Category Archives: Hacks

VISA SAYS: Ongoing Cyber Attacks at Gas Pumps

Visa published an alert that says that point of sale (PoS) system of North American Fuel Dispenser Merchants (as in gas stations and the folks that make the systems that allow you to “pay at the pump”) are being targeted in credit card skimming attacks.

The attack is ongoing, increasing and coordinated – by cybercrime groups.

The Visa fraud disruption unit alert described several attacks.  While stores were supposed to installed chip readers by 2015 (if they don’t they get to pay for any fraud linked to their lack of chip card readers) but gas stations got an extension and are just now installing chip readers in pumps (they were supposed to do it by October 2019, but now they have until October 2020).

One of the benefits of chip readers is that the card information is encrypted at the pump and not decrypted until it arrives at the gas station’s bank.  Since most pumps still have not been upgraded, the data does not get encrypted until it leaves the gas station, if at all.

This means that if the hacker can get malware installed in the gas station they can likely read the credit cards.

Here is the part that affects all businesses:

Individual gas stations are independent from the brands, for the most part, and many are completely independent.  That makes them small businesses that don’t have an IT department.

The attacks usually start by infecting the computer in the office – someone is bored and surfs the web.  They visit a sketchy web site and click on an infection link.

Because gas station owners are not IT or security experts, everything is on the same network – as is often the case in many (most?) small to medium sized businesses.

What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system from the smart TV, from the gas pumps, etc.

Doing that makes it MUCH harder for hackers in any business to get to where they want.  In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.

It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.

On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can a couple of things to improve your odds:

  • Use a pump closest to the store – it is the least likely to have a skimmer attached.  That won’t help if the hacker installs malware on the station’s network though
  • Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it)
  • Pay inside – sometimes but not always – that computer gets upgraded before the pumps get upgraded.  Watch how they process your card – if they swipe it, it hasn’t been upgraded.  If they insert it and wait, it has been
  • Last option, if you have to, pay cash

Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there and they have really poor cybersecurity, except, MAYBE, for stations that are owned by the oil companies themselves.  Apparently, according to Visa, that is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.

Source: Bleeping Computer

 

Facebooktwitterredditlinkedinmailby feather

In Case You Thought Russia Was Done Meddling With Elections …

Politics is a pretty interesting game.

In the United States, almost everyone, except the President, thinks that Russia interfered with the 2016 US Presidential elections.

In the UK, there is a report – that the current Prime Minister Boris Johnson has refused to release – on Russian interference in British politics, with some accusing Johnson of a coverup.

Likely in both cases, there are additional agendas.

There is a British election this week after Johnson was unable to get Parliament to agree to his plan for leaving the EU (sound familiar?  The last British PM lost her job for the same reason).  And since politics is a full contact sport everywhere, Johnson’s competitor for the job, Jeremy Corbyn, released some documents that say that Johnson would offer to sell Britain’s National Health Service (NHS) to United States corporations in a trade deal with President Trump.  In Britain, the NHS is considered a national treasure and offering to privatize it to a foreign company is not considered a route to getting yourself elected.  Corbyn “declined” to say where he got the documents and the British government says that they think the documents are real.

One of the places these documents were posted was the social media site Reddit.

Reddit said this past week that the document leak was part of a Russian influence operation known as Secondary Infektion.  It is likely that Secondary Infektion is part of the Russian hacking group Sandworm (if you are interested in this kind of intrigue, I highly recommend the book Sandworm), which is part of Russia’s military Intelligence known as GRU.  As a result of their investigation, Reddit has banned 61 accounts.  Of course, there is nothing to stop the Russians from creating new accounts.

The combination of Johnson’s refusal to release the report on past Russian hacking of British elections and the posting of and Corbyn’s use of these new documents indicates that Russian interference in worldwide politics has not stopped or slowed down.

