Kerbs on Security

Equifax or Equiphish?

1 hour 5 minutes ago
More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.
BrianKrebs

Experian Site Can Give Anyone Your Credit Freeze PIN

2 days 22 hours ago
An alert reader recently pointed my attention to a free online service offered big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.
BrianKrebs

Equifax Breach: Setting the Record Straight

3 days 10 hours ago
Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.
BrianKrebs

Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

1 week 2 days ago
Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers were first able to steal credit card numbers from Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time -- when hackers accessed the company's systems in mid-May 2017.
BrianKrebs

Adobe, Microsoft Plug Critical Security Holes

1 week 3 days ago
Adobe and Microsoft both on Tuesday released patches to plug critical security vulnerabilities in their products. Microsoft's patch bundles fix close to 80 separate security problems in various versions of its Windows operating system and related software, including two vulnerabilities that already are being exploited in active attacks. Adobe's new version of its Flash Player software fixes two flaws that malware or attackers could use to seize remote control over vulnerable computers with no help from users.
BrianKrebs

Ayuda! (Help!) Equifax Has My Data!

1 week 4 days ago
Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information […]
BrianKrebs

The Equifax Breach: What You Should Know

1 week 5 days ago
It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you -- the consumer -- are ultimately responsible for protecting your financial future, this is it. Here's what you need to know and what you should do in response to this unprecedented breach.
BrianKrebs

Equifax Breach Response Turns Dumpster Fire

2 weeks 1 day ago
I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans.
BrianKrebs

Breach at Equifax May Impact 143M Americans

2 weeks 2 days ago
Equifax, one of the "big-three" U.S. credit bureaus, said today that a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver's license numbers.
BrianKrebs

Who Is Marcus Hutchins?

2 weeks 5 days ago
In early August 2017, FBI agents in Las Vegas arrested 23-year-old U.K. resident Marcus Hutchins on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. Hutchins was virtually unknown to most in the security community until May 2017, when a British newspaper revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. Relatively few knew it before his arrest, but Hutchins for many years authored the popular cybersecurity blog MalwareTech. When this fact became more widely known — combined with his hero status for halting Wannacry — a great many MalwareTech readers quickly leapt to his defense to denounce his arrest. They reasoned that the government was overstepping on flimsy evidence, noting that Hutchins has worked tirelessly to expose cybercriminals and their malicious tools. To date, some 226 supporters have donated more than $14,000 to his defense fund. At first, I did not believe the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge. In this post, I will attempt to describe and illustrate more than three weeks’ worth of connecting the dots from what appear to be Hutchins’ earliest hacker forum accounts to his real-life identity. The clues suggest that Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.
BrianKrebs

Twitter Bots Use Likes, RTs for Intimidation

3 weeks 3 days ago
I awoke this morning to find my account on Twitter (@briankrebs) had attracted almost 12,000 new followers overnight. Then I noticed I’d gained almost as many followers as the number of re-tweets (RTs) earned for a tweet I published on Tuesday. The tweet stated how every time I tweet something related to Russian President Vladimir Putin I […]
BrianKrebs

Beware of Hurricane Harvey Relief Scams

3 weeks 4 days ago
U.S. federal agencies are warning citizens anxious to donate money for those victimized by Hurricane Harvey to be especially wary of scam artists. In years past we've seen shameless fraudsters stand up fake charities and other bogus relief efforts in a bid to capitalize on public concern over an ongoing disaster. Here are some tips to help ensure sure your aid dollars go directly to those most in need.
BrianKrebs

Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet

3 weeks 5 days ago
A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle 'WireX,' an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more challenging to defend against and thus require broader industry cooperation to defeat.
BrianKrebs

Is Your Mobile Carrier Your Weakest Link?

3 weeks 6 days ago
More online services than ever now offer two-step authentication -- requiring customers to complete a login using their phone or other mobile device after supplying a username and password. But with so many services relying on your mobile for that second factor, there has never been more riding on the security of your mobile account. Below are some tips to ensure your mobile device (or, more specifically, your mobile carrier) isn't the weakest link in your security chain.
BrianKrebs

Why It’s Still A Bad Idea to Post or Trash Your Airline Boarding Pass

4 weeks 2 days ago
An October 2015 piece published here about the potential dangers of tossing out or posting online your airline boarding pass remains one of the most-read stories on this site. One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your security or even cause trip disruptions down the road.
BrianKrebs

Dumping Data from Deep-Insert Skimmers

1 month ago
I recently heard from a police detective who was seeking help identifying some strange devices found on two Romanian men caught maxing out stolen credit cards at local retailers. Further inspection revealed the devices to be semi-flexible data transfer wands that thieves can use to extract stolen ATM card data from "deep-insert skimmers," wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.
BrianKrebs

Carbon Emissions: Oversharing Bug Puts Security Vendor Back in Spotlight

1 month ago
Last week, security firm DirectDefense came under fire for over-hyping claims that Cb Response, a cybersecurity product sold by competitor Carbon Black, was leaking proprietary from customers who use it. Carbon Black responded that the bug identified by its competitor was a feature, and that customers were amply cautioned in advance about the potential privacy risks of using the feature. Now Carbon Black is warning that an internal review has revealed a wholly separate bug in Cb Response that could in fact result in certain customers unintentionally sharing sensitive files.
BrianKrebs

Blowing the Whistle on Bad Attribution

1 month ago
The New York Times this week published a fascinating story about a young programmer in Ukraine who'd turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It's a good read, as long as you can ignore that the premise of the piece is completely wrong.
BrianKrebs

Beware of Security by Press Release

1 month 1 week ago
On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it "Security by press release." It goes a bit like this: A security firm releases a report claiming to have unearthed a major flaw in a competitor's product; members of the trade press uncritically republish the claims without adding much clarity or waiting for responses from the affected vendor; blindsided vendor responds in a blog post showing how the issue is considerably less dire than originally claimed. At issue are claims made by Denver-based security company DirectDefense, which published a report this week warning that Cb Response -- a suite of security tools sold by competitor Carbon Black (formerly Bit9) -- was leaking potentially sensitive and proprietary data from customers who use its product.
BrianKrebs

Alleged vDOS Operators Arrested, Charged

1 month 2 weeks ago
Two young Israeli men alleged by this author to have co-founded vDOS -- until recently the largest and most profitable cyber attack-for-hire service online -- were arrested and formally indicted this week in Israel on conspiracy and hacking charges.
BrianKrebs
Checked
39 minutes 28 seconds ago
In-depth security news and investigation
Subscribe to Kerbs on Security feed