I recently heard from a police detective who was seeking help identifying some strange devices found on two Romanian men caught maxing out stolen credit cards at local retailers. Further inspection revealed the devices to be semi-flexible data transfer wands that thieves can use to extract stolen ATM card data from “deep-insert skimmers,” wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.

The investigator agreed to share the photos if I kept his identity out of this story. He told KrebsOnSecurity that the two men were thought to be part of a crime gang active in the northeast United States, and that the almost 4-inch orange plastic wands allow thieves to download data from a deep insert skimmer. Depending on how the deep-insert skimmer is built, thieves may be able to use the wands to retrieve card data without having to remove the skimmer from the throat of the ATM.

Deep insert skimmers are different from typical insert skimmers in that they are placed in various positions within the card reader transport, behind the shutter of a motorized card reader and completely hidden from the consumer at the front of the ATM.

[Image: the insert skimmer wands (for want of a better term)]

[Image: the wand (left) inserted into a deep-insert skimmer (right)]

[Image: three data transfer wands and three insert skimmers seized from compromised ATMs]

Charlie Harrow, solutions manager for ATM maker NCR Corp., said he has not physically examined the devices pictured above, but that they appear to have a USB interface on one end (the end that plugs into whatever device the crooks use to download stolen card data from the deep-insert skimmer) and a low profile header on the other.

“USB connectors are too big generally to put on a skimmer, especially the newer deep insert skimmers,” Harrow said. “Those devices have very low profile connections such that the overall device thickness is kept to a minimum.”

Once you know about all the ways that skimmer thieves are coming up with to fleece banks and consumers, it’s difficult not to go through life seeing every ATM as potentially compromised. I’m constantly banging and pulling on the poor machines and half expecting, half hoping parts to come unglued. I’m always disappointed, but it hasn’t stopped me all the same.

Truthfully, you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life. So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: the spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs. Shockingly, few people bother to take this simple, effective step, as detailed in this skimmer tale from 2012, wherein I obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

For more on how these insert skimmers work, check out Crooks Go Deep With ‘Deep Insert’ Skimmers. If you’re here because, like me, you find skimmers of all kinds fascinating, please see my series All About Skimmers.
from https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/

Last week, security firm DirectDefense came under fire for over-hyping claims that Cb Response, a cybersecurity product sold by competitor Carbon Black, was leaking proprietary data from customers who use it. Carbon Black responded that the bug identified by its competitor was a feature, and that customers were amply cautioned in advance about the potential privacy risks of using the feature.

Now Carbon Black is warning that an internal review has revealed a wholly separate bug in Cb Response that could in fact result in some customers unintentionally sharing sensitive files.

As noted in last week’s story, DirectDefense warned about a problem with Cb Response’s use of Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There is also a paid version of VirusTotal that allows customers to examine any file uploaded to the service. Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. DirectDefense labeled the bug “the world’s largest pay-for-play data exfiltration botnet.”

Numerous industry analysts leapt to Carbon Black’s defense — with some even calling “bullshit” on the findings — pointing out that plenty of other vendors submit files through VirusTotal and that DirectDefense was merely trying to besmirch a competitor’s product.

But earlier this week, Carbon Black began quietly notifying customers that an internal review of the claims revealed a completely different bug that could result in some benign customer files being miscategorized as executable files and inadvertently uploaded to VirusTotal for scanning.
“On Thursday, we discovered a bug affecting a small percentage of our Cb Response customers,” said Mike Viscuso, co-founder and chief technology officer at Carbon Black. “Our review is still ongoing, but based on what we learned to date it requires a very specific customer configuration, and we have already taken steps to remediate the bug and protect our customers.”

Viscuso said this bug appears to affect a small number of Cb Response customers who have enabled VirusTotal submissions and use the program on a Mac OS in the presence of specific third-party applications. For example, he said, when a Mac user opens Spotify, the popular music service will read a configuration file in a way that causes Cb Response to classify regular content files (e.g., Microsoft Word, PDF, .TXT) as an unknown binary file. A binary file is one whose contents are not stored as readable text; executable programs (e.g., .exe files on Windows) are the most common example, which is why an “unknown binary” is a candidate for malware scanning.

According to Viscuso, the bug was introduced in the Mac version of Cb Response roughly three months ago. He said part of the problem seems to stem from the file classification tool that ships with Cb Response, explaining that the tool sometimes misclassifies corrupted binary files. One of the most common sources of corrupted binary files is antivirus products, which often modify suspected malicious binaries after placing the files in quarantine to ensure the programs can’t be accidentally run.

The Carbon Black discovery comes as more software-as-a-service providers are seeking ways to alert customers who may be inadvertently sharing sensitive data. Amazon recently launched Amazon Macie, a new security service that uses machine learning to discover and classify sensitive data such as personal information in AWS, alerting customers when such data is moved, accessed or otherwise publicly available.
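The bug above turns on a single design decision: what a file has to look like before its contents are allowed to leave the endpoint for a third-party scanner. The Python below is an added illustration written for this page; it is not Carbon Black’s classifier and does not reconstruct the actual defect, which the article does not detail. It compares two submission policies over the same magic-number classifier. The permissive policy uploads anything it cannot recognize as a content file or text, so a damaged or oddly rewritten document leaves as an “unknown binary.” The strict policy uploads only files positively identified as executables and shares at most a SHA-256 hash for anything unrecognized. The format labels, policy names and sample files are constructed for the example; the magic numbers are the real ones for each format.

```python
"""Added example (not Carbon Black's code): gating what may leave an endpoint
for an external scanner such as VirusTotal.

Two policies over one classifier. The permissive one uploads anything it
cannot recognize as a content file; the strict one uploads only positively
identified executables and shares at most a hash for anything else.
Sample files are constructed in memory; magic numbers are the real ones.
"""
import hashlib
from typing import Tuple

# Executable formats a malware scanner should see (hypothetical policy table).
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                     # Windows PE/COFF, via the DOS stub header
    b"\x7fELF": "elf",               # Linux/Unix ELF
    b"\xfe\xed\xfa\xce": "macho32",  # Mach-O, big-endian
    b"\xfe\xed\xfa\xcf": "macho64",
    b"\xce\xfa\xed\xfe": "macho32",  # Mach-O, little-endian (as stored on disk)
    b"\xcf\xfa\xed\xfe": "macho64",
}

# Content formats that must never leave the machine, whatever else matches.
CONTENT_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",  # .docx/.xlsx/.pptx are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole2",     # legacy .doc/.xls/.ppt
}


def looks_like_text(data: bytes) -> bool:
    """Treat a file as text if it has no NUL bytes and decodes as UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify(data: bytes) -> str:
    """Return a format label; content formats are checked before executables."""
    for magic, kind in CONTENT_MAGIC.items():
        if data.startswith(magic):
            return kind
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if looks_like_text(data):
        return "text"
    return "unknown"


def permissive_decide(data: bytes) -> Tuple[str, str]:
    """Permissive policy: anything that is not a recognised content file or
    text is assumed to be a binary and uploaded. Unknown files leak."""
    kind = classify(data)
    if kind in CONTENT_MAGIC.values() or kind == "text":
        return ("skip", kind)
    return ("upload", kind)


def strict_decide(data: bytes) -> Tuple[str, str]:
    """Strict policy: upload content only for positively identified executables.
    For unknown files share only a SHA-256 (enough for a hash lookup; no file
    content leaves the host); never send content formats or text."""
    kind = classify(data)
    if kind in EXECUTABLE_MAGIC.values():
        return ("upload", kind)
    if kind == "unknown":
        return ("hash-only", hashlib.sha256(data).hexdigest())
    return ("skip", kind)


# Constructed sample files (headers only; no real programs or documents).
PE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
ELF_SAMPLE = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
PDF_SAMPLE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
DOCX_SAMPLE = b"PK\x03\x04\x14\x00\x06\x00" + b"[Content_Types].xml"
TEXT_SAMPLE = b"Quarterly numbers: revenue up 4%\n"
# A memo whose header a third-party app damaged: a stray NUL plus two bytes
# that are not valid UTF-8. Neither text nor any known format.
DAMAGED_MEMO = b"Board notes\x00\xff\xfe internal memo, do not distribute\n"
# A quarantined executable whose bytes an AV product flipped so it cannot run.
DEFANGED_PE = bytes(b ^ 0xFF for b in PE_SAMPLE)

if __name__ == "__main__":
    samples = [("pe", PE_SAMPLE), ("elf", ELF_SAMPLE), ("pdf", PDF_SAMPLE),
               ("docx", DOCX_SAMPLE), ("text", TEXT_SAMPLE),
               ("damaged memo", DAMAGED_MEMO), ("defanged pe", DEFANGED_PE)]
    for name, blob in samples:
        print(f"{name:13s} permissive={permissive_decide(blob)[0]:9s} "
              f"strict={strict_decide(blob)[0]}")
```

The damaged memo and the defanged executable both land in the same “unknown” bucket, which is exactly the case the article describes: a classifier that cannot tell a corrupted binary from a mangled document. The strict policy trades some recall for privacy (the defanged sample’s content stays on the host too), but a hash lookup still gives an analyst something to act on, and a human can always choose to upload later. The reverse mistake cannot be undone once a paying subscriber has downloaded the file.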
Viscuso said the company was considering whether it, like Amazon, could offer an additional service that might help customers prevent the accidental sharing of content files to third-party services like VirusTotal. In the meantime, he said, Carbon Black is providing a full list of uploaded files to affected customers, asking them to report whether the files were binaries or content files.

from https://krebsonsecurity.com/2017/08/carbon-emissions-oversharing-bug-puts-security-vendor-back-in-spotlight/

The New York Times this week published a fascinating story about a young programmer in Ukraine who’d turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It’s a good read, as long as you can ignore that the premise of the piece is completely wrong.

The story, “In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking,” details the plight of a hacker in Kiev better known as “Profexer,” who has reportedly agreed to be a witness for the FBI. From the story:
The Times’ reasoning for focusing on the travails of Mr. Profexer comes from the “GRIZZLYSTEPPE” report, a collection of technical indicators or attack “signatures” published in December 2016 by the U.S. government that companies can use to determine whether their networks may be compromised by a number of different Russian cybercrime groups.

The only trouble is nothing in the GRIZZLYSTEPPE report said which of those technical indicators were found in the DNC hack. In fact, Profexer’s “P.A.S. Web shell” tool — a program designed to insert a digital backdoor that lets attackers control a hacked Web site remotely — was specifically not among the hacking tools found in the DNC break-in. That’s according to Crowdstrike, the company called in to examine the DNC’s servers following the intrusion. In a statement released to KrebsOnSecurity, Crowdstrike said it published the list of malware that it found was used in the DNC hack, and that the Web shell named in the New York Times story was not on that list.

Robert M. Lee is founder of the industrial cybersecurity firm Dragos, Inc. and an expert on the challenges associated with attribution in cybercrime. In a post on his personal blog, Lee challenged The Times on its conclusions.

“The GRIZZLYSTEPPE report has nothing to do with the DNC breach though and was a collection of technical indicators the government compiled from multiple agencies all working different Russian related threat groups,” Lee wrote. “The threat group that compromised the DNC was Russian but not all Russian groups broke into the DNC,” he continued. “The GRIZZLYSTEPPE report was also highly criticized for its lack of accuracy and lack of a clear message and purpose. I covered it here on my blog but that was also picked up by numerous journalists and covered elsewhere [link added].
In other words, there’s no excuse for not knowing how widely criticized the GRIZZLYSTEPPE report was before citing it as good evidence in a NYT piece.” Perhaps in response to Lee’s blog post, The Times issued a correction to the story, re-writing the above-quoted and indented paragraph to read:
[Side note: Profexer may well have been doxed by this publication just weeks after the GRIZZLYSTEPPE report was released.]

This would not be the first time the GRIZZLYSTEPPE report provided fodder for some too-hasty hacking conclusions by a major newspaper. On December 31, 2016, The Washington Post published a breathless story reporting that an electric utility in Vermont had been compromised by Russian hackers who had penetrated the U.S. electric grid. The Post cited unnamed “U.S. officials” saying the Vermont utility had found a threat signature from the GRIZZLYSTEPPE report inside its networks. Not long after the story ran, the utility in question said it detected the malware signature in a single laptop that was not connected to the grid, and the Post was forced to significantly walk back its story.

Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law at UT Austin, said indicators of compromise or IOCs like those listed in the GRIZZLYSTEPPE report have limited value in attributing who may be responsible for an online attack.

“It’s a classic problem that these IOCs indicate you may be compromised, but they’re not very good for attribution,” Tait said. “The Grizzly Steppe report is a massive file of signatures, and loads of people have run those, found various things on their network, and then assumed it’s all related to the DNC hack. But there’s absolutely no tie between the DNC hack that in any way involved this P.A.S. Web shell.”

If it’s not always clear how seriously to take conclusions from Uncle Sam about the sources of cybercrime, it certainly doesn’t help when intelligence agencies are still relying on discredited sources of information about the sources of cyberattacks. As Mr. Lee observed at the top of his blog post, the Twitter account for the U.S. Defense Intelligence Agency tweeted on Aug. 14, 2017: “Cyber attacks going on right now #DoDIIS17”.
The DIA tweet included a brief video of the global threat map produced by Norse Corp., a company whose lovely but otherwise misguided efforts at cyber attack attribution have been repeatedly denounced by Lee and other cybersecurity experts. For more on how Norse self-destructed from the inside, see my Jan. 2016 story, Sources: Security Firm Norse Corp. Imploding.

One final note: Wired.com has a lengthy but tremendous new story worth reading called A Guide to Russia’s High Tech Tool Box for Subverting US Democracy. It makes a convincing case that the real, long-term goal of Russian state-sponsored hacking activity is to sow public and popular distrust in the democratic process and to weaken democratic institutions inside countries that support the North Atlantic Treaty Organization (NATO).

from https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/
About me: Hi, my name is Anthony. I am 32 years old, from Houston. I work in a local store selling electronic devices. I have been interested in electronics since childhood and I like to read about it.

Archives: April 2019