “The information that he exposes to the light of day makes the jobs of white hats and blue teamers easier.”

I’m very grateful to the ISSA for this award, and wish a hearty congratulations to the other ISSA 2017 award recipients.



from
https://krebsonsecurity.com/2017/10/krebs-given-issas-presidents-award/

Thursday, October 12, 2017

Equifax Credit Assistance Site Served Spyware

Big-three consumer credit bureau Equifax says it has removed third-party code from its credit report assistance Web site that prompted visitors to download spyware disguised as an update for Adobe’s Flash Player software.

Image: Randy-abrams.blogspot.com

Image: Randy-abrams.blogspot.com

On Wednesday, security expert and blogger Randy Abrams documented how browsing a page at Equifax’s consumer information services portal caused his browser to be served with a message urging him to download Adobe Flash Player.

“As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL,” Abrahms wrote. “The URL brought up one of the ubiquitous fake Flash Player Update screens. ”

Ars Technica’s Dan Goodin was the first to cover the discovery, and said the phony Flash Player installer was detected by several antivirus tools as “Adware.Eorezo,” an intrusive program that displays advertisements in Internet Explorer and may install browser toolbars and other unwanted programs.

Several hours after Goodin’s piece went live, Equifax disabled the page in question, saying it was doing so out of “an abundance of caution” while it investigated the claims.

In a follow-up statement shared with KrebsOnSecurity this afternoon, however, Equifax said the problem stemmed from a “third-party vendor that Equifax uses to collect website performance data,” and that “the vendor’s code running on an Equifax Web site was serving malicious content.” Equifax did not say who the third party vendor was.

“Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” reads the statement. “Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.”

That closing line of Equifax’s statement may do little to assuage a public that has grown increasingly weary of Equifax’s various security and public relations failures since it announced on Sept. 7, 2017 that hackers broke into the company’s servers and stole Social Security numbers and other sensitive data on more than 145 million Americans.

On Sunday, KrebsOnSecurity published a story warning that Equifax’s payroll and tax administration site made it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax. Equifax disabled that service just hours after the story ran, replacing it with a message stating the site was under maintenance. Four days later, that site remains offline.



from
https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/

Hyatt Hotels Suffers 2nd Card Breach in 2 Years

Hyatt Corp. is alerting customers about another credit card breach at some hotels, the second major incident with the hospitality chain in as many years.

hyattHyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017.

“Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities,” the company said in a statement. “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates.

The hotel chain said the incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.

In late 2015, Hyatt announced that for about four months that year hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Only five of the Hyatt properties affected in this most recent breach included U.S. locations, including three resorts in Hawaii and one each in Guam and Puerto Rico.

The nation with the largest number of Hyatt properties impacted was China (18). The company has published a list of the affected hotels here.

Each time one of these breach stories breaks, I hear from a number of readers who say they believe their cards were impacted based on some fraudulent activity on their cards. One thing I try to stress to those readers is that there are so many merchants both online and offline that are compromised by card-stealing malicious software that it is very likely that their card numbers were stolen from multiple victim companies.

The most important thing to bear in mind with all these card breaches is that consumers are not liable for fraudulent charges, it still usually falls to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

For anyone curious about why the hotel industry has been so heavily targeted over the past few years, check out some of the case studies published by Trustwave Spiderlabs. Organized crime groups (most notably the Carbanak gang) have been targeting customer service and reservations specialists at various hospitality chains with tailored social engineering attacks that involve well-aged fake companies and custom malware.



from
https://krebsonsecurity.com/2017/10/hyatt-hotels-suffers-2nd-card-breach-in-2-years/

Wednesday, October 11, 2017

Microsoft’s October Patch Batch Fixes 62 Flaws

Microsoft on Tuesday released software updates to fix at least 62 security vulnerabilities in Windows, Office and other software. Two of those flaws were detailed publicly before yesterday’s patches were released, and one of them is already being exploited in active attacks, so attackers already have a head start.

brokenwindowsRoughly half of the flaws Microsoft addressed this week are in the code that makes up various versions of Windows, and 28 of them were labeled “critical” — meaning malware or malicious attackers could use the weaknesses to break into Windows computers remotely with no help from users.

