Domain: krebsonsecurity.com
Stories and comments across the archive that link to krebsonsecurity.com.
Comments · 228
-
Re:The strangest place?
Don't run normal users under the Administrator account, and use Chrome. Also, there are a ton of resources on hardening Windows out there. If you are familiar enough to know how to install and configure Linux, and even if you aren't, then something like this should be trivial: http://krebsonsecurity.com/201...
I'm hardly saying Windows is somehow better or more secure than Linux, just that with a little planning you can avoid having your computer get ruined every time your kids use it.
-
Just what we needed!
Instead of a government theoretically beholden to the Constitution theoretically being held responsible for their actions, we get a corporation practically beholden to nobody but its shareholders selling the information to practically all comers (LexisNexis, anyone?)
In theory, this is shit. In practice, it's worse.
-
Net damage route around, blah blah....
The report posted above is not one of the really hot shit ones. The real stinkers are these two: the ThreatExpert Report and the iSIGHT Partners Report.
-
Re:To avoid the need to wire...
https://krebsonsecurity.com/20...
That's an article about the value a hacked device can deliver to a bad guy. Most of those things won't apply, but a botherder could use your thermostat to send spam. He could also open a reverse command shell to act as a staging point to dig into your internal network from inside your router's firewall, and use it to launch an attack on your banking PC, perhaps. In case you doubt this could happen, it just did. http://www.businessinsider.com...
-
Re: POS
Doesn't appear that way to me..
The actual report on the software installed on the agent makes it pretty clear that the information was being gathered locally and forwarded internally to a collection point before being sent to Russia, like I suggested in previous threads:
http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf
The point of sale machines try to make a connection to \\10.116.240.31\c$\WINDOWS\twain_32 -- an obvious store-and-forward point on the network for exporting the card data outside of Target. Hackers compromised this box, likely named ttcopscli3acs, since the credentials passed to 10.116.240.31 were ttcopscli3acs\Best1_user with a password of BackupU$r.
It also made port 80 requests to 10.116.240.31 -- the server the hackers "owned" inside of Target.
The rest of the breakdown only details the registry changes that happen when you install a service -- which was the install vector. There isn't a discussion of how the skimming/scanning/card-stealing software was distributed, but...
IT WAS OBVIOUS THEY WERE ALREADY INSIDE THE NETWORK - they (p)owned servers - so it's a reasonable guess that they just deployed the software without needing any hole on the workstations.
The twain_32 folder is one of those things that casual inspection would overlook - and obviously did.
-
Re:Stupid People
You can always reduce things. They can sell a smaller subsets.
This. Thefuck is this article? The guy who broke the breach also pointed out where the cards were getting sold at too. This article is a muse on a blog by a supposed "pundit" (pundit, n.: one whose insistence of credibility is the only thing greater than their ignorance).
-
Re:LogMeIn
I have LogMeIn Professional and use it for work. It works well - my main problem with it is that they had a security leak (or sold their user address database), as all the folks who used tagged email addresses for LogMeIn started getting spam on those tagged email addresses.
To this day, LogMeIn refuses to admit there was any leak or anything was sold or anything of the sort. This, despite quite a few tech professionals who know what they're doing seeing this spam.
I still use LogMeIn, but I trust them a hell of a lot less now.
:-/
Discussions:
http://community.logmein.com/t5/Miscellaneous-Offtopic/LogMeIn-leaked-my-email-address/td-p/88548
http://krebsonsecurity.com/2012/12/logmein-docusign-investigate-breach-claims/
-
Re:Copy
A Barracuda will always be able to help in those cases where you forget your password.
http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gear/
-
Re:Firmware update? Unlikely.
They tend to get uppity about people they don't know about touching cash registers too. Though maybe you could go unnoticed, they also seldom tell you up front "we keep our security footage for 10 days", so it's not like you can be sure that you were not recorded doing it.
Despite these measures, somebody managed to tamper with POS terminals in dozens of Michaels stores across the US in 2011 (and ALDI markets the year before) and get away with it. In this case they were skimming PINs. The Secret Service investigated, and two guys were caught a year later. But the guys convicted were ATM cash withdrawers hired for the job, not the masterminds or the POS tamperers.
-
Re:I don't suppose...
So you are advocating that journalists keep all their data on computers, because we all know that if data is encrypted, computers are impregnable fortresses of data security -NOT. When data brokerage services, hundreds of U.S. companies, the Iranian nuclear program, and banks are hacked and botnets run wild, not to mention the NSA spying, I would argue that even if you had an IT security department you might be safer keeping only paper records.
