Virus Info

Phishers Are Upping Their Game. So Should You.

Krebs on Security - Thu, 12/07/2017 - 17:35

Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

A brand new (and live) PayPal phishing page that uses SSL (https://) to appear more legitimate.

According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.

“A year ago, less than three percent of phish were hosted on websites using SSL certificates,” wrote Crane Hassold, the company’s threat intelligence manager. “Two years ago, this figure was less than one percent.”

A currently live Facebook phishing page that uses https.

As shown in the examples above (which KrebsOnSecurity found in just a few minutes of searching via phish site reporting service Phishtank.com), the most successful phishing sites tend to include not only their own SSL certificates but also a portion of the phished domain in the fake address.

Why are phishers more aggressively adopting HTTPS Web sites? Traditionally, many phishing pages are hosted on hacked, legitimate Web sites, in which case the attackers can leverage both the site’s good reputation and its SSL certificate.

Yet this, too, is changing, says Phishlabs’ Hassold.

“An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate,” he wrote. “Based on data from 2016, slightly less than half of all phishing sites were hosted on domains registered by a threat actor.”

Hassold posits that more phishers are moving to HTTPS because it helps increase the likelihood that users will trust that the site is legitimate. After all, your average Internet user has been taught for years to simply “look for the lock icon” in the browser address bar as assurance that a site is safe.

Perhaps this once was useful advice, but if so its reliability has waned over the years. In November, Phishlabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.

“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,” he wrote.

What the green lock icon indicates is that the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.

At a higher level, another reason phishers are more broadly adopting HTTPS is because more sites in general are using encryption: According to Let’s Encrypt, 65% of web pages loaded by Firefox in November used HTTPS, compared to 45% at the end of 2016.

Also, phishers no longer need to cough up a nominal fee each time they wish to obtain a new SSL certificate. Indeed, Let’s Encrypt now gives them away for free.

The major Web browser makers all work diligently to index and block known phishing sites, but you can’t count on the browser to save you:

So what can you do to make sure you’re not the next phishing victim?

Don’t take the bait: Most phishing attacks try to convince you that you need to act quickly to avoid some kind of loss, cost or pain, usually by clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment. The best approach is to bookmark the sites that store your sensitive information; that way, if you receive an urgent communication that you’re unsure about, you can visit the site in question manually and log in that way. In general, it’s a bad idea to click on links in email.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.

Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link.

The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged.

If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers.

Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a password-snarfing Trojan that steals all of the sensitive data on victim PCs.

So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

Categories: Technology, Virus Info

Anti-Skimmer Detector for Skimmer Scammers

Krebs on Security - Tue, 12/05/2017 - 13:37

Crooks who make and deploy ATM skimmers are constantly engaged in a cat-and-mouse game with financial institutions, which deploy a variety of technological measures designed to defeat skimming devices. The latest innovation aimed at tipping the scales in favor of skimmer thieves is a small, battery powered device that provides crooks a digital readout indicating whether an ATM likely includes digital anti-skimming technology.

A well-known skimmer thief is marketing a product called “Smart Shield Detector” that claims to be able to detect a variety of electronic methods used by banks to foil ATM skimmers.

The device, which sells for $200, is called a “Smart Shield Detector,” and promises to detect “all kinds of noise shields, hidden shields, delayed shields and others!”

It appears to be a relatively simple machine that gives a digital numeric indicator of whether an ATM uses any of a variety of anti-skimming methods. One of the most common is known as “frequency jamming,” which uses electronic signals to scramble both the clock (timing) and the card data itself in a bid to confuse skimming devices.

“You will see current level within seconds!,” the seller enthuses in an online ad for the product, a snippet of which is shown above. “Available for sale after November 1st, market price 200usd. Preorders available at price 150usd/device. 2+ devices for your team – will give discounts.”

According to the individual selling the Smart Shield Detector, a readout of 15 or higher indicates the presence of some type of electronic shield or jamming technology — warning the skimmer thief to consider leaving that ATM alone and to find a less protected machine. In contrast, a score between 3-5 is meant to indicate “no shield,” i.e., that the ATM is ripe for compromise.

KrebsOnSecurity shared this video with Charlie Harrow, solutions manager for ATM maker NCR Corp. Harrow called the device “very interesting” but said NCR doesn’t try to hide which of is ATM include anti-skimming technologies — such as those that claim to be detectable by the Smart Shield Detector.

“We don’t hide the fact that our ATMs are protected against this type of external skimming attack,” Harrow said. “Our Anti-Skimming product uses a uniquely shaped bezel so you can tell just by looking at the ATM that it is protected (if you know what you are looking for).”

Harrow added that NCR doesn’t rely on secrecy of design to protect its ATMs.

“The bad guys are skilled, resourced and determined enough that sooner or later they will figure out exactly what we have done, so the ATM has to be safe against a knowledgeable attacker,” he said. “That said, a little secret sauce doesn’t hurt, and can often be very effective in stopping specific attack [methods] in the short term, but it can’t be relied on to provide any long term protection.”

The best method for protecting yourself against ATM skimmers doesn’t require any fancy gadgets or technology at all: It involves merely covering the PIN pad with your hand while you enter your PIN!

That’s because the vast majority of skimming attacks involve two components: A device that fits over or inside the card reader and steals data from the card’s magnetic stripe, and a tiny hidden camera aimed at the PIN pad. While thieves who have compromised an ATM you used can still replicate your ATM card, the real value rests in your PIN, without which the thieves cannot easily drain your checking or savings account of cash.

