Your help is needed in a massive law enforcement effort to take down the Gameover Zeus (GOZ) and Cryptolocker botnets. The Department of Justice (DoJ) has announced a massive international legal and technical assault against these two infrastructures. To give you an idea of the scope of this action, here is an official list of the other cooperating agencies:
The Australian Federal Police; the National Police of the Netherlands National High Tech Crime Unit; European Cybercrime Centre (EC3); Germany’s Bundeskriminalamt; France’s Police Judiciare; Italy’s Polizia Postale e delle Comunicazioni; Japan’s National Police Agency; Luxembourg’s Police Grand Ducale; New Zealand Police; the Royal Canadian Mounted Police; Ukraine’s Ministry of Internal Affairs – Division for Combating Cyber Crime; and the United Kingdom’s National Crime Agency participated in the operation. The Defense Criminal Investigative Service of the U.S. Department of Defense also participated in the investigation.
You can read all about what they have done here. Here’s an excerpt:
Here is what we did: first, on May 7, in coordination with the FBI, Ukrainian authorities seized and copied key Gameover Zeus command servers in Kiev and Donetsk.
. . .
At the same time, our foreign law enforcement partners seized critical computer servers used to operate Cryptolocker, which resulted in Cryptolocker being unable to encrypt victim files.
. . .
Beginning in the early morning hours on Friday and continuing through the weekend, the FBI and foreign law enforcement then began the coordinated seizure of computer servers around the world that had been the backbone of Gameover Zeus and Cryptolocker. These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom.
. . .
I am pleased to report that our actions have caused a major disruption of the Gameover Zeus botnet. Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week.
A huge blow, to be sure, but that’s not the whole story. Hundreds of thousands of computers are still infected and it’s possible that the bad guys could re-establish communications by setting up new servers. Keep in mind, these guys are geniuses, albeit acting evilly at the moment, so don’t assume they are down for the count.
“But I’m just a single person,” you say. “How can I possibly contribute to such a massive effort?”
Simple, follow the advice of Sophos:
The next stage – the part of the operation that is the duty of all of us – is to dismantle the rest of the botnet, by progressively disinfecting all the zombie-infected computers that made the Gameover and Cryptolocker “business empires” possible in the first place.
US-CERT has come up with a whole list of free tools so you can do just that, and (if you are the go-to person for IT problems amongst your friends and family) so that you can help others, too.
I’m delighted to say that the Sophos Virus Removal Tool is amongst the recommended cleanup utilties.
Scan every computer you touch that you suspect might have malware of some kind. Let’s break this thing completely.
Because of the abrupt announcement at truecrypt.sourceforge.net, no one is completely sure yet whether or not the venerable staple of file and disk encryption is really finished for good. Here’s the notice posted there:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
You should download TrueCrypt only if you are migrating data encrypted by TrueCrypt.
The site then goes on to explain how to migrate from TrueCrypt to BitLocker under Windows and an encrypted disk under Mac OS and linux.
Whatever is going on here, it’s going to make users very wary about ever trusting the software again. It’s probably time for all of us to find another way to do encryption on our files and hard drives.
I posted 5 days ago (5/22/14) about the eBay security breach. I STILL haven’t received an email from them about it. This is absolutely unacceptable.
Apparently, some people have gotten emails, like Graham Cluley
“Yesterday, at 5:32pm UK time, I received an email from eBay, telling me that I should consider changing my password because they had suffered a security breach.”
C’mon, eBay, get your stuff together.
I do a lot of business on eBay and now I’m wondering If I can trust them.
If hackers can’t boot your PC, it makes the task of stealing your files that much more difficult. Using a pre-boot password is a highly effective security precaution.
In the latest issue of Windows Secrets newsletter, one of my favorite gurus, Fred Langa, explains:
Most current PCs have some kind of BIOS/UEFI-password option built in. There can be multiple types of passwords, and they typically appear immediately after a system powers on and before the operating system loads.
. . .
Some passwords lock down the entire system; without the proper password, the system won’t boot at all — either from the internal hard drive or from any bootable media! Other passwords help to protect the hard drive from unauthorized access. And still other passwords let you set an administrator/supervisor password to prevent unauthorized changes to the BIOS/UEFI settings.
. . .
Using one or more of these low-level passwords can help lock your system down tight, making it extremely secure against any unauthorized access.
Very good advice, Fred. Thank you!
