Updates for Spectre and Meltdown

Jason Howell and Megan Morrone talk to Ed Bott from the Ed Bott Report on ZDNet about what every Windows Admin needs to know about Spectre and Meltdown and four steps to keeping a level head during this vulnerability and the next. Plus, what might have happened if the update had been able to come out on Microsoft’s Patch Tuesday as planned, instead of being rushed because of the embargo breach.


This Week in Tech 648: Distracted by the Robots

The best explanation for the Meltdown and Spectre computer flaws comes from a comic strip. Apple eats crow over slowing iPhones. Magic Leap might not be vaporware after all – will this lead to the death of smartphones? CES 2018 predictions. Prediction #1: no Ajit Pai. SWATting death: who is to blame? Border agents’ phone searches are way up just as new rules limiting searches are drafted. Please stop giving this man money: Juicero founder now hawking bacteria-filled “raw water.”

Here’s what you should know, and do, about the Yahoo breach

By Lucian Constantin | IDG News Service | PCWorld

Yahoo’s announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale—it’s the largest data breach ever—and the potential security implications for users.

That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

An email compromise is one of the worst data breaches that a person could experience online, so here’s what you should know:

Fifty shades of hashing

Yahoo said that the “vast majority” of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a fixed-length, random-looking string that stands in for it; this output is called a hash.

Hashes are not meant to be reversible, which is why they are used to store passwords. You take the input, such as a password, pass it through the hashing algorithm and compare the result to the hash stored earlier.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is fast and, as commonly deployed, unsalted, so that attackers with GPUs can test billions of guesses per second against a stolen database, bcrypt is deliberately slow, carries a per-password salt and has a tunable work factor, and is considered a much stronger choice for password storage. This means that in theory, the likelihood of hackers cracking “the vast majority” of Yahoo passwords is low, at least for passwords that were not trivially guessable to begin with; no hashing scheme rescues “123456”.
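To make the difference concrete, here is an added example (not code from Yahoo or from the original article) contrasting a fast unsalted hash with a salted, deliberately slow one. bcrypt itself is not in the Python standard library, so PBKDF2-HMAC-SHA256, which is also salted and tunably slow, stands in for it; the contrast with MD5 is the same. The wordlist and passwords are constructed for the demonstration.

```python
"""Fast unsalted hashing vs. salted, deliberately slow hashing.

Added example; bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256
stands in for it. The wordlist and the passwords are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed attacker wordlist: the kind of list that cracks weak passwords
# no matter which algorithm protected them.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]


def md5_hash(password: str) -> str:
    """Legacy scheme: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stolen_hashes: set[str], wordlist) -> dict[str, str]:
    """With no salt, hashing each guess once tests it against every user at once."""
    found = {}
    for guess in wordlist:
        h = md5_hash(guess)
        if h in stolen_hashes:
            found[h] = guess
    return found


def slow_hash(password: str, salt: bytes | None = None, iterations: int = 20_000) -> str:
    """Salted, iterated hash stored as a self-describing record: algo$iters$salt$hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: list[str], wordlist) -> tuple[dict[str, str], int]:
    """Every (user, guess) pair costs a full slow hash: no work is shared across users."""
    found, work = {}, 0
    for rec in records:
        for guess in wordlist:
            work += 1
            if verify(guess, rec):
                found[rec] = guess
                break
    return found, work


def demo() -> dict:
    """Run both attacks over the same constructed users and report the cost."""
    users = {"alice": "password123", "bob": "letmein", "carol": "Tr0ub4dor&3"}
    md5_db = {md5_hash(p) for p in users.values()}
    md5_found = crack_unsalted(md5_db, WORDLIST)
    slow_db = [slow_hash(p) for p in users.values()]
    slow_found, slow_work = crack_salted(slow_db, WORDLIST)
    return {
        "md5_cracked": sorted(md5_found.values()),
        "md5_hashes_computed": len(WORDLIST),
        "slow_cracked": sorted(slow_found.values()),
        "slow_hashes_computed": slow_work,
    }


if __name__ == "__main__":
    print(demo())
```

The weak passwords fall to the wordlist under both schemes; the difference is that the unsalted store costs the attacker one hash per guess for the whole database, while the salted, iterated store costs one slow hash per guess per user, and that cost is what the work factor lets the defender raise over time.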

But here’s the problem: Yahoo’s wording suggests that most, but not all passwords were hashed with bcrypt. We don’t know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn’t been specified in Yahoo’s announcement or FAQ page suggests that it’s an algorithm that’s weaker than bcrypt and that the company didn’t want to give away that information to attackers.

In conclusion, there’s no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.

Don’t keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won’t ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you’re among the people who don’t delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don’t provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn’t even recommend using security questions anymore, so you can go into your account’s security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those “set it and forget it” features. The option is buried somewhere in the email account settings that you never check and if it’s turned on there’s little to no indication that it’s active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication—this is sometimes called two-step verification—for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device. Where you have the choice, prefer the app-generated code: text messages can be intercepted or redirected to an attacker through a SIM swap.

It’s an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don’t reuse passwords; just don’t

There are many secure password management solutions available today that work across different platforms. There’s really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such an incident.

These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools, can direct users to websites that ask them for additional information under the guise of “verifying” their accounts and so on.

Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident came from the affected service provider or a trusted source.

UK spy agency says to hackers: Come work for us

The UK government surveillance agency GCHQ needs more hackers. The normally secretive agency has taken the unusual step of posting a job advert – and a press release – about its hunt for IT security staff.

It’s the first time GCHQ has openly recruited for what it describes as ‘computer network operations specialists’.

The job description throws a little more light on the role: “In cyber security roles, our operations specialists may find themselves working in a team, or seeking to defend government systems against criminals seeking to steal information, identities or money,” it says.

What’s particularly interesting is that while the agency is looking for staff to work in cyberdefence – the relatively standard job of detecting and preventing attempts to attack the UK’s critical national infrastructure – it’s also looking for ‘cyber intelligence’ experts who will take a more exotic approach.

“Cyber intelligence specialists might need to develop software to access the computers of a terrorist group, or carry out operations to retrieve vital online clues about the location and identity of members of an organised crime ring,” GCHQ said.

We know from the Snowden revelations that GCHQ has a long history of using such techniques. Among other things, it has been accused of involvement in the hacking of SIM maker Gemalto in an attempt to grab encryption keys used for mobile phones, and of launching a distributed denial-of-service attack against Anonymous hacktivists (in both cases GCHQ said all of its work “is carried out in accordance with a strict legal and policy framework”).

So why go public now?

Partly it’s because – thanks to such news stories and leaks – everybody now knows that GCHQ does this sort of thing, so there’s little point in pretending anymore.

GCHQ’s more public stance is also a reflection of greater openness about the capabilities of the intelligence service: the UK government recently published a set of draft guidelines which lay out how spies can use electronic hacking and bugging devices, in order to provide a legal framework for the activities of the UK’s security and intelligence agencies at home and abroad.

Some of this openness is a (reluctant) result of Snowden, some of it the result of the gradual maturing in cyberdefence and offensive strategies: for example, the US is being much more open about its cyber capabilities. As a result, these sorts of activities are slowly emerging from the shadows.

Being more open about recruitment could help the agency find candidates who would otherwise be reluctant to apply. That matters because GCHQ is hardly the only organization hiring when it comes to IT security.

There’s a national and international shortage of security experts, and other recruiters – like the big banks – have got much deeper pockets. In contrast, GCHQ is offering a starting salary of £27,913 and you’ll need to pass security check too.

Admittedly, high-paid corporate jobs in financial services and the like don’t offer exciting work taking on organised crime, but equally they don’t require you to relocate to Cheltenham or Scarborough, either.

All of this means that, for once, even for GCHQ, a bit of publicity can’t hurt.

via UK spy agency says to hackers: Come work for us | ZDNet.

Why hackers may be stealing your credit card numbers for years

While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.

The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry’s Data Security Standards (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.

But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data stored in memory that is vulnerable to harvesting by malicious software.

The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.

So why are the data thieves winning? Security analysts say point-of-sale malware is neither new nor particularly sophisticated. Programs such as Backoff, BlackPOS and JackPOS hunt down clear-text payment card details jammed in a jumble of data in a computer’s memory, a process known as “RAM scraping.”

Merchants who handle card data are required to be PCI-DSS compliant or face liability if cardholder data leaks. But the latest security specification, PCI-DSS version 3.0, doesn’t mandate that merchants use technologies that encrypt card data from the moment a person’s card is swiped, referred to as point-to-point encryption.

Using that kind of technology would eliminate the in-memory malware problem, security experts say.

The PCI Security Standards Council, which develops PCI-DSS, did recommend last Wednesday that merchants switch to using that kind of encryption technology.

But retailers often have long technology refresh cycles, so it could be five to seven years before most move to it. Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones who have not, said Avivah Litan, a Gartner analyst who consults with banks and card companies.

“In general, I think we are stuck with these point of sale breaches for many years,” Litan said.

Full Story: Why hackers may be stealing your credit card numbers for years | PCWorld.

Hackers target Domino’s Pizza, demand $40,000 ransom for customer data

Hackers have targeted Domino’s Pizza servers and claim to have downloaded details of over 650,000 customers. The group, calling itself Rex Mundi, has said that unless the company pays up €30,000 (around $40,600 USD / £24,000 GBP) by today, it will publish the full database online.

The database includes details of more than 592,000 customers of the pizza chain in France, and a further 58,000 in Belgium. The group said that the records include “customers’ full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).”

Rex Mundi said that it had contacted Domino’s in France and Belgium to tell them of the vulnerability on their servers “and to offer them not to release this data in exchange for 30,000 Euros.” In its post, made several days after the hack, the group said: “So far, Domino’s Pizza has not replied to our demands. We would also like to point out that both of their websites are still up and vulnerable.”

As The Telegraph reports today, Domino’s France has publicly acknowledged the hack and contacted users to recommend that they change their passwords. Meanwhile, the head of Domino’s Netherlands, Andre ten Wolde, has also commented, despite Dutch customers apparently not being affected by the breach.

He told Dutch-language Belgian newspaper De Standaard: “There are clear indications that something is broken on our server. The information contained in them is protected. Financial data, such as credit cards, has not been stolen.” He added that the company would not be paying the ransom demand.

The hackers have already posted a sample of customer data online, and say that they will post the database in its entirety if they do not receive the payment that they demand by 8pm CET today (Monday, June 16).

via Hackers target Domino’s Pizza, demand $40,000 ransom for customer data – Neowin.

Hackers break into Mt. Gox’s servers, claim the company still has customers’ bitcoins

While the Bitcoin community is impatiently waiting for Mt. Gox to provide details on the massive hacker attack that stole 6 percent of all the Bitcoin in the world, a group of hackers, who claim to have broken into the bankrupted Bitcoin exchange’s servers, said that the company still has at least some of customers’ Bitcoins.

According to a Forbes report, the hacker group on Sunday took over the personal blog and Reddit account of Mt. Gox’s CEO Mark Karpeles to announce that the exchange has access to a portion of the Bitcoins that the company had said were stolen from customers.

To support the claim, the group uploaded a series of files including an Excel spreadsheet of over a million trades, a screenshot purportedly confirming the hackers’ access to the data, a list of Mark Karpeles’ home addresses, his personal CV, and more.

Hackers also point to a balance file, which reportedly shows a balance of 951,116 Bitcoins, to prove that Mt. Gox’s claim to have lost customers’ Bitcoins to hackers is nothing but a lie. “That fat fuck has been lying!!”, a note in the file from the hackers reportedly reads.

While the legitimacy of the database dump is yet to be verified, the figure could also reflect an accounting mismatch between the company’s records and its actual store of Bitcoins, the report says. The stolen coins have not yet appeared on the Bitcoin blockchain, the public ledger of transactions that prevents fraud and forgery in the Bitcoin economy, suggesting that whoever has them isn’t spending them at the moment.

In another, possibly related event, a user on the BitcoinTalk forum posted a message offering a 20 GB stolen database from Mt. Gox for 100 Bitcoins. According to the user, the database contains Mt. Gox users’ personal details and passport scans.

via Hackers break into Mt. Gox’s servers, claim the company still has customers’ bitcoins – TechSpot.

Target hackers have more data than they can sell

What’s the downside to successfully stealing 40 million credit card numbers from Target? Trying to sell the data.

There’s a thriving economy among cybercriminals, some of whom specialize in stealing credit card numbers to others who figure out a way to profit. But it’s also constrained by supply and demand.

Too many card numbers on the market inevitably drives the price of a set of details down. Card information, referred to in underground forums as “dumps,” is often priced according to how recently the details were stolen, the card’s likely spending limit and whether the hackers have captured a PIN for the card.

Prices can range from a few dollars up to $100. Cybercriminals often advertise the kind of data they’ve captured from the card’s magnetic stripe, which has three so-called “tracks,” each containing data.

“Track 1” data contains a card number, the victim’s name and the card’s expiration date, and Track 2 data contains the card number and expiration date. The third track is rarely used.
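The RAM-scraping malware described in the retail piece above and the track layout described here are two sides of the same pattern: Track 1 and Track 2 have rigid, recognisable formats, so a regular expression over process memory finds them, which is exactly what Backoff-style tools do and exactly what a defender can do to check whether a point-of-sale host is holding clear-text card data. The following is an added example, not code from any vendor or malware family named on this page, that sweeps a memory buffer for both track formats and uses the Luhn check to discard random digit runs. The buffer and the card numbers are constructed (well-known test PANs), not real cardholder data; reading a live process would require /proc/<pid>/mem or ReadProcessMemory in place of the constructed bytes.

```python
"""Defensive sweep for clear-text magnetic-stripe track data in a memory image.

Added example. SAMPLE_MEMORY and the PANs in it are constructed (industry test
numbers); no real cardholder data is involved.
"""
from __future__ import annotations

import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})[^?]{0,40}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: real PANs pass, most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI-DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[dict]:
    """Return Luhn-valid track hits with offset, masked PAN and expiry, ordered by offset."""
    hits = []
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue  # looks like a track but the PAN is not a valid card number
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),  # never log the full PAN
                "exp": m.group("exp").decode(),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process memory dump: filler, an HTTP fragment,
# one card present as both tracks, a Luhn-invalid decoy, and a second card.
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b"GET /pos/checkout HTTP/1.1\r\n"
    + b"%B4111111111111111^DOE/JANE^25121010000000000?"  # track 1, test PAN
    + b"\x00" * 32
    + b";4111111111111111=25121010000000000?"  # track 2 of the same card
    + b"\x00" * 16
    + b";1234567890123456=2512101?"  # decoy: right shape, fails Luhn
    + b";5500000000000004=2606101?"  # second card, track 2, test PAN
    + b"\x00" * 64
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Run against a real dump, a non-empty result from this sweep is the finding VandenBrink describes: card data sitting in memory in the clear, which point-to-point encryption at the reader would remove.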

“You can imagine that having a lot of stolen credit cards will not net the hackers, say $35 per card for all 40 million,” said Alex Holden, who runs a cybercrime consultancy, Hold Security. “Even if the hackers are willing to sell cards for $1 a card, no one will buy the stolen goods in these amounts.”

Target said attackers likely intercepted 40 million debit and credit card numbers between Nov. 27 and Dec. 15, 2013, one of the busiest shopping periods in the U.S. Target CEO Gregg Steinhafel said in an interview with CNBC on Sunday that malware was discovered on point-of-sale terminals.

How those terminals were infected is still a mystery. Computer security experts are keeping a close eye on underground forums where the data is traded, looking for clues as to who may be responsible.

So far, they haven’t seen much.

“We have seen some comments by other hackers that would suggest that there was no sound exit strategy by the thieves,” Holden said. “Right now, they are maybe laying low knowing that everyone is looking for them.”

via Target hackers have more data than they can sell | PCWorld.

Hackers claim to expose phone information of 4.6 million Snapchat users

Phone numbers paired with user names of over 4.6 million alleged Snapchat users were posted online by hackers, a few days after a security research group claimed a vulnerability in the social sharing service that could allow attackers to match phone numbers to Snapchat accounts.

“This database contains username and phone number pairs of a vast majority of the Snapchat users,” said a post on website SnapchatDB.info. The account has since been suspended, apparently by the hosting service. A cached version of the site can be viewed here.

The information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue, according to the post. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it,” it added.

The hackers said they had “censored” for now the last two digits of the phone numbers in order to minimize spam and abuse, but asked people to contact them for the uncensored database, which they may agree to release under certain circumstances.

Gibson Security had published proof-of-concept code last week that takes advantage of the “find_friends” feature in the Snapchat application programming interface (API) to iterate and match the phone numbers of users to their Snapchat accounts in a short period of time. Gibson first revealed the vulnerability and other issues in August.

“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” Snapchat wrote in response last week. “Over the past year we’ve implemented various safeguards to make it more difficult to do,” it added. “We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”

After the release of the SnapchatDB database, Gibson said in a Twitter message that it knew nothing about SnapchatDB, but it was a matter of time until something like it happened. “Also the exploit works still with minor fixes,” it added.

Snapchat could not be immediately reached for comment.

“People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with,” according to the post on SnapchatDB.info.

via Hackers claim to expose phone information of 4.6 million Snapchat users | PCWorld.

Beware scammers gathering data via fake social net IDs

Spear phishing is one of the most effective ways to break into a corporate network, and recent studies show that employees can be easily tricked on social media to provide the information needed to launch attacks.

A phishing attack is only as good as the information hackers are able to gather on the intended victim, who is less likely to click on a malicious link or attachment in an email that does not appear to come from a trusted sender. As a result, criminals often research their targets on the Web.

For example, Websense Security Labs recently found a fake LinkedIn profile gathering information that could be used in future attacks.

The profile summary pretends to be that of “Jessica Reinsch,” a made-up employee of a real dating Web site that connects young women with older, wealthy men. The site is located in Switzerland.

While Websense did not find any malicious code on the site, the vendor did find other related domains hosting “suspicious code.” In addition, the IPs used to host the site are in the same autonomous system number (ASN) as multiple exploit kit command and control URLs, including those for RedKit and Neutrino, according to Websense.

The bogus profile had more than 400 connections with legitimate LinkedIn members, giving whoever was behind the account access to people’s current employer, job titles, and connections on the network, which has more than 250 million members.

Jeff Debrosse, director of security research at Websense, said such information would be used to build a social graph of prominent individuals that could be used in spear-phishing attacks.

“That’s worth a lot of money to the buyers of that information,” Debrosse told CSOonline.

Businesses warned

While reconnaissance on potential victims grows more sophisticated, corporations appear to underestimate the threat. Almost 60 percent of 300 IT executives, administrators and professionals in U.S. organizations rated phishing as a “minimal” impact threat, according to an unscientific survey by ThreatSim.

While rating phishing as a low-level threat, more than one in four of the respondents reported phishing attacks that led to a “material breach within the last year.” ThreatSim defined “material” as some form of malware infection, unauthorized access, and stolen data.

During a presentation at the RSA Europe security conference in Amsterdam last week, a cyberdefense specialist described an experiment that showed the effectiveness of using fake profiles on LinkedIn and Facebook to launch an attack.

Aamir Lakhani with IT service provider World Wide Technology described how the fake profile of an attractive female named Emily Williams was used to eventually get employees of an unnamed U.S. government agency to click on a link that could easily have been used to launch malware.

The bogus profile claimed Williams was a new hire at the agency, a 28-year-old graduate of the Massachusetts Institute of Technology with ten years of experience. The researchers set up information about the woman on other Web sites to make the profile seem more credible.

Within 15 hours of launching the profile, Williams had 60 Facebook and 55 LinkedIn connections with agency employees and contractors. After 24 hours, she had three job offers from other companies.

The experiment pointed to the need for continuous training in organizations to reduce the chance of employees becoming victims of phishers.

“In the military it’s called situational awareness,” Lakhani told IDG News Service. “We need to develop situational awareness for this type of attack.”

via Beware scammers gathering data via fake social net IDs | PCWorld.