Almost 20 percent of Americans froze their credit file with one or more of the big three credit bureaus in the wake of last year’s data breach at Equifax, costing consumers an estimated $1.4 billion, according to a new study. The findings come as lawmakers in Congress are debating legislation that would make credit freezes free in every state.

The figures, commissioned by small business loan provider Fundera and conducted by Wakefield Research, surveyed some 1,000 adults in the U.S. Respondents were asked to self-report how much they spent on the freezes; 32 percent said the freezes cost them $10 or less, but 38 percent said the total cost was $30 or more. The average cost to consumers who froze their credit after the Equifax breach was $23.

A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.

Depending on your state of residence, the cost of placing a freeze on your credit file can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).

In a blog post published today, Fundera said the percentage of people who froze their credit in response to the Equifax breach incrementally decreases as people get older.

“Thirty-two percent of millennials, 16 percent of Generation Xers and 12 percent of baby boomers froze their credit,” Fundera explained. “This data is surprising considering that older generations have been working on building their credit for a longer period of time, and thus they have a more established record to protect.”

However, freeze fees could soon be a thing of the past. A provision included in a bill passed by the U.S. Senate on March 14 would require credit-reporting firms to let consumers place a freeze without paying (the measure is awaiting action in the House of Representatives).

But there may be a catch: According to CNBC, the congressional effort to require free freezes is part of a larger measure, S. 2155, which rolls back some banking regulations put in place after the financial crisis that rocked the U.S. economy a decade ago.

Consumer advocacy groups like Consumers Union and the U.S. Public Interest Research Group (USPIRG) have long advocated for free credit freezes. But they’re not too wild about S. 2155, arguing that it would undermine banking regulations passed in the wake of the 2007-2008 financial crisis.

In a March 8 letter (PDF) opposing the bill, Consumers Union said the security freeze section fails to include a number of important consumer protections, such as a provision for the consumer to temporarily “lift” the freeze in order to open credit.

“Moreover, it could preclude the states from making important improvements to expand protections against identity theft,” Consumers Union wrote.

While it may seem like credit bureaus realized a huge financial windfall as a result of the Equifax breach, it’s important to keep in mind that credit bureaus also make money by selling your credit report to potential lenders — something they can’t do if there’s a freeze on your credit file.

Curious about what a freeze involves, how to file one, and other options aside from the credit freeze? Check out this in-depth Q&A that KrebsOnSecurity published not long after the Equifax breach.

Also, if you haven’t done so lately, take a moment to visit annualcreditreport.com to get a free copy of your credit file. A consumer survey published earlier this month found that roughly half of all Americans haven’t bothered to do this since the Equifax breach.

A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies.

Hardware wallets like those sold by Ledger are designed to protect the user’s private keys from malicious software that might try to harvest those credentials from the user’s computer.  The devices enable transactions via a connection to a USB port on the user’s computer, but they don’t reveal the private key to the PC.

Yet Saleem Rashid, a 15-year-old security researcher from the United Kingdom, discovered a way to acquire the private keys from Ledger devices. Rashid’s method requires an attacker to have physical access to the device, and normally such hacks would be unremarkable because they fall under the #1 rule of security — namely, if an attacker has physical access to your device, then it is not your device anymore.

The trouble is that consumer demand for Ledger’s products has frequently outpaced the company’s ability to produce them (it has sold over a million of its most popular Nano S models to date). This has prompted the company’s chief technology officer to state publicly that Ledger’s built-in security model is so robust that it is safe to purchase their products from a wide range of third-party sellers, including Amazon and eBay.

But Rashid discovered that a reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer to use it, and then siphon the private key and drain the user’s cryptocurrency account(s) when the user goes to use it.

The crux of the problem is that Ledger’s devices contain a secure processor chip and a non-secure microcontroller chip. The latter is used for a variety of non-security related purposes, from handling the USB connections to displaying text on the Ledger’s digital display, but the two chips still pass information between each other. Rashid found that an attacker could compromise the insecure processor (the microcontroller) on Ledger devices to run malicious code without being detected.