-
Re:How he was caught using Windows :)
"Link to indictment contained within too."
'There were 801 listings under the category "Digital Goods," including offerings for pirated media content, hacked accounts at various online services such as Amazon and Netflix, and more malicious software. For example, one listing, titled "HUGE Hacking Pack **150++ HACKING TOOLS & PROGRAMS**," described the item being sold as a "hacking pack loaded with keyloggers, RATs, banking trojans, and other various malware."' link
-
Re:Tor compromised
Nope.
http://krebsonsecurity.com/wp-content/uploads/2013/10/UlbrichtCriminalComplaint.pdf
That was a fairly interesting read, although the "Based on my training and experience, I know...." phrase got a little redundant. Federal agents must have that set up as a macro, or have a script that just replaces the beginning of every sentence. It sounds like the dude was generally pretty careful, but he basically slipped up by logging into Gmail and leaving clues on social networking (LinkedIn).
-
Re:Tor compromised
Nope.
http://krebsonsecurity.com/wp-content/uploads/2013/10/UlbrichtCriminalComplaint.pdf
TLDR version:
A user named altoids advertised SR on various forums very early on.
Later the same user wanted some dev work done, and used a Gmail address as contact.
Same Gmail address leads to a LinkedIn profile ... and a name and address.
Seize that dude's computers.
Find keys to the kingdom for the SR servers.
-
out of the frying pan and into the fire
Private sector data companies don't have a leak-proof record either http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/
-
Re:Krebs is a scam.
I posted a comment on his blog a while ago where I questioned the validity of the results of his research that caught a lot of attention a while back. For example, one of his biggest finds was that one of the scammers' names is Vasily Ivanovich Petrov, which is just a placeholder name, like Joe Public, in Russian. He never approved my comment or provided any feedback. If he was an actual researcher, he wouldn't silence reasonable criticism towards him.
It's sad to see him get one meaningless article after another on Slashdot.
I posted a suggestion to the Pope on how to run the Catholic church and he never approved the comment. This proves he's a fake, right?
-
Krebs is a scam.
I posted a comment on his blog a while ago where I questioned the validity of the results of his research that caught a lot of attention a while back. For example, one of his biggest finds was that one of the scammers' names is Vasily Ivanovich Petrov, which is just a placeholder name, like Joe Public, in Russian. He never approved my comment or provided any feedback. If he was an actual researcher, he wouldn't silence reasonable criticism towards him.
It's sad to see him get one meaningless article after another on Slashdot.
-
Re:Working link to article
-
Working link to article
-
Also good report from Brian Krebs
There is also an interesting report from Krebs on Security, about how underground web actors talk about moving to new digital currencies.
-
Re:as opposed to the 300 trillion
Your comparison to HSBC fails because (1) HSBC was not specifically set up to facilitate money laundering and other criminal activity, and (2) the vast majority of HSBC's business is not in support of criminal activity.
I would love to know how they found out that the majority of LR customers were criminals. There is no evidence of it in the indictment, just the claim.
-
What took them so long?
For all the talk about "ZOMG the US government/New World Order/Illuminati is going to take our moneez!" in this thread, I'm surprised there's been absolutely no mention of what Liberty Reserve was often used for: the crimeware trade.
Head over to Krebs on Security for a better idea of why shutting down Liberty Reserve is a Good Thing.
-
Re:Good for them.
They disabled Java Web Start too, so whole corporations and government departments are suddenly shut down.
Whole government departments shut down? Holy ground, Batman, it's the promised cyber Pearl Harbour, and it's not the Iranians, it's Apple!
Quoting Brian Krebs:
This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don't need it, junk it.
So Apple's move is a commendable one. If corporations really want the security nightmare that is Java, they can re-enable it themselves, it's Joe Sixpack end-user that needs protection, which is what Apple is doing.
(And this is completely ignoring the question of which government departments are running on OS X rather than Windows).
-
Re:Another idiot buying into the bitcoin scam.
I don't get it. What do you have against Bitcoin? Has it killed your dog or something?
Your post is a stream of non-sequiturs. Yes, the primary exchange was hacked
... once ... and it resulted in a minor loss that the exchange covered from their own profits. Users did not lose any money. Yes, very tiny ad-hoc "one man and his dream" exchanges have also been hacked, but hardly anyone used them, so again, the impact was very minimal. Do you think US banks never get hacked or robbed? Think again. Many US banks have unbelievably woeful security that results in accounts being routinely emptied. Consumer accounts are insured by the government but business and organizational accounts aren't, yet many of them are protected by nothing more than a password or secret question/answer. That's absurd. Now nothing stops you under-protecting your Bitcoins, but at least you can upgrade to more security if you want. You're not at the mercy of your local bank.