The lone publicly disclosed Windows flaw (CVE-2017-8703) fixed in this batch is a problem with a feature only present in Windows 10 known as as the Windows Subsystem for Linux, which allows Windows 10 users to run unmodified Linux binary files. Researchers at CheckPoint recently released some interesting research worth reading about how attackers might soon use this capability to bypass antivirus and other security solutions on Windows.

The bug quashed this week that’s being actively exploited resides in Microsoft Office (CVE-2017-11826), and Redmond says attackers could seize control over a vulnerable system just by convincing someone to open a booby-trapped Word file. Another Office vulnerability, (CVE-2017-11776), involves a flaw in Outlook’s ability to encrypt messages; SEC-Consult has more details on this bug.

Another critical flaw (CVE-2017-11779) addresses a scary vulnerability in the domain name system (DNS) component of Windows 8 and Windows Server 2012. According to research from Bishop Fox, the security firm credited with finding and reporting the bug, this flaw could be exploited quite easily to gain complete control over vulnerable systems if the attacker controls or compromises a local network (think Wi-Fi hotspot).

Normally, Adobe uses Microsoft’s Patch Tuesday (the second Tuesday of each month) to release its own fixes for Flash Player, Reader and other products. However, this time around the company has no security updates available. Adobe did release a new version of Flash that includes bug fixes (v. 27.0.0.159), but generally speaking only even-numbered Flash releases include security fixes.

For additional commentary on October’s bundle of updates from Microsoft, see these blogs from security vendors Ivanti and Qualys. For those looking for a straight-up list of which patches deserve priority, check out the always useful roundup from the SANS Internet Storm Center.



from
https://krebsonsecurity.com/2017/10/microsofts-october-patch-batch-fixes-62-flaws/

Tuesday, October 10, 2017

Equifax Hackers Stole Info on 693,665 UK Residents

Equifax Inc. said today an investigation into information stolen in the epic data breach the company disclosed on Sept. 7 revealed that intruders took a file containing 15.2 million UK records. The company says it is now working to inform 693,665 U.K. consumers whose data was stolen in the attack.

equihaxPreviously, Equifax said the breach impacted approximately 400,000 U.K. residents. But in a statement released Tuesday, Equifax said it would notify 693,665 U.K. consumers by mail that their personal information was jeopardized in the breach. This includes:

-12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed.
-14,961 consumers who had portions of their Equifax.co.uk membership details — such as username, password, secret questions and answers, as well as partial credit card details — accessed
-29,188 consumers who had their drivers license numbers accessed
-637,430 consumers who had their phone numbers accessed

The numbers include data that Equifax held on U.K. consumers as far back as 2011, the company said. Equifax did not say whether any of the above-mentioned data was encrypted.

Meanwhile, the U.K.’s National Cyber Security Centre is warning residents to be on their guard against phishing attacks made to look like communications from Equifax about the breach.

“Another risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages,” the NCSC wrote. “Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as: ‘To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number’. These phishing messages may be unrelated to Equifax and may use more well known brands. It is unlikely that any organisations will ask their customers to reset security information or passwords as a result of the Equifax breach, but this may be a tactic employed by criminals.”

ANALYSIS

Equifax has been widely criticized for continuously bungling their public response to this still-unfolding data disaster, and today’s update about the extent of the breach in the U.K. was no exception. The Equifax Web site that hosts today’s press release serves “mixed content,” meaning it includes elements that are served over both encrypted and unencrypted pages. The practical effect of this varies depending on which browser you’re using, but some browsers will display a security warning when this happens.

That mixed content error may have something to do with a missing image in the press release. That press release was supposed to include an image that breaks down what exactly was stolen from U.K. residents — as detailed in the bulleted list above — but apparently the graphic was either removed or moved pre- or post-publication. Here’s what the press release looks like in Firefox (Equifax still hasn’t fixed this):

eq-uk-ff

In Chrome:

eq-uk-chrome

In Internet Explorer:

eq-uk-ie

It’s fairly terrifying when you realize that a company which can’t even issue a press release without managing to omit the most important piece of information in it wields so much power over consumers. Nothing says ‘we care about your security and privacy’ like a message which warns “you got hacked!” and then fails to tell you what that actually means.

I’ve been spending quite a bit of time looking at Equifax’s various Web properties over the past few weeks and I have to say it gets scarier the more I look. First it was the discovery that Equifax’s consumer dispute portal in Argentina was protected by nothing more than the username and password “admin/admin.” It’s worth noting that, as mentioned countless times by Equifax’s former CEO in front of several congressional committees last week, the breach of sensitive data on 145.5 million Americans began with lax security at just such a dispute portal (the company declined to say which).

