Experian gets caught selling your records to identity thieves, hacking a router with a single UDP Packet, the cloud storage service that deletes your files…

And a huge batch of your questions, our answers!

Thanks to:

Experian credit reporting service sold data to identity theft service

• An identity theft service that sold Social Security and driver\’s license numbers — as well as bank account and credit card data on millions of Americans.
• Purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.
• In November 2011, KrebsOnSecurity ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans.
• Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others.
• A KrebsOnSecurity reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.
• Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement.
• Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.”
• In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.
• Martin said he first learned of the ID theft service after hearing from a U.S. Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.
• While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
• Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian acknowledged the broad outlines of Martin’s story and said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service.
• Meanwhile, it’s not clear what — if any — trouble Experian may face as a result of its involvement in the identity theft scheme.

Tenda W302R router can be exploited by sending a single UDP packet

• The Tenda routers use a modified version of the GoAhead web server, popular for embedded platforms
• The custom version Tenda uses contains a modification, when the web server starts it creates a UDP socket and bind it to port 7329
• If a packet is received that starts with the string “w302r_mfg”
• The next byte of the packet indicates what to do with the rest of the packet:
• ‘e’ – Responds with a pre-defined string, basically a ping test
• ’1′ – Intended to allow you to run iwpriv commands
• ‘x’ – Allows you to run any command, as root
• This means you can exploit this router and gain remote root privileges with nothing more than the netcat command
• “the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting”
• The device also ship with a default WPA key, which you might want to try first
• Another Researcher found that this exploit exists in many other versions of the Tenda router firmware

Cloud storage service allows strangers to delete your data

• Box.com is a cloud storage service like Dropbox and others
• A reporter had an account that he used from time to time to share images with his Editors
• His wife also used the account, and at one point had invited an employee from a large PR firm to upload a file
• That PR firm later signed up for a corporate account with box.com
• Box.com has a feature, called account roll-in, which allows companies to slurp up all of their employees accounts and grant those users the additional capacity and features of the corporate account
• This feature can also slurp in accounts that have “deep collaborative relationships” with the company
• So in this case, the reporters account was sucked into the corporate account of the PR firm, even though the relationship was only a single file
• Later on, the Administrators of the PR firm saw the account they did not recognize, and deleted it
• Box.com destroyed the account rather than just unrelating it to the PR firm
• Eventually, Box.com managed to find the Reporters files and return them to him
• This just goes to show the risk involved with trusting your files to a cloud storage provider

Feedback:

• ZPool problems

• Monitor host which is not reachable by my nagios server

• Purposeful duplication

• Allan thinks like an old man! 😉

• Removing a drive from a ZFS volume

• Book Recommendations

— Allan’s new router unboxing —

• [25] An open plea for help from a weary sysadmin : techsnap

[asa]B005FYNSZA[/asa]

Amazon.com: SanDisk Cruzer Fit 16 GB USB Flash Drive SDCZ33-016G-B35: Electronics

Round Up:

• NSA hacked into public email of Mexican President and may have tapped the phone of the German Chancellor
• Disclosure attack on Asus Routers gives away your admin password
• Bing seen showing malware infested Ads
• Nordstrom’s Department Store Chain finds keyloggers on cash registers in Florida
• Underwater TCP/IP to connect offshore platforms etc
• Intel Broadwell chip production pushed back to 2014Q1 due to low yield
• US District court rules that if you claim you are a “hacker” you lose your 4th amendment rights
• Only a small fraction of internet facing Netgear ReadyNAS systems have been patched against serious command injection flaw, fix has been out for 3 months
• Contractors involved in ACA portal have history of security failures
• Officers in charge of Nuclear missile facility caught napping with anti-terrorist blastdoor left open
• Laptop rental company admits to putting spyware on machines
• Physical Access Attacks and Fun Bypass Tricks – How to bypass security on a windows computer