CyberheistNews Vol 4, # 39 Home Depot Hack Turns Into Criminal Negligence Scandal


Editor's Corner


Home Depot Hack Turns Into Criminal Negligence Scandal

Wait for the class-action lawsuits to get unleashed. The lawyers are going to be all over this one like white on rice. Ex-employees from Home Depot's IT group now claim that the retailer's management had been warned for years that its point-of-sale systems were open to attack and did nothing about those warnings. Several members of the Home Depot IT security team quit their jobs in protest.

It gets worse. In 2012, Home Depot management hired Ricky Joe Mitchell as their senior IT security architect, apparently without doing due diligence or a background check. Turns out that Mitchell had been fired from a company called EnerVest Operating, where, in an act of revenge, he sabotaged the company's network and kept it down for 30 days.

It gets even worse. Mitchell was kept on the job at Home Depot even after his indictment a year later, and remained in charge of Home Depot security until he finally pled guilty to federal charges in January 2014.

Wait, we're not done yet. Things are worse than that. The same ex-employees claim that Home Depot relied on antivirus that was not being updated with new definitions: a version of Symantec AV purchased in 2007.

And here is the next epic fail. As we all know, to be PCI compliant you need quarterly vulnerability scans: external scans performed by a PCI-approved scanning vendor (ASV), plus internal scans. At Home Depot, vulnerability scans were only done irregularly, and most of the time only on a relatively small number of stores. A few IT security ex-employees said that their team was blocked from doing security audits on machines that handled customer data.

And finally, to add insult to injury and in total disregard for best practices, Home Depot didn't run any kind of behavioral network monitoring. Nobody was baselining what normal traffic looked like, so nobody could notice a breach in progress, for instance a store system suddenly sending unusual files out of the network.
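To make that concrete, here is an added example of the kind of check a behavioral monitor performs; it is not from the newsletter and not anything Home Depot ran. It baselines each host's daily outbound volume to the Internet over a few training days, then flags a host whose egress jumps by a large factor, or which talks to an external address it never contacted during the baseline period. The flow records, hosts and addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed for the demonstration; the 5x factor and 1 MB floor are assumed starting points you would tune to your own traffic.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow records: timestamp,src,dst,dst_port,bytes_out.  10.41.7.12
# and .13 stand in for two store POS hosts that normally push ~100 KB/day to a
# payment processor (198.51.100.10).  On 2014-09-04 host .12 sends ~84 MB to an
# address nobody has seen before (203.0.113.50) at three in the morning.
FLOWS = """\
2014-09-01T10:02:11,10.41.7.12,198.51.100.10,443,102400
2014-09-01T10:05:40,10.41.7.13,198.51.100.10,443,98304
2014-09-01T11:00:00,10.41.7.12,10.41.0.5,445,52428800
2014-09-02T10:01:09,10.41.7.12,198.51.100.10,443,110592
2014-09-02T10:04:31,10.41.7.13,198.51.100.10,443,94208
2014-09-03T10:03:27,10.41.7.12,198.51.100.10,443,98304
2014-09-03T10:06:12,10.41.7.13,198.51.100.10,443,106496
2014-09-04T03:12:44,10.41.7.12,203.0.113.50,443,41943040
2014-09-04T03:19:03,10.41.7.12,203.0.113.50,443,46137344
2014-09-04T10:02:55,10.41.7.12,198.51.100.10,443,100352
2014-09-04T10:04:17,10.41.7.13,198.51.100.10,443,99328
"""
TRAIN_DAYS = ["2014-09-01", "2014-09-02", "2014-09-03"]
DETECT_DAY = "2014-09-04"

# Your own address space; anything outside it is "the Internet".  Deliberately
# not using ipaddress.is_private: Python counts the documentation ranges used
# above as private, and a real deployment wants an explicit list anyway.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (day, src, dst, port, bytes) tuples from CSV flow text."""
    for ts, src, dst, port, nbytes in csv.reader(io.StringIO(text)):
        yield ts[:10], src, dst, int(port), int(nbytes)


def detect(flow_text: str, train_days, detect_day, factor=5.0, min_bytes=1_000_000):
    rows = list(parse_flows(flow_text))
    egress = defaultdict(lambda: defaultdict(int))  # host -> day -> external bytes
    known_dst = defaultdict(set)                    # host -> external peers in training
    for day, src, dst, _port, nbytes in rows:
        if not is_external(dst):
            continue                                # internal traffic is not egress
        egress[src][day] += nbytes
        if day in train_days:
            known_dst[src].add(dst)

    alerts = []
    # 1. Volume: today's egress against the median of the training days (median,
    #    so one noisy day does not inflate the baseline).  min_bytes keeps hosts
    #    with a near-zero baseline from alerting on a few kilobytes.
    for host, per_day in egress.items():
        baseline = statistics.median([per_day.get(d, 0) for d in train_days])
        today = per_day.get(detect_day, 0)
        if today > max(factor * baseline, min_bytes):
            alerts.append({"host": host, "kind": "volume",
                           "detail": f"{today} B today vs median {baseline:.0f} B"})
    # 2. Destination: an external peer this host never contacted during training.
    reported = set()
    for day, src, dst, port, _nbytes in rows:
        if (day == detect_day and is_external(dst)
                and dst not in known_dst[src] and (src, dst) not in reported):
            reported.add((src, dst))
            alerts.append({"host": src, "kind": "new_destination",
                           "detail": f"first contact with {dst}:{port}"})
    return alerts


if __name__ == "__main__":
    for a in detect(FLOWS, TRAIN_DAYS, DETECT_DAY):
        print(a["host"], a["kind"], a["detail"])
```

Run on the sample, it raises two alerts, both for 10.41.7.12: the volume spike (88 MB against a 100 KB median) and the first-ever contact with 203.0.113.50. The second POS host, whose traffic is unchanged, stays quiet. Real flow data needs the same two questions asked per host, plus a time-of-day dimension; the 3 a.m. timestamps here would be a third signal.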

Now their PR team tried to paper over all this criminal negligence and claims that the company maintains "robust security systems", and that the malware was custom made and hard to detect. Yeah, right. I see another CEO being fired in the near future...

Looking at this type of negligent behavior, Home Depot must not have done much security awareness training for their employees either. It is not yet known how the hackers got in, but an insufficiently protected website that allowed SQL injection, or a spear-phishing attack, are the most likely attack vectors.

Don't let this happen to you and as part of your defense-in-depth, step your users through effective Kevin Mitnick security awareness training. Find out how affordable this is for your organization. Click on the link to get a quote:

$1.66M in Limbo After FBI Seizes Funds from Cyberheist

Actual cyberheists are still happening. Large amounts of money get transferred out of organizations' bank accounts and sent abroad as fast as possible. The legal hassle and lost time related to these heists are immense. Over 90% of these attacks start with a spear-phishing attack, and that is why I keep warning you about it. Here is another example, explained by Brian Krebs.

"A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation.

"In late June 2012, unknown hackers broke into the computer systems of Luna & Luna, LLP, a real estate escrow firm based in Garland, Texas. Unbeknownst to Luna, hackers had stolen the username and password that the company used to manage its account at Texas Brand Bank (TBB), a financial institution also based in Garland.

"Between June 21, 2012 and July 2, 2012, fraudsters stole approximately $1.75 million in three separate wire transfers. Two of those transfers went to an account at the Industrial and Commercial Bank of China. That account was tied to the Jixi City Tianfeng Trade Limited Company in China. The third wire, in the amount of $89,651, was sent to a company in the United States, and was recovered by the bank. More:

SCAM of the WEEK: Compromised eBay Accounts

Digital miscreants have moved to eBay in a big way. Warn your users never to give out bank account details on eBay. Always use a credit card (not a debit card) or pay with PayPal! Far too many people use a debit card online without understanding the risk: a fraudulent debit charge comes straight out of their bank balance and is much harder to get back than a disputed credit card charge.

Here is how the scam works. First, phishing emails are sent and keyloggers are planted on the initial victim's PC so that the bad guys can capture their eBay credentials.

Next, the victim's legitimate eBay account, 100% positive feedback and all, gets hijacked and a fake listing is placed under it. The real owner is locked out of their own account and later billed by eBay for seller's fees on items they never sold.

When buyers click on one of these malicious listings for things like smartphones, televisions and clothing, they are taken to a convincing look-alike site that asks them to log in and enter their bank account details. Once those are divulged, the account is emptied.

The lesson still is: Think Before You Click!

Quotes of the Week

"Why fit in when you were born to stand out?" - Dr. Seuss, Writer

"Happy is the man who finds a true friend, and far happier is he who finds that true friend in his wife." - Franz Schubert, Composer


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me:

Your Money or Your Files!

New KnowBe4 Whitepaper: A Short History of Ransomware

Read the short and brutal history of how vicious ransomware came into existence. 2014 was the year that ransomware went mainstream... but how did we wind up here?

Learn about: hacking generations, the first ransomware in 1989 (!), Bitcoin 101 and why criminals want to be paid in Bitcoin, CryptoLocker and its copycats, the different ransomware types and families, the future of ransomware, and how best to mitigate it. Download here:


New Android Ransomware Strain Locks The Device Twice

Researchers in Russia discovered a new Android ransomware strain that does not lock the device just once but twice. It spreads through a social engineering trick, disguising itself as a system update, and as soon as the user installs the app it asks for device administrator rights. Once installed, it reports the successful infection to a remote server.

The "extra" feature is a second lock, which kicks in if the user tries to remove the initial infection. The lock command can be sent through the command & control server and also via text message. First, the device is put into stand-by (screen lock) mode, then a fake warning appears that all files will be erased.

The moment the user responds to this fake warning, the ransomware brings up the lock screen again and enables the setting that requires a password to leave stand-by mode.

Even if that password feature was never used before, the locker sets its own password: "12345". The infected phone or tablet then stays locked until the criminals get their ransom. The lock can be removed with the attackers' set_unlock command, or by the user resetting the device to factory defaults.

Hat tip to the Dr.Web blog, which named this version Android.Locker.38.origin.


Whitelisting: Why And How It Works

Bad guys continually tweak malware, making it tough for traditional antivirus products to keep up. Whitelisting can help, by allowing only pre-approved applications.

The rising popularity of whitelisting boils down to simple math. When the number of malware samples was small, it made sense to compile signatures of known viruses to detect and block infections. With the huge increase in the volume of viruses and other attack tools, keeping those signatures up to date is no longer feasible.

That is where whitelisting comes in. Instead of enumerating all the bad stuff you want to keep out, you build a much shorter list of applications and processes that are authorized to run, and everything else is denied by default.

"Traditional antivirus is based on blacklisting which helps to block known malware," said Simone Spencer, endpoint product expert, McAfee. "Whitelisting limits use with a 'deny by default' approach so that only approved files or applications can be installed. Dynamic application whitelisting strengthens security defenses and helps to prevent malicious software and other unapproved programs from running."

25% of Enterprises Already Deploy Some Form

Gartner surveys show that 25 percent of enterprises are already deploying some form of application control. And another 50 percent are seriously considering it. That's why the analyst firm predicts that whitelisting will enter the mainstream by 2017. Within three years, Gartner believes more than half of tablets, smartphones, desktops, laptops and servers will only be allowed to run pre-approved applications, with everything else denied access.

Whitelisting and Ransomware

"Whitelisting is more necessary than ever because viruses and other malware are morphing," said Rob Cheng, CEO of PC Pitstop. "This means that one virus looks like hundreds or thousands of different viruses to traditional AV products."

The attack vector has shifted recently, with individual users and entire companies being hit by ransomware: infections that encrypt all their data and lock them out unless they pay. Recent ransomware attacks like CryptoLocker and CryptoWall could have been prevented by application whitelisting, since the dropped executable would not be on the approved list. The caveat is that the policy also has to cover scripts and the interpreters that run them, or the malware simply rides on an approved program. Continue reading at eSecurity Planet, where I am quoted:
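The following is an added example, not the newsletter's own code nor any vendor's product, showing the deny-by-default logic described above and why it would have stopped the dropped executable in a CryptoLocker-style infection: a tiny execution policy with SHA-256 hash rules and a trusted-directory rule, evaluated against a set of constructed scenarios. The file contents, paths and the names POS_APP_V1 and CRYPTO_DROPPER are made up for the demonstration. It also shows the edge a hash-only policy has over a path rule: a repacked variant of the malware is still denied, while anything written into a trusted directory slips past a path rule.

```python
import hashlib
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


class Allowlist:
    """Deny-by-default execution policy: a file runs only if a rule approves it."""

    def __init__(self, approved_hashes, trusted_dirs=()):
        self.hashes = {h.lower() for h in approved_hashes}
        # Normalise once and keep the trailing slash so "/opt/posX" cannot
        # match a rule written for "/opt/pos".
        self.trusted_dirs = [posixpath.normpath(d) + "/" for d in trusted_dirs]

    def evaluate(self, path: str, content: bytes) -> Verdict:
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.hashes:
            return Verdict(True, "hash rule " + digest[:12])
        # normpath collapses "..", so "/opt/pos/../../tmp/x" is judged as "/tmp/x".
        norm = posixpath.normpath(path)
        for d in self.trusted_dirs:
            if norm.startswith(d):
                return Verdict(True, "path rule " + d)
        return Verdict(False, "no matching rule (deny by default)")


# Constructed stand-ins for executables; a real policy hashes the real binaries.
POS_APP_V1 = b"POS terminal build 1.0 (approved by change control)"
CRYPTO_DROPPER = b"MZ... encrypts every file it can reach, demands bitcoin"

HASH_ONLY_POLICY = Allowlist([hashlib.sha256(POS_APP_V1).hexdigest()])
HASH_AND_PATH_POLICY = Allowlist(
    [hashlib.sha256(POS_APP_V1).hexdigest()], trusted_dirs=["/opt/pos"]
)


def mutate(content: bytes) -> bytes:
    """Flip the last byte: a repacked malware variant, or a tampered binary."""
    return content[:-1] + bytes([content[-1] ^ 0xFF])


def demo(policy: Allowlist) -> dict:
    """Evaluate a set of scenarios and return {name: allowed?}."""
    scenarios = {
        # approved build in its normal location
        "pos_app": ("/opt/pos/pos_terminal", POS_APP_V1),
        # same bytes renamed and copied elsewhere: the hash rule still matches
        "pos_app_renamed": ("/tmp/.cache/p", POS_APP_V1),
        # approved build with one byte changed (backdoored): hash no longer matches
        "pos_app_tampered": ("/tmp/.cache/p", mutate(POS_APP_V1)),
        # the ransomware dropper a cashier was phished into downloading
        "dropper": ("/home/cashier/Downloads/invoice.exe", CRYPTO_DROPPER),
        # the same dropper repacked: a signature AV needs a new signature, an
        # allowlist never had to know about the sample in the first place
        "dropper_repacked": ("/home/cashier/Downloads/invoice2.exe", mutate(CRYPTO_DROPPER)),
        # path traversal aimed at the trusted-directory rule
        "dropper_traversal": ("/opt/pos/../../home/cashier/invoice.exe", CRYPTO_DROPPER),
        # dropper written INTO the trusted directory: the weak spot of path rules
        "dropper_in_trusted_dir": ("/opt/pos/update.bin", CRYPTO_DROPPER),
    }
    return {name: policy.evaluate(path, data).allowed
            for name, (path, data) in scenarios.items()}


if __name__ == "__main__":
    for label, policy in (("hash only", HASH_ONLY_POLICY), ("hash + path", HASH_AND_PATH_POLICY)):
        print(label)
        for name, allowed in demo(policy).items():
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {name}")
```

Under the hash-only policy, every scenario except the two copies of the approved build is denied, including the repacked dropper and the traversal attempt. Adding a trusted-directory rule buys convenience (updates land in /opt/pos without re-hashing) at the price of the last scenario: whoever can write into that directory can run anything from it, which is why production tools prefer hash or publisher-signature rules and lock down write access to any directory they trust by path.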


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE: "Sparked" A Live Interaction Between Humans and Quadcopters brought to you by Cirque du Soleil:

KLM Royal Dutch Airlines recently hired Sherlock the beagle to help hunt down passengers and reunite them with possessions they left behind on planes. Actually a fantastic idea:

5-Minute Virtual Vacation: Time lapse of Belarus - a fascinating country with a rich cultural heritage, extraordinary landscapes, and lots of hackers:

The population of the Internet, in one map. Fascinating:

How Bitcoin is like the Internet in the nineteen eighties:

How much do you know about the world? Hans Rosling demonstrates that you have a high statistical chance of being quite wrong about what you think you know:

How a thin spray coating can make things nearly unbreakable. From the National Geographic TV show 'Showdown of the Unbeatables':

An Alfa Romeo 4C is pitted against a Gibbs Quadski on and around Lake Como in Italy, famous for its narrow winding roads and stunning views:

Electric Cars Have Lots Of Torque. I know from experience, I just picked up my Tesla Model S. Woo Hoo :-)))) But use that torque wisely, kids!:

Flying a 1938 classic open-air flight training glider - high above the green pastures of Southern Germany. Sweet!:

What it was like to fly on the Concorde from New York to London in 3 hours and 15 minutes at twice the speed of sound in 2003. The "good old times":

I wish that when I was in school they had cool robots to teach math like this!
