While we were being distracted by the Yahoo half-billion-user data breach, within the last few days, Krebs On Security, a blog which I often reference here was slammed with a distributed denial-of-service (DDoS) attack of gargantuan proportions, literally silencing the blog. This was after the venerable Brian Krebs published papers on the vDOS owners. vDOS is an attack-for-hire service hosted in Israel.
Hey, what a surprise, after Krebs, a well-known security blogger (and researcher) made the people behind the attack-for-hire service also well-known, he was himself targeted by the world's largest DDoS attack! These are rich teenagers - they earned more than $600,000 (well, in Bitcoin!) in two years. Apparently their service is in great demand.
How do we know this? Oh it figures - vDOS got hacked and their client base was fully extracted and published (this is known as being "doxed", a term which I sometimes use). And Krebs obtained the information in July. This, and the fact that the FBI took notice, is why those cyber-criminal-teenagers Itay Huri and Yarden Bidani (known as AppleJ4ck) were arrested in Israel.
It's possible that these teenagers, after being arrested in Israel, were simply drafted into the Israeli Defense Forces (IDF), because they are both 18 years old (my speculation). Now they can't use the internet for 30 days.
Wow! I was sure it was just going to be a slap on the hand for these two.
Seriously, I hope they can be extradited to the US for prosecution.
The curious thing is that the documents Krebs found indicated that vDOS was literally responsible for the majority of the DDoS attacks on the web, and that the number of packets and data sent might indeed have been Internet-crippling. Apparently DDoS attackers are now taking over personal home routers and using them to accomplish their attacks, which can result on a MUCH larger number of packets being sent because literally anybody can be sending them.
When a security blog gets hit and you are temporarily in the dark about a current threat, you will need to refer to some other security blogs. Here is a decent list.
If you get hacked, you can find out if your data was included in a recent massive breach at haveibeenpwned.com.
If you have more serious concerns, there is a company, terbiumlabs.com, that can persistently search the dark web for your personal info. The info you enter is encrypted on the client side (open your computer) so even they don't know what you are searching for. This is particularly useful for corporate customers, when they're breached, and also for companies monitoring their information security (infoSec).
Showing posts with label data breach. Show all posts
Showing posts with label data breach. Show all posts
Sunday, September 25, 2016
Tuesday, August 9, 2016
Big Time Infosec Issue!
Updated: five more point-of-sale systems breached. More info on how long the breach existed. And yet more info on where the compromises might have hit you. More identity information for Carbanak.
Did you ever get a message in a email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, daring fireball, for that link).
Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.
One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.
Update: five more systems are reported by Forbes to be hacked, possibly by the same Russian cybercrime gang. These are UK-based Cin7, ECRS, Bankcard Services' Navy Zebra, PAR Technology, and Uniwell.
What Happened?
According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.
The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.
Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.
Who Did It?
This is a very sophisticated hack. This was no script kiddie.
Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.
It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm, that builds the LioN anti-virus application. A Trojan horse?
It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.
Supposedly Russia arrested 50 alleged members of the Carbanak cybercrime gang on June 1, 2016. Kaspersky Lab helped to identify the hackers charged, but Tverinov wasn't among them.
It also seems that Carbanak was using a C&C server that is tied to the FSB (the successor of the KGB). This according to Security Affairs.
Update: Carbanak is sometimes also known as Anunak.
Where Was I Most Likely Compromised?
This would have occurred at a chain restaurant, or perhaps a modern restaurant that is taking advantage of modern technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?
You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.
Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.
The Big Android Hack
Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.
On another note, the Blackberry DTEK 50, "the most secure smartphone in the world" utilizes a Qualcomm 8992 Snapdragon 808 Hexa-Core, 64 bit with Adreno 418, 600MHz GPU. And so it is also vulnerable to four of the flaws.
Did you ever get a message in a email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, daring fireball, for that link).
Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.
One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.
Update: five more systems are reported by Forbes to be hacked, possibly by the same Russian cybercrime gang. These are UK-based Cin7, ECRS, Bankcard Services' Navy Zebra, PAR Technology, and Uniwell.
What Happened?
According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.
The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.
Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.
Who Did It?
This is a very sophisticated hack. This was no script kiddie.
Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.
It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm, that builds the LioN anti-virus application. A Trojan horse?
It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.
Supposedly Russia arrested 50 alleged members of the Carbanak cybercrime gang on June 1, 2016. Kaspersky Lab helped to identify the hackers charged, but Tverinov wasn't among them.
It also seems that Carbanak was using a C&C server that is tied to the FSB (the successor of the KGB). This according to Security Affairs.
Update: Carbanak is sometimes also known as Anunak.
Where Was I Most Likely Compromised?
This would have occurred at a chain restaurant, or perhaps a modern restaurant that is taking advantage of modern technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?
You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.
Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.
The Big Android Hack
Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.
On another note, the Blackberry DTEK 50, "the most secure smartphone in the world" utilizes a Qualcomm 8992 Snapdragon 808 Hexa-Core, 64 bit with Adreno 418, 600MHz GPU. And so it is also vulnerable to four of the flaws.
Subscribe to:
Posts (Atom)