It’s remarkable how quickly a stolen purse or wallet can morph into full-blown identity theft, and possibly even result in the victim’s wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security led to a mistaken early morning arrest in front of his kids.

On the morning of Feb. 20, Lance Miller was arrested in front of his two children by local sheriffs in Golden, Colo. Miller, a managing partner at cybersecurity recruitment firm Curity, had discovered his wallet was missing three days prior to his arrest, reported it to the local police and canceled his credit cards. In the meantime someone had drained his checking account of approximately $5,000, and maxed out his credit cards for almost another $5,000.

“I was standing there in front of my kids saying, ‘You guys are crazy. Do I look like a burglar?'” Miller recalled. “The cop goes, ‘Well, I don’t know what a burglar looks like,’ and they put me in cuffs and in the car.”

Miller said it wasn’t until the 30-minute, handcuffed drive to police station that the local police and the local sheriff’s office began comparing notes, discovering in the process that they’d grabbed the wrong guy and removing the cuffs. Miller soon learned the thief who’d stolen his wallet had impersonated him during multiple traffic stops. A car the impostor was driving also was spotted speeding away from the scene of a burglary, but Miller said the police in that case didn’t give chase in that case because it wasn’t a violent crime.

“He started doing all kinds of stuff, and when he got pulled over he gave them my ID,” Miller said. “The first time he got pulled over and gave them my ID he was riding shotgun in a car with stolen plates that hadn’t yet been reported stolen. They let the guy go that night but then came and arrested me the next morning.”

Miller’s arrest came less than 24 hours after the local Arvada Police Department called to alert him that someone had tried to use his credit card at a nearby bank. Not long after that, a fuel station owner called the cops after getting suspicious about a customer and writing down his license plates.

“When we got to the [police] station, the police chief met me in the parking lot and apologized, then brought me 3 cups of coffee,” Miller said.

According to Miller, the police eventually arrested the guy suspected of stealing his wallet and other crimes that were previously pinned on Miller. The authorities now believe the man responsible is one John Tyler Waldorf, a 37-year-old suspect who had at least 16 warrants for his arrest pending in surrounding counties in connection with burglary and other alleged offenses.

Miller said investigators told him that Waldorf was suspected of associating with a white supremacist crime ring involved in identity theft, drug dealing and serial burglary.

“When these guys are not in prison, they’re expected to earn for the gang,” Miller said. “And apparently one of the best earning methods for these guys is ID theft.”

Louisville, Colo. police issued a bulletin explaining that Waldorf and his associates were known to have entered unlocked vehicles in the driveways of local residences and grabbed the garage door openers to the homes. “The suspect(s) entered the homes through the garage doors and stole items of value,” the police explained. “Both homes were occupied during the burglaries.”

Miller allows that the thieves in his case didn’t need to open the garage or enter his home: He’d absent-mindedly left his wallet in the car overnight while the vehicle was parked in the open garage. He now vows to tighten up his personal security habits.

“We live in a pretty nice area, and I got lulled into the idea that the garage was safe,” he said. “But in the end, it’s all on me. I’m an infosec guy, and if I can’t practice better operational security like that at my house, I should get the hell out of this industry.”

If your wallet or purse is lost or stolen, it’s a good idea to do most – if not all — of these things:

-File a police report as soon as possible to establish a record of the loss. If possible, get a physical copy of the police report at some point. You may be able to file a report and obtain a copy of it online, or you may have to go down to the local police station and pay a small administrative fee to get a copy. Either way, this report can be very useful in getting you a freeze on your credit file or an extended fraud alert at no cost if you decide to do that down the road.

-Contact your bank and report any checks or credit/debit cards lost or stolen. Most banks issue credit and debit cards with “zero liability” provisions, meaning you’re not on the hook for fraudulent charges or withdrawals — provided you report them promptly. The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.

-Contact one of the major credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) and at the very least ask to put a fraud alert on your file, to prevent identity theft in the future. By law, the one you alert has to share the alert with the other three. The initial fraud alert stays on for 90 days. If you have that police report handy, you can instead request an extended fraud alert, which stays in effect for seven years.

-Fraud alerts are okay, but consider placing a security freeze on your credit file with the major bureaus. For more on the importance of a security freeze, check out How I Learned to Stop Worrying and Embrace the Security Freeze.

-Order a free copy of your credit report from one of the major bureaus. By law, you are entitled to a free report from each of the bureaus once a year. The only real free place to get your report is via the site mandated by the federal government: annualcreditreport.com.

Staminus Communications Inc., a California-based Internet hosting provider that specializes in protecting customers from massive “distributed denial of service” (DDoS) attacks aimed at knocking sites offline, has itself apparently been massively hacked. Staminus’s entire network was down for more than 20 hours until Thursday evening, leaving customers to vent their rage on the company’s Facebook and Twitter pages. In the midst of the outage, someone posted online download links for what appear to be Staminus’s customer credentials, support tickets, credit card numbers and other sensitive data.

Newport Beach, Calif.-based Staminus first acknowledged an issue on its social media pages because the company’s Web site was unavailable much of Thursday.

“Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable,” Staminus wrote to its customers. “Our technicians quickly began working to identify the problem. We understand and share your frustration. We currently have all hands on deck working to restore service but have no ETA for full recovery.”

Staminus now says its global services are back online, and that ancillary services are being brought back online. However, the company’s Web site still displays a black page with a short message directing customers to Staminus’s social media pages.

Meanwhile, a huge trove of data appeared online Thursday, in a classic “hacker e-zine” format entitled, “Fuck ’em all.” The page includes links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.

The authors of this particular e-zine indicated that they seized control over most or all of Staminus’s Internet routers and reset the devices to their factory settings. They also accuse Staminus of “using one root password for all the boxes,” and of storing customer credit card data in plain text, which is violation of payment card industry standards.

Staminus so far has not offered any additional details about what may have caused the outage, nor has it acknowledged any kind of intrusion. Several Twitter accounts associated with people who claim to be Staminus customers frustrated by the outage say they have confirmed seeing their own account credentials in the trove of data dumped online.

I’ve sent multiple requests for comment to Staminus, which is no doubt busy with more pressing matters at the moment. I’ll update this post in the event I hear back from them.

It is not unusual for attackers to target Anti-DDoS providers. After all, they typically host many customers whose content or message might be offensive — even hateful — speech to many. For example, among the company’s many other clients is kkk-dot-com, the official home page of the Ku Klux Klan (KKK) white supremacist group. In addition, Staminus appears to be hosting a large number of internet relay chat (IRC) networks, text-based communities that are often the staging grounds for large-scale DDoS attack services.

User-friendly and secure. Hardly anyone would pick either word to describe the vast majority of wireless routers in use today. So naturally I was intrigued a year ago when I had the chance to pre-order a eero, a new WiFi system billed as easy-to-use, designed with security in mind, and able to dramatically extend the range of a wireless network without compromising speed. Here’s a brief review of the eero system I received and installed a week ago.

The standard eero WiFi system comes with three eero devices, each about the width of a square coaster and roughly an inch thick. Every individual eero unit has two built-in WiFi radios that are designed to hand off traffic with the other two units.

This two-radio aspect is important, as most consumer devices that are made and marketed as WiFi range extenders or “repeaters” contain only one radio, and thus end up halving the speed of the repeated WiFi signal.

The makers of eero recommend one device for every 1,000 square feet, and advise placing one device no further than 40 feet from another. Each eero has two ethernet ports in the back, but only one of the eeros needs to be connected directly into your modem with an ethernet cable. That means that a 3-piece eero set has a total of five available ethernet ports, or at least one open ethernet port at each eero location.

Most wireless routers require owners to configure the device by using a hard-wired computer or laptop, opening a browser and navigating to a numeric Internet address to enter some default credentials. From there, you’re on your own. In contrast, the eero system relies on a simple mobile app for setup. The app asks for your name, email address and mobile number, and then sends a text with a one-time passcode.

After you verify the code on your mobile device, the app prompts you to pick a network name (SSID) and password. The device defaults to WPA-2 PSK (AES) for encryption — the strongest security currently available.

Once you’ve assigned each eero a unique location — and as long as the three devices can talk to each other — the network should be set up. The entire process — from placing and plugging in the eeros to setting up the network —  took me about five minutes, but most of that was just me walking from one room or floor to the next to adjust the location of the devices.

MY TAKE?

The eero system did indeed noticeably extend the range of my home WiFi network. My most recent router — an ASUS RT-N66U, a.k.a the “Dark Knight” — cost about $150 when I bought it, but it never gave me coverage throughout our three-level home despite multiple experiments with physical placement of the device. In contrast, the eero system extended the range of my network throughout our home and to about a dozen meters outside the house in every direction.

In fact, I’m now writing this column from a folding chair in the front lawn, something I couldn’t do with any router I’ve previously owned. Then again, a wireless network that extends well beyond one’s home may actually be a security minus for those who’d rather not have their network broadcast beyond their front porch or apartment walls.

This is a good time to note one of eero’s best features: The ability to add guests to your wireless network quickly and easily. According to an interview with eero’s co-founder (more on that below), the firewall rules that govern any devices added to a eero guest network prevent individual hosts from directly communicating with any other on the local network. With a few taps on the app, guests are invited to join via a text or email message, and the invite contains the name (SSID) of the guest wireless network and a plaintext password.

There are a few aspects about the eero system that may give pause to some readers — particularly the tinfoil hat types and those who crave more granular control over their wireless router. Control freaks may have a hard time letting go with the eero — in part because it demands a great deal of trust — but also because frankly it’s a little too easy to set up.

There aren’t a lot of configuration options available in the app. eero says it is working on rolling out new features and options, and that it’s so far been focused on getting shipping all of the pre-ordered units so that they work as advertised. This is a WiFi system that I can see selling very nicely to relatively well-off consumers who don’t know or don’t want to know how to configure a wireless router.

To be clear, the eero is not a cheap WiFi system. I paid $299 for my three eeros, and that was at the pre-order rate. The same package now retails for $499. In contrast, your average, 4-port consumer WiFi router sells for about $45-$50 at the local electronics store and will do the job okay for most Internet users.

Another behavior central to the eero that is bound to be a sticking point with some is that it is regularly checking for or downloading new security and bug updates from the cloud. This may be a huge change for consumers accustomed to configuring all of this themselves, but overall I think it’s a positive development if done right.

For starters, the vast majority of consumer grade routers ship with poorly written and insecure software, and often with unnecessary networking features turned on. It’s a fair bet that if you were to buy a regular WiFi router off the shelf at the local electronics store, that software or “firmware” that powers that device is going to be out-of-date and in need of updating straight out of the box.

Worse still, most of these device will remain in this default insecure state for the remainder of their Internet-connected lifespan (which is probably at least several years), because few consumer routers make it easy for consumers to update, or even alert them that the devices need updates. There are so many out-of-date and insecure routers exposed to the Internet now that it’s not uncommon to find criminal botnets made up entirely of hacked home routers.

True, geeks who feel at home tinkering with open-source router firmware can void their warranty by installing something like DD-WRT or Tomato on a normal wireless router, and I have recommended as much for those with the confidence to do so. But I also am careful to note that anyone who updates their router with third-party firmware but fumbles a crucial step can quickly be left with an oversized and otherwise useless paperweight.

INTERVIEW WITH EERO CEO/CO-FOUNDER

I wanted to know more about the security design that went into the eero, and fortunately was in eero’s hometown of San Francisco last week for the RSA Security conference. So I dropped by the company’s headquarters and got to sit down briefly with the company’s CEO and co-founder, Nick Weaver.

“The way we designed the eero system in general is that it’s a distributed system that runs in your home, and the system we use to deliver that experience is also a distributed system,” Weaver explained. “In your home, the system distributes the load of clients, compute, updates, and diagnostics across the units in your home. We also have a cloud with a distributed architecture, and that’s what allows the eero networks to update an configure themselves automatically.”

BK: Where does that distributed cloud architecture live?

NW: Today it’s Amazon, and everything is hosted on AWS. There’s a high frequency [of check-ins] but not a lot of traffic.  There is very little information exchanged. Only diagnostic info that explains how the links between the eeros are doing. You can think of it as a network engineer in the sky who helps ensure that your network is configured properly.

BK: How does the eero know the updates being pushed to it are from eero and not from someone else?

NW: Every update is signed by a key, and that key is locked away at [the bank].

BK: Does eero collect any other information about its users?

NW: There is no information collected ever about where you go on the Internet or how your connection is being used. That is not information that’s interesting to us. The other co-founder studied networking and security and contributed quite a bit to the Tor Project. We’ve got all the right tensions in our founding team. Security is really important. And it’s been totally underestimated by all the existing players. As we’re discovering more and more security vulnerabilities, we have to be able to move quickly and deploy quickly. Because if you don’t, you’re doing a disservice to your customers.

Would you buy a eero system? Sound off in the comments below.

Update 12:58 p.m. ET: Corrected the price of the 3-eero unit.

Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site.

The bulk of the security holes plugged in this month’s Patch Tuesday reside in either Internet Explorer or in Microsoft’s flagship browser — Edge. As security firm Shavlik notes, Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.

Windows users who get online with a non-Microsoft browser still need to get their patches on: Ten of the updates affect Windows — including three other critical updates from Microsoft. As always, Qualys has a readable post about the rest of the Microsoft patches. If you experience any issues with the Windows patches, please share your experience in the comments below.

As it is known to do on patch Tuesday, Adobe issued security updates for its Reader and Acrobat software. Alas, there appears to be no update for Adobe’s Flash Player plugin as per usual on Patch Tuesday. However, an Adobe spokesperson told KrebsOnSecurity that the company will be issuing a Flash Player update on Thursday morning.

Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.

Last week, this blog told the story of Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., who received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.

The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

In a statement issued Monday evening, the IRS said that as part of its ongoing security review, the agency was temporarily suspending the Identity Protection PIN tool on IRS.gov.

“The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool,” the agency said.

According to the IRS, of the 2.7 million IP PINs sent to taxpayers by mail for the current filing season, about 5 percent of those – approximately 130,000 – used the online tool to try retrieving a lost or forgotten IP PIN. The agency said that through the end of February 2016, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN.

“For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns,” the statement continued. “These strengthened review procedures – which are invisible to taxpayers – have helped detect potential identity theft and stopped refund fraud. Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool.”

Eight hundred taxpayers may not seem like a lot of folks impacted by this security weakness, but then again the IRS doesn’t release stats on fraud it may have missed. Also, the agency has a history of significantly revising the victim numbers upwards in incidents like these.

For example, the very same weakness caused the IRS last year to disable online access to its “Get Transcript” feature (the IRS disabled access to the Get Transcript tool in May 2015). The IRS originally said a little over 100,000 people were impacted by the Get Transcript weakness, a number it later revised to 340,000 and last month more than doubled again to more than 700,000 taxpayers.