Wednesday, August 27, 2014

You Don't Need Tor to Access the Darkest Corners of the Internet



You might think you know what the dark net is. It's all those sites that host drug markets, radical forums, child porn, and anything and everything else, and which can only be accessed by special software. Right?

That's a big part of it, but not the whole story. Just ask researcher and author Jamie Bartlett, whose new book, The Dark Net, delves into some of these questionable and under-explored spaces, and he'll tell you we should look wider—and closer to home—when we think about the dark net. Perhaps the darkest parts of the internet are just a few clicks away.

To many, the 'dark net' is a colloquial term for the sites beyond the reach of indexing search engines like Google. They are typically accessed through the Tor browser, which encrypts your internet traffic and recognises the .onion protocol, with the best known being the Silk Road marketplace.



Google Releases Security Updates for Chrome



Google has released Chrome 37.0.2062.94 for Windows, Mac and Linux. This update includes 50 security fixes, some of which could allow a remote attacker to obtain unauthorized access or cause a denial of service.

US-CERT encourages users and administrators to review the Google Chrome release blog and apply the necessary updates.

Friday, August 22, 2014

Backoff Point-of-Sale Malware Campaign



US-CERT is aware of Backoff malware compromising a significant number of major enterprise networks as well as small and medium businesses.

US-CERT encourages administrators and operators of Point-of-Sale systems to review the Backoff malware alert to help determine if your network may be affected.

Organizations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office.

Advanced Fraud Solutions Recognized in 2014 Inc. 5000 list


KERNERSVILLE, N.C. -- Advanced Fraud Solutions, a leading fraud and risk detection software provider, has been recognized by Inc. magazine on its prestigious 2014 Inc. 5000 list, an exclusive ranking of America’s fastest-growing private companies.

“We’re honored to be recognized by Inc. magazine,” said Lawrence Reaves, CEO of AFS. “We continually strive to help our customers eliminate fraud and identify transaction risk; our achievements would not exist without their success. We are excited that we can improve their overall growth with our own.”

The Inc. 5000 is a challenging list to make. For 33 years, Inc. has welcomed the fastest-growing companies in America into a very exclusive club.

“The median company on the list grew a mind-boggling 516 percent. Those are results most companies could only dream of,” said Eric Shurenberg, editor-in-chief of Inc.

AFS has also been a recipient of the Triad Business Journal’s Business Journal Fast 50 award, recognizing the 50 fastest growing companies in the Greensboro and Winston-Salem, North Carolina, area.

About Advanced Fraud Solutions LLC

Based in Kernersville, North Carolina, Advanced Fraud Solutions identifies risk for financial organizations at the earliest points of detection with software that enables the organization to eliminate fraud and ensure compliance. It protects more than 400 customers with fraud and risk detection software at teller, branch, ATM, mobile, remote deposit and item processing channels. For more information, please visit www.advancedfraudsolutions.com.

Source and Full Story Here: http://www.nctechnews.com/2014/08/advanced-fraud-solutions-recognized-in.html

Thursday, August 21, 2014

United Parcel Service Confirms Security Breach



UPS Stores, a subsidiary of United Parcel Service, said on Wednesday that a security breach may have led to the theft of customer credit and debit data at 51 UPS franchises in the United States.

Chelsea Lee, a UPS spokeswoman, said the company began investigating its systems for indications of a security breach on July 31, the day The New York Times reported that the Department of Homeland Security and the Secret Service would be issuing a bulletin warning retailers that hackers had been scanning networks for remote access capabilities, then installing so-called malware that was undetectable by antivirus products.

UPS hired an information security firm and discovered that the malware was on its in-store cash register systems at 51 of its locations in 24 states, roughly 1 percent of UPS’s 4,470 franchises throughout the United States.

In a statement, the company said that customers who had used their debit or credit cards at affected locations, which are listed on the UPS website, from Jan. 20 to Aug. 11, 2014 may have been exposed to the malware, though it said exposure began after March 26 in most cases. UPS said it had eliminated the malware as of Aug. 11.

Wednesday, August 20, 2014

CHS Hacked via Heartbleed Vulnerability



As many of you may have already been aware, a breach at Community Health Systems (CHS) affecting an estimated 4.5 million patients was recently revealed. TrustedSec obtained the first details on how the breach occurred and new information relating to this breach. The initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability which led to the compromise of the information.

This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation. Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.

Mount Olive insurance agent facing fraud charges



MOUNT OLIVE, N.C. — A Mount Olive insurance agent is accused of using his clients’ personal information to get bigger commissions, authorities said Tuesday.

The North Carolina Department of Insurance said Manargo Victor Boykin, 52, of the 600 block of N.C. Highway West, used driver’s license numbers and dates of birth from several clients to write auto insurance coverage for other clients so they could obtain better rates.

Boykin, who worked for Sentry Insurance Company, received about $55,000 in commission from the fraudulent applications between 2010 and 2014, authorities said.

Tuesday, August 19, 2014

Hackers steal data from 4.5 million hospital patients, some in north Alabama



NEW YORK (CNNMoney) — Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.

Anyone who received treatment from a network-owned hospital in the last five years — or was merely referred there by an outside doctor — is affected.

The large data breach puts these people at heightened risk of identity fraud. That allows criminals to open bank accounts and credit cards on their behalf, take out loans and ruin personal credit history.

Jewel-Osco Warns Customers Of Data Breach


CHICAGO (CBS) – Officials at Jewel-Osco were warning customers of a data breach that might have given hackers access to credit card and debit card information, but said there is no evidence the data has been misused.

Jewel’s parent company, AB Acquisition, said the unauthorized access of customer data might have started as early as June 22, and ended as late as July 17.

“Third-party data forensics experts are supporting an ongoing investigation. AB Acquisition has not determined that any cardholder data was in fact stolen, and currently it has no evidence of any misuse of any such data,” the company said in a statement on its website. “AB Acquisition believes that the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.”

The company said the data breach appeared to impact Jewel-Osco stores in Illinois, Indiana, and Iowa; Albertsons stores in California, Idaho, Montana, North Dakota, Nevada, Oregon, Utah, Washington, and Wyoming; and Shaw’s and Star Markets stores in Maine, Massachusetts, New Hampshire, Rhode Island, and Vermont.



Alert (TA14-212A) Backoff Point-of-Sale Malware



Systems Affected
Point-of-Sale Systems

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop,[1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway,[5] and LogMeIn[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.

Similar attacks have been noted in previous PoS malware campaigns [7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider.

Description


“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
Scraping memory for track data
Logging keystrokes
Command & control (C2) communication
Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

Variants

Based on compiled timestamps and versioning information witnessed in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven month period. The five variants witnessed in the “Backoff” malware family have notable modifications, to include:

1.55 “backoff”
Added Local.dat temporary storage for discovered track data
Added keylogging functionality
Added “gr” POST parameter to include variant name
Added ability to exfiltrate keylog data
Supports multiple exfiltration domains
Changed install path
Changed User-Agent

1.55 “goo”
Attempts to remove prior version of malware
Uses 8.8.8.8 as resolver

1.55 “MAY”
No significant updates other than changes to the URI and version name

1.55 “net”
Removed the explorer.exe injection component

1.56 “LAST”
Re-added the explorer.exe injection component
Support for multiple domain/URI/port configurations
Modified code responsible for creating exfiltration thread(s)
Added persistence techniques

Command & Control Communication

All C2 communication for “Backoff” takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.
op : Static value of ‘1’
id : randomly generated 7 character string
ui : Victim username/hostname
wv : Version of Microsoft Windows
gr (Not seen in version 1.4) : Malware-specific identifier
bv : Malware version
data (optional) : Base64-encoded/RC4-encrypted data

The ‘id’ parameter is stored in the following location, to ensure it is consistent across requests:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

If this key doesn’t exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ‘id’ parameter, a static string of ‘jhgtsd7fjmytkr’, and the ‘ui’ parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. For example, with an ‘id’ of ‘vxeyHkS’ and a ‘ui’ of ‘Josh @ PC123456’, the RC4 password would be ‘56E15A1B3CB7116CAB0268AC8A2CD943’ (the MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456’).
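
To make the key-derivation description concrete for incident responders who have a captured C2 request in a proxy log or packet capture, here is an added Python decoder. It is written for this page and is not code from US-CERT, Trustwave or the advisory. It parses the form-encoded POST body, derives the RC4 password as MD5(id + static string + ui) exactly as described, and decrypts the ‘data’ field. Two things are assumptions: that the 32-character uppercase hex MD5 text (the form in which the advisory prints the password) is fed to RC4 rather than the raw 16-byte digest, and the sample request body, which is constructed locally by the block itself and is not a real capture. The per-variant static strings are copied from the File Indicators list further down, so the decoder can also try each of them when the variant is unknown.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

# "Static String (POST Request)" values per variant, copied from the File
# Indicators list in the advisory. Several variants share the same string.
BACKOFF_STATIC_STRINGS = {
    "1.4": "zXqW9JdWLM4urgjRkX",
    "1.55 backoff": "ihasd3jasdhkas",
    "1.55 goo": "jhgtsd7fjmytkr",
    "1.55 MAY": "jhgtsd7fjmytkr",
    "1.55 net": "ihasd3jasdhkas9",
    "1.56 LAST": "jhgtsd7fjmytkr",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream XOR). RC4 is symmetric, so the
    same function both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(id_param: str, ui_param: str, static_string: str) -> bytes:
    """RC4 password = MD5(id || static string || ui), as the advisory describes.
    ASSUMPTION: the 32-char uppercase hex text (the form the advisory prints)
    is the key material, not the raw 16-byte digest."""
    material = (id_param + static_string + ui_param).encode("utf-8")
    return hashlib.md5(material).hexdigest().upper().encode("ascii")


def decode_backoff_post(body: str, static_string: str) -> dict:
    """Parse an application/x-www-form-urlencoded C2 body (op, id, ui, wv, gr,
    bv, data) and decrypt the optional 'data' field with the derived key."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    result = {k: fields.get(k) for k in ("op", "id", "ui", "wv", "gr", "bv")}
    result["data"] = None
    if fields.get("data") and fields.get("id") is not None and fields.get("ui") is not None:
        key = derive_rc4_key(fields["id"], fields["ui"], static_string)
        result["data"] = rc4(key, base64.b64decode(fields["data"]))
    return result


def _looks_like_text(blob: bytes) -> bool:
    return bool(blob) and all(32 <= b < 127 or b in (9, 10, 13) for b in blob)


def decode_with_any_known_variant(body: str) -> list:
    """When the variant is unknown, try each distinct static string and keep
    those whose plaintext is printable. A wrong key yields pseudo-random bytes,
    which almost never pass the printable test. Returns (static, variants, text)."""
    hits = []
    for static in sorted(set(BACKOFF_STATIC_STRINGS.values())):
        plain = decode_backoff_post(body, static)["data"]
        if plain is not None and _looks_like_text(plain):
            variants = [v for v, s in BACKOFF_STATIC_STRINGS.items() if s == static]
            hits.append((static, variants, plain.decode("ascii")))
    return hits


def build_sample_post(id_param: str, ui_param: str, static_string: str,
                      plaintext: bytes, bv: str = "1.55",
                      gr: str = "placeholder-gr") -> str:
    """CONSTRUCTED test input shaped like the parameter list in the advisory, so
    the decoder can be exercised offline. The gr/wv values are placeholders and
    the body is not a real capture."""
    key = derive_rc4_key(id_param, ui_param, static_string)
    enc = base64.b64encode(rc4(key, plaintext)).decode("ascii")
    return urlencode({"op": "1", "id": id_param, "ui": ui_param, "wv": "6.1",
                      "gr": gr, "bv": bv, "data": enc})


if __name__ == "__main__":
    sample = build_sample_post("vxeyHkS", "Josh @ PC123456", "jhgtsd7fjmytkr",
                               b"constructed-sample;not-real-track-data")
    for static, variants, text in decode_with_any_known_variant(sample):
        print(static, variants, text)
```

In practice the body would come from a proxy log or a reassembled HTTP stream; `decode_with_any_known_variant` lets an analyst confirm which variant family produced a request without first identifying the binary, and a decoded ‘data’ field that contains track data or keystrokes is direct evidence of exfiltration for the incident timeline.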

File Indicators:

The following is a list of Indicators of Compromise (IOCs) that network defenders should load into their security tooling and search for, to determine whether these indicators are present on their networks.

1.4

Packed MD5: 927AE15DBF549BD60EDCDEAFB49B829E

Unpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8

Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

Mutexes:

uhYtntr56uisGst

uyhnJmkuTgD

Files Written:

%APPDATA%\mskrnl

%APPDATA%\winserv.exe

%APPDATA%\AdobeFlashPlayer\mswinsvc.exe

Static String (POST Request): zXqW9JdWLM4urgjRkX

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent: Mozilla/4.0

URI(s): /aircanada/dark.php

1.55 “backoff”

Packed MD5: F5B4786C28CCF43E569CB21A6122A97E

Unpacked MD5: CA4D58C61D463F35576C58F25916F258

Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe

Mutexes:

Undsa8301nskal

uyhnJmkuTgD

Files Written:

%APPDATA%\mskrnl

%APPDATA%\winserv.exe

%APPDATA%\AdobeFlashPlayer\mswinhost.exe

%APPDATA%\AdobeFlashPlayer\Local.dat

%APPDATA%\AdobeFlashPlayer\Log.txt

Static String (POST Request): ihasd3jasdhkas

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

URI(s): /aero2/fly.php

1.55 “goo”

Packed MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC

Unpacked MD5: D397D2CC9DE41FB5B5D897D1E665C549

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windows/updcheck.php

1.55 “MAY”

Packed MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B

Unpacked MD5: CA608E7996DED0E5009DB6CC54E08749

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windowsxp/updcheck.php

1.55 “net”

Packed MD5: 0607CE9793EEA0A42819957528D92B02

Unpacked MD5: 5C1474EA275A05A2668B823D055858D9

Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe

Mutexes:

nUndsa8301nskal

Files Written:

%APPDATA%\AdobeFlashPlayer\mswinhost.exe

%APPDATA%\AdobeFlashPlayer\Local.dat

%APPDATA%\AdobeFlashPlayer\Log.txt

Static String (POST Request): ihasd3jasdhkas9

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windowsxp/updcheck.php

1.56 “LAST”

Packed MD5: 12C9C0BC18FDF98189457A9D112EEBFC

Unpacked MD5: 205947B57D41145B857DE18E43EFB794

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

URI(s): /windebug/updcheck.php

Impact


The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

Solution


At the time this advisory is released, the variants of the “Backoff” malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[9],[10],[11] IOCs can be found above.

The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:

Remote Desktop Access
Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[12]
Limit the number of users and workstations that can log in using Remote Desktop.
Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[13]
Change the default Remote Desktop listening port.
Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[14]
Require two-factor authentication (2FA) for remote desktop access.[15]
Install a Remote Desktop Gateway to restrict access.[16]
Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[17],[18]
Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
Limit administrative privileges for users and applications.
Periodically review systems (local and domain controllers) for unknown and dormant users.
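
The brute-force pattern described in the Overview is exactly what the account lockout recommendation above is meant to stop, and the same failed-logon bursts are visible to defenders in the Windows Security log. The following is an added Python detector, written for this page and not part of the advisory or of any US-CERT tooling, that runs a sliding-window count of failed Remote Desktop logons per source address over sample log lines and raises a second, higher-priority alert when a successful logon follows such a burst, which is the moment the campaign moves from guessing to deploying malware. The log format is a simplified, constructed one (timestamp, event id, account, source IP, logon type), modelled on the Security log fields where 4625 is a failed logon, 4624 a successful logon and logon type 10 a RemoteInteractive (RDP) session; the sample lines are constructed and the IPs are documentation ranges, not real data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample, not a real log. One event per line:
#   <ISO timestamp> <event id> <account> <source IP> <logon type>
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive
# (Remote Desktop), following the Windows Security log conventions.
SAMPLE_LOG = """\
2014-07-30T02:14:01 4625 administrator 203.0.113.7 10
2014-07-30T02:14:03 4625 admin 203.0.113.7 10
2014-07-30T02:14:05 4625 pos 203.0.113.7 10
2014-07-30T02:14:08 4625 administrator 203.0.113.7 10
2014-07-30T02:14:10 4625 administrator 203.0.113.7 10
2014-07-30T02:14:12 4625 manager 203.0.113.7 10
2014-07-30T02:16:40 4624 administrator 203.0.113.7 10
2014-07-30T02:20:00 4625 jsmith 198.51.100.22 10
2014-07-30T02:31:00 4624 jsmith 198.51.100.22 10
2014-07-30T02:32:00 4625 jsmith 192.0.2.5 3
"""

EVENT_FAILED = "4625"
EVENT_SUCCESS = "4624"
RDP_LOGON_TYPE = "10"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, user, src, logon_type = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "user": user, "src": src, "logon_type": logon_type}


def detect_rdp_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source IP.

    Emits one 'brute_force' alert per source the first time it reaches
    `threshold` failures inside `window` (the same knobs an account lockout
    policy uses), and a 'success_after_burst' alert when a successful RDP
    logon arrives from a source that still has at least `threshold` recent
    failures, i.e. a guessed credential that now needs to be reset.
    """
    events = [e for e in map(parse_line, lines)
              if e is not None and e["logon_type"] == RDP_LOGON_TYPE]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)   # src -> failure timestamps in window
    users_tried = defaultdict(set)
    already_flagged = set()
    alerts = []
    for e in events:
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0] > window:   # expire failures outside window
            q.popleft()
        if e["event"] == EVENT_FAILED:
            q.append(e["ts"])
            users_tried[e["src"]].add(e["user"])
            if len(q) >= threshold and e["src"] not in already_flagged:
                already_flagged.add(e["src"])
                alerts.append({"type": "brute_force", "src": e["src"],
                               "failures": len(q),
                               "users": sorted(users_tried[e["src"]]),
                               "at": e["ts"]})
        elif e["event"] == EVENT_SUCCESS and len(q) >= threshold:
            alerts.append({"type": "success_after_burst", "src": e["src"],
                           "user": e["user"], "failures": len(q), "at": e["ts"]})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_brute_force(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The threshold and window mirror the lockout threshold and observation window of the account lockout policy, so the detector also serves as a check that the policy is working: on a host where lockout is enforced, a source should never accumulate more failures against one account than the lockout threshold allows. The single failure from 198.51.100.22 followed by a success eleven minutes later is deliberately not flagged, which is the false-positive case (a user mistyping a password) a naive "any failure then success" rule would raise.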

Network Security
Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (i.e., egress) firewall rules, where compromised entities are allowed to communicate from any port to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
Segregate payment processing networks from other networks.
Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).

Cash Register and PoS Security
Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
Install Payment Application Data Security Standard-compliant payment applications.
Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
Perform a binary or checksum comparison to ensure unauthorized files are not installed.
Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
Disable unnecessary ports and services, null sessions, default users and guests.
Enable logging of events and make sure there is a process to monitor logs on a daily basis.
Implement least privileges and ACLs on users and applications on the system.

References



[1] Windows Remote Desktop
[2] Apple Remote Desktop
[3] Chrome Remote Desktop
[4] Splashtop
[5] Windows Pulseway
[6] LogMeIn Official Site
[7] Attacker’s brute-force POS systems utilizing RDP in global botnet operation
[8] Brute force RDP attacks depend on your mistakes
[9] Understanding Indicators of Compromise (IOC)
[10] Using Indicators of Compromise in Malware Forensics
[11] Indicators of Compromise: The Key to Early Detection
[12] Configuring Account Lockout
[13] Securing Remote Desktop for System Administrators
[14] Account Lockout and Password Concepts
[15] NIST Guide to Enterprise Telework and Remote Access Security
[16] Installing RD Gateway
[17] Networking and Access Technologies
[18] Secure RDS Connections with SSL


Monday, August 18, 2014

Breach of Patient Identification Information



US-CERT is aware of a breach of sensitive patient identification information affecting approximately 4.5 million patients and customers of Community Health Systems, Inc. As part of DHS, US-CERT is working together with the FBI and the Department of Health and Human Services to assist in sharing specific vulnerabilities and mitigations with the healthcare industry to prevent additional breaches from occurring.

US-CERT recommends that individuals who suspect they may have been victimized as a result of this breach report any incidents to the FBI's Internet Crime Complaint Center. Tips and advice to stay safe online can be found at STOP. THINK. CONNECT.


Thursday, August 14, 2014

Man Sentenced to 10 Years in Prison on Child Pornography Charges



I usually do not post on things like this but these people need their names published everywhere on the net.



CHARLOTTE, NC—On Wednesday, August 13, 2014, Chief U.S. District Judge Frank D. Whitney sentenced Charles Kevin Bridges to 121 months in prison on federal child pornography charges, announced Anne M. Tompkins, U.S. Attorney for the Western District of North Carolina. Bridges was ordered to register as a sex offender and to serve the rest of his life under court supervision after he is released from prison. Judge Whitney also ordered Bridges to pay $3,000 as restitution to a child pornography victim.

U.S. Attorney Tompkins is joined in making today’s announcement by John A. Strong, Special Agent in Charge of the Federal Bureau of Investigation, Charlotte Division and Chief Stacy Conley of the Gastonia Police Department.

In March 2014, Bridges, 56, of Kings Mountain, N.C. pleaded guilty to one count of receiving child pornography and one count of possession of child pornography. According to filed documents and statements made in court, in January 2013, a law enforcement officer conducting an investigation downloaded images and videos containing child pornography from Bridges’ computer, using a peer-to-peer network. Law enforcement executed a search warrant at Bridges’ residence and seized a laptop computer and a USB drive. Court records indicate that a forensic examination revealed that Bridges possessed an extensive collection of images and videos depicting children as young as toddlers engaging in sexual acts with adults.

Bridges has been in federal custody since his bond was revoked in March 2013. He will be transferred to the custody of the Federal Bureau of Prisons upon designation of a federal facility. Federal sentences are served without the possibility of parole.


LulzSec supergrass Sabu led attacks against Turkey – report



Just months after reports emerged that LulzSec "kingpin" turned FBI snitch Hector Xavier Monsegur had allegedly led cyber-attacks against foreign governments while under FBI control, a "cache of sealed court documents" has provided some more startling reading.

Monsegur – who prosecutors insist is "Sabu", a leading figure in hacktivist group LulzSec – cut a deal with Feds that saw him receive a "time served" sentence of seven months and a one year supervision order back in May instead of the 20-plus years imprisonment that his numerous offences might have attracted without his co-operation in law enforcement investigations against other hackers.


Sabu operated as a "rooter" – someone who can gain root access to systems – in multiple attacks including assaults against HBGary, Fox Television and Nintendo.

Now the Daily Dot reports that Sabu helped forge an alliance between his group "AntiSec" and the politically motivated Turkish "Red Hack" hacking crew.

The news site says it got its hands on a "cache of sealed court documents", which it says show how Sabu recruited Jeremy Hammond, who was sent to jail over the Stratfor hack, to hack into foreign government websites from a list provided.


Wednesday, August 13, 2014

Iran's Internet Users Outsmart Government in Cat-and-Mouse Censorship Game



Tor, a popular online anonymity tool used by many Iranians to bypass Internet censorship, was blocked from late July until the beginning of August. The block prevented 75 percent of the network's estimated 40,000 daily users in Iran from connecting to Tor.

The Iranian government periodically releases new filtering rules intended to block Tor traffic, to which the Tor community typically responds with a same-day antidote for the block.

Tor has been of particular sensitivity since it was widely used by activists, protesters and citizen journalists during the 2009 Green Movement. The software, used by digital activists worldwide, allows users to reach their target website by tunneling through a network of intermediary servers, a process that anonymizes the users along the way and makes their identities indecipherable to ISPs, thus allowing them to circumvent government-imposed censorship. Tor is open source software and has a large community of users and developers who work to detect and eliminate security flaws and bugs, along with filtering by governments.

On July 30, the Tor project reported users couldn't access regular Tor connections in Iran. Tor metrics also showed a drop in the number of users connecting to the service on a daily basis.


Google Releases Security Updates for Chrome



Google has released security updates to address multiple vulnerabilities in Chrome, Chrome OS and Chrome for Android. Some of these vulnerabilities could potentially allow an attacker to obtain sensitive information or cause a denial of service.

Updates available include:
Chrome 36.0.1985.143 for Windows, Mac, Linux, and all Chrome OS devices
Chrome 36.0.1985.135 for Android

US-CERT encourages users and administrators to review the Google Chrome release blog and apply the necessary updates.


Friday, August 8, 2014

Police looking to ID $7,400 bank fraud suspect



GREENVILLE, N.C. - Police need your help to identify a bank fraud suspect.

Officers say the suspect made false deposits through various ATMs in order to inflate and manipulate several newly opened accounts. He then fraudulently withdrew the money before the bank systems caught up with it. The total loss is estimated to be about $7,400.

It happened over the course of a week, from May 29 – June 4.


Wednesday, August 6, 2014

Russian Gang Amasses Over a Billion Internet Passwords



A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.



Tuesday, August 5, 2014

'Team work' leads to felony arrest



Aug. 04--Sampson Sheriff's officials are touting last week's arrest of a 46-year-old Autryville man on an insurance fraud charge as an example of how partnerships between local and state agencies can make a difference in the fight against crime.

Durwood Bradley Horne was arrested July 28 and charged with one count insurance fraud and one count obtaining money/property by false pretenses, both felonies.

The arrest, said Sheriff's Capt. Eric Pope, was the culmination of months of team work between the Sheriff's Office, the Sampson Fire Marshal's office and the N.C. Department of Insurance's Criminal Investigations Division.

The three agencies came together and formed a special task force after several suspected arson cases were identified in the county, specifically in the northeastern area of Sampson.

Pope said Fire Marshal Jerry Cashwell and assistant marshal Prentice Madgar began networking with other fire agencies in Cumberland and Harnett counties to identify suspicious fires with possible links to the Sampson cases. It was through what the captain called their "historic research" that Madgar and Cashwell learned about a suspicious vehicle fire that occurred on N.C. 24 in 2009.


North Carolina Industrial Commission's New Fraud Alerting Tool Results in Criminal Charges Against Employers for Failure to Have Insurance



RALEIGH, N.C., Aug. 4 -- The North Carolina Department of Commerce issued the following news release:

A new fraud alerting tool recently installed by the North Carolina Industrial Commission has led to criminal charges being filed against North Carolina employers who failed to maintain workers' compensation insurance. The Noncompliant Employer Targeting System (NETS) uses data from various state agencies and produces a list of potentially noncompliant employers ranked in terms of priority. NETS went online April 14, 2014.

As part of a proactive enforcement operation in Guilford County using NETS, the North Carolina Industrial Commission identified five employers who had failed to maintain workers' compensation insurance. The North Carolina Workers' Compensation Act requires that all businesses which employ three or more employees, including those operating as corporations, sole proprietorships, limited liability companies and partnerships, obtain workers' compensation insurance or qualify as self-insured employers for purposes of paying workers' compensation benefits to their employees. The Guilford County operation took place on July 21 and 22.


APACHE CORDOVA VULNERABILITY DISCOVERED: 10% OF ANDROID BANKING APPS POTENTIALLY VULNERABLE


IBM X-Force Finds Apache Cordova Vulnerability That Might Expose Nearly 5.8% of Android Apps

The IBM Security X-Force Research team has uncovered a serious vulnerability that affects many Android applications built on the Apache Cordova (previously PhoneGap) platform. According to AppBrain, this affects 5.8 percent of Android apps. While 5.8 percent might sound like a low percentage, some widely-used Android applications are built on Cordova. In fact, researchers found that out of the 248 applications tested containing the keyword “bank,” 25 apps were built using Cordova — roughly 10 percent. This means an attacker could steal users’ banking credentials and perform transactions, such as withdrawing or transferring funds from their bank account to another account.


Friday, August 1, 2014

Sandwich Chain Jimmy John’s Investigating Breach Claims



Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.

Multiple financial institutions tell KrebsOnSecurity that they are seeing fraud on cards that have all recently been used at Jimmy John’s locations.

Champaign, Ill.-based Jimmy John’s initially did not return calls seeking comment for two days. Today, however, a spokesperson for the company said in a short emailed statement that “Jimmy John’s is currently working with the proper authorities and investigating the situation. We will provide an update as soon as we have additional information.”