Also, be aware of your physical surroundings while using an ATM; you’re probably more apt to get mugged physically than virtually at a cash machine. Finally, try to stick to cash machines that are physically installed inside of banks, as these tend to be much more challenging for thieves to compromise than stand-alone machines like those commonly found at convenience stores.

KrebsOnSecurity would like to thank Alex Holden, founder of Milwaukee, Wisc. based Hold Security, for sharing the above video.

Are you fascinated by skimming devices? Then check out my series, All About Skimmers, which looks at all manner of skimming scams, from fake ATMs and cash claws to PIN pad overlays and gas pump skimmers.

Categories: Technology, Virus Info

Hacked Password Service Leakbase Goes Dark

Krebs on Security - Sun, 12/03/2017 - 22:39

Leakbase, a Web site that indexed and sold access to billions of usernames and passwords stolen in some of the world largest data breaches, has closed up shop. A source close to the matter says the service was taken down in a law enforcement sting that may be tied to the Dutch police raid of the Hansa dark web market earlier this year.

Leakbase[dot]pw began selling memberships in September 2016, advertising more than two billion usernames and passwords that were stolen in high-profile breaches at sites like linkedin.com, myspace.com and dropbox.com.

But roughly two weeks ago KrebsOnSecurity began hearing from Leakbase users who were having trouble reaching the normally responsive and helpful support staff responsible for assisting customers with purchases and site issues.

Sometime this weekend, Leakbase began redirecting visitors to haveibeenpwned.com, a legitimate breach alerting service run by security researcher Troy Hunt (Hunt’s site lets visitors check if their email address has shown up in any public database leaks, but it does not store corresponding account passwords).

Leakbase reportedly came under new ownership after its hack in April. According to a source with knowledge of the matter but who asked to remain anonymous, the new owners of Leakbase dabbled in dealing illicit drugs at Hansa, a dark web marketplace that was dismantled in July by authorities in The Netherlands.

The Dutch police had secretly seized Hansa and operated it for a time in order to gather more information about and ultimately arrest many of Hansa’s top drug sellers and buyers. 

According to my source, information the Dutch cops gleaned from their Hansa takeover led authorities to identify and apprehend one of the owners of Leakbase. This information could not be confirmed, and the Dutch police have not yet responded to requests for comment. 

A message posted Dec. 2 to Leakbase’s Twitter account states that the service was being discontinued, and the final message posted to that account seems to offer paying customers some hope of recovering any unused balances stored with the site.

“We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw Send your LeakBase username and how much time you had left,” the message reads. “We will have a high influx of emails so be patient, this could take a while.”

My source noted that these last two messages are interesting because they are unlike every other update posted to the Leakbase Twitter account. Prior to the shutdown message on Dec. 2, all updates to that account were done via Twitter’s Web client; but the last two were sent via Mobile Web (M2).

Ironically, Leakbase was itself hacked back in April 2017 after a former administrator was found to be re-using a password from an account at x4b[dot]net, a service that Leakbase relied upon at the time to protect itself from distributed denial-of-service (DDoS) attacks intended to knock the site offline.

X4B[dot]net was hacked just days before the Leakbase intrusion, and soon after cleartext passwords and usernames from hundreds of Leakbase users were posted online by the hacker group calling itself the Money Team.

Many readers have questioned how it could be illegal to resell passwords that were leaked online in the wake of major data breaches. The argument here is generally that in most cases this information is already in the public domain and thus it can’t be a crime to index and resell it.

However, many legal experts see things differently. In February 2017, I wrote about clues that tied back to a real-life identity for one of the alleged administrators of Leakedsource, a very similar service (it’s worth noting that the subject of that story also was found out because he re-used the same credentials across multiple sites).

In the Leakedsource story, I interviewed Orin Kerr, director of the Cybersecurity Law Initiative at The George Washington University. Kerr told me that owners of services like Leakbase and Leakedsource could face criminal charges if prosecutors could show these services intended for the passwords that are for sale on the site to be used in the furtherance of a crime.

Kerr said trafficking in passwords is clearly a crime under the Computer Fraud and Abuse Act (CFAA).

Specifically, Section A6 of the CFAA, which makes it a crime to “knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization, if…such trafficking affects interstate or foreign commerce.”

“CFAA quite clearly punishes password trafficking,” Kerr said. “The statute says the [accused] must be trafficking in passwords knowingly and with intent to defraud, or trying to further unauthorized access.”

Categories: Technology, Virus Info

Former NSA Employee Pleads Guilty to Taking Classified Data

Krebs on Security - Sat, 12/02/2017 - 12:44

A former employee for the National Security Agency pleaded guilty on Friday to taking classified data to his home computer in Maryland. According to published reports, U.S. intelligence officials believe the data was then stolen from his computer by hackers working for the Russian government.

Nghia Hoang Pho, 67, of Ellicott City, Maryland, pleaded guilty today to “willful retention of national defense information.” The U.S. Justice Department says that beginning in April 2006 Pho was employed as a developer for the NSA’s Tailored Access Operations (TAO) unit, which develops specialized hacking tools to gather intelligence data from foreign targets and information systems.

According to Pho’s plea agreement, between 2010 and March 2015 he removed and retained highly sensitive classified “documents and writings that contained national defense information, including information classified as Top Secret.”

Pho is the third NSA worker to be charged in the past two years with mishandling classified data. His plea is the latest — and perhaps final — chapter in the NSA’s hunt for those responsible for leaking NSA hacking tools that have been published online over the past year by a shadowy group calling itself The Shadow Brokers.