If you have an account on eBay, be sure to change your password now. eBay has confirmed that they suffered a breach that revealed non-financial user data. From the ebay inc blog:
eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
. . .
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
Other takes on the breach:
Graham Cluley’s blog.
Brian Krebs’ Krebs on Security blog.
eBay said they would be sending out emails to customers, but I, for one, have not received anything from them yet.
Another piece of advice for you: If you haven’t done so, consider setting up the PayPal Security Key on both eBay and PayPal. You can use your mobile phone for free, or buy the special credit-card size device for $29.95. Either of these methods adds additional two-factor security on both sites.
I have been disaffected with Adobe for a long time. Though they have excellent programs like Photoshop and now Creative Cloud suite, Their security has been dismal and Acrobat Reader is probably the worst piece of bloatware to ever hit a computer. I got rid of Shockwave Player last year because of obvious security issues and because it’s really not needed much of anywhere. I refuse to use Adobe Reader anywhere, opting for Foxit Reader instead (which I have used since version 1).
This author has long advised computer users who have Adobe‘s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.
So, I’m once again recommending that if you have any version of Shockwave on any of your systems, or your users have it, get rid of it now. Adobe says they’re going to bring it up to date. Whatever. Just get rid of it.
We all have our preferred security habits (at least, I hope so!) Some of them are for our own comfort and some of them are actually highly effective. In my next few posts, I am going to discuss the ones I consider are most effective. I plan to outline the pros and cons of full drive encryption, pre-boot passwords, HDD/SSD passwords, protecting mobile devices, public Wi-Fi, social media and a few other things that will make your and your clients’ computing much more secure.
Passwords are always a hot topic and I will introduce a couple of controversial concepts regarding those as well. Hackers know all the tricks and the password crackers of today are nothing like those of a couple of years ago. Your favorite password creation algorithm just might be completely insecure these days.
The focus is going to be on simplicity rather than further complexity. Secure computing should not be a chore (although it can easily become a burden); rather, it should be simple enough to become habit. My goal is to make it as easy as possible.
While Bitly’s first description of the breach was rather vague, they have updated their blog with considerably more details:
On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.
Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.
Going on, they say they discovered unauthorized access to an employee’s account on their offsite database backup storage. They go into specific action details on the blog and also posted a two item FAQ:
Were passwords exposed?
Hashed passwords were exposed but plain text passwords were not. All passwords are salted and hashed. If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.
Were any of my Bitlinks affected or changed?
No. The production database was never compromised nor was there any unauthorized access to our production network or environment. The data was from an offsite static backup. There was no risk of any data, including redirects, being changed.
Bottom line: it could have been much worse, but you should take the steps listed in my previous post.
Got this email late last Friday:
Dear Ken Harthun,
We have reason to believe that your Bitly account credentials have been compromised; however, we have no indication at this time that your account has been accessed without permission.
Just to be safe, we have proactively disconnected any connections you might have had to publish on Facebook and Twitter from your Bitly account. You can safely reconnect these accounts at your next login.
Although you may see your Facebook and Twitter accounts connected to your Bitly account, it is not possible to publish to these accounts until you reconnect your Facebook and Twitter profiles.
To ensure the security of your account, please take the following steps:
1) Go to Your Settings Profile tab and reset your password.
2) Go to Your Settings Connected Accounts tab to disconnect and reconnect any Twitter or Facebook accounts. If you have any connected applications, disconnect and reconnect through the third-party application.
3) Go to Your Settings Advanced tab to reset your API key. If you are a developer using your API key, copy the new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
We have taken measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward.
We apologize for any inconvenience and we will continue to update our Twitter feed, @Bitly, as we have any further updates.
The Bitly Team
This is something I have never advised anyone to do, but I’m doing it now: change all of your passwords. There have been so many breaches recently that I don’t trust any of my passwords to still be secure. I doubt that I’m even a serious target, but I’m not taking any chances. You shouldn’t take chances either.
I’m talking about things that matter, like banking and credit card sites and online bill payment sites – anything that may contain your credit card, bank info, or other payment information. Change PayPal, too, unless you are using two-factor authentication; even with 2FA, it’s not a bad idea to change the password.
With the recent Heartbleed, IE, Flash, and Apple vulnerabilities, it’s not safe to trust your information on any sites to an insecure password. When you change them, make sure they are at least 12 characters and don’t include any recognizable dictionary words. I’ve given you many ways to create a memorable secure password, so just search “password harthun” and you can find those.