Debug mode exposes sensitive data, Cisco’s Talos group exposes the Angler exploit kit & how a Microsoft exposed Conficker with an egg hunt.

Plus some great feedback, a huge round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Danish bank leaves production server in debug mode, exposes sensitive data

• While at Chaos Communication Camp, the Dutch researcher was talking with some Danish hackers about the security of Danish banks, especially their terrible HTTPS settings that result in an F from Qualys SSL Labs
• Upon arriving back home, he opened up the bank’s website, and decided to look at the HTML of the page
• On it, he found a giant URL encoded javascript comment
• Upon decoding it, he was that it leaked a huge amount of information, some of it sensitive
• It returned session cookie id, the entire contents of the cookie submitted by the user, and a bunch of other cookies.
• It also revealed that the site was written in Microsoft ASP, shows the path to the files on the web server, the internal IP addresses
• Worse, while looking at the data, he realized that the data was not infact his, but belonged to the session of another user
• “If I refreshed the login screen again, I would get to see a different set of data, from another customer. I repeated that a few times and got back different records each time.”
• He also noticed that the server port was 80, and HTTPS was “off”, this suggests it is a normal web server without TLS, with some kind of SSL Terminator appliance in front of it. It would be best practise to use TLS on the internal network as well, else a sysadmin, or someone who manages to compromise the web application, could snoop usernames and passwords as they passed between the terminator and the web servers.
• The researcher resisted the urge to add the cookie he had just seem go by to his own browser and login as some unsuspecting customer
• It seems likely that if viewing this same dump from a page that involved an HTTP POST, it would have included plain text username and password
• “The variables HTTP_SOPDB2MEMBER, HTTP_SOPQMGR and HTTP_SOPFECICS indicate that their Microsoft IIS server is connecting to a z/OS server that runs a DB2 database, message queue software and CICS. That’s a pretty normal (but old!) software stack for a bank. Probably also means they’re still using COBOL code on their backend.”
• He then tried to report the issue
• “Easier said than done. They don’t have a responsible disclosure process in place, so there was no e-mail address I could mail my findings to. I called a phone number on their web site and the lady that I spoke didn’t seem to understand the problem and said: “our technical guy will look at your finding”. I asked for her e-mail address so I could mail the details to her but she said that wasn’t possible. I didn’t get the feeling I was taken seriously, so I started looking on LinkedIn for IT security personnel that worked at the bank.”
• “Found someone that worked in the security incident response department and mailed him my findings. That worked! I saw that within 24 hours the vulnerability was patched.”
• The response from the bank: “Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day.”
• “A potential vulnerability? Are you serious? The server was leaking all kinds of highly technical data. And what about using not real customer data? Is it suggested that Danske Bank is using test customer data in their production environment? That would be against all safety guards and all best practices. And creating test cookie data in production in combination with an IP address and user agent? Never seen that one before.”
• “For at least two weeks, but probably a lot longer, very confidential customer data in the form of session cookies were leaking on Danske Bank’s web site. With these cookies it should have been possible to hijack internet banking accounts of their customers. They closed the security hole quickly, but are now in denial of it.”
• “Update October 8: Because of all publicity this story gets, Danske Bank now admits that their production server was in debug mode and that I saw information and cookies from other visitors (!). That’s quite a turn! Seems that media attention forces the bank to be honest. They still hold on that I couldn’t hijack banking sessions.”
• Researcher’s Blog