Neither the government’s press release about the plea nor the complaint against Pho mention what happened to the classified documents after he took them home. But a report in The New York Times cites government officials speaking on condition of anonymity saying that Pho had installed on his home computer antivirus software made by a Russian security firm Kaspersky Lab, and that Russian hackers are believed to have exploited the software to steal the classified documents.

On October 5, 2017, The Wall Street Journal reported that Russian government hackers had lifted the hacking tools from an unnamed NSA contractor who’d taken them and examined them on his home computer, which happened to have Kaspersky Antivirus installed.

On October 10, The Times reported that Israeli intelligence officers looked on in real time as Russian government hackers used Kaspersky’s antivirus network as a kind of improvised search tool to scour computers around the world for the code names of American intelligence programs.

For its part, Kaspersky has said its software detected the NSA hacking tools on a customer’s computer and sent the files to the company’s anti-malware network for analysis. In a lengthy investigation report published last month, Kaspersky said it found no evidence that the files left its network, and that the company deleted the files from its system after learning what they were.

Kaspersky also noted that the computer from which the files were taken was most likely already compromised by “unknown threat actors.” It based that conclusion on evidence indicating the user of that system installed a backdoored Microsoft Office 2013 license activation tool, and that in order to run the tool the user must have disabled his antivirus protection.

The U.S. Department of Homeland Security (DHS) issued a binding directive in September ordering all federal agencies to cease using Kaspersky software by Dec. 12.

Pho faces up to 10 years in prison. He is scheduled to be sentenced April 6, 2018.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

Categories: Technology, Virus Info

Carding Kingpin Sentenced Again. Yahoo Hacker Pleads Guilty

Krebs on Security - Fri, 12/01/2017 - 18:15

Roman Seleznev, a Russian man who is already serving a record 27-year sentence in the United States for cybercrime charges, was handed a 14-year sentence this week by a federal judge in Atlanta for his role in a credit card and identity theft conspiracy that prosecutors say netted more than $50 million. Separately, a Canadian national has pleaded guilty to charges of helping to steal more than a billion user account credentials from Yahoo.

Seleznev, 33, was given the 14-year sentence in connection with two prosecutions that were consolidated in Georgia: The 2008 heist against Atlanta-based credit card processor RBS Worldpay; and a case out of Nevada where he was charged as a leading merchant of stolen credit cards at carder[dot]su, at one time perhaps the most bustling fraud forum where members openly marketed a variety of cybercrime-oriented services.

Roman Seleznev, pictured with bundles of cash. Image: US DOJ.

Seleznev’s conviction comes more than a year after he was convicted in a Seattle court on 38 counts of cybercrime charges, including wire fraud and aggravated identity theft. The Seattle conviction earned Seleznev a 27-year prison sentence — the most jail time ever given to an individual convicted of cybercrime charges in the United States.

This latest sentence will be served concurrently — meaning it will not add any time to his 27-year sentence. But it’s worth noting because Seleznev is appealing the Seattle verdict. In the event he prevails in Seattle and gets that conviction overturned, he will still serve out his 14-year sentence in the Georgia case because he pleaded guilty to those charges and waived his right to an appeal.

Prosecutors say Seleznev, known in the underworld by his hacker nicknames “nCux” and “Bulba,” enjoyed an extravagant lifestyle prior to his arrest, driving expensive sports cars and dropping tens of thousands of dollars at lavish island vacation spots. The son of an influential Russian politician, Seleznev made international headlines in 2014 after he was captured while vacationing in The Maldives, a popular destination for Russians and one that many Russian cybercriminals previously considered to be out of reach for western law enforcement agencies.

However, U.S. authorities were able to negotiate a secret deal with the Maldivian government to apprehend Seleznev. Following his capture, Seleznev was whisked away to Guam for more than a month before being transported to Washington state to stand trial for computer hacking charges.

The U.S. Justice Department says the laptop found with him when he was arrested contained more than 1.7 million stolen credit card numbers, and that evidence presented at trial showed that Seleznev earned tens of millions of dollars defrauding more than 3,400 financial institutions.

Investigators also reportedly found a smoking gun: a password cheat sheet that linked Seleznev to a decade’s worth of criminal hacking. For more on Seleznev’s arrest and prosecution, see The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27-Year Sentence, and Feds Charge Carding Kingpin in Retail Hacks.

In an unrelated case, federal prosecutors in California announced a guilty plea from Karim Baratov, one of four men indicted in March 2017 for hacking into Yahoo beginning in 2014. Yahoo initially said the intrusion exposed the usernames, passwords and account data for roughly 500 million Yahoo users, but in December 2016 Yahoo said the actual number of victims was closer to one billion (read: all of its users). 

Baratov, 22, is a Canadian and Kazakh national who lived in Canada (he’s now being held in California). He was charged with being hired by two Russian FSB officer defendants in this case — Dmitry Dokuchaev, 33, and Igor Sushchin, 43 — to hack into the email accounts of thousands of individuals. According to prosecutors, Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money.

Karim Baratov, a.k.a. “Karim Taloverov,” as pictured in 2014 on his own site, mr-karim.com.

Baratov operated several business that he advertised openly online that could be hired to hack into email accounts at the world’s largest email providers, including Google, Yahoo and Yandex. As part of his plea agreement, Baratov not only admitted to agreeing and attempting to hack at least 80 webmail accounts on behalf of one of his FSB co-conspirators, but also to hacking more than 11,000 webmail accounts in total from in or around 2010 until his arrest by Canadian authorities.

Shortly after Baratov’s arrest and indictment, KrebsOnSecurity examined many of the email hacking services he operated and that were quite clearly tied to his name. One such business advertised the ability to steal email account passwords without actually changing the victim’s password. According to prosecutors, Baratov’s service relied on “spear phishing” emails that targeted individuals with custom content and enticed recipients to click a booby-trapped link.

