Category: Security Alerts


I am not trying to spread the “stranger danger” fear-mongering here.  If you are a parent, grandparent or any other kind of close relative please read the linked article at the bottom of this post.  I have been following this since it began.  More details are becoming known.  I’m not doing the blame the victim game here but unsafe online behavior contributed to this crime.  Parents PLEASE know what your children are doing.

In my experience this is usually the cause of mis-communication or a lack of communication.  Technology is part of the solution but a good parental relationship will do better than any technology.

I was recently at the Brunswick Business Expo and I was disseminating the following documents:

1.  This is a set of tips for adults in regards to online safety

2. This is a set of  steps for youth in regards to online safety.

3.  This is a “contract” between your youth and yourselves.  This provides a framework for communications between the adults and the youth for proper online behavior.  It also provides the foundation for a clear set of expectations from both sides of the conversation.

I am not saying this is the end all be all but I hope you find it useful.  There are technological things that can be done to aid caregivers in supervision of their youth.  If you have any questions contact us.

On November 10, a 12-year-old girl left her home in the Baltimore suburb of Nottingham at 7:30am, heading to her middle school. She never returned home. When her mother called the school later, she discovered that her daughter had not even arrived. Suddenly, Baltimore County Police were calling in the FBI to assist in their search for a missing person.

According to police reports, “an unfamiliar blue pick-up truck with North Carolina license plates” was spotted by neighbors near Jane Doe’s home that morning. (While the girl’s name was previously published in Baltimore local media, we’ll refer to her by the name used in recent court documents—Jane Doe—because of her age and because of the nature of the crime allegedly committed against her.) Over the next four days, the investigation of Jane Doe’s disappearance led to a ranch house on a cul-de-sac 340 miles away in Raleigh, North Carolina. That’s where North Carolina Alcohol Law Enforcement agents working under the direction of the FBI eventually found the kidnapped girl—along with a 32-year-old probationer named Victor Yanez Arroyo.

The girl is now back with her family, but according to arrest documents, Jane Doe told authorities that “at the residence, Arroyo had non-consensual sex with her two times.” Arroyo was arrested and now faces a wave of state and federal charges.

Luckily, the FBI and other law enforcement agencies had Doe’s real name and several aspects of her digital identity to work with, including her Xbox Live gamer tag, her Apple iCloud account, and her social media chat accounts. All of these digital identities played a role in the forensics work used to track down Jane Doe’s abductor.

But they also played a major role in her abduction.

via 12-year-old’s online life brings an abductor to her doorstep | Ars Technica.

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

“If they install software that listens on port, then that machine would be vulnerable,” he said. An example would be “if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client.”

Tuesday’s disclosure means that every major TLS stack—including Apple SecureTransport, GnuTLS, OpenSSL, NSS, and now Microsoft SChannel—has had a severe vulnerability this year. In some cases, the flaws merely allowed attackers to bypass encryption protections, while others, most notably the Heartbleed bug in OpenSSL and the one patched Tuesday in Windows, allowed adversaries to steal highly sensitive data and execute malicious code on vulnerable systems respectively.

Microsoft’s advisory said there are no mitigating factors and no workarounds for the bug. A separate exploitation index assessed real-world attacks as “likely” for both newer and older Windows releases. The advisory said there is no evidence pointing to in-the-wild exploits against Windows users at the time it was drafted. MS14-066 was one of 16 updates Microsoft scheduled for this month’s Patch Tuesday batch. They include a fix for a zero-day vulnerability already under attack in highly targeted espionage attacks.

It took less than 12 hours after the disclosure of the catastrophic Heartbleed bug for it to be turned against Yahoo and other sites. Anyone who uses a Windows computer—especially if it runs a Web or e-mail server—should ensure Tuesday’s update is installed immediately.

via Potentially catastrophic bug bites all versions of Windows. Patch now | Ars Technica.

I don’t always agree with Steve Gibson.  On this particular attack the one thing that makes this a non-issue is that you have to have active malicious code running in the browser.  Once your machine is compromised in any way you aren’t secure; it is really that simple.  You can listen to Steve talk about this and get a text transcription on the Security Now episode page.

Really this is only a problem if you are surfing on a public wifi point: then somebody can intercept your traffic, cause an error in your secure communications and then insert themselves into your data stream.  Keep in mind SSL v3 is nearly 15 years old and has been replaced by TLS.  Really the only folks who use this are IE6 users.  All modern browsers are going to fully kill SSL 3.0 support in upcoming updates, which is about time.  Really you are not in danger from this unless you are browsing on public wifi AND using an ancient browser.  Once SSL v3 finally dies some websites may break temporarily and some browsers will break (IE6).  This isn’t nearly as dangerous as other vulnerabilities that have come up lately.  A full analysis is available here.  If you have any questions contact us.
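If you want to know whether anything on your network is still speaking SSL 3.0 before the browsers drop it, the place to look is the ClientHello each client sends.  The script below is an added example (not from this post, the Security Now episode, or the linked analysis) that parses a captured ClientHello record, reports the version the client offered, and flags whether it offered SSLv3 or included the TLS_FALLBACK_SCSV downgrade-signalling suite from RFC 7507; the sample records are constructed inline for testing.

```python
import struct

SSLV3 = 0x0300
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling suite, used to detect forced downgrades
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal handshake record carrying a ClientHello (test data only)."""
    body = struct.pack("!H", client_version) + bytes(32)  # client_version + zeroed random
    body += b"\x00"  # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record header: content type 0x16 (handshake), legacy version, length.
    return b"\x16" + struct.pack("!HH", client_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a ClientHello record, else ValueError."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]  # skip version(2) + random(32) + session_id_len(1) + session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return client_version, suites


def assess_client_hello(record):
    """Classify a ClientHello for an SSL 3.0 audit: which version, and is SSLv3 offered?"""
    version, suites = parse_client_hello(record)
    return {
        "version": VERSION_NAMES.get(version, hex(version)),
        "offers_sslv3": version == SSLV3,
        "has_fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


if __name__ == "__main__":
    # Constructed samples: an SSLv3-only client and a TLS 1.2 client that
    # signals a deliberate protocol fallback with TLS_FALLBACK_SCSV.
    old = build_client_hello(SSLV3, [0x000A, 0x002F])
    new = build_client_hello(0x0303, [0xC02F, 0x002F, TLS_FALLBACK_SCSV])
    print(assess_client_hello(old))
    print(assess_client_hello(new))
```

Real clients usually put 0x0301 in the record header regardless of what they support, so the parser reads the version from the ClientHello body, which is the one that matters.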

There is active exploitation of a security flaw in all versions of Microsoft Word right now.  The various online media have been saying this is a targeted attack but I’m seeing general infestations with this security issue.  If your machines aren’t updated you first need to get all of your gear updated, and then there is a patch available to repair the Word problem.  Keep in mind this issue is capable of bypassing, and has bypassed, several anti-malware packages: Norton, Microsoft Security Essentials and AVG are the ones I’ve seen bypassed.  I’ve not had any clients behind Sophos UTM products infected yet.  It is not known if Office 2003 and older will get updated as they have officially gone out of support and aren’t being updated on a regular basis.  If you are running Office 2003 or lower you need to upgrade now.  Either install LibreOffice or contact ETC Maryland for assistance.  If you install LibreOffice you also must uninstall Microsoft Office or you aren’t protected.

This issue is called a zero-day exploit, which means the flaw wasn’t found by the “good guys” before it was actively being used by various attackers.  I’ve had 3 machines come in within days of each other infected with malware that used this exploit.  The fix is available online or you can call ETC so I can get your security updated and get you protected against this latest threat.  Here is the Microsoft security bulletin and the automated fixit is here.  You have to manually run this file on every affected machine.  This only protects against the latest exploit.  If you have not kept current on the other Windows updates you are open to other issues that this fixit won’t protect you against.  A more comprehensive fix is being worked on, but until it is available this fixit is the best solution that ETC Maryland is able to recommend.

The hits to Linksys (now Belkin) routers keep coming.  It’s really gotten to the point I can’t recommend these any longer.  Might be time for a spike in Sophos UTM home installations?

Bizarre attack infects Linksys routers with self-replicating malware | Ars Technica.

First it was Target.  Then Neiman Marcus notified.  Next was Michael’s.  Now it is White Lodging’s turn.  I’ll simply quote from Brian Krebs’s article:

White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.

Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those same sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa.

Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporation, which bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.

White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”

Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:

“They are in the midst of the investigation and are in close contact with the banks and credit card companies.  We are working closely with the franchisee as they investigate the matter.  Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.  As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”

Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.

Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

Folks, our credit card technology is stone age based.  What’s worse is the security regulations governing these cards’ data are even more ancient.  Most of the regulations are semi-voluntary.  Couple that with no real consequences for the firms involved and fraud is not only common, it’s rampant.  Put some real consequences for these fraudulent breaches into effect (such as 5% of the annual GROSS income for the breached entity upon the first offense, doubling for each subsequent breach over the next 5 years) and this nonsense would stop very quickly.  Right now free monitoring is simply a cost of doing business for these large firms.

People have been getting riled up about the latest Facebook permission.  There’s good reason to be concerned.

Now the official response: “If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message.”

What does this mean?  FACEBOOK IS READING YOUR TEXTS!  Now for many folks they don’t care and that’s fine.  However, if you are a high security entity (HIPAA, accountant, lawyer, etc.) then you most likely have all kinds of information going through your texts including “private” stuff from your customers.  Facebook scans ALL texts looking for these codes from itself.  Given past warnings about Facebook’s invasive abilities do you honestly think they won’t slurp the rest?  They might not now but I’m sure they will since you gave them permission to do so.

That’s two apps gone from my phone now.  Starbucks and Facebook.  While a smartphone isn’t secure in the least (a BlackBerry is the only exception) just handing over everything is something you can put a throttle on.

The latest breach isn’t Target’s first breach, it turns out.  Back in 2005 they were compromised as well.  If this report is true, many retailers have not upgraded to modern security on their front ends in over 10 years.  If this is true the big box stores are going to have serious problems for quite some time.

A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus in 2013? No: This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team were eventually caught, and he’s now serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raises an obvious question: How is it possible that nearly a decade after the Gonzalez gang pulled off their heists, little has changed in the protection of bank card data?

Target got off easy in the first breach: A spokeswoman told Reuters that only an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were all hit hard.

This time around, if past is prelude, Target will be forced to pay out millions in fines to the card companies if it’s found that the retailer failed to properly secure its network, as well as pay reparation to any banks who had to issue new cards to customers. In addition, class-action lawsuits are already being filed against Target by customers, and lawmakers are lining up to make an example of the retailer.

But Target’s latest misfortune should have come as a surprise to no one — least of all to Target itself. The security measures that it and other companies implement to protect consumer data have long been known to be inadequate. Instead of overhauling a poor system that never worked, however, the card industry and retailers have colluded in perpetuating a myth that they’re doing something to protect customer data — all to stave off regulation and expensive fixes.

“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

via Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again | Threat Level | Wired.com.

NM’s breach is more significant than Target’s because of the length of the known compromise.  Folks, the same advice I gave for Target now goes to NM.  If you used the same card at Target and NM and you’ve already re-issued, that’s good.  If you don’t know which one it is, it’s time to re-issue them all.

The computer network at Neiman Marcus was penetrated by hackers as far back as July, and the breach was not fully contained until Sunday, according to people briefed on the investigation.

The company disclosed the data theft of customer information late last week, saying it first learned in mid-December of suspicious activity that involved credit cards used at its stores. It issued another notice on Thursday, elaborating slightly.

The latest notice said that “some of our customers’ payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information.”

The company apologized again, and said it did not believe the customers’ Social Security numbers or birth dates — key pieces of personal data — had been compromised.

Neiman Marcus defended its decision not to disclose anything until last week, saying it waited to confirm evidence. The company said nothing about when the attack began and when it was contained.

Neiman has not publicly given any estimate of how many credit card numbers were stolen, or how many customers were affected.

In a call with credit card companies on Monday, though, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, people briefed on the call said, speaking on the condition of anonymity because of the investigation.

The issue at Neiman appears to have gone on for significantly longer than the widespread attack on Target. In Target’s case, however, the data that was stolen appears to be much more significant and ripe for fraud. Target has said card numbers from 40 million customers were stolen, along with encrypted PINs for debit cards. It also estimated that other personal information belonging to 70 million people had been stolen by the hackers.

Neiman Marcus said on Thursday that it had “no knowledge of any connection” between its data breach and Target’s.

via Breach at Neiman Marcus Went Undetected From July to December – NYTimes.com.