Cisco Talos tackles the Angler exploit kit

• Angler is one of the largest exploit kit found on the market and has been making news as it has been linked to several high profile malvertising/ransomware campaigns.
• In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually.
• The Talos organization gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs.
• Thanks to their continued collaboration with OpenDNS they were able to gain in depth visibility into the domain activity associated with the adversaries.
• The dataset was originally from July 2015 and included data from all sources available. July provided a unique opportunity because Angler went through several iterations of development, including URL structure changes and implementation of several unpatched Adobe Flash vulnerabilities. During the analysis, trends and patterns emerged. This paper will discuss trends in hosting, domain usage, referers, exploits, and payloads. It was the trends associated with the hosting that lead to the most significant discoveries.
• While analyzing the data they found that a large amount of Angler activity was focused with a single hosting provider, Limestone Networks. Talos collaborated with Limestone to gather some previously unknown insight into Angler. This includes details related to data flow, management, and scale.
• Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers.
• Additionally, there is a health monitoring server that is conducting health checks, gathering information about the hosts that are being served exploits, and remotely erase the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and helped allow us to put a monetary value on the activity.
• A single health server was seen monitoring 147 proxy servers over the span of a month and generating in excess of $3,000,000 USD in revenue.
• Despite not having a large footprint, Angler is able to compromise a significant amount of users, for a presumably small amount of customers. An interesting aspect is the lack of IP variety from day to day. Angler starts with an IP address (i.e. 74.63.217.218) as the system compromises users and generates noise the adversaries shift to an adjacent IP (i.e. 74.63.217.219).
• This activity would continue through contiguous blocks of IP space being used from a single provider. Indicating that the actors likely had multiple servers available moving from one server to the next as they were blocked.
• Looking at the amount of unique IP’s, while it is still clear that Hetzner and Limestone Networks were the primary sources of Angler, Limestone Networks was the largest single provider.
• Talos approached both Hetzner and Limestone related to the information we gathered on these threat actors. Limestone Networks responded and cooperated fully with this investigation.
• For example one Talos account purchased 815 servers during the course of a week using stolen credit cards originating from different countries. This would continue gradually allowing the users to accumulate a fair amount of server infrastructure. Eventually the credit cards would be identified as stolen and significant costs are incurred. According to Limestone Networks our adversaries “contributed approximately $10,000 in cost and lost revenue each month.” The vast majority of this in charge backs due to fraudulent credit card charges.
• Limestone Networks was also able to provide Talos with copies of images of the servers that were being used as well as network captures of the communications the servers were conducting for short time periods. As a result of this Talos was able to get valuable information that exposed previously undisclosed aspects of Angler, as well as the scope of the users impacted.
• Users do not just browse to an exploit kit they are pushed into it there via malicious iFrames and malvertising. Both were found in significant volume during the course of the month. Talos observed popular websites redirecting users to the Angler exploit kit via malvertising including hundreds of major news, real estate, and popular culture sites.
• Additionally, Talos noticed a couple of smaller volume referer chains that were being used, either as a way to directly get users to Angler or just add a layer to the redirection chain. The first was the use of dynamic DNS services.
• A similar type of service has also been observed gaining volume recently. It also made use of an additional tier of redirection using shadowed domains.
• These were almost exclusively javascript files that are hosted under englishword based sub folders
• A huge variety of different browsers and operating systems hit Angler landing pages (including Netscape 4.0 which was a bit surprising, but not all of those users were served exploits). Overwhelmingly the most common browsers to be served actual exploits were Internet Explorer and the reasons we believe are two fold. First is that Angler leveraged CVE-2014-6332 heavily for the last six months and continues to do so (Angler also recently added CVE-2015-2419 also targeting IE), this exploit is targeted specifically at Internet Explorer users. The second is that the other major web browsers, Chrome and Firefox, have gone to great lengths to either sandbox Adobe Flash or prevent any flash rendering with outdated versions. Firefox even went so far as to block all Flash activity when the Hacking Team 0days (CVE-2015-5119, CVE-2015-5122) were disclosed to prevent its users from being impacted.
• Talos has observed both Cryptowall 3.0 as well as Teslacrypt 2.0 being delivered by Angler during this time period. Both ransomware variants leverage compromised wordpress sites to push data for later retrieval.
• Not surprisingly the overwhelming majority of the exploits Angler was serving were tied to Adobe Flash. Almost 75% of the exploits served to users were Adobe Flash related.
• One of the biggest reasons that Angler has been so pervasive and able to infect as many users is the lack of antivirus coverage. During the month of July Talos observed almost 3,000 unique hashes associated with exploits. That data was then queried against VirusTotal which found that only 6% of the hashes were in VirusTotal. Of that 6% the average detection was low, with usually less than ten AV engines detecting it. This, coupled with the recent large scale malvertising campaign, reinforces that a user browsing the internet using Internet Explorer with only basic antivirus protection is highly vulnerable to an Angler infection.
• Additional Coverage: TheStack

