Technology

TWiT 702: Millsplain It to Me

This week in tech - Sun, 01/20/2019 - 16:08
  • Apple's Tim Cook Calls for Data Privacy.
  • 773M Passwords Pwned - How to Find Out If Yours Was.
  • Amazon Tries to Make Alexa Sound "Newsy."
  • Google Buys Fossil.
  • 74% of Facebook Users are Clueless.
  • Facebook's 10 Year Challenge.
  • Atari Founder Making Alexa Board Games.
  • Stop Using Windows Phone!
  • Tokyo Hotel Fires Half its Robots.

Host: Leo Laporte

Guests: Sebastian Peak, Mikah Sargent, and Wesley Faulkner

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

773M Password ‘Megabreach’ is Years Old

Krebs on Security - Thu, 01/17/2019 - 13:11

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:

The 87GB “Collection1” archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific ne’er-do-well in the underground.

As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggested that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.

Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.

Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

“It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).

For most of us, by far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

Your email account may be worth far more than you imagine.

And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes for more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Finally, if you haven’t done so lately, mosey on over to twofactorauth.org and see if you are taking full advantage of multi-factor authentication at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device or security key.

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 792

The Linux Link Tech Show - Wed, 01/16/2019 - 07:30
chromebooks why, ces gaming laptops, games
Categories: Podcasts, Technology

SN 697: Zerodium

Security Now - Tue, 01/15/2019 - 19:06
  • The implications of the recent increase in bounty for the purchase of 0-day vulnerabilities.
  • The intended and unintended consequences of last week's Windows Patch Tuesday.
  • Speaking of unintended consequences, the US Government shutdown has had some, too!
  • A significant privacy failure in WhatsApp.
  • Another Ransomware decryptor (with a twist).
  • Movement on the DNS-over-TLS front.
  • An expectation of the cyberthreat landscape for 2019.
  • A cloudy forecast for The Weather Channel App.
  • A successful 51% attack against the Ethereum Classic cryptocurrency.
  • Another court reversing compelled biometric authentication.
  • An update on the lingering death of Flash... now in hospice care.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Categories: Podcasts, Technology

“Stole $24 Million But Still Can’t Keep a Friend”

Krebs on Security - Tue, 01/15/2019 - 17:52

Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paints a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man — all the while lamenting that his fabulous new wealth brought him nothing but misery.

The unflattering profile was laid out in a series of documents tied to a lawsuit lodged by Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018. Terpin also is pursuing a $200 million civil lawsuit against AT&T in connection with the theft.

Authorities arrested Truglia on November 14, 2018 on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a different Silicon Valley executive. But Terpin’s civil lawsuit (PDF) maintains that evidence was revealed at Truglia’s bail hearing that he had texted his father and multiple friends to brag about the $24 million hack on the day of Terpin’s theft, allegedly offering to take friends to the Super Bowl with “porn star escorts.”

Terpin’s lawsuit includes a large number of supporting documents, including an affidavit filed by Chris David, a 25-year-old New York City resident who claims to have been an acquaintance of Truglia’s until he began to unravel the source of his new friend’s overnight riches.

In his affidavit (PDF), David describes himself as a self-employed private jet broker who met Truglia in a fitness center attached to Truglia’s luxury apartment building. Truglia allegedly struck up a conversation about booking private jets with his cryptocurrency. When the two met again a few days later, David says Truglia showed him accounts on his mobile phone and computer indicating he had over $7 million in cash in a JP Morgan account and more than $12 million in various cryptocurrencies.

“At the same time, Nick showed me two thumb drives (Trezors),” David recounted. “One had over $40 million in cash value of various cryptos, and the other one had over $20 million cash value of various cryptos.”

David said Truglia initially explained his wealth by saying he’d made the money by mining cryptocurrencies, but that Truglia later would admit he stole the funds.

“Over the next few months, Nick and I socialized at nightclubs, local bars, the gym, and in his apartment playing video games,” David recounted. “Gradually, I got to know Nick. He does not have a job or visible means of support. His typical day is to get up late, go to the gym, eat at the deli across the street, play video games late into the night and he had no friends. Nick was an egotistical braggart about his life and wealth. For example, once at a crowded lounge, he said: ‘Chris, I have more money than all of the people here tonight.'”

David started documenting Truglia’s activities after he and several of his friends were arrested for allegedly stealing Truglia’s laptop, mobile phone and Trezor drive. That incident, recounted in this New York Post story  and in David’s own testimony, indicates that Truglia later recanted the accusation and chalked it up to confusion resulting from a heavy night of drinking.

According to David, when Truglia wasn’t bragging about his wealth he was displaying it openly: He lived in a $6,000 per month apartment, wore a Rolex watch which he claimed cost $100,000, and boasted he was going to purchase a $250,000 McLaren sports car. David also said he recorded conversations with Truglia in which the latter admitted to stealing $24 million from Terpin.

David said he even witnessed Truglia attempting a SIM swap at a Times Square AT&T store in August 2018. Here’s David’s account of that hijack effort, which allegedly failed when Truglia declined to pay the target’s overdue phone bill:

The affidavit states that later in the month David took screen shots of a now-defunct Twitter account that Truglia allegedly used (@erupts), which included six different messages about what the theft of $24 million had wrought.

Tweets from the account @erupts, allegedly penned by Nicholas Truglia.

“Stole 24 million but still can’t keep a friend,” reads another tweet allegedly tied to Truglia’s account:

David says Truglia even acknowledged stealing $15,000 after hacking into his own father’s accounts. According to David, Truglia’s dad asked to be repaid, and that his son agreed to return the money — but in bitcoin. In the image below — which David claims was a screenshot he took of a mobile phone chat conversation between Truglia and his father — the elder expresses mystification and frustration about how to complete the transaction.

A screen shot David says he took of an alleged chat conversation between Truglia and his father regarding repayment of $15,000.

In the affidavit, David also testifies that he saw Truglia in possession of a fake New York State driver’s license which had the name and identifying information of a deceased man named Quentin Capobianco, but with Truglia’s photo on the license.

A copy of this phony drivers’ license was documented by investigators with the Regional Enforcement Allied Computer Team, or REACT — a task force in Santa Clara, Calif. that is almost singularly focused on tracking down criminals who use unauthorized SIM swaps to steal virtual currencies (for a deep dive into the workings of the REACT Task Force, see my November 2018 story, Busting SIM Swappers and SIM Swap Myths).

David said he took this photograph of a license Truglia had in his possession; the license includes Truglia’s photograph but the information of a dead man that Truglia allegedly SIM swapped.

That REACT Task Force investigation report (PDF) was included in Terpin’s lawsuit, and it lays out how detectives tied Truglia to SIM swaps that allegedly gave him access to Capobianco’s accounts at Coinbase, a virtual currency trading and purchasing platform.

David testified that despite Truglia’s ill-gotten riches, he was constantly borrowing small amounts of cash and was otherwise tight with his money. Much like David’s testimony, a related memo (PDF) filed by REACT Detective Caleb Tuttle suggests that Truglia was in the process of being evicted from his pricey Manhattan apartment because he refused to pay his rent.

A snippet from a memo filed about Truglia by REACT Task Force Detective Caleb Tuttle.

Truglia is currently being held by Santa Clara authorities on a $1.4 million bond. His next court date is April 10. Neither Truglia nor his attorney could be immediately reached for comment. Members of the REACT Task Force declined to comment for this story.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication. However, many online services let customers reset their password merely by using their mobile phones.

All four major wireless carriers — AT&T, SprintT-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

For more on ways to minimize your chances of becoming the next SIM swapping victim, check out the “What Can You Do?” section at the conclusion of this story.

Categories: Technology, Virus Info

Courts Hand Down Hard Jail Time for DDoS

Krebs on Security - Mon, 01/14/2019 - 12:37

Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against a number of hospitals in 2014. Also last week, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016.

Daniel Kaye. Photo: National Crime Agency

Daniel Kaye, an Israel-U.K. dual citizen, admitted attacking an African phone company in 2016, and to inadvertently knocking out Internet access for much of the country in the process. Kaye launched the attack using a botnet powered by Mirai, a malware strain that enslaves hacked Internet of Things (IoT) devices like poorly-secured Internet routers and Web-based cameras for use in large-scale cyberattacks.

