PROJET AUTOBLOG


Krebs on Security

Original site: Krebs on Security


Federal Legislation Targets “Swatting” Hoaxes

Thursday, 19 November 2015 at 16:25

A bill introduced in the U.S. House of Representatives on Wednesday targets “swatting,” an increasingly common and costly hoax in which perpetrators spoof a communication to authorities about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.


The Interstate Swatting Hoax Act of 2015, introduced by Rep. Katherine Clark (D-Mass.) and Rep. Patrick Meehan (R-PA), targets what proponents call a loophole in current law. “While federal law prohibits using the telecommunications system to falsely report a bomb threat hoax or terrorist attack, falsely reporting other emergency situations is not currently prohibited,” reads a statement by the House co-sponsors.

To address this shortcoming, the bill “would close this loophole by prohibiting the use of the internet telecommunications system to knowingly transmit false information with the intent to cause an emergency law enforcement response.”

“In recent years, swatting has become a widely used tool for online harassers to attack journalists, academics, domestic violence survivors, and celebrities,” the lawmakers wrote. “Perpetrators locate victims’ private information online and use technology to conceal their identity as they contact emergency responders.”

Fairfax County Police outside my home on 3/14/13

As the target and victim of multiple swatting hoaxes, I support efforts to crack down on this dangerous crime, which wastes public resources, unnecessarily endangers lives, and diverts first responders away from real emergencies.

However, the bill doesn’t and can’t address a big part of the swatting problem: A huge percentage of those involved in swatting are under the age of 18, and the federal justice system simply isn’t built to handle juvenile offenders. As a result, most cases of youths detained for swatting are handled by state and local authorities. Thus, unless more states pass anti-swatting laws, many of these crimes likely will continue to go unpunished.

California, for example, has a law on the books that requires convicted swatters to repay any costs associated with the incident, which can range as high as $10,000. Under the California law, which took effect Jan. 1, 2014, convicted swatters can face up to a year in jail.

Report: Everyone Should Get a Security Freeze

Wednesday, 18 November 2015 at 16:34

This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.


Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.

But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.

Thankfully, US-PIRG — the federation of state public interest research groups — also is now recommending that consumers file proactive security freezes on their credit files.

“These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”

The report continues: “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”

Check out the USPIRG’s full report, Why You Should Get Security Freezes Before Your Information is Stolen (PDF) for more good advice. In case anything in that report is unclear, in June I posted a Q&A on security freezes, explaining how they work, how to place them and the benefits and potential drawbacks of placing a freeze.

Have you frozen your credit file? If so, sound off about the experience in the comments. If not, why not?

Paris Terror Attacks Stoke Encryption Debate

Tuesday, 17 November 2015 at 23:13

U.S. state and federal law enforcement officials appear poised to tap into public concern over the terror attacks in France last week to garner support for proposals that would fundamentally weaken the security of encryption technology used by U.S. corporations and citizens. Here’s a closer look at what’s going on, and why readers should be tuned in and asking questions.

Despite early and widely repeated media reports that the terrorists who killed at least 128 people in Paris used strong encryption to disguise their communications, the evidence of this has failed to materialize. An initial report on Nov. 14 from Forbes titled “Why the Paris ISIS Terrorists Used PlayStation4 to Plan Attacks” was later backpedalled to “How Paris ISIS Terrorists May Have Used PlayStation 4 to Discuss and Plan.” Turns out there was actually nothing to indicate the attackers used gaming consoles to hide their communications; only that they could do that if they wanted to.

Politico ran a piece on Sunday that quoted a Belgian government official saying French authorities had confiscated at least one PlayStation 4 gaming console from one of the attacker’s belongings (hat tip to Insidesources.com).

“It’s unclear if the suspects in the attacks used PlayStation as a means of communication,” the Politico story explained. “But the sophistication of the attacks raises questions about the ability of law enforcement to detect plots as extremists use new and different forms of technology to elude investigators.”

Also on Sunday, The New York Times published a story that included this bit:

“The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.”

After heavy criticism of the story on Twitter, The Times later removed the story from the site (it is archived here). That paragraph was softened into the following text, which was included in a different Times story later in the day: “European officials said they believed the Paris attackers had used some kind of encrypted communication, but offered no evidence.” To its credit, the Times today published a more detailed look at the encryption debate.

The media may be unwittingly playing into the hands of folks that former NBC reporter Bob Sullivan lovingly calls the “anti-encryption opportunists,” i.e., those who support weakening data encryption standards to make it easier for law enforcement officials to lawfully monitor people suspected of terrorist activity.

The directors of the FBI, Central Intelligence Agency and National Security Agency have repeatedly warned Congress and the technology community that they’re facing a yawning intelligence gap from smart phone and internet communication technologies that use encryption which investigators cannot crack — even after being granted the authority to do so by the U.S. courts.

For its part, the Obama administration has reportedly backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices.

“While the administration said it would continue to try to persuade companies like Apple and Google to assist in criminal and national security investigations, it determined that the government should not force them to breach the security of their products,” wrote Nicole Perlroth and David Sanger for The New York Times in October. “In essence, investigators will have to hope they find other ways to get what they need, from data stored in the cloud in unencrypted form or transmitted over phone lines, which are covered by a law that affects telecommunications providers but not the technology giants.”

But this hasn’t stopped proponents of weakening encryption from identifying opportunities to advance their cause. In a memo obtained in August by The Washington Post, Robert Litt, a lawyer in the Office of the Director of National Intelligence, wrote that the public support for weakening encryption “could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

To that apparent end, law enforcement officials from Manhattan and the City of London are expected on Wednesday to release a “white paper on smartphone encryption,” during an annual financial crimes and cybersecurity symposium at The Federal Reserve Bank of New York. A media notice (PDF) about the event was sent out by Manhattan District Attorney Cyrus R. Vance Jr., one of the speakers at the event and a vocal proponent of building special access for law enforcement into encrypted communications. Here’s Vance in a recent New York Times op-ed on the need for the expanded surveillance powers.

Critics say any plans designed to build in secret “backdoors” that allow court-ordered access to encrypted communications ultimately would backfire once those backdoors were discovered by crooks and nation states. In her column titled “After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption,” Wired.com’s Kim Zetter examines security holes in the arguments for weakening encryption.

The aforementioned Bob Sullivan reminds us that weakening domestic encryption laws would simply ensure that the criminals we wish to monitor use non-US encryption technology:

“For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law. But products created outside the U.S.? They’d create backdoors only if their governments required it. You see where I’m going. There will be no global master key law that all corporations adhere to. By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed. Plenty of companies would create rogue encryption products, now that the market for them would explode. And of course, terrorists are hard at work creating their own encryption schemes.”

“There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very, very hard to undo a technological advance.”

“Meanwhile, creation of backdoors would make us all less safe. Would you trust governments to store and protect such a master key? Managing defense of such a universal secret-killer is the stuff of movie plots. No, the master key would most likely get out, or the backdoor would be hacked. That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind our backs.”

“In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.”

Where do you come down on this debate, dear readers? Are you taking advantage of the kinds of technologies and services — like Signal, Telegram and Wickr — that use encryption the government says it can’t crack? Sound off in the comments below.

Chipotle Serves Up Chips, Guac & HR Email

Monday, 16 November 2015 at 23:51

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “chipotlehr.com” — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “chipotlehr.com”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

This security oversight by Chipotle was brought to light by KrebsOnSecurity.com reader Michael Kohlman, a professional IT expert who discovered the bug after applying for a job at the food retailer.

Kohlman, who’s between jobs at the moment, said he submitted his resume and application to Chipotle’s online HR department not necessarily because he wanted to be a restaurant employee, but more to satisfy the terms of his unemployment benefits (which require him to regularly show proof that he is actively looking for work).

Kohlman said after submitting his resume and application, he received an email from Chipotle Careers that bore the return address @chipotlehr.com. The Minnesota native said he became curious about the source of the Chipotle HR email when a reply sent to that address generated an error or “bounce” message saying his missive was undeliverable.

“The canned response was very odd,” Kohlman said. “Rather than indicating the email didn’t exist, [the bounced message] just came back and said it could not resolve the DNS settings.”

A quick search for ownership records on the domain showed that it had never before been registered. So, Kohlman said, on a whim he plunked down $30 to purchase it.

The welcome message that one receives upon successfully submitting an application for a job at Chipotle discourages users from replying to the message. But Kohlman said a brief look at the incoming email associated with that domain revealed a steady stream of wayward emails to chipotlehr.com — mainly from job seekers and people seeking password assistance to the Chipotle HR portal.
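The failure described above is a configuration defect that can be caught before a single message is sent: every domain an outbound template puts in From, Reply-To, Return-Path or Sender should be one the organisation actually owns and one that resolves to a mail host. The following audit script is an added example written for this post, not code from Chipotle or from KrebsOnSecurity; the sample message, the list of owned domains and the DNS answers it uses are constructed, and `live_resolver` is an approximation using the standard library only.

```python
"""Audit the domains an outbound mail template directs replies to.

Two distinct failure modes are flagged:
  NOT_OWNED      the domain is not on the organisation's list of registered
                 names, so whoever registers it receives every reply
  NO_MAIL_ROUTE  the domain is owned but does not resolve, so replies bounce
"""
import socket
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, modelled on the confirmation mail described in the post.
SAMPLE_MESSAGE = """\
From: Chipotle Careers <careers@chipotlehr.com>
Reply-To: careers@chipotlehr.com
Return-Path: <bounces@careers.chipotle.com>
To: applicant@example.net
Subject: Thank you for applying

Please do not reply to this message.
"""

# Constructed list of names the organisation registers and controls.
OWNED_DOMAINS = {"chipotle.com", "careers.chipotle.com"}

# Headers whose addresses a recipient or a mail server may send mail back to.
ADDRESS_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")


def sender_domains(raw_message):
    """Return the set of domains that replies or bounces would be routed to."""
    msg = message_from_string(raw_message)
    domains = set()
    for header in ADDRESS_HEADERS:
        for _display_name, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def audit_sender_domains(raw_message, owned_domains, resolver):
    """Classify every reply/bounce domain in the message.

    resolver(domain) must return a truthy value when the domain resolves to
    a mail host and a falsy value when it does not (NXDOMAIN, no MX/A record).
    """
    owned = {d.lower() for d in owned_domains}
    findings = {}
    for domain in sorted(sender_domains(raw_message)):
        is_owned = any(domain == o or domain.endswith("." + o) for o in owned)
        if not is_owned:
            # Mail is pointed at a name nobody in the organisation controls.
            findings[domain] = "NOT_OWNED"
        elif not resolver(domain):
            # Owned but unresolvable: replies bounce, exactly the symptom
            # Kohlman saw, and the portal looks broken to applicants.
            findings[domain] = "NO_MAIL_ROUTE"
        else:
            findings[domain] = "OK"
    return findings


def live_resolver(domain):
    """Approximate check with the standard library only: does the name
    resolve to any address?  A production audit should query MX records
    (for example with dnspython), which the standard library cannot do."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Constructed DNS answers standing in for a live lookup, so the script
    # runs offline; swap in live_resolver to audit real templates.
    fake_dns = {"careers.chipotle.com": True, "chipotlehr.com": False}
    for domain, status in audit_sender_domains(
            SAMPLE_MESSAGE, OWNED_DOMAINS, fake_dns.get).items():
        print(f"{domain:28} {status}")
```

Run against the constructed sample, the script reports `chipotlehr.com` as NOT_OWNED and `careers.chipotle.com` as OK. Running it over every template a ticketing or HR system sends, with `live_resolver` or a proper MX lookup, turns a years-long leak into a failed pre-deployment check.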

A confirmation letter I got from Chipotle Careers, which for at least several months used the reply address chipotlehr.com, a domain the company didn’t own.

“In a nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge,” said Kohlman. “As someone who has made a big chunk of their career defending against cyber-attackers, I’d rather see Chipotle and others learn from their mistakes rather than cause any real damage.”

Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.

“The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”

I suppose that’s not really a shocking response from a $3.5 billion/year company that only just last month hired its first chief information officer. Chipotle still doesn’t have a job position that puts anyone in charge of computer security. One might say the company’s information security maturity level leaves a bit to be desired.

This entire debacle reminds me of a story I wrote for The Washington Post in 2008 titled “They Told You Not To Reply.” That piece was about an adventuresome young man who gamely registered the domain “donotreply.com” — just to see how badly the domain was being abused. Little did he know what he was signing up for: a constant glut of email destined for companies that had dumped customers there for years — including banks, defense contractors and a whole mess of other organizations that should have known better. He ended up publishing the funniest emails on his blog, and would usually only remove the emails after the offending companies agreed to make a donation to any local animal shelter.

JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services

Friday, 13 November 2015 at 16:53

Buried in the federal indictments unsealed this week against four men accused of stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms are other unnamed companies that were similarly victimized by the accused. One of them, identified in the indictments only as “Victim #12,” is an entity that helps banks block transactions for dodgy goods advertised in spam. Turns out, the hackers targeted this company so that they could more easily push through payments for spam-advertised prescription drugs and fake antivirus schemes.

According to multiple sources, Victim #12 is none other than Bellevue, Wash. based G2 Web Services LLC, a company that helps banks figure out if a website is fraudulent or is selling contraband. G2 Web Services has not responded to multiple requests for comment.

In the final chapters of my book, Spam Nation: The Inside Story of Organized Cybercrime, I detailed the work of The International AntiCounterfeiting Coalition (IACC), a non-profit organization dedicated to combating product counterfeiting and piracy.

In 2011, G2 Web Services landed a contract to help the IACC conduct “test buys” at sites with products that were being advertised via spam. The company would identify which banks (mostly in Asia) were processing payments for these sites, and then Visa and MasterCard would rain down steep fines on the banks for violating their contracts with the credit card companies. The idea was to follow the money from schemes tied to cybercrime, deter banks from accepting funds from fraudulent transactions, and make it difficult for spammers to maintain stable credit card processing for those endeavors.

Prosecutors say the ringleader of the cybercrime gang accused of breaking into JPMC, Scottrade, E-Trade and others is 31-year-old Gery Shalon, a resident of Tel Aviv and Moscow. Investigators allege Shalon and his co-conspirators monitored credit card transactions processed through their payment processing business to attempt to discern which, if any, were undercover transactions made on behalf of credit card companies attempting to identify unlawful merchants. The government also charges that beginning in or about 2012, Shalon and his co-conspirators hacked into the computer networks of Victim-12 (G2 Web Services).

Shalon and his gang allegedly monitored Victim-12’s detection efforts, including reading emails of Victim-12 employees so they could take steps to evade detection.

“In particular, through their unlawful intrusion into Victim-12’s network, Shalon and his co-conspirators determined which credit and debit card numbers Victim-12 employees were using to make undercover purchases of illicit goods in the course of their effort to detect unlawful merchants,” Shalon’s indictment explains. “Upon identifying those credit and debit card numbers, Shalon and his co-conspirators blacklisted the numbers from their payment processing business, automatically declining any transaction for which payment was offered through one of those credit or debit card numbers.”

According to the U.S. government, Shalon ran idpay.com, a dodgy credit card processor that worked with dozens of banks to push through sales for fake antivirus and pharma-spam sites. Interestingly, in 2011, I wrote about a source who’d stumbled upon a portion of the customer database for idpay.com. As I wrote then:

“The idpay.com database indicates that a large number of fake AV Web sites were using idpay.com to process payments (a partial list is here). The idpay.com database revealed even bigger fish: Among the companies it processed was rx-partners.com, a major rogue pharmacy affiliate program that pays hackers and spammers to promote its pharmacy sites.”

“Another interesting client that processes payments through idpay.com was HzMedia Limited. That entity is owned by Igor Gusev, the founder of GlavMed, one of the world’s largest and spammiest rogue Internet pharmacy affiliate programs.”

Gusev would emerge as one of two major cybercrime kingpins I profiled in Spam Nation.

This story is interesting because it shows how money laundering is such a key component of cybercrime operations, and that anyone who has built such networks likely knows or works with a great many of the world’s top cybercrooks. It also illustrates the lengths to which organized cybercriminals will go to preserve their business models.

G2 was profiled in a New York Times story last month on firms that pit artificial intelligence against hacking threats. That piece cited G2 Web’s ability to spot “transaction laundering,” in which an illegal business tries to appear legitimate by processing transactions through a legal site. The story didn’t mention a breach, but it quoted a G2 employee on the challenges associated with fighting crooks who possess the means and the motive for hacking those who stand in their way.

“The guys who run these illicit sites are also into viruses and malware,” the Times quoted Alan Krumholz, principal data scientist at G2. “It’s a cat-and-mouse game. They go from one business into another.”

The full indictment against Shalon is here (PDF). The mention of Victim 12 (G2) is on page 23.