Tag: Technology Tips

Use Of Bots Has Increased Fake Account Creations

The ThreatMetrix Cybercrime Report 2017 is out, and is a troubling read for anyone who has anything to do with data security.  As a fraud prevention company protecting nearly a billion and a half users around the world, they’re uniquely positioned to know, and their insights on the threat landscape is invaluable.

Their main finding is that hackers, scammers and fraudsters are moving away from using stolen debit and credit cards, given that these things have such a short shelf life.  On the face of it, that sounds like it might be a good thing, until you understand what they’re doing instead.

They’re making use of stolen identity data to create bogus accounts, then applying for lines of credit on their own.  Even worse, they’re taking full advantage of automation to speed the process along.  According to the report, the volume of global fraud attacks is up a mind blowing 100 percent in just two years, with 700 million incidents reported in 2017 alone.

Bots are coming to play an increasingly important role in the activity of the fraudsters, too.  Once a new, fraudulent account has been created, it’s handed off to a bot to test it and make sure it’s valid, which increases its value on the Dark Web.

How big of a problem are bots on the web these days?

According to the report, ThreatMetrix blocked 1.5 billion bot attacks last year, with some retailers reporting that more than 90% of their daily traffic is comprised of bots.

At the root, what’s driving this behavior are the increasingly common, large-scale data breaches that put  up to hundreds of millions of data records into the hands of fraudsters.  Until and unless the flow of data can be stopped, we can expect this type of activity to continue to increase.

No matter how you slice it, 2018 is going to be a very interesting and very busy year.

Mac Computers Battling New Malware For Hijacking DNS

It’s official, the first macOS malware of 2018 is here. Discovered by an independent security researcher and dubbed “OSX/MaMi,” the code is functionally similar to DNSChanger malware.

The researcher posted his findings on the Malwarebytes forum and none other than Patrick Wardle (an ex-NSA hacker) analyzed it, having this to say:

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads) or to insert cryptocurrency mining scripts into web pages.”

In addition to that, hooks were found in the software that would eventually allow it to:

  • Upload and download files
  • Execute commands
  • Generate simulated mouse events
  • Take screenshots

And more, although at present, these features are not yet active, which points to the malware as being a piece of code still very much in development.

At present, there are no anti-malware or antivirus programs capable of detecting this new strain. That, of course, will change in short order. However, for the time being, the best way to verify whether or not your machine is infected is to go through “System Preferences” and into the terminal app to check your DNS settings.

Two values you don’t want to see there are: 82.163.143.135 or 82.163.142.137.

If you’d rather not check manually, Patrick Wardle has created a free, open-source firewall for macOS called “Lulu,” which you can download from GitHub. This program was designed to block suspicious traffic and will prevent OSX/MaMi from stealing anything from your system.

As threats go, this one is relatively minor, but it’s still early in the year, and whomever is behind this piece of code will no doubt be making improvements on it. Stay tuned.

2 Million Credit Cards Stolen From Popular Sandwich Shop

By now, we’ve seen enough large-scale Point of Sale (POS) credit card thefts that patterns are beginning to emerge. Some companies follow the general arc of the narrative better than others, and deserve credit for doing so, but in the end, the story is about the same.

That’s certainly the case with Jason’s Deli. Recently, they discovered RAM-scraping malware on a number of their POS terminals. This has happened at a total of 164 of their locations, scattered across 14 states.

During the seven-month period before the malware was discovered, the company estimates that the credit card payment information of some two million customers was stolen. The data included credit and debit card numbers, expiration dates, the cardholder’s service and verification codes, and the cardholder’s name.

As is the case with most of these incidents, the company immediately contacted law enforcement and hired a third-party firm to assist with the forensic investigation, which is still ongoing.

Jason’s Deli’s handling of the aftermath of the incident has been well above average. However, the bottom line is that unless companies start paying increasing attention to data security, issues like these are going to continue to occur.

As a general rule, hackers prefer to go after the low-hanging fruit. There’s simply more money in attacking soft targets than hard ones. Your company doesn’t need bullet proof security in order to be safe from most hackers, it’s just got to be better than average. Although obviously, the better and more robust your digital security is, the safer you will be.

Unfortunately, this painfully obvious lesson seems to be falling on too many deaf ears. Until and unless that changes, we’ll continue reading about incidents like these. It’s costing business billions every year. Make sure your company isn’t next on the hackers’ hit list.

Blizzard Games Vulnerability Could Leave Gamers Open To Hacking

Do you play Blizzard online computer games such as World of Warcraft, Diablo III, Hearthstone, Starcraft II, or Overwatch?  If so, there’s a potential problem you need to be aware of.

Tavis Ormandy, a researcher on Google’s Project Zero team, recently discovered that the Blizzard Update Agent is vulnerable to hacking, via a technique known as “DNS Rebinding.”

The update agent is designed to accept commands to install, uninstall, change settings, update and  perform other maintenance related options. This means it has a lot of power and access to the system you’re playing the game on.

Unfortunately, because the update agent in use (JSON-RPC, port 1120) doesn’t include a validation step to check the identity of the server issuing commands, it’s possible for a hacker to insert himself into the middle of the process. This includes possibly injecting malicious commands and using the updater to hijack your machine.

Ormandy developed a proof of concept of the attack, and contacted Blizzard when he made the discovery.  The company was receptive for a time, but then suddenly and inexplicably ceased all communication.  Ormandy had this to say regarding the matter:

“Blizzard was replying to emails but stopped communicating on December 22nd.  Blizzard is no longer replying to any enquiries, and it looks like in version 5996, the Agent now has been silently patched with a bizarre solution. Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist.  I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple.  I’m not pleased that Blizzard pushed this patch without notifying me or consulting me on this.”

Since Ormandy went public with his findings, Blizzard has been in contact again, stating that a more robust fix is in the works, one that will adopt the strategy of whitelisting hostnames. Meanwhile, Ormandy is continuing to test the exploit on other online games with a user base of over 100 million to see if others are also vulnerable.  If you’re an online gamer, be aware that you could be leaving the door unlocked for hackers.

Performance Issues Plague PC’s Updated With Spectre Patch

Recently a critical flaw was found inside every Intel chip made during the last decade.  The flaw makes two different exploits possible.  These exploits have been dubbed “Meltdown” and “Spectre.”

The flaws are incredibly severe, and make it possible for a hacker to gain complete, unfettered access to the targeted PC or laptop.  Although no instances of the exploit have yet been found in the wild, now that both are commonly known, it’s only a matter of time before that happens.

Based on that, and given the severity of the flaw, Intel scrambled to release an update, but here’s the catch:  The update would hurt system performance, lowering it by as much as 23%.

In the end, it didn’t matter.  To ignore the problem was simply not an option, so the company scrambled to get a fix ready and has since released it.  Unfortunately, the fix has proved to be even more problematic than was originally estimated.  In addition to degrading machine performance, it also interferes with a variety of maintenance activities and leads to an inordinate number of system reboots.

Initially, Intel advised its customers to proceed with the download in order to protect their systems, even in light of the performance degradation.  However, as the number of complaints have grown, the company reversed course and has now advised against downloading its latest update, asking users to wait for a revision to be published.

At this point, the company has not given an ETA on when the revised firmware update will be ready, but until it is, you’re placed in an awkward position.  Waiting for the update means exposing your company to risk, should a hacker target one of the machines on your network with the exploit.  Proceeding with the current firmware update means you’ll suffer performance issues, leaving you stuck between a rock and a hard place, at least for the short term.

Electronic Health Record Company “Allscripts” Hit By Ransomware

Another day, another high-profile ransomware attack.  This time, the victim was Allscripts, an EHR (Electronic Health Record) company that hospitals, pharmacies, and ambulatory centers around the country rely on.

The company’s data was thought to be safe on the cloud, but that proved not to be the case. Disruptions of services were felt by Allscripts clients around the country.

At this point, reports are sketchy, incomplete, and in many cases, contradictory.  According to Allscripts, the attack only impacted “a limited number” of applications, and that they were working to restore them.  The company’s statement continued with, “most importantly, to ensure our clients’ data is protected.  Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.  We regret any inconvenience caused by this temporary outage.”

According to Twitter, where many of Allscripts’ customers have been talking about the issue, the problem goes much deeper. Some clients reported an inability to access critical patient data now stretching into its third day, with predictable impacts on health care delivery.

To complicate matters further, some heath care providers preemptively disconnected from Allscripts servers in a bid to protect their own networks.  Northwell Health, based out of New York, is an example.

In any case, as of the time of the writing of this piece, most, but not all of the disrupted services seem to have been restored. You can bet, based on the contradictory information surrounding the attack, that Allscripts’ handling of the incident will be discussed for a long while to come.  This will probably filed under “how not to handle a ransomware attack.”

The company’s communication was spotty and their business continuity plan seems to have failed them.  There are lessons here for all business owners.  Take heed.

iPhone Throttling Issue To Be Addressed In Upcoming Update

Recently, Apple found itself in hot water with its normally adoring user base. This happened when it became known that the company was intentionally throttling (slowing down) the speed of older iPhones.

The company’s intentions were good.  They clearly meant well.  The move was designed to even out performance in older equipment.  As cellphone batteries age, they tend to lose charge more quickly.  What was happening was that people with older equipment would drop from 20% battery to 0% in the blink of an eye, causing their old phones to simply shut down at inopportune moments.  Apple’s strategy was simply designed to help keep that from happening.

Well-intentioned or not, the company didn’t formally announce the change, and it was discovered by chance by security researchers.  Needless to say, the legions of people who still use older iPhones were not amused and the company has faced backlash from an angry user base since.

Apparently, the backlash got bad enough that they listened.  Apple just announced that as of the next OS update, version 11.3, the OS will include a toggle switch that will allow users to choose whether or not to throttle their  phones to extend battery life.

