Zappos gets Zapped gives Zippo

So, I went to Zappos.com for the first time today. I thought I would see what they had to say about this weekend’s announcement that just about everyone who shopped there has had their information stolen (well, 24 million people, which may or may not be “everyone” who shopped there, but man, that’s a lot of people).

What did I find? Nothing, nada, zilch, zip. Not a single mention could I find. I even used their search function and typed in “data breach”, which resulted in the site showing me a watch for $90.

I checked out their “blogs” section thinking that maybe they’d put something up there… nope, just the announcement of the winner of the “Ultimate Tee Shirt Design Contest.”

I heard from media reports that all affected accounts would need a new password, so I clicked on “new password” – no mention of the breach there either.


Lastly I scrolled down about a quarter mile and found the “privacy policy” link. For sure there will be some mention there… ah, no. But wait – look over on the right, a picture of a lock and the words “shopping with confidence.” And even better a link to “Learn how we protect your personal data…”


Here’s a quote from that section:


“Zappos.com servers are protected by secure firewalls—communication management computers specially designed to keep information secure and inaccessible by other Internet users. So you're absolutely safe while you shop.”


So, if I didn't watch the news or read the Internet, would I know? 

But wait just one minute. According to a Fox News account from two days ago, there was a posting that said “security email” – it’s right here: http://blogs.zappos.com/securityemail. And in that email was the announcement that the customers would start getting an e-mail in a couple of hours.

And in that posting there was a link to this: http://www.zappos.com/passwordchange


Look, I’m no expert computer designer, but I’m not a neophyte either… I simply could not find any way to access those pages. If it’s there, it’s certainly not prominent. I challenge someone, anyone, to find it from their homepage.


I have never shopped at Zappos, so I would not expect an email notification from them. In the email to their employees dated Jan 15th they inform them that “in the next hour or so we will begin the process of notifying the 24 million people involved…”


My wife shops there, a lot it appears, even has a “zapp app”… but lo and behold…no email… nothing, nada, zilch, zippo… OK, 24 million people is a lot to email, well, not according to certain Spam operators...just maybe 48 hours is not enough time. Since she heard about it on the news she decided that she better take action. 

My wife used her fancy-dancy "zapp app" and clicked "change password" - she was brought to a page that listed Ugg boots for sale... She eventually went to the Zappos site and tried to log in with her old credentials...

Here’s the message my wife got when she tried to log in:

We apologize for the inconvenience however a recent security update has resulted in the need for you to reset your password. By resetting your password, you'll have a more secure experience on our website.

“…a recent security update…”, that’s how it’s being phrased… lovely. I think it’s only fair that you prominently post relevant, important, accurate information on your home page. Sure, it’s embarrassing when something like this happens, but you can’t hide from it.

According to a simple Google search, there are a lot of media outlets covering this story. The media is reporting all over the place that it was a “cyber hacking incident” and not a “mistake” or a “lost piece of equipment.”

But what if you don’t consume news like I do, or preferred to watch the Packers’ game on Sunday afternoon (what was THAT all about – 15-1 and done?)

If you didn't read the news about this incident and relied on Zappos to provide you with the relevant information you would be told that a "recent security update" requires you to use a new password. No worries my friend - remember, at Zappos you can shop with confidence. They have really cool firewalls...

So, what is it? Were the servers in Kentucky hacked into by criminals? If it's my information involved, that's a WHOLE different story than a "recent security update."

Lots of people use the same email address and password at several different retail outfits. Right now there is someone, or someone(s), with my wife's email address and password for Zappos. How hard would it be to figure out that maybe she shops elsewhere with the same info - oh, and at that other site, she has her credit card information saved there to "make the shopping experience that much faster..."

Incidents like this are going to happen, but to keep the integrity of the online commercial world intact, they have to be handled properly.

Chaos reigns in the early moments of a data breach. Getting it right requires ADVANCE preparation because YES, it can happen to you. Do you think they had a "data breach response policy manual?"

Me either.


PS - how about a WISP? I'll be curious to see how our AG handles this one.


The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes that leave the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "mac guy"...

In the 80's and 90's I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "mac" people and "PC" people, just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.


PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...

The Data Breach you may not have heard about, but should definitely care about

About two weeks ago a company called DigiNotar reported to the world that they had a problem. It was August 30, 2011 and the company was discussing an “intrusion” that had occurred on or about July 19, 2011. DigiNotar, located in the Netherlands, is a subsidiary of VASCO, an American company. DigiNotar issues what are called “Certificate Authorities” or CA’s.


As you will see, this is scary.


Imagine you are walking down the street and have $1,000.00 cash in your pocket that you want to deposit into your bank. As you turn the corner, you see a new bank location that appears to be open. It’s not the one you usually go to, but it has all the right signs and colors and it looks like your bank just opened another location – how convenient for you. You walk in and hand them your money as a deposit and go about your day. Later that day you walk by the same location, except now it's not your bank anymore, it appears to be a tax preparation service location with people walking in with their tax information.


Man, how’d that happen so fast…


Now imagine that the whole story above happened on the Internet. Since you can’t “see” on the Internet you are at the mercy of certain organizations in order to “trust” where you are on the Internet. Anyone can copy a website, but there are technologies to assure you that when you are visiting your bank or downloading your latest Amazon purchase you actually are doing just that. This “trust” happens because of the existence of Certificate Authorities.


But on August 30, 2011, DigiNotar told us that back in July someone broke in and stole their CA’s, some 500 of them. (PS - another company, NJ-based Comodo suffered a breach losing about nine Certificate Authorities. The real difference is that DigiNotar didn't tell anyone for a wwwhile.)


Whose were stolen?  They don’t say.

Who stole it?  The Iranians, they say.

Why were they stolen?  So the Iranian Government could snoop on their possible protest planning people… that was one story.


[Image: Invalid CA]


Picture courtesy of the Internet, although it's a fairly accurate representation of the error message generated by Firefox if the CA is invalid - please hit the "get me outta here" button if you see this in your travels.


These Certificate Authorities are kinda key to the safety of the Internet. I say “kinda” just to be funny, because they’re not “kinda” key – they’re essential. They’re essential and so is their authenticity. Their whole purpose of existence is to deliver one message and one message only: “HEY YOU, YA YOU, YOU ARE DEFINITELY WHERE YOU THINK YOU ARE…” (well, it has more than one purpose, it also provides for encrypted communication and some other details but I don't want to confuse the issue further)


How would having one of these CAs be helpful? You could easily set up a look-alike website, send a link purporting to come from the actual site and when the traffic arrives, they will all think they are in the right location because of the stolen Certificate. The bad guys would simply be collecting your usernames and passwords and then showing you a message that says something like “Error 612, Please try again later”. (remember, there’s no site to enter)


If the Iranians really did it, then they could collect email addresses and passwords for lots of people and then read the emails and do what oppressive regimes do.

If a cyber crook did it, they could collect user-names and passwords at the bank and then log into the real bank, transfer your money, and disappear.

This scam WILL WORK. There's no way to stop it once the CA is compromised (well, unless the CA issuer tells the world and the various Internet browser providers make some very quick adjustments).


Let’s just try something for kicks: click this link to “Bank of America Home Personal” and see what happens.

Bank of America Home Personal.mht

It somewhat appears that you are at Bank of America’s site, right? I left it incomplete so as to avoid any “issues” with the powers that be (see generally: Law Enforcement), but if I cleaned up the file, at first blush you’d think you were at Bank of America’s site, right? It’s not the site, not even close. It’s a sub-file of my blog’s site, uploaded from my computer. I could disguise the name on the link so it looked legit, could clean up the site so it appeared to be the real bank…even fix the address bar so you wouldn’t see the real location you were visiting.

Note what’s clearly missing: the little “LOCK” that appears at the real Bank of America site and the associated SSL (Secure Sockets Layer). Now imagine that you can set up a duplicate Bank of America site AND have that “lock” and the SSL (https)? The Certificate Authority will take care of all that for you. Here's a link to the real bank, with the "lock" and SSL intact.

Bank of America Home Personal mht

I am only slightly above the "digital idiot" level and could probably figure a way to make that work, imagine what the real bad guys could do...


The digital world “revoked” trust in DigiNotar, and now we all should be updating our Internet browsers (IE, Firefox, Chrome, Safari, etc.) so that our little innocent PCs know about the “trust issue.”
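To show what that “revoking” actually does, here is an added Go example (my illustration, not anything from DigiNotar or the browser vendors): a constructed toy CA issues a certificate for a bank hostname, a browser-style check accepts it for as long as that CA sits in the trust store, and the same certificate fails with an unknown-authority error the moment the CA is pulled. The CA name, bank.example and other.example are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle is a constructed toy PKI: one root CA plus a server certificate it issued.
type Bundle struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// MakeBundle builds a self-signed root named caName and has it issue a
// certificate for host; nothing here is a real certificate (panics on error).
func MakeBundle(caName, host string) *Bundle {
	check := func(err error) { if err != nil { panic(err) } }
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	// The leaf is what a look-alike site would present: a valid-looking
	// certificate for the real bank's hostname, signed by the stolen CA.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leafCert, err := x509.ParseCertificate(leafDER)
	check(err)
	return &Bundle{CA: caCert, Leaf: leafCert}
}

// Verify does what a browser does on connect: chain the site's certificate
// back to a root still in its trust store and check that the name matches.
func Verify(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty but non-nil: an empty roots list means "trust nobody"
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	b := MakeBundle("Compromised Root CA (constructed)", "bank.example")
	trusted := []*x509.Certificate{b.CA}
	fmt.Println("CA still trusted:    ", Verify(b.Leaf, trusted, "bank.example"))  // nil: the lock appears
	fmt.Println("CA pulled from store:", Verify(b.Leaf, nil, "bank.example"))      // unknown authority: the warning page
	fmt.Println("Hostname mismatch:   ", Verify(b.Leaf, trusted, "other.example")) // name check fails
}
```

The second call is the browser update in miniature: nothing about the certificate changed, only the list of roots the client is willing to believe.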

Is it a case of the trusted trust givers dropping the ball? Or is it simply impossible to lock anything useful down in the digital world?


Man, oh man, or Woman, oh woman, whatever. I think I am starting to see what it was like to live in the Western United States in the 1800’s…. and why everyone carried a gun.


UPDATE: Department of Homeland Security has issued a warning... about this very issue.


I got mail? No, I got hacked

So just yesterday I was using my laptop, checking the weather, reading the latest data breach news, seeing when Whitey Bulger was next due in court and WHAMMO...

A screen popped up on my computer appearing to be "my" virus protection software telling me that I had an infection. Because I am a freak, I recognized that it wasn't "my" virus software (I know my brand). I was very hesitant to click any links. I looked at the various options, the most prominent being "Activate Now". hmmm... isn't "my" virus protection already "activated?"

I found what appeared to be a link that said "Help and Support" and tried to click it. Nothing happened. Do you know why? There is no help, not from this thing.

All of a sudden a little box appeared and then disappeared, then appeared, then disappeared. This happened over and over and over again. I could make out that the box was reporting that "my" virus protection software had been "interrupted". 

[Image: Fake AV alert]

[Image "borrowed" from my savior, "howtogeek.com". This is almost identical to what I saw.]


This is what is known as a "Fake AV attack" (AV stands for Anti-Virus).

I tried to click on the start menu, nothing... tried to launch the internet browsers (I have several), nothing happened.

The only button that would work was "ACTIVATE NOW". If you click activate now, you are taken to a devilish place in the back alleys of the Internet where you are politely asked for your credit card information to "activate" your subscription and rid yourself of this "infection". This plays out thousands of times a day across the Internet. Check out this story, we're talking about $133 million in revenue from this scam.

I did not click the "activate now" link. The first thing I did was manually turn off the wireless signal. I didn't want the, now "out of my control", computer getting any other "friends" from the Internet to come visit me. I did manually turn off the computer by holding down the power button for at least 10 seconds. Then I unplugged it and packed it into my bag to take to work.


I took the computer to work in order to "clean" it up. No, I don't have a fancy computer lab, in fact I have no tools whatsoever to "clean" a computer. What I did have was a protected, clean computer that I could use to research how to clean up my machine.

I found a website, "howtogeek.com". Thank you fellas. They provide a step by step "how-to" get rid of this thing.

I had to use my work computer and download the 2 separate software packages available, for FREE, mind you...! I downloaded them to a USB memory stick. Then I fired up my pesky friend in SAFE MODE (F8 before Windows loads - if you miss it, shut it off manually and try again).

I was able to follow their directions to the letter and run SuperAntiSpyWare - CHECK (24 minutes) - found 313 problems (of which 310 were "ad ware tracking cookies", thanks BestBuy)

I then had to restart and run MalwareBytes - CHECK (20 minutes) My new friend, MB, found another 5 or so issues.

I then restarted, in normal mode now, and things looked great. No insane pop-ups... But I did run "my" anti-virus software and found what was called a "cybot-backdoor" and got rid of it (I hope I did, don't like the thought of a backdoor, do you?)

All appears fine now, but I don't think that I will be visiting my bank from that computer any time soon, and THAT'S the moral of this story. I cannot trust that machine anymore, can I...?


And based on this article, can we trust ANY machine? This article is about a revelation that there are brand new computers in the supply chain that are destined for America's retail stores, except you're getting more than you bargained for if you buy one. Apparently, officials have found brand new machines coming into America pre-loaded with Malware, spyware, and other "things" that may give control over your machine to someone else.

Allow me to play out one scenario: 50 million machines are built by a Chinese company (or a company who outsources their construction to China) and shipped to America pre-loaded with Malware that gives "someone" remote control over the devices. Each of the 50 million devices is purchased by regular joes and put in homes across America. One day that "someone" decides to take down a website in Tibet, or Pakistan or maybe even our own NYSE... they "activate" their 50 million strong computer army (without the owner's knowledge) and WHAMMO, that site is down. All the evidence would point to the attack originating in America, wouldn't it? And how about having 50 million different IP addresses from which to conduct a hack into an American computer system...

This is a profound problem, kids...


I ask again: who is responsible for safety and security in the digital world?


100 Hours worth of data breaches


It was a busy weekend for the morally questionable, yet technically literate, people of the world. Over the weekend it was revealed that the International Monetary Fund was hacked, suffering what they called a "major security breach." And just yesterday we found out that the United States Senate was breached by LulzSec, a self-styled "gray hat" hacking group ("white hat" hackers are supposedly good, "black hat" hackers are supposedly bad, and "gray hat" are just that - in the gray area between).

Just this morning I read about a small-ish business in Rhode Island whose customers reported fraudulent charges on both their credit and debit cards. That breach involved 100 victims. It's not the size that drew my attention, it was the lack of size that did.


And to round out the 100 hours, Anonymous is claiming that they intend to hack into the Federal Reserve on Flag Day, which happens to be today, June 14th. You see, the group Anonymous has an issue with the world's financial institutions, more specifically, the "global banking cartel..." You can read all about it over at Forbes blog.


LulzSec claimed responsibility for the US Senate breach. Anonymous has stated that they want to bring down the global financial cartel of which the IMF is apparently a member, but no claim of responsibility has been made by them.

A quick aside, the IMF is currently involved in the financial bailout of Ireland, Portugal and Greece, three European countries who are in financial peril. Germany is footing a sizeable chunk of those bailouts through various means. Ireland, Portugal and Greece are required to provide tons of information to the IMF in order to receive the funds. Do you think that Germany was wondering where all that money was going? Did the IMF have that information? An attack of this scale should suggest that the culprit is someone with lots of time and money and information. See Generally: A Nation State. Maybe Germany would never do such a thing, but how about a certain Asian Country who would love to see the financials on every country in the world. (PS - it appears that this was a "phishing incident", meaning a likely e-mail delivery of the MalCode - don't we learn?)


With the major breaches taking place in New York and Washington, what got my attention was little ol' Rhode Island. 100 people's information was stolen and then used. They had all apparently shopped at two local establishments: White's of Westport and Bittersweet Farms. This one could certainly have been a "morally questionable" employee who was "skimming" patrons' credit / debit card info, or it could have been a more "technologically" based event (meaning a computer hack). The article reports that the people involved believe that anyone who used their card between February 1 and now should check their statements. Law Enforcement is saying that the 100 identified victims are likely the beginning.


The moral of this story is: YES, it can happen to you no matter who you are: The International Monetary Fund, the United States Senate, or Bittersweet Farms of Westport, Rhode Island.


RSA data breach the result of successful spear phishing

A great story almost slipped by me... With all this "Epsilon" business happening, the disclosed cause of the RSA breach almost went unnoticed. Remember the data breach of the security company, RSA? They're the company that provides computer security apparatus used by Government agencies, hospitals, and lots of corporations with extremely sensitive data. I wrote about it a couple weeks ago and gave you five possible theories.

Guess how the RSA breach happened? Think hard about our aquatic friends...

Yes, spear phishing.


A lonely email makes its way to the inbox of an unsuspecting employee who opens the "excel spreadsheet" and BAM - game on ladies and gentlemen.


On April 1, Uri Rivner, a key RSA boss, posted "Anatomy of an Attack." You have to give RSA credit for telling the world what happened. Mr. Rivner tells us that there were two "phishing emails" sent to a small group of RSA employees. Apparently the email ended up in their "junk" box, but one employee retrieved it and in the end opened the attachment that released the "malcode" (as our AG calls it) and the rest is history. RSA doesn't hide much, they lay out quite a bit of detail. I won't bore you here, but it is fascinating, and their disclosure does a service for the rest of us.


Today, I want to tell you about "social engineering". My definition is "getting someone to do something that they either don't want to do or don't know why they're doing it". Wikipedia defines it in the context of "security" fairly well.

How did the "villains" know who to send the "phishing" email to? According to Mr. Rivner's blog, the employees were defined as follows:

...you wouldn't consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”


So, the employees were not "high value targets", but they were employees of RSA. A couple of basic facts to consider:

  • The bad guys had to know the employees' email addresses
  • The bad guys had to know at least something about the employees - meaning they knew that the targeted employees were not janitors
  • The bad guys had to get the employee to open the infected file

Where is information like this available? Facebook, LinkedIn, social media sites, that's where. Some people have basic information on their social media sites and some update it so often you know what they had for breakfast. You can tell a lot about a person from reading their social media website. You may even be able to tell what they might do in a given situation... that, my friends, is "social engineering."

Why would only one of the "targeted" employees retrieve an email from the junk mail box and open an attachment? You work at RSA, you work for a security company and you open an attachment on an email that your spam filter caught? Something just doesn't make sense here.


Was it something about the name of the attachment that caught that employee's eye? "2011 Recruitment Plan" was the subject line of the email. Why did the bad guys choose to name it that? Maybe because they had been watching the various employees' social media sites and knew that RSA had an ongoing recruitment plan. That's just a guess, a pure guess, but if you're the bad guy and you want to successfully "spear phish" you need some good intel. What's going to make the employee open this attachment? That, as the bad guy, is your operational goal.


We, as digital citizens, put a lot of information about ourselves in the public domain. (oh, I'm sorry did you think that the privacy settings on Facebook keep the bad guys out? How many "friends" do you have and how many of those "friends" have "friends"... and can your friends' friends see your page?)

As a quick aside, I used to use Facebook regularly as an investigative tool. We would "friend" our suspects' friends and then just sit back and read. It was oh so simple to get access to a guy's site - use a pretty girl. She's not real, she's the police, silly. Plus most of the time the privacy settings were non existent and their info was public.


Social engineering is made easier the more public we are about ourselves. Spear phishing works. And the combination of social engineering and spear phishing has worked in the most dramatic way in this case resulting in the breach of one of the world's leading security firms.


But what about my five "theories"?

  1. Conspiracy - technically still viable, but I sincerely doubt it now.
  2. Foreign Government Action - gaining ground based on the complexity of the incident
  3. Corporate Espionage - still possible, but unlikely. The same type of attack has been launched against many other corporations leading me to believe that it's from outside the corporate world.
  4. Criminal Organization - I stand by my assertion that this is too complicated for them to pull off. Prove me wrong Eastern Europe, I dare you.
  5. It never happened - It did. This one is out.


One final note: If I was a bad guy and had the EPSILON email data, here's how I would use it:

I would send an email purporting to be from the affected company apologizing for the inconvenience and in the same email offer to have them removed from our email list by clicking "this" link. Would you click that link?