According to court testimony, Kaye was hired in 2015 to attack Lonestar, Liberia’s top mobile phone and Internet provider. Kaye pocketed $10,000 for the attack, which was alleged to have been paid for by an individual working for Cellcom, Lonestar’s competitor in the region. As reported by Israeli news outlet Haaretz, Kaye testified that the attack was ordered by the CEO of Cellcom Liberia.

In February 2017, authorities in the United Kingdom arrested Kaye an extradited him to Germany to face charges of knocking more than 900,000 Germans offline in a Mirai attack in November 2016. Prosecutors withheld Kaye’s full name throughout the trial in Germany, but in July 2017 KrebsOnSecurity published findings that named Kaye as the likely culprit. Kaye ultimately received a suspended sentence for the attack in Germany, and was sent back to the U.K. to face charges there.

The July 2017 KrebsOnSecurity investigation also linked Kaye to the development and sale of a sophisticated piece of spyware named GovRAT, which is documented to have been used in numerous cyber espionage campaigns against governments, financial institutions, defense contractors and more than 100 corporations.

The U.K.’s National Crime Agency called Kaye perhaps the most significant cyber criminal yet caught in Britain. A report on the trial from the BBC says Kaye wept as he was taken away to jail.

Here across the pond, 34-year-old Martin Gottesfeld was sentenced to 10 years in prison and ordered to pay $443,000 in restitution for damages caused by a series of DDoS attacks he launched against several Boston-area hospitals in 2014. Like Kaye, Gottesfeld was identified thanks to clue he left behind on the Internet: Prosecutors reportedly linked him to a video he uploaded to Youtube about the attack campaign.

The Boston Globe reports that Gottesfeld and his wife in 2016 tried to flee to Cuba in a rented boat, but the trip didn’t go as planned. It seems the high seas had their own denial-of-service in store for the Gottesfelds: They were rescued from the Gulf of Mexico by a Disney ship that answered Martin’s SOS distress call and brought them back to the United States.

Ten years may seem like a stiff sentence for DDoS and fleeing from justice, but as the recipient of hundreds of DDoS attacks over the years I can’t say it bothers me one bit — especially considering how few of the anonymous cowards responsible for DDoS attacks are ever held accountable.

Cue the usual comments here about how these guys deserved jobs and not jail, but I for one am glad the courts are starting to recognize that these are real and costly crimes that deserve equally real consequences. Remember: Don’t do the crime if you can’t do the time.

Categories: Technology, Virus Info

TWiT 701: Safe Bladder Space

This week in tech - Sun, 01/13/2019 - 19:15

All of our favourite products and trends at CES 2019!

  • Impossible Burger
  • Health and wearables
  • Amazon vs Google
  • Smart products and "Smart" products
  • Laptops
  • 5G
  • Wireless power
  • Toilet tech and ultrasonic bladder monitoring

Host: Leo Laporte

Guests: Fr. Robert Ballecer, SJ, Cherlynn Low, and Stacey Higginbotham

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

Secret Service: Theft Rings Turn to Fuze Cards

Krebs on Security - Thu, 01/10/2019 - 09:27

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.

A Fuze card can store up to 30 credit/debit cards. Image: Fuzecard.com

Launched in May 2017, the Fuze Card is a data storage device that looks like a regular credit card but can hold account data for up to 30 credit cards. The Fuze Card displays no credit card number on either side, instead relying on a small display screen on the front that cardholders can use to change which stored card is to be used to complete a transaction.

After the user chooses the card data to be used, the card data is made available in the dynamic magnetic stripe on the back of the card or via the embedded smart chip. Fuze cards also can be used at ATMs to withdraw funds.

An internal memo the U.S. Secret Service shared with financial industry partners states that Secret Service field offices in New York and St. Louis are currently working criminal investigations where Fuze Cards have been used by fraud rings.

The memo, a copy of which was obtained by KrebsOnSecurity, states that card theft rings are using Fuze Cards to avoid raising suspicions that may arise when shuffling through multiple counterfeit cards at the register.

“The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used,” the memo notes.

Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers. The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdrawn funds from ATMs (if the fraudsters also have the cardholder’s PIN).

But getting caught holding dozens of counterfeit or stolen cards is tough to explain to authorities. Hence, the allure of the Fuze Card, which may appear to the casual observer to be just another credit card in one’s wallet.

“While this smart card technology makes up a small portion of fraudulent credit cards currently, investigators should be aware of the potential for significant increases in fraud loss amounts with the emergence of this smart card technology,” the Secret Service memo concludes.

Fuze Card did not respond to requests for comment.

In many ways, it is unsurprising that thieves are turning to this new technology to perpetrate credit card fraud, which is something of a constant cat-and-mouse game that employs ever-changing techniques. For evidence of this, one need only look to the constant innovations that fraudsters come up with to deploy physical card skimmers at ATMs and retail checkout lanes.

No doubt, fraudsters engaged in money laundering via virtual currencies like bitcoin will be doubly interested in Fuze Cards in the coming months. Fuze Card says that later this year it plans to launch FuzeX, which contains the same amenities of the Fuze Card and will allow users to conduct purchases using virtual currencies.

Categories: Technology, Virus Info

Patch Tuesday, January 2019 Edition

Krebs on Security - Wed, 01/09/2019 - 07:46

Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few spicy bits to keep in mind. Read on for the gory details.

The updates released Tuesday affect Windows, Internet Explorer and Edge, Office, Sharepoint, .NET Framework and Exchange. Patches are available for all client and server versions of Windows, but none of the “critical” flaws — those that can lead to a remote system compromise without any help from users — apply to Windows 7 or Windows 8.1, according to Martin Brinkmann at Ghacks.net.

Mercifully, none of the vulnerabilities fixed in Tuesday’s bundle are being actively exploited, although one (CVE-2019-0579) was publicly disclosed prior to the patch release, meaning attackers may have had a head start figuring out how to exploit it. This bug is one of 11 that Microsoft fixed in its Jet Database Engine.

Among the more eyebrow-raising flaws fixed this week is CVE-2019-0547, a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). According to security vendor Tenable, this is the most severe bug of the entire patch batch.

“In order to exploit the vulnerability, an attacker would need to be able to send a specially crafted DHCP response to its target, allowing them to run arbitrary code on the client machine,” said Satnam Narang, senior research engineer at Tenable.

Tuesday’s update bundle also includes a fix that Microsoft released late last month as an emergency patch to plug a zero-day flaw in Internet Explorer (CVE-2018-8653) that attackers are already exploiting. Experts at Recorded Future say that vulnerability continues to be exploited in the wild, with several exploit kits now including the publicly released proof-of-concept code into their platforms.

“If you have not patched this vulnerability yet, it should be the number one priority,” writes Allan Liska, senior solutions architect at Recorded Future.

It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.

Case in point: Computerworld’s Woody Leonhard notes that multiple organizations are reporting problems with their file-sharing operations after installing this month’s patch rollup.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.

Adobe released an update for its Flash Player plugin, but alas there don’t appear to be any security fixes in it. However, the company last Thursday did release new versions of its Adobe Acrobat and Reader that correct at least two critical vulnerabilities in each.

If you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 791

The Linux Link Tech Show - Wed, 01/09/2019 - 07:30
joes server, digital comic books, solr indexing, rabbitmq, single board
Categories: Podcasts, Technology

SN 696: Here Comes 2019!

Security Now - Tue, 01/08/2019 - 20:05
  • The NSA announces the forthcoming release of an internal powerful reverse-engineering tool for examining and understanding other people's code.
  • Emergency out-of-cycle patches from both Adobe and Microsoft.
  • PewDiePie hacker strikes again.
  • Prolific 0-day dropper SandboxEscaper ruffles some feathers.
  • A new effort by the US government to educate industry about the risks of Cyber attacks.
  • Welcome news on the ransomware front.
  • VERY welcome news of a new Windows 10 feature.
  • A note about a just-published side-channel attack on OS page caches.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Categories: Podcasts, Technology

Dirt-Cheap, Legit, Windows Software: Pick Two

Krebs on Security - Tue, 01/08/2019 - 08:00

Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction, mainly because you may not have full control over who has access to your data.