The story of MS08-067, the 2008

• This is the story of a zero-day exploit against all versions of Windows that came to light in 2008
• “The attackers had a remote code execution (RCE) vulnerability that affected every version of Windows, gave them full control at SYSTEM level rights, left almost no forensic footprint, and could be used anonymously from anywhere on the Internet. Their exploit was 95% reliable. Almost perfect. Almost.”
• “To understand MS08-067 you need to understand MS07-029, an RCE vulnerability in Windows DNS. MS07-029 was one of a series of Remote Procedure Call (RPC) server vulnerabilities that were steadily being ferreted out by Microsoft, attackers, and security researchers alike. There was one difference. MS07-029 was the first RCE that where we had our Visual Studio return address protection (/GS) and Windows Data Execute Prevention (DEP) in effect. We refer to these defenses as exploit mitigations and we had been steadily adding them since XP SP2. It was one of the ways we were using security engineering to combat security issues in engineering. Once an exploit has trashed the internal memory of a process, there is no recovery and the only option is to force a crash—a terrible user experience for sure, but better than resulting in a compromised machine.”
• “By September 2008 we had built a system that screened millions of crashes for security exploits. Along the way I felt like I joined the world’s smallest profession—that of an exploit failure engineer. On September 25th a crash came in that got my attention–an exploit in netapi32.dll. This new crash was in very similar code, but in a different WER bucket. It was not in the top 100 or top 1,000 issues. It was bucket #45,000 with exactly 2 hits ever. This was living in the tail. ”
• “What made this tiny bucket stand out? First, there was an exploit. It found shellcode in the crash dump. I reviewed the shellcode and saw that it used an egghunt to find the payload. An egghunt is an exploit engineering technique used when a buffer overrun is constrained in terms of how much payload can be sent.”
• “The second thing unusual about this crash dump was not just the way it failed. It was the way it was succeeding before it crashed. I looked beyond the crashing thread to the other threads in the process. One of them revealed the attacker had already exploited the process and the shellcode was in the middle of downloading a payload using URLDownloadToFileA!”
• “While egghunts weren’t new, this was a new flavor of shellcode for netapi32 exploits and clear evidence of a successful exploit. The final nail in the coffin was the version information in the crash dump. Netapi32.dll was fully patched! There seemed to be only one explanation for this: a new 0-day in the wild. “
• “Most of the time security researchers find a vulnerability then work to write an exploit. I was going in reverse: examining an exploit to determine the vulnerability, armed with only a forensic crash and no way to reproduce it. Had the exploit blown away the crucial clues in the buffer overrun itself? I studied the crash over and over. I looked at the source code for netapi32. Vulnerabilities are often obvious in hindsight but stubborn to reveal themselves at first. Here was my dilemma: if I could not find the vulnerability, despite having a clear exploit, we could not act.”
• “I brought the case to the manager of the MSRC security engineers, Andrew Roths. I remember the moment Andrew stopped by my office. He said, “I found a vulnerability.””
• “We walked down the hallway to the office of the crisis manager, Phillip. He was in the middle of a meeting with someone in his office. There must have been something about the expression on our faces because he turned to his visitor and abruptly said, “I’ll talk with you later”. We entered and I said, “we have a zero day.” We explained the basic facts. We had a vulnerability, that could be exploited remotely, anonymously, that affected all versions of Windows. It was wormable and someone was already exploiting it. When you say the word ‘wormable’ to a crisis manager, it activates some latent response DNA. In his quiet way he went from 1 to 11 and immediately got to work mobilizing everyone. Scarred by Code Red and Blaster, when an issue is wormable, at Microsoft everyone shows up and works it as job #1.”
• “On Windows Vista and Windows Server 2008 it always failed. The Security Development Lifecycle (SDL) process at Microsoft made sure those OS editions had full ASLR and DEP for the svchost.exe”
• “Their solution for this was to first call the vulnerable function with a benign input that had the slash character but would not trigger the vulnerability. This data would stay latent on the stack, like a ghost, the next time the function was called. This technique was perfectly reliable if Windows used the same thread for both requests. This happened nearly all the time. Nearly. In a quirk of fate, the Windows RPC thread pool handed the second request containing the exploit to a different thread—one that did not have the carefully placed slash character. The netapi32 code kept searching for it, eventually running off the end of the thread stack, hitting the guard page, and crashing the process with a stack overflow error (0xC00000fd).”
• “Once MSRC was ready with the patch, we made the decision to ship it as an out-of-band update. Every patch release starts the clock in terms of copycat exploits. This is the one of those dilemmas in the MSRC business. Naturally you want to ship an update as soon as it’s ready. But when you ship an out-of-band update, many IT teams aren’t ready and this slows down how quickly systems are updated. Attackers don’t hesitate to download the patch, diff it, and start building exploits, and defenders caught on their back foot may be at a disadvantage as they scramble to rearrange their schedule to deploy the update. We considered. Can you hold until Patch Tuesday when IT teams around the world are ready to receive and act? Or do you ship early and disrupt customers? The answer was clear. We had a critical vulnerability. We saw an uptick in activity. The patch was ready. We went out-of-band.”
• “Ask anyone about MS08-067 and most will mention Conficker. At this point in October, Conficker did not even exist. Conficker, as disruptive as it was, affected only the tail of computers that had not patched. Imagine what would have happened if Conficker had half a billion more systems to infect.”

iXsystems — FreeNAS worst practices guide

Feedback:

• Passwordless SSH keys for deployment

• ZFS question: corruption rebuilding a ZRAID

• ZFS send and receive to multiple locations.

• allanjude/zxfer

• Video Encoding

• Amazon.com: Magewell XI100DUSB-HDMI HDMI to USB 3.0 Video Capture Dongle

Round up:

• Chinese Hackers Breached LoopPay, Whose Tech Is Central to Samsung Pay
• IPv6 is a real world big deal now, 50% of facebook traffic from mobile is v6 now
• Verizon’s zombie cookie gets new life
• Ubuntu plans to make ZFS a standard option
• Not all iPhone 6s are created equal. Samsung chips slower and use more battery than TSMC chips
• For justice to work properly, you need to be able to inspect the source code of forensic devices to prove they actually collected the evidence properly
• Journalist linked to Anonymous found guilty of 3 federal counts of hacking
• Be sure to dispose of your airline boarding passes properly
• Get AMP’d: Here’s what publishers need to know about Google’s new plan to speed up your website
• The certification disconnect — Hacker witch hunts are driving students away from the security field
• Volvo Will Accept Liability For Self-Driving Car Crashes
• How I spent 2 weeks hunting a memory leak in ruby
• OPM says more than 5.6 million fingerprint records also compromised
• How elliptic curve cryptography works
• The low-tech approach to taking out a network, just zap an exposed ethernet port
• Understanding bias and arguments
• CEO Responds To Experian Data Breach
• Hack Android phones, by typing in a really long password

The post Catching the Angler | TechSNAP 235 first appeared on Jupiter Broadcasting.

Lenovo & Google are victims of DNS hijacking, we’ll share the details, Everyone wants you to secure your data, just not from them & how Turbotax profits from Cyber tax fraud!

Plus a great batch of your questions, a fantastic round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Attackers Hijack Lenovo Domain, Spoof Website and Intercept Company Emails

• The lenovo.com website was replaced with a slideshow of some random person
• The attack was apparently carried about by members of LizardCircle (or LizardSquad)
• The identity of the person in the slideshow is unclear, but reports suggest they are two members of another hacking group (Hack The Planet) that have been trying to undermine LizardSquad for months
• The pictures on the Lenovo site suggest that the webcam of the target may have been compromised
• It seems the Lizard Squad was able to compromise webnic.cc, a large domain name registrar via a remote command injection vulnerability
• They then reported installed a rootkit and took over the registrars infrastructure
• Using this access, they were able to change the authoritative nameservers for the Lenovo.com domain to their own, and post the defacement page
• This allow allowed them to intercept all incoming email sent to @lenovo.com addresses
• They apparently used CloudFlare to host the site, and CloudFlare engineers eventually returned control of the site to Lenovo, while the DNS changes propagated
• The attackers apparently also got access to the ‘auth codes’ required to transfer ownership of the domain to another registrar
• Same attack also compromised google.com.vn domain in Vietnam
• Additional Coverage: Krebs On Security
• Additional Coverage: Ars Technica

