Technology

Lessen the Impact of Cheap Clients

Technibble - Thu, 06/06/2019 - 06:00

In this video, I share a tip to lessen the impact of cheap clients, if you can’t avoid them entirely. Transcription: Bryce Whitty here from Technibble.com, and in this video I want to explain why you want technologically unsavvy clients, but not cheap clients. So its no surprise that you will want to avoid cheap […]

Source: Lessen the Impact of Cheap Clients - Technibble.com

Categories: Technology

The Linux Link Tech Show Episode 812

The Linux Link Tech Show - Wed, 06/05/2019 - 08:30
couchbase, ci, jenkins, linux mint, pinebook, linux, godzilla
Categories: Podcasts, Technology

SN 717: The Nansh0u Campaign

Security Now - Tue, 06/04/2019 - 19:52

• Checking in on the BlueKeep RDP vulnerability
• The planned shutdown of one of the most "successful" affiliate-based ransomware systems
• An update on the anti-Robocalling problem
• Russian and Chinese militaries plan to quit using Windows
• Apple's announcement yesterday of their forthcoming "Sign in with Apple" service
• The Nansh0u campaign, apparently sourced from China, has successfully compromised many tens of thousands of servers exposed to the Internet.

We invite you to read our show notes at https://www.grc.com/sn/SN-717-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Categories: Podcasts, Technology

LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

Krebs on Security - Tue, 06/04/2019 - 15:45

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Just a few days ago, the news was all about how Quest had suffered a major breach. But today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it first heard from the AMCA about the breach on May 14, but that it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to answer any questions about whether the breach of its payment’s page impacted anyone who entered payment data into the company’s site during the breach. But through an outside PR firm, it issued the following statement:

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

The statement continues:

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

ANALYSIS

The AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed.

A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years.

Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system. Recent consumer complaints about the AMCA also invoke the name of American Traffic Solutions, which services rental car fleets and processes some 50 million toll transactions per year. ATS did not respond to requests for comment.

My guess is we will soon hear about many other companies and millions more consumers impacted by this breach at the AMCA. Certainly, companies like Quest and LabCorp. have a duty to ensure contractors are properly safeguarding their patients’ personal, medical and financial information.

But this AMCA incident is the latest example of a breach at a little-known company that nevertheless holds vast quantities of sensitive data that was being shared or stored in ways that were beyond the control of affected consumers.

On May 24, KrebsOnSecurity broke the news that the Web site for Fortune 500 real estate title insurance giant First American Financial [NYSE:FAF] leaked 885 million documents related to mortgage deals going back to 2003, until notified by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

Many readers wrote in to say they’d never heard of First American, but it is the largest title insurance company in the United States. Title insurance is generally required for all home mortgages, and it protects the buyer from any previously unknown claims against the property. First American currently handles about one in every four title insurance transactions — usually as part of the mortgage closing process — which means tens of millions of Americans were potentially exposed by the company’s inexplicably lax security.

Categories: Technology, Virus Info

Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware

Krebs on Security - Mon, 06/03/2019 - 18:16

For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.

On May 25, The New York Times cited unnamed security experts briefed on the attack who blamed the ransomware’s spread on the Eternal Blue exploit, which was linked to the global WannaCry ransomware outbreak in May 2017.

That story prompted a denial from the NSA that Eternal Blue was somehow used in the Baltimore attack. It also moved Baltimore City Council President Brandon Scott to write the Maryland governor asking for federal disaster assistance and reimbursement as a result.

But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.

“We took a look at it and found a pretty vanilla ransomware binary,” Stewart said. “It doesn’t even have any means of spreading across networks on its own.”

Stewart said while it’s still possible that the Eternal Blue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely. Stewart said in a typical breach that leads to a ransomware outbreak, the intruders will attempt to leverage a single infection and use it as a jumping-off point to compromise critical systems on the breached network that would allow the malware to be installed on a large number of systems simultaneously.

“It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once,” Stewart said. “At this point, Eternal Blue is probably going to be detected by internal [security] systems, or the target might already be patched for it.”