What on earth makes you think that starting a "virtual business is more trivial than a physical business"? Did you step out of a timewarp from the 70s? Do you think competing with Amazon is inherently easier than competing with your local supermarket? Exchanges, as you note, rely heavily on their users trust in their security (as do all financial institutions). That's what stops them "simply reforming under a new identity". They'd be starting from zero and have no advantage over anyone else. And FYI financial regulations do apply to Bitcoin exchanges as they would any other online currency exchange. That's one reason the big ones all demand government issued ID in the same way a bank would.
Feel free to laugh at people who are using a next-generation financial system. It's been many years and Bitcoin is still around and doing fine, so I doubt anyone will care.
-
The best way to avoid a cyberheist
But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it's becoming increasingly difficult to tell when a system is or is not infected. That's why I advocate the use of a Live CD approach for online banking." link
Or don't use Microsoft Windows ...
-
Mystery solved!
-
EMET not effective
MS suggests using EMET (a tool that enforces ASLR and DEP), but Brian Krebs reports that this does not really plug the hole.
-
Re:Anyone surprised?
Do you check all ATMs, gas pumps, etc. that you use for card skimmers? http://krebsonsecurity.com/all-about-skimmers/ , http://www.thelocal.de/national/20110818-37041.html and http://boston.cbslocal.com/2011/11/17/atm-skimming-device-found-at-eastern-bank-in-taunton/
They are getting pretty good at making realistic ones. And in some cases have gotten them inside gas pumps.
If that was addressed to me: yes, I do, always. Although, as you say, some skimmers now are undetectable to the customer.
-
Re:Anyone surprised?
Do you check all ATMs, gas pumps, etc. that you use for card skimmers? http://krebsonsecurity.com/all-about-skimmers/ , http://www.thelocal.de/national/20110818-37041.html and http://boston.cbslocal.com/2011/11/17/atm-skimming-device-found-at-eastern-bank-in-taunton/
They are getting pretty good at making realistic ones. And in some cases have gotten them inside gas pumps.
-
Re:....someone get that link...
“As today’s arrests show, the modern, high-tech bank heist does not require a gun, a mask, a note, or a getaway car. It requires only the Internet and ingenuity,” Manhattan U.S. Attorney Preet Bharara said in a written statement. “And it can be accomplished in the blink of an eye, with just a click of the mouse."
If Owen is jaded, it may have something to do with the legal nightmare he and his company had to endure after the theft. A month following the cyber heist, the firm’s bank – Plains Capital Bank – sued Hillary Machinery in a preemptive bid to convince a judge to declare that the bank’s online security was commercially reasonable and capable of protecting customers from the latest cyber threats.
Both parties later settled the dispute for an undisclosed amount. But there are many similar cases now working their way through U.S. courts, as more and more businesses and banks tussle over who is responsible for cyber heists that frequently net thieves hundreds of thousands of dollars.
More often than not, victimized businesses are left holding the bag. That’s because unlike consumers – who under U.S. law cannot be held liable for fraud against their accounts if they report the unauthorized activity promptly – businesses enjoy no such protections.
-
Require java plugin
Too bad it requires Java support. I removed it since its security risk outweighs its benefit.
-
Re:Parking Garages?
Those sorts of devices are actually pretty common, and vary from obvious boxes that clip on the bottom of the existing readers to an entire fake fascia for ATMs.
They come back, get the device/SD card/data wirelessly, and make a clone of the card from a blank.
Krebs has a whole section on it. http://krebsonsecurity.com/tag/atm-skimmer/
-
Criminal
They should have to tell us who the processor is, by law.
It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.
https://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393
-
Re:No Source?
No, it's real. I saw it on Krebs earlier. http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/
-
Really, no fucking article?
And slashdot gets increasingly pathetic. Well, if anyone cares to RTFA:
http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html
Not a whole lot of info from any source, Krebs seems to be the best though:
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393
-
Re:Do you shop at just one brick and mortar?
Do you also verify where every debit card reader is physically connected, and audit that none of the electronics are malicious and skimming your data? link
-
Re:WTH?
As was said before, yet you trust the waitress to wander off into another room for several minutes with your card? Do you even know what a skimmer is? Do you realize you've likely given your card AND pin to several of them already at your local ATM? This is no less secure and far more convenient and cheaper for the merchants. Electronic banking is fundamentally broken, this isn't making it worse.
-
ATM faceplates
It will be a good source for ATM faceplates that skimmers can hide their gear under...
-
Re:Security?
That's why the only site I allow ads on is krebsonsecurity.com. Brian Krebs reviews every ad that runs on his site. When some criminals tried to sneak in a 'malvertising' ad he saw it, stopped it (actually the ad network flagged it first) and posted about what had happened.
If it's not too much work for one man to do, then any big site should be able to put in the effort. Anyone who won't gets blocked.
-
Re:So what?
Macs are general use PCs and have proven to be virus/worm/problem free for years in the hands of "normal" users.
They haven't proven shit, as there are still many exploits out for the Mac; they just silently fix them or take three years to get around to it. Fact is there have been tons of exploits for OS X, but the fanbois and Apple do their best to pretend they don't exist. Then you have the fact that Apple is usually the first to fall in Pwn2Own.
Apart from the ignored viruses and how their computers always get owned first in hacking competitions, they're great products; just don't go on a bullshit run with a spiel about how amazing OS X is at security. It's not; it's terrible, and it's not even on Apple's radar. They're focused on UX, not security.
-
Re:First thing first
Detail it to Brian Krebs. He would be a very good source of information on what to do.
http://krebsonsecurity.com/
-
Re:Ready, fire, aim
Yes, but even in the case of "normal usage looking transactions", any decent credit card company will immediately refund the purchase if you call them and tell them you noticed a purchase on your bill that you did not make. I have done this before; never had an unauthorized purchase stay on my account for longer than it took to report, with both my Visa (Bank of Nova Scotia) and my AmEx accounts. The credit card companies want people to use their cards for things like online purchases, and react extremely quickly to reverse any fraudulent charges; they want you to have a good experience using their services. Interestingly enough, one fraudulent purchase someone made with my card info was a donation to the United Way: they were testing to see if the info was valid, and once the donation went through, they moved on to trying to buy cellphones at a Bell outlet.
Now, fraudulent bank transfers from PERSONAL accounts are also reversed, but it can take a long time to make the bank do that. Fraudulent bank transfers from BUSINESS accounts are not protected, and often the bank will fight you in court and try not to refund you. Brian Krebs has lots of info on fraudulent bank transfers on his blog at http://krebsonsecurity.com/
Buying stuff via credit card is the safest way to make online/electronic purchases: at least if the bad guys steal your financial information, you can easily/quickly undo the damage with a single phone call. Same goes for offline purchases as well, I suppose. It can take forever to get a bank to refund your money if the crooks used a card skimmer and grabbed your bank card info and PIN while you were buying gasoline at the local station, then emptied your account from a bank machine.
-
Why you should care
Why you should care about Chronopay.
Basically, if you've ever had to remove fake anti-virus software from a PC or a Mac, there's a good chance that Chronopay were involved somewhere.
-
As malware makers do HELP WANTED job ads
Not a joke, I was actually astounded (mainly, @ their nerve):
Criminal Classifieds - Malware Writers Wanted:
http://krebsonsecurity.com/2011/06/criminal-classifieds-malware-writers-wanted/
APK
P.S.=> Will wonders NEVER cease?
... apk
-
Re:Russia is really corrupt
Well at least people already know the suspect.
-
Re:Typo in article?
Not a typo, here is an example of a recent prosecution -- http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-mariposa-botnet-creator-operators -- and many more are being hunted down, as Brian Krebs writes about: http://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/#more-8707
-
Re:I am ironically....
You might want to check with HB Gary on that.
-
And the PR spin:
“They didn’t just pick on any company, but we try to protect the US government from hackers. They couldn’t have chosen a worse company to pick on.” -Greg Hoglund, co-founder HBGary Source: http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/
-
Greg Hoglund the other owner of HBGary?
That guy's a really well-known security author/researcher, mostly from his books and from the rootkit devel community rootkit.com, which now seems to be down as well. Take a look at http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/
They managed to social engineer a site network admin into giving them SSH access. Hoglund has apparently given a phone interview of some sort, but I can't find a transcription if one exists.
-
Re:identity's?
You are retarded. It looks like the security firm was showing how social media reveals more information than people think. In fact, they explicitly stated that they had no data worth providing to the authorities (nothing criminally actionable), nor were they planning on it. "Anonymous activists should be able to see — if they read the email they’ve stolen — that HBGary ultimately decided not to publicly air any of the members it had identified"
So it looks like they were planning on showing how to use social media to connect the dots, not sending people to prison. Besides, anything they find could have easily been done by the Feds already anyway. It's all internet-sourced material.