The Shadowbrokers Dump of the month update and UNITEDRAKE

So in the mist and haze of the Equifax hack we seem to have missed the new update from The Shadowbrokers. On Sept. 5th, 2017 they posted an update on steemit.com with changes to their dump of the month club. Starting this month they will only take Zcash and no longer accept Monero, because the memo field on Monero, where you give them your email, isn’t encrypted. They will sell previous, and it appears future, dumps for set prices ranging from 100 ZEC to 16000 ZEC (at the time of this writing that is anywhere from 20,567 USD to 3,290,720 USD).

They will deliver the emails in clear text only, and they recommend using Tutanota or ProtonMail. The dump for September is all exploits. The last change is that there are now 2 dumps a month.

They also released their megafolder, which contains the manual for UNITEDRAKE, a fully extensible remote collection system designed for Windows targets. The interesting thing about this tool is that it is either old and retired or it itself runs on old and insecure systems (Windows Server 2003 and SQL 2008), even though it is able to compromise everything up to Windows 8 and Windows Server 2012. The UNITEDRAKE malware’s modules can capture keystrokes, impersonate the user, listen in on and view your webcam and mic, steal diagnostic info, and self-destruct when finished. Interesting stuff as always from this group. Still looking forward to what comes public next.

How secure is your credit data with consumer credit reporting agencies?

First let’s get all the facts. On Sept 7th, 2017 Equifax launched the site https://www.equifaxsecurity2017.com/ and announced that they had encountered a “cybersecurity incident” that potentially impacts 143,000,000 U.S. consumers. “Criminals” exploited a website application vulnerability to gain access to certain files. Based on an internal investigation, the attack took place from mid-May to June 29th.

The information accessed in this attack was:

  • Names
  • Social Security Numbers
  • Birth dates
  • Addresses
  • Some Drivers license numbers
  • Credit card numbers for approx. 209,000 customers
  • Dispute documents with Personal Identifying Information (PII) for approx. 182,000 customers
  • Limited PII for some UK and Canadian residents

Once Equifax discovered the unauthorized access they closed the vulnerability in their web application. Then they called in a “…leading, independent cybersecurity firm” that has been doing a forensic review to find what data was compromised and how much of that data the “criminals” got. Equifax has also called in law enforcement and is still working with authorities.

Equifax has taken steps to help consumers find out if they are now at risk or could have been impacted by the attack and to sign up for free credit monitoring and identity theft protection with TrustedID Premier through Equifax. The monitoring includes:

  • 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports
  • Copies of Equifax credit reports
  • The ability to lock and unlock Equifax credit reports
  • Identity theft insurance of 1 million dollars
  • Internet scanning for Social Security numbers

Equifax recommends that anyone with additional questions visit their website www.equifaxsecurity2017.com or call their call center at 866-447-7559. The call center is open from 7:00 a.m. to 1:00 a.m. Eastern Time. They are also going to send mail notices to anyone whose dispute documents containing PII or credit card numbers were impacted. They have started to reach out to state and federal regulators and have sent written notices to all state attorneys general that include Equifax contact information for regulator inquiries.

“Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.”

The last statement that Equifax makes about the incident on their site is the quote above; the rest is an “About Equifax” section, Forward-Looking Statements, and contact information for Ines Gutzmer, who is in Corporate Communications.

This points out that they didn’t see enough of a need to protect their company and other people’s PII to pay someone to double check their cybersecurity work. It also raises the question of why it took them so long to notice a breach affecting nearly HALF of all American citizens. We depend heavily on the credit reporting agencies to fully protect our data, since good credit is so vital in today’s society.

It is true that the scope of this pales in comparison to the Yahoo breach of 2014, but the major difference is that the Yahoo breach, while inconvenient, didn’t necessarily give away PII for all 1 billion accounts, or for that matter most accounts.

This attack is going to put nearly 44% of the US population at a higher risk of fraud and identity theft. It could very well lead to ruining people’s lives and livelihoods, since some jobs do credit checks, getting a loan or a mortgage requires a credit check, and sometimes even renting a car can require a credit check. This is the sort of leak that we never want to happen.

Then let’s look at the overall response to the attack. It took nearly five weeks to let consumers know that their PII could have been leaked. The site www.equifaxsecurity2017.com uses a stock WordPress install, which is a problem because to sign up for Equifax’s ID theft protection on that site you must enter nearly all of your Social Security number (everything but the first 3 digits) and your last name. A stock WordPress install doesn’t provide the site security needed for that sort of information. The site wasn’t initially registered to Equifax. Cisco OpenDNS was blocking the site and warning that it was a suspected phishing threat. Meanwhile the main Equifax site, after the disclosure, was displaying debug codes, which for many reasons should never happen on a production server.
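As an added example (not code from the original post, and not anything from Equifax), here is a small Python checker for the last problem mentioned above: verbose debug output and exact version banners reaching the client from a production web server. It scans an HTTP response body and headers for stack traces, framework error pages and version strings, and reports what it finds. The two responses it runs on are constructed for this example; the post does not say what the debug codes on the Equifax site looked like, and the package name, file names and reference ID in the samples are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HttpResponse:
    """Minimal stand-in for a captured HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Finding:
    kind: str       # which signature fired
    evidence: str   # the matching fragment, for the report


# Body patterns that indicate an application is leaking internals to the client.
DEBUG_SIGNATURES = {
    "java_stack_trace": re.compile(r"^\s*at [\w$.]+\([\w.]*:\d+\)", re.MULTILINE),
    "java_exception": re.compile(r"\b(?:[a-z]\w*\.)+\w+(?:Exception|Error)\b"),
    "php_error": re.compile(r"(?:Warning|Notice|Fatal error):\s.*? on line \d+"),
    "python_traceback": re.compile(r"Traceback \(most recent call last\):"),
    "aspnet_error_page": re.compile(r"Server Error in '[^']*' Application"),
    "debug_marker": re.compile(r"\b(?:debug=true|stacktrace|DEBUG)\b", re.IGNORECASE),
}

# Headers that commonly disclose exact product versions.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_PATTERN = re.compile(r"\d+\.\d+")


def scan_response(resp: HttpResponse) -> List[Finding]:
    """Return every debug/version-disclosure signature found in one response."""
    findings: List[Finding] = []

    for kind, pattern in DEBUG_SIGNATURES.items():
        match = pattern.search(resp.body)
        if match:
            findings.append(Finding(kind, match.group(0).strip()))

    # Header names are case-insensitive, so normalise before looking them up.
    lowered = {name.lower(): value for name, value in resp.headers.items()}
    for header in VERSION_HEADERS:
        value = lowered.get(header)
        if value and VERSION_PATTERN.search(value):
            findings.append(Finding("version_disclosure", f"{header}: {value}"))

    return findings


def is_production_safe(resp: HttpResponse) -> bool:
    """True when a response leaks nothing a production server should expose."""
    return not scan_response(resp)


# Constructed sample: a 500 page that dumps a Java stack trace and an exact
# Apache version. The package com.example.web and the file names are hypothetical.
LEAKY_RESPONSE = HttpResponse(
    status=500,
    headers={"Server": "Apache/2.2.15 (Unix)", "Content-Type": "text/html"},
    body=(
        "<html><body><h1>HTTP Status 500 - Internal Server Error</h1>\n"
        "<pre>java.lang.NullPointerException: session is null\n"
        "\tat com.example.web.LoginBean.validate(LoginBean.java:118)\n"
        "\tat javax.faces.component.UICommand.broadcast(UICommand.java:315)\n"
        "</pre></body></html>"
    ),
)

# Constructed sample: the same failure handled properly, with a generic page
# and an opaque reference ID the operator can look up in server-side logs.
CLEAN_RESPONSE = HttpResponse(
    status=500,
    headers={"Server": "Apache", "Content-Type": "text/html"},
    body="<html><body><h1>Something went wrong</h1>"
         "<p>Reference ID: 7f3a9c (made-up value)</p></body></html>",
)


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(f"{label}: production safe = {is_production_safe(resp)}")
        for finding in scan_response(resp):
            print(f"  [{finding.kind}] {finding.evidence}")
```

The point of the clean sample is the pattern a production error page should follow: the user gets a generic message plus an opaque reference ID, and the stack trace stays in server-side logs where the operator can correlate it. Running the checker against responses captured from staging before a release is a cheap way to catch the "debug output on a production server" mistake described above.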

So, with the lackluster start, middle and finish to Equifax’s security, the question comes to mind: what should be done, and what could be done now, to fix these issues not only at Equifax but at the other credit reporting agencies, who, by my best guess, have the same level of cybersecurity Equifax did. I say did in the hope that they take the advice of the cybersecurity firm they hired, which they probably won’t, and have a much higher level of cybersecurity going forward.

Sources:

https://www.equifaxsecurity2017.com/

https://twitter.com/kennwhite/status/905988701670531072

https://whois.domaintools.com/equifaxsecurity2017.com

https://twitter.com/SwiftOnSecurity/status/906005134529966080

https://www.equifax.com/cs7/faces/jspx/login.jspx

Home Routers and Data collection.

Earlier this year Netgear put out a memo that the new firmware for their Nighthawk routers would start collecting analytic data on all network traffic that went through them. This data includes [1]:

  • information regarding the router’s running status,
  • number of devices connected to the router,
  • types of connections,
  • LAN/WAN status,
  • WiFi bands and channels,
  • IP address, MAC address, serial number,
  • similar technical data about the functioning and use of the router and its WiFi network.

Now Netgear is saying that it collects this data only to:

  • isolate and debug general technical issues,
  • improve router features and functionality,
  • improve the performance and usability of NETGEAR routers.

For example, such data may help NETGEAR get any early notification of Internet or WiFi disconnects in a firmware and help identify root causes in order to fix them quickly. [1]

This isn’t too much of a problem if it is true, but for the security cautious I recommend disabling this functionality, because there is no reason for them to have all that data for the issues they say they are looking into. Why would they need the IP address, MAC address or serial number of a connected device?

You can opt out right after installing the new firmware by checking the opt-out option that is shown after the firmware install. If you have already installed the firmware and didn’t opt out, you can still do it now by following the steps below [2].

Launch a web browser from a computer or mobile device that is connected to the network.

  1. Enter http://www.routerlogin.net.
  2. A login window opens.
  3. Enter the router user name and password.
  4. The user name is admin. The default password is password. The user name and password are case-sensitive.
  5. The BASIC Home page displays.
  6. Select ADVANCED > Administration > Router Update.
  7. The Router Update page displays.
  8. Scroll down to the Router Analytics Data Collection section.
  9. To enable router analytics data collections, select the Enable radio button.
  10. To disable router analytics data collections, select the Disable radio button.
  11. To view the type of data that might be collected, click the router analytics data link.
  12. Click the Apply button.
    Your settings are saved.

The other router company we are going to look at is ASUS and their router firmware, asuswrt. It has a really neat function for prioritizing devices in your house using QoS to make sure that streaming devices have network priority. This is nice for making sure that all of your video and TV content comes through smoothly, but there is a huge catch. The firmware collects and transmits data about websites you visit to Trend Micro if you use any of the features listed below that are part of ASUSWRT [3]:

  • Apps/traffic Analysis
  • Bandwidth Monitor
  • Network Analyzer
  • Network Protection (AiProtection), blocks known malware domains
  • Parental Controls, including time scheduling
  • Quality-of-Service
  • Web History

When you use any of the above functions you will be presented with an EULA from Trend Micro to read and agree to. At the end of the EULA you find the “Privacy” section. Below are some snippets of that EULA [3]:

“[…] certain information (“Forwarded Data”) to be sent to Trend Micro-owned or -controlled servers for security scanning and other purposes as described in this paragraph. This Forwarded Data may include information on potential security risks as well as URLs of websites visited that the Software deem potentially fraudulent and/or executable files or content that are identified as potential malware. Forwarded Data may also include email messages identified as spam or malware that contains personally identifiable information or other sensitive data stored in files on Your router. […]”

[…] “Trend Micro reserves the title, ownership and all rights and interests to any intellectual property or work product resulting from its use and analysis of Forwarded Data.”

The EULA also holds the device’s owner responsible for notifying anyone else using the router that their network data may be recorded and shared with Trend Micro.

So, given the two facts above, I would recommend NOT even buying an ASUS router, and if you already have one I recommend that you very quickly flash the firmware over to DD-WRT if your model is compatible; you can check compatibility here: https://www.dd-wrt.com/wiki/index.php/Supported_Devices. If it is not compatible, I recommend you go buy something else if you can.

Sources:

  1. https://kb.netgear.com/000038663/What-router-analytics-data-is-collected-and-how-is-the-data-being-used-by-NETGEAR
  2. https://kb.netgear.com/000038661/How-do-I-Enable-Disable-Router-Analytics-Data-Collection
  3. https://ctrl.blog/entry/review-asuswrt

TheShadowBrokers Data Dump of the Month club

Welcome to the TheShadowBrokers Data Dump of the Month

On May 15th TheShadowBrokers group announced in a blog post that they were going to introduce a hack of the month club, which they compared to a wine of the month club: they will sell you a membership and you will get an unknown number and unknown type of exploits. It could be anything from web browser, router, and handset exploits and tools to compromised network data from North Korean nuke and missile programs.

On May 29th the group tweeted out a PGP-signed message that tells you how to subscribe, how to pay, and their price. They will be using ZEC (Zcash) for the transaction, which is a new and supposedly more secure version of Bitcoin, though they even admit they don’t necessarily trust it. The instructions are:

#1 – Between 06/01/2017 and 06/30/2017 send 100 ZEC (Zcash) to this z_address: zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnG mUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq

#2 – Include a “delivery email address” in the “encrypted memo field” when sending Zcash payment

#3 – If #1 and #2 then a confirmation email will be sent to the “delivery email address” provided

#4 – Between 07/01/2017 and 07/17/2017 a “mass email” will be sent to the “delivery email address” of all “confirmed subscribers” (#1, #2, #3)

#5 – The “mass email” will contain a link and a password for the June 2017 dump

At the time of writing, the ZEC to USD rate is approximately US $235.71 per ZEC on CoinGecko.com, so joining the club will cost approximately US $23,571 for something where you don’t know what you are getting. This will obviously limit who gets first access to the tools, since the average person doesn’t have that sort of money lying around, and even TheShadowBrokers admit this. They say in the PGP message that it’s for high rollers, hackers, security companies, OEMs, and governments.

So what’s in it? Who knows, but it will be interesting for sure when “thepeople” see what they have to lay bare to the world for such a steep price.

Sources:

  1. https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
  2. https://twitter.com/shadowbrokerss/status/869436313057075200
  3. https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-june-2017
  4. https://www.coingecko.com/en/price_charts/zcash/usd
  5. https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-june-2017