It is not known who is behind the Baltimore ransomware attack, but Armor said it was confident that the bad actor(s) in this case were the same individual(s) using the now-suspended twitter account @Robihkjn (Robbinhood). Until it was suspended at around 3:00 p.m. ET today (June 3), the @Robihkjn account had been taunting the mayor of Baltimore and city council members, who have refused to pay the ransom demand of 13 bitcoin — approximately $100,000.

In several of those tweets, the Twitter account could be seen posting links to documents allegedly stolen from Baltimore city government systems, ostensibly to both prove that those behind the Twitter account were responsible for the attack, and possibly to suggest what may happen to more of those documents if the city refuses to pay up by the payment deadline set by the extortionists — currently June 7, 2019 (the attackers postponed that deadline once already).

Some of @robihkjn’s tweets taunting Baltimore city leaders over non-payment of the $100,000 ransomware demand. The tweets included links to images of documents allegedly stolen by the intruders.

Over the past few days, however, the tweets from @Robinhkjn have grown more frequent and profanity-laced, directed at Baltimore’s leaders. The account also began tagging dozens of reporters and news organizations on Twitter.

Stewart said the @Robinhkjn Twitter account may be part of an ongoing campaign by the attackers to promote their own Robbinhood ransomware-as-a-service offering. According to Armor’s analysis, Robbinhood comes with multiple HTML templates that can be used to substitute different variables of the ransom demand, such as the ransom amount and the .onion address that victims can use to negotiate with the extortionists or pay a ransom demand.

“We’ve come to the conclusion Robbinhood was set up to be a multi-tenant ransomware-as-a-service offering,” Stewart said. “And we’re wondering if maybe this is all an effort to raise the name recognition of the malware so the authors can then go on the Dark Web and advertise it.”

This redacted message is present on the Dark Web panel set up by the extortionists to accept payment for the Baltimore ransomware incident and to field inquiries or pleas from them. The message repeats the last tweet from the @robihkjn Twitter account and conclusively ties that account to the attackers. Image: Armor.

There was one other potential — albeit likely intentional — clue that Stewart said he found in his analysis of the malware: Its code included the text string “Valery.” While this detail by itself is not particularly interesting, Stewart said an earlier version of the GandCrab ransomware strain would place a photo of a Russian man named Valery Sinyaev in every existing folder where it would encrypt files. PCRisk.com, the company that blogged about this connection to the GandCrab variant, asserts Mr. Sinyaev is a respectable finance professional who has nothing to do with GandCrab.

The timing of the GandCrab connection is notable because just last week, the creators of GandCrab announced they were shutting down their ransomware-as-a-service product, allegedly after earning more than $2 billion in ransom payments.

Finally, since we’re on the subject of major ransomware attacks and scary exploits, it’s a good time to remind readers about the importance of applying the latest security updates from Microsoft, which last month took the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. Microsoft did this to head off another WannaCry-like outbreak from mass-exploitation of a newly discovered flaw that Redmond called imminently “wormable.”

That vulnerability exists in Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a reminder about the urgency of patching this bug, Microsoft on May 30 published a post saying while it hasn’t seen any widespread exploitation of the flaw yet, it took about two months after Microsoft released a fix for the Eternal Blue exploit in March 2017 for WannaCry to surface.

“Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began,” Microsoft warned. “Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware.”

Categories: Technology, Virus Info

TWiT 721: Google+ is Still Up

This week in tech - Sun, 06/02/2019 - 18:01
  • Google Down! Is it 768K Day?
  • Huawei Stops Making Phones
  • WWDC Preview: Is iTunes Doomed?
  • WWDC Preview: Is the Mac Pro Doomed?
  • WWDC 2019 Preview: Is Intel Doomed?
  • WWDC Preview: Is Non-mobile Computing Doomed?
  • WWDC Preview: Will Apple Free the Watch?
  • WWDC Preview: Is your Eyesight Doomed?
  • WWDC Preview: iPhone Privacy Ruined by 3rd Party Apps
  • The Final iPod Touch Just Launched
  • Apple's Monopoly Propaganda Push
  • Foxconn: Tariffs in China and Mexico, Nothing Going in Wisconsin
  • Alexa, Delete What I Said Today
  • DOJ "Investigating" Google
  • Will Amazon Buy Boost Mobile? Will Microsoft?
  • BlueKeep Still Threatening 1M Windows Computers
  • Microsoft's Modern OS Manifesto
  • The US Requires All Immigrants to Provide Social Media Details
  • The UK Wants in on Your Encrypted Chats
  • Australian Cops Spy on You in McDonald's
  • North Face Gets Busted Spamming Wikipedia
  • RIP BBM
  • T-Series Beats PewDiePie to 100 Million
  • Play Cuphead on your Tesla

Host: Leo Laporte

Guests: Iain Thomson, Lisa Schmeiser, and Wesley Faulkner

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

NY Investigates Exposure of 885 Million Mortgage Documents

Krebs on Security - Fri, 05/31/2019 - 07:58

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.

