What’s New In Android 8.0 Oreo Security

In addition to the many tweaks and new features in Google’s Android 8.0 Oreo operating system introduced last month, the biggest changes are its security enhancements.

Oreo security additions are meaningful and go far beyond what recent OS updates have brought to the table.

With Android Oreo (referred to as simply O), Google has elevated security, introducing important device hardening such as Project Treble, System Alerts, device permissions and Verified Boot.

“With Android O, Google introduces a major re-architect of the Android OS framework,” said Kyle Lady, senior research and development engineer at Duo Security. “There are some big changes that will impact users, developers and device manufacturers for years to come.”

Mobile security experts point to the introduction of Project Treble in O as a major security milestone for Google. Project Treble is Google’s revamp of the Android OS framework—separating the vendor implementation (device-specific, lower-level software written by third-party manufacturers) from the Android OS framework.

One of the goals of Project Treble is to streamline the often maligned Android patching process that security experts say is one of the weakest links in Android security defenses. According to Google’s Android Security 2016 Year In Review, more than half of Android devices haven’t received a security update in the past year.

Project Treble

Project Treble aims to remedy that by making it easier, faster, and cheaper for OEMs and components manufacturers to send out Android updates.

Project Treble separates the hardware-specific drivers and firmware supplied by companies such as Samsung or Qualcomm from the Android operating system. The implications are significant for rolling out OS updates: the framework can be updated without waiting for a new, matching chipset release. Google said that by creating this modular base for Android it will be able to support updates on older hardware that OEM partners may no longer support.

“Project Treble is part of a long term strategy that is going to help out all the Android OS stakeholders well past this latest OS release,” said Andrew Blaich, security researcher at Lookout.

With Project Treble, Google puts the Android OS framework and the vendor-specific implementation into different processes that communicate with each other through a standard vendor interface. That vendor interface is maintained from version to version, which means a new Android OS framework can run with minimal changes on top of an older device's vendor implementation.

Android Compartmentalization

That strategy of segmenting the platform, which allows components to be managed more efficiently and contains a vulnerability in one of them should something go awry, is another meaningful part of Project Treble and part of Google's ongoing effort to reduce Android's attack surface.

“Attack surface reduction means several different things. How do we make sure an application can only do what it is intended to do? How do we minimize the surface that is exposed? How do we contain processes within Android and follow the principle of least privilege?” said Nick Kralevich, head of Android platform security at Google at a recent Black Hat talk.

For a long time, Google approached security differently, focusing on exploit mitigations such as stack protectors (-fstack-protector) and ASLR, and on compiler checks that catch format string vulnerabilities. Those mitigations remain, but the emphasis has shifted.

By further reducing the attack surface in Oreo, Google believes it is taking a smarter approach to stopping the next Stagefright-like vulnerability.

In the old model, attackers could achieve remote code execution inside the monolithic mediaserver process and then chain further vulnerabilities to escape its SELinux confinement. That changed in Android 7 (Nougat), where mediaserver was split into seven less-privileged components such as mediaextractor and mediadrmserver, so that a bug in any one of them no longer yields mediaserver's full set of permissions.

With Project Treble, Google accelerates that compartmentalization and introduces a set of new hardware abstraction layers (HALs) for audio, camera and DRM inside the media framework. Each HAL runs in its own process and sandbox, so framework components no longer need direct access to hardware drivers and kernel device nodes, which makes it harder for an attacker to chain vulnerabilities into a full compromise of an Oreo device.

Kernel Lockdown

The reduction of user space attack surface has shifted the focus of bad guys and researchers alike to finding vulnerabilities in the Android kernel. In 2014, Google said, kernel bugs accounted for four percent of the security bugs reported to it, compared with 39 percent today.

To address that shift, Android O limits app access to the kernel by installing a seccomp filter. Seccomp (short for secure computing mode) is a Linux kernel feature that filters system calls using a configurable policy; Android O applies its filter to every app process spawned by zygote, blocking the system calls that bionic, Android's C library, does not use. Google said that removing unused system calls reduced the kernel attack surface.

“In Android-powered devices, the kernel does the heavy lifting to enforce the Android security model. As the security team has worked to harden Android’s userspace and isolate and deprivilege processes, the kernel has become the focus of more security attacks,” wrote Paul Lawrence, security engineer with the Android development team, earlier this year.

Seccomp makes unused system calls inaccessible to application software. Because these syscalls cannot be accessed by apps, they can’t be exploited by potentially harmful apps, Lawrence said.

Better App Management and Controls

With Oreo, Google is also rethinking app permissions and scaling back what they are allowed to do.

One of the most common ways attackers try to exploit a device is by building malware into an application. Despite the fact Google does a lot of verification on its Play Store to ensure no malware is present in applications, users can side-load an application from a third-party app store.

In order to side-load an app, a user must first permit the installation of apps from “unknown sources” via a checkbox. That permission has been an all or nothing choice—allow one unknown third-party and allow them all.

Oreo changes this by making the permission per-app: each app that wants to install packages (a browser, a third-party store, a file manager) must be individually allowed to install unknown apps, instead of one checkbox enabling them all. That means a drive-by download cannot be installed silently; the app that delivered it must already hold the per-app permission, and the user is still forced to decide whether to install the package and what its permissions should be.

System Alert

As part of Android O’s reeling in of app permissions, Google said it will also beef-up security on its System Alert window functionality. The System Alert feature allows developers to create apps that can pop-up or display windows on top of all other Android apps running on a handset.

This feature has been abused by malicious developers who create windows that sit persistently over every other app on the device. Victims are asked to pay a ransom to make the window go away, or are tricked into typing credentials into attacker-controlled text fields drawn over a legitimate login screen. In Android O, whenever an app is drawing over other apps the system shows a persistent notification saying so; tapping it takes the user to a setting where the overlay can be turned off.
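As an added example (not code from the article or from Google), here is how an app targeting Android 8.0 handles the two permission gates described above, and the touch-filtering defence a sensitive screen should apply against overlay attacks. The install gate assumes the app declares `android.permission.REQUEST_INSTALL_PACKAGES` in its manifest; request codes and the class name are arbitrary.

```java
// Added example (not from the article or from Google): the two Android 8.0
// permission gates discussed above, plus the app-side overlay defence a
// sensitive screen should apply. Requires compileSdkVersion 26 or higher and
// <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
// in the manifest for the install gate.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import android.view.View;

public final class OreoPermissionGates {

    private static final int REQ_UNKNOWN_SOURCES = 1001; // arbitrary request codes
    private static final int REQ_OVERLAY = 1002;

    private OreoPermissionGates() {}

    /**
     * Pre-Oreo there was one global "Unknown sources" switch. On Oreo the grant
     * is per package: this app must hold REQUEST_INSTALL_PACKAGES and the user
     * must have enabled it for this app in Settings. If not, send the user to
     * the per-app screen and do not attempt the install.
     */
    public static boolean ensureCanInstallPackages(Activity activity) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            return true; // the global switch applies; nothing per-app to check
        }
        if (activity.getPackageManager().canRequestPackageInstalls()) {
            return true;
        }
        Intent intent = new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES,
                Uri.parse("package:" + activity.getPackageName()));
        activity.startActivityForResult(intent, REQ_UNKNOWN_SOURCES);
        return false;
    }

    /**
     * SYSTEM_ALERT_WINDOW is a user-granted special permission, and on Oreo the
     * system shows a persistent "displaying over other apps" notification while
     * such a window is up. A legitimate overlay app checks the grant rather
     * than assuming it.
     */
    public static boolean ensureCanDrawOverlays(Activity activity) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true; // granted at install time before Marshmallow
        }
        if (Settings.canDrawOverlays(activity)) {
            return true;
        }
        Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                Uri.parse("package:" + activity.getPackageName()));
        activity.startActivityForResult(intent, REQ_OVERLAY);
        return false;
    }

    /**
     * Defence for the victim side of the overlay attacks described above: a
     * login button or PIN pad that refuses touches delivered while another
     * window covers it (tapjacking). The framework discards such events for
     * the view, so a fake overlay cannot relay clicks through to it.
     */
    public static void hardenAgainstTapjacking(View sensitiveView) {
        sensitiveView.setFilterTouchesWhenObscured(true);
    }
}
```

The two `ensure...` methods return false after launching the settings screen; the caller should retry the action from `onActivityResult` rather than assuming the grant was given.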

Verified Boot System

Android has had a Verified Boot system since Android 4.4 in 2013. It checks the integrity of the boot and system partitions against a cryptographic signature as the OS loads, so that tampered system software is detected before it runs.

Now with Oreo, Verified Boot goes a step further and adds rollback protection: the device records a rollback index and refuses to boot an OS image older than the one it has already run, so an adversary cannot downgrade the system to an older, more vulnerable version and boot it.

The Verified Boot state is also exposed through hardware-backed key attestation, so an app or a mobile device management service can confirm that the device booted a verified image and is running a particular security patch level before granting access to a banking app or an enterprise resource.
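As an added example (not the article's or Google's code), this is how an app obtains that proof on a device running Android 7.0 or later: it asks the hardware keystore for a key pair with a server-supplied challenge, and the resulting certificate chain carries an attestation extension that records the verified boot state and the OS patch level. The key alias and the shape of the server check are assumptions; the real verification must happen on the server.

```java
// Added example (not the article's or Google's code): requesting a fresh
// hardware-backed key pair whose certificate chain attests the Verified Boot
// state and OS patch level. The alias is assumed; the challenge must come
// from the server so a replayed chain is rejected.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;

public final class BootStateAttestation {

    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "attest-demo"; // assumed alias
    /** OID of the Android key attestation extension in the leaf certificate. */
    public static final String ATTESTATION_EXT_OID = "1.3.6.1.4.1.11129.2.1.17";

    private BootStateAttestation() {}

    /**
     * Generate a key pair in the hardware keystore. Because an attestation
     * challenge is supplied, the leaf certificate carries the attestation
     * extension: its RootOfTrust field records verifiedBootState and its
     * osPatchLevel field records the patch level the device booted with.
     */
    public static Certificate[] attestDevice(byte[] serverChallenge) throws Exception {
        KeyPairGenerator kpg =
                KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        KeyGenParameterSpec spec =
                new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                        .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                        .setDigests(KeyProperties.DIGEST_SHA256)
                        .setAttestationChallenge(serverChallenge) // binds the chain to this request
                        .build();
        kpg.initialize(spec);
        kpg.generateKeyPair();

        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return ks.getCertificateChain(ALIAS); // leaf first, ending at the attestation root
    }

    /**
     * Client-side sanity check only: confirm the leaf carries the attestation
     * extension before uploading the chain. The trustworthy verification
     * (chain validates to the Google attestation root, challenge matches,
     * verifiedBootState is Verified, osPatchLevel is recent enough) must run
     * on the server, because a compromised device can lie about itself locally.
     */
    public static boolean hasAttestationExtension(Certificate[] chain) {
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        return ((X509Certificate) chain[0]).getExtensionValue(ATTESTATION_EXT_OID) != null;
    }
}
```

The chain is what the app sends to its backend; a banking or MDM server that trusts the device's own word about its boot state, instead of validating the chain, has checked nothing.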

Better, More Secure Protocols

Looking past features, Lookout's Blaich said he is impressed with Oreo's attention to deprecating the use of older insecure protocols for network connections. "The use of SSLv3 for secure HTTPS connections is being discontinued, this prevents the device and its apps from using a known insecure protocol that could leak sensitive data," he said. He added that Google has also hardened certain network connection APIs so they no longer fall back to older TLS versions that can leak sensitive data.

Reaping The Rewards

Right now, Android Oreo is only available on a handful of Google Pixel smartphones. According to Google, over the next six months O will be pushed out to third-party flagship handsets made by Samsung, LG and HTC. But it could take years for the benefits of Android O to reach the masses, because adoption of new Android versions is slow. Android 7.0 (Nougat) was introduced in Aug. 2016, and a full year after its release it is only now running on half of Android devices, according to Duo Security.

“Android O is a big step forward,” said Duo Security’s Lady. He said with O, Google closes the security gap on the iPhone. “It used to be if you cared about security you had to pay a premium and buy an iPhone. Soon, even a $50 Android device running O will be on par with a $1,000 iPhone X when it comes to security.”

September 20, 2017: Registered Nurse Sentenced for Tampering with Fentanyl

Experian Site Can Give Anyone Your Credit Freeze PIN

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. 

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017 .

Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice. Image: Rob Jacques.

I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.

This is yet another example of how someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.

Equifax Breach: Setting the Record Straight

Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

In my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service‘s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.

ANALYSIS

Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.

EQUIPHISH

On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to give away its free one-year of credit monitoring service. That site is https://www.equifaxsecurity2017.com, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.

FREEZING UP

Under intense public pressure from federal lawmakers and regulators, Equifax said that for 30 days it would waive the fee it charges for placing a security freeze on one’s credit file (for more on what a security freeze entails and why you and your family should be freezing their files, please see The Equifax Breach: What You Should Know).

Unfortunately, the free freeze offer from Equifax doesn’t mean much if consumers can’t actually request one via the company’s freeze page; I have lost count of how many comments have been left here by readers over the past week complaining of being unable to load the site, let alone successfully obtain a freeze. Instead, consumers have been told to submit the requests and freeze fees in writing and to include copies of identity documents to validate the requests.

Sen. Elizabeth Warren (D-Mass) recently introduced a measure that would force the bureaus to eliminate the freeze fees and to streamline the entire process. To my mind, that bill could not get passed soon enough.

Understand that each credit bureau has a legal right to charge up to $20 in some states to freeze a credit file, and in many states they are allowed to charge additional fees if consumers later wish to lift or temporarily thaw a freeze. This is especially rich given that credit bureaus earn roughly $1 every time a potential creditor (or identity thief) inquires about your creditworthiness, according to Avivah Litan, a fraud analyst with Gartner Inc.

In light of this, it’s difficult to view these freeze fees as anything other than a bid to discourage consumers from filing them.

The Web sites where consumers can go to file freezes at the other major bureaus — including TransUnion and Experian — have hardly fared any better since Equifax announced the breach on Sept. 7. Currently, if you attempt to freeze your credit file at TransUnion, the company’s site is relentless in trying to steer you away from a freeze and toward the company’s free “credit lock” service.

That service, called TrueIdentity, claims to allow consumers to lock or unlock their credit files for free as often as they like with the touch of a button. But readers who take the bait probably won’t notice or read the terms of service for TrueIdentity, which has the consumer agree to a class action waiver, a mandatory arbitration clause, and something called ‘targeted marketing’ from TransUnion and their myriad partners.

The agreement also states TransUnion may share the data with other companies:

“If you indicated to us when you registered, placed an order or updated your account that you were interested in receiving information about products and services provided by TransUnion Interactive and its marketing partners, or if you opted for the free membership option, your name and email address may be shared with a third party in order to present these offers to you. These entities are only allowed to use shared information for the intended purpose only and will be monitored in accordance with our security and confidentiality policies. In the event you indicate that you want to receive offers from TransUnion Interactive and its marketing partners, your information may be used to serve relevant ads to you when you visit the site and to send you targeted offers.  For the avoidance of doubt, you understand that in order to receive the free membership, you must agree to receive targeted offers.

TransUnion then encourages consumers who are persuaded to use the “free” service to subscribe to “premium” services for a monthly fee with a perpetual auto-renewal.

In short, TransUnion’s credit lock service (and a similarly named service from Experian) doesn’t prevent potential creditors from accessing your files, and these dubious services allow the credit bureaus to keep selling your credit history to lenders (or identity thieves) as they see fit.

As I wrote in a Sept. 11 Q&A about the Equifax breach, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to divert people away from freezes. Their motives for saddling consumers with even more confusing terminology are suspect, and I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Experian’s freeze Web site has performed little better since Sept. 7. Several readers pinged KrebsOnSecurity via email and Twitter to complain that while Experian’s freeze site repeatedly returned error messages stating that the freeze did not go through, these readers’ credit cards were nonetheless charged $15 freeze fees multiple times.

If the above facts are not enough to make your blood boil, consider that Equifax and other bureaus have been lobbying lawmakers in Congress to pass legislation that would dramatically limit the ability of consumers to sue credit bureaus for sloppy security, and cap damages in related class action lawsuits to $500,000.

If ever there was an industry that deserved obsolescence or at least more regulation, it is the credit bureaus. If either of those outcomes are to become reality, it is going to take much more attentive and relentless coverage on the part of the world’s top news publications. That’s because there’s a lot at stake here for an industry that lobbies heavily (and successfully) against any new laws that may restrict their businesses.

Here’s hoping the media can get up to speed quickly on this vitally important topic, and help lead the debate over legal and regulatory changes that are sorely needed.

September 20, 2017: Miami-Dade Resident Sentenced to More Than 4 Years in Prison for Managing a Miami Spa Performing Illicit Silicone Injections

Investor Bulletin: Financial Professionals’ Use of Professional Honors – Awards, Rankings, and Designations

https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_professionalhonors

The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to educate individual investors about the professional awards, rankings, and designations that financial professionals often use to market themselves to prospective clients.

Premium SMS Malware ‘ExpensiveWall’ Infects Millions of Android Devices

Google has ejected 50 apps from its Google Play store that were harboring mobile malware dubbed ExpensiveWall. The malware, which was downloaded between 1 million to 4.2 million times, sends fraudulent premium SMS messages for fake fee-based services without the knowledge or permission of users, according to Check Point security researchers.

Researchers said the malware was bundled most prominently in an Android wallpaper app called Lovely Wallpaper.

“ExpensiveWall is a new variant of malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times,” wrote Check Point researchers Elena Root, Andrey Polkovnichenko and Bohdan Melnykov in a technical description posted Thursday.

This latest strain sets itself apart from previous versions of the malware by being packed: the malicious code is compressed and encrypted inside the app and only unpacked at run time, in order to evade the static checks used to detect it.

Google was notified of the malware-tainted apps on Aug. 7 and removed them. However, the malware reemerged on Google Play days later on a new unidentified app, according to researchers. More than 5,000 additional devices were infected before it was removed four days later, Check Point said.

While this latest infiltration impacted an estimated 50 apps, Google Play has been battling rogue apps for the entire year. Four messaging apps in the Google Play store containing spyware called SonicSpy were removed last month. In May, malware called Judy was downloaded 36 million times and found in 40 apps. On at least four separate occasions this year Google has had to give malware the boot from Google Play. That malware included Dvmap, SMSVova, Ztorg and also 132 apps infected with malicious iFrames.

Researchers said it’s unclear how much revenue has been generated via ExpensiveWall’s premium SMS scam.

“It’s important to point out that any infected app installed before it was removed from the App store, still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices,” Check Point said.

Once an app carrying ExpensiveWall is installed, it requests several device permissions, including internet access, which lets it connect to its command-and-control (C&C) server, and SMS permissions, which let it register users for paid services and send premium SMS messages without their knowledge, researchers said. The firm suggests the apps may also have slipped past Google Play's security measures because the permissions required for the scam are not unusual and are used for legitimate purposes by many apps.

“ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI,” researchers wrote.

When a user turned on their Android smartphone or switched connectivity preferences, the malware connected to its C&C server and received a URL. The URL “opens in an embedded WebView. This page contains a malicious JavaScript code that can invoke in-app functions using JavascriptInterface, like subscribing them to premium services and sending SMS messages,” they said.

Researchers are warning developers that ExpensiveWall was most likely spread into different apps through a third-party software development kit (SDK) called “GTK” that app developers bundled into otherwise unrelated apps.
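The mechanism the researchers describe, native methods exposed to page JavaScript through `addJavascriptInterface` and then driven by a page fetched from a C&C server, is the same bridge pattern legitimate apps use. As an added example (not Check Point's or the malware's code), here is how such a bridge should be built when it is needed: every exposed method is annotated explicitly, nothing privileged such as SMS is reachable from web content, navigation is locked to the app's bundled pages, and the bridge refuses calls once the page is anything but that bundled content. The asset path, bridge name and version string are assumptions.

```java
// Added example (not Check Point's or the malware's code): a WebView bridge
// built so that JavaScript fetched from a remote server can never drive the
// app. Asset path, bridge object name and the returned version are assumed.
import android.graphics.Bitmap;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class SafeWebBridge {

    /** Only content shipped inside the APK may talk to native code. */
    private static final String TRUSTED_PREFIX = "file:///android_asset/";

    /** Last URL the WebView started loading; written on the UI thread, read
     *  from the WebView's JavaScript bridge thread, hence volatile. */
    private volatile String currentUrl = "";

    /** Decision logic kept separate so it can be unit-tested without a WebView. */
    static boolean isTrustedPageUrl(String url) {
        return url != null && url.startsWith(TRUSTED_PREFIX);
    }

    // Since API 17 only @JavascriptInterface methods are reachable from JS; keep
    // the surface to what the page needs. There is deliberately no sendSms or
    // subscribe method: SMS must never be reachable from web content at all.
    @JavascriptInterface
    public String getAppVersion() {
        // Bridge methods run on a background thread, so the page URL is read
        // from the tracked field rather than from the WebView itself.
        if (!isTrustedPageUrl(currentUrl)) {
            return ""; // the page navigated away from bundled content: refuse
        }
        return "1.0"; // assumed version string
    }

    /** Wire the bridge and lock navigation to bundled content. */
    public static void attach(WebView webView) {
        final SafeWebBridge bridge = new SafeWebBridge();
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(bridge, "AppBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageStarted(WebView view, String url, Bitmap favicon) {
                bridge.currentUrl = url;
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation: a link or script that
                // tries to leave the bundled pages simply does not load.
                return !isTrustedPageUrl(request.getUrl().toString());
            }
        });
        // The app itself only ever loads bundled pages; a URL received from a
        // server is never passed to loadUrl() on a WebView that has a bridge.
        webView.loadUrl(TRUSTED_PREFIX + "index.html"); // assumed asset
    }
}
```

The two checks are complementary: `shouldOverrideUrlLoading` stops in-page navigation to remote content, and the bridge's own URL check catches anything that still slips through, such as a redirect inside an iframe, so a single missed case does not hand native methods to attacker-supplied script.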

September 8, 2017: Galena Biopharma Inc. to Pay More than $7.55 Million to Resolve Alleged False Claims Related to Opioid Drug

Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.


Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.

In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.

In a non-public alert sent this week to sources at multiple banks, Visa said the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.

“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.

The card giant said the data elements stolen included the card account number, expiration date and the cardholder's name. That is enough for fraudsters to conduct card-not-present fraud at online merchants.

It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.

Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.

“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”

Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.

In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.

In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source web framework called Apache Struts (CVE-2017-5638).

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company wrote. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a "zero-day" vulnerability in Apache Struts. Zero-days are software or hardware flaws that attackers find and learn to exploit, for commercial or personal gain, before the vendor knows about them or has shipped a fix.

By March 8, Apache had released new versions of the software that fixed the vulnerability. But by that time exploit code that would let anyone take advantage of the flaw was already published online, making it a race between companies needing to patch their Web servers and attackers trying to exploit the hole before it was closed.
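In that race, the one thing a defender can do immediately, before a patch is rolled out, is watch for exploitation attempts. CVE-2017-5638 is triggered by an OGNL expression placed in a request header that the Struts Jakarta multipart parser echoes into an error message (Content-Type in the original S2-045 advisory; the follow-up S2-046 advisory for the same CVE added Content-Disposition and Content-Length). The following Python scanner is an added example, not code from KrebsOnSecurity, Equifax or the Apache project: it parses raw HTTP requests, percent-decodes the watched headers once so encoded `%{` survives, and flags headers carrying OGNL markers. The four sample requests are constructed for the example; the hostnames and paths are placeholders.

```python
"""Flag HTTP requests whose headers carry OGNL expressions of the kind used
against Apache Struts (CVE-2017-5638).  Added example; the sample requests
below are constructed, not captured from any real system."""
import re
from urllib.parse import unquote

# Headers the Jakarta multipart parser copied into an error message that was
# then evaluated as OGNL: Content-Type (S2-045), plus Content-Disposition and
# Content-Length (S2-046, same CVE).
WATCHED_HEADERS = {"content-type", "content-disposition", "content-length"}

# OGNL delimiters and identifiers seen in public exploit payloads; none of
# them belongs in a legitimate value of the headers above.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext|"
    r"ProcessBuilder|getRuntime\(\)\.exec",
    re.IGNORECASE,
)


def parse_headers(raw_request: str) -> dict:
    """Return {lowercase name: value} for the header block of a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def suspicious_headers(raw_request: str) -> list:
    """Names of watched headers whose raw or percent-decoded value carries an
    OGNL marker.  Decoding once defeats the %25%7B evasion of naive matching."""
    hits = []
    for name, value in parse_headers(raw_request).items():
        if name not in WATCHED_HEADERS:
            continue
        if OGNL_MARKERS.search(value) or OGNL_MARKERS.search(unquote(value)):
            hits.append(name)
    return hits


def scan(requests) -> list:
    """Return [(index, [header names]), ...] for every flagged request."""
    flagged = []
    for i, req in enumerate(requests):
        hits = suspicious_headers(req)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample traffic (hostname and paths are placeholders).
SAMPLE_REQUESTS = [
    # 0. Benign multipart upload: must not be flagged.
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    # 1. Shape of the public S2-045 probe: OGNL in Content-Type.
    "POST /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n\r\n",
    # 2. Same delimiter percent-encoded to slip past plain string matching.
    "POST /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %25%7B(#_='multipart/form-data')%7D\r\n\r\n",
    # 3. OGNL-looking text in a header Struts never evaluated: not flagged.
    "GET /search.action?q=%7Bfoo%7D HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: scanner/${version}\r\n\r\n",
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_REQUESTS):
        print(f"request {i}: OGNL markers in {', '.join(hits)}")
```

Run it against a reverse-proxy or WAF capture that preserves request headers; ordinary access logs usually do not record Content-Type, which is why a header-level capture is needed to see this attack at all.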

Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.

In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian’s Web properties.

Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company’s Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.

It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.
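Knowing when the hole was closed requires knowing which Struts builds are actually deployed. The S2-045 advisory fixed CVE-2017-5638 in Struts 2.3.32 and 2.5.10.1; older 2.x branches received no fix. The inventory script below is an added example, not Equifax's or Apache's tooling: it walks a webapps tree, finds `struts2-core-*.jar` files by name, and reports each as patched or vulnerable for its branch. The sample tree is constructed with `tempfile`, and the application names in it are placeholders.

```python
"""Inventory struts2-core jars under a directory tree and report any whose
version predates the CVE-2017-5638 fix (Struts 2.3.32 / 2.5.10.1).
Added example; the sample tree is constructed with tempfile, not taken from
any real deployment."""
import os
import re
import tempfile

# Fixed releases named in the S2-045 advisory; anything older on that branch
# is vulnerable.  Branches absent from this table (2.1, 2.2) never got a fix.
FIXED = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this struts2-core version predates the fix for its branch."""
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    fixed = FIXED.get(branch)
    if fixed is None:
        return True  # unsupported or unknown branch: treat as unpatched
    return parsed < fixed  # (2, 5, 10) < (2, 5, 10, 1) is True


def find_struts_jars(root: str):
    """Yield (path, version) for every struts2-core jar below root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                yield os.path.join(dirpath, name), match.group(1)


def report(root: str) -> dict:
    """Return {jar path: 'vulnerable' or 'patched'} for the whole tree."""
    return {
        path: ("vulnerable" if is_vulnerable(version) else "patched")
        for path, version in find_struts_jars(root)
    }


def build_sample_tree() -> str:
    """Constructed sample: three webapps with different struts2-core builds."""
    root = tempfile.mkdtemp(prefix="webapps-")
    for app, jar in [
        ("legacy", "struts2-core-2.3.31.jar"),     # one release short of the fix
        ("portal", "struts2-core-2.5.10.1.jar"),   # fixed
        ("intranet", "struts2-core-2.5.10.jar"),   # the release the fix replaced
    ]:
        libdir = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(libdir)
        open(os.path.join(libdir, jar), "w").close()  # empty stand-in for the jar
    return root


if __name__ == "__main__":
    for path, status in sorted(report(build_sample_tree()).items()):
        print(f"{status:10s} {path}")
```

The check keys on the standard artifact file name, so a Struts copy that was shaded into a fat jar or renamed will not be found; for those, inspect `META-INF/maven/org.apache.struts/struts2-core/pom.properties` inside each archive instead.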


September 12, 2017: Former Paramedic Pleads Guilty to Stealing Pain-killing Drugs, Replacing Vials with Water
