
Expense Manager Services

Getting a handle on Unmanaged Spend through Expense Manager Services


security

04.25.20 Credit Cards

Security News This Week: Zoom Upgrades Encryption Keys to What It Promised All Along

It was another week of social distancing or quarantine for most of the world, but Google published findings that it has seen 12 government-backed hacking groups undeterred by the pandemic and, in fact, trying to take advantage of those conditions for intelligence-gathering. Another report found that China, for one, has been busy during the pandemic hacking Uighurs’ iPhones in a recent months-long campaign.

We broke down how Apple and Google are using aggregate smartphone location data to visualize social distancing trends. And in an exclusive interview with WIRED, Federal Bureau of Investigation director Christopher Wray warned that domestic terrorism is a growing threat in the United States.

On top of all the other digital threats, researchers emphasized this week that so-called "zero-click" hacks that don't require any interaction from users to initiate may be more prevalent and varied than most people realize. Such attacks are difficult to detect with current tools.

And there's more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

Under Pressure, Zoom Launches Round of Security Upgrades

On Wednesday, the video conferencing service Zoom announced a number of small but needed security improvements. As Zoom usage has increased during the pandemic, so has scrutiny on the service's security and privacy offerings. This week's announcement of incremental improvements is part of a 90-day plan the company announced to overhaul its practices. One change is that Zoom will now offer AES 256 encryption on all meetings, meaning data will be encrypted with a 256-bit key. Zoom previously used AES 128, a reasonable option, but a controversial one in Zoom's case, because the company claimed in documentation and marketing materials that it used AES 256 all along.

More Than 267 Million Facebook Profiles Available on the Dark Web for Just $600

Facebook data from more than 267 million profiles is being sold on criminal dark web forums for £500, or about $618. The information doesn't include passwords, but does include details like users' full names, phone numbers, and Facebook IDs. Though such information can't be used to break into the accounts directly, it can fuel digital scams like phishing. Most of the trove seems to be the same as data found by researcher Bob Diachenko in an exposed cloud repository last month. Even after that bucket was taken down, though, a copy of the information plus an additional 42 million records popped up in a different repository.

Rash of Nintendo Account Breaches Rages On

A growing number of Nintendo users over the past few weeks have watched fraudsters take control of their accounts, and in many cases use saved credit cards or linked PayPal accounts to buy Nintendo games or currency for the popular game Fortnite. At the beginning of April, Nintendo encouraged users to turn on two-factor authentication to protect their accounts, but it had been unclear how hackers were breaking in. On Friday, the company confirmed that hackers had gained unauthorized access to accounts and announced it was discontinuing users' ability to log into their Nintendo Accounts using Nintendo Network IDs, from older Wii U and 3DS systems. Nintendo also says it will contact affected users about resetting passwords. On its US customer support page, the company writes, "While we continue to investigate, we would like to reassure users that there is currently no evidence pointing toward a breach of Nintendo’s databases, servers or services."


Read more: https://www.wired.com/story/security-news-roundup-zoom-upgrades-encryption-keys/

07.12.19 Credit Cards

Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains and Counting

You may not recognize the name Magecart, but you’ve seen its impact. A set of sophisticated hacking groups, Magecart has been behind some of the bigger hacks of the past few years, from British Airways to Ticketmaster, all with the singular goal of stealing credit card numbers. Think of them as the ATM skimmers of the web. And thanks to poor security hygiene, they’ve managed to hit 17,000 domains in the past few months alone.

A new report from threat detection firm RiskIQ details how Magecart hackers have found a way to scan Amazon S3 buckets—cloud repositories that hold data and other backend necessities for sites and companies—for any that are misconfigured to allow anyone with an Amazon Web Services account to not just read their contents but write to them, implementing whatever changes they want. Like, say, inserting code that steals credit card numbers from ecommerce sites.

The Hack

RiskIQ has tracked the activity as far back as early April; it first noticed the technique after seeing several internet supply chain companies get compromised in May. Rather than the typical targeted attacks that Magecart groups had deployed in the past, though, these turned out to be part of a new “spray and pray” technique. The Magecart hackers were casting the widest possible net, altering the code of countless sites that had no ecommerce function at all, in hopes of catching enough sites that do process credit cards to make its efforts worthwhile.

“It’s still ongoing as we’re talking right now,” says RiskIQ threat researcher Yonathan Klijnsma. “All these guys are doing is just en masse trying to find S3 buckets that have been misconfigured. And their skimmers are getting everywhere.”

Specifically, once the hackers find a properly misconfigured S3 bucket, they run a scan to identify any JavaScript files. Because the bucket’s permissions let anyone write code to it, the attackers simply tack their Magecart malware onto the file, then overwrite the script that had been there. Imagine if a bank were to leave incontrovertible instructions to its tellers on a chalkboard. If you also have chalk, and can find a little room, you can cause a lot of trouble.

Who’s Affected?

It’s a more complicated question than it sounds. The easiest answer is: 17,000 domains and counting, including, RiskIQ says, some that are among the 2,000 biggest sites in the world.

But many of those sites don’t process credit card transactions at all, rendering the Magecart code moot. It's also unclear how many actual S3 buckets are affected, since multiple domains can link back to the same one. So the actual answer, the one that matters, sits in the center of the Venn diagram formed by “domains linked to aggressively misconfigured S3 buckets” and “domains that process credit card payments.” Or more to the point, anyone unfortunate enough to pay for something on one of those sites before the attack is resolved.

Which could take a while. RiskIQ is working with Amazon to alert the affected administrators to their exposure, but wrangling 17,000 domains takes time. As does making the necessary backend adjustments.

How Bad Is This?

The issue of compromised ecommerce sites, however many there actually are, will have obvious ramifications. But the bigger problem stems from the method of attack itself.

Amazon S3 buckets are secure by default. Companies run into trouble when they actively change those permissions, either somewhere in the development process or when they hand off cloud work to a third-party contractor. Those Amazon S3 bucket misconfigurations have caused plenty of problems before. The fallout, though, was usually limited to the exposure of personally identifiable information, huge databases of usernames and passwords and birthdays and Social Security numbers that wind up for sale, or for free, on the dark web and elsewhere. That’s because those goofs typically give read permission to interlopers, but not the ability to write code. The Magecart hackers figured out a way to scan for misconfigurations that do both—and now they know 17,000 vulnerable domains.

“This is a whole new level of misconfiguring,” says Klijnsma. “These buckets are pretty much owned by anybody who talks to it, which is on a different scale, a different type of data leakage. Pretty much anybody can do anything in those S3 buckets, and the reach of those is quite big.”

The Magecart hackers have a singular focus: credit card skimming. But it’s not hard to imagine a group that thinks bigger, or at least with a more anarchical bent. With the same technique, you could append all sorts of malware to the same sites.

Amazon has developed tools to help its cloud customers forestall this type of attack, including an essentially one-click "block public access" option that it rolled out last fall. Tweak that one setting, and this problem goes away. But clearly, demonstrably, thousands of domains still haven’t locked down their infrastructure, with potentially devastating consequences.
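As an added illustration of the check a defender would run for the misconfiguration described above (example code written for this page, not RiskIQ's or Amazon's), the Python below evaluates S3 bucket ACL and Public Access Block documents in the shape boto3's get_bucket_acl and get_public_access_block return, and flags any bucket that grants WRITE to the AllUsers or AuthenticatedUsers group, the "anyone with an AWS account can write" condition the article describes. The bucket names and grants are constructed samples so the script runs offline.

```python
"""Audit S3 bucket ACLs and Public Access Block settings for world-writable
buckets (added example, not RiskIQ's or Amazon's code). The documents below are
constructed to mirror boto3's get_bucket_acl / get_public_access_block output."""

# Grantee URIs meaning "everyone on the internet" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}

# ACL permissions that let a grantee overwrite objects (e.g. a site's JavaScript)
# or rewrite the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (who, permission) pairs granted to a public group in an ACL document."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def assess_bucket(name, acl, public_access_block=None):
    """Classify a bucket as 'ok', 'public-read' or 'public-write'.
    A Public Access Block with all four settings on neutralises public ACL grants;
    that is the one-click "block public access" fix the article mentions."""
    pab = public_access_block or {}
    blocked = all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                        "BlockPublicPolicy", "RestrictPublicBuckets"))
    if blocked:
        return name, "ok", []
    grants = public_grants(acl)
    if any(perm in WRITE_LIKE for _, perm in grants):
        return name, "public-write", grants  # the Magecart-style exposure
    if grants:
        return name, "public-read", grants   # the classic data-leak exposure
    return name, "ok", grants


# Constructed sample buckets: (ACL document, PublicAccessBlock document or None).
SAMPLE_BUCKETS = {
    "cdn-assets-constructed": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
                    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        None),
    "static-site-constructed": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        None),
    "locked-down-constructed": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]},
        {"BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}),
}


def audit(buckets=SAMPLE_BUCKETS):
    """Run assess_bucket over every bucket; returns {name: verdict}."""
    return {name: assess_bucket(name, acl, pab)[1] for name, (acl, pab) in buckets.items()}


if __name__ == "__main__":
    for name, (acl, pab) in SAMPLE_BUCKETS.items():
        _, verdict, grants = assess_bucket(name, acl, pab)
        print(f"{name}: {verdict} {grants}")
```

To run it against real buckets, feed the dictionaries returned by boto3's get_bucket_acl and get_public_access_block into assess_bucket; a "public-write" verdict is the condition to fix first.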

“Nobody seems to have noticed this,” says Klijnsma, “and it’s still going on at such an insane rate.”


Read more: https://www.wired.com/story/magecart-amazon-cloud-hacks/

06.15.19 telecommunications

Radiohead Gets Hacked, a T-Mobile/Sprint Hiccup, and More News

Radiohead owned some hackers, the T-Mobile/Sprint merger runs into some hiccups, and a Swedish mining town is being picked up and moved. Here's the news you need to know, in two minutes or less.


Today's Headlines

Radiohead dropped 18 hours of unreleased music to screw pirates

This week a bootlegger got into an archive full of hours of unreleased Radiohead music and attempted to squeeze the band for a $150,000 ransom. Radiohead—not to be messed with—instead announced the extortion attempt on the internet, and then released all the archived contents to the public. Joke's on you, hacker.

States are suing to block the T-Mobile/Sprint merger

Nine states plus the District of Columbia have filed suit to block the $26.5 billion merger of wireless carriers T-Mobile and Sprint. The court case is further evidence of states wanting stricter oversight of telecommunications giants, and fears of what could happen with only three major wireless communication companies available for consumers. The companies argue the merger would allow them to expand coverage and build a nationwide 5G network more quickly.

Cocktail Conversation

The Swedish mining town of Kiruna, population 20,000, is sinking. It sits atop an iron deposit that miners have dug so many holes into, the city is literally falling into the earth. You would think the answer is easy: stop mining. But the mining operations are too hard, and too valuable, to move. So their state-owned mining operation decided to move the city instead. The town's 21 most important buildings—which includes the home of the city's founder—will be physically transported to a new location, and the move is expected to have a $1 billion price tag.

WIRED Recommends: E3 Deals

One of the most hyped gaming conferences of the year, E3, has struck. With it comes a whole lot of deals on both games and consoles. We put together a list of the best deals you can take advantage of right now so you can get button-mashing ASAP.

More News You Can Use

Your Cadillac can now drive itself to more places.


Read more: https://www.wired.com/story/radiohead-hackers-tmobile-sprint-merger-e3-deals/

05.08.19 telecommunications

The Strange Journey of an NSA Zero-Day Into Multiple Enemies’ Hands

The notion of a so-called zero-day vulnerability in software is supposed to mean, by definition, that it's secret. The term refers to a hackable flaw in code that the software's maker doesn't know about but that a hacker does—in some cases offering that hacker a powerful, stealthy skeleton key into the hearts of millions of computers. But according to new findings from security firm Symantec, one extraordinarily powerful flaw in Microsoft software at one point remained "secret" to Microsoft while at least three active hacker groups knew about it. And both before and after that secret became public in early 2017, it took a long, strange trip through the hands of intelligence agencies around the world, enabling years of espionage and, eventually, mayhem.

On Monday, Symantec revealed that it had traced how a hacker group it calls Buckeye—also known as APT3 or Gothic Panda and widely believed to be a contractor of the Chinese Ministry of Security Services—used NSA hacking tools apparently intercepted from the networks of NSA targets and repurposed those tools to use against other victims, including US allies. Most notably, Symantec says, the Chinese group's hacking had planted an NSA backdoor on the network of its victims using a zero-day vulnerability in Microsoft's Server Message Block (SMB) software, also seemingly learned by studying the NSA's hacking tools.

That newly revealed hijacking of the NSA's intrusion techniques doesn't just dredge up longstanding questions about how and when the NSA should secretly exploit software vulnerabilities to use for spying rather than help software companies to fix them. It also adds another chapter to the strange story of this particular zero-day's journey: Created by the NSA, intercepted by China, later stolen and leaked by another mysterious hacker group known as the Shadow Brokers, and ultimately used by North Korea and Russia in two of the most damaging and costly cyberattacks in history.

"Based on what we know historically, it’s extremely unusual to have a zero-day be utilized like this by multiple groups, some of them unbeknownst to each other, for years," says Eric Chien, a Symantec security analyst. "I can’t think of another case where something like this has ever happened."

With the addition of Symantec's findings, here's what we now know about the timeline of that zero-day's path.

Born at the NSA

The SMB vulnerability—labelled as CVE-2017-0143 and CVE-2017-0144 in two slightly different forms—appears to have first been discovered by the NSA sometime before 2016, though the NSA has never publicly admitted to having used it; it wouldn't be tied to the agency until it leaked in 2017, revealing its integration in NSA tools called EternalBlue, EternalRomance, and EternalSynergy.

The SMB zero-day no doubt represented a kind of precious specimen for the agency's spies: Microsoft's SMB feature allows the sharing of files between PCs. But the agency's researchers found that it could be tricked into confusing harmless data with executable commands that an attacker injected via SMB into a computer's memory. That made it a rare entry point that the NSA's hackers could use to run their own code on practically any Windows machine with no interaction from the target user, and one that offered access to the computer's kernel, the deepest part of its operating system. "It’s exactly the kind of vulnerability someone would want," Chien says. "The target doesn’t have to open a document or visit a website. You have a machine on the internet, and I can get you with it. I immediately have the highest privileges available to me."

Or, as Matthew Hickey, founder of security firm Hacker House, at one point described it, "It’s internet God mode."

Adopted by China

Symantec found that by March 2016, the SMB zero-day had been obtained by the Chinese BuckEye group, which was using it in a broad spying campaign. The BuckEye hackers seemed to have built their own hacking tool from the SMB vulnerability, and just as unexpectedly were using it on victim computers to install the same backdoor tool, called DoublePulsar, that the NSA had installed on its targets' machines. That suggests that the hackers hadn't merely chanced upon the same vulnerability in their research—what the security world calls a bug collision; they seemed to have somehow obtained parts of the NSA's toolkit.

Symantec's researchers say they still don’t know how the BuckEye hackers got the NSA’s hacking secrets. But Symantec's Chien says their theory is that the tools were found in victim networks, reverse-engineered, and repurposed. "It doesn't look like they had the exploit executables,” says Jake Williams, a former NSA hacker and now founder of security firm Rendition Infosec, who reviewed Symantec's findings. "But it's possible they were able to steal them [when they were] being thrown at targets by monitoring network communications."

Symantec says it detected BuckEye’s hackers in five different intrusions, stretching from March 2016 to August 2017, all using the combination of the SMB exploit and the NSA's DoublePulsar backdoor. Those intrusions, all seemingly bent on espionage, hit telecommunications companies as well as research and educational organizations in Hong Kong, the Philippines, Vietnam, Belgium, and Luxembourg.

Leaked and Weaponized

Starting a year after those stealthy intrusions began, however, the NSA's zero-day was hijacked in a far more public fashion. In April 2017, a still-mysterious group calling itself the Shadow Brokers dumped the NSA's EternalBlue, EternalRomance, EternalSynergy, and DoublePulsar tools into public view, part of a series of leaks from the group that had started the previous summer with a failed attempt to auction the stolen tools to the highest bidder. It's still entirely unclear how the NSA's crown jewels ended up in the Shadow Brokers' hands, though theories include a rogue NSA insider selling the tools and hackers chancing upon an NSA "staging server," a machine used as a kind of remote outpost from which to launch operations.

Anticipating that leak, Microsoft had pushed out an emergency SMB patch after a warning from the NSA. Nonetheless, over the next two months, the now-public EternalBlue and EternalRomance were integrated into a pair of nation-state cyberattacks that hit vast numbers of still-unpatched computers across the globe, with catastrophic consequences.

First, the North Korean–coded WannaCry worm tore through the internet, combining EternalBlue with a ransomware payload that encrypted hundreds of thousands of computers, from police departments in India and universities in China to the National Health Service in the United Kingdom. The next month, Russian military intelligence hackers combined EternalBlue and EternalRomance with the open source hacking tool Mimikatz to create an even larger digital debacle. That second worm was targeted at Russia's enemies in Ukraine and wiped an estimated 10 percent of the country's computers. But it quickly spread beyond Ukraine's borders, paralyzing companies such as Maersk, a European subsidiary of FedEx, the US pharmaceutical Merck, and many others, costing a record-breaking $10 billion in damage.

Despite the NSA's decision to help Microsoft patch its SMB flaw before those attacks, the agency has already faced plenty of criticism for having kept its zero-day secret for as long as it did. But with Symantec's latest revelations, the knowledge of yet another hacker campaign that had somehow obtained that zero-day and was using it for global spying will no doubt spark those criticisms again. It may lead to a reexamination of the White House's so-called Vulnerabilities Equities Process, a system of determining which flaws that US agencies discover should be patched and which ones should be used for operations. "No matter how you play it, the fact that someone else besides the Shadow Brokers had these exploits is extremely concerning and raises serious questions about our vulnerability equities process," Williams says.

But others counter that the reuse of hacking tools by adversaries should be part of the expected cost of using them in the first place. And as Symantec's BuckEye research shows, that cost may be entirely hidden: The reuse of a zero-day by an adversary can remain as secret as its initial use for years afterward—more than three years, in this case.

"When you utilize a vulnerability, it has a chance to be discovered," Chien says. “That can happen, and we saw it happen here. But we didn’t know it had happened for quite some time.”


Read more: https://www.wired.com/story/nsa-zero-day-symantec-buckeye-china/