Ledger’s products do contain a mechanism for checking to ensure the code powering the devices has not been modified, but Rashid’s proof-of-concept code — being released today in tandem with an announcement from Ledger about a new firmware update designed to fix the bug — allows an attacker to force the device to sidestep those security checks.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rasheed said in an interview with KrebsOnSecurity. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Kenneth White, director of the Open Crypto Audit Project, had an opportunity to review Rashid’s findings prior to their publication today. White said he was impressed with the elegance of the proof-of-concept attack code, which Rashid sent to Ledger approximately four months ago. A copy of Rashid’s research paper on the vulnerability is available here (PDF). A video of Rashid demonstrating his attack is below.

White said Rashid’s code subverts the security of the Ledger’s process for generating a backup code for a user’s private key, which relies on a random number generator that can be made to produce non-random results.

“In this case [the attacker] can set it to whatever he wants,” White said. “The victim generates keys and backup codes, but in fact those codes have been predicted by the attacker in advance because he controls the Ledger’s random number generator.”

Rashid said Ledger initially dismissed his findings as implausible. But in a blog post published today, Ledger says it has since fixed the flaw Rasheed found — as well as others discovered and reported by different security researchers — in a firmware update that brings Ledger Nano S devices from firmware version 1.3.1 to version 1.4.1 (the company actually released the firmware update on March 6, potentially giving attackers time to reverse engineer Rashid’s method).

The company is still working on an update for its pricier Ledger Blue devices, which company chief security officer Charles Guillemet said should be ready soon. Guillemet said Nano-S devices should alert users that a firmware update is available when the customer first plugs the device into a computer.

“The vulnerability he found was based on the fact that the secure element tries to authenticate the microcontroller, and that authentication is not strong enough,” Guillemet told KrebsOnSecurity. “This update does authentication more tightly so that it’s not possible to fool the user.”

Rasheed said unlike its competitors in the hardware wallet industry, Ledger includes no tamper protection seal or any other device that might warn customers that a Nano S has been physically opened or modified prior to its first use by the customer.

“They make it so easy to open the device that you can take your fingernail and open it up,” he said.

Asked whether Ledger intends to add tamper protection to its products, Guillemet said such mechanisms do not add any security.

“For us, a tamper proof seal is nothing that adds security to the device because it’s very easy to counterfeit,” Guillemet said. “You can buy some security seals on the web. For us, it’s a lie to our customers to use this kind of seal to prove the genuineness of our product.”

Guillemet said despite Rashid’s findings, he sees no reason to change his recommendation that interested customers should feel free to purchase the company’s products through third party vendors.

“As we have upgraded our solution to prove the genuineness of our product using cryptographic checks, I don’t see why we should change this statement,” he said.

Nevertheless, given that many cryptocurrency owners turn to hardware wallets like Ledger to safeguard some or all of their virtual currency, it’s probably a good idea if you are going to rely on one of these devices to purchase it directly from the source, and to apply any available firmware updates before using it.

Adrian Lamo, the hacker probably best known for breaking into The New York Times‘s network and for reporting Chelsea Manning‘s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.

I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.

The panoply of alternate nicknames he used on instant messenger in those days shed light on a personality not easily grasped: Protagonist, Bitter Geek, AmINotMerciful, Unperceived, Mythos, Arcane, truefaith, FugitiveGame.

In this, as in so many other ways, Lamo was a study in contradictions: Unlike most other hackers who break into online networks without permission, he didn’t try to hide behind the anonymity of screen names or Internet relay chat networks.

By the time I met him, Adrian had already earned the nickname “the homeless hacker” because he had no fixed address, and found shelter most evenings in abandoned buildings or on friend’s couches. He launched the bulk of his missions from Internet cafes or through the nearest available dial-up connections, using an old Toshiba laptop that was missing seven keys. His method was the same in every case: find security holes; offer to fix them; refuse payment in exchange for help; wait until hole is patched; alert the media.

Lamo had previously hacked into the likes of AOL Time Warner, Comcast, MCI Worldcom, Microsoft, SBC Communications and Yahoo after discovering that these companies had enabled remote access to their internal networks via Web proxies, a kind of security by obscurity that allowed anyone who knew the proxy’s Internet address and port number to browse internal shares and other network resources of the affected companies.

By 2002, Lamo had taken to calling me on the phone frequently to relate his various exploits, often spoofing his phone number to make it look like the call had come from someplace ominous or important, such as The White House or the FBI. At the time, I wasn’t actively taking any measures to encrypt my online communications, or to suggest that my various sources do likewise. After a few weeks of almost daily phone conversations with Lamo, however, it became abundantly clear that this had been a major oversight.

In February 2002, Lamo told me that he’d found an open proxy on the network of The New York Times that allowed him to browse the newsroom’s corporate intranet. A few days after that conversation, Lamo turned up at Washingtonpost.com’s newsroom (then in Arlington, Va.). Just around the corner was a Kinkos, and Adrian insisted that I follow him to the location so he could get online and show me his discovery firsthand.

While inside the Times’ intranet, he downloaded a copy of the Times’ source list, which included phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures – including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. Lamo also added his own contact information to the file. My exclusive story in Newsbytes about the Times hack was soon picked up by other news outlets.

In August 2003, federal prosecutors issued an arrest warrant for Lamo in connection with the New York Times hack, among other intrusions. The next month, The Washington Post’s attorneys received a letter from the FBI urging them not to destroy any correspondence I might have had with Lamo, and warning that my notes may be subpoenaed.

In response, the Post opted to take my desktop computer at work and place it in storage. We also received a letter from the FBI requesting an interview (that request was summarily denied). In October 2003, the Associated Press ran a story saying the FBI didn’t follow proper procedures when it notified reporters that their notes concerning Lamo might be subpoenaed (the DOJ’s policy was to seek materials from reporters only after all other investigative steps had been exhausted, and then only as a last resort).

In 2004, Lamo pleaded guilty to one felony count of computer crimes against the Times, as well as LexisNexis and Microsoft. He was sentenced to six month’s detention and two years probation, an ordered to pay $65,000 in restitution.

Several months later while attending a formal National Press Foundation dinner at the Washington Hilton, my bulky Palm Treo buzzed in my suit coat pocket, signaling a new incoming email message. The missive was blank save for an unusually large attachment. Normally, I would have ignored such messages as spam, but this one came from a vaguely familiar address: adrian.lamo@us.army.mil. Years before, Lamo had told me he’d devised a method for minting his own .mil email addresses.

The attachment turned out to be the Times’ newsroom source list. The idea of possessing such information was at once overwhelming and terrifying, and for the rest of the evening I felt certain that someone was going to find me out (it didn’t help that I was seated adjacent to a table full of NYT reporters and editors). It was difficult not to stare at the source list and wonder at the possibilities. But ultimately, I decided the right thing to do was to simply delete the email and destroy the file.

EARLY LIFE

Lamo was born in 1981 outside of Boston, Mass. into an educated, bilingual family. Lamo’s parents say from an early age he exhibited an affinity for computers and complex problem solving. In grade school, Lamo cut his teeth on a Commodore64, but his parents soon bought him a more powerful IBM PC when they grasped the extent of his talents.

“Ever since he was very young he has shown a tendency to be a lateral thinker, and any problem you put in front of him with a computer he could solve almost immediately,” Lamo’s mother Mary said in an interview in 2003. “He has a gifted analytical mind and a natural curiosity.”

By the time he got to high school, Lamo had graduated to a laptop computer. During a computer class his junior year, Lamo upstaged his teacher by solving a computer problem the instructor insisted was insurmountable. After an altercation with the teacher, he was expelled. Not long after that incident, Lamo earned his high school equivalency degree and left home for a life on his own.

For many years after that he lived a vagabond’s existence, traveling almost exclusively on foot or by Greyhound bus, favoring the affordable bus line for being the “only remaining form of mass transit that offers some kind of anonymity.” When he wasn’t staying with friends, he passed the night in abandoned buildings or under the stars.

In 1995, Lamo landed contract work at a promising technology upstart called America Online, working on “PlanetOut.com,” an online forum that catered to the gay and lesbian community. At the time, advertisers paid AOL based on the amount of time visitors spent on the site, and Lamo’s job was to keep people glued to the page, chatting them up for hours at a time.

Ira Wing, a security expert at one of the nation’s largest Internet service providers, met Lamo that year at PlanetOut and the two became fast friends. It wasn’t long before he joined in one of Lamo’s favorite distractions, one that would turn out to be an eerie offshoot of the young hacker’s online proclivities: exploring the labyrinth of California’s underground sewage networks and abandoned mines.

Since then, Lamo kept in touch intermittently, popping in and out of Wing’s life at odd intervals. But Wing proved a trustworthy and loyal friend, and Lamo soon granted him power of attorney over his affairs should he run into legal trouble.

In 2002, Wing registered the domain “freeadrian.com,” as a joke. He’d later remark on how prescient a decision that had been.

“Adrian is like a fast moving object that has a heavy affect on anyone’s life he encounters,” Wing told this reporter in 2003. “And then he moves on.”

THE MANNING AFFAIR

In 2010, Lamo was contacted via instant message by Chelsea Manning, a transgender Army private who was then known as Bradley Manning. The Army private confided that she’d leaked a classified video of a helicopter attack in Baghdad that killed 12 people (including two Reuters employees) to Wikileaks. Manning also admitted to handing Wikileaks some 260,000 classified diplomatic cables.

Lamo reported the theft to the FBI. In explaining his decision, Lamo told news publications that he was worried the classified data leak could endanger lives.

“He was just grabbing information from where he could get it and trying to leak it,” Mr. Lamo told The Times in 2010.

Manning was later convicted of leaking more than 700,000 government records, and received a 35 year prison sentence. In January 2017, President Barack Obama commuted Manning’s sentence after she’d served seven years of it. In January 2018, Manning filed to run for a Senate seat in Maryland.

HOMELESS IN WICHITA

The same month he reported Manning to the feds, Lamo told Wired.com that he’d been diagnosed with Asperger Syndrome after being briefly hospitalized in a psychiatric ward. Lamo told Wired that he suspected someone had stolen his backpack, and that paramedics were called when the police responding to reports of the alleged theft observed him acting erratically and perhaps slurring his speech.

Wired later updated the story to note that Lamo’s father had reported him to the Sacramento Sherriff’s office, saying he was worried that his son was over-medicating himself with prescription drugs.

In 2011, Lamo told news outlet Al Jazeera that he was in hiding because he was getting death threats for betraying Manning’s confidence and turning him in to the authorities. In 2013, he told The Guardian that he’d struggled with substance abuse “for a while.”

It’s not yet certain what led to Lamo’s demise. He was found dead in a Wichita apartment on March 14. According to The Wichita Eagle, Lamo had lived in the area for more than a year. The paper quoted local resident Lorraine Murphy, who described herself as a colleague and friend of Lamo’s. When Murphy sent him a message in December 2016 asking him what he was up to, he reportedly replied “homeless in Wichita.”

“Adrian was always homeless or on the verge of it,” Murphy is quoted as saying. “He bounced around a great deal, for no particular reason. He was a believer in the Geographic Cure. Whatever goes wrong in your life, moving will make it better. And he knew people all over the country.”

The Eagle reports that Wichita police found no signs of foul play or anything suspicious about Lamo’s death. A toxicology test was ordered but the results won’t be available for several weeks.

Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access to that information for at least six months starting at the end of May 2018, under a new proposal that seeks to bring the system in line with new European privacy laws. The result, some experts warn, will likely mean more spams and scams landing in your inbox.

On May 25, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — has proposed redacting key bits of personal data from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses).

Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. Most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free.

But in a bid to help registrars comply with the GDPR, ICANN is moving forward on a plan to remove critical data elements from all public WHOIS records. Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public WHOIS lookups.

The data to be redacted includes the name of the person who registered the domain, as well as their phone number, physical address and email address. The new rules would apply to all domain name registrars globally.

ICANN has proposed creating an “accreditation system” that would vet access to personal data in WHOIS records for several groups, including journalists, security researchers, and law enforcement officials, as well as intellectual property rights holders who routinely use WHOIS records to combat piracy and trademark abuse.

But at an ICANN meeting in San Juan, Puerto Rico on Thursday, ICANN representatives conceded that a proposal for how such a vetting system might work probably would not be ready until December 2018. Assuming ICANN meets that deadline, it could be many months after that before the hundreds of domain registrars around the world take steps to adopt the new measures.

Gregory Mounier, head of outreach at EUROPOL‘s European Cybercrime Center and member of ICANN’s Public Safety Working Group, said the new WHOIS plan could leave security researchers in the lurch — at least in the short run.

“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information,” Mounier told KrebsOnSecurity. “Let’s say you’re monitoring a botnet and have 10.000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”

Rod Rasmussen, chair of ICANN’s Security and Stability Advisory Committee, said ICANN does not have a history of getting things done before or on set deadlines, meaning it may be well more than six months before researchers and others can get vetted to access personal information in WHOIS data.

Asked for his take on the chances that ICANN and the registrar community might still be designing the vetting system this time next year, Rasmussen said “100 percent.”

“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty,” Rasmussen said. “Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

As I noted in last month’s story on this topic, WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations. On any given day I probably perform 20-30 different WHOIS queries; on days I’ve set aside for deep-dive research, I may run hundreds of WHOIS searches.

WHOIS records are a key way that researchers reach out to Web site owners when their sites are hacked to host phishing pages or to foist malware on visitors. These records also are indispensable for tracking down cybercrime victims, sources and the cybercrooks themselves. I remain extremely concerned about the potential impact of WHOIS records going dark across the board.

There is one last possible “out” that could help registrars temporarily sidestep the new privacy regulations: ICANN board members told attendees at Thursday’s gathering in Puerto Rico that they had asked European regulators for a “forbearance” — basically, permission to be temporarily exempted from the new privacy regulations during the time it takes to draw up and implement a WHOIS accreditation system.

But so far there has been no reply, and several attendees at ICANN’s meeting Thursday observed that European regulators rarely grant such requests.

Some registrars are already moving forward with their own plans on WHOIS privacy. GoDaddy, one of the world’s largest domain registrars, recently began redacting most registrant data from WHOIS records for domains that are queried via third-party tools. And experts say it seems likely that other registrars will follow GoDaddy’s lead before the May 25 GDPR implementation date, if they haven’t already.

Adobe and Microsoft each pushed critical security updates to their products today. Adobe’s got a new version of Flash Player available, and Microsoft released 14 updates covering more than 75 vulnerabilities, two of which were publicly disclosed prior to today’s patch release.

The Microsoft updates affect all supported Windows operating systems, as well as all supported versions of Internet Explorer/Edge, Office, Sharepoint and Exchange Server.

All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies, according to a post from security firm Qualys.

“It is recommended that these be prioritized for workstation-type devices,” wrote Jimmy Graham, director of product management at Qualys. “Any system that accesses the Internet via a browser should be patched.”

The Microsoft vulnerabilities that were publicly disclosed prior to today involve Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940) and ASP.NET Core 2.0 (CVE-2018-0808), said Chris Goettl at Ivanti. Microsoft says it has no evidence that attackers have yet to exploit either flaw in active attacks online.

But Goettl says public disclosure means enough information was released publicly for an attacker to get a jump start or potentially to have access to proof-of-concept code making an exploit more likely. “Both of the disclosed vulnerabilities are rated as Important, so not as severe, but the risk of exploit is higher due to the disclosure,” Goettl said.

Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Adobe’s Flash Player update fixes at least two critical bugs in the program. Adobe said it is not aware of any active exploits in the wild against either flaw, but if you’re not using Flash routinely for many sites, you probably want to disable or remove this awfully buggy program.

Just last month Adobe issued a Flash update to fix two vulnerabilities that were being used in active attacks in which merely tricking a victim into viewing a booby-trapped Web site or file could give attackers complete control over the vulnerable machine. It would be one thing if these zero-day flaws in Flash were rare, but this is hardly an isolated occurrence.

Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval.

For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits.

The latest standalone version of Flash that addresses these bugs is 29.0.0.113  for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.