Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software.

Three-quarters of the patches Microsoft issued earned the company’s most dire “critical” rating, meaning malware or attackers could use the flaws fixed in these patches to fully compromise vulnerable systems with zero help from users. What’s more, two of the vulnerabilities are actively being exploited, including a bug in Windows and Microsoft Office.

As per usual, a patch for Internet Explorer addresses a huge chunk (30) of the individual security flaws tackled in this month’s update cycle. Microsoft also released a critical patch to correct 15 weaknesses in Microsoft Edge, the browser meant to supplant IE.

According to security firm Shavlik, supported versions of IE will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. More information about this change is available here.

The SANS Internet Storm Center is reporting that some Windows users who have Outlook installed are experiencing some difficulties using the program after applying this month’s updates. If you use Outlook, it may be wise to put off installing this patch for a few days until Microsoft addresses the issue.

Another vulnerability — fixed by a patch for domain name system (DNS) servers that run on Windows Servers — could prove extremely dangerous for organizations that rely on Windows Server for DNS services. According to SANS, Microsoft rates the exploitability as “2”, but doesn’t provide much details as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news if you are using a Microsoft DNS server exposed to the public internet.

Adobe’s Flash update brings Flash to version 20.0.0.228 for Internet Explorer and Chrome on Windows and Mac systems, and 20.0.0.235 for Windows and Mac versions of Firefox and Safari.

As I noted in a previous post, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.

Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is Click-To-Play, which lets you control what Flash (and Java) content gets to load when you visit a Web page.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).

KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.

DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokesperson Sy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly includes scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

Among the findings in that report, which drew information from more than 100 engagements last year:

-Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);

-More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (4o percent) or “critical” (13 percent).

-RVA phishing emails resulted in a click rate of 25 percent.

 ANALYSIS

I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners.  According to data provided by DHS, the majority of the program’s private sector participation come from the financial services and energy sectors — typically at regional or smaller institutions.

DHS has taken its lumps over the years for not doing enough to gets its own cybersecurity house in order, let alone helping industry fix its problems. In light of its past cybersecurity foibles, the NCATS program on the surface would seem like a concrete step toward blunting those criticisms.

I wondered how someone in the penetration testing industry would feel about the government throwing its free services into the ring. Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product.

Aitel said one of the major benefits for DHS in offering NCATS is that it can use the program learn about real-world vulnerabilities in critical infrastructure companies.

“DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies.”

Of course, the downsides are that sometimes you get what you pay for, and the NCATS offering raises some interesting questions, Aitel said.

“Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability.”

As far as the potential legal ramifications of any mistakes DHS may or may not make in its assessments, the acceptance letter (PDF) that all NCATS customers must sign says DHS provides no warranties of any kind related to the free services. The rules of engagement letter from DHS further lays out ground rules and specifics of the NCATS testing services.

Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations.

But what about previously unknown vulnerabilities found by DHS examiners?

“This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.

And then there are potential legal issues with the government competing with private industry.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training group, isn’t so much concerned about the government competing with the private sector for security audits. But he said DHS is giving away something big with its free assessments: An excuse for the leadership at scanned organizations for not doing anything after the assessment and using the results as a way to actually spend less on security.

“The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”

According to Paller, despite what the NCATS documents say, the testers do not do active penetration tasks against the network. Rather, he said, they are constrained by their rules of engagement.

“Mostly they do architectural assessments and traffic analysis,” he said. “They get a big packet capture and they baseline and profile and do some protocol analysis (wireless).”

Paller said the sort of network architecture review offered by DHS’s scans can only tell you so much, and that the folks doing it do not have deep experience with one of the more arcane aspects of critical infrastructure systems: Industrial control systems of the sort that might be present in an energy firm that turns to NCATS for its cybersecurity assessment.

“In general the architectural reviews are done by younger folks with little real world experience,” Paller said. “The big problem is that the customer is not fully briefed on the limitations of what is being done in their assessment and testing.”

Does your organization have experience with NCATs assessments? Are you part of a critical infrastructure company that might use these services? Would you? Sound off in the comments below.

Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.

Agent Steve Scarince of the U.S. Secret Service heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.

“Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,” he said. “The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.'”

Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely.

Most internal, modern pump skimmers are built to record the card data on a storage device that can transmit the data wirelessly via Bluetooth technology. This way, thieves can drive up with a laptop and fill their tank in the time it takes to suck down the card data that’s been freshly stolen since their last visit.

The Secret Service task force in Los Angels has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don’t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.

MOBILE BOMBS

Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic “bladders” capable of holding between 250 and 500 gallons of fuel.

“The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,” he said. “Then they’ll drive back to their compound and pump the fuel into a 4,000 or 5,000 [gallon] container truck.”

The fuel will be delivered to gas station owners with whom the fuel theft ring has previously brokered with on the price per gallon. And it’s always a cash transaction.

“The stations know they’re buying stolen gas,” Scarince said. “They’re fully aware the fuel is not coming from a legitimate source. There’s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.”

Needless to say, the bladder trucks aren’t exactly road-worthy when they’re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.

“Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,” Scarince said. “He lit up and that was the last thing he did.”

Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.

“There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,” Scarince said. “These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can’t handle the load. We see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.”

How big are the fuel theft operations in and around Los Angeles? Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.

“And that’s a very conservative guess, just based on what the credit card companies report,” he said.

Aaron Turner, vice president of identity service products at Verifone — a major manufacturer of credit card terminals — leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment. 

“Every piece of equipment that is installed by gas station owners in the pump area is approved by reviewed and approved according to industry standards, but these skimmers…not so much,” Turner said. “One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it’s safe to say that skimmer manufacturers are not getting UL certifications for their gear.”

COUNTERING FUEL FRAUD

With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.

“A lot more card issuers and merchant processors are really pushing hard on velocity checks,” Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. “If you buy gas in Washington, D.C. and then 30 minutes gas later gas is being purchased on opposite side of the city in a short period of time. Those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.”

Card issuers also can impose their own artificial spending limits on fuel purchases. Visa, for example, caps fuel purchases at $125.  But thieves often learn to work just under those limits.

“The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,” Scarince said. “They’ll come in a swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they’ll drive one direction, and Tuesday they’ll go the other way, just to make sure they don’t hit the same stations one day after another.”

Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card’s magnetic strip, and most fuel stations won’t have chip-enabled readers for several years to come.

On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

“The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don’t feel they’re going to hit the 2017 dates,” Turner said. “If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians…most of the stations are saying that even if they start this process now they’re going to struggle to meet that October 2017 date.”

Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.

“We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,” Turner said. “In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.”

Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic Armenian organized crime members that have invested heavily in fuel theft schemes. Last month, the Justice Department announced charges against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.

Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.

“We are seeing pump skimming now shoot across the country,” Scarince said. “Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we’re now seeing show up in other locations across the country. They’re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.”

WHAT CAN  YOU DO?

Avoid sketchy-looking stations and those that haven’t started using tamper-evident seals on their pumps.

“The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven’t upgraded their pump locks and haven’t started using tamper seals,” Scarince said. “If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they’re going to be targeted.”

Scarince says he also tends to use pumps that are closest to the attendants.

“Those are less likely to have skimmers in or on them than street-side pumps,” he said.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK employees contacted by this author say the breach may go far deeper for the company and its customers.

The South Jordan, Utah-based LANDESK makes and markets software that helps organizations manage all users, platforms and devices from a single digital dashboard. The company’s software specializes in automating and integrating IT systems management, endpoint security management, service management, IT asset management, and mobile device management.

On Nov. 18, 2015, LANDESK sent a letter to current and former employees warning of an intrusion, stating that “it is possible that, through this compromise, hackers obtained personal information, including names and Social Security numbers, of some LANDESK employees and former Wavelink employees.”

LANDESK declined to answer questions for this story. But the company did share a written statement that mirrors much of the text in the letter sent to affected employees:

“We recently became aware of some unusual activity on our systems and immediately initiated safeguards as a precaution and began an investigation. As part of our ongoing investigation in partnership with a leading computer forensics firm, we recently learned that a small amount of personally identifiable information for a limited number of our employees may have been accessible during the breach. While no data compromises of personally identifiable information are confirmed at this point, we have reached out with information and security resources to individuals who may have been affected. The security of our networks is our top priority and we are acting accordingly.”

“The few employees who may have been affected were notified promptly, and at this point the impact appears to be quite small.”

According to a LANDESK employee who spoke on condition of anonymity, the breach was discovered quite recently, but system logs show the attackers first broke into LANDESK’s network 17 months ago, in June 2014.

The employee, we’ll call him “John,” said the company only noticed the intrusion when several co-workers started complaining of slow Internet speeds. A LANDESK software developer later found that someone in the IT department had been logging into his build server, so he asked them about it. The IT department said it knew nothing of the issue.

John said further investigation showed that the attackers were able to compromise the passwords of the global IT director in Utah and another domain administrator from China.

“LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,” John said. “They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK’s web servers, and downloading it.”

The implications are potentially far reaching. This breach happened more than a year and a half ago, during which time several versions and fixes of LANDESK software have been released. LANDESK has thousands of customers in all areas of commerce. By compromising LANDESK and embedding a back door directly in their source code, the attackers could have access to large number of computers and servers worldwide.

The wholesale theft of LANDESK source code also could make it easier for malware and exploit developers to find security vulnerabilities in the company’s software.

A LANDESK spokesperson would neither confirm nor deny the date of the breach or the source code theft, saying only that the investigation into the breach is ongoing and that the company “won’t comment on speculation.”

Two months after KrebsOnSecurity first reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems.

According to a statement released after markets closed on Tuesday, the breach persisted over a 17-week period from Nov. 18, 2014 to Dec. 5, 2014, or April 21 to July 27, 2015.

“Hilton Worldwide (NYSE: HLT) has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company said. “Hilton immediately launched an investigation and has further strengthened its systems.”

Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).

The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties — as previously reported here.

The announcement from Hilton comes just five days after Starwood Hotel & Resorts Worldwide — including some 50 Sheraton and Westin locations — was hit by a similar breach that lasted nearly six months.

Starwood and Hilton join several other major hotel brands in announcing a malware-driven credit card data breach over the past year. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging allowed that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.