Dec 30 2015

Linode DDoS Attack – Merry Xmas Sysadmins

So, the Linode DDoS attack. It seems this Christmas has been a terrible time for sysadmins, along with what happened to Steam and A Small Orange (100+ hours down). A whole lot of work during the most drunken holiday of the year; not fun. And yes, it affected me too: work-wise everything [...]
Dec 30 2015

Google slams AVG for exposing Chrome user data with “security” plugin

Safer browsing... except someone can watch everything you search?

A free plugin installed by AVG AntiVirus bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google's security research discussion list.

AVG's "Web TuneUp" tool is a free download from the Chrome Web Store intended to provide reputation-based protection against malicious websites, and it was "force-installed" by AVG AntiVirus in a way that sidestepped the checks Chrome uses to detect malicious extensions and malware. The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. But the way the plugin was built exposed that data, and the APIs behind it, to any web page, so an attacker could reach them through cross-site scripting (XSS), according to a post by Google Security researcher Tavis Ormandy on December 15.

"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote. "The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
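The following is an added illustration, not code from AVG or from Ormandy's report; it models the pattern he describes, an extension that leaves privileged helpers where ordinary page scripts can call them, and sets it beside a message-based design that checks the caller. The names (tuneupApi, tuneup.example, attacker.example) and the sample browsing history are made up for the example, and whether Web TuneUp's own code looked like this is an assumption.

```javascript
// Added example (not AVG's or Google's code). The "page" is a plain object so
// the file runs in Node without a browser.

// Constructed stand-in for data the extension can reach but a web page cannot.
const BROWSING_HISTORY = [
  'https://bank.example/accounts',
  'https://mail.example/inbox',
];

// Vulnerable pattern: privileged helpers are attached to the page's window.
// Every script running in that page, including one injected through XSS on
// the site, can now call them; no flaw in the site's own code is required.
function installVulnerableApi(pageWindow) {
  pageWindow.tuneupApi = {
    getHistory: () => BROWSING_HISTORY.slice(),
    // Navigates with no validation, so a javascript: URL runs attacker code.
    navigate: (url) => ({ navigateTo: url }),
  };
  return pageWindow;
}

// What an XSS payload does once it runs in any page: it does not attack the
// extension, it simply calls what the extension left behind.
function attackerScript(pageWindow) {
  if (!pageWindow.tuneupApi) return null;
  return {
    stolenHistory: pageWindow.tuneupApi.getHistory(),
    hijack: pageWindow.tuneupApi.navigate('javascript:alert(document.cookie)'),
  };
}

// Hardened pattern: nothing is attached to the page. The extension listens
// for window.postMessage, answers only one known origin (an assumed vendor
// origin here), and validates every request before acting on it.
const TRUSTED_ORIGIN = 'https://tuneup.example';
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function hardenedHandler(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null; // any other site is ignored
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return null;
  switch (msg.action) {
    case 'getHistory':
      return { history: BROWSING_HISTORY.slice() };
    case 'navigate': {
      let target;
      try { target = new URL(String(msg.url)); } catch { return null; }
      // Rejects javascript:, data:, file: and anything else that is not a web URL.
      if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
      return { navigateTo: target.href };
    }
    default:
      return null;
  }
}

// Demo: the same XSS payload on attacker.example tries both designs.
function runDemo() {
  const vulnerablePage = installVulnerableApi({});
  const xssEvent = { origin: 'https://attacker.example', data: { action: 'getHistory' } };
  return {
    vulnerable: attackerScript(vulnerablePage), // history leaks, navigation hijacked
    hardened: hardenedHandler(xssEvent),        // null: wrong origin, request dropped
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In a real extension the hardened variant would still be the weaker choice: Chrome already offers chrome.runtime.onMessageExternal together with an externally_connectable allow-list in the manifest, which keeps the privileged API out of page scripts entirely instead of relying on an origin check in injected code.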


Dec 29 2015

Microsoft may have your encryption key; here’s how to take it back


As happens from time to time, somebody has spotted a feature in Windows 10 that isn't actually new and has largely denounced it as a great privacy violation.

The Intercept has written that if you have bought a Windows PC recently then Microsoft probably has your encryption key. This is a reference to Windows' device encryption feature. We wrote about this feature when it was new, back when Microsoft introduced it in Windows 8.1 in 2013 (and before that, in Windows RT).

Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows, and includes options such as integration with Active Directory, support for encrypting removable media, and the use of passwords or USB keys to unlock the encrypted disk. Device encryption is more restricted. It only supports internal system drives, and it requires the use of Secure Boot, a Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware. This is because device encryption is designed to be automatic: the TPM holds the key that unlocks the disk and releases it only when the measured boot chain matches what it expects, and Secure Boot ensures that nothing has tampered with the system to get at that key.


Dec 29 2015

Happy 6th Birthday, KrebsOnSecurity!

You know you’re getting old when you can’t remember your own birthday (a reader tipped me off). Today is the sixth anniversary of this site’s launch! KrebsOnSecurity turns 6! I’m pretty sure that’s like middle age in Internet years.

Absolutely none of this would be possible without you, Dear Reader. You have supported, encouraged and inspired me in too many ways to count these past years. The community that’s sprung up around here has been a joy to watch, and essential to the site’s success. Thank you!

I tried for at least one post per weekday in 2015, and came close, publishing some 206 entries this year (not counting this one). The frequency of new posts suffered a bit from September to November, when I was on the road nearly 24/7 for a series of back-to-back speaking gigs. Fun fact: Since its inception, this site has featured some 1,200 stories that generated more than 62,000 reader comments.

Here’s wishing you all a very happy, healthy, wealthy and safe New Year. Below are some of the KrebsOnSecurity posts that readers found most popular in 2015 (minus the Ashley Madison and Lizard Squad stuff), along with one or two of my personal favorites, in no particular order.

How I Learned to Stop Worrying and Embrace the Security Freeze — Credit monitoring services offered in the wake of umpteen breaches this year won’t stop ID thieves from stealing your good name.

What’s in a Boarding Pass Barcode? – Sometimes the stories intended to be written in a “hey-did-you-know” format turn into national news. Who knew?

How Carders Can Use eBay as a Virtual ATM – “Triangulation fraud” is big business.

Sign Up at the IRS Before Crooks Do It For You – This story about how ID thieves used the IRS’s own site to steal taxpayer data was published three months before the IRS acknowledged that some 330,000 taxpayers had been impacted.

Intuit Failed at Know-Your-Customer Basics – Much of the tax refund fraud problem can be traced back to poor or non-existent authentication at online tax preparation firms, like TurboTax.

Hacker Who Sent Me Heroin Faces Charges in the U.S. – A stranger-than-fiction story about a cybercrime kingpin who tried to frame me for drug possession and failed spectacularly.

Bluetooth ATM Skimming Series in Mexico – I traveled to Cancun in September to chronicle the work of an ATM skimming gang that was bribing ATM technicians to get access to the insides of the cash machines.

Gas Theft Gangs Fuel Pump Skimming Scams – It’s truly remarkable how much effort crooks will put into extracting value from stolen credit and debit cards.

Inside Target Corp., Days After 2013 Breach – I got to look at a confidential, internal penetration test that Target commissioned just days after learning it had lost 40 million credit cards. It wasn’t pretty.

A Day in the Life of a Stolen Healthcare Record – Healthcare organizations have some serious and difficult security challenges ahead of them. I think that explains the reader interest in this story, coupled with the fact that there are so few stories out there about stolen medical info showing up for sale in the cybercrime underground.