Earlier this week I pointed out that the company’s TALX Web site made it trivial to find the salary history of large chunk of the American population, armed with nothing more than someone’s date of birth and Social Security number (both data points, by the way, that were stolen on 145.5 million Americans, thanks to Equifax). The company responded by taking the site offline a few hours after that story ran on Sunday. That site is still “under maintenance,” according to Equifax.

While Equifax has stressed that it will offer free credit monitoring services to victims of its own breach, it is still using the entire incident to drive traffic to areas of its consumer business that make the company oodles of money, such as “FREE* credit report & score” services for only £14.95 per month. It’s impossible to understand how Equifax could fail to notice the atrocious optics here, unless of course it really doesn’t care.

Equifax.co.uk

By the way, if you’re somehow just tuning in to news about this breach, don’t sweat it: Here’s a Q&A that explains what’s at stake and what you should do.



from
https://krebsonsecurity.com/2017/10/equifax-hackers-stole-info-on-693665-uk-residents/

Sunday, October 8, 2017

Equifax Breach Fallout: Your Salary History

In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.

twn

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the fist letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).

findemployercode

What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employees’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

Once you’re successfully “authenticated,” the system asks you to change your PIN to something more secret than your birthday. When the default PIN is changed, The Work Number prompts users to select a series of six challenge/response questions, which Equifax claims will “improve the security of your data and create an extra layer of protection on your account.”

Unfortunately, consumers whose employee history is stored by this service effectively have no privacy or security unless they possess both the awareness that this service exists and the forethought to access their account online before identity thieves or others do it first.

newpin

The Work Number does allow employers to opt for TALX’s “enhanced authentication” feature, wherein after logging in with your employer ID and PIN (often the last four digits of an SSN plus the birth year), the system is designed to require the requester to respond to an email at a work address or a phone call to a work number to validate the login.

However, I did not find this to be the case in several instances involving readers whose employers supposedly used this enhanced authentication method. In cases where corporate human resources departments fail to populate employee email addresses and phone numbers, the system defaults to asking visitors to enter any email address and phone number to complete the validation. This is detailed here (PDF), wherein The Work Number states “if you do not have the required phone and e-mail information on file, you will be prompted to update/add your phone numbers/email addresses.”

squestionsa

Worse yet, while companies that use this service tend to vary their approaches to what’s required in terms of user IDs and PINs, a great many employers publish online detailed instructions on how to fill out these various forms. For example, the State of California‘s process is listed here (PDF); instructions for the Health Resources & Services Administration (HRSA) are here; employees at the National Institutes of Health (NIH) can learn the steps by consulting this document (PDF). The process for getting this information on current and former UCLA employees is spelled out here. There are countless other examples that are easy to find with a simple Internet search.

Many readers probably consider their current and former salaries to be very private information, but as we can see this data is easily available on a broad spectrum of the working population in America today. The information needed to obtain it has been widely compromised in thousands of data breaches over the past few years, and the SSN and DOB on most Americans is for sale in a variety of places online. In short, if you can get these details from Equifax’s online service, so can anyone else.

Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can do this by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.

I could see this service potentially helping to create a toxic workplace environment because it offers a relatively simple method for employees to glean data about the salaries of their co-workers and bosses. While some people believe that companies should be more transparent about employee salaries, this data in the wrong hands very often generates a great deal of resentment and hostility among co-workers.

Employers who use The Work Number should strongly consider changing as many defaults as possible, and truly implementing the service’s enhanced authentication features.

October is National Cybersecurity Awareness Month, and as such KrebsOnSecurity will continue pointing readers to similar services that let anyone access your personal data armed with little more than static identifiers about you that should no longer be considered private. Although some readers may take issue with my pointing these out — reasoning that I’m only making it easier for bad people to do bad things — it’s important to understand that knowledge is half the battle: Planting your flag before someone else does is usually the only way to keep others from abusing such services to expose your personal information.

Related reading:

USPS ‘Informed Delivery’ is Stalker’s Dream
Student Aid Tool Held Key for Tax Fraudsters
Sign Up at IRS.gov Before Crooks Do It For You
Crooks Hijack Retirement Funds via SSA Portal
Social Security Administration Now Requires Two-Factor Authentication
SSA: Ixnay on txt msg reqmnt 4 e-acct, sry



from
https://krebsonsecurity.com/2017/10/equifax-breach-fallout-your-salary-history/

Wednesday, October 4, 2017

Fear Not: You, Too, Are a Cybercrime Victim!

Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data filched in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.

To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you’re compromised, and take steps accordingly.

If readers are detecting a bit of sarcasm and cynicism in my tone here, it may be that I’m still wishing I’d done almost anything else today besides watching three hours worth of testimony from former Equifax CEO Richard Smith before lawmakers on a panel of the House Energy & Commerce Committee.

While he is no longer the boss of Equifax, Smith gamely agreed to submit to several day’s worth of grilling from legislators in both houses of Congress this week. It was clear from the questions that lawmakers didn’t ask in Round One, however, that Smith was far more prepared for the first batch of questioning than they were, and that the entire ordeal would amount to only a gentle braising.

Nevertheless, Smith managed to paint a even more dismal picture than was already known about the company’s efforts to secure the very data that makes up the core of its business. Helpfully, Smith clarified early on in the hearing that the company’s customers are in fact banks and other businesses — not consumers.

Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting the breach as the kind of failure that could have happened to anyone. In reality, the company waited 4.5 months (until after it discovered the breach in late July 2017) to fix a dangerous security flaw that it should have known was being exploited on Day One (~March 6 or 7, 2017).

“The human error involved the failure to apply a software patch to a dispute portal in March 2017,” Smith said. He declined to explain (and lawmakers inexplicably failed to ask) how 145.5 million Americans — nearly 60 percent of the adult population of the United States — could have had their information tied up in a dispute portal at Equifax. “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

As noted in this Wired.com story, Smith admitted that the data which was compromised in the breach was not encrypted:

When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. “We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest,” Smith said. “To be very specific, this data was not encrypted at rest.”

It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax’s attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

Smith also sought to justify the company’s historically poor breach response after it publicly disclosed the breach on Sept. 7 — roughly 40 days after it says Equifax’s security team first became aware of the incident (on July 29). As many readers here are well familiar, KrebsOnSecurity likened that breach response to a dumpster fire — noting that it was perhaps the most haphazard and ill-conceived of any major data breach disclosure in history.

Smith artfully dodged questions of why the company waited so long to notify the public, and about the perception that Equifax sought to profit off of its own data breach. One lawmaker noted that Smith gave two public speeches in the second and third weeks of August in which he was quoted as saying that fraud was a “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company.

Smith interjected that he had “no indication” that consumer data was compromised at the time of the Aug. 11 speech. As for the Aug. 17 address, he said “we did not know how much data was compromised, what data was compromised.”

Follow-up questions from lawmakers on the panel revealed that Smith didn’t ask for a briefing about what was then allegedly only classified internally as “suspicious activity” until August 15, almost two weeks after the company hired outside cybersecurity experts to examine the issue.

Smith also maneuvered around questions about why Equifax chose to disclose the breach on the very day that Hurricane Irma was dominating front-page news with an imminent landfall on the eastern seaboard of the United States.

However, Smith did blame Irma in explaining why the company’s phone systems were simply unable to handle the call volume from U.S. consumers concerned about the Category Five data breach, saying that Irma took down two of Equifax’s largest call centers days after the breach disclosure. He said the company handled over 420 million consumer visits to the portal designed to help people figure out whether they were victimized in the breach, underscoring how so many American adults were forced to revisit the site again and again because it failed to give people consistent answers about whether they were affected.

Just a couple of hours after the House Commerce panel hearing ended, Politico ran a story noting that the Internal Revenue Service opted to award Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services to the tax bureau. Bear in mind that Equifax’s poor security contributed to an epidemic of tax refund fraud at the IRS in the 2015 and 2016 tax years, when fraudsters took advantage of weak security questions provided to the IRS by Equifax to file and claim phony tax refund requests on behalf of hundreds of thousands of taxpayers.

Don’t forget that tax fraudsters exploited this same lax security at Equifax’s TALX payroll division to steal employee tax records from an as-yet undisclosed number of companies between April 2016 and March 2017.

Finally, much of today’s hearing centered around questions about the difference between a security freeze — a right that was hard-won on a state-by-state level over several years — and the “credit lock” services being pushed instead by Equifax and the big bureaus. Lawmakers on today’s panel seemed content with Smith’s answer that the two things were effectively the same, only that a freeze was more cumbersome and costly, whereas credit locks were free and far more consumer-friendly.

