‘Backoff’ Retail Malware Threat Even Worse than Expected

Just a few weeks ago the Department of Homeland Security issued a warning to retailers about Backoff, the point-of-sale malware responsible for the massive payment card security breach at Target during last year’s holiday season. The initial report indicated up to 600 retailers were affected, but on August 22nd the DHS issued another advisory that stated the scale is much larger. The Secret Service estimated over 1,000 businesses of all sizes have been victimized by variants of Backoff.

Backoff Basics

The days of the simple mechanical cash register are long gone for all but the smallest retailers. The registers most retailers use are actually Windows computers running point-of-sale (POS) software. They are networked and connected to the Internet so they can verify payment cards and checks. Like any computer, they are vulnerable to attack by malicious software and hackers.

The Backoff malware takes advantage of a vulnerability in the process used to read and validate payment cards. The customer’s information is stored in unencrypted format on a magnetic strip on the back of the card. When a customer swipes their card at checkout, the card reader transmits the data to the computer. The POS software will then encrypt the information and send it to the payment card processing company for verification.

Backoff can read the POS computer’s physical memory and record the payment card data before it is encrypted. It uses its own encryption on the data and sends it to servers the hackers can access. The hackers either sell the data to other criminals through black market channels or use it to make purchases themselves.

Moving Payment Cards Forward

There is little consumers can do to protect themselves at the moment except pay with cash or checks. These payment methods are more costly for retailers to handle and come with their own complications.

The only solution is to move away from magnetic strip cards and toward other methods of payment. Companies are experimenting with digital wallets and other smartphone-based payment systems, but they have yet to see widespread acceptance.

The system that’s most like the payment cards consumers are already familiar with is the Europay-Mastercard-Visa system, or EMV. It uses the same plastic cards, except the payment data is encrypted and stored on a microchip. The credit card industry has set a deadline for retailers to move to EMV cards by the end of 2015, but the equipment required is expensive. A retailer could pay up to $1,000 per register, leading many to drag their feet due to the cost.

The cost of a security breach is much higher. Target estimated costs associated with the breach had reached $148 million in the second quarter of 2014. The cost of the damage to the company’s reputation, brand and corporate image is harder to calculate. Unless more retailers want to follow in Target’s footsteps, they must leave magnetic payment cards behind.

Follow every major phase of the Target retail security breach along with my insights. Download my RETAIL SECTOR PDF for all the major retail security stories in 2013 and 2014.

Is Your E-ZPass Spying on You?

E-ZPass is a type of RFID device called an electronic toll collector (ETC). Instead of waiting in line at the toll booth while the driver ahead of you searches for loose change, you simply drive on through. A wireless transponder activates the ETC, reads the ID number and the transportation department debits your account. ETCs are currently available in 22 states, with more adding them every year. They’re popular and certainly convenient, but are they a threat to the user’s privacy? Most ETCs don’t give the user any indication when they’re being read, and at least one state has admitted to using ETCs for other purposes.

New York E-ZPasses Are Milked for Information

Last year a hardware hacker in New York going by the handle ‘Puking Monkey’ wired up his E-ZPass to trigger a signal light and a mooing toy cow. The E-ZPass draws 8 µA of power while at rest, but 0.3 mA while being read. When the draw increased, the LEDs would light up and the cow would moo. He found multiple sites in and around NYC where the E-ZPass transponder was being read but there were no tolls.

ETCs are placed throughout many major cities

When the media contacted the New York Department of Transportation, a spokesperson claimed the data was used to provide real-time traffic information, estimate travel times and reduce congestion. According to the E-ZPass Interagency Group, which oversees ETCs in 15 states, New York is the only state that has been using the passes outside of collecting tolls. It’s worth noting that some states have their own ETC systems and might also be using them to track motorists without their knowledge.

ETC Users Will Soon Be Able to Rest Easy

Puking Monkey had to open his E-ZPass and do the wiring himself, but most ETC users don’t have the technical know-how to create their own alarm system. In many states, the user doesn’t own the ETC device and must return it if they leave the program.

BVS’ Detect-A-Pass keeps security conscious drivers in the know

But security-conscious ETC users will soon be able to purchase an off-the-shelf solution from BVS. We’re working on a new product that will let them know when their ETC is transmitting, without making alterations to the hardware.

Contact sales@bvsystems.com for more information.

Source:

http://m.authorstream.com/presentation/pukingmonkey-1903125-road-less-surreptitiously-traveled/ (E-ZPass info starts on page 84)

Car Remote Key Fobs Prove Vulnerable to Hackers

Remote door locks are a convenience to the driver, but they could also offer thieves a convenient way to break in. When you press a button on your car’s key fob, it uses radio waves to send a series of codes to a receiver inside the vehicle. If the codes match, the car accepts the input. The problem is criminals could use off-the-shelf equipment to crack the codes and unlock the vehicle.

Silvio Cesare at Black Hat Security Conference

At the Black Hat Security Conference earlier this month Australian security researcher Silvio Cesare showed a video demonstrating the security flaw, unlocking his girlfriend’s car in just a few minutes. The hack disables the alarm and leaves no evidence for police, and the victim’s key fob will still function after a few repeated presses. Most victims would probably assume the battery in the fob is simply going dead.

While he’s only tried the hack on one car, automakers tend to use the same parts and technology across different models, meaning other cars are probably carrying the same vulnerability. While Cesare would not share the specific make and model, the video does show the car and a variant of the vehicle was sold in North America.

Cesare’s method does have some drawbacks that limit its appeal to thieves. Remote key fobs have used rolling codes that change every time the user presses the button since the 1990s, and the process of cracking the active code can take up to two hours. However, cars spend most of their time parked and idle. If the car sits overnight in a driveway or deserted parking lot, a thief would have ample time to break in.

Cesare captured and transmitted the wireless signals with a software-defined radio, a device that can send and receive on a wide range of frequencies. Along with a laptop and an inexpensive amplifier and antenna, the equipment cost approximately $1,000.

Thieves who simply want to take a car or steal something inside will probably opt for simpler and more direct methods like a slim jim or the old smash and grab. In some cases criminals might want to commit a crime using a method that doesn’t leave evidence for the victim to find, such as wiring a car bomb or attaching a GPS tracking device.

Car thieves might already be using similar technology. Last year CNN reported police were stumped by a rash of car thefts caught on tape showing thieves using mysterious black boxes to unlock the vehicles. We’re not sure if these devices use the same technique as Cesare, but as prices fall the equipment he used will become more available to criminals.

Source:

http://www.cnn.com/video/data/2.0/video/us/2013/06/21/newday-pkg-lah-high-tech-car-theft.cnn.html

5 Security Tips To Stay Safe From Russian Hackers

On August 5th the New York Times announced the largest known theft of online login credentials. A group of Russian cyber criminals has amassed stolen usernames and passwords from over 1.2 billion accounts and 524 million email addresses. The data was uncovered in an 18-month investigation by a Milwaukee-based company called Hold Security. According to their report, the criminals got the information from over 420,000 sites of all sizes, many of which remain vulnerable.

Here are five things you can do to help ensure your information stays safe in the future.

1. Don’t use the same login information on multiple sites.

So far it appears the hackers have only used the stolen credentials to send spam on social media sites, but people often use the same usernames and passwords on other sites. According to the Internet security firm Symantec, the average user has 26 password-protected accounts but only five passwords. If you use the same login credentials on your bank’s web site or at online retailers that store credit card information, it’s like leaving the front door of your house wide open.

2. Protect your email password.

Email is so commonplace that we almost forget about it. But criminals can use your email account to wreak all sorts of havoc. If you’ve ever received an email from your bank or clicked a “forgot password” link on another site and forgotten to delete the message, anyone with access to your email account will know you have an account on that site. Criminals can also glean personal information from your email account and use it to commit identity theft. Treat your email password as you would any high-security account.

3. Practice a secure password policy.

Choose passwords that are difficult to crack. Do not use passwords based on personal information such as a child or pet’s name, your birthday or the school you attended. In today’s online world of social media, this information may not be as private as you might think. Choose a password that is at least 12 characters long and has a mix of numbers, symbols and uppercase and lowercase letters.

Symantec also found that 38% of users would rather clean a toilet than make a new password, but secure passwords don’t have to be difficult to create and remember. Acronyms of phrases make excellent passwords that stay with you.

4. Change your passwords often.

Many of us are guilty of not changing our passwords often enough. Remember, there are many security breaches that go unnoticed or unreported. Make it a practice to update all your passwords at least every six months.

5. Be wary of follow-up scams.

Hackers often use compromised email and social media accounts to commit phishing scams, since people are more likely to open an email attachment or click a link in a message sent from a trusted source. Never open a link or email attachment you weren’t expecting, even if it supposedly came from someone you know.

Homeland Security Warns of Retail Malware Threat

As banks and financial institutions have become harder to break into, cyber criminals have increasingly turned to targeting retail operations. According to an advisory issued last week by the DHS, the malware family known as Backoff has been identified in three forensic investigations of large-scale Point-of-Sale (POS) data breaches.

The malware reads credit and debit card information from the infected computer’s memory, before it can be encrypted for verification. Backoff attaches itself to an essential Windows executable file and is very difficult to detect. The report indicated it is almost undetectable by current virus definitions.

While the antivirus software companies work on a solution, here are a few things you can do to keep Backoff away from your business.

Disable or remove remote desktop applications

Backoff targets computers running programs like Apple Remote Desktop, Chrome Remote Desktop and Splashtop 2. If your IT staff needs to use these programs for troubleshooting or updates, have them disable or remove the programs when they are finished. Leaving them installed and active lays out the red carpet for data thieves.

Monitor outside connections coming into your network

Once the criminals find a vulnerable system, they usually attempt to break in using brute force. They use automated software to try common usernames and passwords until they hit a match. Monitor your network traffic for unfamiliar IP addresses and unusually high numbers of external connections or login attempts.
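The kind of monitoring this step describes, as an added example that is not part of the DHS advisory or the original post: a small detector that reads constructed authentication log lines, counts failed logins per source address inside a sliding time window, and reports sources that exceed a threshold, try many usernames, succeed right after such a burst, or are simply not on a known-address allowlist. The log format, field names, addresses and thresholds are all assumptions for this example.

```python
"""Flag brute-force login activity against a remote-access service.

Added example (not from the DHS advisory or the original post). The log
format, field names, addresses and thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<timestamp> rdp-auth <OK|FAILED> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) rdp-auth "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: a known vendor address, a scripted guessing run from an
# unfamiliar address that ends in a successful login, and one stray failure.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2014-08-20 02:14:05 rdp-auth OK user=hvac-vendor src=198.51.100.7
2014-08-20 02:14:10 rdp-auth FAILED user=administrator src=203.0.113.45
2014-08-20 02:14:11 rdp-auth FAILED user=admin src=203.0.113.45
2014-08-20 02:14:11 rdp-auth FAILED user=pos src=203.0.113.45
2014-08-20 02:14:12 rdp-auth FAILED user=manager src=203.0.113.45
2014-08-20 02:14:12 rdp-auth FAILED user=backup src=203.0.113.45
2014-08-20 02:14:13 rdp-auth FAILED user=guest src=203.0.113.45
2014-08-20 02:14:14 rdp-auth OK user=pos src=203.0.113.45
2014-08-20 09:02:33 rdp-auth FAILED user=jsmith src=198.51.100.7
2014-08-20 09:02:51 rdp-auth OK user=jsmith src=198.51.100.7
2014-08-20 21:40:00 rdp-auth FAILED user=root src=192.0.2.99
"""

# Assumed allowlist of addresses expected to connect (vendor, IT staff).
KNOWN_SOURCES = {"198.51.100.7"}


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def _new_finding(src, known_sources):
    return {"unknown_source": src not in known_sources, "burst": False,
            "users_tried": 0, "success_after_burst": False}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10),
                      known_sources=KNOWN_SOURCES):
    """Return findings keyed by source address.

    A source gets a "burst" finding when `threshold` or more failures fall
    inside `window`; the finding records how many distinct usernames were
    tried and whether a successful login followed the burst (that account is
    then likely compromised). Every source outside `known_sources` is listed
    too, so unfamiliar external connections can be reviewed even when they
    stay under the threshold.
    """
    recent = defaultdict(deque)       # src -> timestamps of recent failures
    users_tried = defaultdict(set)    # src -> usernames seen in failures
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if src not in known_sources:
            findings.setdefault(src, _new_finding(src, known_sources))
        if result == "FAILED":
            q = recent[src]
            q.append(ts)
            users_tried[src].add(user)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, _new_finding(src, known_sources))
                f["burst"] = True
                f["users_tried"] = len(users_tried[src])
        elif src in findings and findings[src]["burst"]:
            # a success right after a guessing burst deserves the most attention
            findings[src]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for src, f in sorted(detect_bruteforce(SAMPLE_LOG).items()):
        print(src, f)
```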

Require strong passwords for all accounts

Weak passwords are easy to crack. Strong passwords should be at least 12 characters and have a mix of uppercase and lowercase letters, symbols and numbers. Some systems use two passwords, the user’s normal password and a single-use password sent via another route such as text messaging.

Educate your users about email security

Don’t forget many security breaches start with simple phishing scams. Caution your users not to click on any email link or attachment they weren’t expecting, even if it’s from someone they trust. If they receive a suspicious email, have them contact the source directly to make sure it’s legitimate.

Safeguard your point-of-sale computers

Your POS computers should have their own network isolated from other computers, and they should only run software directly related to POS functions. The criminals responsible for the Target data breach last November stole their login credentials from an HVAC subcontractor that had also done work for other large retailers. Businesses often give HVAC companies network access to monitor heating and cooling equipment. Since the POS machines ran off the same network, the criminals were able to access them and install their malware.

What’s next?

Now that Backoff has been discovered, it’s certain antivirus software companies are hard at work on finding ways to neutralize it so it won’t remain undetectable for long. But retailers shouldn’t be lulled into a false sense of security. Malware developers aren’t standing still either, and there are always new threats on the horizon.

Top 4 Security Drawbacks of BYOD

BYOD Security Concerns

Many organizations have allowed or encouraged employees to use their own smartphones and tablets on the job. The process is called bring your own device, or BYOD. It’s popular with workers and saves the employer money on equipment costs. However, BYOD has drawbacks that concern security experts.

Last week the Information Security Community on LinkedIn and Internet security firm Vectra Networks released the results of their second annual BYOD & Mobile Security Study. The study involved polling more than 1,100 IT security experts on their top BYOD security concerns.

1. Loss of Company or Client Data

The biggest fear of any IT security professional is losing confidential data. Smartphones and tablets are basically handheld computers and malicious individuals can use them to steal information and cause damage to your corporate systems.

2. Unauthorized Access to Company Data and Systems

With workers bringing their own equipment, the process of administration and granting access is more complex. In addition to workers, the company may also have clients and contractors that need access using their own devices.

3. Mobile Malware

Viruses, worms and Trojans aren’t limited to computers anymore. The open structure of the Android operating system and the lax screening policy on the Google Play Store makes it a prime target for malware programmers. Antivirus and Internet security developer Symantec has called Android a “malware magnet.”[1] Apple maintains a tighter control on iOS apps, but the iPhone and iPad are not immune from malware either.

4. Installed Apps with Security Flaws or Suspect Permissions

Even if an app isn’t outright malware, it can have built-in security flaws. In April 2014, Fiberlink released the results of a survey of BYOD users that found 83% had anywhere from 10 to over 100 apps installed on their devices.[2]

It’s highly likely that many of these apps have not been tested for security and compatibility with the employer’s systems. Apps that use advertising to generate revenue often use third-party mobile ad services that add another layer of potential security problems. Many apps have permissions that allow them to share information that may be sensitive with the developer. For example, a game or social media app the user installed on impulse could share the user’s contact list or call history.

Even if your company has not embraced BYOD, it still needs to address the use of personal mobile devices. The BYOD & Mobile Security Study found 21% of organizations that have no BYOD support acknowledge employees are using their own devices for work-related tasks anyway.

[1] http://www.cbronline.com/news/security/symantec-google-android-is-a-malware-magnet-4324588

[2] https://blog.cloudsecurityalliance.org/2014/07/21/survey-finds-byod-devices-cluttered-with-mobile-apps/

Wiping Your Old Android Device Isn’t Enough

The average user’s upgrade cycle for smartphones and tablets is around two years. If the old device is still in good shape once the user upgrades, individual users and small businesses usually sell it or pass it along to someone else. Big companies send obsolete devices to companies that specialize in recycling end-of-life electronics. Most users just perform a factory reset before sending the device on its way, assuming that erases their data, but a recent finding by security software company Avast shows that assumption is false.

Avast employees purchased 20 used smartphones from eBay and used readily-available data recovery software to browse through the wiped devices using a PC. They were able to recover over 40,000 photos, 750 messages and 250 contacts. They also managed to identify four previous users and found a completed loan application with enough information to perpetrate identity theft.

Why wiping your device doesn’t delete your data

The factory reset or wipe feature on an Android device doesn’t actually remove the data from the device’s storage. When it comes to deleting files, the system Android uses is very similar to the hard drive on a computer. It uses an index of pointers to keep track of the location of different files. When you wipe your device, the operating system only resets the pointers and marks the space open for overwriting. The actual information is still present until the device overwrites the space. Until then, anyone with access to the device, a computer, a data cable and the right software can find and open the deleted files.

How to make sure your information is gone for good

1. Enable Encryption on Your Device

Google included a standard encryption feature starting with Android 3.0. When you encrypt the data before wiping the device, the device prompts you to enter an encryption key. Without the key the information is unreadable. The default location for this setting in stock Android is Settings>Security>Encryption. Device manufacturers and developers can customize Android to their own specifications, so check the manual or contact support if you can’t find it.

2. Save personal files on a removable memory card

If your device has a memory card slot, use a microSD card to store your photos, videos and other personal files. When you remove the memory card, the data goes with it.

3. Load junk data

After wiping your device, use a computer to transfer files into the memory and fill up the available storage space. Any large file without sensitive information will work. After the transfer is complete, wipe the device again. Doing this will overwrite your personal files, so anyone trying to browse through them will only find the junk files.

4. Install adequate security software

Avast has a vested interest in pointing out the problem because they provide a free Android app that allows you to secure your device and permanently delete the data. For an added fee there are other useful services, such as remotely wiping the data in case you lose the device. They aren’t the only game in town, so browse through the Google Play store and choose an app that fits your needs.
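The pointer-table behaviour described above, and why steps 1 and 3 defeat it, as an added example that is not from Avast’s report or the original post: a toy flash store modelled as a byte array plus an index of (offset, length) entries. The “reset” only clears the index; a simple carver then recovers the photo and message bytes from the raw storage, while filling the store with junk before a second reset, or encrypting before the reset, leaves the carver nothing to find. The file names, file contents and the XOR keystream are constructed; the XOR step is not a real cipher and only stands in for Android’s device encryption.

```python
"""Why a factory reset leaves data recoverable, and what overwriting or
encrypting first changes. Added example, not Avast's or the post's code;
files, contents and the XOR "cipher" stand-in are constructed."""

STORE_SIZE = 4096
# Byte patterns a recovery tool would carve for: a JPEG header and the
# constructed prefix this toy uses for text messages.
MARKERS = {"jpeg": b"\xff\xd8\xff\xe0", "sms": b"SMS:"}
FRAGMENT = 32   # bytes returned per carved hit


class ToyFlash:
    """Raw storage plus an index of where each file lives."""

    def __init__(self):
        self.raw = bytearray(STORE_SIZE)   # new device: all zeros
        self.index = {}                    # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        if self.next_free + len(data) > STORE_SIZE:
            raise ValueError("store full")
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free += len(data)

    def read(self, name):
        off, length = self.index[name]
        return bytes(self.raw[off:off + length])

    def factory_reset(self):
        """Forget the index and mark all space free; the raw bytes stay put."""
        self.index.clear()
        self.next_free = 0


def carve(raw, markers=MARKERS, fragment=FRAGMENT):
    """Find deleted content without any index by scanning for known markers."""
    found = {}
    for label, marker in markers.items():
        i = raw.find(marker)
        if i != -1:
            found[label] = bytes(raw[i:i + fragment])
    return found


def constructed_user_data():
    return {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"JFIF-constructed-photo-bytes....",
        "messages.db": b"SMS: meet at 6pm, loan application attached",
    }


def xor_stream(data, key):
    """Toy stand-in for encryption: not secure, only illustrates the effect."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _loaded_device(transform=lambda d: d):
    flash = ToyFlash()
    for name, data in constructed_user_data().items():
        flash.write(name, transform(data))
    return flash


def scenario_plain_reset():
    """Reset only: the index is gone, but carving still finds everything."""
    flash = _loaded_device()
    flash.factory_reset()
    return carve(flash.raw)


def scenario_junk_fill():
    """Step 3 from the post: reset, fill free space with junk, reset again."""
    flash = _loaded_device()
    flash.factory_reset()
    flash.write("junk.bin", b"J" * STORE_SIZE)   # overwrites every old byte
    flash.factory_reset()
    return carve(flash.raw)


def scenario_encrypted():
    """Step 1 from the post: data encrypted before the reset never sits in
    the clear, so carving for plaintext markers finds nothing."""
    key = bytes(range(1, 17))    # fixed toy key held by the owner, not the device
    flash = _loaded_device(lambda d: xor_stream(d, key))
    flash.factory_reset()
    return carve(flash.raw)


if __name__ == "__main__":
    print("reset only      ->", sorted(scenario_plain_reset()))
    print("junk fill       ->", sorted(scenario_junk_fill()))
    print("encrypted first ->", sorted(scenario_encrypted()))
```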

When you decide it’s time for an upgrade and want to dispose of your old Android device, don’t just wipe it and consider the job done. Take a few minutes to clear the data the right way and you won’t have to worry about the new owner getting your personal information.

TSA Bars Dead Electronics from Certain Incoming International Flights

On July 6th the United States Transportation Safety Administration announced passengers flying into the U.S. from Europe and the Middle East will soon have to power on their cell phones and other electronic devices. If the device will not power on, it won’t be allowed on the plane. The TSA has required international passengers to power on laptops for many years, but until Sunday smaller electronics were exempt.

While the TSA has stated there’s no specific threat, the administration is concerned that terrorists may hollow out the devices and use them to conceal explosives. It’s not as farfetched as you might think. In 1988, Pan Am Flight 103 was brought down by a bomb hidden in a cassette player. Cell phones were also used to detonate explosive devices on public transportation in Europe in 2004 and 2005. Since then explosives have gotten smaller and harder to detect.

Here’s a list of things you can do to make sure your cell phone can come on the flight with you once the new rules go into effect:

  • Make sure your phone is charged prior to arriving at the airport. Don’t count on being able to charge your phone while you’re there. Available outlets are few and far between at many airports and competition can be fierce.
  • If your phone has a replaceable battery, carry a spare and keep it charged.
  • Invest in a portable battery pack or battery case. They provide extra power, even to phones with sealed batteries. If you carry a laptop, you can use it as a portable battery in a pinch.
  • Carry your charger and extra cables in your carry-on bag. A portable power source won’t do you much good if you can’t connect it to your phone.
  • Turn off your phone or use airplane mode when you don’t need to make or receive calls. Many phones have trouble picking up signal at airports due to radio interference. While the phone is searching for service, the battery drains much faster. You may find your phone has gone dead during a long layover.

Right now the changes only apply to passengers on international flights coming into the United States, not passengers on domestic flights. However, that could change at any time. All it took was one person with bombs in his shoes for the TSA to require everyone to remove their footwear at security checkpoints.

Safeguarding Digital Evidence on Wireless Devices

On June 25th, the US Supreme Court struck a blow for digital privacy rights by ruling that in most cases police must get a search warrant before searching a suspect’s cell phone. The court ruled unanimously on two separate cases, one involving a feature phone and the other a smartphone.

There’s no question any cell phone can contain data that could be helpful in a prosecution. Photos, call records, text messages and emails can link the owner to crimes, victims and known criminal accomplices. There are a few cases where law enforcement personnel can search a phone without a warrant, such as when not examining the device would endanger public safety; for example, if a bomber or kidnapping suspect were apprehended and the police needed to search their device to prevent greater harm.

The process for obtaining a search warrant can take anywhere from a few hours to several days. This leaves law enforcement personnel with the dilemma of how to safeguard any information on the device until they can obtain the warrant.

Bad Guys Can Reach Out and Delete Some Evidence

Don’t make the mistake of thinking just because the phone is out of the suspect’s possession it means the data on the device is safe. Some phones allow the user to wipe or alter the information over the Internet, and it’s not just limited to smartphones. An accomplice or a suspect out on bail could change or delete incriminating evidence such as call logs and contact numbers without even touching the phone.

Even turning the phone off isn’t a safeguard, since it will receive and carry out the change or wipe as soon as it connects to the cellular network. While law enforcement personnel can isolate smartphones from the network by activating airplane mode, most feature phones lack this ability and many owners secure their phones with access codes anyway.

Cutting Seized Phones Off From the Wireless Network

The solution to this remote alteration problem lies in Faraday evidence bags. Faraday bags look similar to the familiar static shield bags used to protect electronics sensitive to static shock, but don’t be fooled into thinking they’re the same thing.

Cell phones communicate wirelessly by sending and receiving electromagnetic radio waves. A Faraday bag isolates the cell phone from radio waves and prevents communication with the outside network by completely surrounding it in conductive material. Since the electromagnetic waves do not penetrate the bag, the cell phone is completely cut off from the wireless network. If you’ve ever dropped a call when riding in a metal elevator, you’ve seen this effect in action.

When law enforcement personnel seize a device, they should turn feature phones off and place smartphones into airplane mode before bagging them. Otherwise, since the phone has no signal inside the bag, the battery will run down quickly as the device continues to search for service.

Cell phones with touchscreens should be wrapped in protective padding to prevent accidentally activating the touchscreen through the material. While capacitive touchscreens will not work through the Faraday bag, resistive touchscreens are sensitive to simple pressure. If in doubt, wrap it up.

Before law enforcement personnel can secure the phone, they need to find it. Here at BVS, we’re the phone-finding experts. Our line of cell phone detection equipment can locate cell phones from up to a mile away and find them hidden inside other objects, even people. Contact us today for advice on finding and safeguarding digital evidence on mobile devices.

Kidnapping Orchestrated by Inmate With Cell Phone

It seems every week there’s a story in the news about the number of cell phones confiscated from prison inmates. A recent incident in the American south provides a dramatic illustration why correctional facilities cannot afford to allow this problem to continue.

In 2012, a North Carolina gang member with a long history of violent felonies named Kelvin Melton received a life sentence for ordering the shooting of his ex-girlfriend’s new boyfriend. Melton swore revenge and in March 2014, he acted.

Melton was on maximum control status at Polk County Correctional Facility, but somehow managed to get a cell phone. He contacted accomplices from inside the prison and tried to arrange for the kidnapping of a family member of the court-appointed attorney who defended him at trial. For unknown reasons the plan was called off, but sometime in late March or early April he contacted the accomplices and told them to change targets to the Wake County Assistant District Attorney.

The kidnappers looked up the information online but somehow got the address for Frank Arthur Janssen, the father of the prosecutor who sent him to jail. On April 5th, a team of kidnappers travelled from Atlanta to the Raleigh area of North Carolina, with Melton calling them several times during the trip to give instructions.

When Janssen answered a knock on the door, they forced their way inside and immobilized him with a stun gun. They put him in handcuffs, pistol whipped him many times and brought him back to Atlanta in a rental car.

On Monday, April 7th, Janssen’s wife Christie received a text message threatening to send him home in “six boxes” if she contacted authorities. Early on April 9th, she received a picture message with a photo of him tied to a chair and a threat to start torturing him the next day.

Later that night, Melton received a text message from the kidnappers confirming they had a shovel, a car and a spot to dispose of the body. He immediately called them back with instructions to kill Janssen if his demands were not met or they lost contact with him for more than three days.

By then, the authorities had determined Melton was orchestrating the kidnapping from behind bars. When correctional officers entered his cell, he tried to destroy the phone by smashing it. Fortunately, the authorities were able to locate the apartment where the kidnappers were holding Janssen. Just before midnight on the 9th they stormed the apartment and rescued him unharmed. Three suspects were picked up later in a Tahoe with a gun, two shovels and a pick.

In the week before the kidnappers were caught, Melton was in regular contact via cell phone. He made at least 123 calls or text messages to his accomplices. Unmonitored communication by inmates presents a serious threat to the general public, court employees and their families. Correctional facilities must do everything they can to keep cell phones out of the hands of dangerous criminals.

BVS offers a full line of cell phone detection equipment that helps correctional staff sniff out contraband phones no matter where they hide, at a cost much lower than other detection methods. Contact us today for a solution that fits your facility.

References:

http://news.nationalpost.com/2014/04/23/i-will-start-torchering-gang-kidnapped-wrong-person-in-plot-directed-from-behind-bars-police-say/

http://www.hngn.com/articles/28644/20140411/fbi-news-fbi-update-fbi-rescues-kidnapping-victim-north-carolina-man-kidnapped-frank-arthur-janssen-frank-arthur-janssen-update-wake-forest-man-kidnapped.htm

http://bigstory.ap.org/article/fbi-team-has-rescued-nc-kidnap-victim-atlanta