Category: Security Alerts

There is an active exploitation of a security flaw in all versions of Microsoft Word right now.  The various online media have been saying this is a targeted attack but i’m seeing general infestations with this security issue.  If your machines aren’t updated you first need to get all of your gear updated and then there is a patch available to repair the Word problem.  Keep in mind this issue is capable and has bypassed several anti-malware packages:  Norton, Microsoft security essentials, AVG are the ones I’ve seen bypassed.  I’ve not had any clients behind Sophos utm products infected yet.  it is not known if Office 2003 and older will get updated as they have officially gone out of support and aren’t being updated on a regular basis.  If you are running office 2003 or lower you need to upgrade now.  Either install Libreoffice or Contact ETC Maryland for assistance.  if you install Libreoffice you also must uninstall Microsoft Office or you aren’t protected.

This issue is called a Zero day exploit which means the flaw wasn’t found by the “good guys” before it was actively being used by various attackers.  I’ve had 3 machines come in within days of each other infected with malware that used this exploit.  The fix is available online or you can call ETC so I can get your security updated and get you protected against this latest threat.  Here is the Microsoft security bulletin and the automated fixit is here.  You have to manually run this file on every affected machine.  This only protects against the latest exploit.  If you have not kept current on the other windows updates you are open to other issues that this fixit won’t protect you against.  A more comprehensive fix it being worked on but until it is available this fixit is the best solution that ETC Maryland is able to recommend.



The hits to Linksys(now Belkin) routers keep coming.  It’s really gotten to the point I can’t recommend these any longer.  Might be time for a spike in Sophos UTM home installations?


Bizarre attack infects Linksys routers with self-replicating malware | Ars Technica.

First it was Target.  Then Neimen Marcus notified.  Next was Michael’s.  Now it is White Lodging’s turn.  I’ll simply quote from Brian Kreb’s article: 

White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.

Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those sames sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.

Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporationwhich bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.

White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”

Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:

They are in the midst of the investigation and are in close contact with the banks and credit cards companies.  We are working closely with the franchisee as they investigate the matter.  Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.  As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”

Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.

Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

Folks our Credit Card technology is stone age based.  What’s worse is the security regulations regulating these card’s data is even more ancient.  Most of the regulations are semi-voluntary.  Couple that with no real consequences for the firms involved and fraud is not only common it’s rampant.  Until some real consequences for these fraudulent breaches come into effect(such as 5% of the annual GROSS income for the breached entity upon the first offense doubling for each subsequent breach over the next 5 years) and this nonsense would stop very quickly.  right now free monitoring is simply a cost of doing business for these large firms.

People have been getting riled up about the latest Facebook permission.  There’s good reason to be concerned.  facebooktextpermission

Now the official response:  If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message.


What does this mean?  FACEBOOK IS READING YOUR TEXTS!  Now for many folks they don’t care and that’s fine.  Whoever, If you are a high security entity(HIPAA, accountant, lawyer..etc etc etc) then you most likely have all kinds of information going through your texts including “private” stuff form your customers.  Facebook scans ALL texts looking for these codes form itself.  given past warnings about Facebook’s invasive abilities do you honestly think they won’t slurp the rest?  They might not now but I’m sure the will since you gave them permission to do so.

That’s two apps gone from my phone now.  Starbucks and Facebook.  While a smartphone isn’t secure in the leasta9blackberry is the only exception) jsut handing over everything is something you can put a throttle on.

The latest breach isn’t Target’s first breach it turns out.  Back in 2005 they were compromised as well.  If this report is true many retailers have not upgraded to modern security on their front ends in over 10 years.  If this is true the big box stores are going to have serious problems for quite some time.


A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus in 2013? No: This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team were eventually caught, and he’s now serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it possible that nearly a decade after the Gonzalez gang pulled off their heists, little has changed in the protection of bank card data?

Target got off easy in the first breach: A spokeswoman told Reuters that only an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were all hit hard.

This time around, if past is prelude, Target will be forced to pay out millions in fines to the card companies if it’s found that the retailer failed to properly secure its network, as well as pay reparation to any banks who had to issue new cards to customers. In addition, class-action lawsuits are already being filed against Target by customers, and lawmakers are lining up to make an example of the retailer.

But Target’s latest misfortune should have come as a surprise to no one — least of all to Target itself. The security measures that it and other companies implement to protect consumer data have long been known to be inadequate. Instead of overhauling a poor system that never worked, however, the card industry and retailers have colluded in perpetuating a myth that they’re doing something to protect customer data — all to stave off regulation and expensive fixes.

“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

via Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again | Threat Level |

NM’s breach is more significant than Target’s because of the length of the known compromise.  Folks the same advice i gave for Target now goes to NM.  If you used the same card at Target and NM  and you’ve already re-issued that’s good.  If you don’t know which one it is it’s time to re-issue them all.


The computer network at Neiman Marcus was penetrated by hackers as far back as July, and the breach was not fully contained until Sunday, according to people briefed on the investigation.

The company disclosed the data theft of customer information late last week, saying it first learned in mid-December of suspicious activity that involved credit cards used at its stores. It issued another notice on Thursday, elaborating slightly.

The latest notice said that “some of our customers’ payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information.”

The company apologized again, and said it did not believe the customers’ Social Security numbers or birth dates — key pieces of personal data — had been compromised.

Neiman Marcus defended its decision not to disclose anything until last week, saying it waited to confirm evidence. The company said nothing about when the attack began and when it was contained.

Neiman has not publicly given any estimate of how many credit card numbers were stolen, or how many customers were affected. Joe Raedle/Getty Images

In a call with credit card companies on Monday, though, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, people briefed on the call said, speaking on the condition of anonymity because of the investigation.

The issue at Neiman appears to have gone on for significantly longer than the widespread attack on Target. In Target’s case, however, the data that was stolen appears to be much more significant and ripe for fraud. Target has said card numbers from 40 million customers were stolen, along with encrypted PINs for debit cards. It also estimated that other personal information belonging to 70 million people had been stolen by the hackers.

Neiman Marcus said on Thursday that it had “no knowledge of any connection” between its data breach and Target’s.

via Breach at Neiman Marcus Went Undetected From July to December –

There’s not much more to say.  If you have the Starbucks app on your phone get it off of there and don’t put it back on.  Starbucks has a lazy attitude towards security and it appears they aren’t going to change that anytime soon.


The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

The issue appears to be an example of convenience trumping security. One of the reasons for the Starbucks mobile app’s popularity is its extreme ease of use. Customers need only enter their password once when activating the payment portion of the app and then use the app to make unlimited purchases without having to key in the password or username again. (Only when adding money to the app is the password required.)

Starbucks could have chosen not to store the password on the phone, but users would then be forced to key in their username and password every time they wanted to use the app to make a purchase.

“A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud,” said Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido. “Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn’t overexpose their consumers and their brand.”

“Yes, it does surprise me,” said Gartner security analyst Avivah Litan. “I would have expected more out of Starbucks. At least they should have informed consumers.”

And apparently Starbucks could have done that. Two executives — Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman — said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. “We were aware,” Brotman said. “That was not something that was news to us.”

via Evan Schuman: Starbucks caught storing mobile passwords in clear text.

So Target was running Windows XP embedded and it appears they will for quite some time as it’s going to take quote a while to replace all of their vulnberable windows based POS systems with something else.  The problem is even if they switch to something else if the underlying operating system(no matter what it is) isn’t kept up to date with patches it may take longer but they wil get owned again.  It appears in Target’s case however their web server was broken into which lead these folks to have admin level(or system level in the case of windows) for months.  You can bet the thieves made off with EVERYTHING.  Also unless they’ve wiped the infected machine and started over they’ll probably get owned again..and again…and again.

If you are a business with  POS system you need to see what the underlying operating system is.  If it is windows based..especially the xp or any other embedded version you need to upgrade it(xp) or replace it(embedded).  Either one of these can have malware installed through the pos terminals or many other means.  If you aren’t sure about your systems please contact ETC Maryland immediately

The article text below is only an excerpt.  Please read at the links for more details and links.  it is a bit technical.  If you want assistance in making sense of this contact ETC Maryland.

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps.”It’s not clear what type of software powers the point-of-sale devices running at registers in Target’s U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service WEPOS. Target’s Canadian stores run POS devices from Retalix, a company recently purchased by payment hardware giant NCR. According to sources, the Retalix POS systems will be rolled out to U.S. Target locations gradually at some point in the future.WHO IS ANTIKILLER?  A more full-featured Breadcrumbs-level analysis of this malware author will have to wait for another day, but for now there are some clues already dug up and assembled by Russian security firm Group-IB.Not long after Antikiller began offering his BlackPOS crimeware for sale, Group-IB published an analysis of it, stating that “customers of major US banks, such as such as Chase Newark, Delaware, Capital One Virginia, Richmond, Citibank South Dakota, Union Bank of California California, San Diego, Nordstrom FSB Debit Scottsdale, Arizona, were compromised by this malware.”In his sales thread on at least one crime forum, Antikiller has posted a video of his product in action. As noted by Group-IB, there is a split second in the video where one can see a URL underneath the window being recorded by the author’s screen capture software which reveals a profile at the Russian social networking site Group-IB goes on to link that account to a set of young Russian and Ukranian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service DDoS attacks and protests associated with the hackivist collective known as Anonymous.One final note: Dozens of readers have asked whether I have more information on other retailers that were allegedly victimized along with Target in this scheme. According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Rest assured that when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.

via A First Look at the Target Intrusion, Malware — Krebs on Security.

If you have ever shopped at Target your information was taken.  100 million?  This means Target was totally compromised and they had no idea.  They’ll never be able to tell EXACTLY how many…if you are smart just assume everyone who has ever used any kind of credit/debit card at target is now “out there”.  Time to re-issue your cards…NOW.


Target’s data breach MUCH bigger than first thought – now more than 100,000,000 records | Naked Security.

When the first reports were only a limited subset of their data but a huge amount of customers I figured it was much worse.  Target was just going to bide time for AFTER the holidays to fully report.  NOw that the holidays are over the real extent is coming out.  Target of course downplays things:

Nationwide retail giant Target today disclosed that a data breach discovered last month exposed the names, mailing addresses, phone number and email addresses for up to 70 million individuals.

The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stole approximately 40 million customer debit and credit card records.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning.  ”This theft is not a new breach, but was uncovered as part of the ongoing investigNation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Target is still trying to downplay the amount of data stolen:

Target said much of the data is partial in nature,

What is Target going to do to compensate it’s customers for the coming wave of spam, identity theft and fraud?  Not to mention all the cards that have to be reissued?  Oh and how about HOW these folks go in?

in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams. The retail giant was quick to note that its email communications would not ask customers to provide any personal information as part of that communication.

Target Chairman Gregg Steinhafel apologized for the inconvenience that the breach may have caused customers, and said said he wanted customers to know that “understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Nevertheless, the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.

Basically Target customers you are screwed.  Folks we need to start holding our reps and law enforcement types to account.  There are laws on the books about this type of thing…it is time they were enforced.

via Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen — Krebs on Security.