It also means that, short of a miracle, Russia will likely interfere with the US elections next year.  Using cyber theft (DNC emails, Clinton Emails, Boris Johnson documents) is far easier than hacking into a whole bunch of election machines and changing votes, so that is likely the route the Russians will take next year.

Whether Russia’s release of the Boris Johnson documents will affect this week’s British Prime Minister’s election is unknown and even if Johnson loses, he can blame many factors other than Russia for his loss.

Still, is shows that politics remains a full contact sport – a reality that is not likely to change anytime soon.

Information for this post came from the Guardian.

 

Facebooktwitterredditlinkedinmailby feather

Feds Offer $5 Mil For Evil Corp. Leader

Not sure if this is inspired by the Mr. Robot Series (Evil Corp) or not, but this guy is in big trouble now.

He is being charged with conspiracy, conspiracy to commit fraud, wire fraud, bank fraud and intentional damage to a computer.

The feds say that he stole tens of millions using the banking trojans Dridex and Zeus.  He drives a custom Lamborghini, they say.

In addition to putting out the arrest warrant, Treasury is sanctioning his company.

While I don’t think that President Trump’s bestie, Vladimir Putin, is going to turn the guy over to us, as a high roller, the treasury sanctions mean that he cannot access the U.S. financial system – banks, credit cards, wire transfers, etc. will all be frozen if he  tries.  He also cannot travel to all of those beautiful, warm, scenic vacation spots he is used to.  I hear Kiev is nice this time  of year, however.  If he goes through customs in any country we have an extradition treaty with, he will be immediately arrested.  That recently happened when a Russian hacker visited Israel.  He is now in federal custody awaiting trial in the United States after spending 4 years in a nice Israeli prison.

$5 million is the largest reward the feds have ever offered for something like this.

Of course, in the decade that he has been active, he stole tens of millions of dollars from his victims by using those trojans to empty their bank accounts.  By 2015 Dridex was among the active banking trojans in the wild.

The trojan would transfer money to the account of a “money mule” and the mules would then forward the money on to the bad guys, keeping a slice for themselves.

The trojan targeted banks, companies, cities; even non-profits, as well as individuals.

Separately, the FBI issued an alert about this trojan.  It is pretty active, stealing people’s money.  Still.   It can interfere with your web browsing (redirecting you to attacker controlled web sites), among other nasty actions.  This version can even lead to a ransomware attack, encrypting files on your computer.   Sometimes the attack is combined with Powershell Empire, which allows it to do reconnaissance and move laterally to other machines on your network.  This combination would allow it to encrypt all computers on your network.

If you do not have access to the FBI alert, contact me;  I cannot post it publicly but I can provide a copy to appropriate people.

While the FBI is not saying, given the size of the reward offered and also the alert, there must be a lot of (stolen) money involved.

Information for this post came from Threat Post and the FBI.

Facebooktwitterredditlinkedinmailby feather

British Nuke Plant Attack Kept Quiet

The nuclear power industry has always been nervous about people’s fear of some form of nuclear meltdown.  Whether it was Three Mile Island or Chernobyl, the spectre of something bad happening at a nuclear plant has been the story of made for TV movies.

The UK Telegraph newspaper has obtained information, using a freedom of information request, that indicates that the UK National Cyber Security Center, part of the GCHQ (sort of equivalent to the US NSA), has been helping a British nuclear plant recover from a cyber attack.

This news comes after reports last year from the FBI and DHS that the Russians (and not the Chinese) have been have been attacking our critical infrastructure, at least since 2016.

Because they are worried that people will freak out, they are keeping the details of who was hacked and what was hacked secret.  I am sure that will make people feel better.  Unless the attack was really bad.  In which case not knowing and speculating might be better than knowing.

The document, from a Nuclear Decommissioning Agency Board Meeting was dated March 13, 2019.  The Telegraph says that it is likely the first KNOWN successful cyber attack on a British nuclear plant.  I am not sure how comforting that is.  They are not suggesting that it is the first successful attack but rather the first successful attack that we have heard about.

Since no one is providing details, we don’t know whether this is a Chernobyl-style issue or a random computer virus on an office computer.  On the other  hand, if they had to ask GCHQ for help, I am guessing that it is not an office virus.

One security expert pointed out that if you assume whichever nuke plant or plants were hacked are no less secure than the ones that haven’t been hacked YET, it isn’t smart to tell other hackers how this or these plants were hacked.

This follows on to the revelation in October that an Indian nuclear plant was hacked – after they first said that reports of a hack was a lie.  I guess the lie was by the Indian government.

This also follows the WSJ article that said that  more than a dozen US utilities were targeted (I assume successfully) by hackers recently

In fairness we should not forget that the US hacked Iran’s nuclear program years ago.  We would say that we are the good guys, so that is okay.  Not everyone might agree with that interpretation, including Russia, so they might say that the US legitimized hacking the nuclear industry.  Source: The Telegraph .

 

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Android Malware Uses Screen Overlay to Steal Credentials and Credit Cards

Malware is like any other piece of software.  Version one is usually pretty crappy – want vendors like to affectionately call a “minimum viable product”.  Sometime minimal is loosely defined.

In this case the malware is called GINP.  The trojan has been in the wild since June.  In the five months since,  it has evolved.  It started out as a Google Play Verifier.  It stole incoming and outgoing text messages.

A later version added an “overlay” – a layer over the top of the screen that popped up when you opened an app like Facebook, WhatsApp or a bunch more.  That overlay asked for a credit card and that information went to the attackers.

The next version added code to make it harder to detect the app.

Then it morphed.  Today it is going after Spanish banks – 24 apps from 7 banks right now, but it looks like that is just a start.

You can imagine what the hackers might do with online banking credentials.

The overlays can mimic whatever they want to – they cover the whole screen.

One downside to the technique is that it requires the user to give it a specific permission generally used for apps for handicapped people called the “accessibility” permission.

Even if this app does not morph to US banks, users should be careful.

Look at what permissions an app is asking for – don’t just blindly say yes.

Look for telltale signs.  This malware is going to make it look  like you have been logged out of the app and need to log back in.  It will also ask for credit card info.  Don’t do that if it doesn’t seem right.

Turn on two factor authentication.  That way, at least, if they have your credentials, they don’t have the second factor. 

Be selective about what apps you install – and uninstall apps that you do not use any more.

Nothing is bulletproof, but make it harder for the bad guys.  Source: CSO Online

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending November 15, 2019

Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week

Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found and paid out $1.6 million in October to over 550 hackers, representing 1,800 submissions.  Of those, 327 were categorized as priority 1.  These payouts are an additional way for companies to do software testing beyond what they do internally.   Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is?  Source: Bleeping Computer.

 

National Privacy Bill Introduced

I may have to eat these words.  But I doubt it will become law.  HR 4978, the Online Privacy Act, has been introduced.

The sponsors says it is to address the appalling lack of digital privacy rights in the U.S. due, they say, to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.

You, of course, get “free” services because you are the product.

The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have.  Any bets on whether it becomes law?  Source: The Internet Patrol.

 

Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers

White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event.   They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices.  Just shows that IoT devices are not so secure.  Source: Security Week

 

Court Rules The Fourth Amendment Applies, Even to the Government

A Massachusetts court  has ruled Customs and ICE Need “reasonable suspicion” before searching a citizen’s computer or phone at the border.  This is, over course, the complete opposite of what Customers and ICE currently do, which is that they can search anything, any time for any reason.  The case is likely to be appealed to the Supremes, so stay tuned.  Source:  The Register

 

Trusted Platform Module (TPM) Fails with TPM-Fail Attack

The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type.  Not only does this affect computers, but it also affects many IoT devices that have security.  There are patches available from the TPM vendors.  Source: Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather