Hackers Prefer to Steal Identity of Victims Aged 30 Years or Younger

When does being older give you an advantage besides a discount at Denny’s?  When it comes to being targeted by hackers.  A recent UK study shows people in the UK aged 30 years, or younger, are the most targeted by hackers for identity fraud.  In 2015, there was a 52% increase in fraud for victims aged 30 or younger, according to Cifas, a UK fraud prevention service.

The report showed that:

  • Only 34 per cent of 18-24 year olds say they learned about online security when they were at school
  • 50 per cent of the 18-24 year olds surveyed believe they would never fall for an online scam (compared to the national average of 37 per cent)
  • Only 57 per cent of 18-24 year olds report thinking about how secure their personal details are online (compared to 73 per cent for the population as a whole)
  • Adults aged 18-24 years are less likely to install anti-virus software on their mobile phone than the national average (27 per cent compared to 37 per cent)

With 86% of identity fraud in the UK for 2015 committed online, Cifas’ data shows that young people are the most exposed to losing personal data such as their name, date of birth, address and bank account info through social media.  To highlight the problem, they even published a short video about it which can be found here.  Using a black van in the video adds to the creepiness. </shudder>.  Some additional insight and info can be found here.

Have I Been Pwned Introduces ‘Unverified’ Breaches

When is a breach not a breach?  When there are too many unanswered questions, apparently.  Have I Been Pwned (HIBP), the database of breaches, is owned and operated by Troy Hunt, who performs due diligence on each breach before adding it to HIBP.  A recent supposed breach of Badoo account information was presented to Hunt, who then did his normal checking and cross-checking of the data to verify its veracity.  Hunt, unfortunately, could not come to a definitive conclusion about whether the data actually came from Badoo.  Per Hunt:

“[S]ometimes there are breaches where I just can’t be certain of the authenticity, yet there are many indicators which point to an actual breach. The incident sits in that grey area between “very unlikely to be legitimate” and “almost certainly legitimate”.”

Hunt’s post on the analysis of the ‘Badoo’ data and his introduction of ‘unverified breaches’ can be found here, but whether a breach is a verified or unverified breach seems to boil down to these basic factors:

  • The service provider confirms (or denies) there was a breach
  • The data itself is consistent and has sufficient detail (or not)
  • There is confirmation (or denial) of data accuracy from breached users
  • Testing of the data against the site’s password reset tool is successful (or not)

If the data does not pass all of these tests but still looks like it came from somewhere real, the safe course is to report it, even if it has to be qualified as unverified.

What does this mean to end users?  Despite the new ‘unverified breaches’ category, I see the end result for the user as the same; you need to change your password and change it now.  Changing your password because it might be used by someone else has now become the Internet equivalent of turning around at the end of the block and driving back home to see if you left the iron on.  Just do it, it’s usually really simple, and you’ll sleep (and drive) better.

Even the Court Says Password Sharing Bad

The U.S. Court of Appeals for the Ninth Circuit has ruled that a former employee of a company, whose computer access credentials were revoked, had acted “without authorization” in violation of the Computer Fraud and Abuse Act (CFAA), when he and other former employees used the login credentials of a current employee to gain access to data on the employer’s computers.

David Nosal, and two other former employees at executive search firm Korn/Ferry International, used a password shared by Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux, to download confidential data.  Nosal did not himself access or download any information from the Korn/Ferry database, but was held liable for the conduct of his colleagues who acted on his behalf and at his request.  Nosal had set up his own competing firm and hired two other Korn/Ferry employees.  Before leaving their employment at Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new business.  Although the former employees were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies, the U.S. Court of Appeals for the Ninth Circuit said in its opinion.  The former employees tried to cover their tracks by using the login credentials of Froehlich-L’Heureaux, Nosal’s former assistant.  The assistant gave her username and password to Nosal’s colleagues to use.  Per the court:

“Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access,” according to the opinion, which said that the access falls squarely within the CFAA’s prohibition on access “without authorization.” Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign, the court said.

The dissenting judge on the three-judge panel wrote that this case is about password sharing, and that “the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”.  What does this mean for end users?  It looks like it means that in order for a company to get the protection of the CFAA, there must be a “no sharing passwords” policy in effect, and employees, old and new, will need to acknowledge this in writing.  This would put the “authorization” test in place and allow the CFAA to apply.  Employees who break the password sharing rule could then be subject to the penalties of the CFAA.  It also means don’t share your password!  The full legalese can be found here.

Tor-Powered Malware for Macs

Security researchers have found a new backdoor program that allows attackers to hijack Mac systems and control them over the Tor network.  The malware, dubbed Backdoor.MAC.Eleanor by the folks at Bitdefender, is distributed as a file converter application through websites that offer Mac software.

The application infected with ‘Eleanor’ that users download from these sites is called ‘EasyDoc Converter’.  Once installed, ‘Eleanor’ displays a fake ‘EasyDoc Converter’ interface where users can supposedly drag and drop files for conversion, but no file conversion is done.  ‘Eleanor’ then launches a shell script in the background that installs components in a folder called “/Users/$USER/Library/.dropbox”.  No interaction with the Dropbox for Mac client has been found, and it appears that the folder name is a ploy to thwart discovery.  ‘Eleanor’ then launches a Web service with a PHP application, a hidden service that allows attackers to connect to the affected systems over the Tor network, and an agent that posts the Tor access URLs for infected systems to a Pastebin website.  Attackers can then send commands through the URLs to affect the infected Macs.

The Tor network, also known as The Onion Router because of its many layers, is a series of servers running route anonymization software so that one’s route cannot easily be traced.  Tor has been used for years by users who wish to protect their privacy, but has lately been leveraged by Bad Actors to hide their location from the Good People of the Internet.

Users are alerted to the malware when they try to install it, since the ‘EasyDoc Converter’ app is not digitally signed with an Apple-approved certificate and the system shows security warnings.  A user on OS X 10.11 (El Capitan) would also need to perform a manual override in order to install the application.  More information can be found here.
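A defender's triage check for the indicators described above, added here as an example rather than code from the original post or from Bitdefender; it assumes that the app bundle, if present, sits in one of the standard macOS Applications folders, and takes the home directory as a parameter so it can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not code from Bitdefender or the original post: a triage check for the
# Eleanor indicators. The malware drops its components into "$HOME/Library/.dropbox", a
# hidden folder the real Dropbox client does not use, so that folder is the primary
# indicator; the app bundle name "EasyDoc Converter" is the second.

# eleanor_indicators HOME_DIR
# Prints one line per indicator found; returns 0 when nothing is found, 1 otherwise.
eleanor_indicators() {
    home="$1"
    found=0
    hidden="$home/Library/.dropbox"
    if [ -d "$hidden" ]; then
        echo "suspicious: hidden directory $hidden exists"
        found=1
        # List what was dropped there (the write-up names a PHP web service, a Tor
        # hidden service and a Pastebin-posting agent).
        ls -la "$hidden" 2>/dev/null | sed 's/^/    /'
    fi
    # Assumed install locations for the app bundle (standard macOS app folders).
    for app in "$home/Applications/EasyDoc Converter.app" "/Applications/EasyDoc Converter.app"; do
        [ -d "$app" ] || continue
        echo "suspicious: $app is present"
        found=1
        # codesign exists only on macOS; the dropper is not signed with an Apple-issued
        # certificate, so signature verification is expected to fail on it.
        if command -v codesign >/dev/null 2>&1; then
            codesign --verify --deep "$app" >/dev/null 2>&1 ||
                echo "suspicious: $app does not pass codesign verification"
        fi
    done
    return $found
}

# Run against the current user's home when executed directly.
eleanor_indicators "${HOME:-/nonexistent}" && echo "no Eleanor indicators found"
```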

Leak of the Week – 7/8/2016

The following are data breaches that have been reported this week:

Badoo – 112 Million records – Leaked data was usernames, e-mail addresses and simple MD5-hashed passwords.  The data was discovered for sale in May, though Badoo denies a breach ever occurred.  The leak appears this week because HIBP (see above) ran a check on the data and loaded it into their database as an “unverified breach” (a first for HIBP).

Wendy’s – Now up to 1000 restaurants – Leaked data was credit card data (maybe mine!) from transactions at Wendy’s restaurants.  This breach began in the Fall of 2015 and wasn’t discovered until early this year.  Wendy’s confirmed this week that more restaurants are involved than their original estimate of 300.  Yep, 1000 is more than 300 by quite a bit.

Democratic National Convention – 17,000 records – Leaked data was a database of records dating back to 2013 including names, addresses, email addresses and phone numbers of people who purchased tickets to DNC events, including events attended by the President and the Vice President.  No word on whether financial data was leaked as well.

BIOS Exploit by Bad Researcher

A critical vulnerability recently found in the low-level firmware of Lenovo ThinkPad systems has now been found to exist in products from other vendors, including certain HP and Gigabyte products.  According to Lenovo, the vulnerability found by researcher Dmytro Oleksiuk in various ThinkPad models was not in Lenovo’s own Unified Extensible Firmware Interface (UEFI) code, but in an implementation provided to Lenovo by an un-named independent UEFI vendor.  Since other manufacturers use the same third-party UEFI code, the same vulnerability applies to some of their machine models as well.

Already, an exploit for the vulnerability found in the Lenovo ThinkPads, dubbed ThinkPwn, has been published and can be used to execute rogue code in a CPU’s privileged System Management Mode (SMM).  The exploit can disable Windows Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits.  Other Windows security features, like Virtual Secure Mode and Credential Guard, which depend on the UEFI to be secure, could also be circumvented.

ThinkPwn was published by researcher Dmytro Oleksiuk and was not reported to Lenovo at all.  Bad researcher!  No kudos!  And I’m not kidding.  Even though Mr. Oleksiuk downplays the threat of this exploit being used…

“It’s very unlikely that this vulnerability will be exploited in the wild, for regular customers there are much more chances to be killed with the lightning strike than meet any System Management Mode exploit or malware.”

…he still demonstrated that his ego is more important than the safety and security of others:

“I decided to do the full disclosure because the main goal of my UEFI series articles is to share the knowledge, not to make vendors and their users happy.”

So, vendors that use the vulnerable UEFI code had no warning that would give them time to develop a fix, and the public is exposed to a zero-day exploit.  Shame, Mr. Oleksiuk, shame!  Your technical prowess is overshadowed by your lack of social conscience.

End users should look to see if there is an updated version of the firmware for affected machines.  Lots of grisly detail about the UEFI vulnerabilities and the exploit, including some vulnerable ThinkPad models, can be found here.  Info on vulnerable Gigabyte motherboards can be found here.
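As an added example (not from the original post or the researcher's write-up), a check an end user on Linux can run to confirm that Secure Boot is still enabled, the feature the exploit described above is said to be able to disable; it assumes efivarfs is mounted at the usual /sys/firmware/efi/efivars path and that the EFI global variable layout (4 attribute bytes, then one data byte) applies.

```shell
#!/bin/sh
# Added example, not code from the original post: report whether UEFI Secure Boot is
# still enabled on a Linux host. The EFI global variable "SecureBoot" is exposed through
# efivarfs; each efivarfs file is 4 bytes of variable attributes followed by the variable
# data, and for SecureBoot the data is one byte: 1 = enabled, 0 = disabled. The efivars
# directory is a parameter (EFIVARS_DIR) so the parser can be exercised on a constructed file.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
SECUREBOOT_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state FILE
# Prints "enabled", "disabled" or "unknown" (variable missing: legacy BIOS boot or no
# efivarfs) and returns 0, 1 or 2 respectively.
secure_boot_state() {
    file="$1"
    [ -r "$file" ] || { echo unknown; return 2; }
    # Skip the 4-byte attribute header (-j4) and read one data byte (-N1) as decimal.
    byte=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' \n')
    case "$byte" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

main() {
    state=$(secure_boot_state "$EFIVARS_DIR/$SECUREBOOT_VAR") || true
    echo "Secure Boot: $state"
    if [ "$state" != enabled ]; then
        echo "Secure Boot is not confirmed enabled: check the firmware settings and apply the vendor's UEFI update."
    fi
}

main
```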