For example, one popular email hacking business registered to Baratov was xssmail[dot]com, which for several years advertised the ability to break into email accounts of virtually all of the major Webmail providers. XSS is short for “cross-site-scripting.” XSS attacks rely on vulnerabilities in Web sites that don’t properly parse data submitted by visitors in things like search forms or anyplace one might enter data on a Web site.

Archive.org’s cache of xssmail.com

In the context of phishing links, the user clicks the link and is actually taken to the domain he or she thinks she is visiting (e.g., yahoo.com) but the vulnerability allows the attacker to inject malicious code into the page that the victim is visiting.

This can include fake login prompts that send any data the victim submits directly to the attacker. Alternatively, it could allow the attacker to steal “cookies,” text files that many sites place on visitors’ computers to validate whether they have visited the site previously, as well as if they have authenticated to the site already.

Baratov pleaded guilty to nine counts, including one count of aggravated identity theft and eight violations of the Computer Fraud and Abuse Act. His sentencing hearing is scheduled for Feb. 20, 2018. The aggravated identity theft charge carries a mandatory two-year sentence; each of the other counts is punishable by up to 10 years in jail and fines of $250,000, although any sentence he receives will likely be heavily tempered by U.S. federal sentencing guidelines.

Meanwhile, Baratov’s co-defendant Dokuchaev is embroiled in his own legal worries in Russia, charges that could carry a death sentence. He and his former boss Sergei Mikhailov — once deputy chief of the FSB’s Center for Information Security — were arrested in December 2016 by Russian authorities and charged with treason. Also charged with treason in connection with that case was Ruslan Stoyanov, a senior employee at Russian security firm Kaspersky Lab.

There are many competing theories for the reasons behind their treason charges, some of which are explored in this Washington Post story. I have my own theory, detailed in my January 2017 piece, A Shakeup in Russia’s Top Cybercrime Unit.

Categories: Technology, Virus Info

MacOS High Sierra Users: Change Root Password Now

Krebs on Security - Tue, 11/28/2017 - 15:34

A newly-discovered flaw in macOS High Sierra — Apple’s latest iteration of its operating system — allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.

Update, Nov. 29, 11:40 a.m. ET: Apple has released a patch for this flaw. More information on the fix is here. The update is available via the App Store app on your Mac. Click Updates in the App Store toolbar, then use the Update buttons to download and install any updates listed.

Original story:

For better or worse, this glaring vulnerability was first disclosed today on Twitter by Turkish software developer Lemi Orhan Ergin, who unleashed his findings onto the Internet with a tweet to @AppleSupport:

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

High Sierra users should be able to replicate the exploit by accessing System Preferences, then Users & Groups, and then click the lock to make changes. Type “root” with no password, and simply try that several times until the system relents and lets you in.

How does one change the root password? It’s simple enough. Open up a Terminal (in the Spotlight search box just type “terminal”) and type “sudo passwd root”.

Many people responding to that tweet said they were relieved to learn that this extremely serious oversight by Apple does not appear to be exploitable remotely. However, sources who have tested the bug say it can be exploited remotely if a High Sierra user a) has not changed the root password yet and b) has enabled “screen sharing” on their Mac.

Likewise, multiple sources have now confirmed that disabling the root account does not fix the problem because the exploit actually causes the account to be re-enabled.

There may be other ways that this vulnerability can be exploited: I’ll update this post as more information becomes available. But for now, if you’re using macOS High Sierra, take a moment to change the root password now, please.

Categories: Technology, Virus Info

Name+DOB+SSN=FAFSA Data Gold Mine

Krebs on Security - Fri, 11/24/2017 - 05:55

KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.

Update, Nov. 28, 12:34 p.m. ET: The Education Department says not all of the data elements mentioned below are accessible on a FAFSA applicant if someone merely knows the static details about that person. Read on for their response to this story.

Original story:

Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students.

Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.

Anyone who successfully supplies that information on a student who has applied for financial aid through FAFSA then gets to see a virtual colonoscopy of personal information on that individual and their family’s finances — including almost 200 different data elements.

The information returned includes all of these data fields:

