Monday, September 15, 2014

Care and Maintenance of Your Hard Drive

How to Take Care of the Hard Drive in Your Windows Machine
The hard drive isn't the most spectacular bit of hardware, but it's essential to keep your PC running smoothly. If it goes kaput, it takes all of your precious data and your applications with it. So keep your hard drive happy, healthy and running smoothly by following these straightforward tips.
We're focusing on traditional hard drives here, the large capacity disks more commonly found in desktops and all-in-ones. If you've got a nippy SSD installed in your system then a lot of these points don't apply, as there are no moving parts and data is automatically optimized.

Get rid of what you don't need

If your hard drive is cluttered up with applications you never run and files you never look at, Windows and the disk itself have to work harder to find the information you are interested in. It's a bit like trying to walk barefoot across a floor littered with Lego pieces—it's much easier if everything you don't need has been cleared away.
Applications can be uninstalled from the Control Panel or by right-clicking on their icons on the Start screen. They'll take their settings files, registry entries and other paraphernalia along with them too, leaving you with a much more efficient and lean system that's easier to move around in.
If you want to hire in a professional for the job then Revo Uninstaller and Iobit Uninstaller are two of the best free tools we've seen in this area. They'll really pull up a program by its roots and make sure everything is cleared away, finding temporary files and obscure settings entries that Windows alone might miss. Revo Uninstaller includes a "hunter mode" that zeroes in on applications that aren't listed in the standard programs list.
The same principles apply to personal files too. Clear out junk you don't need for a happier hard drive. This could be anything from a duplicate copy of the Godzilla movie to a setup program that you've finished with. Right-click on your hard drive in File Explorer, choose Properties and you'll find a Disk Clean-up tool that can look for redundant data for you; CCleaner is an excellent third-party freeware program that does a similar job.

Regularly optimize your drive

As time goes by and your hard drive fills up, Windows has to split up files to fit them in on disk. It's a problem that compounds as the weeks and months pass, which is why you need to stay on top of it. Fortunately the operating system takes care of most of this automatically.
Right-click on your drive in File Explorer and choose Properties from the menu that pops up. Open the Tools tab and you'll find a utility for checking for errors on the drive as well as the defrag program—click Optimize to run a manual optimization and to check that Windows is scheduling frequent check-ups of the state of your drive.
Power options are worth looking into, as well. You wouldn't leave your car idling in the driveway all day, so don't have your hard drive chugging away when it's not necessary. Hard drives don't live forever and you don't want to exert the disks without a good reason. From Control Panel, choose Hardware and Sound and then Power Options to bring up the current power plans.
By default, the hard drive spin down setting (found via Change advanced power settings) is set to 20 minutes of inactivity, which is about right; if you don't take many breaks from your PC then you can reduce this a little, but you don't want to be in a situation where your hard drive is sleeping and waking every time you take your hands away from the keyboard.

Keep it cool

Hard drives love running at room temperature—anything too hot (or indeed too cold) can play havoc with the delicate mechanisms inside the disk unit. Using a laptop in bed brings up quite a few potential problems, one of which is overheating, which can increase the strain on your hard drive and the likelihood of it wilting.
Along the same lines, make sure your desktop, laptop or all-in-one has plenty of room in which to work. Keep those desk cabinets, pot plants and winter scarves at a good distance so that the ventilation systems on your machine can work as they're intended to. If dust starts to build up around the ventilation ports at the sides of your computer then clean it away.
Hard drives are very good at reporting back their current state of health and there are dozens of helpful freeware utilities that can tap into this data. HDDScan is a good option for this, as is Speccy (from the developers of the aforementioned CCleaner). DiskCheckup is another good option worth checking out and it's free for non-commercial use.
These utilities can report back on the temperature and performance of your installed hard drives, giving you an early warning system if something should go wrong. It goes without saying that you should always have backups in place—but then you already knew that, didn't you?
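As an added example (not from the article, and not the code of any of the utilities it names), the same health data those tools read can be pulled from an elevated PowerShell prompt on Windows 8 or later. The 50 C warning threshold is an assumption; not every controller driver exposes the SMART failure-prediction class, so that part may come back empty.

```powershell
# Added example, not from the article: report SMART health for each physical disk.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later. Not every disk
# controller driver exposes the WMI failure-prediction class, so that part may be empty.

function Get-DiskHealthReport {
    # Reliability counters come from the storage stack (temperature, error counts,
    # power-on hours); HealthStatus is the operating system's own verdict on the disk.
    $counters = Get-PhysicalDisk | ForEach-Object {
        $disk = $_
        $c = $disk | Get-StorageReliabilityCounter
        [pscustomobject]@{
            Disk            = $disk.FriendlyName
            MediaType       = $disk.MediaType        # HDD or SSD; the article's tips are for HDDs
            HealthStatus    = $disk.HealthStatus
            TemperatureC    = $c.Temperature
            TemperatureMaxC = $c.TemperatureMax
            ReadErrors      = $c.ReadErrorsTotal
            PowerOnHours    = $c.PowerOnHours
        }
    }

    # SMART's own "predict failure" flag, via the legacy WMI class. A disk that sets
    # PredictFailure is telling you to replace it now, not after the next backup.
    $smart = Get-CimInstance -Namespace 'root\wmi' -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
             Select-Object InstanceName, PredictFailure, Reason

    [pscustomobject]@{ Counters = $counters; SmartPrediction = $smart }
}

$report = Get-DiskHealthReport
$report.Counters | Format-Table -AutoSize
$report.SmartPrediction | Format-Table -AutoSize

# Flag anything that needs attention: the OS says unhealthy, SMART predicts failure, or the
# drive is running hot. 50 C is an assumed warning threshold; check your drive's own spec.
$hot       = $report.Counters | Where-Object { $_.TemperatureC -and $_.TemperatureC -ge 50 }
$sick      = $report.Counters | Where-Object { $_.HealthStatus -ne 'Healthy' }
$predicted = $report.SmartPrediction | Where-Object { $_.PredictFailure }
if ($hot -or $sick -or $predicted) {
    Write-Warning ("Disk attention needed: {0} hot, {1} unhealthy, {2} SMART-predicted failures. Verify your backups." -f @($hot).Count, @($sick).Count, @($predicted).Count)
}
```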

Wednesday, August 27, 2014

Feds warn first responders of dangerous hacking tool: Google Search

“Google dorking” warning from DHS and FBI calls out “advanced search” as a threat.

You may already be dorking.
In a restricted intelligence document distributed to police, public safety, and security organizations in July, the Department of Homeland Security warned of a “malicious activity” that could expose secrets and security vulnerabilities in organizations’ information systems. The name of that activity: “Google dorking.”
“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,” the for-official-use-only Roll Call Release warned. “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.”
That’s right, if you’re using advanced operators for search on Google, such as “site:arstechnica.com” or “filetype:xls,” you’re behaving like a “malicious cyber actor.” Some organizations will react to you accessing information they thought was hidden as if you were a cybercriminal, as reporters at Scripps found out last year. Those individuals were accused of “hacking” the website of free cellphone provider TerraCom after discovering sensitive customer data openly accessible from the Internet via a Google search and an “automated” hacking tool: GNU’s Wget.
But this warning from the DHS and the FBI was mostly intended to give law enforcement and other organizations a sense of urgency to take a hard look at their own websites’ security. Local police departments have increasingly become the target of “hacktivists.” Recent examples include attacks on the Albuquerque Police Department’s network in March following the shooting of a homeless man and attacks on St. Louis County police networks in response to the recent events in Ferguson, Missouri.

Bad queries

A quick "dorking" query for a common PHP backdoor reveals 25 sites already rooted and ready for those up to no good.
It’s true that Google hacking, or “dorking,” has been used by hackers and penetration testers for years. Just as the National Security Agency can use its XKeyscore surveillance data as a targeting system for more intrusive attacks on intelligence targets, hackers can use Google to find and target vulnerable sites—including ones where the work of hacking has already been done for them. A single query based on the signature of a common PHP-based “shell” malware (a backdoor that gives access to the operating system of affected websites) turns up a list of two dozen sites that have been hacked with the backdoor left open, most of them in Russia and Romania.
David Helkowski, the consultant who hacked the University of Maryland’s website and gained access to personal data in a university database, told Ars that he used Google advanced search to discover pages within UMD sites that allowed arbitrary Web executable files to be uploaded to them. Google searches allowed him to discover exploits that pre-existed on the site.
The DHS and the FBI called out two “dorking” incidents in particular to underscore the dire threat posed by not properly configuring robots.txt on websites. One of those was the October 2013 breach of more than 35,000 websites running vulnerable versions of the vBulletin Web bulletin board. The report says that a “dorking” query was used by hackers to identify websites that were still using an unpatched version of the software. The hackers could then attack them with open source exploit tools. Google was also allegedly used by attackers to target a vulnerable FTP server at Yale in 2011, exposing the Social Security numbers of 43,000 people.
There’s also a penetration testing tool called Diggity Project that can build automated queries against Google or Bing to locate files containing passwords, remote administration interfaces, and other vulnerabilities in Web-accessible computer systems. Diggity was called out specifically in the DHS/FBI intelligence report: “It contains both offensive and defensive tools and over 1,600 pre-made dork queries that leverage advanced search operators.”

Only you can prevent dorking

The Diggity Project is intended as a tool to help organizations secure their websites by finding the holes exposed by Google queries before someone with ill intent does. There’s also a vast database of tried-and-true Google queries in the Google Hacking Database hosted within Offensive Security’s Exploit Database site (though accessing the site, ironically, may be blocked by application firewalls used by Federal agencies because its pages contain keywords associated with Web malware).
These tools expose what Google already indexed. The best defense is to not have sensitive content indexed in the first place (or, if possible, to not have it on servers that face the public Internet to begin with—but let’s not get too far ahead of ourselves). The DHS and FBI recommended using Google’s Webmaster tools to remove things that shouldn’t have been indexed from their cache; they also suggested the liberal application of robots.txt files to tell Google and Bing to not spider down particular directory paths.
To seasoned Web hands, all of this sounds glaringly obvious. But considering the nature of the websites operated by many state, local, and regional agencies—and much of the Federal government for that matter—it’s worth stating the obvious. The same is true for thousands of private websites on the Internet operated by businesses and individuals. The sites may not seem important enough in themselves to secure, but they may inadvertently be connected to sensitive customer or employee information.

Monday, August 25, 2014

DHS Employees Data Revealed

US government employees are the victims of the latest security breach. A contractor for the government has revealed that sensitive information on at least 25,000 workers has been obtained as a result of a cyber attack. The information includes standard personal details like Social Security numbers and birth dates, as well as workers' educational and criminal backgrounds. It also includes information on family members, relatives, and acquaintances.
The data is so complete because the hack targeted a company named US Investigations Services, or USIS, which handles background checks for agencies such as the Department of Homeland Security. The breach specifically included information on employees at the agency's Immigration and Customs Enforcement and U.S. Customs and Border Protection departments, according to Reuters. It could also contain information on some undercover workers. In a statement, the company said that "records including this data were exposed to unauthorized users during the cybersecurity intrusion," adding, "we do not yet know whether the data was actually taken."
The attack was first revealed earlier this month, at which time the company said that it had "all the markings of a state-sponsored attack." Only now has the breadth of the attack been revealed. If the cyber attack was executed by or for a foreign nation, experts suggest the info could be used to coerce or blackmail workers at the Department of Homeland Security. The agency, created after the events of September 11th, is charged with preventing terrorist attacks on US soil, and it is in charge of border control, among other tasks. Since the attack was revealed, the agency has stopped doing work with USIS as the FBI continues its investigation into the breach.

Monday, August 18, 2014

Chinese Hackers Steal Hospital Records

Why Chinese Hackers Stole 4.5 Million US Hospital Records
This month's installment of Chinese hackers stealing your data focuses on breaches at an especially scary type of venue: hospitals. A massive hospital empire that mostly serves small towns and rural areas reports that hackers lifted 4.5 million patient records earlier this year. You might be surprised by what the hackers were after.
The attack affected Community Health Systems, the operators of 206 hospitals in 29 states. The company described the hackers as an "Advanced Persistent Threat" group from China in an SEC regulatory filing and hired a firm called Mandiant to investigate. This was a good choice since Mandiant coined the term "Advanced Persistent Threat" when describing a Chinese Army unit that's been launching similar attacks—a New York Times report last month claimed that this unit was going after smaller federal agencies.
While it's unclear whether the hackers who attacked the hospitals are the same Chinese Army unit, the methods were similar. Re/Code sums up a Mandiant report from last year that describes these types of attacks:
On average, the hackers would spend nearly a year perusing a targeted company's systems looking for sensitive information to steal: Product development plans, manufacturing techniques, business plans and the email messages of senior executives. The point is to help Chinese companies be more competitive.
And that description appears to match up to these most recent attacks. Apparently, the Chinese hackers didn't seek out medical information but rather "non-medical patient identification data related to the Company's physician practice operations." So they're either trying to steal identities or figure out how American doctors work.
Either way, many of you can expect to receive a letter from Community Health Systems in the coming weeks. And hopefully, the inconvenience stops there. [Re/Code]

Friday, August 15, 2014

Pop-up Ad Inventor

"I'm sorry. Our intentions were good."
Ethan Zuckerman was a designer and programmer for the early web-hosting service Tripod.com when a car company freaked out. The unspecified manufacturer had bought a banner ad on a page that "celebrated anal sex," and was not too pleased at the association of its brand with sexual escapades. Tripod had the solution: what if an advert could launch in its own window? Zuckerman wrote the code for the world's first pop-up ad, and for many years it was impossible to browse without being inundated by pop-ups.
You'll still find some pop-ups in the seedier parts of the internet, of course, but they're few and far between. Thanks to work from Netscape and Opera, who were the first to add pop-up blockers into their products, the majority of web browsers now prevent sites from launching hundreds of ad windows. Regardless of public opinion, the pop-up ad was instrumental in defining advertising as the primary business model for websites, but Zuckerman now believes there's a better way. In a long essay for The Atlantic, he explains how online advertising became the behemoth that it is, and what we can do about it.

More Credit Cards Stolen


Welcome to the weekend everyone! What better way to kick things off than with the news that one of the nation’s largest supermarket operators has had its card payment system compromised at chains like Albertsons, Jewel-Osco, Shaw’s, and ACME. According to AB Acquisition LLC, which operates these chains and others, the company “recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of its stores.”
The company says that it has brought in the authorities and that it is working with its IT services provider and third-party data forensics experts to investigate the cause and breadth of the breach.
It looks like the hack began on June 22 and ended by July 17.
As of this morning, AB Acquisition said it could not find evidence that any cardholder data was in fact stolen, or that any cardholder information had been misused.
In a statement, the company said it “believes that the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores.”
The hack affected the following stores:
Albertsons: stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah.
ACME: stores in Pennsylvania, Maryland, Delaware and New Jersey.
Jewel-Osco: stores in Iowa, Illinois and Indiana.
Shaw’s and Star Markets: stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.
The company says it will be posting more information on albertsons.com, acmemarkets.com, jewelosco.com, and shaws.com within 24 hours.
Customers whose cards may have been affected are being offered 12 months of complimentary consumer identity protection services. Starting today at 4 p.m. ET, concerned customers from these stores can call AllClear ID at 1-855-865-4449 to learn about this offer.

Security Badge Secure?

Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.
HID iClass proximity card.
Nearly four years ago, researchers at the Chaos Communication Congress (CCC), a security conference in Berlin, released a paper (PDF) demonstrating a serious vulnerability in smart cards made by Austin, Texas-based HID Global, by far the largest manufacturer of these devices. The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.
More importantly, the researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.
At the time, HID responded by modifying future models of card readers so that the firmware stored inside them could not be so easily dumped or read (i.e., the company removed the external serial interface on new readers). But according to researchers, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards — a costly proposition by any measure given HID’s huge market share.
Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.
Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside of a common backpack. Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to an employee of the targeted organization and asking for directions, a light of a cigarette, or some other pretext.
Card cloning gear fits in a briefcase. Image: Lares Consulting.

Perrymon and Smith noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card (also broadly available on eBay for a few pennies apiece). Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned, because the ones and zeros stored on the card that specify that access level also can be modified.
Smith said he and Perrymon wanted to revive the issue at DefCon to raise awareness about a widespread vulnerability in physical security. HID did not respond to multiple requests for comment.
“Until recently, no one has really demonstrated properly what the risk is to a business here,” Smith said. “SCADA installations, hospitals, airports…a lot of them use HID cards because HID is the leader in this space, but they’re using compromised technology. Your card might not have data center or HR access but I can get into those places within your organization just by coming up to some employee standing outside the building and bumming a light off of him.”
Organizations that are vulnerable have several options. Probably the cheapest involves the use of some type of sleeve for the smart cards. The wireless communications technology that these cards use to transmit data — called radio-frequency identification or RFID – can be blocked when not in use by storing the key cards inside a special RFID-shielding sleeve or wallet. Of course, organizations can replace their readers with newer (perhaps non-HID?) technology, and/or add biometric components to card readers, but these options could get pricey in a hurry.
A copy of the slides from Perrymon and Smith’s DefCon talk is available here.

Wednesday, June 11, 2014

Stolen Credit Cards for Sale

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.
On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.
Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.”
“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company said in an emailed statement. “We will provide an update as soon as we have additional information.”
A spokesperson for the U.S. Secret Service, which typically investigates breaches involving counterfeit credit and debit cards, declined to comment.
It is unclear how many P.F. Chang’s locations may have been impacted. According to the company’s Wikipedia entry, as of January 2012 there were approximately 204 P.F. Chang’s restaurants in the United States, Puerto Rico, Mexico, Canada, Argentina, Chile and the Middle East. Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.
The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty.
The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems.
Unlike with the Target and Sally Beauty batches, however, the advertisement on Rescator’s shop for cards sold under the Ronald Reagan batch does not list the total number of cards that are for sale currently. Instead, it appears to list just the first 100 pages of results, at approximately 50 cards per page. The cards range in price from $18 to $140 per card. Many factors can influence the price of an individual card, such as whether the card is a Visa or American Express card; similarly, Platinum and Business cards tend to fetch far higher prices than Classic and Standard cards.
A new ad that debuted on June 10 for a fresh batch of cards apparently stolen from PF Chang's China Bistro locations.
The ad for the Ronald Reagan batch of cards also includes guidance for potential customers who wish to fund their accounts via Western Union or MoneyGram wire transfers, advice that strongly suggests those involved in this apparent heist are once again from Russia and Eastern Europe:
“Western Union transfers will be received in the next 48-72 hours! Money Gram transfers will be received 10-11 of June. Please note: 12, 13, 14, 15 of June are the government holidays in the drops country and Money Gram transfers will be received starting Monday June 16th. This does NOT affect Western Union transfers.”
June 12 is “Russia Day,” a national holiday in Russia since 1992 that celebrates the declaration of state sovereignty of the Russian Soviet Federative Socialist Republic on June 12, 1990. “Drops” refers to individuals hired to receive money transfers on behalf of the card shop to help fund new and existing accounts. The shop also accepts payment via Bitcoin (for hopefully obvious reasons, customers cannot pay for the goods using credit cards).
It seems likely that P.F. Chang’s only learned of this breach very recently. The cards sold under the Ronald Reagan base are advertised at “100 percent valid,” meaning that fraudsters can expect all of the cards they purchase to have not yet been canceled by the issuing banks. For a deeper dive on how valid rates are a fairly reliable indicator of the recency of a breach, see my analysis of the valid rates on cards stolen in the Target, Sally Beauty and Harbor Freight break-ins.
Rescator, a miscreant closely tied to the Target breach, advertises the new batch of cards on his crime forum.
For more information on Rescator, the miscreant apparently responsible for selling (if not also stealing) the cards from this apparent breach, and in the Sally Beauty and Target breaches, see this story.

Monday, June 9, 2014

More Default Password Horror

14-year-olds hack BMO ATM using manual found online


A Winnipeg BMO branch got an unlikely security tip from two 14-year-olds when the pair managed to get into an ATM’s operating system during their lunch break last Wednesday.
The Grade 9 students, Matthew Hewlett and Caleb Turon, used an ATM operators’ manual they found online to get into the administrator mode of an ATM at a Safeway grocery store. They saw how much money was in the machine, how many transactions there had been and other information usually off-limits for the average bank customer.
“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett told the Winnipeg Sun. “When it did, it asked for a password.”
They managed to crack the password on the first try, a result of BMO’s machine using one of the factory default passwords that had apparently never been changed.
They took this information to a nearby BMO branch, where staff were at first skeptical of what the two high-schoolers were telling them. Hewlett and Turon headed back to the Safeway to get proof, coming back with printouts from the ATM that clearly showed the machine had been compromised.
The teens even changed the machine’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
The BMO branch manager called security to follow up on what the teenagers had found, and even wrote them a note to take back to school as explanation for why they were late getting back to class.
According to the Sun, the note started with: “Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting BMO with security.”
Ralph Marranca, a spokesperson for BMO’s head office, said no customer information was exposed when Turon and Hewlett probed the ATM’s system. He did not immediately respond to questions from Postmedia News about what steps the bank is taking to ensure security at its thousands of ATMs across the country.

Cryptowall Strikes Small Town Police


We “will be paying no ransom,” vows town hit by Cryptowall ransom malware

Police computers in New Hampshire hamlet crippled by crypto-based ransomware.
The town manager of a hamlet in southeastern New Hampshire has defied demands that he pay a ransom to recover police department computer files taken hostage by Cryptowall, a newer piece of malware that encrypts hard drive contents of infected machines until victims pay for them to be decrypted.
"Make no mistake, the Town of Durham will be paying no ransom," Town Manager Todd Selig was quoted as saying by CBS Boston news. Police department computers for the town of almost 15,000 residents were reportedly infected Thursday after an officer opened what appeared to be a legitimate file attachment to an e-mail. By Friday morning, widespread "issues" were hitting the department computer network. It was shut down by noon that day to prevent the infection from spreading to other systems.

The game may be RIGged


The department was reportedly hit by Cryptowall, a newer form of crypto malware that rivals the better known CryptoLocker. According to a blog post published Thursday by researchers from Cisco Systems, Cryptowall has been gaining ground since April, when it was folded into the RIG exploit kit, which is software sold in underground forums that automates computer scams and malware attacks for less technically knowledgeable criminals. Cisco's Cloud Web Security service has been blocking requests tied to more than 90 infected Internet domains pushing Cryptowall scams to more than 17 percent of service customers.
Contrary to reports that the Durham Police Department infection was the result of a malicious e-mail attachment, the RIG-fueled attacks Cisco is blocking are the result of malicious advertisements served on scores of websites, including altervista.org, apps.facebook.com, www.theguardian.com, and ebay.in. The US is the country seeing the most infected ads, followed by the UK. So-called malvertising is a scourge that uses authentic-looking ads served over legitimate networks and sites to either trick end users into clicking on malicious links or to push attack code that exploits vulnerabilities to surreptitiously install malware.
"Until May 22, RIG appears to have been making use of both newly registered domains and compromised legitimate sites to both host its landing pages and serve its exploits, all from paths ending in 'proxy.php,'" the Cisco blog post stated.
The rash of Cryptowall attacks came to light the same week that federal authorities seized a massive botnet used to spread CryptoLocker. The effects of Cryptowall on Durham were characterized as disruptive but not catastrophic.
"The functions affected are the police e-mail system and word processing, as well as spreadsheets, Excel, and other administrative tasks," Selig said. "The crime records are not affected. We do back up all of our systems, so we will work to restore what may be lost."
CryptoLocker underscored the importance not just of backups, but of so-called "cold" backups that are done offline. Because CryptoLocker encrypted files on all accessible drives, it often overwrote backup files as well as original ones. In many cases, backups were intact only when they were stored in offline systems that were protected from the infected computers. The distinction could prove particularly important to Durham residents given the refusal to pay the ransom. According to Cisco, ransom demands sent to a test computer that was infected by Cryptowall were increased three times to $600, after which time the data would be irretrievable.
"This threat should be taken seriously," Cisco researchers wrote. "Other ransomware has been known to make good on its warnings of data loss."
** Be sure to read the comments on this article here. These are very interesting & informative. - MTC

McDumpals - A Professional Carding Shop

Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs.
The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. Featuring the familiar golden arches and the bastardized logo, “i’m swipin’ it,” the site’s mascot is a gangstered-up Ronald McDonald pointing a handgun at the viewer.
Nevermind that this shop is violating a ridiculous number of McDonald’s trademarks in one fell swoop: It’s currently selling cards stolen from data breaches at main street stores in nearly every U.S. state.
Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.
I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.
This was a major innovation that we saw prominently on display in the card shop that was principally responsible for selling cards stolen in the Target and Sally Beauty retail breaches: In those cases, buyers were offered the ability to search for cards by the city, state and ZIP of the Target and Sally Beauty stores from which those cards were stolen. Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.
The slideshow may make more sense if readers familiarize themselves with a few terms and phrases that show up in the text:

GLOSSARY OF TERMS:
Base: An arbitrary name that a dumps shop assigns to a unique batch of cards stolen from a particular compromised merchant or a mix of merchants. Most often, bases are named after the state or region of the compromised merchant. Base names allow dumps shop owners to have a consistent naming convention when adding freshly stolen cards from a specific breached merchant. In addition, base names allow happy customers to have an easy way to come back to the shop and request more of the same cards; conversely, buyers who have little success “cashing out” cards from a particular base have a frame of reference with which to warn other potential buyers away from a specific batch of cards (a la “brown acid“).
BINs: Short for “Bank Identification Number,” this is the first six digits of any debit or credit card, and it uniquely identifies the financial institution that issued the card. BINs are the primary method that card shops use to index wares for sale, and all buyers have their favorite BINs with which they’ve found success in the past. There are tens of thousands of BINs in use today, and few people legitimately employed in the banking industry have comprehensive BIN lists (which most banks consider proprietary). For that, you typically need to turn to the professional card shops, which track BIN usage quite closely.
Checker: A form of buyer’s insurance, this is an automated, optional service that dumps shop customers can use after purchasing cards to validate whether the cards they just bought are still active. Most advanced shops, including this one, have “moneyback” guarantees in place that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the customer pays the extra fee (usually 10-20 cents per card) to use the shop’s own checking service.
Discounted cards sold in “packs” or at wholesale or bulk prices.
Dump: Refers to a string of data that is pulled (usually by malicious software that infects cash registers or point-of-sale devices inside compromised merchants) from the magnetic stripe on the back of cards. Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.
Packs: Large bundles of dumps (often from a variety of hacked merchants in a particular region) — sold at wholesale prices. As we can see from the screenshot above left, McDumpals sells dumps packs of more than 1,000 cards at a time. For example, in the screen shot above, the site is offering a pack of 1,245 cards stolen two months ago from stores in Massachusetts and Connecticut for the bargain price of USD $10,500.
First-hand base: A batch of cards stolen from a merchant breach in which the dumps shop proprietor himself played a key role. The multiple bases of some 40 million cards stolen in the Target breach and resold via rescator[dot]so is probably the biggest example I’ve seen of a first-hand base.
Reseller: Most dumps shops rely on multiple suppliers of stolen cards. Contrary to the conventional meaning of the word, these thieves are supplying cards that are not sold anywhere else; once a card is sold, it is removed from the marketplace, and any suppliers found to be double dipping are quickly banned from the dumps community. Rather, resellers are merely stealing the cards and then selling them to the dumps shop.
Valid rate: The dumps store’s best guess about the percentage of cards from a given base that will come back as valid versus canceled by the issuing bank. If a base is advertised at a 70 percent valid rate, customers can expect an average 3 out of every 10 cards they buy from that base to be worthless. Cards advertised at valid rates in excess of 90 percent typically demand the highest prices, and are a strong indicator of a breach that has only just been discovered by the breached merchant or some of the larger financial institutions. For more granular examples of how valid rates are closely tied to the price of stolen cards, see Fire Sale on Cards Stolen in Target Breach and Sally Beauty Hit By Credit Card Breach.

People often ask if I worry about shopping online. These days, I worry more about shopping in main street stores. McDumpals is just one dumps shop, and it adds many new bases each week. There are dozens of card shops just like this one in the underground (some more exclusive than others), all selling bases from unique, compromised merchants.

Monday, June 2, 2014

'Gameover' ZeuS Botnet

The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes.
This graphic, from 2012, shows the decentralized nature of P2P network connectivity of 23,196 PCs infected with Gameover. Image: Dell SecureWorks
The sneak attack on Gameover, dubbed “Operation Tovar,” began late last week and is a collaborative effort by investigators at the FBI, Europol, and the UK’s National Crime Agency; security firms CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee; and academic researchers at VU University Amsterdam and Saarland University in Germany. News of the action first came to light in a blog post published briefly on Friday by McAfee, but that post was removed a few hours after it went online.
Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine.
Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts. According to the Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers.
The curators of Gameover also have reportedly loaned out sections of their botnet to vetted third parties who have used them for a variety of purposes. One of the most popular uses of Gameover has been as a platform for seeding infected systems with CryptoLocker, a nasty strain of malware that locks your most precious files with strong encryption until you pay a ransom demand.
According to a 2012 research paper published by Dell SecureWorks, the Gameover Trojan is principally spread via Cutwail, one of the world’s largest and most notorious spam botnets (for more on Cutwail and its origins and authors, see this post). These junk emails typically spoof trusted brands, including shipping and phone companies, online retailers, social networking sites and financial institutions. The email lures bearing Gameover often come in the form of an invoice, an order confirmation, or a warning about an unpaid bill (usually with a large balance due to increase the likelihood that a victim will click the link). The links in the email have been replaced with those of compromised sites that will silently probe the visitor’s browser for outdated plugins that can be leveraged to install malware.
It will be interesting to hear how the authorities and security researchers involved in this effort managed to gain control over the Gameover botnet, which uses an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.
The infection and peer-to-peer (P2P) communication mechanism of Gameover ZeuS. Image: Abuse.ch
The addition of the P2P component in Gameover is an innovation designed to make it much more difficult for security experts, law enforcement or other Internet do-gooders to dismantle the botnet. In March 2012, Microsoft used a combination of legal maneuvering and surprise to take down dozens of botnets powered by ZeuS (and its code-cousin, SpyEye), by seizing control over the domain names that the bad guys used to control the individual ZeuS botnets.
But Gameover would be far trickier to disrupt or wrest from its creators: It uses a tiered, decentralized system of intermediary proxies and strong encryption to hide the location of servers that the botnet masters use to control the crime machine.
“Microsoft’s 2012 takedown action had no effect on the P2P version of ZeuS because of its network architecture,” reads Dell SecureWorks’s 2012 paper on Gameover. “In the P2P model of ZeuS, each infected client maintains a list of other infected clients. These peers act as a massive proxy network between the P2P ZeuS botnet operators and the infected hosts. The peers are used to propagate binary updates, to distribute configuration files, and to send stolen data to the controllers.”
According to McAfee, the seizure of Gameover is expected to coincide with a cleanup effort in which Internet service providers contact affected customers to help remediate compromised PCs. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) today published a list of resources that may help in that effort.
Update, 11:07 a.m. ET: The Justice Department just published a complaint (PDF) that names the alleged author of the ZeuS Trojan, allegedly a Russian citizen named Evgeniy Mikhailovich Bogachev. The complaint mentions something that this blog has noted on several occasions: that the ZeuS author used multiple nicknames, including “Slavik” and “Pollingsoon.” More court documents related to today’s action are available here.
Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber.”