Monthly Archives: April 2015

Firefox 37.0.1 disables features after vulnerabilities found

The March 31 release of Firefox 37 introduced the opportunistic encryption feature to the browser. By Friday that feature had been disabled in a 37.0.1 update after a researcher found a critical vulnerability that could be exploited.

Security researcher Muneaki Nishimura identified the flaw.

“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server,” according to an advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a [MitM], replacing the original certificate with their own.”

Other critical issues addressed in Firefox 37.0.1 included use-after-free vulnerabilities, memory corruption crashes, and miscellaneous memory safety hazards. The update also fixed a flaw in the Android version of the browser that allowed privileged URLs to bypass restrictions.
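To make the advisory concrete, here is an added illustration (not Mozilla's code) of the check an HTTP/2 client is supposed to perform before following an Alt-Svc header under RFC 7838: the alternate server's certificate must chain to a trusted root and be valid for the origin host name, not merely for the alternate host. The header value, host names and SAN lists below are constructed.

```python
# Added illustration (not Mozilla's code): parse an Alt-Svc header as
# RFC 7838 defines it, then apply the check that the Firefox 37.0 bug
# skipped. An alternative service may only be used when the TLS
# certificate it presents chains to a trusted root AND is valid for the
# ORIGIN host name; a certificate that merely matches the alternate host
# is not enough, because otherwise a MitM could inject an Alt-Svc header
# pointing at a server holding a certificate for a name it controls.
from dataclasses import dataclass

DEFAULT_MAX_AGE = 86400  # RFC 7838 default when the "ma" parameter is absent


@dataclass
class AltService:
    protocol: str   # ALPN protocol id, e.g. "h2"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int = DEFAULT_MAX_AGE


def parse_alt_svc(header: str) -> list[AltService]:
    """Parse 'proto="host:port"; ma=N, ...' into AltService records.
    Returns [] for "clear" and silently drops malformed fields."""
    header = header.strip()
    if not header or header == "clear":
        return []
    services = []
    for field in header.split(","):
        parts = [p.strip() for p in field.split(";")]
        proto, eq, authority = parts[0].partition("=")
        if not eq or not (authority.startswith('"') and authority.endswith('"')):
            continue
        host, colon, port = authority[1:-1].rpartition(":")
        if not colon or not port.isdigit():
            continue
        max_age = DEFAULT_MAX_AGE
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value)
        services.append(AltService(proto.strip(), host, int(port), max_age))
    return services


def name_matches(san_entry: str, host: str) -> bool:
    """DNS-ID matching as in RFC 6125: exact match, or a wildcard in the
    left-most label only, matching exactly one label."""
    san_entry, host = san_entry.lower(), host.lower()
    if san_entry == host:
        return True
    if san_entry.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == san_entry[2:]
    return False


def alternative_usable(origin_host: str, cert_san_dns: list[str],
                       chain_trusted: bool) -> bool:
    """The gate a client must apply before switching to an alternative:
    the alternate server's certificate must validate AND name the origin."""
    if not chain_trusted:
        return False
    return any(name_matches(n, origin_host) for n in cert_san_dns)


def usable_alternatives(origin_host: str, header: str,
                        presented: dict[str, tuple[list[str], bool]]) -> list[AltService]:
    """Filter parsed alternatives by the certificate each one presented.
    `presented` maps the alternate host (the origin host for the "" case)
    to (SAN DNS names, chain_trusted); this is constructed input standing
    in for the result of a real TLS handshake."""
    keep = []
    for alt in parse_alt_svc(header):
        target = alt.host or origin_host
        sans, trusted = presented.get(target, ([], False))
        if alternative_usable(origin_host, sans, trusted):
            keep.append(alt)
    return keep


if __name__ == "__main__":
    # Constructed scenario: the origin advertises two alternatives.
    hdr = 'h2="alt.example.net:443"; ma=600, h2=":8443"'
    certs = {
        # Alternate host presents a valid cert, but only for its OWN name:
        # exactly the case the Firefox 37.0 bug let through. Rejected.
        "alt.example.net": (["alt.example.net"], True),
        # Same host on another port presents the origin's own cert. Accepted.
        "www.example.com": (["www.example.com", "example.com"], True),
    }
    for alt in usable_alternatives("www.example.com", hdr, certs):
        print("usable:", alt)
```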


Via: scmagazine

36 percent in survey don’t think it’s necessary to back up data

Globally, 36 percent of users don’t think it’s necessary to back up their data, a survey from Avast has revealed.

In Russia that number rose to nearly 50 percent in the study, which measured the data preservation habits of more than 288,000 people in countries around the world, including the U.S., Mexico, Russia, Germany and India.

At the same time, 64 percent of respondents reported that they were more concerned about the data on their device than about the device itself. A quarter of the people surveyed felt their contacts were the most important pieces of information on their phones. Of those who did report backing up their data, 41 percent do so monthly, while a small portion, eight percent, back up their data daily.


Via: scmagazine

‘Do Not Track’ no longer default setting for Microsoft browsers

Microsoft has stepped up its efforts to put privacy controls in the hands of its customers and keep up with evolving standards around tracking by no longer enabling Do Not Track (DNT) as “the default state in Windows Express Settings,” according to a blog penned by the company’s Chief Privacy Officer (CPO) Brendon Lynch.

While it may seem counter-intuitive from a privacy standpoint, since DNT “was welcomed by many” two years ago when it arrived in Internet Explorer 10 (IE 10) to protect users from unwanted tracking, concerns had arisen over whether the tactic reflected true user choice, especially, Lynch said, since efforts were afoot to establish an “industrywide standard for user tracking preferences.”

After continued refinement of the language of how “users express a preference regarding tracking” by the World Wide Web Consortium (W3C), Microsoft is “updating our approach to DNT to eliminate any misunderstanding about whether our chosen implementation will comply with the W3C standard,” Lynch wrote.

The language in the latest draft of the W3C’s standard says that “‘Key to that notion of expression is that the signal sent MUST reflect the user’s preference, not the choice of some vendor, institution, site, or network-imposed mechanism outside the user’s control; this applies equally to both the general preference and exceptions,’” Lynch noted. “‘The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user.’”

Last year, Yahoo ditched the DNT setting, saying that the web browser technology, meant to prevent third parties from collecting users’ web browsing activities, had failed to become an efficient, “user-friendly” standard. And AOL followed suit, amending its privacy policy to stress it wouldn’t follow DNT requests, noting that the lack of a standard on the requests allowed companies to interpret them as they saw fit.

While DNT will no longer be the default in Windows Express Settings, Microsoft “will provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so,” Lynch wrote. “This change will apply when customers set up a new PC for the first time, as well as when they upgrade from a previous version of Windows or Internet Explorer.”

Future versions of Microsoft browsers will “clearly communicate to consumers whether the DNT signal is turned off or on, and make it easy for them to change the setting,” Lynch said.


Via: scmagazine

Once Every Four Days, The US Power Grid Is Under Attack

According to a recent analysis of federal energy records, the nation’s power grid experiences cyber and physical attacks nearly once every four days.

The investigation revealed that the critical infrastructure of the US power grid sustained 362 attacks between 2011 and 2014, causing outages or other power disturbances, according to US Department of Energy records. In the majority of these instances, the suspects responsible for the attacks were never identified.

“A widespread outage lasting even a few days, could disable devices ranging from ATMs to cellphones to traffic lights, and could threaten lives if heating, air conditioning and health care systems exhaust their backup power supplies,” read the USA Today report.

The examination, led by USA Today and more than 10 Gannett newspapers and TV stations across the country, analyzed thousands of pages of official government records and federal energy data, as well as a survey of more than 50 electric utilities.

Key findings from the study revealed:

  • The industry’s security guidelines are written and enforced by an organization funded by the power industry itself. The number of security penalties it issued decreased by 30% from 2013 to 2014.
  • Critical equipment, including transformers, is often visible in plain sight, merely protected by chain-link fencing and a few security cameras.
  • Less severe cyber attacks occurred more often than once every four days.

As former chairman of the Federal Energy Regulatory Commission Jon Wellinghoff explains, the issue of power grid security becomes even more alarming considering its reliance on other physical equipment and a small number of critical substations.

The result is the high likelihood of “cascading failures” – in other words, the failure of a single element requires energy to be extracted from other areas. If multiple operations fail simultaneously, this cascading effect could leave millions in the dark for days, weeks or even longer.

“Those critical nodes, in fact, can be attacked in one way or another,” said Wellinghoff. “You have a very vulnerable system that will continue to be vulnerable until we figure out a way to break it out into more distributed systems.”

Tripwire Senior Security Analyst Ken Westin adds that this risk continues to increase as more critical infrastructure becomes connected to IT networks, which are, in turn, connected to the Internet.

“Most industrial control systems use antiquated software and protocols intended for stability and efficiency, not security, as these systems were not originally designed to be accessed by the modern interconnected networks we have today,” said Westin.

Previous incidents impacting the industry have led to small yet essential steps toward improving the policies and procedures that protect the nation’s power grid.

In 2013, a coordinated attack against a northern California Pacific Gas & Electric Metcalf substation served as a wake-up call to the industry. As a result of the incident, FERC ordered the implementation of new rules for physical security, requiring utilities to identify potentially vulnerable critical infrastructure and map out security plans.

“It’s one of those things: One is too many, so that’s why we have to pay attention. The threats continue to evolve, and we have to continue to evolve as well.”

–Cheryl LaFleur, Federal Energy Regulatory Commission Chairman

Additionally, PG&E announced a $100 million investment in 2014 over the next three years on substation security for several high-priority facilities, including enhanced intruder detection systems.

The company also partnered with other utilities and industry associations to share information in a collaborative effort to identify new and innovative ways to further protect the electric power industry.

Nonetheless, records from hundreds of other recent incidents prove that similar weaknesses continue to threaten the security of thousands of electric facilities across the nation, opening the gate for more cyber and physical attacks to come.


Via: tripwire

‘NewPosThings’ malware evolves, malicious traffic traced to airports

While observing the evolution of point-of-sale malware, called NewPosThings, Trend Micro traced suspicious traffic back to two U.S. airports.

The NewPosThings malware family was uncovered last September by Arbor Networks, and in a Wednesday blog post, Trend Micro threat analyst Jay Yaneza revealed that recent malware attempts to connect to NewPosThings’ control hub were seen. The traffic resolved to IP addresses associated with the unnamed airports, he explained.

Of note, Trend Micro found variants of the malware that target 64-bit Windows systems, as opposed to earlier iterations of NewPosThings that were compatible with 32-bit versions.

“Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines,” Yaneza wrote. “These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.”

In recent months, researchers have detected noticeable changes in the malware, including the fact that the latest variant of NewPosThings, version 3.0, disables security warnings on systems and uses custom packers with added anti-debugging methods.

Regarding the suspicious traffic coming from two airports, Yaneza said that – combined with reports last month of a credit card breach at Los Angeles International Airport (LAX) – there appears to be a trend of POS attackers targeting travelers.

“No matter which country, airports represent one of the busiest establishments where there are transactions being made all year round,” he wrote. “This further reinforces the fact that POS malware, and the threat actors behind it, may have definitely matured to branch out to targets other than large retailers or small merchants.”

In a Friday interview with SCMagazine.com, Christopher Budd, global threat communications manager at Trend Micro, said that, “In a post-Target world, anything that takes a credit card is going to be something that attackers are going to look at” as a possible attack vector. Cybercriminals also take advantage of the fact that many consumers “suffer from idea compartmentalization,” not considering that card terminals at the last airport they traveled through may be just as appealing, if not more so, to credit card data thieves as those belonging to big box retailers, he explained.

“That’s why POS attacks are so viable right now, because from an attacker’s point of view, [these avenues] are nearly as attractive as PCs,” Budd said.


Via: scmagazine

Are Credit Monitoring Services Worth It?

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.


Experian ‘protection’ offered for Target victims.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one).  But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done.  It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster.  And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.

AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.

In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”

Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.

AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).

I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.

Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax.

“After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”

Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide.

Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores.

“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”

Avivah Litan, a fraud analyst with Gartner Inc., rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.

-Most won’t tell you if a new wireless or cable service has been taken out in your name.

-They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.

-They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.

-They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. Medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.

“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”

DO THESE SERVICES HELP AT ALL?

“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”

Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).

“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data.  So, some of these firms have access to some extra data than can help in other scenarios.”

While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.

“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”

Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by a jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.

ALTERNATIVES TO CREDIT MONITORING

As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.

You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.

If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.

A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.

Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from the lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.


Via: krebsonsecurity

Sign Up at irs.gov Before Crooks Do It For You

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript from the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: the applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built.  So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”
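The odds Weaver quotes follow from a simple model: four questions with four choices each leaves 4^4 = 256 combinations for a blind guess, and every answer recovered from a public data source removes a factor of four (three known answers leaves 1 in 4, two known leaves 1 in 16). The following is an added illustration of that model, not code from the KrebsOnSecurity article; the four-choices-per-question figure and the attempt budget are assumptions used to show how little guessing resistance remains once public records have answered most of the quiz.

```python
"""Estimate how much guessing resistance a multiple-choice KBA quiz retains
once some answers are recoverable from public data.

Added illustration; not part of the original article. Assumes every
question has the same number of choices and that each attempt is a fresh,
independent quiz (hypothetical simplifications).
"""

from dataclasses import dataclass
from fractions import Fraction
import math


@dataclass(frozen=True)
class KbaQuiz:
    questions: int = 4   # the IRS transcript flow asks four questions (per the article)
    choices: int = 4     # answer options per question (assumed)

    def unknown(self, known: int) -> int:
        """Number of questions the attacker still has to guess."""
        if not 0 <= known <= self.questions:
            raise ValueError("known answers must be between 0 and questions")
        return self.questions - known

    def guess_odds(self, known: int) -> Fraction:
        """Probability that a single blind attempt passes, given `known`
        answers already recovered from public records."""
        return Fraction(1, self.choices ** self.unknown(known))

    def entropy_bits(self, known: int) -> float:
        """Residual secret entropy of the quiz, in bits."""
        return self.unknown(known) * math.log2(self.choices)

    def success_within(self, known: int, attempts: int) -> Fraction:
        """Probability of at least one pass within `attempts` independent
        tries, i.e. what a lockout threshold is really protecting against."""
        fail_once = 1 - self.guess_odds(known)
        return 1 - fail_once ** attempts

    def table(self, attempts: int = 3) -> list[tuple[int, Fraction, float, Fraction]]:
        """Rows of (known, single-try odds, bits left, odds within `attempts`)."""
        return [
            (k, self.guess_odds(k), self.entropy_bits(k), self.success_within(k, attempts))
            for k in range(self.questions + 1)
        ]


if __name__ == "__main__":
    quiz = KbaQuiz()
    for known, odds, bits, within in quiz.table(attempts=3):
        print(f"{known} known: 1 in {odds.denominator:>4}  ({bits:>4.1f} bits)  "
              f"P(pass in 3 tries) = {float(within):.3f}")
```

With the defaults, zero known answers gives 1 in 256 (8 bits), two known gives 1 in 16, and three known gives 1 in 4, matching the figures in the quote above; the last column shows why a three-strike lockout does little once public data has answered most of the questions.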

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes it complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.

Update: The link included in the first paragraph of this story directing readers to create an account with the IRS is currently returning the message: “We are currently experiencing technical issues and unable to process new registrations” at times.

Via: krebsonsecurity

US military trialling Blackphone devices, despite FBI’s renewed anti-encryption rhetoric

Summary: The top-of-the-line Blackphones are said to be “NSA-proof,” despite the FBI’s new policy that demonizes encryption as a “huge problem” for law enforcement.

(Image: CNET/CBS Interactive)

The US military could soon be using encrypted smartphones as part of its efforts to improve its security across its lines of communications.

Speaking to one industry magazine earlier this week, Silent Circle chairman Mike Janke said the company will be providing the US Dept. of Defense with highly encrypted smartphones in a trial for soldiers and staff to use for “both unclassified and classified” work.

The group, which helped build the Blackphone device, is now based in Switzerland — in part to avoid the prying eyes of the US government. But that isn’t stopping the US military from trying out the device, which is approved for use by the Pentagon.

Thanks to a new feature on the device, dubbed Spaces, the locked-down phone can be used for both work and personal uses. Any data used by the employee runs through the military’s networks.

A number of devices are already “out in the field,” according to the report, along with security cleared BlackBerry devices and modified Android-based phones for “secret”-level work.

But it comes at a time when the US government and its law enforcement agencies are pushing back against encryption.

In the past week, the FBI is said to have retracted advice from its website for consumers on how to prevent smartphone and data theft in the case of a lost or stolen device.

It’s yet another step in a long list of incidents pitting the FBI against consumer encryption — including FBI director James Comey saying it puts members of the public “beyond the law.”

The trouble began after Apple began locking down iPhones and iPads last September with the latest version of its mobile software. Google followed suit, but only for limited devices. That was in part due to the revelations leaked by former government contractor and whistleblower Edward Snowden, in which documents showed near unrestrained access to data held by Apple, Google, and seven other major technology giants.

Via: zdnet

Obama Declares Cyber Threats A National Emergency

President Obama declared a national emergency and signed an executive order empowering the government to impose sanctions against anyone viewed as a cyber threat to the United States.

This is a rather historic day for our industry, where the importance of information security has evolved from the IT department, to the boardroom, into politics and now, center stage as a critical component to our economy and way of life.

The primary objective of the order is to place sanctions on criminal hackers targeting American infrastructure and businesses from outside the US. The order gives authority to freeze assets and more power to block potential threats from the US. The order not only covers the harming of US infrastructure but also covers the stealing of intellectual property from American companies, as well as committing fraud against citizens, all of which hurt the US economy.

With the plague of retail breaches that continue to hit US-based retailers, it’s critical we look at these instances not just as individual breaches, but as a wholesale attack against our financial system. Many of those involved in these activities are overseas and are able to operate with impunity within the borders of countries that shield them from US prosecution. Oftentimes, many of these actors also work within these governments.

We have seen robocallers from outside the US defraud people by claiming to be from the IRS, successfully scaring people, particularly senior citizens, into giving them credit card numbers over VOIP networks. The perpetrators of these acts have been able to get away with it due to available technologies that make it easy to evade detection.

I believe it is the goal of the Obama administration with this order to give the US government more power to go after criminal syndicates and fraudsters overseas.

The challenge, however, will still be attribution—you may be able to identify from what country an attack is routed through, but identifying who is behind the keyboard or phone is a different story altogether.

One of the reasons cyber-attacks and technology-enabled fraud have been so prevalent is due to the ease of evading detection and relative anonymity that a number of tools available provide.

It will be interesting to see how the Obama administration looks to enforce this act, and what resources will be applied to implement it.

Via: tripwire

Anonymous Vows to Strike Israel with ‘Electronic Holocaust’

AnonGhost, a group that is said to be affiliated with the global hacking group Anonymous, has released a video in which it vows to punish Israel for its “crimes in the Palestinian territories” with an “electronic Holocaust.”

The video message, which includes English and Arabic subtitles, displays images from the Gaza conflict, including footage of “Operation Protective Edge,” an air strike campaign Israel launched against Gaza last summer.

The speaker in the video cites the footage as evidence of Israel’s “endless” human rights violations against the Palestinians, alleged crimes for which Anonymous vows to punish Israel.

“This is why elite cyber-squadrons, from around the world, will decide to unite in solidarity, with the Palestinian people, against Israel, as one entity to disrupt and erase Israel from cyberspace,” the video concludes. “We’ll show you on 7 April 2015 what the electronic holocaust means.”

This is not the first time a group associated with Anonymous has threatened Israel, explains Benjamin T. Decker, senior intelligence analyst at Tel Aviv-based geopolitical risk consultancy The Levantine Group.

“For the most part, this is posturing. This is actually the fourth year that Anonymous has carried out this Op Israel attack and called on their supporters to erase Israel from the internet,” he says.

“As the years have progressed we have seen that, despite their increasing sophistication in hacking techniques, we have seen less damage against Israeli cyber infrastructures, largely due to Israel’s pioneering of most cyber warfare tactics, both offensive and defensive.”

Anonymous’ hacking campaigns against Israel date back to 2012 and have struck at various Israeli targets including the Israel Defense Forces (IDF), the Bank of Israel, and the prime minister’s office.

Despite the yearly recurrence of Anonymous’ attacks, however, some doubt whether Anonymous is truly involved in #OpIsrael.

“These groups call themselves anonymous, but in reality the Op-Israel hackers responsible for the actions are mostly from the Middle East, with connections to our local conflict,” explains Daniel Cohen, a research associate at the Israel Institute for National Security Studies Cyber Warfare Program (INSS).

Cohen goes on to state he believes the hackers responsible for the yearly attacks are affiliated with Hezbollah and Hamas.

Anonymous’ targets in the Middle East have varied. Most recently, the hacking collective concluded a campaign against ISIS in which it allegedly shut down over 800 Twitter accounts associated with the terrorist group.

Via: tripwire