CyberheistNews Vol 4, # 38 Home Depot Target Breaches Exploited Old WinXP

Stu Sjouwerman's New Security Newsletter

Editor's Corner


Home Depot And Target Breaches Exploited Old WinXP Flaw - OUCH.

The massive security breaches and theft of credit card data at The Home Depot and Target have something in common: both were made possible by a vulnerability in Windows XP Embedded that was more than ten years old!

The XP Embedded build used in their POS systems (yes, both definitions of POS apply) was Windows XPe SP3, which is not even the last of the XP-based embedded OSes. This whole disaster could have been avoided had Target and Home Depot upgraded to Windows 7 for Embedded Systems. OUCH. Internal IT security people knew about this and told their friends and relatives to pay cash at Home Depot.

Malware written specifically for embedded XP systems reared its ugly head in the middle of the last decade. It uses a technique called "RAM scraping": card data sits unencrypted in the POS application's memory between the swipe and the moment it is encrypted for transmission, and the scraper reads that process memory and searches it for magnetic-stripe track data. WinXP has relatively weak memory access protection; Win 7's memory protection is much better. One caveat a practitioner should keep in mind: a scraper running with administrative rights can read another process's memory on any version of Windows, so the OS upgrade narrows the attack surface but does not by itself take the plaintext card data out of memory. Encrypting at the card reader (point-to-point encryption) does.

This means that once malicious code is inside the XP box, it can pretty much do what it wants. RAM scraping is how hackers stole credit card data from TJ Maxx stores, Office Max, Barnes & Noble, Sports Authority and several more.
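To make the technique concrete, here is an added example (mine, not code from the newsletter or from any of the malware it describes) of the scan a RAM scraper, and equally a memory-scanning detector, runs over a process's memory: it looks for magnetic-stripe Track 2 records by their sentinels and layout, then uses the Luhn check to discard digit runs that are not real card numbers. The memory buffer is constructed for the example and contains only a published test card number; the function names, the masking and the returned fields are my choices.

```python
import re
from typing import Dict, List

# Constructed stand-in for a dump of a POS application's process memory.
# The PAN is the well-known Visa test number 4111111111111111 and everything
# else is filler; nothing here was captured from a real system.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00\x00receipt#0042\x00"
    b";4111111111111111=25121011234567890?"   # Track 2 data sitting in the clear
    b"\x00\x00total=19.99\x00"
    b";1234567812345678=25121011234567890?"   # looks like Track 2 but fails Luhn
    b"\x00\xff\xff"
)

# Track 2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check. Real PANs pass it, which is how a scraper (or a detector)
    discards the many digit runs in memory that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display truncation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_track2(buf: bytes) -> List[Dict[str, object]]:
    """Scan a memory buffer for Luhn-valid Track 2 records.

    Returns one record per hit with the PAN already masked, so the full PAN
    is never retained; that makes the same scan usable as a detection check.
    """
    hits: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan": mask_pan(pan),
            "expiry": "20" + m.group(2).decode() + "-" + m.group(3).decode(),
            "service_code": m.group(4).decode(),
            "offset": m.start(),   # where in the buffer the record was found
        })
    return hits


if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print(hit)
```

Run against a real process (for instance a dump taken with a debugger of the POS process) the same scan is what a memory-scanning detector does; a hit means card data is in the clear in that process, whichever version of Windows it runs on.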

Moral of the story? Despite brutal economies, increased worldwide competition, and shareholders who only look at short-term quarterly numbers, skimping on IT security budgets is a Really Bad Idea. And oh, application whitelisting on those XP-based POS machines would also have prevented this type of attack, since the scraper is an executable the POS was never meant to run. Incredible, no? More technical detail at the dailytech site:

And as expected, cyber thieves are now raiding bank accounts via stolen Home Depot data; there is a spike in PIN debit card fraud. That it is still possible to use customer service or an automated system to change someone else's PIN with nothing more than the cardholder's Social Security number, birthday and the expiration date of the stolen card is "remarkable", to say the least. Brian Krebs explains how this is done:

Scam Of The Week: iPhone Six Purchase Receipt

Scammers are using the recent iPhone Six release for several phishing scams. Emails claiming to be purchase receipts from the iTunes Store list orders supposedly made and charged to the recipient's Apple account or Mastercard. The email tells users that if the order is erroneous they should report a problem: click the link and supply information to rectify the issue. That link is the phish.

KnowBe4 has added a template with a similar simulated phishing attack so that current customers can send it to end-users and inoculate them.

Citadel Banking Trojan Recycles As Spy Tool

Security researchers discovered a variant of the Citadel malware which has been repurposed to spy on and steal data from petrochemical companies in the Middle East. The Citadel malware was originally designed to steal online banking credentials through man-in-the-browser attacks: web injects that alter the banking page inside the victim's own browser, after TLS has already been stripped. Most enterprise security does not do enough to protect against this type of attack. You need end-to-end encryption by default, your policies need to be restrictive and of course your authentication needs to be very strong. Keep in mind that transport encryption alone does not stop a man-in-the-browser, which sees the page in the clear; verifying the transaction over a second channel is the usual answer. Hat Tip to SANS Editor Murray.

Quotes of the Week

"Great things are done by a series of small things brought together." - Vincent Van Gogh

"My attitude is that if you push me towards something that you think is a weakness, then I will turn that perceived weakness into a strength." - Michael Jordan

Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here.

Warm Regards, Stu Sjouwerman | Email me:

New KnowBe4 Whitepaper: A Short History of Ransomware

Read the short and brutal history of how vicious ransomware came into existence. 2014 was the year that ransomware went mainstream... but how did we wind up here?

Learn about: Hacking Generations, first ransomware in 1989 (!), Bitcoin 101, and why criminals want to be paid in Bitcoin, CryptoLocker and its copycats, different ransomware types and families, the future of ransomware, and how to best mitigate against it. Download here:


Regular Facebook Users Are More Likely To Fall For Phishing Scams

TechCrunch was the first to report some very interesting findings: "Researchers at SUNY Buffalo have found that habitual Facebook users — those who are on the site more frequently than their peers — were more susceptible to phishing scams. How did they figure this out? By asking them about their habits and then surreptitiously creating a fake friend who then asked them for private information, including their student ID number and date of birth.

As per the researchers:

Arun Vishwanath (Associate Professor of Communication, University at Buffalo – State University of New York) subjected 150 college students to real phishing attacks on Facebook. At the beginning of the semester students were asked to participate in an online survey on general technology use, buried among these questions were measures for their Facebook usage habits. Six weeks after the survey, the participants were located on Facebook and each student was sent a friend-request from a phony Facebook account. Two weeks later, an information-request was sent to them from that profile. This communication asked for the participants’ student ID number, e-mail username, and date of birth.

It turns out the more you used the service the more likely you were to give up your information. While we could argue that the information provided was innocuous, it’s a very interesting correlation. As we begin to trust these services with more and more information, the researchers posit, we become less careful about what we send to whom." Article:


Vishing Module Takes a Bite Out of Automated Attacks

The Dark Reading site wrote about the new KnowBe4 Vishing Module, which allows you to send simulated social engineering attacks to your users by phone. They wrote:

"Individual employees may be targeted for seemingly innocuous information in a vishing scam and are caught unaware, providing key credentials or a way in to steal corporate data. KnowBe4 trains users on these new scenarios and how to recognize and avoid such social engineering attempts. The module plugs into the new KnowBe4 V3.5 cloud-based Admin Console for quick and easy deployment."

Good to send to higher-ups and/or colleagues. Link here:


New Online Black Market Trades in Drugs, Credentials & Health Data

Remember the Silk Road takedown? It was an online black marketplace selling all kinds of illegal goods for Bitcoin. The Feds shut it down, but new criminal entrepreneurs stepped in and built thriving sites accessible only via the Tor network.

The biggest of these is called "Evolution", and this site deals not only in all kinds of drugs but also in stolen financial account credentials and medical records. The records appear to have been exfiltrated from a Texas life insurance company. Very interesting story about state-of-the-art, fifth-generation criminal e-commerce at WIRED Mag:


Cyber Insurance Coverage Will Be A Basic Insurance Policy By 2020

By 2020, private firms will be buying cybersecurity insurance when they sign up for product liability coverage and other basic policies, a top White House cyber official said Monday.


Within six years, "We're going to be well on our way to everyone having cyber insurance as just a basic set of insurance, just like property insurance," said Ari Schwartz, director for cybersecurity on the White House National Security Council, during a Sept. 8 panel discussion at the Nextgov Prime conference.

Some businesses are clamoring for coverage, but cannot obtain the type of policies they need. A Bipartisan Policy Center report on power grid cybersecurity published in February recommended the government initially guarantee coverage.

"A federal backstop would increase carriers' willingness to offer cyber insurance and lower the cost of doing so", said the co-authors, who included retired Gen. Michael Hayden, former CIA and National Security Agency director.

Schwartz, however, said the marketplace is "really growing quite a bit" today without government intervention. However, the demand for such services still outstrips the supply. More at the NextGov site:


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

MIT lets its robotic cheetah off the leash. This is fun, high-tech, scary and hard to understand because of the researcher's accent. But the robot cheetah is running on its own!:

Amazing things happen when store employees have nothing to do at night at the Cora Supermarket in Rennes, France:

This Russian girl decided to do something about littering. She straps a GoPro camera to her helmet and sets out to teach the litterbugs in her city a lesson. A great way to get run over by irate motorists:

Ants form a 'daisy chain' to haul dinner back to their home. Never seen that before!:

Caught on camera by a remote-controlled submarine, the Siphonophore isn’t actually a single being, but a colony of highly integrated tiny organisms:

Just really like this Eurovision song: Pamela Falcon & Isaac Roosevelt - Lost in a mad world:

Mat Franco - the last magician standing - performs the most amazing mind-blowing magic trick at America’s Got Talent 2014 Finale:

Jetpack helps soldiers run faster. The (assisted) 4-minute mile is now possible ...I want one!
