0 Comments
Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you. The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses. Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration. Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters. Carrie Kerskie is president of Griffon Force LLC, a company in Naples, Fla. that helps identity theft victims recover from fraud incidents. Kerskie recalled a recent case in which thieves purchased pricey items from a local jewelry store in the name of an elderly client who’d previously bought items at that location as gifts for his late wife. In that incident, the perpetrator presented a MasterCard Black Card in the victim’s name along with a fake ID created in the victim’s name (but with the thief’s photo). When the jewelry store called the number on file to verify the transactions, the call came through to the impostor’s cell phone right there in the store. Kerskie said a follow-up investigation revealed that the client had never set up an account at his ISP (Comcast) to manage it online. Multiple calls with the ISP’s customer support people revealed that someone had recently called Comcast pretending to be the 86-year-old client and established an online account. “The victim never set up his account online, and the bad guy called Comcast and gave the victim’s name, address and Social Security number along with an email address,” Kerskie said. “Once that was set up, the bad guy logged in to the account and forwarded the victim’s calls to another number.” Incredibly, Kerskie said, the fraudster immediately called Comcast to ask about the reason for the sudden account changes. “While I was on the phone with Comcast, the customer rep told me to hold on a minute, that she’d just received a communication from the victim,” Kerskie recalled. “I told the rep that the client was sitting right beside me at the time, and that the call wasn’t from him. The minute we changed the call forwarding options, the fraudster called customer service to ask why the account had been changed.” Two to three days after Kerskie helped the client clean up fraud with the Comcast account, she got a frantic call from the client’s daughter, who said she’d been trying her dad’s mobile phone but that he hadn’t answered in days. They soon discovered that dear old dad was just fine, but that he’d also neglected to set up an online account at his mobile phone provider. “The bad guy had called in to the mobile carrier, provided his personal details, and established an online account,” Kerskie said. “Once they did that, they were able transfer his phone service to a new device.” OFFLINE BANKINGMany people naively believe that if they never set up their bank or retirement accounts for online access then cyber thieves can’t get access either. But Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity. “What we found is that the attacker linked the client’s bank account to an American Express Gift card, but in order to do that the bad guy had to know the exact amount of the microdeposit that AMEX placed in his account,” Kerskie said. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled. In this case, had the client established an online account previously, he would have received a message asking to confirm the fraudulent transaction.” After tying the victim’s bank account to a prepaid card, the fraudster began slowly withdrawing funds in $5,000 increments. All told, thieves managed to siphon almost $170,000 over a six month period. The victim’s accounts were being managed by a trusted acquaintance, but the withdrawals didn’t raise alarms because they were roughly in line with withdrawal amounts the victim had made previously. “But because the victim didn’t notify the bank within 60 days of the fraudulent transactions as required by law, the bank only had to refund the last 60 days worth of fraudulent transactions,” Kerskie said. “We were ultimately able to help him recover most of it, but that was a whole other ordeal.” Kerskie said many companies try to fight fraud on accounts belonging to customers who haven’t set up a corresponding online account by sending a letter via snail mail to those customers when account changes are made. “But not everyone does that and if the thief who’s taking advantage of the situation is smart, he’ll simply set up an online account and change the billing address, so the customer never gets that notice,” Kerskie said. MARK YOUR TERRITORYKerskie said it’s a good idea for people with older relatives to help those individuals ensure they have set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online. Helping those relatives place a security freeze on their credit files with the four major credit bureaus (and with another, little known bureau that many mobile providers rely upon for credit checks) can go a long way toward preventing new account fraud. Adding two-factor authentication (whenever it is available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place. This process is doubly important, Kerskie said, for parents and relatives who have just lost a spouse. “When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members,” she said. “And the bad guys absolutely love obits.” Eschewing accounts on popular social media platforms also can have consequences, mainly because most people have enough information about themselves online that anyone can create an account in their name and start messaging friends and family members with various fraud schemes. “I always tell people if you don’t want to set up an online account for social media that’s fine, but make sure you tell your friends and family, ‘If you ever get a social media request from me, just ignore it because I’ll never do that,'” Kerskie advised. In summary, plant your flag online or — as Kerskie puts it — “mark your territory” — before fraudsters do it for you. And consider helping less Internet-savvy friends and family members to do the same. “It can save a lot of headache,” she said. “The sad reality is that criminals very often only need to answer two or three questions to commit fraud in your name, whereas victims typically need to spend hours of their time and answer dozens of questions to undo the resulting fraud.” from https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/ Previous stories here on the proliferation of card-skimming devices hidden inside fuel pumps have offered a multitude of security tips for readers looking to minimize their chances of becoming the next victim, such as favoring filling stations that use security cameras and tamper-evident tape on their pumps. But according to police in San Antonio, Texas, there are far more reliable ways to avoid getting skimmed at a fuel station. San Antonio, like most major U.S. cities, is grappling with a surge in pump skimming scams. So far in 2018, the San Antonio Police Department (SAPD) has found more than 100 skimming devices in area fuel pumps, and that figure already eclipses the total number of skimmers found in the area in 2017. The skimmers are hidden inside of the pumps, and there are often few if any outward signs that a pump has been compromised. In virtually all cases investigated by the SAPD, the incidents occurred at filling stations using older-model pumps that have not yet been upgraded with physical and digital security features which make it far more difficult for skimmer thieves to tamper with fuel pumps and siphon customer card data (and PINs from debit card users). Lt. Marcus Booth is the financial crimes unit director for the SAPD. Booth said most filling stations in San Antonio and elsewhere use legacy pumps that have a vertical card reader and a flat, membrane-based keypad. In addition, access to the insides of these older pumps frequently is secured via a master key that opens not only all pumps at a given station, but in many cases all pumps of a given model made by the same manufacturer. In contrast, Booth said, newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad and referred to in the fuel industry as a “full travel” keypad: Booth said the SAPD has yet to see a skimming incident involving newer pump models like the one pictured directly above. “Here in San Antonio, many of these stations with these older keypads and card slots were getting hit all the time, sometimes weekly,” he said. “But as soon as those went over to newer gear, we’ve seen zero problems.” According to Booth, the newer pumps include not only custom keys for each pump, but also tamper protections that physically shut down a pump if the machine is improperly accessed. What’s more, these more advanced pumps do a better job of compartmentalizing individual components, very often enclosing the electronics that serve the card reader and keypad in separately secured metal cages. “Pretty much all these full travel metallic keypads are encrypted, and if you disconnect them they disable themselves and can only be re-enabled by technician,” Booth told KrebsOnSecurity. “Also, if the pump is opened improperly, it disables itself. These two specific items: The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.” Newer pumps may also include more modern mobile payment options — such as Apple Pay — although many stations with pumps that advertise this capability have not yet enabled it, which allows customers to pay for fuel without ever sharing their credit or debit card account details with the fuel station. One reason that pump skimmers seem to be more pervasive is that authorities across the country are doing a better job of working with banks and federal investigators to determine fuel stations that appear to be compromised. The flip side is that thieves are generally opportunistic, and tend to focus on targeting systems that offer the least resistance and lowest hanging fruit. Unfortunately, there is still a ton of low-hanging fruit, and these newer and more secure pump systems remain the exception rather than the rule, Booth said. In December 2016, Visa delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone. Under previous credit card association rules, station owners that didn’t have chip-ready readers in place by Oct. 2017 would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). Currently, fuel stations have until Oct. 1, 2020 to meet the liability shift deadline. Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance). This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process. In summary, if you have the choice, look for fuel pumps with raised keypads and horizontal card slots. And keep in mind that it may not be the best idea to frequent a particular filling station simply because it offers the lowest prices: Doing so could leave you with hidden costs down the road. If you enjoyed this story, check out my series on all things skimmer-related: All About Skimmers. Looking for more information on fuel pump skimming? Have a look at some of these stories. from https://krebsonsecurity.com/2018/06/how-to-avoid-card-skimmers-at-the-pump/ The U.S. Supreme Court today ruled that the government needs to obtain a court-ordered warrant to gather location data on mobile device users. The decision is a major development for privacy rights, but experts say it may have limited bearing on the selling of real-time customer location data by the wireless carriers to third-party companies. At issue is Carpenter v. United States, which challenged a legal theory the Supreme Court outlined more than 40 years ago known as the “third-party doctrine.” The doctrine holds that people who voluntarily give information to third parties — such as banks, phone companies, email providers or Internet service providers (ISPs) — have “no reasonable expectation of privacy.” That framework in recent years has been interpreted to allow police and federal investigators to obtain information — such as mobile location data — from third parties without a warrant. But in a 5-4 ruling issued today that flies in the face of the third-party doctrine, the Supreme Court cited “seismic shifts in digital technology” allowing wireless carriers to collect “deeply revealing” information about mobile users that should be protected by the 4th Amendment to the U.S. Constitution, which is intended to shield Americans against unreasonable searches and seizures by the government. Amy Howe, a reporter for SCOTUSblog.com, writes that the decision means police will generally need to get a warrant to obtain cell-site location information, a record of the cell towers (or other sites) with which a cellphone connected. The ruling is no doubt a big win for privacy advocates, but many readers have been asking whether this case has any bearing on the sharing or selling of real-time customer location data by the mobile providers to third party companies. Last month, The New York times revealed that a company called Securus Technologies had been selling this highly sensitive real-time location information to local police forces across the United States, thanks to agreements the company had in place with the major mobile providers. It soon emerged that Securus was getting its location data second-hand through a company called 3Cinteractive, which in turn was reselling data from California-based “location aggregator” LocationSmart. Roughly two weeks after The Times’ scoop, KrebsOnSecurity broke the news that anyone could look up the real time location data for virtually any phone number assigned by the major carriers, using a buggy try-before-you-buy demo page that LocationSmart had made available online for years to showcase its technology. Since those scandals broke, LocationSmart disabled its promiscuous demo page. More importantly, AT&T, Sprint, T-Mobile and Verizon all have said they are now in the process of terminating agreements with third-parties to share this real-time location data. Still, there is no law preventing the mobile providers from hashing out new deals to sell this data going forward, and many readers here have expressed concerns that the carriers can and eventually will do exactly that. So the question is: Does today’s Supreme Court ruling have any bearing whatsoever on mobile providers sharing location data with private companies? According to SCOTUSblog’s Howe, the answer is probably “no.” “[Justice] Roberts emphasized that today’s ruling ‘is a narrow one’ that applies only to cell-site location records,” Howe writes. “He took pains to point out that the ruling did not ‘express a view on matters not before us’ – such as obtaining cell-site location records in real time, or getting information about all of the phones that connected to a particular tower at a particular time. He acknowledged that law-enforcement officials might still be able to obtain cell-site location records without a warrant in emergencies, to deal with ‘bomb threats, active shootings, and child abductions.'” However, today’s decision by the high court may have implications for companies like Securus which have marketed the ability to provide real-time mobile location data to law enforcement officials, according to Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, a nonprofit digital rights advocacy group. “The court clearly recognizes the ‘deeply revealing nature’ of location data and recognizes we have a privacy interest in this kind of information, even when it’s collected by a third party (the phone companies),” Lynch wrote in an email to KrebsOnSecurity. “I think Carpenter would have implications for the Securus context where the phone companies were sharing location data with non-government third parties that were then, themselves, making that data available to the government.” Lynch said that in those circumstances, there is a strong argument the government would need to get a warrant to access the data (even if the information didn’t come directly from the phone company). “However, Carpenter’s impact in other contexts — specifically in contexts where the government is not involved — is much less clear,” she added. “Currently, there aren’t any federal laws that would prevent phone companies from sharing data with non-government third parties, and the Fourth Amendment would not apply in that context.” And there’s the rub: There is nothing in the current law that prevents mobile companies from sharing real-time location data with other commercial entities. For that reality to change, Congress would need to act. For more on the prospects of that happening and how we wound up here, check out my May 26 story, Why is Your Location Data No Longer Private? The full Supreme Court opinion in Carpenter v. United States is available here (PDF). from https://krebsonsecurity.com/2018/06/supreme-court-police-need-warrant-for-mobile-location-data/ In the wake of a scandal involving third-party companies leaking or selling precise, real-time location data on virtually all Americans who own a mobile phone, the four major wireless carriers have responded to requests from a U.S. senator for more details about how the carriers are managing access to this extremely sensitive information. While three out of four providers said they had cancelled data sharing agreements with some of the offending companies, only one — Verizon — pledged to terminate all of them and initiate a wholesale review of their location data-sharing practices. At issue are companies known in the wireless industry as “location aggregators,” entities that manage requests for real-time customer location data for a variety of purposes, such as roadside assistance and emergency response. These aggregators are supposed to obtain customer consent before divulging such information, but several recent incidents show that this third-party trust model is fundamentally broken. On May 10, 2018, The New York Times broke the story that a little-known data broker named Securus was selling local police forces around the country the ability to look up the precise location of any cell phone across all of the major U.S. mobile networks. Then it emerged that Securus had been hacked, its database of hundreds of law enforcement officer usernames and passwords plundered. We also learned that Securus’ data was ultimately obtained from a company called 3Cinteractive, which in turn obtained its data through a California-based location tracking firm called LocationSmart. On May 17, KrebsOnSecurity broke the news of research by Carnegie Mellon University PhD student Robert Xiao, who discovered that a LocationSmart try-before-you-buy opt-in demo of the company’s technology was wide open — allowing real-time lookups from anyone on anyone’s mobile device — without any sort of authentication, consent or authorization. LocationSmart disabled its demo page shortly after that story. By that time, Sen. Ron Wyden (D-Ore.) had already sent letters to AT&T, Sprint, T-Mobile and Verizon, asking them to detail any agreements to share real-time customer location data with third-party data aggregation firms. AT&T, T-Mobile and Verizon all said they had terminated data-sharing agreements with Securus. In a written response (PDF) to Sen. Wyden, Sprint declined to share any information about third-parties with which it may share customer location data, and it was the only one of the four carriers that didn’t say it was terminating any data-sharing agreements. T-Mobile and Verizon each said they both share real-time customer data with two companies — LocationSmart and another firm called Zumigo, noting that these companies in turn provide services to a total of approximately 75 other customers. Verizon emphasized that Zumigo — unlike LocationSmart — has never offered any kind of mobile location information demo service via its site. Nevertheless, Verizon said it had decided to terminate its current location aggregation arrangements with both LocationSmart and Zumigo. “Verizon has notified these location aggregators that it intends to terminate their ability to access and use our customers’ location data as soon as possible,” wrote Karen Zacharia, Verizon’s chief privacy officer. “We recognize that location information can provide many pro-consumer benefits. But our review of our location aggregator program has led to a number of internal questions about how best to protect our customers’ data. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.” In its response (PDF), AT&T made no mention of any other company besides Securus. AT&T indicated it had no intention to stop sharing real-time location data with third-parties, stating that “without an aggregator, there would be no practical and efficient method to facilitate requests across different carriers.” Sen. Wyden issued a statement today calling on all wireless companies to follow Verizon’s lead. “Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.” Wyden’s letter asked the carriers to detail any arrangements they may have to validate that location aggregators are in fact gaining customer consent before divulging the information. Both Sprint and T-Mobile said location aggregators were contractually obligated to obtain customer consent before sharing the data, but they provided few details about any programs in place to review claims and evidence that an aggregator has obtained consent. AT&T and Verizon each said they have processes for periodically auditing consent practices by the location aggregators, but that Securus’ unauthorized use of the data somehow flew under the radar. AT&T noted that it began its relationship with LocationSmart in October 2012 (back when it was known by another name, “Locaid”). Under that agreement, LocationSmart’s customer 3Cinteractive would share location information with prison officials through prison telecommunications provider Securus, which operates a prison inmate calling service. But AT&T said after Locaid was granted that access, Securus began abusing it to sell an unauthorized “on-demand service” that allowed police departments to learn the real-time location data of any customer of the four major providers. “We now understand that, despite AT&T’s requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers’ location information for its on-demand service,” wrote Timothy P. McKone, executive vice president of federal relations at AT&T. “Instead, Securus evidently relied upon law enforcement’s representation that it had appropriate legal authority to obtain customer location data, such as a warrant, court order, or other authorizing document as a proxy for customer consent.” McKone’s letter downplays the severity of the Securus incident, saying that the on-demand location requests “comprised a tiny fraction — less than two tenths of one percent — of the total requests Securus submitted for the approved inmate calling service. AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data.” Blake Reid, an associate clinical professor at the University of Colorado School of Law, said the entire mobile location-sharing debacle shows the futility of transitive trust. “The carriers basically have arrangements with these location aggregators that contractually say, ‘You agree not to use this access we provide you without getting customer consent’,” Reid said. “Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow.” Curious how we got here and what Congress or federal regulators might do about the current situation? Check out last month’s story, Why Is Your Location Data No Longer Private. from https://krebsonsecurity.com/2018/06/verizon-to-stop-sharing-customer-location-data-with-third-parties/ Google in the coming weeks is expected to fix a location privacy leak in two of its most popular consumer products. New research shows that Web sites can run a simple script in the background that collects precise location data on people who have a Google Home or Chromecast device installed anywhere on their local network. Craig Young, a researcher with security firm Tripwire, said he discovered an authentication weakness that leaks incredibly accurate location information about users of both the smart speaker and home assistant Google Home, and Chromecast, a small electronic device that makes it simple to stream TV shows, movies and games to a digital television or monitor. Young said the attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services. “An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.” It is common for Web sites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically. This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smart phone and see how well navigation apps like Google’s Waze can still figure out where you are]. “The difference between this and a basic IP geolocation is the level of precision,” Young said. “For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.” Young said a demo he created (a video of which is below) is accurate enough that he can tell roughly how far apart his device in the kitchen is from another device in the basement. “I’ve only tested this in three environments so far, but in each case the location corresponds to the right street address,” Young said. “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.” Beyond leaking a Chromecast or Google Home user’s precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings, Young notes. “The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.” When Young first reached out to Google in May about his findings, the company replied by closing his bug report with a “Status: Won’t Fix (Intended Behavior)” message. But after being contacted by KrebsOnSecurity, Google changed its tune, saying it planned to ship an update to address the privacy leak in both devices. Currently, that update is slated to be released in mid-July 2018. According to Tripwire, the location data leak stems from poor authentication by Google Home and Chromecast devices, which rarely require authentication for connections received on a local network. “We must assume that any data accessible on the local network without credentials is also accessible to hostile adversaries,” Young wrote in a blog post about his findings. “This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible. Until we reach that point, consumers should separate their devices as best as is possible and be mindful of what web sites or apps are loaded while on the same network as their connected gadgets.” Earlier this year, KrebsOnSecurity posted some basic rules for securing your various “Internet of Things” (IoT) devices. That primer lacked one piece of advice that is a bit more technical but which can help mitigate security or privacy issues that come with using IoT systems: Creating your own “Intranet of Things,” by segregating IoT devices from the rest of your local network so that they reside on a completely different network from the devices you use to browse the Internet and store files. “A much easier solution is to add another router on the network specifically for connected devices,” Young wrote. “By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices. Although this does not by default prevent attacks from the IoT devices to the main network, it is likely that most naïve attacks would fail to even recognize that there is another network to attack.” For more on setting up a multi-router solution to mitigating threats from IoT devices, check out this in-depth post on the subject from security researcher and blogger Steve Gibson. from https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/ In the days following revelations last September that big-three consumer credit bureau Equifax had been hacked and relieved of personal data on nearly 150 million people, many Americans no doubt felt resigned and powerless to control their information. But not Jessamyn West. The 49-year-old librarian from a tiny town in Vermont took Equifax to court. And now she’s celebrating a small but symbolic victory after a small claims court awarded her $600 in damages stemming from the 2017 breach. Just days after Equifax disclosed the breach, West filed a claim with the local Orange County, Vt. courthouse asking a judge to award her almost $5,000. She told the court that her mother had just died in July, and that it added to the work of sorting out her mom’s finances while trying to respond to having the entire family’s credit files potentially exposed to hackers and identity thieves. The judge ultimately agreed, but awarded West just $690 ($90 to cover court fees and the rest intended to cover the cost of up to two years of payments to online identity theft protection services). In an interview with KrebsOnSecurity, West said she’s feeling victorious even though the amount awarded is a drop in the bucket for Equifax, which reported more than $3.4 billion in revenue last year. “The small claims case was a lot more about raising awareness,” said West, a librarian at the Randolph Technical Career Center who specializes in technology training and frequently conducts talks on privacy and security. “I just wanted to change the conversation I was having with all my neighbors who were like, ‘Ugh, computers are hard, what can you do?’ to ‘Hey, here are some things you can do’,” she said. “A lot of people don’t feel they have agency around privacy and technology in general. This case was about having your own agency when companies don’t behave how they’re supposed to with our private information.” West said she’s surprised more people aren’t following her example. After all, if just a tiny fraction of the 147 million Americans who had their Social Security number, date of birth, address and other personal data stolen in last year’s breach filed a claim and prevailed as West did, it could easily cost Equifax tens of millions of dollars in damages and legal fees. “The paperwork to file the claim was a little irritating, but it only cost $90,” she said. “Then again, I could see how many people probably would see this as a lark, where there’s a pretty good chance you’re not going to see that money again, and for a lot of people that probably doesn’t really make things better.” Equifax is currently the target of several class action lawsuits related to the 2017 breach disclosure, but there have been a few other minor victories in state small claims courts. In January, data privacy enthusiast Christian Haigh wrote about winning an $8,000 judgment in small claims court against Equifax for its 2017 breach (the amount was reduced to $5,500 after Equifax appealed). Haigh is co-founder of litigation finance startup Legalist. According to Inc.com, Haigh’s company has started funding other people’s small claims suits against Equifax, too. (Legalist pays lawyers in plaintiff’s suits on an hourly basis, and takes a contingency fee if the case is successful.)
Days after the Equifax breach news broke, a 20-year-old Stanford University student published a free online bot that helps users sue the company in small claims court. It’s not clear if the Web site tool is still functioning, but West said it was media coverage of this very same lawsuit bot that prompted her to file. “I thought if some stupid online bot can do this, I could probably figure it out,” she recalled. If you’re a DYI type person, by all means file a claim in your local small claims court. And then write and publish about your experience, just like West did in a post at Medium.com. West said she plans to donate the money from her small claims win to the Vermont chapter of the American Civil Liberties Union (ACLU), and that she hopes her case inspires others. “Even if all this does is get people to use better passwords, or go to the library, or to tell a company, ‘No, that’s not not good enough, you need to do better,’ that would be a good thing,” West said. “I wanted to show that there are constructive ways to seek redress of grievances about lots of different things, which makes me happy. I was willing to do the work and go to court. I look at this like an opportunity to educate and inform yourself, and realize there is a step you can take beyond just rending of garments and gnashing of teeth.” from https://krebsonsecurity.com/2018/06/librarian-sues-equifax-over-2017-data-breach-wins-600/ Microsoft today pushed out a bevy of software updates to fix more than four dozen security holes in Windows and related software. Almost a quarter of the vulnerabilities addressed in this month’s patch batch earned Microsoft’s “critical” rating, meaning malware or miscreants can exploit the flaws to break into vulnerable systems without any help from users. Most of the critical fixes are in Microsoft browsers or browser components. One of the flaws, CVE-2018-8267, was publicly disclosed prior to today’s patch release, meaning attackers may have had a head start figuring out how to exploit the bug to attack Internet Explorer users. According to Recorded Future, the most important patched vulnerability is a remote code execution vulnerability in the Windows Domain Name System (DNS), which is present in all versions of supported versions of Windows from Windows 7 to Windows 10 as well as all versions of Windows Server from 2008 to 2016. “The vulnerability allows an attacker to send a maliciously crafted DNS packet to the victim machine from a DNS server, or even send spoofed DNS responses from attack box,” wrote Allan Liska, a threat intelligence analyst at Recorded Future. “Successful exploitation of this vulnerability could allow an attacker to take control of the target machine.” Security vendor Qualys says mobile workstations that may connect to untrusted Wi-Fi networks are at high risk and this DNS patch should be a priority for them. Qualys also notes that Microsoft this month is shipping updates to mitigate another variant of the Spectre vulnerability in Intel machines. And of course there are updates available to address the Adobe Flash Player vulnerability that is already being exploited in active attacks. Read more on that here. It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing the updates is often much less hassle and an added piece of mind when you’re sitting there praying for the machine to reboot after patching. This assumes you can get around to backing up before Microsoft decides to patch Windows on your behalf. Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. As always, if you experience any problems installing any of these updates, please leave a note about your issues in the comments below. Additional reading: Cisco Talos Intelligence blog take The Zero Day Initiative’s Security Update Review Microsoft Security Update Guide from https://krebsonsecurity.com/2018/06/microsoft-patch-tuesday-june-2018-edition/ Web site names ending in new top-level domains (TLDs) like .men, .work and .click are some of the riskiest and spammy-est on the Internet, according to experts who track such concentrations of badness online. Not that there still aren’t a whole mess of nasty .com, .net and .biz domains out there, but relative to their size (i.e. overall number of domains) these newer TLDs are far dicier to visit than most online destinations. There are many sources for measuring domain reputation online, but one of the newest is The 10 Most Abused Top Level Domains list, run by Spamhaus.org. Currently at the #1 spot on the list (the worst) is .men: Spamhaus says of the 65,570 domains it has seen registered in the .men TLD, more than half (55 percent) were “bad.” According to Spamhaus, a TLD may be “bad” because it is tied to spam or malware dissemination (or both). More specifically, the “badness” of a given TLD may be assigned in two ways: “The ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. Or, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.” More than 1,500 TLDs exist today, but hundreds of them were introduced in just the past few years. The nonprofit organization that runs the domain name space — the Internet Corporation for Assigned Names and Numbers (ICANN) — enabled the new TLDs in response to requests from advertisers and domain speculators — even though security experts warned that an onslaught of new, far cheaper TLDs would be a boon mainly to spammers and scammers. And what a boon it has been. The newer TLDs are popular among spammers and scammers alike because domains in many of these TLDs can be had for pennies apiece. But not all of the TLDs on Spamhaus’ list are prized for being cheaper than generic TLDs (like .com, .net, etc.). The cheapest domains at half of Spamhaus’ top ten “baddest” TLDs go for prices between $6 and $14.50 per domain. Still, domains in the remaining five Top Bad TLDs can be had for between 48 cents and a dollar each. Security firm Symantec in March 2018 published its own Top 20 list of Shady TLDs: Spamhaus says TLD registries that allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet. “Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains,” Spamhaus’ World’s Most Abused TLDs page explains. Namecheap, a Phoenix, Ariz. based domain name registrar that in Oct. 2017 was the fourth-largest registrar, currently offers by a wide margin the lowest registration prices for three out of 10 of Spamhaus’ baddest TLDs, selling most for less than 50 cents each. Namecheap also is by far the cheapest registrar for 11 of Symantec’s Top 20 Shady New TLDs: Namecheap is easily the least expensive registrar to secure a domain in 11 of the Top 20, including .date, .trade, .review, .party, .loan, .kim, .bid, .win, .racing, .download and .stream. I should preface the following analysis by saying the prices that domain registrars charge for various TLD name registrations vary frequently, as do the rankings in these Top Bad TLD lists. But I was curious if there was any useful data about new TLD abuse at tld-list.com — a comparison shopping page for domain registrars. What I found is that although domains in almost all of the above-mentioned TLDs are sold by dozens of registrars, most of these registrars have priced themselves out of the market for the TLDs that are currently so-favored by spammers and scammers. Not so with Namecheap. True to its name, when it is the cheapest Namecheap consistently offers the lowest price by approximately 98 percent off the average price that other registrars selling the same TLD charge per domain. The company appears to have specifically targeted these TLDs with price promotions that far undercut competitors. Here’s a look at the per-domain prices charged by the registrars for the TLDs named in Spamhaus’s top 10: This a price comparison for Symantec’s Top 20 list: I asked Namecheap’s CEO why the company’s name comes up so frequently in these lists, and if there was any strategy behind cornering the market for so many of the “bad” and “shady” TLDs. “Our business model, as our name implies is to offer choice and value to everyone in the same way companies like Amazon or Walmart do,” Namecheap CEO Richard Kirkendall told KrebsOnSecurity. “Saying that because we offer low prices to all customers we somehow condone nefarious activity is an irresponsible assumption on your part. Our commitment to our millions of customers across the world is to continue to bring them the best value and choice whenever and wherever we can.” Kirkendall said expecting retail registrars that compete on pricing to stop doing that is not realistic and would be the last place he would go to for change. “On the other hand, if you do manage to secure higher pricing you will also in effect tax everyone for the bad actions of a few,” Kirkendall said. “Is this really the way to solve the problem? While a few dollars may not matter to you, there are plenty of less fortunate people out there where it does matter. They say the internet is the great equalizer, by making things cost more simply for the sake of creating barriers truly and indiscriminately creates barriers for everyone, not just for those you target.” Incidentally, should you ever wish to block all domains from any given TLD, there are a number of tools available to do that. One of the easiest to use is Google’s OpenDNS, which includes up to 30 filters for managing traffic, content and Web sites on your computer and home network — including the ability to block entire TLDs if that’s something you want to do. I’m often asked if blocking sites from loading when they’re served from specific TLDs or countries (like .ru) would be an effective way to block malware and phishing attacks. It’s important to note here that it’s not practical to assume you can block all traffic from given countries (that somehow blacklisting .ru is going to block all traffic from Russia). It also seems likely that the .com TLD space and US-based ISPs are bigger sources of the problem overall. But that’s not to say blocking entire TLDs a horrible idea for individual users and home network owners. I’d wager there are whole a host of TLDs (including all of the above “bad” and “shady” TLDs) that most users could block across the board without forgoing anything they might otherwise want to have seen or visited. I mean seriously: When was the last time you intentionally visited a site registered in the TLD for Gabon (.ga)? And while many people might never click on a .party or .men domain in a malicious or spammy email, these domains are often loaded only after the user clicks on a malicious or booby-trapped link that may not look so phishy — such as a .com or .org link. from https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ |
ABOUT MEHi my name is Anthony I am 32 years old from Houston. I am working in local store selling electronic devices. I have been interested in eclectronics since childhood and I like to reacd about it. Archives
April 2019
Categories |