Last week, KrebsOnSecurity heard from a reader who’d just purchased a copy of Microsoft Office 2016 Professional Plus from a seller on eBay for less than $4. Let’s call this Red Flag #1, as a legitimately purchased license of Microsoft Office 2016 is still going to cost between $70 and $100. Nevertheless, almost 350 other people had made the same purchase from this seller over the past year, according to eBay, and there appear to be many auctioneers just like this one.

After purchasing the item, the buyer said he received the following explanatory (exclamatory?) email from the seller — “Newhotsale68” from Vietnam:

Hello my friend!
Thank you for your purchase:)

Very important! Office365 is a subscription product and does not require any KEY activation. Account + password = free lifetime use

1. Log in with the original password and the official website will ask you to change your password!

2. Be sure to remember the modified new password. Once you forget your password, you will lose Office365!

3. After you change your password, log on to the official website to start downloading and installing Office365!

Your account information:

* USERMANE : (sent username)
Password Initial: (sent password)
Microsoft Office 365 access link:

Http://portal.office.com/

Sounds legit, right?

This merchant appears to be reselling access to existing Microsoft Office accounts, because in order to use this purchase the buyer must log in to Microsoft’s site using someone else’s username and password! Let’s call this Red Flag #2.

More importantly, the buyer can’t change the email address associated with the license, which means whoever owns that address can likely still assume control over any licenses tied to it. We’ll call this Ginormous Red Flag #3.

“The username that you use to register and activate Office is one that they provide to you in their email when you buy the license on eBay,” wrote the reader who alerted me about this dodgy transaction. “You never use your own email account to register, you have to log in with theirs. Once you’re inside the account you can’t change the username to your email account because the admin locked it down.”

Here’s what the profile looked like when the reader tried to change details tied to the license.

This version of Office prompts the user to sync all data and documents over to a 5TB Microsoft OneDrive account. What could go wrong?

“You can sign out of their Microsoft account to break the connection to the OneDrive account,” the reader said. “By default it had me signed in and I bet most people installing this just click next and stay signed in.”

That’s not all: The account was set up so that the administrator (seller) maintained control over specific apps on the Office installation, including OneNote and Class Notebook.

“I guess maybe the end result of all of this are the old adages, ‘you get what you pay for’ and, ‘if it sounds too good to be true than it probably is,'” the reader said at the conclusion of his email.

Couldn’t have said it better myself.

Categories: Technology, Virus Info

TWiT 700: A Carwash for Your Face

This week in tech - Sun, 01/06/2019 - 18:59
  • Apple tanks on Tim Cook's earnings warning - is the golden age of iPhone over?
  • Are Facebook and Google too big to Fail? No. Here's why.
  • China and the US duel over security, AI, and quantum computing.
  • Qualcomm vs Apple legal battles heat up.
  • Fortnite and Pokemon Go rake in the dough in 2018.
  • Amazon wins big over the holiday season.
  • Microsoft wants to give you control over your digital data.
  • For the 1st time in 20 years, an entire year's worth of books, movies, and art enter's the public domain.
  • The 10-second toothbrush, the Kurigization of Things (KoT) and more reasons why you shouldn't go to CES 2019.

Host: Leo Laporte

Guests: Iain Thomson, Mike Elgan, and Alex Wilhelm

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

Apple Phone Phishing Scams Getting Better

Krebs on Security - Thu, 01/03/2019 - 12:21

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.

Jody Westby is the CEO of Global Cyber Risk LLC,  a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didn’t answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.

Here’s what her iPhone displayed about the identity of the caller when they first tried her number at 4:34 p.m. on Jan. 2, 2019:

What Westby’s iPhone displayed as the scam caller’s identity. Note that it lists the correct Apple phone number, street address and Web address (minus the https://).

Note in the above screen shot that it lists Apple’s actual street address, their real customer support number, and the real Apple.com domain (albeit without the “s” at the end of “http://”). The same caller ID information showed up when she answered the scammers’ call this morning.

Westby said she immediately went to the Apple.com support page (https://www.support.apple.com) and requested to have a customer support person call her back. The page displayed a “case ID” to track her inquiry, and just a few minutes later someone from the real Apple Inc. called her and referenced that case ID number at the start of the call.