To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

“Having a contractual agreement is not as strong as having protections under law,” Tetreault said. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement.”

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

If anyone needs more convincing on this front, check out the testimony given in other committees today by representatives from banking behemoth Wells Fargo, which is under fire signing up tens of thousands of auto loan customers for insurance they did not need and in some cases couldn’t afford. That scandal comes on the heels of another debacle in which Wells Fargo was found to have created more than 3.5 million bank accounts without consumers’ permission between 2009 and 2016.

Mr. Smith is slated to testify before at least three other committees in the House and Senate this week before he’s off the hot seat. On Friday, KrebsOnSecurity published a lengthy list of questions that lawmakers should consider asking the former Equifax CEO. Here’s hoping our elected representatives don’t merely use these additional opportunities for more grandstanding and regurgitating the same questions.



from
https://krebsonsecurity.com/2017/10/fear-not-you-too-are-a-cybercrime-victim/

Monday, October 2, 2017

USPS ‘Informed Delivery’ Is Stalker’s Dream

A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.

The service, dubbed “Informed Delivery,” has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide, according to the Postal Service. U.S. residents can tell if their address is eligible by visiting informeddelivery.usps.com.

Image: USPS

Image: USPS

According to the USPS, some 6.3 million accounts have been created via the service so far. The Postal Service says consumer feedback has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any mail being delivered while they’re on the road.

But a review of the methods used by the USPS to validate new account signups suggests the service is wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.

Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you’re communicating with via the Postal mail.

Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.

Peter Swire, a privacy and security expert at Georgia Tech and a senior counsel at the law firm of Alston & Bird, said strong authentication relies on information collected from multiple channels — such as something you know (a password) and something you have (a mobile phone). In this case, however, the USPS has opted not to leverage a channel that it uniquely controls, namely the U.S. Mail system.

“The whole service is based on a channel they control, and they should use that channel to verify people,” Swire said. “That increases user trust that it’s a good service. Multi-channel authentication is becoming the industry norm, and the U.S. Postal Service should catch up to that.” 

I also wanted to know whether there was any way for households to opt out of having scanned images of their mail sent as part of this offering. The USPS replied that consumers may contact the Informed Delivery help desk to request that the service not be presented to anyone in their household. “Each request is individually reviewed and assessed by members of the Postal Service Informed Delivery, Privacy and Legal teams,” the Postal Service replied.

There does not appear to be any limit on the number of people who can sign up for the service at any one address, except that one needs to know the names and KBA question answers for a valid resident of that address.

“Informed Delivery may be accessed by any adult member of a household,” the USPS wrote in response to questions. “Each member of the household must be able to complete the identity proofing process implemented by the Postal Service.”

The Postal Service said it is not possible for an address occupant to receive emailed, scanned images of incoming mail at more than one email address. In other words, if you wish to prevent others from signing up in your name or in the name of any other adults at the address, the surest way to do that may be to register your own account and then urge all other adult residents at the address to create their own accounts.

A highly positive story about Informed Delivery published by NBC in April 2017 suggests another use for the service: Reducing mail theft. However, without stronger authentication, this service could let local ID thieves determine with pinpoint accuracy exactly when mail worth stealing is set to arrive.

The USPS says businesses are not currently eligible to sign up as recipients of Informed Delivery. However, people running businesses out of their home could also be the target of competitors hoping to steal away customers, or to pose as partner firms in demanding payment for outstanding invoices.

Informed Delivery seems like a useful service for those residents who wish to take advantage of it. But lacking stronger consumer validation the service seems ripe for abuse. The USPS should use its own unique communications channel (snail mail) to alert Americans when their physical address has been signed up for this service.

Bob Dixon, the executive program director for Informed Delivery, said the Postal Service is working on an approach that it hopes to make available to the public in January 2018 which would allow USPS to send written notification to addresses when someone at that residence signs up for Informed Delivery.

Dixon said that capability will build on technology already in place to notify Americans via mail when a change of address is requested. Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 3,000 post offices nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.

If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.

“Part of coming up with a mail-based verification system will also let us do some additional notification that, candidly, we just haven’t built yet,” Dixon said. “It is our intent to have this ready by January 2018, and it is one of our higher priorities to get it done by then.”



from
https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/