![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Let's talk more about credit card theft!
Feb. 9th, 2014 01:15 amSome interesting stuff. First up, Target. They were hit by a piece of malware called BlackPOS, in this post Brian Krebs interviews two computer security experts who fought BlackPOS at another unnamed retailer. The story is quite interesting, it's amazingly sophisticated software. For example, the software is equipped with anti-forensic modules. They watched it infect a laptop in their lab, realize that there was no card swipe machine connected to it, then erase itself. In doing so, it deployed the anti-forensic modules and left no trace of itself behind for analysis.
http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retailer
Next, still Target. It would appear that one attack vector was through their HVAC contractor (heating/ventilation/air conditioning). Understandably, they want their HVAC people to be able to remote in to their infrastructure to make adjustments, do updates, etc., to save money and energy. Unfortunately either they were given far too much permission on the network or the attackers were able to escalate privileges to improve their access. Privilege escalation is a common thing to try: if you're able to get the network access of a peon and escalate the privileges to that of the CEO or head network admin, then you get to have all sorts of fun.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
And finally, taxes. In 2012, the US Internal Revenue Service issued $4,000,000,000 in fraudulent refunds to thieves who did some basic identity theft and filed fraudulent returns in people's names, had the returns sent to different addresses, then disappeared. The solution? File your returns ASAP and get them in before the bad guys do. The thieves need full information to file these fraudulent returns, and probably also need to do some electronic forgery to transmit the supporting documents. And this is the exact level of information stolen by the Experian subsidiary by those Vietnamese hackers who were paying via electronic funds transfers from China.
http://krebsonsecurity.com/2014/02/file-your-taxes-before-the-fraudsters-do/
You can't win, and you can't quit the game. The best solution is to pay cash whenever possible, failing that, pay with a credit card as they offer you the best electronic theft protection.
http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retailer
Next, still Target. It would appear that one attack vector was through their HVAC contractor (heating/ventilation/air conditioning). Understandably, they want their HVAC people to be able to remote in to their infrastructure to make adjustments, do updates, etc., to save money and energy. Unfortunately either they were given far too much permission on the network or the attackers were able to escalate privileges to improve their access. Privilege escalation is a common thing to try: if you're able to get the network access of a peon and escalate the privileges to that of the CEO or head network admin, then you get to have all sorts of fun.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
And finally, taxes. In 2012, the US Internal Revenue Service issued $4,000,000,000 in fraudulent refunds to thieves who did some basic identity theft and filed fraudulent returns in people's names, had the returns sent to different addresses, then disappeared. The solution? File your returns ASAP and get them in before the bad guys do. The thieves need full information to file these fraudulent returns, and probably also need to do some electronic forgery to transmit the supporting documents. And this is the exact level of information stolen by the Experian subsidiary by those Vietnamese hackers who were paying via electronic funds transfers from China.
http://krebsonsecurity.com/2014/02/file-your-taxes-before-the-fraudsters-do/
You can't win, and you can't quit the game. The best solution is to pay cash whenever possible, failing that, pay with a credit card as they offer you the best electronic theft protection.
