The Market for Stolen Account Credentials

In my security webinars, I spend time upfront emphasizing the vast underlying business behind hacking. The objective in stressing this to users is so they can realize they aren’t dealing with individuals looking out to attack and exploit “them”, but to comprehend that ransomware and other malware attacks are huge businesses built at scale.

It’s basically the difference between defending yourself from a single home break-in, or defending yourself from the entire might of a nation-state military with its thousands of men, planes, tanks, etc., and the full ecosystem (manufacturing, research, supporting systems) behind their declared war.

I am not exaggerating – much.

This article over at Krebs on Security quantifies just a small operation that yields a couple of hundred thousand dollars in just a few months, purely from selling account credentials.
So far this year, customers of this service have purchased more than 35,000 credentials he’s sold to this service, earning him more than $288,000 in just a few months.
Curious to know more?

The prices for individual credentials are set by value.

For example, credentials for Uber are $30 for each account.

Have a military-only account? Each account there is for sale for $60.

But it is not just account credentials. Entire identities can range up to $150 each, depending on the individual’s FICO score (let that sink in a moment). Oh, you can also buy their credit reports while you’re there.

Read the full article here: Krebs on Security

Insecurity Are Us: Why the NSA Breach Has Harmed Everyone

The NSA, presumably the most stalwart of the United States’ cybersecurity organizations, was infiltrated by a group known as the Shadow Brokers over a year ago. The group stole the NSA’s hacking tools and provided them to anyone for money. State-sponsored hacking never had it so easy.

These hacking tools are causing millions, if not billions, of dollars of harm all over the world, including to small businesses and individuals. The recent cryptoware WannaCry was spread worldwide by use of the NSA’s lost tools:

Millions of people saw their computers shut down by ransomware, with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the maker of Oreo cookies, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide.

New York Times, Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core. By SCOTT SHANE, NICOLE PERLROTH and DAVID E. SANGER NOV. 12, 2017 

It gets worse:

…they have a new suite of tools and vulnerabilities in newer software. The possible targets include Microsoft’s Windows 10, which was unaffected by the initial attack and is on at least 500m devices around the world.

The Guardian, Shadow Brokers threaten to unleash more hacking tools – Samuel Gibbs, May 17, 2017 07.56 EDT

And they don’t have a clue who they are:

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both.

Imagine if Apple provided a “back door” to law enforcement agencies in response to isolated incidents of terror. The NSA can’t even keep its own tools safe. Do you think the FBI, the New York State Police or Sheriff Andy Taylor would be able to keep these vulnerabilities out of everyone’s hands?

Vulnerabilities exist. They always have, and they likely always will. The way to privacy and security for all is to guard against any attempt to weaken security endeavors.

Apple’s business model does not include selling their customers’ personal information. Nor do most open-source software companies (like Firefox). Facebook, Google, and others are harvesting data and building extensive dossiers on every single user of their services. The data is shared with their clients for highly targeted advertising and other uses. Think that data is safe? Think it hasn’t already been used against your best interests?

Fixing LastPass with Safari Binary Install

Speaking of annoying tech problems, LastPass has been thwarting me ever since I received a new MacBook. It was unusable with Safari. LastPass worked fine with Chrome (eats too much battery) and Firefox (leaks too much memory), but no matter how many times I uninstalled and re-installed it, the binary component failed to load.

What is tragic is that the version has not been updated since May 2016, and the problem is a very simple fix, and presumably, a very easy update to the LastPass Installer. Zero help from LastPass tech support, even though we are an Enterprise user. Fortunately, a user figured it out.

The symptoms: In Safari, the LastPass plugin would not display “Copy Password” or “Copy User”, and it did not have the icons to do so. Here are some images and the fix:

More details can be found here and here.

Once you have it all straightened out, go to More Options -> About LastPass; it should show Binary Component: true (Helper App):

Doesn’t require too much technical skill, but don’t expect help from LastPass.

Cooper Clinic Blocks VPN Connections?

So I have two VPNs that I regularly use. A Kirkham Systems one that flows through our office, and PIA, which serves me well.

Thought I might do a little work while getting a dose of rust juice, but no, the Guest WiFi blocks VPN connections. Since I cannot risk client data being exposed over an open connection, I can’t use the network.

Can someone explain the business case for blocking VPNs on a guest network? Seriously. Would really like to know.

Security and Privacy as a Lifestyle – SPaaL

SPaaL – Dontcha just love all the acronyms?

This is one of the most important posts I have ever scribed.

Remaining secure and private in this world is something that I take very seriously – you should too. You don’t have to be an executive at a Fortune 500 company or even a small business owner. The fact is, everyone should take security and privacy seriously.

In the hacker world, there are “white hats” and “black hats”. White hats are the good guys – or ethical hackers – and work to secure our banks, defense and corporate networks. Black hats are the bad guys, and hack mostly for profit. In between are the ones that make political statements – think Anonymous or Edward Snowden.

While really good hackers have skills that take years to master, casual computer users with just a fundamental knowledge of computers and networks can be hackers. Tools are available here and here. Tools to hack are built into your computer’s operating system. You can even do it by just buying your way into the business.

By far, most of the unethical hacking is done automatically, at scale. Like millions. Malware is emailed through spam or placed on legitimate websites (none are beyond being hacked). Visit the website or open the email, and bingo, you’ve just been hacked. Whether it ends up holding your data hostage or configuring your computer to spew spam, or whatever, it is making the creators money. It really has nothing to do with your personal data – the hackers are operating at a scale that is all about numbers. In other words, if you think that no one would be interested in your data, or that you have nothing to hide, that is irrelevant to hackers. In fact, they are counting on you to use poor security and privacy methods so they can stay in business. And yes, it is a business – a HUGE business. This article at Info-Security Magazine references a 2014 McAfee report that “estimates the cost to the global economy from cybercrime at anywhere from $375bn to $575bn a year. These figures, the researchers point out, actually exceed the national incomes of many countries.”

See what I mean when I talk about “scale” in malware?

So what I’ve discovered is that when discussing these issues with people, whether business owners or individuals, most people’s eyes glaze over, then something like “I would love to protect myself and others, but it is such a hassle to use good security” falls out of their mouth.

My response is “SO WHAT?” It’s a hassle to first get used to wearing a seatbelt. It’s a hassle to buy and pay for insurance. It’s a hassle to register to vote. Get over it, and start living the SPaaL lifestyle. Oops, that was redundant. I guess I didn’t plan my acronym out properly. That’s kinda like PIN number. I digress.

But it is a change of mindset. Being frustrated over using a password manager such as LastPass is understandable, but it’s a necessary evil. In fact, every time I use it I am thinking of all the times that I have prevented wide-scale infections or data breaches on my computer.

It is a commitment to dedicate yourself to the pain – the pain in setting up and using a VPN, having to generate and store secure passwords, etc. But you must. Until we all do this, the scourge will remain. It MUST be a lifestyle change.

Install and USE LastPass. Make all your passwords unique. Turn on Two Factor Authentication, or TFA (most times, you can set all your devices to not require the TFA if the site recognizes the device – this way if someone else uses it, they are the ones that have to use TFA).

By all means, make sure your email addresses use unique passwords, not shared with any other site, because once your email address is hackable, so is your bank account and any other site that is tied to that email address, because email access is the key for password resets.

Other Security Reading

If you think you have nothing to hide, 1) send me all your email addresses and passwords, then 2) watch this. Glenn Greenwald: Why privacy matters.

If your organization thinks that HIPAA compliance and PHI is not worth the hassle, read this. “We’re not in this for the money. We want to help put a plan together to bring you into compliance, while you’re paying your fine.” – Office of Civil Rights

If you think security is not important to your business, read this on Kirkham Systems.