Krebs on Security

Site original : Krebs on Security

⇐ retour index

Mise à jour

Mise à jour de la base de données, veuillez patienter...

Oracle, LifeLock Settle FTC Deception Charges

lundi 21 décembre 2015 à 22:30

The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security. LifeLock agreed to pay $100 million for violating a 2010 promise to cease deceptive advertising practices. Oracle’s legal troubles with the FTC stem from its failure to fully remove older, less secure versions of Java when consumers installed the latest Java software.

javamessThe FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software.  Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said “The security issues allowed hackers’ to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.”

Few sites require Java to display content anymore, and most regular users can likely do without the program given the incessant security holes introduced by the program and its record of being abused by malicious software to infect millions of systems. See this post for a more detailed breakdown of why I’ve so often encouraged readers to junk Java, and advice for users who absolutely still need to have Java installed. If you’re not sure whether you have Java installed, check out this page that Oracle has put up to help users detect and remove installations of Java.


The FTC’s $100 million settlement with LifeLock represents a record for monetary awards obtained by the agency It stems from alleged violations of a previous deceptive advertising settlement the company reached with the FTC back in 2010.

An ad for LifeLock services.

An ad for LifeLock services.

According to the FTC, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information — including their social security, credit card and bank account numbers. The FTC also alleged LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions, and that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.

The court documents related to the latest LifeLock settlement are still sealed, so it’s unclear how exactly LifeLock allegedly failed to protect customers’ sensitive personal data. Interestingly, the lone dissenter in the LifeLock case was FTC Commissioner Maureen K. Ohlhausen, who said she disagreed with the ruling because the commission hadn’t produced evidence that LifeLock somehow failed to secure its customer data, and noted that the company has complied with payment card industry security standards for accepting and handling credit card data.

For its part, LifeLock says in a statement that “there is no evidence that LifeLock has ever had any of its customers data stolen, and the FTC did not allege otherwise.”

This October 2015 story from includes interesting perspective from Virginia Attorney Ken Cuccinelli, whose investigation into LifeLock’s business practices culminated in a class-action lawsuit pitting the FTC and 34 other state attorneys general against the company. According to that interview, Cuccinelli’s beef with LifeLock seems to have centered around allegations of false advertising about the level and quality of LifeLock’s identity protection service, as opposed to any specific data security issues at LifeLock.

“The problem, according to Cuccinelli, was not so much that LifeLock offered a flawed service, but that they were misrepresenting the level of security that they in fact provided,” wrote William Deutsch. “For years, LifeLock had been claiming to be an airtight guarantee against all forms of identity theft. LifeLock’s service is most effective against new account fraud, which is why members can expect an alert when someone tries to open up a new account in their name. But according to the Federal Trade Commission, the service wasn’t as effective in securing customers against the abuse of existing accounts, nor did it offer much protection against medical and employment related fraud.”

I have consistently urged readers to understand the limitations of credit monitoring services, which countless companies offer consumers each year in response to data breaches that expose customer personal and payment data. As I’ve noted time and again, credit monitoring services are unlikely to block thieves from opening new lines of credit in your name; the most you can hope for is that these services will alert you when the thieves succeed in getting new credit using your good name.

Credit monitoring services are useful for ID theft victims who are seeking help in removing fraudulent inquiries from their credit report. But if you want true protection against new account fraud committed in your name, place a security freeze on your credit file with the major credit bureaus. This article explains more about what’s involved in a security freeze and how to protect you and your family.

Password Thieves Target E-Giftcard Firm Gyft

vendredi 18 décembre 2015 à 16:14

Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.

gyftMountain View, Calif. based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.

Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.

Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.

The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.

Gyft was acquired in July 2014 by payment giant First Data, a company that has traditionally specialized in processing credit cards and managing ATMs.

The attack on Gyft is likely to be of particular interest to enthusiasts of the virtual currency Bitcoin. Founded in 2012, Gyft has long been a favorite of bitcoin account holders because it’s consistently been one of the easiest ways to exchange bitcoins for digital gift cards that can be used at everyday businesses.

Cyber crooks very often recycle stolen credentials by trying the username/email address and password pairs at dozens of other retailers online, knowing that a good percentage of consumers will reuse the same credentials at multiple sites. If you re-used your Gyft username and password at other sites (tsk-tsk!) it’s time to change those passwords.

Companies can beef up customer account security by requiring users to sign up for two-step or multi-factor authentication, a process wherein the customer must provide a special one-time code sent to a mobile device in addition to a username and password. Enabling two-step authentication helps blunt the threat from stolen customer credentials because the thieves also would need to have access to the user’s mobile device in order to hijack the account.

A cursory examination of Gyft’s user platform suggests the company does not yet offer two-step authentication for its online site, nor does it require users to supply a mobile number. However, at a Bitcoin conference in Africa this year, Gyft founder Vinny Lingham reportedly told the audience the company was considering adding the security feature.

Banks: Card Breach at Landry’s Restaurants

jeudi 17 décembre 2015 à 19:55

Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely Landry’s Inc., a company that manages a nationwide stable of well-known restaurants — including Bubba Gump, Claim Jumper, McCormick & Schmick’s, and Morton’s. 

Update, 2:57 p.m. ET: Landry’s has acknowledged an investigation. Their press release is available here (PDF).


Original story:

Houston-based Landry’s Inc. owns and operates more than 500 properties, such as Landry’s Seafood, Chart House and Rainforest Cafe. Last week, I began hearing from banking industry sources who said fraud patterns on cards they’d issued to customers strongly suggested a breach at the restaurateur. Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry’s locations.

It remains unclear how many of Landry’s 500 properties may be affected. The company says it is investigating reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of its restaurants. An online FAQ about the incident posted to Landry’s site says the company does not yet know the extent of the breach.

Restaurants are a prime target for credit card thieves, mainly because they traditionally have not placed a huge emphasis on securing their payment systems. The attackers typically exploit security vulnerabilities or weaknesses in point-of-sale devices to install malicious software that steals credit and debit card data.

Thieves can encode the stolen data onto new plastic and use the counterfeit cards at big box retailers like Best Buy and Target. Indeed, multiple sources in the banking industry say they are now seeing fraudulent purchases at big box stores on cards that all were used at apparently compromised Landry’s locations.

Skimmers Found at Some Calif., Colo. Safeways

mercredi 16 décembre 2015 à 06:10

Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.


Banking sources say they’ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a “terminal ID” which can be useful in determining which checkout lanes were compromised.

Safeway spokesperson Brian Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.

“We have an excellent track record in this area,” Dowling said. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.”

Dowling said the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group.

“This is not unique to our company, and we understand some other retailers may have been more significantly impacted,” Dowling said, declining to elaborate.

Safeway would not name the affected locations, but bank industry sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.

In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.

Either that, or the skimmer crooks would have to secretly swap out existing card terminals at checkout lanes with pre-compromised terminals of the exact same design. In any case, skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.

In late 2012, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The year prior, Michaels Stores said it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced card machines to include technology capable of siphoning customer payment card data and PINs.

Sadly, I don’t have any skimmer photos to share from this story, but I have written about the growing sophistication of these point-of-sale skimming devices. Here’s a look at one compromised card reader, and the handiwork that went into the thieves’ craft. Descriptions and images from other skimming devices can be found in my series All About Skimmers.

The mass-issuance of chip-based credit and debit cards by U.S. banks to consumers should eventually help minimize these types of scams, but probably not for some time yet. Most cards will continue to have all of the cardholder data stored in plain text on the magnetic strip of these chip-based cards for several years to come. As long as merchants continue to let customers swipe instead of “dip,” we’ll continue to see skimmers just about everywhere swiping is still allowed.

Remember that you are not liable for fraudulent card charges, but that it’s still your responsibility to alert their card issuer quickly to any unauthorized charges. So keep a close eye on your bank statements. Also, this attack is another reminder of why it makes more sense to shop with a credit vs. a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Update: According to reporting from the Denver Post, the Safeway incident affected three stores in Colorado. All of the affected lanes were self-checkout lanes, the publication reported.

13 Million MacKeeper Users Exposed

lundi 14 décembre 2015 à 21:51

The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users. Perhaps more interestingly, the guy who found and reported the breach doesn’t even own a Mac, and discovered the data trove merely by browsing Shodan — a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.

mackeeperIT helpdesk guy by day and security researcher by night, 31-year-old Chris Vickery said he unearthed the 21 gb trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections.

Vickery told Shodan to find all known instances of database servers listening for incoming connections on port 27017. “Ports” are like doorways that govern access into and out of specific areas of a server, and each port number generally maps to one or a handful of known Web applications and services. Port 27017 happens to be associated with MongoDB, a popular database management system.

In short order, Vickery’s request turned up four different Internet addresses, all of which he later learned belonged to Kromtech, the company that makes MacKeeper.

“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

Vickery said he reached out the company, which responded quickly by shuttering public access to its user database, and publicly thanking him for reporting it.

“Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement published to its site totday. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech said all customer credit card and payment information is processed by a 3rd party merchant and was never at risk.

“Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,” the statement continues. “The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

Vickery said Kromtech told him its database had been inadvertently exposed as a result of a server misconfiguration that was introduced just last week. But Vickery said he doubts that’s the case, because some of the Shodan records he found that pointed back to Kromtech’s database were dated mid-November 2015.

“The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,” Vickery said. “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”

Vickery said he was able to connect to the database that Shodan turned up for him just by cutting and pasting the information into a commercial tool built to browse Mongo databases. Asked whether he’s worried that some clueless organization or overzealous prosecutor might come after him for computer hacking, Vickery said he’s not concerned (for background, see the controversy over bone-headed cases brought against researchers under the Computer Fraud and Abuse Act).

“It’s a concern, but I’ve made peace with that and you can’t live your life in fear,” he said. “I feel pretty confident that if you configure a server for public access — without authentication — and it gets publicly accessed, that’s not a crime.”

I admire Vickery’s courage and straightforward approach, and his story is a good reminder about the importance of organizations using all of the resources available to them to find instances of public access to sensitive or proprietary data that shouldn’t be public.  Consider taking the time to learn how to use Shodan (it’s actually fairly intuitive, but some data may only be available to paying subscribers); use it to see if your organization has unnecessarily exposed databases, networking devices, security cameras and other “Internet of Things” devices.

Finally, if you’re a MacKeeper customer and you re-used your MacKeeper user password at other sites, it’s now time change that password at the other sites — and not just to your new MacKeeper password! For more password do’s and don’ts, check out this primer.

Error happened! 0 - SQLite3::exec(): database disk image is malformed In: /home/cochisebee/www/autoblog/autoblogs/autoblog.php:285 #0 [internal function]: exception_error_handler(2, 'SQLite3::exec()...', '/home/cochisebe...', 285, Array) #1 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(285): SQLite3->exec('INSERT INTO art...') #2 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(418): VroumVroum_Blog->insertOrUpdateArticle('https://krebson...', 'Chinese Antivir...', 'https://krebson...', 1600380201, '

The ...') #3 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(932): VroumVroum_Blog->update() #4 /home/cochisebee/www/autoblog/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/index.php(1): require_once('/home/cochisebe...') #5 {main}