1. Student’s Last Name:
2. Student’s First Name:
3. Student’s Middle Initial:
4. Student’s Permanent Mailing Address:
5. Student’s Permanent City:
6. Student’s Permanent State:
7. Student’s Permanent ZIP Code:
8. Student’s Social Security Number:
9. Student’s Date of Birth:
10. Student’s Telephone Number:
11. Student’s Driver’s License Number:
12. Student’s Driver’s License State:
13. Student’s E-mail Address:
14. Student’s Citizenship Status:
15. Student’s Alien Registration Number:
16. Student’s Marital Status:
17. Student’s Marital Status Date:
18. Student’s State of Legal Residence:
19. Was Student a Legal Resident Before January 1, 2012?
20. Student’s Legal Residence Date:
21. Is the Student Male or Female?
22. Register Student With Selective Service System?
23. Drug Conviction Affecting Eligibility?
24. Parent 1 Educational Level:
25. Parent 2 Educational Level:
26. High School or Equivalent Completed?
27a. Student’s High School Name:
27b. Student’s High School City:
27c. Student’s High School State:
28. First Bachelor’s Degree before 2017-2018 School Year?
29. Student’s Grade Level in College in 2017-2018:
30. Type of Degree/Certificate:
31. Interested in Work-study?
32. Student Filed 2015 Income Tax Return?
33. Student’s Type of 2015 Tax Form Used:
34. Student’s 2015 Tax Return Filing Status:
35. Student Eligible to File a 1040A or 1040EZ?
36. Student’s 2015 Adjusted Gross Income:
37. Student’s 2015 U.S. Income Tax Paid:
38. Student’s 2015 Exemptions Claimed:
39. Student’s 2015 Income Earned from Work:
40. Spouse’s 2015 Income Earned from Work:
41. Student’s Total of Cash, Savings, and Checking Accounts:
42. Student’s Net Worth of Current Investments:
43. Student’s Net Worth of Businesses/Investment Farms:
44a. Student’s Education Credits:
44b. Student’s Child Support Paid:
44c. Student’s Taxable Earnings from Need-Based Employment Programs:
44d. Student’s College Grant and Scholarship Aid Reported in AGI:
44e. Student’s Taxable Combat Pay Reported in AGI:
44f. Student’s Cooperative Education Earnings:
45a. Student’s Payments to Tax-Deferred Pensions & Retirement Savings:
45b. Student’s Deductible Payments to IRA/Keogh/Other:
45c. Student’s Child Support Received:
45d. Student’s Tax Exempt Interest Income:
45e. Student’s Untaxed Portions of IRA Distributions:
45f. Student’s Untaxed Portions of Pensions:
45g. Student’s Housing, Food, & Living Allowances:
45h. Student’s Veterans Noneducation Benefits:
45i. Student’s Other Untaxed Income or Benefits:
45j. Money Received or Paid on Student’s Behalf:
46. Student Born Before January 1, 1994?
47. Is Student Married?
48. Working on Master’s or Doctorate in 2017-2018?
49. Is Student on Active Duty in U.S. Armed Forces?
50. Is Student a Veteran?
51. Does Student Have Children He/She Supports?
52. Does Student Have Dependents Other than Children/Spouse?
53. Parents Deceased?/Student Ward of Court?/In Foster Care?
54. Is or Was Student an Emancipated Minor?
55. Is or Was Student in Legal Guardianship?
56. Is Student an Unaccompanied Homeless Youth as Determined by High School/Homeless Liaison?
57. Is Student an Unaccompanied Homeless Youth as Determined by HUD?
58. Is Student an Unaccompanied Homeless Youth as Determined by Director of Homeless Youth Center?
59. Parents’ Marital Status:
60. Parents’ Marital Status Date:
61. Parent 1 (Father’s/Mother’s/Stepparent’s) Social Security Number:
62. Parent 1 (Father’s/Mother’s/Stepparent’s) Last Name:
63. Parent 1 (Father’s/Mother’s/Stepparent’s) First Name Initial:
64. Parent 1 (Father’s/Mother’s/Stepparent’s) Date of Birth:
65. Parent 2 (Father’s/Mother’s/Stepparent’s) Social Security Number:
66. Parent 2 (Father’s/Mother’s/Stepparent’s) Last Name:
67. Parent 2 (Father’s/Mother’s/Stepparent’s) First Name Initial:
68. Parent 2 (Father’s/Mother’s/Stepparent’s) Date of Birth:
69. Parents’ E-mail Address:
70. Parents’ State of Legal Residence:
71. Were Parents Legal Residents Before January 1, 2012?
72. Parents’ Legal Residence Date:
73. Parents’ Number of Family Members in 2017-2018:
74. Parents’ Number in College in 2017-2018 (Parents Excluded):
75. Parents Received Medicaid or Supplemental Security Income?
76. Parents Received SNAP?
77. Parents Received Free/Reduced Price Lunch?
78. Parents Received TANF?
79. Parents Received WIC?
80. Parents Filed 2015 Income Tax Return?
81. Parents’ Type of 2015 Tax Form Used:
82. Parents’ 2015 Tax Return Filing Status:
83. Parents Eligible to File a 1040A or 1040EZ?
84. Is Parent a Dislocated Worker?
85. Parents’ 2015 Adjusted Gross Income:
86. Parents’ 2015 U.S. Income Tax Paid:
87. Parents’ 2015 Exemptions Claimed:
88. Parent 1 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
89. Parent 2 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
90. Parents’ Total of Cash, Savings, and Checking Accounts:
91. Parents’ Net Worth of Current Investments:
92. Parents’ Net Worth of Businesses/Investment Farms:
93a. Parents’ Education Credits:
93b. Parents’ Child Support Paid:
93c. Parents’ Taxable Earnings from Need-Based Employment Programs:
93d. Parents’ College Grant and Scholarship Aid Reported in AGI:
93e. Parents’ Taxable Combat Pay Reported in AGI:
93f. Parents’ Cooperative Education Earnings:
94a. Parents’ Payments to Tax-Deferred Pensions & Retirement Savings:
94b. Parents’ Deductible Payments to IRA/Keogh/Other:
94c. Parents’ Child Support Received:
94d. Parents’ Tax Exempt Interest Income:
94e. Parents’ Untaxed Portions of IRA Distributions:
94f. Parents’ Untaxed Portions of Pensions:
94g. Parents’ Housing, Food, & Living Allowances:
94h. Parents’ Veterans Noneducation Benefits:
94i. Parents’ Other Untaxed Income or Benefits:
95. Student’s Number of Family Members in 2017-2018:
96. Student’s Number in College in 2017-2018:
97. Student Received Medicaid or Supplemental Security Income?
98. Student Received SNAP?
99. Student Received Free/Reduced Price Lunch?
100. Student Received TANF?
101. Student Received WIC?
102. Is Student or Spouse a Dislocated Worker?
103a. First Federal School Code:
103b. First Housing Plans:
103c. Second Federal School Code:
103d. Second Housing Plans:
103e. Third Federal School Code:
103f. Third Housing Plans:
103g. Fourth Federal School Code:
103h. Fourth Housing Plans:
103i. Fifth Federal School Code:
103j. Fifth Housing Plans:
103k. Sixth Federal School Code:
103l. Sixth Housing Plans:
103m. Seventh Federal School Code:
103n. Seventh Housing Plans:
103o. Eighth Federal School Code:
103p. Eighth Housing Plans:
103q. Ninth Federal School Code:
103r. Ninth Housing Plans:
103s. Tenth Federal School Code:
103t. Tenth Housing Plans:
104. Date Completed:
105. Signed By:
106. Preparer’s Social Security Number:
107. Preparer’s Employer Identification Number (EIN):
108. Preparer’s Signature:

According to the Education Department, nearly 20 million students filled out this form in the 2015/2016 application cycle.

Update: The process described above was based on a demonstration this author saw while sharing a screen with a KrebsOnSecurity reader who had a family member apply for aid through FAFSA. But an Education Department spokesperson took strong exception to my experience, saying that while someone armed with an applicant’s SSN and date of birth would be able to view some of the less sensitive data elements related to an application that has already been submitted and processed, seeing the more sensitive data requires and additional authentication step.

The spokesperson said the data is displayed across several pages that require manual advancement, and that before the pages with financial data are shown the visitor is prompted to supply a username and password that all users are required to create when they start the application process. The agency said that without those credentials, the system should not display the rest of the data.

In cases where a student has saved but not completed an application, the spokesperson said, the applicant is prompted to create a “save key,” or temporary password that needs to be supplied before the financial data is displayed.

Original story: What indications are there that ID thieves might already be aware of this personal data treasure trove? In March 2017, the Internal Revenue Service (IRS) disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid — citing evidence that identity thieves were abusing it to siphon data used to commit tax refund fraud with the IRS.

The IRS found that identity thieves were abusing the automated tool — which pulled data directly from the FAFSA Web site — in order to learn the adjusted gross income (AGI) of applicant families. The AGI is crucial to successfully filing a tax refund request in someone’s name at the IRS.

On Oct. 1, the IRS brought its FAFSA data retrieval tool back online, adding additional authentication measures. In addition, the AGI data is now masked when it is electronically transferred into the FAFSA application.

Think it’s hard to find someone’s SSN and DOB? Think again. There are a multitude of Web sites on the open Internet and Dark Web alike that sell access to SSN and DOB data on hundreds of millions of Americans — all for the price of about $4-5 worth of Bitcoin.

Somehow, we need to move away from allowing online access to such a deep vein of consumer data just by supplying static data points that are broadly compromised in a thousand breaches and on sale very cheaply in the cybercrime underground.

Until that happens, anyone who is applying for federal student aid or has a child who applied should strongly consider taking several steps:

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

Consider placing a “security freeze” on your credit files with the major credit bureaus. See this tutorial about why a security freeze — also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. Keep in mind that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name; the only real defense against that is to file your taxes as early as possible — before the fraudsters can do it for you.

Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

Categories: Technology, Virus Info

Correcting the Record on vDOS Prosecutions

Krebs on Security - Tue, 11/21/2017 - 06:11

KrebsOnSecurity recently featured a story about a New Mexico man who stands accused of using the now-defunct vDOS attack-for-hire service to hobble the Web sites of several former employers. That piece stated that I wasn’t aware of any other prosecutions related to vDOS customers, but as it happens there was a prosecution in the United Kingdom earlier this year of a man who’s admitted to both using and helping to administer vDOS. Here’s a look at some open-source clues that may have led to the U.K. man’s arrest.

Jack Chappell, outside of a court hearing in the U.K. earlier this year.

In early July 2017, the West Midlands Police in the U.K. arrested 19-year-old Stockport resident Jack Chappell and charged him with aiding the vDOS co-founders — two Israeli men who were arrested late year and charged with running the service.

Until its demise in September 2016, vDOS was by far the most popular and powerful attack-for-hire service, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most Web sites offline. vDOS made more than $600,000 in just two of the four years it was in operation, launching more than 150,000 attacks against thousands of victims (including this site).

For his part, Chappell was charged with assisting in attacks against Web sites for some of the world’s largest companies, including Amazon, BBC, BT, Netflix, T-Mobile, Virgin Media, and Vodafone, between May 1, 2015 and April 30, 2016.

At the end of July 2017, Chappell pleaded guilty to those allegations, as well as charges of helping vDOS launder money from customers wishing to pay for attacks with PayPal accounts.

A big factor in that plea was the leak of the vDOS attacks, customer support and payments databases to this author and to U.S. law enforcement officials in the fall of 2016. Those databases provided extremely detailed information about co-conspirators, paying customers and victims.

But as with many other cybercrime investigations, the perpetrator in this case appears to have been caught thanks to a combination of several all-too-common factors, including password re-use, an active presence on the sprawling English-language hacking community Hackforums, and domain names registered in his real name. In combination, these clues provide a crucial bridge between Chappell’s online and real-world identities.

A simple search at domaintools.com for the name Jack Chappell and “UK” returns a handful of results, including the domain fractal[dot]hf. That domain was registered in June 2015 to a Jack Chappell in Stockport, using the email address me@jackchappell.co[dot]uk [full disclosure: Domaintools is an advertiser on this site].

Neither domain is online anymore, but a Google search on fractal[dot]hf reveals several mentions of this site on Hackforums — a sprawling English-language forum that until very recently hosted the most bustling open-air market for competing attack-for-hire services.

According to a review of those Hackforums postings, fractal[dot]hf was a free service that allowed users to test the size and impact of any DDoS attack tool — displaying detailed graphs showing how much data a given attack tool could hurl at an intended target. Multiple forum members told interested users that fractal[dot]hf was owned and operated by a friendly and helpful Hackforums user named Fractal.

A screenshot of the user Fractal advertising his service for measuring the size of attacks. Fractal posted this graphic to illustrate the power of an IRC-based botnet that was being sold on Hackforums in mid-2015.

Perhaps unsurprisingly, there was a very active user on vDOS who went by the same Fractal nickname, using the password “HelloWorld1998” and email address smellyjelly01@gmail.com.

The above-mentioned domain Jackchappell.co[dot]uk appears in the leaked vDOS payments database, which states that a PayPal account tied to the email address “paypal@jackchappell.co[dot]uk” was one of several PayPal accounts used to launder customer payments for online attacks.

As noted in my June 2017 piece Following the Money Hobbled vDOS Attack-for-Hire Service, vDOS was forced to round-robin customer PayPal payments through a series of accounts after academic researchers began signing up for a variety of attack-for-hire services (including vDOS) and then reporting to PayPal the email addresses tied to accounts being used to receive payments.

The paypal@jackchappell.co[dot]uk address was linked to a vDOS user account called “portalKiller” which used the password “HelloWorld8991.” Note that this password is very similar to the one used by the vDOS user Fractal — only the numbers at the end of the password have been reversed (1998/8991).

Portalkiller changed his password several times during his time on vDOS, and one of the passwords he used was “Smith8991.” An Internet search on this password turns up an account in the user database that was hacked and posted online from a similar attack-for-hire service previously run by a hacker group known as the Lizard Squad. The email address tied to that account? Smellyjelly01@gmail.com.

From reviewing Fractal’s posts and reputation on Hackforums it appears that on Dec. 28, 2015 his account received praise and positive reputation points (similar to eBay’s user “feedback” system) from M30w and AppleJ4ck, the nicknames used by the alleged co-founders of vDOS.

Positive reputation points awarded to Chappell by the co-owners of vDOS, who used the aliases “M30W” and “AppleJ4ck.”

Comments in the leaked vDOS databases also suggest Chappell was for a time one of several trusted administrators and/or support personnel of the service. vDOS routinely banned accounts for members who shared their logins, or who logged on via virtual private network (VPN) services to anonymize their connections, but many members ignored this advice.

For example, in one support ticket dated March 13, 2016, a vDOS subscriber named “Bears” who had his account banned pleaded with the administrators to reactivate (or “unban”) his account.

“Hi jeremy pls unban hi p1st i love you hi AJ i love you hi fractal i love you hi whoever else is support is swagdaddy still support?” Bears pleads.

Ironically, both of Chappell’s accounts on vDOS — Fractal and portalKiller — were ultimately banned, the latter supposedly for flouting vDOS’s no-VPN restrictions. In one customer support ticket, portalKiller explains the reason for his use of a VPN: He routinely used a VPN so that he could tunnel his connection to the United States and watch the U.S. catalog of Netflix videos.

“Account Banned’,85801,’portalKiller’,’Hi, My account was banned a couple of days ago for logging in from a VPN. Let me explain, the 82.132.234.244 IP is not a VPN it is my mobile provider (O2), which is not a proxy/VPN. The second IP was a mistake I made, I logged out and logged back in from my normal IP (81.103.71.50) after I noticed my VPN was on (I use it for Netflix). I really want you to re-consider my ban. Thanks, portalKiller.”

Fractal also was eventually banned from using vDOS, although it’s less clear why that account was banished. Perhaps Chappell no longer offered the ability to help the other vDOS administrators launder funds, or maybe he had a falling out with M30W/p1st and AppleJ4ck.

Chappell did not respond to requests for comment. His sentencing has been delayed several times since his guilty plea; it is currently slated for December 2017.

Chappell’s guilty plea reminds me that there are many others who helped launder funds for vDOS that are in all likelihood similarly exposed. Stay tuned for more updates on that front.

Categories: Technology, Virus Info

Fund Targets Victims Scammed Via Western Union

Krebs on Security - Mon, 11/20/2017 - 07:25

If you, a friend or loved one lost money in a scam involving Western Union, some or all of those funds may be recoverable thanks to a more than half-billion dollar program set up by the U.S. Federal Trade Commission.

In January 2017, Englewood, Colo.-based Western Union settled a case with the FTC and the Department of Justice wherein it admitted to multiple criminal violations, including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud. As part of the settlement, the global money transfer business agreed to forfeit $586 million.

Last week, the FTC announced that individuals who lost money to scammers who told them to pay via Western Union’s money transfer system between January 1, 2004 and January 19, 2017 can now file a claim to get their money back by going to FTC.gov/WU before February 12, 2018.

Scammers tend to rely on money transfer businesses like Western Union and MoneyGram because once the money is sent and picked up by the recipient the transaction is generally irreversible. Such scams include transfers made for fraudulent lottery and prizesfamily emergenciesadvance-fee loans, and online dating, among others.

Affected consumers can visit FTC.gov/WU to file claims, learn more, or get updates on the claims process, which could take up to a year. The graphic below seeks to aid victims in filing claims.

The FTC says some people who have already reported their losses to Western Union, the FTC, or another government agency will receive a form in the mail from the claims administrator, Gilardi & Co., which has been hired by the DOJ to return victims’ money as part of the settlement. The form will have a Claim ID and a PIN number to use when filing a claim online via FTC.gov/WU.

