ITSecurity.org

Technology Security Controls

Biz & IT

Microsoft is adding Linux, Android, and firmware protections to Windows

June 23, 2020 by ITSecurity.Org Ltd

Screenshot of antivirus protection.

Microsoft is moving forward with its promise to extend enterprise security protections to non-Windows platforms with the general release of a Linux version and a preview of one for Android. The software maker is also beefing up Windows security protections to scan for malicious firmware.

The Linux and Android moves—detailed in posts published on Tuesday here, here, and here—follow a move last year to ship antivirus protections to macOS. Microsoft disclosed the firmware feature last week.

Premium pricing

All the new protections are available to users of Microsoft Advanced Threat Protection and require Windows 10 Enterprise Edition. Public pricing from Microsoft is either non-existent or difficult to find, but according to this site, costs range from $30 to $72 per machine per year to enterprise customers.

In February, when the Linux preview became available, Microsoft said it included antivirus alerts and “preventive capabilities.” Using a command line, admins can manage user machines, initiate and configure antivirus scans, monitor network events, and manage various threats.

“We are just at the beginning of our Linux journey and we are not stopping here!” Tuesday’s post announcing the Linux general availability said. “We are committed to continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months.”

The Android preview, meanwhile, provides several protections, including:

  • The blocking of phishing sites and other high-risk domains and URLs accessed through SMS/text, WhatsApp, email, browsers, and other apps. The features use the same Microsoft Defender SmartScreen services that are already available for Windows so that decisions to block suspicious sites will apply across all devices on a network.
  • Proactive scanning for malicious or potentially unwanted applications and files that may be downloaded to a mobile device.
  • Measures to block access to network resources when devices show signs of being compromised with malicious apps or malware.
  • Integration to the same Microsoft Defender Security Center that’s already available for Windows, macOS, and Linux.

Last week, Microsoft said it had added firmware protection to the premium Microsoft Defender. The new offering scans the Unified Extensible Firmware Interface (UEFI), the successor to the traditional BIOS, which computers run during the boot process to locate and enumerate installed hardware.

The firmware scanner uses a new component added to virus protection already built into Defender. Hacks that infect firmware are particularly pernicious because they survive reinstallations of the operating system and other security measures. And because firmware runs before Windows starts, it has the ability to burrow deep into an infected system. Until now, there have been only limited ways to detect such attacks on large fleets of machines.

It makes sense that the extensions to non-Windows platforms are available only to enterprises and cost extra. I was surprised, however, that Microsoft is charging a premium for the firmware protection and only offering it to enterprises. Plenty of journalists, attorneys, and activists are equally if not more threatened by so-called evil maid attacks, in which a housekeeper or other stranger has the ability to tamper with firmware during brief physical access to a computer.

Microsoft has a strong financial incentive to make Windows secure for all users. Company representatives didn’t respond to an email asking if the firmware scanner will become more widely available.

Filed Under: Biz & IT, firmware, IT Security, Linux, macOS, Microsoft, microsoft defender, Security, tech, Windows

Intel will soon bake anti-malware defenses directly into its CPUs

June 15, 2020 by ITSecurity.Org Ltd

A mobile PC processor code-named Tiger Lake. It will be the first CPU to offer a security capability known as Control-Flow Enforcement Technology. (Image: Intel)

The history of hacking has largely been a back-and-forth game, with attackers devising a technique to breach a system, defenders constructing a countermeasure that prevents the technique, and hackers devising a new way to bypass system security. On Monday, Intel is announcing its plans to bake a new parry directly into its CPUs that’s designed to thwart software exploits that execute malicious code on vulnerable computers.

Control-Flow Enforcement Technology, or CET, represents a fundamental change in the way processors execute instructions from applications such as Web browsers, email clients, or PDF readers. Jointly developed by Intel and Microsoft, CET is designed to thwart a technique known as return-oriented programming, which hackers use to bypass anti-exploit measures software developers introduced about a decade ago. While Intel first published its implementation of CET in 2016, the company on Monday is saying that its Tiger Lake CPU microarchitecture will be the first to include it.

ROP, as return-oriented programming is usually called, was software exploiters’ response to protections such as Executable Space Protection and address space layout randomization, which made their way into Windows, macOS, and Linux a little less than two decades ago. These defenses were designed to significantly lessen the damage software exploits could inflict by introducing changes to system memory that prevented the execution of malicious code. Even when successfully targeting a buffer overflow or other vulnerability, the exploit resulted only in a system or application crash, rather than a fatal system compromise.

ROP allowed attackers to regain the high ground. Rather than using malicious code written by the attacker, ROP attacks repurpose functions that benign applications or OS routines have already placed into a region of memory known as the stack. The “return” in ROP refers to the use of the RET instruction that’s central to reordering the code flow.

Very effective

Alex Ionescu, a veteran Windows security expert and VP of engineering at security firm CrowdStrike, likes to say that if a benign program is like a building made of Lego bricks that were built in a specific sequence, ROP uses the same Lego pieces but in a different order. In so doing, ROP converts the building into a spaceship. The technique is able to bypass the anti-malware defenses because it uses memory-resident code that’s already permitted to be executed.

CET introduces changes in the CPU that create a new stack called the control stack. This stack can’t be modified by attackers and doesn’t store any data. It stores the return addresses of the Lego bricks that are already in the stack. Because of this, even if an attacker has corrupted a return address in the data stack, the control stack retains the correct return address. The processor can detect this and halt execution.
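To make the control-stack idea concrete, here is an added toy model (my own illustration, not Intel's CET implementation or any code from the article). It models a CPU with a writable data stack and a separate shadow stack that only CALL and RET can touch; the addresses, the `write_stack_slot` helper standing in for a memory-safety bug, and the `run_return` scenario function are all constructed for the demonstration.

```python
# Added illustration of a shadow (control) stack; a toy model, not Intel's CET.
from dataclasses import dataclass, field
from typing import List


class ControlFlowViolation(Exception):
    """Raised when RET pops a return address the shadow stack did not record."""


@dataclass
class ToyCPU:
    """Minimal CPU model with a writable data stack and a protected shadow stack.

    Program code (and therefore any memory-safety bug) can read and write the
    data stack, but only the CALL and RET operations below touch the shadow stack.
    """
    shadow_stack_enabled: bool = True
    data_stack: List[int] = field(default_factory=list)
    shadow_stack: List[int] = field(default_factory=list)

    def call(self, return_address: int) -> None:
        # CALL saves the return address on the data stack and, when the
        # protection is on, keeps a second copy on the shadow stack.
        self.data_stack.append(return_address)
        if self.shadow_stack_enabled:
            self.shadow_stack.append(return_address)

    def ret(self) -> int:
        # RET pops the data stack; with protection on it also pops the shadow
        # stack, and the two copies must agree or execution is halted.
        address = self.data_stack.pop()
        if self.shadow_stack_enabled:
            expected = self.shadow_stack.pop()
            if address != expected:
                raise ControlFlowViolation(
                    f"RET to {address:#x} but shadow stack holds {expected:#x}"
                )
        return address

    def write_stack_slot(self, value: int) -> None:
        # Stands in for a bug that overwrites the saved return address.
        # Only the data stack is reachable this way; the shadow stack is not.
        self.data_stack[-1] = value


def run_return(shadow_stack_enabled: bool, corrupt: bool) -> str:
    """One CALL/RET round trip; reports where control flow ended up."""
    legit_return = 0x401000   # constructed sample address of the caller
    injected = 0x7FFD0000     # constructed sample value written by the bug
    cpu = ToyCPU(shadow_stack_enabled=shadow_stack_enabled)
    cpu.call(legit_return)
    if corrupt:
        cpu.write_stack_slot(injected)
    try:
        target = cpu.ret()
    except ControlFlowViolation:
        return "halted"          # the processor detected the mismatch
    return "legitimate" if target == legit_return else "hijacked"


if __name__ == "__main__":
    for enabled in (False, True):
        for corrupt in (False, True):
            print(f"shadow stack {'on ' if enabled else 'off'}, "
                  f"corrupted={corrupt!s:5}: {run_return(enabled, corrupt)}")
```

The four combinations show the property Fitzpatrick describes below: with the shadow stack off, a corrupted return address silently redirects control; with it on, the same corruption is caught at RET and execution halts, while uncorrupted returns behave identically either way.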

“Because there is no effective software mitigation against ROP, CET will be very effective at detecting and stopping this class of vulnerability,” Ionescu told me. “Previously, operating systems and security solutions had to guess or infer that ROP had happened, or perform forensic analysis, or detect the second stage payloads/effect of the exploit.”

Not that CET is limited to defenses against ROP. CET provides a host of additional protections, some of which thwart exploitation techniques known as jump-oriented programming and call-oriented programming, to name just two. ROP, however, is among the most interesting aspects of CET.

Those who do not remember the past

Intel has built other security functions into its CPUs with less-than-stellar results. One is Intel’s SGX, short for Software Guard eXtension, which is supposed to carve out impenetrable chunks of protected memory for security-sensitive functions such as the creation of cryptographic keys. Another security add-on from Intel is known as the Converged Security and Management Engine, or simply the Management Engine. It’s a subsystem inside Intel CPUs and chipsets that implements a host of sensitive functions, among them the firmware-based Trusted Platform Module used for silicon-based encryption, authentication of UEFI BIOS firmware, and the Microsoft System Guard and BitLocker.

A steady stream of security flaws discovered in both CPU-resident features, however, has made them vulnerable to a variety of attacks over the years. The most recent SGX vulnerabilities were disclosed just last week.

It’s tempting to think that CET will be similarly easy to defeat, or worse, will expose users to hacks that wouldn’t be possible if the protection hadn’t been added. But Joseph Fitzpatrick, a hardware hacker and a researcher at SecuringHardware.com, says he’s optimistic CET will perform better. He explained:

One distinct difference that makes me less skeptical of this type of feature versus something like SGX or ME is that both of those are “adding on” security features, as opposed to hardening existing features. ME basically added a management layer outside the operating system. SGX adds operating modes that theoretically shouldn’t be able to be manipulated by a malicious or compromised operating system. CET merely adds mechanisms to prevent normal operation—returning to addresses off the stack and jumping in and out of the wrong places in code—from completing successfully. Failure of CET to do its job only allows normal operation. It doesn’t grant the attacker access to more capabilities.

Once CET-capable CPUs are available, the protection will work only when the processor is running an operating system with the necessary support. Windows 10 Version 2004 released last month provides that support. Intel still isn’t saying when Tiger Lake CPUs will be released. While the protection could give defenders an important new tool, Ionescu and fellow researcher Yarden Shafir have already devised bypasses for it. Expect them to end up in real-world attacks within the decade.

Filed Under: Biz & IT, central processing units, Control-Flow Enforcement Technology, CPUs, exploits, Intel, IT Security, return oriented programming, rop, Security, tech, Vulnerabilities

Google fixes Android flaws that allow code execution with high system rights

June 2, 2020 by ITSecurity.Org Ltd

Image credit: Ron Amadeo

Google has shipped security patches for dozens of vulnerabilities in its Android mobile operating system, two of which could allow hackers to remotely execute malicious code with extremely high system rights.

In some cases, the malware could run with highly elevated privileges, a possibility that raises the severity of the bugs. That’s because the bugs, located in the Android System component, could enable a specially crafted transmission to execute arbitrary code within the context of a privileged process. In all, Google released patches for at least 34 security flaws, although some of the vulnerabilities were present only in devices available from manufacturer Qualcomm.

Anyone with a mobile device should check to see if fixes are available for their device. Methods differ by device model, but one common method involves either checking the notification screen or clicking Settings > Security > Security update. Unfortunately, patches aren’t available for many devices.

Two vulnerabilities ranked as critical in Google’s June security bulletin are indexed as CVE-2020-0117 and CVE-2020-8597. They’re among four System flaws located in the Android system (the other two are ranked with a severity of high). The critical vulnerabilities reside in Android versions 8 through the most recent release of 11.

“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files,” an advisory from the Department of Homeland Security-funded Multi-State-Information Sharing and Analysis Center said. “Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Vulnerabilities with a severity rating of high affected the Android media framework, the Android framework, and the Android kernel. Other vulnerabilities were contained in components shipped in devices from Qualcomm. The two Qualcomm-specific critical flaws reside in closed source components. The severity of the other Qualcomm flaws was rated as high.

Filed Under: Android, Biz & IT, Google, IT Security, Patches, Security, Vulnerabilities

US Senate tells members not to use Zoom

April 9, 2020 by ITSecurity.Org Ltd

Photograph of US Capitol building. (Martin Falbisoner / Wikimedia Commons)

The US Senate has become the latest organization to tell its members not to use Zoom because of concerns about data security on the video conferencing platform that has boomed in popularity during the coronavirus crisis.

The Senate sergeant at arms has warned all senators against using the service, according to three people briefed on the advice.

One person who had seen the Senate warning said it told each senator’s office to find an alternative platform to use for remote working while many parts of the US remain in lockdown. But the person added it had stopped short of officially banning the company’s products.

Zoom is battling to stem a public and regulatory backlash over lax privacy practices and rising harassment on the platform that has sent its stock plummeting. The company’s shares have fallen more than 25 per cent from highs just two weeks ago, to trade at $118.91.

Zoom was forced to apologize publicly last week for making misleading statements about the strength of its encryption technology, which is intended to stop outside parties from seeing users’ data.

The company also admitted to “mistakenly” routing user data through China over the past month to cope with a dramatic rise in traffic. Zoom has two servers and a 700-strong research and development arm in China. It had stated that users’ meeting information would stay in the country in which it originated.

The revelations triggered complaints from US senators, several of whom urged the Federal Trade Commission to investigate whether the company had broken consumer protection laws. It also prompted the Taiwanese government to ban Zoom for official business.

The FBI warned last month that it had received reports that teleconferences were being hacked by people sharing pornographic messages or using abusive language — a practice that has become known as “Zoombombing.”

A spokesperson for the company said: “Zoom is working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic, and we take user privacy, security and trust extremely seriously.

“We appreciate the outreach we have received on these issues from various elected officials and look forward to engaging with them.”

However, the US Department of Homeland Security said in a memo to government cyber security officials that the company was actively responding to concerns and understood how grave they were, according to Reuters. The Pentagon told the Financial Times it would continue to allow its personnel to use Zoom.

The Senate move follows similar decisions by companies including Google, which last week decided to stop employees from downloading the app for work.

“Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees,” Jose Castaneda, a Google spokesperson, said. However, he added that employees wanting to use Zoom to stay in touch with family and friends on their mobiles or via a web browser could do so.

The Google decision was first reported by BuzzFeed.

Zoom has tried to stem the tide of criticism in recent days. The company said on Wednesday it had hired Alex Stamos, the former Facebook security chief, as an outside security consultant, days after saying it would redirect its engineering resources to tackle security and privacy issues.

© 2020 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.

Filed Under: Biz & IT, IT Security, Policy, Security, Senate, zoom

Security tips every teacher and professor needs to know about Zoom, right now

April 2, 2020 by ITSecurity.Org Ltd

Children take part in a video conference on a large TV. (jencu / Flickr)

With the coronavirus pandemic forcing millions of people to work, learn, and socialize from home, Zoom conferences are becoming a default method to connect. And with popularity comes abuse. Enter Zoom-bombing, the phenomenon of trolls intruding into other people’s meetings for the sole purpose of harassing attendees, usually by bombarding them with racist or sexually explicit images or statements. A small sample of the events over the past few days:

  • An attendee who disrupted an Alcohol Anonymous meeting by shouting misogynistic and anti-Semitic slurs, along with the statement “Alcohol is soooo good,” according to Business Insider. Meeting organizers eventually muted and removed the intruder but only after more than half of the participants had left.
  • A Zoom conference hosting students from the Orange County Public Schools system in Florida that was disrupted after an uninvited participant exposed himself to the class.
  • An online meeting of black students at the University of Texas that was cut short when it was interrupted by visitors using racial slurs.

The basics

As disruptive and offensive as it is, Zoom-bombing is a useful reminder of just how fragile privacy can be in the world of online conferencing. Whereas usual meetings among faculty members, boards of directors, and employees are protected by physical barriers such as walls and closed doors, Zoom conferences can only be secured using other means that many users are unversed in using. What follows are tips for avoiding the most common Zoom conference pitfalls.

Make sure meetings are password protected. The best way to ensure meetings can be accessed only when someone has the password is to ensure that Require a password for instant meetings is turned on in the user settings. Even when the setting is turned off, there’s the ability to require a password when scheduling a meeting. It may not be practical to password protect every meeting, but conference organizers should use this measure as often as possible.

When possible, don’t announce meetings on social media or other public outlets. Instead, send messages only to the participants, using email or group settings in Signal, WhatsApp, or other messenger programs. This advice is especially important if you’re the leader of a country, such as the UK. (Fortunately, Prime Minister Boris Johnson had password-protected the meeting and was prudent enough not to have included the passphrase in his tweet. Even then, his tweet divulged the IDs of multiple participants.)

Carefully inspect the list of participants periodically, whenever possible. This can be done by the organizer or trusted participants. Any users who are unauthorized can be booted. (More about how to do that later.)

Carefully control screen sharing. The user settings allow organizers to set sharing settings by default. People who rarely need sharing should turn it off altogether by sliding the button to the right to off. In the event participants require screen sharing, the slider should be turned on and the setting for only the host to share should be turned on. Organizers should allow all participants to share screens only when the host knows and fully trusts everyone in a meeting.

And while you’re at it

The four measures above are cardinal. Here are a few other suggestions for securing Zoom meetings:

Disable the Join Before Host setting so that organizers can control the meeting from its very start.

Use the Waiting Room option to admit participants. This will prevent admittance of trolls should they have slipped through the two cardinal defenses.

Lock a meeting, when possible, once it’s underway. This will prevent unauthorized people from joining later. Locking a meeting can be accomplished by clicking Manage Participants and using the controls that appear on the right of the meeting window. Manage Participants also allows an organizer to mute all participants, eject select participants, or stop select participants from appearing by video.

Be aware of everything that’s within view of your camera. Whether working from home or an office, there may be diagrams, drawings, notes, or other things you don’t want other participants to see. Remove these from view of the camera before the meeting starts.

Beyond the above advice, Zoom users should consider using a browser to connect to meetings rather than the dedicated Zoom app. I prefer this setting because I believe the attack surface on my system—that is, the number of vulnerabilities a hacker can exploit to breach my security—grows with each app I install. In 2020, most browsers are hardened against attacks. Other types of software are less so.

Zoom makes the Web option difficult to find after clicking on the Join a Meeting link. In my testing on a Windows 10 machine, the option appeared only after I uninstalled the Zoom client. Even then, Zoom pushed an installation file after I tried to join a meeting. I was able to use the browser only after refusing the download and choosing Join from your browser. On a Mac, I was able to find the option, even when I had the Zoom client installed, by clicking cancel on the app installation dialog box. A Chrome extension called Zoom Redirector will also make it easy to find the link (Firefox and Edge versions of the open source addon are here). The permissions required by the extension suggest it’s not much of a privacy or security threat.

Users opting for the browser option will have the best results if they use Chrome. Firefox and other browsers will prevent some key features, such as audio and video, from working at all. As a courtesy, meeting organizers can choose a setting that can make it easier for participants to find the option.

Fortunately, Zoom has disabled an attention-tracking feature that allowed organizers to tell when a participant didn’t have the meeting in focus for more than 30 seconds, for instance, because the participant switched to a different browser tab. This capability was intrusive. It’s great that Zoom removed it.

Filed Under: Biz & IT, IT Security, Privacy, Security, video conference, zoom, zoom bombing

Rental cars can be remotely started, tracked, and more after customers return them

February 12, 2020 by ITSecurity.Org Ltd

The screen displayed by FordPass four days after an Enterprise Rent-A-Car customer returned his Ford Mustang. (Masamba Sinclair)

In October, Ars chronicled the story of a man who was able to remotely start, stop, lock, unlock, and track a Ford Explorer he rented and returned five months earlier. Now, something almost identical has happened again to the same Enterprise Rent-A-Car customer. Four days after returning a Ford Mustang, the FordPass app installed on the phone of Masamba Sinclair continues to give him control of the car.

Like the last time, Sinclair could track the car’s location at any given time. He could start and stop the engine and lock and unlock its doors. Enterprise only removed Sinclair’s access to the car on Wednesday, more than three hours after I informed the rental agency of the error.

“It looks like someone else has rented it and it’s currently at a golf resort,” Sinclair wrote on Tuesday in an email. “This car is LOUD so starting the engine will definitely start people asking a lot of questions.” On Wednesday, before his access was removed, he added: “Looks like the previous rental is over and it’s back at the Enterprise parking lot.” Below is a video demonstrating the control he had until then.

[Embedded video: FordPass access.]

We take security and privacy seriously

In October, both Enterprise and Ford said they had mechanisms in place to ensure that FordPass, and other remote apps provided by Ford, were unpaired before vehicles were sold or rented to new customers. The responses were problematic for several reasons. Enterprise, for instance, said rental agreements that customers sign remind them to wipe their data from cars upon their return. The problem is that the reminder doesn’t warn renters of the risks that come when a previous customer’s app remains paired to the vehicle they are renting.

What’s more, customers have little incentive to unpair the app from a car they’re returning. Customers are often scrambling to catch flights and may not want to be bothered searching through menus they’ve never seen before. And since the privacy and security risks fall solely on the new customer, nefarious people returning the car may want to maintain remote access. Unpairing the app by rental agency employees should be standard practice when cars are returned, one that’s no different from vacuuming the car’s carpet or checking its engine.

Ford, meanwhile, maintained that there are several ways drivers can detect when an app has access to their vehicle. The car maker also said it reminds dealerships to unpair cars before being resold.

None of those measures appears to adequately address the risk stemming from people continuing to have control over vehicles after the vehicles have been rented or sold to new customers. Sinclair agrees that he had the ability to unpair his device himself. He said he didn’t do that because he wanted to test the safety procedures put in place by the companies that use and develop the app. An article published last week by KrebsOnSecurity—recounting a man who continued to have remote access to a Ford Focus four years after his lease expired—suggests the problem isn’t isolated.

The problem isn’t that there’s no way to remove previous renters’ or owners’ access to a paired vehicle. Ford vehicles, for instance, display a label on a dashboard screen whenever location sharing, remote start/stop, and remote lock/unlock are active. Popups will also appear on each ignition when location services are active and no known paired Bluetooth devices are detected. The messages can solve the problem only if they’re prominent and clear enough that users recognize the risk. Asked for comment, a Ford spokesman said that the notifications he described in October remained in effect.

Enterprise officials, meanwhile, provided the following statement:

The safety and privacy of our customers is an important priority for us as a company. We appreciate this being brought to our attention and we are actively working to follow up on the issue related to this specific rental that took place last week.

Following the outreach last fall, we updated our car cleaning guidelines related to our master reset procedure. Additionally, we instituted a frequent secondary audit process in coordination with Ford. We also started working with Ford and are very near the completion of testing software with them that will automate the prevention of FordPass pairing by rental customers.

We will use this latest experience as we continue evolving our processes to ensure they best address features and technologies that are continually being added to vehicles.

Vehicles from other manufacturers are likely to have similar features, and like the features provided by Ford, they’re probably easy for many drivers to miss. People renting or buying new cars would do well to read the manuals carefully to learn precisely how remote access works and how to ensure it’s removed from previous customers.

Filed Under: Biz & IT, Cars, Enterprise Rent-A-Car, Ford, fordpass, IT Security, Privacy, Security

Not so IDLE hands: FBI program offers companies data protection via deception

December 20, 2019 by admin

The FBI’s IDLE program uses “obfuscated” data to hide real data from hackers and insider threats, making data theft harder and giving security teams a tool to spot illicit access. (Getty Images)

The Federal Bureau of Investigation is in many ways on the front lines of the fight against both cybercrime and cyber-espionage in the US. These days, the organization responds to everything from ransomware attacks to data thefts by foreign government-sponsored hackers. But the FBI has begun to play a role in the defense of networks before attacks have been carried out as well, forming partnerships with some companies to help prevent the loss of critical data.

Sometimes, that involves field agents proactively contacting companies when they have information of a threat—as two FBI agents did when they caught wind of researchers trying to alert casinos of vulnerabilities they said they had found in casino kiosk systems. “We have agents in every field office spending a large amount of time going out to companies in their area of responsibility establishing relationships,” Long T. Chu, acting assistant section chief for the FBI’s Cyber Engagement and Intelligence Section, told Ars. “And this is really key right now—before there’s a problem, providing information to help these companies prepare their defenses. And we try to provide as specific information as we can.”

But the FBI is not stopping its consultative role at simply alerting companies to threats. An FBI flyer shown to Ars by a source broadly outlined a new program aimed at helping companies fight data theft “caused by an insider with illicit access (or systems administrator), or by a remote cyber actor.” The program, called IDLE (Illicit Data Loss Exploitation), does this by creating “decoy data that is used to confuse illicit… collection and end use of stolen data.” It’s a form of defensive deception—or as officials would prefer to refer to it, obfuscation—that the FBI hopes will derail all types of attackers, particularly advanced threats from outside and inside the network.
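The flyer describes the idea of decoy data but not how it is built, so here is one way the approach works in practice. This is an added example, not the FBI's IDLE implementation and not code from Ars or the FBI. It assumes a customer table whose IDs look like C0000001, application access logs that record which record IDs each query returned, and decoy records whose IDs are derived from a secret key, so the defender can regenerate the decoy set later rather than keeping a list that could itself be stolen. The names, the example.com addresses and the log format are constructed for the example. Decoys serve both purposes the flyer mentions: they dilute a stolen dump with records that go nowhere, and because no legitimate per-customer lookup ever returns a decoy, any query that does is either a bulk export or someone walking the table.

```python
"""Keyed decoy ("honeytoken") records for spotting bulk data theft.

Added example; not the FBI's IDLE implementation, which is not public.
Assumptions (constructed): record IDs look like C0000001, access logs carry
"user=... query=... ids=A,B,C", and decoy IDs are derived from a secret key.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed name pools so a decoy looks like any other row.
FIRST = ("Ada", "Grace", "Linus", "Radia", "Ken")
LAST = ("Lovelace", "Hopper", "Torvalds", "Perlman", "Thompson")

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+query=(?P<query>\S+)\s+ids=(?P<ids>[A-Z0-9,]+)")


@dataclass(frozen=True)
class Record:
    record_id: str
    name: str
    email: str


def _digest(secret: bytes, label: str) -> bytes:
    return hmac.new(secret, label.encode(), hashlib.sha256).digest()


def decoy_ids(secret: bytes, count: int, existing: frozenset[str]) -> list[str]:
    """Derive `count` decoy IDs from the key, skipping IDs already in use.

    Nothing but the key needs to be protected: the same key and the same set
    of pre-existing IDs always regenerate the same decoy IDs.
    """
    ids: list[str] = []
    i = 0
    while len(ids) < count:
        d = _digest(secret, f"decoy-id:{i}")
        candidate = "C%07d" % (int.from_bytes(d[:4], "big") % 10_000_000)
        if candidate not in existing and candidate not in ids:
            ids.append(candidate)
        i += 1
    return ids


def make_decoy(secret: bytes, record_id: str) -> Record:
    """Build a plausible-looking record; its only marker is the derived ID."""
    d = _digest(secret, f"decoy-body:{record_id}")
    first, last = FIRST[d[0] % len(FIRST)], LAST[d[1] % len(LAST)]
    email = f"{first.lower()}.{last.lower()}{d[2] % 100}@example.com"
    return Record(record_id, f"{first} {last}", email)


def seed_decoys(records: list[Record], secret: bytes, count: int) -> tuple[list[Record], frozenset[str]]:
    """Mix decoys into the table so a full dump cannot avoid them."""
    existing = frozenset(r.record_id for r in records)
    ids = decoy_ids(secret, count, existing)
    seeded = list(records) + [make_decoy(secret, rid) for rid in ids]
    seeded.sort(key=lambda r: r.record_id)  # decoys land between real rows
    return seeded, frozenset(ids)


def scan_access_log(decoys: frozenset[str], lines: list[str]) -> list[dict]:
    """Flag any query whose result set includes a decoy record.

    No real customer has a decoy ID, so a legitimate single-record lookup
    never hits one; a hit means a bulk export or table enumeration.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        touched = set(m["ids"].split(",")) & decoys
        if touched:
            alerts.append({"user": m["user"], "query": m["query"],
                           "decoys_touched": sorted(touched),
                           "total_ids": m["ids"].count(",") + 1})
    return alerts


if __name__ == "__main__":
    secret = b"constructed-demo-key"  # in production: a key held in a KMS/HSM
    real = [Record("C0000001", "Ada Lovelace", "ada@example.com"),
            Record("C0000002", "Grace Hopper", "grace@example.com")]
    seeded, decoys = seed_decoys(real, secret, 3)
    dump = ",".join(r.record_id for r in seeded)
    # Constructed access-log lines: one normal lookup, one full-table export.
    log = ["2019-12-19T10:02:11Z user=app query=lookup ids=C0000001",
           f"2019-12-19T10:05:40Z user=svc_backup query=export ids={dump}"]
    for alert in scan_access_log(decoys, log):
        print(alert)
```

The lookup by `app` produces no alert; the export by `svc_backup` is flagged with all three decoys in its result set. Real deployments add two things this sketch omits: the decoys must also be excluded from legitimate batch jobs (billing, marketing) or those will alert, and the key must never be stored beside the data it marks.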

Going proactive

A recent FBI Private Industry Notification (PIN) warned of social engineering attacks targeting two-factor authentication.


In a discussion about the FBI’s overall philosophy on fighting cybercrime, Chu told Ars that the FBI is “taking more of a holistic approach” these days. Instead of reacting to specific events or criminal actors, he said, “we’re looking at cyber crime from a key services aspect”—aka, what are the things that cybercriminals target?—”and how that affects the entire cyber criminal ecosystem. What are the centers of gravity, what are the key services that play into that?”

In the past, the FBI got involved only when a crime was reported. But today, the new approach means playing more of a consultative role to prevent cybercrime through partnerships with both other government agencies and the private sector. “If you ever have the opportunity to go to the courtyard at FBI Headquarters, there’s a quote there. ‘The most effective weapon against crime is cooperation, the efforts of all law enforcement and the support and understanding of the American people.’ That can not be more true today, but it expands from beyond just law enforcement to the private sector,” Chu said. “That’s because we’re facing one of the greatest threats that our nation has ever faced, arguably, and that’s the cyber threat.”

An example of that sort of outreach was visible in a case Ars reported on in March—that of the casino kiosk vendor Atrient. FBI Las Vegas field office and FBI Cyber Division agents picked up on Twitter posts about an alleged vulnerability in Atrient’s infrastructure, and the agents connected the company and an affected customer with the researchers to resolve the issue (which, in Atrient’s case at least, went somewhat awry). But in these situations, the FBI now also shares information it gathers from other sources, including data gathered from ongoing investigations.

Sharing happens a lot faster, Chu said, when there’s a “preexisting relationship with our partners, so we know exactly who we need to call and vice versa.” And information flows faster when it goes both ways. “Just as we’re trying hard to get the private industry information as fast as possible, it’d be a lot more effective if we’re getting information from the private industry as well,” he said. Exchanging information about IP addresses, indicators of compromise, and other threat data allows the FBI to aggregate the data, “run that against our databases and all our resources, and come up with a much stronger case, so to speak, against our adversaries,” Chu noted, “along with trying to attribute or identify who did it will prevent further attacks from happening.”

Some information sharing takes the form of collaboration with industry information sharing and analysis centers (ISACs) and “Flash” and “Private Industry Notification” (PIN) alerts on cybercrime issues. And to build more direct relationships with companies’ security executives, the FBI also offers a “CISO Academy” for chief information security officers twice a year at the FBI Academy in Quantico, Virginia. Attendees are briefed on the FBI’s investigative approach, and they learn what kind of evidence needs to be preserved to help move investigations forward.

But for some sectors of particular interest, the FBI is now trying to get a deeper level of collaboration going—especially with companies in the defense industrial base (DIB) and other critical infrastructure industries. The FBI sees these areas as crucial industry-spanning networks, and it hopes to build defense in depth against cyber-espionage, intellectual property theft, and exposure of other data that could be used, particularly by other nations, in a way that could affect national security or the economy. That’s precisely where IDLE comes in.

Filed Under: Biz & IT, Features, IT Security, Policy

PoS malware skimmed convenience store customers’ card data for 8 months

December 20, 2019 by admin


US convenience store Wawa said on Thursday that it recently discovered malware that skimmed customers’ payment card data at just about all of its 850 stores.

The malware began rolling out to the chain’s payment-processing systems on March 4, 2019, and had reached most locations’ point-of-sale systems by April 22, an advisory published on the company’s website said. It wasn’t discovered until December 10, and it took two more days to fully contain. The advisory said some locations may not have been affected at all.

The malware collected payment card numbers, expiration dates, and cardholder names from payment cards used at “potentially all Wawa in-store payment terminals and fuel dispensers.” The advisory didn’t say how many customers or cards were affected. The malware didn’t access debit card PINs, credit card CVV2 numbers, or driver license data used to verify age-restricted purchases. Information processed by in-store ATMs was also not affected. The company has hired an outside forensics firm to investigate the infection.

Thursday’s disclosure came after Visa issued two security alerts—one in November and another this month—warning of payment-card-skimming malware at North American gasoline pumps. Card readers at self-service fuel pumps are particularly vulnerable to skimming because they still read payment data from cards’ magnetic stripes rather than from card chips. Stripe data is static, so a copy of it is enough to produce a counterfeit card, whereas a chip transaction authenticates with a per-transaction cryptogram that can’t be replayed, which is why chip reads are much less useful to skimmers.
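The paragraphs above say what the malware harvested (card numbers, expiration dates, cardholder names) and why magnetic-stripe reads are the weak point; the example below shows what that data looks like in memory and how to find it. It is an added example, not the Wawa malware, Visa’s detection rules, or code from Ars: a scanner for ISO 7813 Track 1 and Track 2 records of the kind a PoS RAM scraper pulls out of the payment application’s process memory, and the same pattern an incident responder runs over a memory dump to confirm what was exposed. The buffer is constructed; the card numbers in it are the publicly documented Visa and Mastercard test numbers, not real cards. Note that Track 2 carries no cardholder name, so malware that collected names was reading Track 1.

```python
"""Find magnetic-stripe track data in a memory buffer.

Added example (not Wawa's malware or Visa's detection logic). Assumes the
ISO 7813 layouts: Track 1 "%B<PAN>^<LAST/FIRST>^<YYMM><service><discretionary>?"
and Track 2 ";<PAN>=<YYMM><service><discretionary>?". The sample buffer is
constructed and uses public test PANs.
"""
import re
from dataclasses import dataclass

TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d")

# Constructed process-memory snippet: app strings, one Track 1 record (Visa
# test PAN), a transaction ID that is 16 digits but not card data, one Track 2
# record (Mastercard test PAN), and a Luhn-invalid lookalike.
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^2512101000000000000000?\x00"
    b"txn=1576800000000000 amount=42.17\x00"
    b";5555555555554444=25121010000000000000?\x00"
    b";4111111111111112=25121010000000000000?\x00"
    b"\xff\xff"
)


@dataclass(frozen=True)
class TrackHit:
    track: int
    offset: int
    pan_masked: str
    expiry: str      # MM/YY
    name: str        # empty for Track 2, which carries no name
    luhn_ok: bool


def luhn_ok(pan: str) -> bool:
    """Luhn check: every second digit from the right is doubled, digits summed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as PCI DSS allows for display, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes, require_luhn: bool = True) -> list[TrackHit]:
    """Return every track record found in `buf`, Track 1 hits first.

    The Luhn filter is what separates real track data from digit runs that
    merely happen to sit next to a ';' or '%B'; disable it only when you want
    to see what a less careful scraper would have grabbed as well.
    """
    hits: list[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m["pan"].decode()
            ok = luhn_ok(pan)
            if require_luhn and not ok:
                continue
            exp = m["exp"].decode()
            name = m["name"].decode("ascii", "replace").strip() if track == 1 else ""
            hits.append(TrackHit(track, m.start(), mask(pan), f"{exp[2:]}/{exp[:2]}", name, ok))
    return hits


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

On the sample buffer the scanner reports two hits, the Visa Track 1 record with name and expiry and the Mastercard Track 2 record with no name, and drops the Luhn-invalid lookalike; the 16-digit transaction ID never matches because it lacks the `%B` or `;` framing. A scraper looks for exactly these framing characters because the PAN is only briefly in cleartext between the reader and encryption; point-to-point encryption at the reader head, rather than in the application, is what removes that window.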

In the November advisory, Visa officials wrote:

The recent attacks are attributed to two sophisticated criminal groups with a history of large-scale, successful compromises against merchants in various industries. The groups gain access to the targeted merchant’s network, move laterally within the network using malware toolsets, and ultimately target the merchant’s POS environment to scrape payment card data. The groups also have close ties with the cybercrime underground and are able to easily monetize the accounts obtained in these attacks by selling the accounts to the top tier cybercrime underground carding shops.

The December advisory said that two of three attacks bore the hallmarks of FIN8, an organized cybercrime group that has targeted retailers since 2016. There’s no indication the Wawa infections have any connection to the ones in the Visa advisories.

People who have used payment cards at a Wawa location should pay close attention to billing statements over the past eight months. It’s always a good idea to regularly review credit reports as well. Wawa said it will provide one year of identity-theft protection and credit monitoring from credit-reporting service Experian at no charge. Thursday’s disclosure lists other steps cardholders can take.

Filed Under: Biz & IT, Fraud, IT Security, payment cards, point of sale, Policy, skimmers, Uncategorized