Westby said the Apple agent told her that Apple had not contacted her, that the call was almost certainly a scam, and that Apple would never do that — all of which she already knew. But when Westby looked at her iPhone’s recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple:

The fake call spoofing Apple — at 11:44 a.m. — was lumped in the same recent calls list as the legitimate call from Apple. The call at 11:47 was the legitimate call from Apple. The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.

The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.

“I told the Apple representative that they ought to be telling people about this, and he said that was a good point,” Westby said. “This was so convincing I’d think a lot of other people will be falling for it.”

KrebsOnSecurity called the number that the scam message asked Westby to contact (866-277-7794). An automated system answered and said I’d reached Apple Support, and that my expected wait time was about one minute and thirty seconds. About a minute later, a man with an Indian accent answered and inquired as to the reason for my call.

Playing the part of someone who had received the scam call, I told him I’d been alerted about a breach at Apple and that I needed to call this number. After asking me to hold for a brief moment, our call was disconnected.

No doubt this is just another scheme to separate the unwary from their personal and financial details, and to extract some kind of payment (for supposed tech support services or some such). But it is remarkable that Apple’s own devices (or AT&T, which sold her the phone) can’t tell the difference between a call from Apple and someone trying to spoof Apple.

As I noted in my October 2018 piece, Voice Phishing Scams are Getting More Clever, phone phishing usually invokes an element of urgency in a bid to get people to let their guard down. If a call has you worried that there might be something wrong and you wish to call them back, don’t call the number offered to you by the caller. If you want to reach your bank, for example, call the number on the back of your card. If it’s another company you do business with, go to the company’s Web site and look up their main customer support number.

Relying on anything other than a number obtained directly from the company in question — such as a number obtained from a direct search on Google or another search engine — is also extremely risky. In many cases, the scammers are polluting top search engine results with phony 800-numbers for customer support lines that lead directly to fraudsters.

These days, scam calls happen on my mobile so often that I almost never answer my phone unless it appears to come from someone in my contacts list. But as this scam shows, even that’s not always a great strategy.

It’s a good idea to advise your friends and loved ones to ignore calls unless they appear to come from a friend or family member, and most importantly to just hang up the moment the caller starts asking for personal information.

Apple has not yet responded to requests for comment.

Categories: Technology, Virus Info

Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack

Krebs on Security - Wed, 01/02/2019 - 11:32

Cloud hosting provider Dataresolution.net is struggling to bring its systems back online after suffering a ransomware infestation on Christmas Eve, KrebsOnSecurity has learned. The company says its systems were hit by the Ryuk ransomware, the same malware strain that crippled printing and delivery operations for multiple major U.S. newspapers over the weekend.

San Juan Capistrano, Calif. based Data Resolution LLC serves some 30,000 businesses worldwide, offering software hosting, business continuity systems, cloud computing and data center services.

The company has not yet responded to requests for comment. But according to a status update shared by Data Resolution with affected customers on Dec. 29, 2018, the attackers broke in through a compromised login account on Christmas Eve and quickly began infecting servers with the Ryuk ransomware strain.

Part of an update on the outage shared with Data Resolution customers via Dropbox on Dec. 29, 2018.

The intrusion gave the attackers control of Data Resolution’s data center domain, briefly locking the company out of its own systems. The update sent to customers states that Data Resolution shut down its network to halt the spread of the infection and to work through the process of cleaning and restoring infected systems.

Data Resolution is assuring customers that there is no indication any data was stolen, and that the purpose of the attack was to extract payment from the company in exchange for a digital key that could be used to quickly unlock access to servers seized by the ransomware.

A snippet of an update that Data Resolution shared with affected customers on Dec. 31, 2018.

The Ryuk ransomware strain was first detailed in an August 2018 report by security firm CheckPoint, which says the malware may be tied to a sophisticated North Korean hacking team known as the Lazarus Group.

Ryuk reportedly was the same malware that infected the Los Angeles Times‘ Olympic printing plant over the weekend, an attack that led to the disruption of newspaper printing and delivery services for a number of publications that rely on the plant — including the Los Angeles Times and the San Diego Union Tribune.

A status update shared by Data Resolution with affected customers earlier today indicates the cloud hosting provider is still working to restore email access and multiple databases for clients. The update also said Data Resolution is in the process of restoring service for companies relying on it to host installations of Dynamics GP, a popular software package that many organizations use for accounting and payroll services. 

A status update shared by Data Resolution with affected customers on Jan. 2, 2018 shows the company is still struggling to restore services more than a week after the attack began.

Cloud hosting providers are often pitched as a way for companies to increase security and to better protect themselves from threats like ransomware, which scrambles data on infected systems and demands payment in exchange for a digital key needed to unlock affected systems.

At the same time, cloud providers represent an especially attractive target for ransomware attacks because they store vast amounts of data for other companies. In 2017, cloud hosting provider Cloudnine was hit by a ransomware attack, leading to an outage that lasted for several days.

Much depends on security practices maintained by each provider, according to an MIT Technology Review story last year that named cloud ransomware attacks as a top security concern for 2018

“The biggest cloud operators, like Google, Amazon, and IBM, have hired some of the brightest minds in digital security, so they won’t be easy to crack,” wrote Martin Giles. “But smaller companies are likely to be more vulnerable, and even a modest breach could lead to a big payday for the hackers involved.”

A source at a company that uses Data Resolution to manage payroll payments told KrebsOnSecurity that the cloud hosting provider said it did not attempt to pay the requested ransom, preferring to restore systems from backups instead.

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 790

The Linux Link Tech Show - Wed, 01/02/2019 - 07:30
the new year, subscriptions services, cooking
Categories: Podcasts, Technology

TWiT 699: Our Year's Best

This week in tech - Sun, 12/30/2018 - 15:00

The Best of TWiT from 2018!

Host: Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

Happy 9th Birthday, KrebsOnSecurity!

Krebs on Security - Sat, 12/29/2018 - 08:51

Hard to believe we’ve gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity.com!

This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed their knowledge, wit and wisdom in more than 10,000 comments.

Speaking of generous contributions, more than 100 readers have expressed their support in 2018 via PayPal donations to this site. The majority of those funds go toward paying for subscription-based services that KrebsOnSecurity relies upon for routine data gathering and analysis. Thank you.

Your correspondence and tips have been invaluable, so by all means keep them coming. For the record, I’m reachable via a variety of means, including email, the contact form on this site, and of course Facebook, LinkedIn, and Twitter (direct messages are open to all). For more secure and discreet communications, please consider reaching out via Keybase, Wicker (krebswickr), or Signal (by request).

Many of you have requested a redesign to make this site more mobile-friendly. We’d targeted for that to happen in 2018, but multiple unforeseen circumstances conspired to delay that project this year. Rest assured, that long-overdue change will be coming soon in 2019. Thanks for your patience.

Below are some of the most-read and commented-on enterprise stories throughout 2018, a year marked by a relentless onslaught of data breaches, data leaks and increasingly sneaky scams. It seems unlikely that 2019 will be any different, and while I will endeavor to keep readers abreast of the latest threats and trends, I’m also interested to hear what you would like to see more of in the coming year. So please sound off in the comments below or drop me a note.

By the way, if you’d prefer to keep up with KrebsOnSecurity posts via email, please consider signing up for the newsletter (expect ~3-4 emails per week).

Thanks again for your readership, encouragement and support. Happy New Year!

A Chief Security Concern for Executive Teams

What the Marriott Breach Says About Security

Half of All Phishing Sites Now Have the Padlock

Voice Phishing Scams Are Getting More Clever

Hanging Up on Mobile in the Name of Security

Google: Security Keys Neutralized Employee Phishing

Plant Your Flag, Mark Your Territory

Panerabread.com Leaks Millions of Customer Records

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers

Don’t Give Away Historical Details About Yourself

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 789

The Linux Link Tech Show - Wed, 12/26/2018 - 07:30
christmas stuff, video games, server upgrade woes
Categories: Podcasts, Technology

SN 695: Our Best of 2018

Security Now - Tue, 12/25/2018 - 14:00

The Best of Security Now from 2018!

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsor:

Categories: Podcasts, Technology
Subscribe to Some Place in Ohio aggregator - Technology