The agency emphasized that filing a claim is free, so consumers should not pay anyone to file a claim on their behalf. “No one associated with the claims process will call to ask for consumers’ bank account or credit card number,” the FTC advised.

This isn’t the first time a major money transfer business admitted to criminally facilitating wire fraud. In November 2012, MoneyGram International agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program.

Categories: Technology, Virus Info

R.I.P. root9B? We Hardly Knew Ya!

Krebs on Security - Wed, 11/15/2017 - 07:25

root9B Holdings, a company that many in the security industry consider little more than a big-name startup aimed at cashing in on the stock market’s insatiable appetite for cybersecurity firms, surprised no one this week when it announced it was ceasing operations at the end of the year.

Founded in 2011 as root9B Technologies, the company touted itself as an IT security training firm staffed by an impressive list of ex-military leaders with many years of cybersecurity experience at the Department of Defense and National Security Agency (NSA). As it began to attract more attention from investors, root9B’s focus shifted to helping organizations hunt for cyber intruders within their networks.

By 2015, root9B was announcing lucrative cybersecurity contracts with government agencies and the infusion of millions from investors. The company’s stock was ballooning in price, reaching an all-time high in mid-May 2015.

That was just days after root9B issued a headline-grabbing report about how its cyber intelligence had single-handedly derailed a planned Russian cyber attack on several U.S. financial institutions.

The report, released May 12, 2015, claimed root9B had uncovered plans by an infamous Russian hacking group to target several banks. The company said the thwarted operation was orchestrated by Fancy Bear/Sofacy, a so-called “advanced persistent threat” (APT) hacking group known for launching sophisticated phishing attacks aimed at infiltrating some of the world’s biggest corporations.  root9B released its Q1 2015 earnings two days later, reporting record revenues.

On May 20, 2015, KrebsOnSecurity published a rather visceral dissection of that root9B report: Security Firm Redefines APT; African Phishing Threat. The story highlighted the thinness of the report’s claims, pointing to multiple contradictory findings by other security firms which suggested the company had merely detected several new phishing domains being erected by a comparatively low-skilled African phishing gang that was well-known to investigators and U.S. banks.

In mid-June 2015, an anonymous researcher who’d apparently done a rather detailed investigation into root9B’s finances said the company was “a worthless reverse-merger created by insiders with [a] long history of penny-stock wipeouts, fraud allegations, and disaster.”

That report, published by the crowd-sourced financial market research site SeekingAlpha.com, sought to debunk claims by root9B that it possessed “proprietary” cybersecurity hardware and software, noting that the company mainly acts as a reseller of a training module produced by a third party.

root9B’s stock price never recovered from those reports, and began a slow but steady decline after mid-2015. In Dec. 2016, root9B Technologies announced a reverse split of its issued and outstanding common stock, saying it would be moving to the NASDAQ market with the trading symbol RTNB and a new name — root9B Holdings. On January 18, 2017, a reshuffled root9B rang the market opening bell at NASDAQ, and got a bounce when it said it’d been awarded a five-year training contract to support the U.S. Defense Department.

The company’s founders remained upbeat even into mid-2017. On June 6, 2017 it announced that Michael Hayden, the four-star general who until recently served as director of the U.S. National Security Agency, had joined the company’s board.

On June 23, 2017, root9B issued a press release reminding everyone that the company had remained #1 on the Cybersecurity 500 for the 6th consecutive quarter. The Cybersecurity 500, by the way, rates cybersecurity firms based on their “branding and marketing.”

Nobody ever accused root9B of bad marketing. But all the press releases in the world couldn’t hide the fact that the company had never turned a profit. It lost more than $18.3 million in 2016, more than doubling a $8.03 million loss in 2015.

Since August 2017, shares of the company’s stock have fallen more than 90 percent. On Sept. 28, 2017, all of root9B Holdings’ assets were acquired by venture investment firm Tracker Capital Management LLC, and then sold at auction.

On Nov. 13, root9B Holdings issued a press release saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing operations at the end of this year.

“With the absence of any operating assets remaining after the Foreclosure, the Company will cease any and all operations effective, December 31, 2017,” the (final?) root9B press release concludes.

Several followers on Twitter say it’s too soon to sound the death knell for root9B as a whole, pointing out that while root9B Holdings may have been gutted and sold, for now it appears the security company root9B LLC is intact and is merely going back to being a private concern.

In any case, the demise of root9B Holdings resonates loudly with that of Norse Corp., another flashy, imploded cybersecurity startup that banked heavily on attracting and touting top talent, while managing to produce very little that was useful to or actionable by anybody.

Companies like these are a reminder that your success or failure in business as in life is directly tied to what you produce — not what you promise or represent. There is no shortcut to knowledge, success or mastery, and this goes for infosec students as well as active practitioners of the craft. Focus on consistently producing quality, unique content and/or services that are of real value to others, and the rest will take care of itself.

Update, 10:30 a.m.: Added perspective from Twitter readers.

Categories: Technology, Virus Info

Adobe, Microsoft Patch Critical Cracks

Krebs on Security - Tue, 11/14/2017 - 16:12

It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.

Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.

Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).

Adobe issued patches to fix at least 62 security vulnerabilities in its products, including several critical bugs in Adobe Flash Player and Reader/Acrobat.  The Flash Player update brings the browser plugin to v. 27.0.0.187 on Windows, Mac, Linux and Chrome OS.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions ) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.

Categories: Technology, Virus Info
Subscribe to Some Place in Ohio aggregator - Virus Info