On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.

First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.

The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.

“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”

News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”

Categories: Technology, Virus Info

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

Krebs on Security - Thu, 05/30/2019 - 16:21

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.”

Barratt added that the CRTC also was counting on CASL to help tidy up the reputation of the Canadian Web hosting industry.

“We’ve been trying to make sure that service providers operating in Canada — whether or not they are Canadian — are not unduly contributing to the infection of machines and hosting malware,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”

The enforcement division of the CRTC recently took action against two companies — Datablocks Inc. and Sunlight Media Network Inc — for having violated CASL section 9 by disseminating online ads that caused malicious computer programs to be downloaded onto the computers of unsuspecting victims.

Under CASL, and for the purposes of verifying compliance or determining whether any of sections 6 to 9 were violated, the CRTC may compel individuals and organizations to provide any information in their possession or control, and ask a justice of the peace to issue a warrant authorizing entry into a place of residence.

It’s good to see a civil anti-spam law being used to go after people involved in selling malware couched as legitimate software, as seems to be the case with the Orcus RAT investigation. A relatively competent remote access trojan author can earn a tidy income selling their wares, but CASL may give Canadians interested in this line of a work a reason to reconsider if the end result is a million dollar fine.

More to the point, Canada (anecdotally at least) seems to have far more than its fair share of computer criminals, and yet unfortunately far less appetite than many other western countries for prosecuting those individuals criminally. In this regard, CASL offers a welcome alternative.

“One of the key takeaways of CASL was that it wasn’t just about emails that were annoying people, but also the use of email as a vector to mislead or defraud people and cause harm to computers and computer networks,” Barratt said. “Our parliamentarians decided to ensure the legislature covered a broad ambit. The search warrant executed in this case was a great example of criminal and civil law enforcement working together by using our unique tools and powers under the act to achieve the greatest good we could.”

Categories: Technology, Virus Info

Why Managed Services?

Technibble - Thu, 05/30/2019 - 06:00

In this video I share the benefits of Managed Services over Break/Fix for a Computer Business. Transcription: Bryce Whitty here from Technibble.com. The other day I had a viewer ask why I am always talking about managed services. It’s a great question and a good idea to go back to basics about why we do […]

Source: Why Managed Services? - Technibble.com

Categories: Technology

Should Failing Phish Tests Be a Fireable Offense?

Krebs on Security - Wed, 05/29/2019 - 11:39

Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach).

John LaCour is founder and chief technology officer of PhishLabs, a Charleston, S.C. based firm that helps companies educate and test employees on how not to fall for phishing scams. The company’s training courses offer customers a way to track how many employees open the phishing email tests and how many fall for the lure.

LaCour says enacting punitive measures for employees who repeatedly fall for phishing tests is counterproductive.

“We’ve heard from some of our clients in the financial industry that have similar programs where there are real consequences when people fail the tests, but it’s pretty rare across all types of businesses to have a policy that extreme,” LaCour said.

“There are a lot of things that organizations can do that aren’t as draconian and still have the desired effect of making security posture stronger,” he said. “We’ve seen companies require classroom training on the first failure, to a manager has to sit through it with you on the second time, to revoking network access in some cases.”

LaCour said one of the most common mistakes he sees is companies that purchase a tool to launch simulated phishing campaigns just to play “gotcha” with employees.

“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” he said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”

Rohyt Belani, CEO of Leesburg, Va.-based security firm Cofense (formerly PhishMe), said anti-phishing education campaigns that employ strongly negative consequences for employees who repeatedly fall for phishing tests usually create tension and distrust between employees and the company’s security team.

“It can create an environment of animosity for the security team because they suddenly become viewed as working for Human Resources instead of trying to improve security,” Belani said. “Threatening people usually backfires, and they end up becoming more defiant and uncooperative.”

Cofense provides a phish reporting system and encourages customers to have their employees flag suspected phishing attacks (and tests), and Belani said those employee reports can often stymie real phishing attacks.

“So what happens a lot of times is a person may click on link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani said. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?'”

LaCour says PhishLabs encourages clients to use positive reinforcement in their employee training campaigns.

“Recognition — where employees and departments that do especially well are acknowledged — is very common,” LaCour said. “We also see things like small gifts or other things that companies would typically use to reward employees, such as gift cards or small bonuses for specific departments or people.”

LaCour said his offices make a game out of it.

“We make it competitive where we post the scores of each department and the lowest scoring department has to buy lunch for the rest of the department,” he said. “It teaches people there are real consequences and that we all need to be diligent when it comes to phishing.”

What about you, dear readers? Does your employer do phishing awareness training and testing? What incentives or disincentives are tied to those programs? Sound off in the comments below.

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 811

The Linux Link Tech Show - Wed, 05/29/2019 - 08:30
pinebook, linux, smoking oysters, 3d printing
Categories: Podcasts, Technology

High-Converting Video to Market Your Managed Services

Technibble - Wed, 05/29/2019 - 06:00

There is no doubt that video is a major engagement tool on social media. Managed Service Providers need to be taking advantage of this, but it takes a ton of time and effort to create video. Because of this, we added professionally-made, MSP-specific educational videos for our White-Label Newsletter customers to use. The videos super […]

Source: High-Converting Video to Market Your Managed Services - Technibble.com

Categories: Technology

SN 716: RDP - Really Do Patch

Security Now - Tue, 05/28/2019 - 19:54

• The Internet is Doomed: BlueKeep Attacks Windows Remote Desktop Protocol
• Google Stores Unhashed G Suite Passwords
• Sandbox Escaper Drops FIVE New Zero-Day Exploits
• Microsoft's Just-released Win10 Feature Update 1903
• Security Enhancements in Firefox's Release 67

We invite you to read our show notes at https://www.grc.com/sn/SN-716-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Categories: Podcasts, Technology

TWiT 720: Everybody Loves Furry Pikachu

This week in tech - Sun, 05/26/2019 - 20:52
  • Baltimore City Government held for Ransom by Hackers Using NSA tools
  • Own a House? Hackers Probably have your Social Security Number.
  • PlayDate: The Gaming Handheld with a Crank
  • Is Huawei Spying on Us?
  • Intel Breaks the 5.0GHz Barrier
  • Chinese Owner of Grindr Leaked User Data to Employees
  • US Air Force Being Cyber Attacked by US Navy
  • AMD Brings Ray Tracing to Computex
  • GDPR: One Year Later
  • Assange Charged under the Espionage Act
  • AI Deepfake Brings Mona Lisa to Life
  • Sonic The Hedgehog Movie Delayed Due to Disturbing GGI
  • SpaceX Launches Starlink Internet Satellites
  • The United States vs Lootboxes

Host: Leo Laporte

Guests: Patrick Norton and Brianna Wu

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

Krebs on Security - Fri, 05/24/2019 - 14:47

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

First American Financial Corp. Image: Linkedin.

Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018.

Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.

And this would potentially include anyone who’s ever been sent a document link via email by First American.

KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.

Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers. Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said that’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.

“Closing agencies are supposed to be the only neutral party that doesn’t represent someone else’s interest, and you’re required to have title insurance if you have any kind of mortgage,” Shoval said.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.”

Shoval shared a document link he’d been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time, indicating the document numbers may have been issued sequentially.

The earliest document number available on the site – 000000075 — referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings. By 2 p.m. ET Friday, the company had disabled the site that served the records. It’s not yet clear how long the site remained in its promiscuous state, but archive.org shows documents available from the site dating back to at least March 2017.

First American wouldn’t comment on the overall number of records potentially exposed via their site, or how long those records were publicly available. But a spokesperson for the company did share the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

I should emphasize that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).

Nevertheless, the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers.