Everyone wants you to secure your data, just not from them

• Bruce Schneier writes a blog post about security and privacy
• Google and Facebook was your data to be secure, on their server, so they can analyze it
• Your government wants you to have security communications, as long as they have the magic keys to decrypt it, but other governments do not
• “Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.”
• Schneier also quotes Whitfield Diffie (pioneering cryptographer, co-developed the Diffie-Hellman key exchanged used in SSH and TLS): “You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.”
• Corporations want access to your data for profit; governments want it security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.
• Bruce wrote in his recent book: Data and Goliath: “Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.”
• “Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions ­ yes, billions ­ of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.”
• “We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.”
• I think at some level, part of the onus needs to be on the user as well, you are responsible for managing your passwords and security.
• Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors | Just Security

The rise of tax refund fraud

• Fraudsters made billions of dollars last year by filing fake federal tax refund requests in the names of millions of unsuspecting Americans
• The IRS added a number of security measures and better automated screening, which drove the fraudsters to focus on state-level tax fraud
• “Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings”
• “Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike”
• To learn more about what was going on, Krebs interviewed Indu Kodukula, chief information security officer at Intuit
• “The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”
• In the 2014 tax season, the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft
• “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having a file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”
• “States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.”
• “Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.”
• “It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”
• The traditional way that income tax fraud has been perpetrated was to steal the identity of an individual, then create an online tax account on their behalf and file the fraudulent return
• However, there has been a spike in compromised tax accounts, most appear to be because of password reuse
• We have seen many sites being compromised in the last few years, like LinkedIn, and Adobe. When huge piles of passwords like that are dropped on the Internet, the attackers try those same username/email and password combinations on other sites, like tax preparation sites
• “Over the past one-and-a-half years, we started to see much more of this type type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.
• Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.
• “From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”
• Security experts (including Krebs) have long called on TurboTax to implement two-step authentication for customers to help address the account takeover the problem of password re-use by consumers. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approaches may fall short of what many security experts think of when they talk about real two-step or two-factor authentication.
• Krebs’ article also has some links and guidance for those who fall victim to this type of attack
• A week after the above interview, Krebs interviewed Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014
• Kreb’s 2nd Interview
• Lee said that he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
• But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns
• “If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
• “The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.”
• Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.
• But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.
• “The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”
• Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.
• “We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”
• “Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”
• KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.
• “As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”
• That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.
• “Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”
• Robert Lanesey, Inuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.
• “Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”
• Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.
• “We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”
• It will be interesting to see how this story develops

Feedback:

• pfSense “advanced” routing question

• Transfer a huge files while it is being created (Linux shell scripting?)

• Lets encrypt

• PHK on HTTP/2

• Allan’s Tetris lamps are driving me crazy.

Round Up:

• Intel Security warns of six Social Engineering techniques being used against businesses
• Remote Code Execution (as root) vulnerability in all versions of Samba (windows file sharing daemon for UNIX-like operating systems)
• SSL-busting code that threatened Lenovo users found in a dozen more apps
• Some of todays hackers are more sophisticated than you think
• Replacing my 10+ years old home router
• Ad blocking software PrivDog, may actually be worse than Superfish
• Moxie Marlinspike – GPG, with its old technology, bad design, and small userbase, is dead; it’s time for a more usable encryption system
• The most vulnerable operating systems and applications of 2014
• FCC approves net neutrality rules, reclassifies broadband as a utility
• Tens of thousands of home routers all using the same SSH private key, defeating the security provided by the private key
• Intel To Rebrand Atom Chips Along Lines of Core Processors
• Facebook posts results of its research into SSL Interception against Facebook visitors

The post TurboHax | TechSNAP 203 first appeared on Jupiter Broadcasting.

WebRTC is going to bring a whole new category of applications to Linux, and the web. We’ll demo some of our favorite and surprisingly powerful uses of WebRTC that go way beyond basic video chat.

Plus Steambox specs get real, Mir gets dropped from Ubuntu 13.10…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show: