Category Archives: Hacks

Home Internet Router Hack Steals Banking Credentials

An attack first spotted in August against D-Link routers has spread to more than 100,000 routers across 70 different models.

The attack originally targeted Brazilian banking customers by compromising their internet router and changing its DNS server setting, so that requests for the bank’s web site resolve to a bogus, look-alike banking site.  From there, the attackers collect your credentials.

Not satisfied with the catch, the attackers are ramping up.  The attack code looks for default and easy-to-guess router admin passwords as well as other router vulnerabilities.

This attack is going to be difficult to stop unless router owners deal with it themselves.
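A quick check for the symptom described above, as an added example (mine, not code from the original post or from the researchers): it flags a resolver the router hands out that you did not choose, and flags a bank hostname that resolves differently through the router than through a resolver you trust.  The resolv.conf text and the answer sets are constructed; the allowlist is an assumption and should hold your own router address and chosen resolvers.

```python
"""Flag a router whose DNS settings, or the answers it gives, look hijacked.

Added example, not code from the original post. The inputs are constructed:
a resolv.conf-style block as a DHCP client would write it from the router's
lease, and two sets of A-record answers for one hostname, one obtained through
the router's resolver and one through a resolver you trust. The allowlist is
an assumption; put your own router address and chosen resolvers in it.
"""

# Resolvers you expect to see: the router itself plus the public resolvers
# you deliberately configured. Anything else is suspect.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Constructed sample: what a hijacked router hands out. 203.0.113.0/24 is a
# documentation range standing in for the attacker's DNS server.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
nameserver 192.168.1.1
nameserver 203.0.113.77
"""


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def untrusted_resolvers(resolv_conf: str, trusted=TRUSTED_RESOLVERS) -> list:
    """Nameservers that are not on the allowlist.

    The campaign described above swaps the router's upstream DNS for servers
    the attackers run; a resolver you did not choose is the tell.
    """
    return [ns for ns in parse_nameservers(resolv_conf) if ns not in trusted]


def answers_disagree(via_router: set, via_trusted: set) -> bool:
    """True when the router's resolver returns an address the trusted resolver
    never does. CDNs legitimately rotate among several addresses, so only
    addresses absent from the trusted answer count as disagreement."""
    return not set(via_router) <= set(via_trusted)


def audit(resolv_conf: str, via_router: set, via_trusted: set) -> dict:
    """Combine both checks into one report; either finding means act now."""
    return {
        "untrusted_resolvers": untrusted_resolvers(resolv_conf),
        "answers_disagree": answers_disagree(via_router, via_trusted),
    }


if __name__ == "__main__":
    # Constructed answers for the bank's hostname: the router's resolver
    # points at a look-alike site, the trusted one at the real host.
    print(audit(SAMPLE_RESOLV_CONF, {"203.0.113.80"}, {"198.51.100.10"}))
```

On a real machine, feed it the contents of /etc/resolv.conf (or the DNS servers shown in your network settings) and the A records you get from `dig @<router> bank.example` versus `dig @9.9.9.9 bank.example`.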

What to do?

Make sure that your router’s admin interface is not accessible from the Internet (the setting is usually labelled remote management or WAN administration).  It is difficult to secure, so just make it invisible.

For banking, make sure that you use two factor authentication.  While not impossible, it makes the hacker’s job much harder.

Change default router passwords to ones that are hard to guess.

Finally, make sure that you patch your router regularly or configure it to automatically patch itself.

Make your local hacker work to get into your network.

Source: The Register.


Voice Phishing Scams Are Getting Better

Brian Krebs, the former Washington Post columnist turned security sleuth (the Post eliminated his position because, apparently, cyber security was not important), reported on several recent vishing (voice phishing) scams, two of which involved large sums of money.

These are a word to the wise, both personally and for businesses.

In the first case, Matt Haughey, creator of the community blog MetaFilter and a writer at Slack, received three calls in a row that appeared to come from his credit union.  After ignoring two of them, he answered the third, and it was a phishing attack.

The scammer claimed that the credit union had blocked two phony-looking charges made in Ohio on his debit card.  She knew, and was able to tell him, the last four digits of the card.

He asked for a replacement card because he was about to travel and the caller said he could keep using his card until he got back, but they would block suspect charges.  The scammer read him his entire home address and then asked for his PIN (so that the caller could empty his bank account).  Also she asked for the CVV2 code on the back of his card (so that she could make phony cards and phony charges).

This information was all she needed to clone the card at an ATM.

When he visited his credit union in person, he discovered that he had been had: his bank account was $2,900 lighter from a charge in Atlanta and another $500 lighter from an ATM withdrawal.  The very nice scammer left him with $300 in the bank.

The second attack was on Cabel Sasser, founder of a Mac and iOS software company called Panic.

Again he received a call, this time claiming to be from the Wells Fargo fraud department.  His corporate card had been hit with a $10,000 charge for metal air ducts (how, exactly, do you convert that to cash?).

After he disputed the charge the bank sent him a new card.  That card was hit for a $20,000 bogus charge for custom bathtubs.

He was trying to figure out how this was happening (I have an idea, but if you are curious, you will have to contact me) when he got the bogus fraud department call.

Do you have the card?  What is the CVV2 number?  Key in a new PIN.  Key in your current PIN.  The caller told him the last four of his social to calm his fears.

After $30,000 in fraud, his antennae were up so he told the fraudster he would call the bank back using the number on the card.  Surprise – no new fraud and they didn’t call.

The article goes on to give two more examples.  I regularly get these calls and love to have fun with the scamsters, but I am a little strange.

So what should you do?

#1 – Be aware that these scams are rampant.  The reason they are rampant is that they work very well.

#2 – DO NOT TRUST caller ID.  There is no security whatsoever in the caller ID system.  I could call you and have it appear that the call was from President Trump.

#3 – Understand that with all of the breaches, there is virtually no information that is not in the wild.  One thing that I do is lie on security questions.  That definitely makes things harder, but you have to (a) not repeat the lies from company to company and (b) remember what your lie was.  I use my password manager for that.  If it asks what my favorite color is (I don’t have one), I might answer orange one time, blue the next and green the third time.  As long as I record my answers, I am good.  I do understand that this involves a lot of work, so most people are not up for that.

#4 – last, but most important, if you RECEIVE a call from <your bank> , DO NOT ASSUME that it is your bank.  I know that is a stretch, but $30,000 later, Cabel learned that lesson.  

Call back.  Visit your bank in person.  Call the local branch.  If you have a person at the bank that you have a relationship with (a personal banker), call that person.  
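The trick in #3, random answers to security questions that are recorded rather than remembered, as an added example (mine, not code from the post).  The JSON store is an assumption standing in for a password manager’s notes field; the word list is constructed.

```python
"""Per-site random answers to security questions, kept in a local store.

Added example, not code from the post. The store is a JSON file mapping
site -> question -> answer, an assumption; the notes field of a password
manager serves the same purpose, which is what the post describes.
"""
import json
import secrets
from pathlib import Path

# Constructed word list. The answer only needs to be unguessable and
# recorded, not memorable or true.
WORDS = ["orange", "harbor", "granite", "violet", "lantern", "cobalt",
         "meadow", "pepper", "saddle", "timber", "walnut", "zephyr"]


def make_answer(words=WORDS, count=3) -> str:
    """e.g. 'cobalt-zephyr-harbor-4821': three random words and a number."""
    picked = [secrets.choice(words) for _ in range(count)]
    return "-".join(picked) + f"-{secrets.randbelow(10000):04d}"


def answer_for(store: dict, site: str, question: str) -> str:
    """The recorded answer for (site, question); minted on first use, then fixed."""
    per_site = store.setdefault(site, {})
    if question not in per_site:
        per_site[question] = make_answer()
    return per_site[question]


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    path = Path("security-answers.json")
    store = load_store(path)
    for site in ("bank.example", "broker.example"):
        print(site, "favorite color ->", answer_for(store, site, "favorite color"))
    save_store(path, store)
```

The point of keying by site is the "(a)" above: the same question gets a different answer everywhere, so one breached answer tells a vishing caller nothing about the next bank.  Keep the file inside the password manager, not on the desktop.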

This whole scam model works because people are too quick to trust.

I know that is a terrible thing to say, but it is also terrible to get your bank account cleaned out.

All I can say is beware.  It’s out there on a massive scale.  BECAUSE IT WORKS!

Information for this post came from Brian Krebs.

 


Facebook Hack Compromises 50 Million

Ancient Chinese Proverb: May You Live In Interesting Times.

Well welcome to interesting times.

Today, Facebook said that the accounts of 50 million users were compromised.

The hackers stole the security “tokens” that Facebook uses to keep users logged in, not the passwords themselves.  A valid token lets whoever holds it act as that user without ever seeing the password, which is why Facebook reset those users’ tokens to stop them from being used any further.

Later in the day Facebook said that it had reset another 40 million users’ tokens because they might have been compromised.

Finally, to put a cherry on top of things, Facebook admitted that any site that you log into with your Facebook ID may have been compromised too.

So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites.

Here is why this is interesting.

Hacks are old school. YAWN!

This is the first mega hack since GDPR took effect.  Sure, British Airways lost 380,000 credit cards, but this is 50-90 million users on Facebook alone.  We DO NOT KNOW whether other sites that share logins were affected, but if they were, this could touch dozens to hundreds of companies and hundreds of millions of accounts.  All of them COULD be fined under GDPR.  If that happens, they will likely sue Facebook.  Of course Facebook’s software license agreement with sites like Tinder and Spotify probably says that they use the software at their own risk, but the courts MAY rule that this is negligence and not covered by that disclaimer.  If such a disclaimer exists.  Would companies like Spotify and AirBnB actually agree to terms like that?  Maybe.  That is why this is such an interesting day.  BTW, my token was apparently among those taken, since my login was revoked.  So was Zuck’s.  Karma. 🙂

Remember that fines could go (but likely would not go) as high as 4% of Facebook’s global revenue.

Facebook is already talking to Helen Dixon.  Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands.  I would say, right now, her hands are full.

So what should you do?

Depends on your level of paranoia. 

First, I would change my Facebook password and the password on any other sites that use the same password.  Since we do not THINK that passwords were taken but rather tokens, this is a precaution.

Second, enable two factor authentication.  Facebook’s two factor process is really simple.  When you log in you get a pop up on your phone asking if it is you.  If you click yes, you are logged in.

Third – and this is the most painful one – those sites that you log into with your Facebook userid and password – create a local account.  I know.  It is a pain in the ….. but so is having multiple accounts compromised.  Even if they figure out in this case that didn’t happen, what about next time?  Security. Convenience.  Pick one and only one.
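To make the difference between a stolen token and a stolen password concrete, here is an added example (mine, not Facebook’s code) of how a site can kill every token a user holds in one step, and why a password change on its own does not do that.  The token format, the per-user session generation counter and the in-memory user table are assumptions for the example.

```python
"""Login tokens that can be revoked in bulk, per user, independently of passwords.

Added example, not Facebook's code. Design, an assumption for the example:
each token carries the user id, the user's current session generation and an
HMAC over both. Revoking everything a user has means bumping that generation;
every token minted under the old number then fails verification, while the
password is untouched. The reverse is the point of the advice above: changing
the password does nothing to outstanding tokens unless the generation is bumped
too. The in-memory user table and function names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)      # would live in a KMS in production
MAX_AGE = 90 * 24 * 3600                  # seconds a token stays valid

# user id -> account record; a database row in real life
USERS = {
    "alice": {"pw_salt": b"", "pw_hash": b"", "session_generation": 1},
}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a token bound to the user's *current* session generation."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}:{USERS[user_id]['session_generation']}:{issued}"
    return f"{payload}:{_sign(payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is genuine, current and unexpired, else None."""
    try:
        user_id, gen, issued, sig = token.split(":")
        gen_n, issued_n = int(gen), int(issued)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user_id}:{gen_n}:{issued_n}")):
        return None                                   # forged or tampered
    user = USERS.get(user_id)
    if user is None or gen_n != user["session_generation"]:
        return None                                   # revoked: older generation
    current = time.time() if now is None else now
    if current - issued_n > MAX_AGE:
        return None                                   # expired
    return user_id


def revoke_all_sessions(user_id: str) -> None:
    """What 'we reset the access tokens' means: one counter bump, every token dies."""
    USERS[user_id]["session_generation"] += 1


def change_password(user_id: str, new_password: str, revoke: bool = True) -> None:
    """Store a new password hash; only revokes tokens if asked to."""
    salt = secrets.token_bytes(16)
    USERS[user_id]["pw_salt"] = salt
    USERS[user_id]["pw_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000)
    if revoke:
        revoke_all_sessions(user_id)


if __name__ == "__main__":
    stolen = issue_token("alice")
    print("stolen token valid:", verify_token(stolen) == "alice")
    change_password("alice", "correct horse battery staple", revoke=False)
    print("still valid after password change:", verify_token(stolen) == "alice")
    revoke_all_sessions("alice")
    print("valid after revocation:", verify_token(stolen) == "alice")
```

The demo at the bottom is the whole lesson: the stolen token survives a password change unless the site also revokes sessions, which is why "change your password" is a precaution here and not a cure.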

Information for this post came from Business Insider.


Credit Card Theft Continues to Rise

The hackers seem to be winning.

One solution I have advocated for over the last many years to reduce credit card fraud is a technique called credit card tokenization.  When a merchant accepts a credit card, that card information is immediately tokenized and that token is all that the merchant keeps.  If they need to rerun the credit card, say for a monthly recurring charge, they present that token to their payment processor and they get paid.  If hackers steal the tokens, it does them no good because those tokens can be locked down to that merchant or even to that server.
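What merchant-bound tokenization looks like in code, as an added example (mine, not any payment processor’s): the vault lives at the processor, the merchant stores only the token, and a token lifted from one merchant’s database is refused at every other merchant.  The token format, the Luhn check at intake and the class names are assumptions; the card number is the standard test number.

```python
"""Merchant-bound card tokenization, as described above.

Added example, not any processor's code. The vault is an in-memory dict
standing in for the payment processor's token vault; the merchant never sees
it and stores only the token. Token format, the Luhn check at intake and the
function names are assumptions for the example.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    """Reject obviously malformed card numbers before they reach the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Lives at the payment processor. Maps token -> (card number, merchant)."""

    def __init__(self):
        self._entries = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Random token, last four kept for receipts; nothing about the PAN is derivable.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._entries[token] = (pan, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        """Authorise a recurring charge presented with a token.

        A token lifted from merchant A's database is worthless at merchant B:
        the vault refuses to map it to a card for anyone but its owner."""
        entry = self._entries.get(token)
        if entry is None or amount_cents <= 0:
            return False
        pan, bound_to = entry
        if not secrets.compare_digest(bound_to.encode(), merchant_id.encode()):
            return False
        # ...the processor would now authorise amount_cents against pan...
        return True


class Merchant:
    """What the merchant keeps: the token only, never the card number."""

    def __init__(self, merchant_id: str, vault: TokenVault):
        self.id, self.vault, self.customers = merchant_id, vault, {}

    def save_card(self, customer: str, pan: str) -> None:
        self.customers[customer] = self.vault.tokenize(pan, self.id)

    def bill(self, customer: str, amount_cents: int) -> bool:
        return self.vault.charge(self.customers[customer], self.id, amount_cents)


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant("shop-a", vault)
    shop.save_card("customer-1", "4111111111111111")   # standard test number
    print("monthly bill:", shop.bill("customer-1", 999))
    # A breach of shop-a's database gives the attacker this token...
    stolen = shop.customers["customer-1"]
    # ...which does them no good anywhere else.
    print("stolen token at another merchant:", vault.charge(stolen, "shop-b", 999))
```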

So the hackers innovate, even though the vast majority of merchants still don’t tokenize.

They slip a tiny bit of JavaScript (about 15 lines) into a library that MANY merchants load on their checkout pages, and it watches for a card number passing through the payment form.  They grab the card data in the shopper’s browser, before it is encrypted and before it is tokenized, so tokenization on the server never gets a chance to help.

Since online transactions do not take advantage of chip technology (yet), card data stolen this way can be replayed at other online merchants.

This week’s announcement is Newegg.com, a computer hardware and software seller.  The hackers ran wild from mid-August to mid-September.  The malware is called Magecart.

This is the same malware that attacked Ticketmaster and also British Airways.

Along with thousands of other sites.

So What do you do?

If you are a merchant, you have to deal with both the lack of security on your web server that could allow a bad guy to install Magecart and the third-party code you load on your checkout page, since the skimmer is buried inside some other software that you use as part of your development.   Eliminating this is part of what the DoD calls SCRM, or Supply Chain Risk Management.  Not easy, but absolutely required.
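One concrete control for the checkout-page half of that problem is Subresource Integrity: hash the exact script bytes you reviewed, put the hash in the script tag, and the browser refuses to run a copy that has been modified, which is exactly what a skimmer added to that library would be.  The example below is mine, not code from the post or any vendor; the "library" is a constructed stand-in and the helper names are assumptions.

```python
"""Pin a third-party script with Subresource Integrity so a modified copy will not load.

Added example, not code from the post or from any vendor. The script body below
is a constructed stand-in for a checkout-page library; in practice you hash the
exact bytes you reviewed, put the hash in the <script> tag, and the browser
refuses to execute a copy whose bytes no longer match, which is exactly what a
skimmer injected into that library would produce.
"""
import base64
import hashlib
import hmac

# Constructed stand-in for the vendor library you reviewed and approved.
REVIEWED = b"window.checkout = function(form){ /* reviewed build 1.2.3 */ };\n"
# The same file as served later, with a line somebody added.
TAMPERED = REVIEWED + b"// one extra line is all it takes\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form the integrity= attribute expects."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag for your template; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def matches_integrity(body: bytes, integrity: str) -> bool:
    """The browser's check, reproduced so a build or monitoring job can verify
    that what the CDN is serving right now still matches what was reviewed."""
    algo, _, expected = integrity.partition("-")
    try:
        return hmac.compare_digest(sri_hash(body, algo), f"{algo}-{expected}")
    except ValueError:
        return False


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/checkout.js", REVIEWED)
    print(tag)
    integrity = sri_hash(REVIEWED)
    print("reviewed copy loads:", matches_integrity(REVIEWED, integrity))
    print("tampered copy loads:", matches_integrity(TAMPERED, integrity))
```

SRI only covers scripts the browser fetches by URL; for libraries bundled into your own build, the equivalent is pinning dependency versions and reviewing what changed before you ship.  A Content Security Policy that lists where scripts may load from and where form data may be sent closes off the other route the skimmer needs.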

If you buy things online, you can protect yourself by shopping locally.  🙂

Sure.  That is not gonna happen.

But there are a couple of things you can do.

Sign up for text alerts from your bank or credit card company so that you get notified EVERY time your card gets used, in real time.  That way, at least, you can kill the card before even the first fraudulent transaction clears.

Second, you can use one of the issuers that offer single-use credit card numbers.  The biggest issuer that does this, that I am aware of, is Capital One.  Their service, called Eno (one spelled backwards), includes a browser plugin that automatically issues disposable card numbers, each uniquely tied to a single merchant.  If a number is stolen, it can’t be used at a different merchant, and while that number is tied to your actual card, the real card number is never exposed; if that one site is hacked, only that one number has to be replaced, not every card you own.  And since there is a browser plugin, the process is pretty simple to use.

The last option I have is to use prepaid cards.  Most banks offer them.  Chase calls theirs Chase Liquid, for example.  Sometimes the bank charges a few bucks a month for the service, but often you can get them to waive that.  That card is tied to your online userid but the account does not draw from any other account.  If you, for example, leave $100 in that account, that is the max the bad guys will get and you will be reimbursed by the bank if the charge is unauthorized.  The challenge is that you have to manage having exactly the right amount of money in that account, so the Capital One strategy is a lot easier.

Information for this post came from The Hacker News.


Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your iPhone or iPad with just 15 lines of code.  The code exploits a weakness in WebKit, iOS’s web rendering engine, which Apple requires every browser and app on iOS to use for rendering web content, so anything that renders HTML on iOS is affected. That means anyone sending you a link on Facebook or Twitter, any web page you visit that includes the code, or anyone sending you an email containing it. TechCrunch tested the exploit on iOS 11.4.1, the most recent release at the time, and confirmed that it crashes and restarts the phone.  Source:  TechCrunch

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC’s net neutrality rules, said that California’s new law replacing those repealed rules is illegal.   Why?  Because, he says, it is preempted by Federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk at a conservative think tank in Portland, Maine.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you for data if you use the carrier’s own service, or a service that has paid the carrier a lot of money, but does charge you to use a service that has not written them a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source:  Motherboard

Another Day, Another Crypto Currency Exchange Hacked

Japanese crypto currency exchange Zaif was hacked to the tune of $60 Million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange;  the rest owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that it will compensate users for the $40 million or so of customer funds that were lost, and has sold the majority of the company for 5 billion yen (roughly the amount of customer money that was stolen).

Assuming that deal actually closes, they figure out how the attack happened and fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the mean time, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious login attempts per month between January and April, and over 8 billion during May and June, at sites that Akamai front-ends.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48 hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source:  Help Net Security.
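What a credential-stuffing run looks like in a login log, and the simplest detection that separates it from a real customer mistyping a password, as an added example (mine, not Akamai’s code or the post’s).  The log lines are constructed in an assumed one-line-per-attempt format; the regex is the part you adapt to whatever your identity provider actually emits.

```python
"""Spot credential stuffing in authentication logs: one source trying many
different accounts with a low success rate.

Added example, not Akamai's code or the post's. The log lines are constructed
in an assumed one-line-per-attempt format; map the regex to whatever your
identity provider or load balancer actually emits.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample. 203.0.113.5 walks through a leaked list; 198.51.100.20
# is a real customer who fat-fingers their password twice.
SAMPLE_LOG = """\
2018-09-20T10:00:01Z ip=203.0.113.5 user=alice result=fail
2018-09-20T10:00:01Z ip=203.0.113.5 user=bob result=fail
2018-09-20T10:00:02Z ip=203.0.113.5 user=carol result=ok
2018-09-20T10:00:02Z ip=203.0.113.5 user=dave result=fail
2018-09-20T10:00:03Z ip=203.0.113.5 user=erin result=fail
2018-09-20T10:00:03Z ip=203.0.113.5 user=frank result=fail
2018-09-20T10:00:04Z ip=203.0.113.5 user=grace result=fail
2018-09-20T10:00:05Z ip=198.51.100.20 user=alice result=fail
2018-09-20T10:00:09Z ip=198.51.100.20 user=alice result=fail
2018-09-20T10:00:15Z ip=198.51.100.20 user=alice result=ok
""".splitlines()


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def stuffing_sources(lines, min_distinct_users=5, max_success_rate=0.2):
    """Return {ip: summary} for sources that look like credential stuffing.

    A stuffing bot tries each leaked (user, password) pair once, so it touches
    many accounts and mostly fails. The successes it does get are the accounts
    whose owners reused a breached password; those need a forced reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hits": set()})
    for e in parse(lines):
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["ok"] += 1
            s["hits"].add(e["user"])
        else:
            s["fail"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        attempts = s["ok"] + s["fail"]
        if len(s["users"]) >= min_distinct_users and s["ok"] / attempts <= max_success_rate:
            flagged[ip] = {
                "attempts": attempts,
                "distinct_users": len(s["users"]),
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The "compromised" list is the actionable output: those are the customers who reused a breached password and whose sessions and passwords need resetting, whether or not you also block the source.  Real campaigns spread attempts across proxies, so in practice you group by ASN or by a device fingerprint as well as by IP.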


Researchers Hack Tesla Key Fob in 2 Seconds

Researchers have figured out how to hack a Tesla’s key fob in under two seconds.  That’s impressive.  Remotely.  In this case, remotely means that they do not have to touch the fob or the car, but they do have to be pretty close to it, within radio range of the fob.  Still, it is not particularly hard to be near the car.

The researchers say that the technique should work on any keyless entry system, but maybe that isn’t quite true.

Tesla’s keyless entry system is made by Pektron and it uses relatively weak encryption.  We have actually seen this exact problem before with other cars, such as the system that VW uses and sells to many other manufacturers (which I have written about in the past).  So it is probably fair to say that other manufacturers have similar problems, but not necessarily the same one.  And maybe not all of them.

Because computers are fast and disks are big, the researchers made a table of all 2 to the 40th possible keys for the fob’s 40-bit cipher.  That is only about 6 terabytes, a disk that you can easily attach to a PC, never mind a more powerful computer.

Then you need about $600 of radio hardware to capture the fob’s encrypted responses while the owner unlocks the car.  You get the encrypted code that way.

Then all you have to do is look the captured response up in the table you built and, voilà, you have the key and can clone the fob.  This MAY BE true for other manufacturers as well.  As I recall, the VW hack was even easier.
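The structure of that attack in miniature, as an added example (mine, not the researchers’ code): a table of every key’s answer to one chosen challenge, two queries to the victim’s fob, one lookup, one clone.  The fob cipher here is a toy keyed hash with a 16-bit key, an assumption so the table builds in well under a second; the real fob’s 40-bit key is why its table ran to terabytes.  The challenge values and the secret key are constructed.

```python
"""Why a small key space kills a challenge-response fob: precompute every key's
answer to one chosen challenge, then look the real fob's answer up.

Added example, not the researchers' code. The fob cipher here is a toy keyed
function with a 16-bit key (an assumption so the table builds in well under a
second); the real fob used a 40-bit key, which is why its table ran to
terabytes rather than kilobytes. The attack structure is the same: one table
built once, two queries to the victim's fob, one lookup, one clone.
"""
import hashlib
from collections import defaultdict

KEY_BITS = 16                            # toy; scale the idea, not the number
CHALLENGE_A = b"\x01\x02\x03\x04\x05"    # the chosen challenge the table is built for
CHALLENGE_B = b"\xaa\xbb\xcc\xdd\xee"    # a second one, used to weed out collisions


def fob_response(key: int, challenge: bytes) -> int:
    """Toy stand-in for the fob's cipher: keyed hash, truncated to 16 bits."""
    h = hashlib.blake2s(challenge, key=key.to_bytes(2, "big"), digest_size=2)
    return int.from_bytes(h.digest(), "big")


def build_table(challenge: bytes) -> dict:
    """response -> [keys] for every possible key. Done once, offline."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[fob_response(key, challenge)].append(key)
    return table


def recover_key(table: dict, fob) -> list:
    """`fob` is a callable challenge -> response, i.e. radio access to the
    victim's fob for the couple of seconds it takes to ask it two questions."""
    candidates = table.get(fob(CHALLENGE_A), [])
    answer_b = fob(CHALLENGE_B)
    # Several keys can share one 16-bit response; the second query settles it.
    return [k for k in candidates if fob_response(k, CHALLENGE_B) == answer_b]


def make_fob(secret_key: int):
    """The victim's fob: answers any challenge with its secret key."""
    return lambda challenge: fob_response(secret_key, challenge)


if __name__ == "__main__":
    table = build_table(CHALLENGE_A)          # the "6 terabyte" step, in miniature
    victim = make_fob(0xBEEF)                 # constructed secret key
    keys = recover_key(table, victim)
    print("recovered:", [hex(k) for k in keys])
    # A clone built from the recovered key answers the car's own challenges.
    car_challenge = b"\x10\x20\x30\x40\x50"
    print("clone matches fob:", fob_response(keys[0], car_challenge) == victim(car_challenge))
```

Nothing here depends on a flaw in the cipher's design; the only thing being exploited is that the key is small enough to enumerate.  That is why the fix is a bigger key (the new fob) or not answering strangers at all (disabling passive entry), not a patch to the lookup.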

Tesla attempted to defend itself by saying that other car makers have crappy security too.  Not much of a defense.

So what do you do?

First, maybe passive entry is not the most secure thing in the world, so ask yourself whether you really NEED it, or whether it is just a cool toy.

Second, make sure that your insurance will replace your car if it is stolen in this manner.

In the case of Tesla, they warned their customers to disable passive entry.  That may be an option for other cars too.  If you can disable it, do so.

Tesla has created a new key fob that you can BUY, but you need to upgrade the software in the car first.  The software is free; the fob is not.  Still, if it is reasonably priced, you should probably do it.

Owners of other vehicles should check with the dealer for updates and probably search the web periodically to see whether their particular system has been hacked.

Tesla has also added an optional PIN code that must be entered before the car will drive, but you have to enable it.

Generally, there is a trade off between security and convenience.  This is an example of it.    

Check the options in your car and select, maybe, the most secure one instead of the easiest.  Typically the dealer will explain the easiest one because that is also the coolest one.  Leaving the key in the car is also easy, but I don’t recommend that either.

Unless you are ready to buy a new car.  In which case, what color do you like?

Information for this post came from Motherboard.

 