As noted in past stories here, these types of data exposures are some of the most common yet preventable. In December 2018, the parent company of Kay Jewelers and Jared Jewelers fixed a weakness in their site that exposed the order information for all of their online customers.

In August 2018, financial industry giant Fiserv Inc. fixed a bug reported by KrebsOnSecurity that exposed personal and financial details of countless customers across hundreds of bank Web sites.

In July 2018, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Categories: Technology, Virus Info

Legal Threats Make Powerful Phishing Lures

Krebs on Security - Wed, 05/22/2019 - 13:26

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.} <legal@wpslaw.com>

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — wpslaw.com — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and more formally address the recipient doing quite well: Legitimate-looking legal threats have a way of making some people act before they think.

Don’t be like those people. Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and reach out to them over the phone if need be. And resist the urge to respond to these spammers; doing so may only serve to encourage further “mailious” correspondence.

KrebsOnSecurity would like to thank Hold Security for a heads up on this phishing kit.

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 810

The Linux Link Tech Show - Wed, 05/22/2019 - 08:30
soulcker mp3 player, pinebook, comcast, tablets
Categories: Podcasts, Technology

SN 715: CPU.fail

Security Now - Tue, 05/21/2019 - 20:10

This Week's Stories
• The next round of Intel processor information leakage problems: Microarchitectural Data Sampling vulnerabilities
• Last Tuesday's patches from Microsoft, Abode and Apple includes one for Windows XP
• Security problem for Cisco that ever has stock analysts taking notice
• Ongoing troubles with the cryptocurrency market
• Trouble with Google's Titan Bluetooth dongle
• Another monthly problem with Windows 10 updates

We invite you to read our show notes at https://www.grc.com/sn/SN-715-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Categories: Podcasts, Technology

TWiT 719: I Am Gozor, the Lunchmaster!

This week in tech - Sun, 05/19/2019 - 18:28

This Week's Stories

  • The US vs Huawei
  • San Francisco Bans Facial Recognition
  • Chinese Owners Must Sell Grindr
  • FCC: Carriers Should Block Robocalls
  • Do You Know if Your iPhone has Been Hacked?
  • Big Tech's Problems Are Sociological, Not Psychological - Just Like Game of Thrones
  • Silicon Valley Millionaires: Silicon Valley is Bad
  • Get Off My Lawn! Is Tech Still Great?
  • Fake Joe Rogan
  • Is Medium Killing Blogs?
  • Hit By Ransomware? Just Pay the Ransom
  • ZombieLoad Fix Could Slow down Computers 40%
  • Hacking School Lunch
  • Google Knows What You Buy
  • RIP Grumpy Cat

Host: Leo Laporte

Guests: Georgia Dow, Michael Fisher, and Brian McCullough

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

Account Hijacking Forum OGusers Hacked

Krebs on Security - Sat, 05/18/2019 - 07:44

Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months’ worth of private messages, forum posts and prestige points, and that he’d restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum’s user database, and the wiping of forum hard drives.

On May 16, the administrator of rival hacking community RaidForums announced he’d uploaded the OGusers database for anyone to download for free.

The administrator of the hacking community Raidforums on May 16 posted the database of passwords, email addresses, IP addresses and private messages of more than 113,000 users of Ogusers[.]com.

“On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected,” the message from RaidForums administrator Omnipotent reads. “I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).

The publication of the OGuser database has caused much consternation and drama for many in the community, which has become infamous for attracting people involved in hijacking phone numbers as a method of taking over the victim’s social media, email and financial accounts, and then reselling that access for hundreds or thousands of dollars to others on the forum.

Several threads on OGusers quickly were filled with responses from anxious users concerned about being exposed by the breach. Some complained they were already receiving phishing emails targeting their OGusers accounts and email addresses. 

Meanwhile, the official Discord chat channel for OGusers has been flooded with complaints and expressions of disbelief at the hack. Members vented their anger at the main forum administrator, who uses the nickname “Ace,” claiming he altered the forum functionality after the hack to prevent users from removing their accounts. One user on the Discord chat summed it up:

“Ace be like:

-not replace broken hard drives, causing the site to time warp back four months
– not secure website, causing user info to be leaked
– disable selfban so people can’t leave”

It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.

Categories: Technology, Virus Info

Pages

Subscribe to Some Place in Ohio aggregator - Technology