This is the latest in a series of moves the company has made to get back in the good graces of its users.  Previous efforts have included a public apology and an offer to reduce its fee for battery replacement to just $29.

This has been a PR disaster for the company.  It probably won’t hurt their bottom line much, but perception matters. While the company has been trying bravely to save face, the simple truth is that this was a self-inflicted and avoidable wound.

There’s a lesson here for businesses of all shapes and sizes.  Transparency matters, and if you’re going to do something that directly impacts large segments of your user base, be upfront about it and give them a viable choice.

700,000 Potentially Malicious Apps Removed From Google Last Year

Google recently released their Play Store stats for 2017.  The results are both encouraging and disheartening.  Overall, Google caught and removed more than 700,000 malicious apps from the Play Store, minimizing their impact on the company’s massive Android user base.

That’s unquestionably good news, but it comes with a bit of a dark side.  That figure represents a staggering 70 percent increase in the number of apps removed compared with 2016 figures.  The hackers are not only relentless in their efforts, but they’re picking up the pace dramatically.

Last year, Google made a significant change, putting Play Store security under the umbrella of the Google Play Project.  This system is driven by “smart” detection software that automatically scans and provides alerts for any software that exhibits questionable behavior and gets better on its own thanks to Machine Learning protocols.

So far, that approach seems to be working pretty well.  It’s not without its flaws, of course.  Google found itself in the news a few times last year when some malicious apps managed to slip through their impressive detection mechanisms, and got downloaded by several thousand users.  Even so, it’s clear that the company is committed to the process and takes the security of its users very seriously.  Given today’s digital landscape, that’s important.  That means something.

As for Google’s plans for 2018:

More of the same.  Continued, incremental improvements in the Google Play Project, continued support for the Zero-Day initiative, and keeping a watchful eye on all things security-related.  The company is by no means perfect, but it’s nice to know that we’ve got such a large company out there, fighting back.

Of course, it still falls to each individual user to be careful what apps you install on your various devices.  No matter what Google does in the coming year, due diligence is still your last, best defense.

Fitness Trackers Could Be A National Security Risk

If ever there were two phrases that didn’t seem to go together, they would probably be “Fitness trackers” and “National Security Risk.”  The very idea that a simple fitness tracker could pose such a risk seems laughable on the surface, but this is no laughing matter.

Recently, a popular fitness tracking app called “Strava” published a heat map, which displayed the activity of its massive user base from around the world.  In all, the heat map contained more than a billion activities, tracking every jog, bike ride, walk, swim, downhill, and other activity that users opted to log.

Unfortunately, this app is a favorite of military personnel, and when the heat map was published, researchers made a disturbing discovery.  In logging their physical activity, military personnel gave away the locations of their (sometimes secret) bases.

Although the data was stripped of personally identifying markers before being loaded onto the map, other researchers have been able to de-anonymize the data, tying individual activity routes to specific people.

From a national security standpoint, this is disturbing on two levels.  First, of course, is the fact that the locations of supposedly top-secret bases could be discovered so easily, and by something as innocuous as a fitness app.

Second,  and every bit as disturbing, is the fact that since it has been demonstrated that the data can be de-anonymized. This means that enemies of any existing government  can accurately locate key personnel.  Armed with an activity map that establishes a “reliable pattern of life,” it can use that data to plan carefully orchestrated attacks against specific individuals.

Needless to say, the presence of apps that know so much about us and our precise whereabouts is going to require a total rethink by government agencies around the world.  One has to wonder, how many other unintentional side effects will we see in the months and years to come?

If your Point Of Sale Uses Oracle, Update Now

Oracle is currently the third-largest provider of POS (Point of Sale) software on the market today, which means that there’s a fairly good chance you’re using an Oracle POS system.  If you are, there’s trouble ahead.  A recently discovered security flaw could put your system at risk.

Oracle has already identified and patched the security flaw, but there’s a problem.  Since POS systems are deemed “mission critical” by most businesses, System Administrators rarely schedule maintenance for them on fears that an unstable patch or update could cause undue downtime for the company.  Because of that, it will likely be a month or more before the new update finds its way to all 300,000 of the at-risk systems.

As security flaws go, this one is fairly nasty, too, as it allows a hacker to collect configuration files from any vulnerable Micros POS system.  This data can then be used to grant the hacker full, unrestricted access to the POS system,  as well as the database and server it feeds information to.

Most hackers attacking a POS would be content with simply collecting credit card details for resale on the Dark Web However, with this exploit, any sort of malware could be installed to use against the company later.

Even worse, a hacker need not be in close proximity to the device in question.  A carefully crafted HTTP request could trigger the security flaw and open the door.  Of course, if a hacker is in close proximity to the system, then there are many easier ways to infect it.  One only needs to distract the sales clerk long enough to attach a simple Raspberry Pi board equipped to run the exploit code and the damage is done.

The bottom line is, if you use an Oracle POS, make installing the latest security patch a priority.  You’ll be vulnerable until you do.