We Live Security: News, Views, and Insight from the ESET Security Community (http://www.welivesecurity.com), feed dated Tue, 02 Sep 2014 17:26:53 +0000

Secure password: CyberVor hoard of 1.2 billion details ‘used in attack’
http://www.welivesecurity.com/2014/09/02/secure-password/ (Tue, 02 Sep 2014 13:14:10 +0000)

Hosting provider Namecheap said that it has come under attack from hackers apparently using the “CyberVor” hoard of 1.2 billion usernames and passwords, and warned that some accounts may have been compromised.

The post Secure password: CyberVor hoard of 1.2 billion details ‘used in attack’ appeared first on We Live Security.

Hosting provider Namecheap has come under attack from hackers apparently using the “CyberVor” hoard of 1.2 billion usernames and passwords, and has warned that some accounts that had failed to use a secure password may have been compromised.

In a blog post entitled, “Urgent Security Warning”, the company said that some accounts had been compromised, but Computer World reports that the “vast majority” of login attempts had failed.

Namecheap said that it was now “aggressively blocking” the IP addresses that the attack appeared to have come from, and said that the logins appeared to come from the record-breaking hoard of passwords and usernames stolen by the gang known as “CyberVor”.

Secure password: Record-breaking hoard used in attack

Veteran security writer and researcher, and We Live Security contributor Graham Cluley said, “The gang, which has been dubbed ‘CyberVor’ (‘vor’ means ‘thief’ in Russian) by security researchers, is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses. And the data has been stolen from some 420,000 different websites.”

Company officials did not reveal why they suspected that the credentials used in the attack came from the CyberVor (“vor” is Russian for “thief”) trove, which was discovered online last month as a single cache mixing passwords, usernames and email addresses, according to CIO magazine.

“Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. Upon investigation, we determined that the username and password data gathered from third party sites, likely the data identified by The Register (i.e. not Namecheap) is being used to try and gain access to Namecheap.com accounts,” Namecheap said, also offering advice for users on how to create a secure password for their accounts.

Fake browser used in mass attack

“The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts,” Namecheap said.

Veteran security writer and researcher, and We Live Security contributor Graham Cluley advises, “Whenever you create accounts online you are putting trust in the hands of web developers that they are properly securing your information. The very best you can do is enable additional security measures (such as multi-factor authentication when made available), and ensure that you never reuse the same password nor choose a password that is easy to guess or crack.

Because one thing is clear: The Russian CyberVor gang may or may not be sitting on one of the largest cybercriminal hauls in history, but unless we all work harder to keep our private information safe and secure, this is not going to be the last time that you’re waking up to newspaper headlines of stolen passwords.”

Cybercrime: Top experts to form international crook-hunting force
http://www.welivesecurity.com/2014/09/01/cybercrime/ (Mon, 01 Sep 2014 14:14:00 +0000)

As many as 18 top cybercrime experts from around the world will form a new Joint Cybercrime Action Task Force based in the Hague, which will target “top-level criminals”.

As many as 18 top cybercrime experts from around the world will form a new Joint Cybercrime Action Task Force based in the Hague, which will target “top-level criminals” far faster than any previous force, the Guardian reports. The Joint Cybercrime Action Task Force (J-CAT) said that the new entity would allow action against high-profile criminals to move more quickly than before. “It’s not a talk shop. This has to lead to more arrests,” said Troels Oerting, head of Europol’s European Cybercrime Center, according to V3’s report. The unit will be headed by Britain’s Andy Archibald, head of the National Cyber Crime Unit, according to The Parliament Magazine.

Cybercrime: “This will lead to more arrests”

“The J-CAT will operate from secure offices in Europol’s HQ, assisted by experts and analysts from the EC3. The aim is not purely strategic, but also very operational. The goal is to prevent cyber crime, to disrupt it, catch crooks and seize their illegal profits,” said Troels Oerting, head of Europol’s European Cybercrime Center, according to V3. “This is a first step in a long walk towards an open, transparent, free but also safe internet. The goal cannot be reached by law enforcement alone, but will require a consolidated effort from many stakeholders in our global village. But the J-CAT will do its part of the necessary ‘heavy lifting’ and that work started today. I am confident we will see practical tangible results very soon.” The Guardian pointed to some of the difficulties facing such organizations – such as the fact that criminals such as Evgeniy Bogachev remain at large, despite being accused of major cybercrimes.

“The goal is to prevent cybercrime”

Archibald, who will head the new organization, organized a major international operation to attack the command and control servers of the notorious banking malware Shylock/Win32/Caphaw. He says that cross-border cooperation is key to success against today’s cyber gangs. The new J-CAT organization will also deal with private-sector companies and computer-emergency teams from other EU organizations to ensure effective information sharing. Mr Archibald said: “There are many challenges faced by law enforcement agencies with regards to cyber criminals and cyber attacks. This is why there needs to be a truly holistic and collaborative approach taken when tackling them.” “The J-CAT will, for the first time, bring together a coalition of countries across Europe and beyond to coordinate the operational response to the common current and emerging global cyber threats faced by J-CAT members.” “This is a unique opportunity for international law enforcement agencies to collectively share our knowledge to defend against cyber related attacks, and the UK’s National Crime Agency is proud to be a founding member”.

Wi-Fi password – “one second” hack allows attackers into many routers
http://www.welivesecurity.com/2014/09/01/wi-fi-password/ (Mon, 01 Sep 2014 14:09:15 +0000)

A push-button function on many wireless routers designed to bypass the Wi-Fi password and provide quick access to the network could allow attackers to break in in “one second”, reports have claimed.

A push-button function on many wireless routers designed to bypass the Wi-Fi password and provide quick access to the network could allow attackers to break in in just “one second”, reports have claimed. The Wi-Fi password flaw was found by Swiss security firm Oxcite, and allows hackers to bypass the security of Wi-Fi Protected Setup almost instantly, according to Engadget’s report. Rather than making thousands of guesses at the PIN code, the attackers make one guess, based on offline calculations. “It takes one second,” Dominique Brongard of Oxcite said. “It’s nothing. Bang. Done.”

Wi-Fi password: “It takes one second”

The attack is the latest in a series of weaknesses uncovered in popular models of routers – and affects routers using a chipset made by Broadcom and another, as yet unnamed, manufacturer. In both cases, Oxcite claims, it would take roughly “one second” to guess the hotspot’s PIN code. The attack relies on poorly generated “random” numbers, and is not inherent to WPS itself, only to the (as yet undisclosed) router models. The researchers believe, however, that the Wi-Fi password security flaw is relatively common, and advise users to switch off the WPS function (done from any router’s set-up page) until the problem is known to be solved. Research has shown that many popular router models ship with known vulnerabilities, Wi-Fi password weaknesses among them, which activist group the Electronic Frontier Foundation attributes to the relatively low price of the devices and the difficulty of budgeting for proper security updates. A We Live Security guide to keeping small-office and home routers as secure as possible can be found here.

“It’s nothing. Bang. Done.”

The Wi-Fi Alliance said, speaking to Ars Technica, “A vendor implementation that improperly generates random numbers is more susceptible to attack, and it appears as though this is the case with at least two devices.” “It is likely that the issue lies in the specific vendor implementations rather than the technology itself. As the published research does not identify specific products, we do not know whether any Wi-Fi certified devices are affected, and we are unable to confirm the findings.”

Week in Security: Game over in Korea, cellphone snoops and phishy Bitcoins
http://www.welivesecurity.com/2014/08/29/security-news-2/ (Fri, 29 Aug 2014 12:40:26 +0000)

Gamers and cellphone users were targeted by criminal groups around the world this week – while retailers continued to suffer at the hands of POS malware, and a phishing campaign highlighted just how hot Bitcoin is right now.

Gamers and cellphone users were targeted by criminal groups around the world in our security news this week – with results varying from slightly eerie surveillance towers, to a gigantic data breach in which 220 million records were traded. The former were struck with a series of irritating service outages caused by a hacktivist group, plus a data breach of enormous proportions, which swept up half of South Korea’s population in a scam designed to steal virtual money and goods.

Cellphone users were left looking over their shoulders as a security news report highlighted the sale and use of tools which could track a user with high accuracy from town to town and even to other countries – and these tools are being bought not only by oppressive regimes, but by gangs.

Even more disconcerting was the discovery of at least 17 ‘fake’ cellphone towers which hacked into nearby handsets to either eavesdrop, or install spyware. The fake towers, found, oddly enough, by a company which markets handsets immune to such attacks, were found throughout America – with one, puzzlingly, in a casino…

Meanwhile, POS malware continues to multiply, and a new phishing attack highlighted how social engineering can strike anyone…

Security news: Half of South Korea breached

By anyone’s standards, it was a massive data breach – involving 27 million people, half the population, and 220 million private records changing hands. It also highlighted just how much South Korea loves playing games, as it hit adults and children alike – the breach targeted registration pages and passwords for six online gaming sites, with the aim of selling game currency and virtual goods.

The breach affected 70% of the population between the ages of 15 and 65, according to Forbes.

The sixteen hackers who were jailed had used 220 million items of personally identifying information, with the goal of breaking into online game accounts. A 24-year-old man, surname Kim, bought these records from a Chinese hacker he met in another online game in 2011, according to the Korea JoonGang Daily.

Kim and his associates are thought to have used a hacking tool known as an “extractor” to log in to accounts and steal virtual currency and items to sell – earning in the process 400 million won ($390,919).

1,000 U.S. firms infected with credit-card-stealing POS malware

An official warning issued this week highlighted the rise and rise of malware targeting point-of-sale systems in retail outlets, with the goal of stealing credit card details – with Secret Service operatives warning that one particular strain had infected a vast number of American firms.

The United States Computer Emergency Readiness Team issued a statement saying that the “Backoff” malware was rife in U.S. businesses, taking over administrator accounts and removing customer data from several hundred companies. Its information was based on Secret Service estimates, drawn from conversations with POS software vendors in America.

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

Cellphone users targeted by cyber-snoops

Cellphone users, you may be being watched – by a surveillance industry which one privacy group claims is worth $5 million a year. This week saw an in-depth report into the export of equipment which can track the movements of anyone carrying a cellphone – from town to town and even into other countries.

It also saw the discovery of “fake” cellphone towers known as “interceptors” in active use on U.S. soil, according to Popular Science. The technology is known, but expensive, and it’s unclear who is operating the towers, or why.

High-end surveillance technologies which penetrate networks to track users are freely on sale not only to oppressive regimes, but also to criminal gangs, according to a report by the Washington Post.

Third-party surveillance apps which allow suspicious spouses and more nefarious individuals to track the owner of a phone, by surreptitiously installing and hiding such an app, are of course widely available. Such ‘domestic spyware’ is often involved in domestic violence cases.

The gear used by oppressive regimes is of a higher level altogether. “Surveillance systems are secretly collecting these records to map people’s travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology,” the Washington Post reports.

“The capabilities of surveillance technology have grown hugely in the past decade – in the hands of a repressive regime, this equipment eradicates free speech, quashes dissent and places dissidents at the mercy of ruling powers as effectively as guns and bombs, if not more so,” Privacy International says in its report.

Game Over, man! PSN taken down, other networks under attack

A new hacktivist gang disrupted and brought down several gaming services this week, including Sony’s PSN network, and the Twitch gamer-TV service, which returned only after presenters Tweeted photographs of themselves with the group’s name written on their foreheads.

Most of the attacks were basic denial-of-service attacks, and no information was lost during Sony’s network outage. The FBI took an interest when a reported bomb threat by the same group caused the diversion of a flight carrying a Sony executive, according to a Reuters report.

Sony summed up in a blog post, “The networks were taken offline due to a distributed denial of service attack. We have seen no evidence of any intrusion to the network and no evidence of any unauthorized access to users’ personal information.”

It is as yet unclear what the group’s motivation is – with DDoS attacks also aimed at popular PC titles such as Blizzard’s Battle.net, Riot’s League of Legends and Grinding Gear Games’ Path of Exile.

Bitcoin phishing a cryptic success with non-users

How hot is Bitcoin right now? So hot that even non-Bitcoin users are tempted to click on phishing links referring to Bitcoin wallet sites (which they don’t use). The relative success of the attacks shows how social engineering can take many forms – and that clicking on links in ANY unsolicited email is a bad idea.

Previous Bitcoin wallet phishing campaigns usually targeted known lists of Bitcoin users. The new waves of phishing emails were targeted at corporations, rather than those with an interest in cryptocurrency. The tactic has proved a success for the criminals behind it – with nearly 2.7% of victims clicking on the malicious link embedded in the two waves of 12,000 emails.

Proofpoint, which monitored the attack, said that the high success rate proved how much the hype behind the Bitcoin wallet had caught the imagination of the general population. “Unregulated and designed for anonymity, Bitcoin represents an attractive, $6.8 billion target to cyber criminals,” Proofpoint said.

The Register’s John Leyden reported, “This high click-through rate is a concern because crooks could easily switch from Bitcoin scams to targeting curious users with DDoS malware, remote access Trojans, corporate credential phish, or other threats.”

Some things, of course, don’t change: the emails took the form of a classic “account warning” phishing email, just using a Bitcoin site instead of a bank.

Internet privacy: Seven rules to keep secrets safe
http://www.welivesecurity.com/2014/08/29/internet-privacy/ (Fri, 29 Aug 2014 11:25:33 +0000)

You are never truly invisible online – and even if you equip yourself with an arsenal of privacy tools, you'll still be watched. But there are ways to ensure that you and your business never "overshare". Here are seven of them.

Internet privacy is something consumers are increasingly aware of, but which is near-impossible to achieve. You are never truly invisible on the internet – just witness how quickly the Blackphone, made by encryption legends Silent Circle, met its match at DEF CON.

But while the free internet relies on “watching you” to sell ads, and others watch you just because they like it, there are a few steps sensible internet users should take for those moments when a little internet privacy IS required.

Most are the basics of internet privacy – password hygiene – and good security practice on social networks.

But when it comes to things you might want to keep private – business conversations that would be of interest to a rival, or hobbies such as motorcycling that might be of interest to an insurer – a few basic steps can help.

If you ARE James Bond, no security tip in the world will stop your enemies watching you – that’s their job. For most of us – from college students to small businesses to people afraid of one particular watcher, such as domestic violence survivors – some basic steps will help you stay private.

Tinfoil hats are not required. Nor is switching to a “private” browser such as Tor – although privacy-conscious users may find it surprisingly fast these days.

Rule one: Use the internet privacy tools provided by ‘the watchers’

There are good reasons to revisit the internet privacy menus on your Facebook account – and it’s highly unwise to post anything to the network that is in any way sensitive. Facebook is not content with the trove of data provided by its own users – it deals with third-party “data broker” companies, who provide the company with encrypted lists of email addresses (for instance, of users who have bought a vacuum cleaner), which Facebook then matches against its own encrypted list. This means the company may ‘know’ more than you think it does. The only defense is to be cautious with data both inside and outside Facebook.

There are other good reasons behind people’s distrust of Facebook, and to ensure your account is locked up as much as possible. This year, the social site added hidden tracking in its ubiquitous ‘Like’ button to track users outside of Facebook pages. The new tracking method actually ignores users’ Do Not Track preference settings (the browser setting where users can choose “ask websites to not track me”). Staying logged out as much as possible is a good idea to increase your internet privacy.

Google is a major player in collecting data – every Google service from YouTube to Search collects information on signed-in users, and collates it to refer to one user profile. This is used to tailor Google ‘adwords’ – the text adverts that appear around searches and above Gmail’s Inbox – to the user. Google, however, is very open about how it all works, and you can opt out of almost everything, even if you’re a heavy user. If you do so, the only service you’ll really be unable to use is the excellent Google Now on Android, which relies heavily on search history and location history. It poses its own privacy risks, of course, if anyone looks over your shoulder…

Google itself offers a clear explanation of how its data collection works – and provides a dashboard of tools web users may wish to use to prevent themselves being tracked. For Google, personalized adverts are a service, and one you can choose not to use. Facebook’s approach is more opaque. Facebook said that it would also ignore “do not track” signals sent by browsers – a measure put in place to offer users choice on privacy – because “currently there is no industry consensus.”

Rule two: Don’t tell the internet your age, or if you went to college

Sharing information too openly online is a bad idea – leaving you open to spear phishing attacks. But data also falls into the hands of companies which trade in it – billions of data points at once, sold to advertisers and other companies. Most of these are perfectly normal companies. Some are not. The Federal Trade Commission is investigating ‘data brokers’. The industry is thus far largely unregulated, and brokers will offer anything from anonymous data gleaned from browsing, to a mix of data, some publicly available, some from website cookies and other tracking tools. You are significantly more likely to be identifiable from your data if you share things publicly – even the fact you own a dog, or your address, or if you geolocate pictures. Take control of this data. Don’t share when you don’t have to.

[Image: Consumers are increasingly concerned about privacy, a Silent Circle poll found]

Social networks are a prime example, but “overfilling” a profile on a blog or corporate site can also reveal details. If there’s ever a box about sharing data with other companies, make sure you tick (or don’t tick) it so your data isn’t shared. Whatever happens to it, it isn’t going away. Some, not all, data brokers categorise customers in a way which may impact future eligibility for financial products – categorising them as uneducated, or putting them in a category of older people, for instance. This is information you should not share publicly, as it may impact your financial future.

Rule Three: Don’t trust ‘Do Not Track’ – Incognito or Private mode are better

Many companies ignore a browser’s request not to be tracked – including high profile firms such as Facebook. The only fix is to use Incognito or Private browsing, and not log in to Facebook as you browse.

You will still be followed by trackers (cookies and scripts embedded in most websites) as you browse, but the profile that’s built up applies to a user who disappears when the session ends. You are still, of course, not truly ‘private’ – your IP address can still be traced as having visited a particular website, but it helps. Setting your browser to delete cookies on closing also helps in this regard – but it’s not a silver bullet.

Rule Four: Don’t use Facebook log-ins on apps

Don’t imagine smartphones are any different from PCs – you will be tracked on your browser, just as you are on PC, and there are other security concerns, too. But one step is easy to take. Many apps allow users to log in using their Facebook details, which spares users the time of filling in a form.

However, this allows the social network to use information from the app, and apply this to its advertising profile to target adverts. Any information in the app becomes available to Facebook. If you’re worried about how much Facebook ‘knows’ about you, use email to log in instead.

Rule Five: Turn to Tails if you really need to be private

If you are determined not to be watched, Tails is a high-end internet privacy tool – although it should be noted that it is not “spy proof”. It boots from a DVD or USB stick, and forces internet traffic through the anonymizing service Tor (all non-Tor connections are rejected). Tor is of course not immune from spying – but it’s as secure as it gets, most of the time.

When you’ve finished, Tails deletes all data from the session (it’s stored in RAM rather than in computer storage). It can be used on any computer, and leaves no trace once the session ends. You are, of course, still vulnerable to some techniques – for instance, electronic listening devices could pick up your keystrokes.

Rule Six: If you’re doing business, use a VPN, and encrypt everything you can

If you are using the internet for sensitive business reasons, use VPN software – either provided by your company or, if you’re a small business or freelancer, your own VPN client. Likewise, ensure you encrypt as much as you can – from emails to data stored on your PC. ESET researcher Stephen Cobb argues that encryption is now essential for business – and with the rate of data breaches seen over the past few months it’s hard to argue. Malware researcher Lysa Myers says, “The best way to protect your data from prying eyes is to make more of it unreadable to outside parties. And the best way to do this is to encrypt as much as you can, both data that is saved on your hard disk and data that you send out of your machine, via email, web or other methods.”

Rule Seven: You are never invisible online

No matter how paranoid you are, how security-conscious you are, there is always a way round your snoop-proof techniques. Unscrupulous and greedy people will find it. If you want something to stay private, don’t do it online, or on the phone. Do it in the real world. As more consumers use internet privacy tools, new unknown techniques appear to bypass them. ‘Canvas fingerprinting’ is a new technique, invisible to users, which became widespread among companies selling data to advertisers before the media were even aware of it. Requiring PCs to render a fragment of text, it bypasses “do not track” instructions to create a fingerprint which “shatters” current privacy tools, Princeton researchers say. One provider which uses the ‘fingerprinting’ technique, touted as a replacement for cookies for advertisers keen to track users across the web, uses its scripts in thousands of sites – and reaches 97.2% of the internet population in America, according to Comscore.

Anyone want to know my Social Security Number?
http://www.welivesecurity.com/2014/08/28/anyone-want-know-social-security-number/ (Thu, 28 Aug 2014 16:38:59 +0000)

Your home may be your castle, but on social networks, your friends are your perimeter. Will they enclose and protect your personal data?

Let me tell you about yet another brain-dead Facebook meme* about ‘your [something or other] name’ games. These games are the sort of round-robin post that tell you how to generate your very own witness protection name, your soap character name, and similar richly meaningful concepts.

It’s Only Rock and Roll

Apparently the rock star name meme has been around since at least 2007, but I somehow managed to miss it for most of that time. Clearly I should consider dedicating what is left of my twilight years to Facebook so that I don’t miss anything.

Perhaps this one has something to do with the way rock stars, footballers, and movie stars, worried that alternatively pampering and neglecting their offspring might not be the optimum parenting methodology, give them ludicrous names like Leafmould Cheesecake. Or I suppose it might be a way of generating a name that will get you mistaken for a celebrity and ensure that you get into nightclubs and pay a larger than normal deposit on hotel rooms. Anyway, most of the examples I’ve seen (thank you so much, Google, for brightening my life yet again) are generated by combining the name of your first pet and something like your current car, your first car, or the street where you live. (I apologize if I’ve increased the danger that some future reader will be christened Tiddley Widdley 2CV.)

Security content coming up. (Finally.)

It may not have escaped your notice that those elements are very similar to those secret questions that banks and such want us to use to supplement those passwords that they take such good care of. Sometimes. (Here’s a list of other name ‘games’, several of which have a disquieting tendency to be based on ‘secret question’ data.)

I started looking into this social phenomenon when I recently came across a variation on the rock star meme: this one offers us the following way to find our own rock star names. Ready, steady, type:

  1. Your mother’s maiden name
  2. Your first pet’s name
  3. The model of your first car
  4. Your High School mascot
  5. Your favourite uncle
  6. The last four digits of your Social Security Number (SSN)

Several of my friends in the security business found this meme extremely amusing. As you probably will too, knowing that this is a parody – or an extreme example – of the kind of ‘secret questions’ that financial providers and others are fond of passing off as additional security. In fact, the first three are common – even stereotypical – secret questions proposed by real service providers. 4 and 5, maybe not so much. But SSNs are commonly used in the US as authentication, so there’s certainly possible value there for someone trying to harvest useful information about you.

Still, surely no-one could fail to recognize the danger there? Well, some people who commented clearly thought it would be worth putting it out there to see who (or how many) fell for it, if only out of curiosity. No ethical qualms there, then.

Friendship and Fiendship

I’ve talked before (for Virus Bulletin) about the potential of the Facebook meme for collecting data that could be used for malicious purposes. One datum addressed there was your date of birth (mildly obfuscated, but if I could find out how it worked, so could any bad guy who could use a search engine). Another was the instance cited by Graham Cluley of the Royal Wedding in 2011, inviting Facebook users to generate their ‘royal wedding guest name’ by combining an aristocratic title, one of their grandparent’s names, and the name of their first pet ‘double-barrelled’ with the name of the street they grew up on. I can assure you that if I absent-mindedly sign this article as Lord Melvin Sundance-Acacia, I won’t be giving any sensitive data away. After 25 years in security, I’m not naïve enough to think that everyone who’s a friend on social media – or a reader of my blogs – is to be trusted with personal data. I don’t think there are many burglars or identity thieves in my immediate circle of acquaintance, but friends of friends of friends are another matter. In any case, I’m pretty sure that some of my friends aren’t as paranoid with their – or my – posts and data as I am. Furthermore, I’m no fan of the way that various social networks try to insist on my giving them far more personal information than they really need to know.

Not, of course, that I’m advocating a general policy of dishonesty in social networking profiles, but as I commented in that article and elsewhere, these are organizations who regard subscribers not as customers but as sources of commoditized data. Big names in the social media are constant targets for hacking, and don’t always take the care over securing sensitive data that you might expect. In fact, they often have an agenda that is at heart anti-privacy, since our data is exactly what matters to the retail organizations and service providers who are their real customers. Meanwhile, we the subscribers are all too willing to give away the sort of material targeted in a data aggregation (or data inference) attack, where individual items may seem harmless, but an aggregation of such items gives an attacker all he needs to indulge in a little identity theft.

Social Insecurity

But let’s talk about SSNs. Is giving away just part of your SSN really dangerous? In a paper published in 2009 by Alessandro Acquisti and Ralph Gross in the Proceedings of the National Academy of Sciences of the United States of America, it was claimed (as I summarized here) that there is:

a correlation between an SSN and the birthdate of its “owner” that makes it feasible to infer the SSN, given knowledge of that birthdate and … public access to the Social Security Administration’s Death Master File … to determine SSN allocation patterns based on the zip code of their birthplace and the date of issue.

So how secure is your Social Security Number? Well, here are a couple of issues:

  • Some legitimate, convenient-to-subscribe-to organizations may require it even though they are not, strictly, “entitled” to it.
  • The difference between legitimate and illicit organizations (or their web pages, URLs and so on) is not always as pronounced as you might think – otherwise, we wouldn’t have to worry about phishing.

A Social Security Number (like a National Insurance Number in the United Kingdom) is an identifier, not an authenticator, because it isn’t secret: many people know (or at least could gain access to) your SSN. But a problem arises when an organization providing some kind of service to you insists on using it as an authenticator rather than as an identifier. Even if a criminal doesn’t have direct access to an SSN, he may be able to guess it based on information aggregated from other sources.

The Social Security Office has stated in the past (apparently in the hope of making it easier to spot a fake) that the 9 digits of the Social Security Number are grouped as follows.

  • The first three digits represent the Area Number
  • The next two digits represent the Group Number
  • The four digits at the end are called the Serial Number

And, of course, it’s exactly those four final digits that are under discussion. According to an article in the LA Times from 2009, Acquisti and Gross were able “to identify all nine digits for 8.5% of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.” However, the Social Security Office stated at that time that it was moving over to a more randomized SSN allocation system. Unfortunately, that probably hasn’t decreased the risk for many people whose SSN was already allocated by the time such changes were introduced.

Hopefully, most sites that ask for SSN info won’t allow unlimited guesses. Even more hopefully, few people will fall for a blatant, exaggerated data harvesting/phishing attempt resembling the meme described above.

The Sum of the Parts

But how about a story recently passed on by one of my colleagues in the security industry? He related how one of his friends received what appears to have been an automated phone call claiming that his or her debit card had been locked for fraud. Such calls are actually quite common, as in the cases described here, where the recording asks for the target to press 1 and then to ‘unlock’ their card by inputting sensitive financial information including the card number and the PIN associated with it in chip and PIN transactions. This isn’t a new threat, of course. A post at Scamcallfighters indicates that characteristically:

The automated system will ask the victim to key-in, card number, name, date of birth and even the security code! And at the end of it, it will declare that your card is reactivated!

In this case, however, the first thing requested was to input a full 9-digit SSN. Fortunately, the intended victim in this instance knew better than to actually give that information. I suspect, however, that a less greedy scammer might get quite a good hit rate in the right context.

By ‘less greedy’ I don’t just mean not asking for so many data items that even the most naïve end user might start to get suspicious, but also being prepared to do some data aggregation. After all, a victim who just volunteered 2-3 potentially useful data items is probably more likely than average to volunteer further items the second time round. And while a partial SSN requires more effort to build into a full SSN, the trade-off is that a victim is less likely to be scared off by a request for too much information.

After all, we’re conditioned to think that when a bank or other agency asks us to identify ourselves by giving part of an identifier or authenticator – “the 1st, 3rd and 4th character of your special word” or “the last four digits of your credit card number” – they already have the whole identifier/authenticator. Of course, this isn’t necessarily true at all. A scammer might even camouflage a harvesting probe by ‘sacrificing’ a data item that can’t be fully established so as to establish a context of trust in which the victim will:

  • Not take the trouble to check that the call is genuine by ending the call and calling back to a known-genuine number.
  • Go on to supply data items that can be used to implement some form of fraud.

However, in this case, a partial SSN might actually be enough to establish yet another useful (in terms of identity theft) data item.

Sadly, this use of automation for fraudulent purposes is another case where well-meaning (but not necessarily well-implemented) attempts by banks to reduce the impact of fraud have actually been perverted by criminals into an attack.

Technology versus Education

In the security industry, there’s a longstanding debate between those who advocate more user education and those who say that if education was going to fix the cybercrime problem it would have worked by now. (Randy Abrams and I discussed that debate at some length back in 2008: People Patching: Is User Education Of Any Use At All?)

This particular threat exemplifies that conflict/tension: the efficiency of a technical solution – automated detection of fraudulent (or at least unusual) transactions – is compromised because card users are not well enough informed to distinguish between legitimate and fraudulent phone calls.

David Harley
ESET Senior Research Fellow

* Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. (Merriam-Webster)

The post Anyone want to know my Social Security Number? appeared first on We Live Security.

Android security mystery – ‘fake’ cellphone towers found in U.S.
Thu, 28 Aug 2014 16:38:43 +0000 – http://www.welivesecurity.com/2014/08/28/android-security-2/
[There have been many comments to this story from people who are assuming that these 'towers' are physical installations. There's no reason to assume this is the case: it's far likelier that they are mobile installations of the kind used not only by law enforcement and government agencies, but also by scammers and other criminals. (David Harley)]

Seventeen mysterious cellphone towers have been found in America which look like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose, according to Popular Science.

The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks – can eavesdrop and even install spyware, ESD claims. They are a known technology – but the surprise is that they are in active use.

The towers were found by users of the CryptoPhone 500, one of several ultra-secure handsets that have come to market in the last couple of years, after an executive noticed his handset was “leaking” data regularly.

Its American manufacturer boasts that the handset has a “hardened” version of Android which removes 468 vulnerabilities from the OS.

Android Security: Towers in casinos

Despite its secure OS, Les Goldsmith of the handset’s US manufacturer ESD found that his personal Android security handset’s firewall showed signs of attack “80 to 90” times per hour.

The leaks were traced to the mysterious towers. Despite having some of the functions of normal cellphone towers, Goldsmith says their function is rather different. He describes them as “interceptors” and says that various models can eavesdrop and even push spyware to devices. Normal cellphones cannot detect them – only specialized hardware such as ESD’s Android security handsets.

Who created the towers and maintains them is unknown, Goldsmith says.

Origin of towers ‘unknown’

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says. “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one at South Point Casino in Las Vegas.”

Their existence can only be seen on specialized devices, such as the custom Android security OS used by CryptoPhone, which includes various security features – including “baseband attack detection.”

The handset, based on a Samsung Galaxy SIII, is described as offering a “Hardened Android operating system” with extra security. “Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures”, claims the site.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases,” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”

Baseband attacks are considered extremely difficult – the details of the chips are closely guarded. “Interceptors” are costly devices – and hacking baseband chips is thought to be technically advanced beyond the reach of “ordinary” hackers, ESD says. The devices vary in form, and are sold to government agencies and others, but are computers with specialized software designed to defeat the encryption of cellphone networks. The towers target the “Baseband” operating system of cellphones – a secondary OS which sits “between” iOS or Android, for instance, and the cellular network.

Goldsmith says that the devices cost “less than $100,000” and does not mention what level or type of device his team has detected. Most are still out of reach of average hackers, although freely advertised. One model is the VME Dominator, which is described as, “a real time GSM A5.1 cell phone interceptor. It cannot be detected. It allows interception of voice and text. It also allows voice manipulation, up or down channel blocking, text intercept and modification, calling & sending text on behalf of the user, and directional finding of a user during random monitoring of calls.”

What has come as a surprise is how many “interceptors” are in active use in the U.S., and that their purpose remains mysterious.
The post Android security mystery – ‘fake’ cellphone towers found in U.S. appeared first on We Live Security.

Google dorks – FBI warning about dangerous ‘new’ search tool
Thu, 28 Aug 2014 11:07:29 +0000 – http://www.welivesecurity.com/2014/08/28/google-dorks/
The FBI has issued a warning to police and other emergency response personnel about a lethal new tool which ‘malicious actors’ have been using to deadly effect against American government institutions – Google dorks.

The warning, reported by Ars Technica, refers specifically to ‘Google dorks’ or “Google dorking” – i.e. the use of specialized search syntax, using terms such as “filetype:sql”.

‘Google dorks’ refers to search syntax which allows users to search within a specific website (using the term in:url) or for specific file types, and can thus be used to search databases. Such search terms are widely known, and legal – the warning alerts units who may not be aware of the technique to secure databases properly.

Google dorks: Weapon of the ‘malicious’?

“In October 2013, unidentified attackers used Google dorks to find websites running vulnerable versions of a proprietary internet message board software product, according to security researchers,” the FBI warning says.

“After searching for vulnerable software identifiers, the attackers compromised 35,000 websites and were able to create new administrator accounts.”

“For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.”

The warning refers to several online resources commonly used to automate “Google dork” queries – and offers advice on the scope of such search syntax.

Shock as web users employ ‘search’

The warning also offers a useful link to Google’s own testing centre for pre-empting such attacks, the Google Hacking Database. Webmasters can use this to check whether files are “visible” to Google dorks, then hide them if they wish.

Ars Technica points out that the warning refers to “malicious cyber actors” and refers to a notorious case in which reporters were accused of “hacking” a website by using freely available information and an automated tool, GNUGet.

However, as Ars explains, the warning is not really meant to highlight a “new” technique, i.e. Google dorks, but to warn webmasters to make their websites more secure.

“This warning from the DHS and the FBI was mostly intended to give law enforcement and other organizations a sense of urgency to take a hard look at their own websites’ security,” Ars comments. “Local police departments have increasingly become the target of “hacktivists.” Recent examples include attacks on the Albuquerque Police Department’s network in March following the shooting of a homeless man and attacks on St. Louis County police networks in response to the recent events in Ferguson, Missouri.”

The warning says, “Ensure sensitive websites are not indexed in search engines. Google USPER provides webmaster tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index.”
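The practical question for a webmaster is which of their own files a query of the “operator:keyword” form quoted above would surface. As an added example (not code from the post, the FBI warning or Ars Technica), the Python below turns a few dork-style queries into an offline audit of a web root: it flags files a “filetype:” / “intext:” query would match and reports whether a robots.txt already disallows the path. The dork list, the sample web root and the robots.txt are all constructed here.

```python
"""Offline audit: which files in a web root would a 'filetype:' / 'intext:'
dork surface, and does robots.txt already keep crawlers away from them?

Added example, not code from the We Live Security post or the FBI warning.
The dork list, the sample web root and the robots.txt below are constructed.
"""
from typing import Dict, Iterable, List

# Dork-style queries in the "operator:keyword" form the warning describes.
# Only operators we can evaluate against local files are supported.
DORKS = [
    "filetype:sql",
    "filetype:xls intext:username",
    "filetype:log intext:password",
]


def parse_dork(dork: str) -> Dict[str, str]:
    """Split 'operator:keyword' tokens into a dict; unknown operators are ignored."""
    parsed: Dict[str, str] = {}
    for token in dork.split():
        op, sep, val = token.partition(":")
        if sep and op in {"filetype", "intext"} and val:
            parsed[op] = val.lower()
    return parsed


def parse_robots_disallows(robots_txt: str) -> List[str]:
    """Return Disallow prefixes from the 'User-agent: *' group(s) of a robots.txt."""
    disallows: List[str] = []
    applies = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "user-agent":
            applies = val == "*"
        elif key == "disallow" and applies and val:
            disallows.append(val)
    return disallows


def is_blocked(path: str, disallows: Iterable[str]) -> bool:
    """robots.txt Disallow rules are path prefixes."""
    return any(path.startswith(prefix) for prefix in disallows)


def matches_dork(path: str, content: str, dork: Dict[str, str]) -> bool:
    """True when the file's extension and text satisfy every operator in the dork."""
    if "filetype" in dork and not path.lower().endswith("." + dork["filetype"]):
        return False
    if "intext" in dork and dork["intext"] not in content.lower():
        return False
    return True


def audit(files: Dict[str, str], robots_txt: str) -> List[Dict[str, object]]:
    """files maps URL path -> text content (stand-in for a crawl of the web root).
    Returns one finding per (file, dork) match, noting whether robots.txt blocks it."""
    disallows = parse_robots_disallows(robots_txt)
    findings: List[Dict[str, object]] = []
    for path, content in files.items():
        for raw in DORKS:
            if matches_dork(path, content, parse_dork(raw)):
                findings.append(
                    {"path": path, "dork": raw, "blocked": is_blocked(path, disallows)}
                )
    return findings


# Constructed sample web root and robots.txt (not real data).
SAMPLE_FILES = {
    "/exports/customers.xls": "id\tusername\temail\n1\tjdoe\tjdoe@example.com",
    "/backup/site.sql": "CREATE TABLE users (id INT, username TEXT);",
    "/docs/brochure.pdf": "Welcome to our site",
    "/logs/app.log": "2014-08-28 12:00:01 login failed user=jdoe password=****",
}
SAMPLE_ROBOTS = """User-agent: *
Disallow: /backup/
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, SAMPLE_ROBOTS):
        state = "blocked by robots.txt" if f["blocked"] else "NOT blocked"
        print(f'{f["path"]}: matches "{f["dork"]}" ({state})')
```

A Disallow only asks well-behaved crawlers not to fetch a path; the file itself stays reachable, so a finding, blocked or not, is a prompt to remove the file or put it behind authentication, which is what the warning’s advice to keep sensitive sites out of the index comes down to.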

The post Google dorks – FBI warning about dangerous ‘new’ search tool appeared first on We Live Security.

Data breach in South Korea hits 27 million – half the population
Wed, 27 Aug 2014 09:48:28 +0000 – http://www.welivesecurity.com/2014/08/27/data-breach/
A data breach of staggering proportions has hit South Korea – involving 27 million people and 220 million private records – and affecting 70% of the population between the ages of 15 and 65, according to Forbes.

Sixteen hackers were arrested for the attack, which targeted registration pages and passwords for six online gaming sites – with the aim of selling game currency. South Korea has a strong online gaming culture, and people of all ages indulge in the hobby.

South Korean authorities said that the gang had stolen 220 million items of personally identifying information, with the goal of breaking into online game accounts. A 24-year-old man, surname Kim, bought these records from a Chinese hacker he met in another online game in 2011, according to the Korea JoonGang Daily.

Data breach hit 70% of adults

According to police, Kim received the 220 million personal information items – including the names, resident registration numbers, account names and passwords of the 27 million people – from a data breach of unknown origin, via a Chinese hacker he met in an online game in 2011.

Kim and his associates are thought to have used a hacking tool known as an “extractor” to log in to accounts and steal virtual currency and items to sell – earning in the process 400 million won ($390,919).

The Register reports that, “Kim bagged almost $400,000 by hacking six online games using the details and gave the Chinese cracker a $130,000 cut. The buyer used the creds to steal items from gaming accounts and sold off to other players.”

Hacking tool known as ‘extractor’

Police estimate that secondary damages from the data breach cost at least $2m.

When Kim’s gang could not break into accounts, they bought yet more personal information including identity cards from a cellphone retailer in Daegu, and then changed passwords to gain access.

Kim is also accused of having sold his hoard of personally identifying information to mortgage fraudsters and illegal gambling advertisers.
The post Data breach in South Korea hits 27 million – half the population appeared first on We Live Security.

Surveillance fears over systems which ‘follow’ cellphone users
Wed, 27 Aug 2014 09:15:09 +0000 – http://www.welivesecurity.com/2014/08/27/surveillance-fears-systems-follow-cellphone-users/
Concern is growing over the export of surveillance equipment which can track the movements of anyone carrying a cellphone – from town to town and even into other countries. Such technologies are freely on sale not only to oppressive regimes, but also to criminal gangs, according to a report by the Washington Post.

Third-party surveillance apps which allow suspicious spouses and more nefarious individuals to track the owner of a phone, by surreptitiously installing and hiding such an app, are of course widely available. Such ‘domestic spyware’ is often involved in domestic violence cases.

The technology used by repressive regimes is much higher-level surveillance: specifically, governments, gangs and other individuals monitor telecoms networks for subscribers’ location records.

Surveillance systems map people for weeks

“Surveillance systems are secretly collecting these records to map people’s travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology,” the Washington Post reports.

The use of such equipment is highlighted in a report, Big Brother Inc, by Privacy International, which claims that the surveillance industry has grown to be worth $5 billion per year, and that export control regulations have not kept pace with developments in such technology.

Capabilities of surveillance have grown hugely

“The capabilities of surveillance technology have grown hugely in the past decade – in the hands of a repressive regime, this equipment eradicates free speech, quashes dissent and places dissidents at the mercy of ruling powers as effectively as guns and bombs, if not more so,” Privacy International says in its report.

Mark James, security specialist at ESET, says there is a broader issue about the ownership of the data generated by such devices, and in particular the rights of the end user.

“The main concern here is the lack of international laws to protect the end user,” says James. “Without a global policy in place there will always be some countries that can be used to track people’s locations and activity.”

“With users now requiring the latest technology advancements in their mobile devices which include GPS location, mobile internet and the ability to be contacted wherever they are, it is often overlooked that this technology is two-way.

“Even if in your contract there were to be a paragraph stating that you can be monitored whenever and wherever, the likelihood of you reading it and acknowledging it exists is remote, and let’s be honest would you refuse to have the phone if this were made clear to you when you purchased it in the first place? I honestly think not.”

“This type of surveillance has been around for a while and it’s not going anywhere, all we can do is put measures in place for an independent organization to monitor its use and work harder to have an international agreement in place to limit where this data ends up.”

Privacy International is now campaigning for more regulation of the surveillance industry, and in particular to restrict the sale of such technologies to repressive regimes. The group points to some limited successes, such as the EU Parliament’s resolution calling for stricter oversight of surveillance technology exports, and President Obama’s executive order to prevent such exports to Syria and Iran.

The group says, “Export control regulations have not kept pace with this development, nor have companies taken it upon themselves to vet the governments to whom they sell their technology. The situation has now reached a crisis point: countries must enact strict export controls now, or be guilty of a staggering and continued hypocrisy with regard to global human rights.”

The post Surveillance fears over systems which ‘follow’ cellphone users appeared first on We Live Security.

Online fraud – POS malware has now hit 1,000 U.S. firms
Tue, 26 Aug 2014 15:08:58 +0000 – http://www.welivesecurity.com/2014/08/26/online-fraud/
More than a thousand U.S. businesses have been affected by point-of-sale malware – malicious software written specifically for online fraud – to steal information such as credit card details from companies and their customers.

The United States Computer Emergency Readiness Team issued a statement saying that the “Backoff” malware was rife in U.S. businesses, taking over administrator accounts and removing customer data from several hundreds of companies.

POS malware was a footnote in computing history until the Target breach, but the hi-tech online fraud now appears to be a growth industry. Ars Technica points out how quickly the software has evolved during the past two years, and emphasizes the direct impact on American consumers.

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.” Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

Online fraud: Shop terminals under attack

“Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the ‘Backoff’ malware,” the advisory stated.

The figure of 1,000 businesses comes from a Secret Service estimate, based on figures from vendors of POS software.

“Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected,” the advisory says.

Criminals target makers of software for shops

Ars refers to a recent attack, where the attackers were able to guess the password to the system and installed the Backoff program. The malware disguises itself as an innocent Java component but ‘listens’ for credit card transactions, storing them and transmitting them to criminals, according to US-CERT’s original advisory.

The US-CERT advisory advises companies, “Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.”
The post Online fraud – POS malware has now hit 1,000 U.S. firms appeared first on We Live Security.

Google Images hacked? Searches fill with morbid image
Tue, 26 Aug 2014 14:58:12 +0000 – http://www.welivesecurity.com/2014/08/26/google-images/
An image of a Russian car crash has piled up in Google Images, regardless of what users search for. Time magazine searched for ‘puppy’ and instead saw multiple images of the crash – leading to speculation that the service has been hacked. What’s less clear is why, or who might have done it.

One user says that regardless of what he searches for, he sees dozens of images of the same car crash, “Every time I search something in Google images, these creepy images are appearing. It’s apparently a crashed truck or something, but I didn’t look it up. People could say that it had something to do with what I was searching, but if I click on it, a different image appears. I have some screenshots attached.”

Google Images: ‘Creepy images appearing’

The issue is not affecting all users, but Google product forums are full of complaints about the image, which shows a fatal car crash from several years ago.

Time magazine reports that the images vary – Google’s own support forums tracked back and found the image came from a report on a Ukrainian news site. We’ve not linked to the report as it contains many more grisly images of the crash.

Time also reported that a related Reddit thread says that images of basketball player and occasional actor Kevin Durant have also been reported by some users.

Hours of glitches

Jalopnik says, “In the meantime, Reddit user anvile noticed that the original photos stem from a story about a car crash in Moscow that killed three people. The driver, a 28-year-old woman, was reported to be intoxicated.”

“Weirder still, the crash occurred in November of 2012, according to this Pravda article, so it isn’t recent.”

Google has as yet not offered comment on the images, or their origin.

The post Google Images hacked? Searches fill with morbid image appeared first on We Live Security.

PSN hacked – Network back after cyber attack and bomb threat
Mon, 25 Aug 2014 14:28:12 +0000 – http://www.welivesecurity.com/2014/08/25/psn-hacked/
Sony’s PlayStation Network was back online on Monday, and the information of its 53 million users was safe, despite a weekend-long cyber attack which left PSN hacked, and a reported bomb threat by the same group which caused the diversion of a flight carrying a Sony executive, according to a Reuters report.

A Twitter user with the handle @LizardSquad claimed responsibility for the attack, according to ITV’s report.

Sony summed up in a blog post, “The networks were taken offline due to a distributed denial of service attack. We have seen no evidence of any intrusion to the network and no evidence of any unauthorised access to users’ personal information.”

One of @LizardSquad’s Tweets said, “Sony, yet another large company, but they aren’t spending the waves of cash they obtain on their customers’ (PlayStation Network) service. End the greed.”

PSN hacked – and bomb threat issued

The group’s motivation for its attack was unclear. Shack News reported that the group also aimed DDoS attacks at Blizzard’s Battle.net, Riot’s League of Legends and Grinding Gear Games’ Path of Exile.

PSN Hacked

In a series of Tweets, the group also claimed to be aiming similar attacks at Xbox Live. “We don’t comment on the root cause of a specific issue, but as you can see on Xbox.com/status, the core Xbox LIVE services are up and running,” Xbox spokesman David Dennis said in an interview with Reuters.

Vice commented, “Since Lizard Squad’s fake threat of explosives and media coverage citing it as responsible for the ‘hack,’ the group has gained over 15,000 followers on Twitter. One of those followers includes Smedley himself.”

Gained 15,000 Twitter followers

In a blog post timed for Cologne’s Gamescom this year, ESET Distinguished Researcher Aryeh Goretsky said, “Computer criminals don’t just target gamers: gaming companies themselves can be targeted as well. Probably the most well-known example of this is the April 2011 breach of the Sony PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts.

“ESET provided extensive coverage of the Sony data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago. As a result, I am not going to discuss the details of the Sony breach in this article.

“Readers should be aware that this sort of problem is not unique to Sony, either. Almost exactly two years ago, Blizzard Entertainment suffered a data breach themselves, although they responded in a different and — this author thinks — more responsible fashion.

“The point here is that computer game companies and their associated services face real threats from criminals: if they charge customers for online play, the purchase of in-game items, or otherwise contain customer billing data in their computers, then those computer systems are targets for financial crime.”

A We Live Security guide to staying safe from cybercriminals while gaming online can be found here.

Bitcoin wallet phishing scores unlikely hit with crypto-curious
http://www.welivesecurity.com/2014/08/25/bitcoin-wallet/
Mon, 25 Aug 2014 14:16:59 +0000

A new tactic where waves of Bitcoin wallet phishing emails are targeted at corporations has proved a success for the criminals behind it – with nearly 2.7% of victims clicking on the malicious link embedded in the two waves of 12,000 emails.

The post Bitcoin wallet phishing scores unlikely hit with crypto-curious appeared first on We Live Security.

A new tactic where waves of Bitcoin wallet phishing emails are targeted at corporations has proved a success for the criminals behind it – with nearly 2.7% of victims clicking on the malicious link embedded in the two waves of 12,000 emails. Previous Bitcoin wallet phishing campaigns usually targeted known lists of Bitcoin users.

Proofpoint, which monitored the attack, said the emails, sent in two separate waves directed at organizations across various industries, were clicked on by people who did not use Bitcoin wallets as well as by users of the cryptocurrency.

Proofpoint said that the high success rate proved how much the hype behind the Bitcoin wallet had caught the imagination of the general population. “Unregulated and designed for anonymity, Bitcoin represents an attractive, $6.8 billion target to cyber criminals,” Proofpoint said.

Bitcoin Wallet: ‘Attractive target’

The Register’s John Leyden reported, “This high click-through rate is a concern because crooks could easily switch from Bitcoin scams to targeting curious users with DDoS malware, remote access Trojans, corporate credential phish, or other threats.”

Anti-phishing firm Cloudmark commented on The Register’s report that the relatively low-volume campaign had not been effective at avoiding spam filters – and thus was likely the work of “inexperienced spammers.”

The emails took the form of fake “account warning” emails, except using the Bitcoin wallet site Blockchain instead of banks or online payment services. The warning described a failed login attempt “originating in China”. As soon as victims clicked they were directed to a fake version of the Blockchain site, which includes a Bitcoin wallet.

Unlike with many banks and credit cards, there is little protection for Bitcoin users who have had their currency stolen – hence the many, many campaigns targeted at them.

Exploiting human psychology

The phishing campaign follows a fairly straightforward “account warning” template, using the Bitcoin site Blockchain.info instead of the usual bank or online payment service names. Prospective marks were falsely warned about a failed login attempt originating in China, attempting to create a sense of urgency by capitalising on popular fears over Chinese hacking.

Kevin Epstein, vice president of Advanced Security at Proofpoint, said, “Cybercriminals are continuing to improve their odds of success by exploiting human psychology as well as technology. Proofpoint’s research team recently observed a startling example of these ‘human factor’ exploit tactics in a campaign nominally targeted at stealing Bitcoin access credentials.”

“People who had no Bitcoin accounts – no reason to click on the email solicitation – were clicking anyway. It seems likely that attackers were taking advantage of Bitcoin’s recent popularity in the news to engage targeted users’ curiosity.

“The implications for corporate security teams are significant. Security professionals cannot afford to ignore any phishing emails, even what initially appear to be consumer-oriented campaigns not relevant to professional end users, as such topical phish clearly compels clicks even from users who should have no reason to click.”

How to protect your identity at school
http://www.welivesecurity.com/2014/08/22/protect-identity-school/
Fri, 22 Aug 2014 19:25:57 +0000

Young people are targeted for data theft at 35 times the rate of adults – they are considered an easy target for both digital and physical theft. You can make going back to school an easier transition by ensuring your data and devices are secure both at school and at home.

The post How to protect your identity at school appeared first on We Live Security.

Summer is in full swing, but school season is right around the corner. Young people are targeted for data theft at 35 times the rate of adults – they are considered an easy target for both digital and physical theft. You can make going back to school an easier transition by ensuring your data and devices are secure both at school and at home. Even if you’ll be using the computers provided by your school’s libraries or labs, there are plenty of steps you can take to make your data safer.

Protecting Your Devices at School

If you’re using your own desktop, laptop or smartphone, there are two things to be concerned with: Physical and information theft. There are a few things you can do to minimize the odds of both types of theft, and mitigate the damage if either does occur.

  • Minimize the target
    Don’t leave your laptop or phone unlocked and unattended, whether you’re at home or in public – these items are easily grabbed when you’re not looking. And when you take your laptop with you in public, it’s best to carry it in a bag that doesn’t advertise what’s inside; laptop sleeves or carriers let people know exactly what you’re carrying.
  • Minimize the damage
    Installing a Tracker App will help you track down your device, should it be lost or stolen. And if the files on your device are encrypted, even if someone gets access to your computer, they won’t be able to profit from your information.
  • Beef up your security
    Physical loss and theft are not the only ways to lose information on your phone. Malware and phishing are becoming increasingly common on mobile devices, so be sure to protect yourself. To protect yourself from phishing, make sure you’re using different passwords for all your different accounts, and pick a strong password for each. Using a password manager can help make this an easier task. Once you’ve got a good password, protect it: Don’t share it with others and don’t enter your password into sites you’ve visited via links in email or IM. To protect yourself from malware, install apps only from reputable app stores, and scan those files with an anti-malware product before installing.
  • Be cautious on public Wi-Fi
    You can never be entirely sure who’s sharing the network with you on public Wi-Fi, so be extra careful when you use public Wi-Fi, like at school or at your local coffee shop. Use VPN software so that your web traffic will all be encrypted – it’ll help keep people from electronically eavesdropping on you.

Securing Your Data When Using Communal Machines

There may be times when you may need to use the computers that are provided by the school. You really have no idea who was using that computer last, or what they were doing before you got there, so you should probably assume the worst. It’s best to act as if anything you type or see on the screen can be recorded and act accordingly:

  • Do not use public machines to log into accounts, especially accounts that store financial information (e.g., bank accounts or credit cards).
  • Avoid online shopping, as someone could get not just your login credentials, but your credit card number.
  • If for some reason you do need to log into an account on a public machine, it is essential to change any passwords you may have used, when you get back to your own machine.
  • Browse in Privacy Mode if you can – if not, be sure to clear your browser history and all cookies.

Younger people may feel that their information is of lesser value than more established adults, because they may have smaller bank accounts or less-juicy data, and may not take security as seriously. Ultimately, it doesn’t matter how young you are – your data and identity are valuable to cybercriminals and correcting the problems caused by loss and theft is a pain, no matter your age. Protecting your data now will help you avoid those headaches.

Week in security: Nuclear attack, scareware back and traffic-light hack
http://www.welivesecurity.com/2014/08/22/week-security-nuclear-attack-scareware-back-traffic-light-hack/
Fri, 22 Aug 2014 15:37:36 +0000

This week saw two of the scariest targets for hacks ever – nuclear plants and city-wide traffic systems. The traffic-light hack could basically have paralyzed any one of 40 American cities, and America’s Nuclear Regulatory Commission was successfully attacked three times within the past three years.

The post Week in security: Nuclear attack, scareware back and traffic-light hack appeared first on We Live Security.

This week in security news saw two of the scariest targets for hacks ever – nuclear plants and city-wide traffic systems. The stories delivered the goods, too – the traffic-light hack could basically have been carried out by anyone and paralyze any one of 40 American cities, and America’s Nuclear Regulatory Commission was successfully attacked three times within the past three years by unknown attackers, some foreign, largely using standard phishing emails and similar techniques.

In terms of novel malware, it was a bit of a dry week (always a good thing) bar the return of scareware – this time armed with an even more annoying method of making you pay up.

In Cologne, gamers gathered for Gamescom – and ESET’s Aryeh Goretsky took a look at how gaming has evolved, and cybercrime along with it, with discussions of gold-farming, theft of virtual goods, and how gaming companies are now fully awake to the threat of cybercrime.

Hackers get a “green” for go!

Often, when one reads the paper behind a cybercrime story, it’s disappointing – not so in the case of the novel attack against city-wide traffic systems described by University of Michigan researchers, which is genuinely terrifying. Little skill was required – radios were unencrypted or used default passwords, and control units had known vulnerabilities.

An attacker, like the film’s ‘crew’ on robbery, could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.

The University of Michigan researchers say that networked traffic systems are left vulnerable by unencrypted radio signals and factory-default passwords, and that access to individual lights – or even a city-wide attack, as in the film – is possible, according to Time’s report.

“This paper shows that these types of systems often have safety in mind but may forget the importance of security,” the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.

Scareware II: The return

Over the past months, ‘scareware’ – windows that warn users that their machine is infected, then, ironically, persuade them to download malware – has dropped, says Microsoft, as users wise up.

But a new variant, Win32/Defru, takes a different and simpler approach to tricking the user and monetizing the infection. Basically, it prevents the user from using the internet – it displays warning windows instead of sites. Now that really is cruel.

The malware targets 300 websites, and when a user tries to access them, they instead see the following fake message: “Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene.”

Rogue AV is still found – indeed ESET has been repeatedly ‘honored’ with fake scareware versions of its products, such as when ESET researchers discovered a Trojan packaged to look like antimalware products – but Microsoft reports that in the past 12 months, scareware has fallen out of fashion.

Microsoft researcher Daniel Chipiristeanu says, “Lately we’re seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families. It’s likely this has happened due to the anti-malware industry’s intense targeting of these rogues in our products, and better end-user awareness and security practices.”

Chipiristeanu says that “education” has played a part – but new gangs have simply moved on to new methods to target victims.

Pay for privacy? Yes we would!

Silent Circle, makers of Blackphone, are not smarting overly from their handset’s humiliation, it seems – and their mission to stop everyone spying on us continues. They have support, it seems – a poll of 2,000 people found that almost all of us believe we are being spied on, and about a third would pay to stop it.

Privacy issues have become an increasing concern outside the security community – in part thanks to revelations of government surveillance, as discussed by ESET researcher Stephen Cobb. Silent Circle carried out the survey in May this year, via OnePoll and found that 88% of UK workers believe their calls and texts are being listened to, versus 72% of Germans – it’s not clear by whom.

Nearly a third – 31% – of Germans would pay for a service which guaranteed their texts and calls were not being listened to. In Britain, 21% would do so. Germany is traditionally more privacy-conscious – services such as Google StreetView are not permitted there.

The scandal over Facebook’s Messenger app – and the overstated responses of many media outlets, served to highlight this. Cosmopolitan writes, “Basically, it can control your whole phone. And, most scarily of all, CALL PEOPLE.” Cosmopolitan had not been previously known for its concern with online privacy.

Nuclear Armageddon: Virtually here

A report released by America’s Nuclear Regulatory Commission highlighted how depressingly ordinary cyber attacks can still be effective against even the highest value targets.

The spear-phishing attacks against the Nuclear authority were hardly hacker whizkid territory, but nonetheless, hundreds fell for them.

CNET reports that one incident led 215 employees of the nuclear agency to “a logon-credential harvesting attempt,” hosted on “a cloud-based Google spreadsheet.” The information was obtained through a specific request by NextGov. A second spearphishing attack targeted specific employees with emails crafted to dupe them into clicking a link which led to malware on Microsoft’s cloud storage site SkyDrive.

The third attack was a spearphishing attack directed at a specific employee. Once his account credentials were obtained, emails were sent to 15 further employees, with malware-laced PDFs.

It’s still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action.

NRC spokesman David McIntyre said that his security team “thwarts” most such attempts.

Conspiracy theorists, start your engines!

Our last story really is the stuff of conspiracy theorists’ dreams: the very next day after Malaysia Airlines Flight MH370 disappeared, “sophisticated” malware was used to steal documents from government officials working the case.

A mysterious attacker in China purloined “classified documents” in “significant amounts”, details of which remained vague – stoking the fires of conspiracy still further.

The Malaysian Star claims that the attack targeted officials with a PDF document which appeared to be a news report about Flight MH370, and was sent to a group of investigators. Around 30 computers were infected by the malware.

“We received reports from the administrators of the agencies telling us that their network was congested with e-mail going out of their servers,” CyberSecurity Malaysia chief exec Dr Amirudin Abdul Wahab said.

“Those e-mail contained confidential data from the officials’ computers, including the minutes of meetings and classified documents. Some of these were related to the Flight MH370 investigation.”

Business Insider says that the attack occurred one day after the Boeing 777 went missing, and took the form of an .exe file disguised as a PDF (a common office file format).

It’s unclear who the attacker – or attackers – were, but information from infected computers was transmitted to an IP address in China. Officials in Malaysia blocked the transmission, The Star said.

Facebook scams – the ‘classics’ and how to avoid them
http://www.welivesecurity.com/2014/08/22/facebook-scams-classics-avoid/
Fri, 22 Aug 2014 15:27:37 +0000

But some things on Facebook haven’t changed – namely, the scams. It’s not that cybercriminals are unoriginal – it’s just that there are a few Facebook scams which work again and again. Here's why.

The post Facebook scams – the ‘classics’ and how to avoid them appeared first on We Live Security.

Facebook has changed hugely over the years – remember ‘Pokes’? – and today’s sharing machine, with its videos, its news and its scams, is very different from the bare site Mark Zuckerberg launched.

Naturally, each new ‘feature’ has also brought new privacy worries – and security-conscious users should revisit their profile with our detailed guide to ‘maxing’ privacy on Facebook.

But some things haven’t changed – namely, the Facebook scams. It’s not that cybercriminals are unoriginal – it’s just that there are a few Facebook scams which work again and again, and all the criminals need to do is vary them slightly to keep money rolling in.

ESET Senior Research Fellow David Harley says, “While hoaxes may not seem the most dangerous aspect of online life, the migration of old hoaxes and new variations from email to social media does have some serious implications, as people Like and Share links without checking because they seem to come from likeminded and trusted friends.”

“The more FB friends you have, the more you’ll see these reverberate. You may not worry about political propaganda, but medical hoaxes and semi-scams can be a literal threat to health.”

ESET’s Social Media Scanner offers a quick, free way to check out if that news story on Facebook is true – or a scam. It never hurts to be cautious, though – and here are five classic scammy and spammy posts you should NEVER click.

‘Help, I’ve been mugged abroad’

Your friend or family member has lost their phone – so it makes sense they’d contact you via Facebook for help. Usually the story goes that they have been mugged or are in hospital – but it’s one of THE classic online scams, and one of the common uses cybervillains put hijacked Facebook accounts to. ESET’s Harley offers detailed tips on spotting the scam – known as ‘Londoning’,  due to early versions being used on Americans. Harley quotes a typical text: “I hope you get this on time, I made a trip to Manila(Philippines) and had my bag stolen from me with my passport and personal effects therein. The embassy has just issued me a temporary passport but I have to pay for a ticket and settle my hotel bills with the Manager.”

“I have made contact with my bank but it would take me 3-5 working days to access funds in my account, the bad news is my flight will be leaving very soon but i am having problems settling the hotel bills and the hotel manager won’t let me leave until i settle the bills, I need your help/LOAN financially and I promise to make the refund once i get back home, you are my last resort and hope, Please let me know if i can count on you and i need you to keep checking your email because it’s the only way i can reach you.”

Naturally, people worry – but it’s not your friend. Someone has hijacked their account. Harley offers five steps to take in a post here – starting with “Be suspicious” and “Verify.”

‘See who has been looking at your Facebook profile’

Facebook will NEVER introduce a feature that allows people to see who has looked at their profile – with the number of people who surreptitiously look up old (or potential new) flames it would probably cause World War III.

Beware – it’s a classic scam post, along with variations on real new Facebook features, or fake ones such as turning your profile pink (another bizarrely long-lived scam).

Links offering early access to features such as Facebook’s A Look Back video, or upgrades to Timeline can also be scams, as reported here. The key warning sign is that you are directed outside Facebook – look at the URL.

If Facebook was ‘upgrading’ you, it would do so within Facebook. As soon as you see an external site URL, close the window – and do not install any app. In many cases, scam videos will install a ‘rogue’ Facebook app to spread rapidly via the network – but as reported by We Live Security here, such scams can, in the worst case scenario, lead to tainted sites which infect users with PC malware.

If I get a million Likes…

What’s the harm in “Liking” a page if it’ll get his girlfriend to marry him? Not a huge amount – but you’re still helping scammers earn money. Campaigns such as privacy drives, or “Click This if You Hate Cancer”, are also usually just as fake (ESET Senior Research Fellow David Harley offers tips and thoughts on these “chain letters” of Facebook) – as are pictures where you’re urged to click and see what happens. Likes, of course, are the “currency” of Facebook – so criminals collect them by any means, fair or foul. Daylan Pearce, a search-engine expert at Next Digital in Melbourne, says pages with 100,000 likes can be sold for $200, according to adverts unearthed by Pearce.

“Within 3 days a post like this one has 70,000 likes, and someone somewhere is about to make a nice little profit by selling the page to a business wanting some quick wins. The buyer then changes the page details. Instant fanpage with a big following, lots of likes.”

Your “Likes” also remain visible forever – and could serve adverts to your friends. Any pages you have “Liked” are also now searchable in Facebook’s new Graph Search. Visit your Activity Log and make sure you haven’t “Liked” any companies, products or sites you wouldn’t want the world to know about.

The warning from Facebook

“WARNING : Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation.” The fake warning is, of course, a tool as fundamental to scammers as lockpicks are to burglars – witness this report just this week. The bad English in that particular post should alert you to the fact that this is not a communication from Facebook – but it’s good enough to fool you if you’re not fully alert. It’s a scam, and a particularly vicious one at that.

Identified by Facecrooks.com – a great site to stay up to speed with the latest scams – the ‘warning’ scam is easier to fall for because Facebook does block certain posts or behavior – but the warning sign here is that a genuine reprimand would NEVER ask for your password. Why would Facebook need it at that point? Facecrooks writes, “if a user submits their Facebook login credentials, then the scammer will have complete control over their account. They can access their personal information to try and steal their identity, they can send bogus messages to their friends stating that they are in trouble and please send money, they can send links to other scams to all of the victim’s Facebook friends….the opportunities for misuse and exploitation are endless!” Similar scareware posts involve Facebook purging drug-related posts – again, a scam.

The morbid celebrity-death story

News stories DO spread through Facebook – but so do fakes, or hybrids where a real story is changed to add one morbid detail. Last week, a post purporting to offer a video of Robin Williams making his last phone call should have rung alarm bells – few news sources would play such a video so soon after someone’s death. The scam, which you may see shared by Facebook friends oblivious to the fact that they are helping fraudsters earn money, claims to be a ghoulish video of Robin Williams making his last phone call before committing suicide earlier this week. Of course, you might be fooled into believing it is genuine. After all, you have just seen one of your Facebook friends share it on their wall.

Multiple scams – including some using fake Facebook profiles – targeted grieving victims of the recent Flight MH17 tragedy. Alistair MacGibbon of the University of Canberra said that the criminals would hope to make money for referring victims to unscrupulous sites – and that the practice was increasingly common. “Crooks are super-fast these days at picking up on anything that’s remotely topical, and working out how to monetize it from a criminal point of view,” he said. “It’s a really distasteful trend.”

The too-good-to-be-true ticket offer

Cybercriminals follow the news avidly – hoping to fool users into clicking on malicious links in fake news stories – but the low-hanging fruit is upcoming events. Whether it’s the World Cup or a big concert, people DO want tickets – and worst of all, some companies offer them through Facebook competitions, which makes the scam more convincing. A recent tickets scam encouraged fans to forward the link to friends to win Rolling Stones tickets. “You’d be making a big mistake if you clicked on the link, as you will be taken to a third-party website which strongly encourages you to share the link via social media, and then coerce others into clicking on it,” writes We Live Security’s Cluley. It is often safer to Google the subject of a link or type a website’s main URL into a browser instead of clicking the link – here, fans would have found that, on the official Stones website, there was no mention of the offer at all.

Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability
http://www.welivesecurity.com/2014/08/22/secret-app-takes-mere-minutes-hack-revealing-anyones-secret-via-simple-vulnerability/
Fri, 22 Aug 2014 13:48:14 +0000

Do you trust the internet with your secrets? Perhaps you shouldn't, even if you're using an app which professes to "deliver anonymously" secrets to your friends, and their circles, without identifying you as the originator...

The post Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability appeared first on We Live Security.

Do you trust the internet with your secrets?

Perhaps you shouldn’t, even if you’re using an app which professes to “deliver anonymously” secrets to your friends, and their circles, without identifying you as the owner of those secrets.

As Wired reports, researchers at Seattle-based Rhino Security Labs discovered a weakness in how the popular Secret app works, giving them a way of reading anybody’s supposedly anonymous postings.

At this point you’re probably imagining that for anyone to hack Secret, a popular app amongst iOS and Android users, would take ninja-like skills and advanced methods.

But in truth researchers found it remarkably easy, and the secrets of users can spill out within just a matter of minutes, as a Rhino Security researcher demonstrated to journalist Kevin Poulsen over lunch:

White hat hacker Ben Caudill is halfway through his sandwich when he casually reaches over to his iPhone, swipes the screen a few times, then holds it up to me. “Is that you?” he asks.

It is, but nobody was supposed to know. He’s showing me one of my posts to Secret, the popular anonymous sharing app that lets you confess your darkest secrets to your friends without anyone knowing it’s you. A few minutes ago I gave Caudill my personal e-mail address, and that was all he needed to discover my secret in the middle of a Palo Alto diner, while eating a BLT.

So just how did researchers manage to connect users’ email addresses with secrets they had posted via the Secret app?

Well, it’s breathtakingly simple.

Secret posts

When you create an account on Secret, the app requests access to your address book – so it can identify friends who might also be using the service.

And, as Secret’s FAQ explains, you need at least seven friends before the app will begin to say that a secret has been posted by one of your friends (although, of course, it doesn’t identify which one).

Part of Secret FAQ

Until you have 7 friends, posts will not be identified as coming from “friends” or “friends of friends” but will instead indicate “Your Circle.” We’ll never explicitly tell you which of your friends are on Secret to protect identities.

Does that sound reasonable to you?

Well, maybe this will make you think again.

Because what the researchers then did was create seven bogus Secret accounts – something that’s remarkably easy to do as Secret doesn’t require you to confirm your phone number or email address.

And then came the really clever part, as Kevin Poulsen of Wired explains:

Next, [Caudill] deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask — me.

Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.

Clever, huh? And, in retrospect, remarkably straightforward.

So all that was required to find out what secrets you had posted was your email address – something that, for most of us, cannot really be considered private or secret.
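The steps above amount to a check on the wrong quantity: the feed starts labelling posts as coming from “friends” once the contact count reaches seven, but what protects the author is the number of those contacts the viewer does not already control. The toy model below, added here and not Secret’s code, rebuilds the feed Poulsen describes and reports the size of the set of accounts a “friends” post could belong to. The `Account` fields and the verified-only counting rule are assumptions used to show one way the threshold could be made to count only contacts whose ownership was confirmed (the article notes Secret required no confirmation of phone number or email); they are not Secret’s actual fix.

```python
"""Toy model of the 'friends' label and the contact-list inference described above.
Added example, not Secret's code; the Account fields and the verified-only rule are assumptions."""
from dataclasses import dataclass

FRIEND_THRESHOLD = 7  # Secret's FAQ: posts are labelled "friends" only once you have 7 friends


@dataclass(frozen=True)
class Account:
    email: str
    verified: bool = False  # assumed: the address was confirmed by its owner (Secret did not require this)


def feed_label(friends, threshold=FRIEND_THRESHOLD, count_only_verified=False):
    """Label the viewer's feed attaches to a contact's post, under two counting rules.

    Counting every synced contact reproduces the behaviour the article describes;
    counting only verified accounts is an assumed hardening, not Secret's fix."""
    eligible = [a for a in friends if a.verified] if count_only_verified else list(friends)
    return "friends" if len(eligible) >= threshold else "Your Circle"


def anonymity_set(friends, controlled_by_viewer):
    """Accounts a post labelled 'friends' could have come from, as far as the viewer knows.

    Accounts the viewer created are excluded: the viewer already knows what they post."""
    return {a.email for a in friends if a.email not in controlled_by_viewer}


def article_scenario(target_email, bot_emails, count_only_verified=False):
    """Rebuild the feed from the article: seven viewer-made contacts plus one real person.

    Returns the label the feed shows and, when that label is 'friends', the set of
    accounts a 'friends' post could belong to (None when nothing is labelled).
    A set of size one means the label alone identifies the author."""
    bots = [Account(e, verified=False) for e in bot_emails]
    target = Account(target_email, verified=True)
    friends = bots + [target]
    label = feed_label(friends, count_only_verified=count_only_verified)
    if label != "friends":
        return label, None
    return label, anonymity_set(friends, {b.email for b in bots})


if __name__ == "__main__":
    bots = [f"bot{i}@example.invalid" for i in range(7)]  # constructed addresses
    print(article_scenario("person@example.invalid", bots))
    print(article_scenario("person@example.invalid", bots, count_only_verified=True))
```

The lesson for anyone designing a similar feature is in `anonymity_set`: the threshold has to be measured against contacts the viewer cannot vouch for, and a counting rule that can be satisfied with accounts nobody has verified gives a threshold of seven no more protection than a threshold of one.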

Secret CEO David Byttow told Wired that the vulnerability has now been closed, and claimed that they had no evidence that the privacy hole had been maliciously exploited.

“As near as we can tell this hasn’t been exploited in any meaningful way. But we have to take action to determine that.”

However, it’s worth bearing in mind that an absence of evidence is not evidence of absence. Just because Secret can’t tell whether the flaw has been used to embarrass or blackmail individuals who have posted compromising secrets doesn’t mean that it hasn’t happened.

And the Secret app’s developers have confirmed that since a bug bounty was introduced in February, a total of 42 security holes have been identified and fixed.

Obviously it’s good that security and privacy vulnerabilities are being fixed, but when it’s your *secrets* which are at stake, wouldn’t you feel happier knowing that the app had been built on more sturdy ground in the first place?

One has to wonder whether Secret’s claims of “refined algorithms” to detect bots and suspicious activity on Secret are really enough to protect its users.

Secret is no stranger to controversy, of course.

Just this week a Brazilian judge has called for the app to be banned from official app stores, claiming that it encourages anonymous bullying.

But, in my mind, the problem lies not so much with the app as with the people who use it.

They clearly haven’t learnt the most basic rules of keeping secrets.

Don’t tell anyone. Don’t write it down. Don’t type it into an app. Never ever post it onto the internet.

As soon as you trust anyone or anything else with a secret, you’re doomed.

Scareware: It’s back, and now it’s even scarier
http://www.welivesecurity.com/2014/08/21/scareware-back-now-scarier/
Thu, 21 Aug 2014 12:06:57 +0000

‘Scareware’ – fake antivirus programs which attempt to fool the user into downloading malware, by warning him or her of a “threat” on their PC – is back, with a new, even more annoying trick.

V3 reports that the new strain of scareware reverses a “dropping trend” in fake AV with a new way of making money – blocking the user from using the internet until they pay for the ‘product’.

Threatpost says, “Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.”

Scareware: Antivirus that isn’t ‘anti’

Rogue AV is still found – indeed ESET has been repeatedly ‘honored’ with fake scareware versions of its products – but Microsoft reports that in the past 12 months scareware has fallen out of fashion.

Variants on the tactic are still used, but the classic scareware warning inciting victims to download AV products that are, in fact, malware, is less common.

On Android, ESET researchers discovered a Trojan packaged to look like antimalware products: “This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.”

Microsoft researcher Daniel Chipiristeanu says, “Lately we’re seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families. It’s likely this has happened due to the anti-malware industry’s intense targeting of these rogues in our products, and better end-user awareness and security practices.”

Chipiristeanu says that “education” has played a part – but new gangs have simply moved on to new methods to target victims.

Stops you using internet – until you pay

“The big malware “players” are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering; we are seeing other players willing to fill the gap. Rogue:Win32/Defru has a different and simpler approach on how to trick the user and monetize on it. Basically, it prevents the user from using the internet by showing a fake scan when using different websites.”

The malware targets 300 websites, and when a user tries to access them, they instead see the following fake message: “Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene.”

Naturally, the ‘cure’ is to pay, Threatpost says. Thus far, the malware largely targets Russian-speakers.

“An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click “Pay Now”. This will lead them to a payment portal called “Payeer” (payeer.com) that will display payment information (see Figure 3). But of course, even if the user pays, the system will not be cleaned,” says Chipiristeanu.

“The user can clean their system by removing the entry value from the “run” registry key, delete the file from disk and delete the added entries from the hosts file. Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one.”
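The clean-up Chipiristeanu describes has three parts, and the one that does the redirecting is the hosts file. The script below, added here and not Microsoft’s or ESET’s tooling, parses a hosts file and reports every mapping for a domain on a watch-list, so an administrator can spot entries that pin well-known sites to some other address. The sample file and the watch-list are constructed; the Windows hosts path is the standard one.

```python
"""Flag hosts-file entries that hijack well-known sites, the mechanism the article attributes to Defru.
Added example, not Microsoft's or ESET's tooling; the sample file and the watch-list are constructed."""
import ipaddress

# Standard location on Windows; a rogue that redirects sites appends its entries here.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: two legitimate lines followed by the kind of entries a redirecting rogue adds.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# entries below are constructed to look like a hijack
198.51.100.23   google.com
198.51.100.23   www.facebook.com  vk.com
0.0.0.0         ads.example
"""

WATCHED_DOMAINS = ["google.com", "facebook.com", "vk.com", "yandex.ru"]  # constructed watch-list


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments (# ...) and blank lines are skipped; one line may map several names."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def matches_watched(name, watched):
    """True for the domain itself or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in watched)


def hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Mappings that pin a watched domain to any address at all.

    A stock hosts file never names public sites, so even a loopback mapping
    (which could front a locally served fake-scan page) is worth reporting."""
    return [(lineno, name, str(ip)) for lineno, ip, name in parse_hosts(text)
            if matches_watched(name, watched)]


def scan_file(path=WINDOWS_HOSTS, watched=WATCHED_DOMAINS):
    """Run the check against a real hosts file (needs read access to the path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked_entries(fh.read(), watched)


if __name__ == "__main__":
    for lineno, name, ip in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

The report is deliberately not a remover: the entries should be reviewed and deleted by hand, alongside the other two steps in the quote (the value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that relaunches the program, and the file it points at). A hosts file that maps popular sites anywhere, loopback included, is a strong enough signal on its own to justify that look.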

Flight MH370 – did cyber attack steal its secret?
http://www.welivesecurity.com/2014/08/21/flight-mh370/
Thu, 21 Aug 2014 12:02:24 +0000

Classified documents relating to the missing Malaysian Airlines Flight MH370 were stolen using a carefully-crafted spear-phishing attack, targeting 30 government officials just one day after the disappearance of the still-missing aircraft.

The Malaysian Star claims that the attack targeted officials with a PDF document which appeared to be a news report about Flight MH370, and was sent to a group of investigators. Around 30 computers were infected by the malware.

“We received reports from the administrators of the agencies telling us that their network was congested with e-mail going out of their servers,” CyberSecurity Malaysia chief exec Dr Amirudin Abdul Wahab said.

Flight MH370: ‘Confidential data’

“Those e-mail contained confidential data from the officials’ computers, including the minutes of meetings and classified documents. Some of these were related to the Flight MH370 investigation.”

Business Insider says that the attack occurred one day after the Boeing 777 went missing, and took the form of an .exe file disguised as a PDF (a common office file format).
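An executable dressed up as a PDF is caught by comparing what the file name claims with what the first bytes of the file say. The check below is an added example, not CyberSecurity Malaysia’s tooling: it looks at the final extension, at a double extension such as `report.pdf.exe` (which a mail client that hides known extensions displays as `report.pdf`), and at the file’s leading bytes. The sample attachment names and their bytes are constructed; the signatures are the standard ones (`%PDF-` for PDF, `MZ` for a Windows executable).

```python
"""Check an attachment's claimed type against its content, for the '.exe disguised as a PDF'
lure described above. Added example, not CyberSecurity Malaysia's tooling; the sample
attachments and their bytes are constructed."""
from pathlib import PurePath

# Leading bytes that identify a format. A PDF begins "%PDF-"; a Windows executable begins "MZ".
SIGNATURES = {
    "pdf": b"%PDF-",
    "exe": b"MZ",
    "zip": b"PK\x03\x04",   # also the container for .docx/.xlsx
}

DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def actual_type(data: bytes) -> str:
    """Format implied by the first bytes, or 'unknown'."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> str:
    """Return 'ok' or a short reason the attachment should be quarantined.

    Two tricks are caught: content that is an executable while the name claims a
    document, and a double extension such as 'report.pdf.exe', which a mail client
    that hides known extensions shows as 'report.pdf'."""
    suffixes = [s.lstrip(".").lower() for s in PurePath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    actual = actual_type(data)
    if actual == "exe" and claimed != "exe":
        return f"content is an executable but the name claims '{claimed or '(none)'}'"
    if claimed == "exe" and len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
        return "double extension hides an executable behind a document name"
    return "ok"


# Constructed samples: a PE header stub and a PDF header stub, not real files.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, data in [("MH370 news report.pdf", PE_STUB),
                       ("MH370 news report.pdf.exe", PE_STUB),
                       ("MH370 news report.pdf", PDF_STUB)]:
        print(name, "->", check_attachment(name, data))
```

Neither test depends on an antivirus signature, which is the point: Amirudin is quoted below saying the malware itself went undetected, but a mismatch between name and content is visible regardless of what the payload is.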

It’s unclear who the attacker – or attackers – were, but information from infected computers was transmitted to an IP address in China. Officials in Malaysia blocked the transmission, The Star said.

‘Very sophisticated attack’

The Department of Civil Aviation, the National Security Council and Malaysia Airlines were among those targeted by the hacker, the Telegraph reports. The infected machines were shut down, but “significant amounts” of information on Flight MH370 had been stolen.

“This was well-crafted malware that antivirus programs couldn’t detect. It was a very sophisticated attack,” Amirudin said.

CyberSecurity Malaysia suspects the motivation may have been curiosity about supposedly “secret” information held by the Malaysian government on Flight MH370.

“At that time, there were some people accusing the Government of not releasing crucial information,” Amirudin said. “But everything on the investigation had been disclosed.”

Traffic light – ‘easy’ to hack whole city’s systems
http://www.welivesecurity.com/2014/08/20/traffic-light/
Wed, 20 Aug 2014 13:19:40 +0000

The most famous traffic light ‘hack’ in history is in the classic film, The Italian Job (1969), a caper movie where the heist involves paralyzing Turin via its traffic control system. The plan’s author, played by Michael Caine, says, “It’s a very difficult job and the only way to get through it is we all work together as a team. And that means you do everything I say.”

The reality, it turns out, is much easier – at least according to researchers at the University of Michigan, who say that networked traffic systems are left vulnerable by unencrypted radio signals and factory-default passwords, and that access to individual lights – or even a city-wide attack, as in the film – is possible, according to Time’s report.

“This paper shows that these types of systems often have safety in mind but may forget the importance of security,” the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.

An attacker focused, like the film’s ‘crew’, on robbery could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.

Traffic light: Blow the bloody doors off

“Once the network is accessed at a single point, the attacker can send commands to any intersection on the network,” the researchers write.

“This means an adversary need only attack the weakest link in the system. The wireless connections are unencrypted and the radios use factory default user-names and passwords.”

Traffic light controllers also have known vulnerabilities, and attacks could paralyze cities: a traffic DDOS could, the researchers suggest, turn all lights to red, and cause “confusion” across a city.

Lights ‘go green automatically’ as thief escapes

“An attacker can also control lights for personal gain. Traffic lights could be changed to be green along the route the attacker is driving,” the researchers write.

“Since these attacks are remote, this could even be done automatically as she drove, with the traffic lights being reset to normal functionality after she passes through the intersection.”

“More maliciously, lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response,” they write. They also suggest measures including encrypted signals and firewalls which could improve current systems.

Perhaps a film reboot is in order: after all, the 1969 version ends with Caine saying, “Hang on, lads; I’ve got a great idea.”

PIN number: Police want codes on ALL devices
http://www.welivesecurity.com/2014/08/20/pin-number/
Wed, 20 Aug 2014 13:15:20 +0000

Police hope to work with leading mobile phone manufacturers such as Samsung to build in the requirement for a password or PIN number as a default into new handsets, with the British police unit responsible for phone theft wanting to “target-harden” phones.

Currently, up to 60% of phones have no form of password protection, said the National Mobile Phone Crime Unit. This not only makes it easier to resell the gadgets, but hands over personal data – including, potentially, GPS data showing the locations of homes, as well as passwords and banking details, according to The Register’s report.

DCI Bob Mahoney of the NMPCU said, “We are trying to get [PIN number systems and other codes] to be set as a default on new phones, so that when you purchase it you will physically have to switch the password off, rather than switch it on.”

The NMPCU said in a statement to Motherboard that PIN-protected phones were less valuable to thieves.

PIN number: Less valuable to thieves

“We have been talking to the industry and government. This is one of the main ideas among a range of measures we are trying to push to protect personal data. All of the industry has been engaged at all levels – and government too.”

“We have intelligence that shows a phone with personal information is worth more than other mobiles, because the thief can sell it on to anyone who can make use of that info,” the DCI said.

“On an unlocked phone, you can find a person’s home address, home telephone number, their partner’s details, diary, Facebook and Twitter account. This allows thieves to know when a target is not going to be at home or perhaps use their details to set up banking loans. They could destroy a person’s life.”

‘This can destroy lives’

We Live Security has written a guide to securing mobile devices (including tips such as ensuring screen time-outs are lowered before a PIN number is required so a thief is less likely to get access to an ‘unguarded’ handset).

PR efforts from major phone companies tend to focus on novel protection methods such as biometrics, but Get Safe Online, a government organization focused on cyber safety, said that passwords, when rolled out widely, were an effective measure: “Fingerprint recognition offers a degree of safety, but there is still no substitute for a well-devised and protected password or PIN.”

Techradar said that Samsung had been in discussion with government. Mahoney said the discussions had been underway for two years and the “idea was gaining traction.”

Mahoney said, “If you have to get into the phone to switch something on, our research indicates people are less likely to do it. The industry are very supportive.”

Banking security – new apps ‘know’ your touch
http://www.welivesecurity.com/2014/08/19/banking-security-new-apps-know-touch/
Tue, 19 Aug 2014 16:41:31 +0000

Everyone hates passwords – even the guy who invented them – but some bank app users in the Nordic region are experiencing a taste of a future where they might not be necessary.

Password theft – on a massive scale – has become a near-weekly happening, and biometrics have their own disadvantages – such as inaccurate scanners which won’t work when wet, as well as hacks with latex fingerprints and other such gizmos.

But customers at Danske Bank have been trialling a new “behavioral” form of identification, according to Forbes magazine. Rather than simply identifying a customer by a PIN, the app tracks the pressure and speed with which they type it in.

Banking security: Touch too much?

The theory is that even if a PIN is weak, or stolen, the thief cannot mimic the distinctive pattern of pressure with which the user types it in.

“Eventually mobile security may no longer hinge on whether a password is long enough, but on how well the device knows the user,” ComputerWorld comments.

“We’re monitoring the small stuff,” says Neil Costigan, founder of Behaviosec. “The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?”
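The “flight between the keys” Costigan mentions is the easiest of these signals to reason about, so here is a minimal keystroke-dynamics check built on it. This is an added example, not Behaviosec’s algorithm: it enrols a profile from a few typing sessions of a four-digit PIN (the inter-key intervals, their mean and spread), then scores a new attempt by how many standard deviations its intervals sit from that profile. The timings, the jitter floor and the acceptance threshold are constructed; a product would fuse pressure, touch area and other sensors and tune the threshold on real data.

```python
"""Keystroke-dynamics check for a PIN based on flight times between key presses.
Added example, not Behaviosec's algorithm; the timings, jitter floor and threshold are constructed."""
from statistics import mean, pstdev

# Constructed enrolment data: key-down timestamps (ms) for a four-digit PIN over four sessions.
# Only the rhythm is stored; the digits themselves are not part of the profile.
ENROLMENT = [
    [0, 210, 430, 760],
    [0, 190, 450, 740],
    [0, 225, 415, 780],
    [0, 200, 440, 750],
]

JITTER_FLOOR_MS = 5.0  # constructed: stops one very consistent interval from dominating the score


def flight_times(stamps):
    """Intervals between consecutive key presses, in ms."""
    return [b - a for a, b in zip(stamps, stamps[1:])]


def enrol(sessions):
    """Per-interval (mean, standard deviation) learned from the enrolment sessions."""
    columns = list(zip(*(flight_times(s) for s in sessions)))
    return [(mean(c), max(pstdev(c), JITTER_FLOOR_MS)) for c in columns]


def distance(profile, stamps):
    """Mean absolute z-score of a new attempt's intervals against the profile."""
    scores = [abs(x - m) / sd for x, (m, sd) in zip(flight_times(stamps), profile)]
    return mean(scores)


def verify(profile, stamps, threshold=2.5):
    """Accept when the rhythm is, on average, within `threshold` standard deviations.

    The PIN is still checked separately; this only decides whether the typing
    looks like the enrolled user, which is what a stolen PIN cannot reproduce."""
    return distance(profile, stamps) <= threshold


if __name__ == "__main__":
    profile = enrol(ENROLMENT)
    genuine = [0, 205, 440, 755]      # constructed: same rhythm as enrolment
    impostor = [0, 400, 800, 1200]    # constructed: correct PIN, even and slow rhythm
    print("genuine  ", round(distance(profile, genuine), 2), verify(profile, genuine))
    print("impostor ", round(distance(profile, impostor), 2), verify(profile, impostor))
```

Two things carry over to the real systems in the article: the profile must be updated as the user’s habits drift, or genuine users start failing, and the threshold trades false rejections against false accepts, which is why vendors quote a figure such as the 99.7% session accuracy mentioned below rather than claiming a hard lockout.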

‘How well the device knows you’

As a security solution, it’s low-cost (it uses sensors already present in the phone) and demands nothing of the customer. The trial has been such a success that multiple banks in Sweden, Norway and Denmark will use similar apps shortly. The app scored 99.7% session accuracy.

“Multilayered security can be achieved by combining the three pillars: something you have (i.e., the phone as a token), something you know (like your PIN), and something you are which is your physical or behavioral metrics,” says Behaviosec.

At present, Behaviosec’s technology can pick up a ‘false’ user within 20 to 60 seconds. The company said it could also have wider applications such as preventing children accessing inappropriate content on tablets.

The start-up is now investigating further behavioral tracking – such as monitoring the way in which a user picks up a smart device, using the gyroscope.

Our own daily routines could even be used as “passwords”, some researchers believe. Google’s “predictive” Google Now system already offers Android users reminders to go to work (by monitoring their movements by GPS), and to go home. Could such data be used as a “password”?

“Most people are creatures of habit – a person goes to work in the morning, perhaps with a stop at the coffee shop, but almost always using the same route. Once at work, she might remain in the general vicinity of her office building until lunch time. In the afternoon, perhaps she calls home and picks up her child from school,” says Markus Jakobsson of the Palo Alto Research Centre.

Jakobsson analyzed several techniques for identifying users via smartphone use, and found GPS to be the most reliable.

Jakobsson claims that by combining techniques, it’s possible to lock out up to 95% of adversaries, even, “an informed stranger, who is aware of the existence of implicit authentication and tries to game it.”

Phishing emails: U.S. nuke authority hit three times
http://www.welivesecurity.com/2014/08/19/phishing-emails-u-s-nuke-authority-hit-three-times/
Tue, 19 Aug 2014 10:52:57 +0000

America’s Nuclear Regulatory Commission was successfully attacked three times within the past three years, by unknown attackers, some foreign – and largely using standard phishing emails and similar techniques, according to the news site NextGov.

Two of the incidents have been traced to unknown foreign individuals, and another to an unidentifiable attacker, as records have been lost.

CNET reports that one incident led 215 employees of the nuclear agency to “a logon-credential harvesting attempt,” hosted on “a cloud-based Google spreadsheet.” The information was obtained through a specific request by NextGov.

Phishing emails: Lethal targets

A second spearphishing attack targeted specific employees with emails crafted to dupe them into clicking a link which led to malware on Microsoft’s cloud storage site SkyDrive.

The third attack was a spearphishing attack directed at a specific employee. Once his account credentials were obtained, emails were sent to 15 further employees, with malware-laced PDFs.

“It’s still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action. It’s also unclear how far the attackers got,” the Verge reports.

‘Team thwarts most attempts’

NRC spokesman David McIntyre said that his security team “thwarts” most such attempts.

“The few attempts documented in the OIG (Office of the Inspector General) cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken,” he said, speaking to CNET.

Slashgear reports, “The reasons for the hacks aren’t known, but are suspected to be an effort to harvest details about the nation’s nuclear infrastructure – another suggestion is that the NRC might not be a specific target, but instead swept up by chance in a more general attack by an individual hacker rather than a foreign nation’s government.”

A recent report on America’s energy agencies said such incidents increased 35% between 2010 and 2013.

The report, “INFORMATION SECURITY: Agencies Need to Improve Cyber Incident Response Practices,” said, “Our sample indicates that agencies demonstrated that they completed their eradication steps for the majority of cyber incidents. Specifically, our analysis shows that for about 77 percent of incidents governmentwide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents.”

The report made 25 suggestions about how agencies could improve responses, including that agencies should, “revise policies for incident response to include requirements for defining the incident response team’s level of authority, prioritizing the severity ratings of incidents based on impact and establishing measures of performance.”

Twitter hacked – Cricket legend ‘Beefy’ Botham exposed
http://www.welivesecurity.com/2014/08/19/twitter-hacked/
Tue, 19 Aug 2014 07:46:24 +0000

One of England’s greatest-ever cricketers, Sir Ian Botham, appeared to have had his official Twitter account hacked yesterday as an obscene picture unexpectedly appeared on the sportsman’s feed, according to the Evening Standard.

The single post was accompanied by the message, “What are you thinking…. xx”. Botham was rapidly warned by friend and Welsh football pundit Robbie Savage that his Twitter account had been hacked: “Mate I think you’ve been hacked.”

Botham rapidly regained control of the account, and Tweeted, “I would like to thank the hacker….I’ve just got 500 hits in 20 mins !!”

Twitter hacked: ‘Beefy’

In his column in the Daily Mirror newspaper, ‘Beefy’ said, “For those of you on Twitter who may have seen a distasteful photo from my account yesterday, let me assure you it was the result of someone hacking into it. I’ve played a few jokes in my time, but this was pathetic.”

“My old mate and fellow Mirror columnist Robbie Savage was straight on to me to change my password – which I’ve done. I’ve also asked the boffins in the Sky tech department to see how I can stop it happening again.”

Veteran security writer and researcher Graham Cluley wrote, “Let’s hope that Sir Ian Botham has now properly secured his Twitter account and other social media assets more effectively. It would be terrible if future hacks would cause his fans to boycott his future tweets.

The only silver lining is that Ian Botham is now trending on Twitter.”

More followers after picture

Botham too saw the silver lining to the hack, saying, “If some keyboard warrior has nothing better to do than post silly pictures, more fool them. The only impact it has had on me bizarrely is to give me more followers – strange.”

A We Live Security guide to how and why passwords can be hacked – and how to stop it – can be found here.

Privacy: Workers “would pay” to stop snoopers
http://www.welivesecurity.com/2014/08/18/online-privacy-4/
Mon, 18 Aug 2014 11:17:02 +0000

Online privacy has gone from being a minority concern to something that worries the man in the street – after a study of 2,000 people found a majority believed they were being listened to online, and nearly a third would pay to stop it.

The research, carried out with a group of 1,000 employees in the UK and 1,000 in Germany, was commissioned by Blackphone, the “ultra-private” encrypted Android handset which was “hacked” on stage in five minutes at DEF CON (the company promised to patch the issue). Silent Circle, the company behind Blackphone – and the widely used PGP encryption standard – clearly wishes to highlight that privacy is becoming a mainstream issue.

Privacy issues have become an increasing concern outside the security community – in part thanks to revelations of government surveillance, as discussed by ESET researcher Stephen Cobb. Silent Circle carried out the survey in May this year, via OnePoll and found that 88% of UK workers believe their calls and texts are being listened to, versus 72% of Germans – it’s not clear by whom.

Who is listening in?

Nearly a third – 31% – of Germans would pay for a service which guaranteed their texts and calls were not being listened to. In Britain, 21% would do so. Germany is traditionally more privacy-conscious – services such as Google StreetView are not permitted there.

The scandal over Facebook’s Messenger app – and the overstated responses of many media outlets – served to highlight this. Cosmopolitan writes, “Basically, it can control your whole phone. And, most scarily of all, CALL PEOPLE.” Cosmopolitan had not been previously known for its concern with online privacy.

Users are already anxious over the list of permissions granted to Facebook’s main app, which has expanded. Many apps – such as Facebook’s – have come under fire for permissions which change after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off.

Veteran online privacy writer and researcher and We Live Security contributor Graham Cluley said, “The world has changed. People who would have imagined ten years ago that “identity theft” was something from a sci-fi film, now have a genuine concern about their private data being stolen from the online companies they deal with, their web traffic tracked, and their communications being snooped upon.”

No such thing as a “free” app

Cluley says that consumers are realizing that ‘free’ software is often paid for through a loss of online privacy: “Additionally, users are becoming more suspicious of free apps and asking themselves how the developers might be planning to earn money, and are nervous of sharing too much information. There probably is a market out there for more products which charge a little bit of money for a whole lot more security and privacy.”

Silent Circle, creators of the PGP encryption standard, admitted their errors after Blackphone’s highly public hacking, saying, “No hard feelings — things get fixed by being found.”

Vic Hyder, Revenue Chief for Silent Circle suggests, “These figures confirm that many consumers recognize mobile communications are no longer private. It’s also reassuring that almost a quarter of the UK respondents, and a third of Germans, value their privacy enough to acquire assistance. This is a trend we’re seeing dramatically increase as individuals start to realize that they do have an option to privacy erosion.”

Gamescom: How gaming grew up into a target for crime http://www.welivesecurity.com/2014/08/15/gamescom/ http://www.welivesecurity.com/2014/08/15/gamescom/#comments Fri, 15 Aug 2014 20:31:20 +0000 Gamescom: How gaming grew up into a target for crime http://www.welivesecurity.com/?p=49761 Video games have gone since the late 1970s and early 1980s from being a small offshoot of the "traditional" computing industry to becoming a full-fledged multi-billion dollar industry - with its own brand of criminal.

The post Gamescom: How gaming grew up into a target for crime appeared first on We Live Security.

With over double the attendance of San Diego’s Comic-Con (340,000 attendees last year, compared to Comic-Con’s 130,000), gamescom highlights not just how pervasive video games have become in our lives, but also how video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles. There is a burgeoning market for dedicated PC gaming hardware, ranging from specialized graphics processors from companies like AMD (formerly ATI) and Nvidia to exotic cooling solutions using liquid nitrogen and metalized thermal interface materials, and AAA games such as Electronic Arts’ fifteen-year-old (and still going strong) The Sims franchise and Blizzard’s World of Warcraft, which redefined MMORPG gaming.

Gaming by the numbers

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM | NUMBER | EQUIVALENT TO
The Sims | 175 000 000 (copies sold over 15 years) | Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft | 7 600 000 (avg. # players over last 4 quarters) | Cost of 2014 upgrades (in USD) to Kensington Palace, United Kingdom
8th generation console units | 18 680 000 (PS4+Wii+XBONE units shipped/sold) | Average number of viewers per episode of Big Bang Theory during its 2012-2013 season

Computer gaming is a huge and wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem. But in virtual worlds, can real crimes occur?

Game Crime

As gaming has moved online, as with next-gen consoles such as Xbox One, crime has moved in

As it turns out, there is quite a bit of undesirable activity that can occur online, such as trolling or griefing, which have gone on for as long as people have been playing games online. The exact nature of these activities varies between games, as do their consequences, but while some online behavior is horrifying, it is not always clear whether an actual crime, prosecutable outside of cyberspace, has occurred and, if so, in which jurisdictions. Likewise, cheating, while unsportsmanlike, may be a violation of a game’s acceptable-use policy but not a criminal offense.

Doing time, online

Computer game companies police their virtual worlds to various degrees, as unwanted or objectionable in-game behavior could cause paying customers to leave en masse, with a corresponding drop in revenue.  If warnings are not sufficient, the usual sentence for abusive users is to ban them from playing the game for a fixed amount of time.  Repeat offenders, or those who may have done something especially offensive, may find themselves permanently banned from the game and their accounts closed.

Real thieves in a virtual world

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well:

Theft of Goods

The longer you play an MMORPG, the more likely you are to acquire items which are rare, limited edition, unique or otherwise carry powerful buffs for your character. Game companies create these kinds of items and adjust their scarcity because it helps encourage gamers to pay real money, either for the items themselves or for in-game currency. Or the developer may charge a subscription fee to play the game. And that use of real money is what makes some games lucrative targets for thieves.

In some games’ player-versus-player (PvP) combat, the losers of a fight may, upon their in-game death, drop items from their inventory or currency they were carrying. In some games, this has led to the creation of gangs or “mafias” who often target new players, either to “loot their corpses” or merely to threaten them with looting in order to obtain their items or currency.

In the real world, gamers are regularly targeted by criminal gangs with phishing emails, as well as password stealing software, in order to gain access to their account credentials.  From there, it is a simple matter for the criminals to empty out the gamer’s account, akin to taking the jewels out of some kind of high-tech safe deposit box.

While some game companies employ sophisticated geolocation tracking and even two-factor authentication systems identical to those employed by banks, others do not, and this makes those game accounts not only vulnerable to being emptied out, but to being stolen themselves.  It can take years of grinding away at some games to reach the upper levels.  For some unsporting game players, that represents an almost irresistible target.

Counterfeiting items

The number of virtual items (including units of virtual currency) in circulation is usually carefully calculated by gaming companies, even to the point of employing economists, to help ensure the stability of their virtual economy. Unfortunately, as in the real world, some virtual worlds are subject to counterfeiting, where in-game items or currency are duped (“duplicated”) over and over again by criminal gangs exploiting vulnerabilities or bugs in the game, its network connection, timing issues, and so forth.

If an in-game item can be duped ad nauseam, it can generate a lot of money, especially if it is the in-game currency that is being copied, and not some scarce or unique item.  While item duping may not be enough to disrupt the in-game economy if the item is not being sold, it does disrupt game play and fairness when characters become seriously overbalanced.
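As an added illustration of the “timing issue” dupe described above (constructed example code, not from the original article or any real game): a trade handler whose ownership check and debit are separate steps, beside a version that makes them one atomic unit, plus the kind of server-side audit an operator can run to spot the resulting corruption. All names, items and counts are constructed sample data.

```python
import threading
from collections import Counter


class Inventory:
    """Item counts for one character. Constructed sample data, not a real game."""

    def __init__(self, items=None):
        self.items = Counter(items or {})
        self.lock = threading.Lock()


def transfer_racy(src, dst, item, qty, after_check=lambda: None):
    """Vulnerable trade handler: the 'do you own enough?' check and the debit
    are separate steps, so two requests that both pass the check before either
    debits will each hand out the item (a timing-based dupe).
    after_check is a test hook standing in for network or scheduler delay."""
    if src.items[item] < qty:
        return False
    after_check()  # window in which a second request can pass the same check
    src.items[item] -= qty
    dst.items[item] += qty
    return True


def transfer_atomic(src, dst, item, qty, after_check=lambda: None):
    """Hardened handler: check and debit run as one unit under both inventories'
    locks, taken in a fixed order so two concurrent trades cannot deadlock."""
    first, second = sorted((src, dst), key=id)
    with first.lock, second.lock:
        if src.items[item] < qty:
            return False
        after_check()  # the delay still exists, but nobody else can enter here
        src.items[item] -= qty
        dst.items[item] += qty
        return True


def audit(inventories, item, expected_total):
    """Consistency check a game operator could run: flags negative counts and
    any drift from the number of copies that should exist."""
    findings = []
    total = 0
    for idx, inv in enumerate(inventories):
        count = inv.items[item]
        total += count
        if count < 0:
            findings.append(f"inventory {idx} has negative count {count} for {item}")
    if total != expected_total:
        findings.append(f"{total} copies of {item} exist, expected {expected_total}")
    return findings


def run_concurrent(transfer, item="legendary_sword", n_requests=2):
    """Fire n_requests concurrent trades of a single item from one seller and
    report how many buyers received it. A Barrier makes every request that
    reaches the hook wait for the others, reproducing the race on demand."""
    seller = Inventory({item: 1})
    buyers = [Inventory() for _ in range(n_requests)]
    barrier = threading.Barrier(n_requests, timeout=0.5)

    def hook():
        try:
            barrier.wait()
        except threading.BrokenBarrierError:
            pass  # the atomic handler keeps others out, so the barrier times out

    threads = [
        threading.Thread(target=transfer, args=(seller, b, item, 1, hook))
        for b in buyers
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "delivered": sum(b.items[item] for b in buyers),
        "seller_left": seller.items[item],
        "findings": audit([seller] + buyers, item, expected_total=1),
    }


if __name__ == "__main__":
    print("racy:  ", run_concurrent(transfer_racy))
    print("atomic:", run_concurrent(transfer_atomic))
```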

Regardless of why it is being done, counterfeiting can be difficult to deal with, especially if the recipient of a duped item is not aware of its provenance.  This may not stop game admins from removing counterfeit items or currency from a gamer’s account, or even banning the gamer, though.

Gold farming

Although in-game currency is not always golden coins, gold farming is the generic term used to describe players who do nothing but play a game in order to generate in-game currency, which they sell online for real-world currency.  This is particularly problematic in China, where there have been reports that prisoners are used as slave labor to generate revenue for prison authorities.

As with item duping, gold farming is disruptive to gaming economies because it leads to inflation. It also brings other problems, both in-game and in the real world, such as being spammed with advertisements for gold. And, as with selling counterfeit or stolen goods, the buyer runs the risk of having the items removed by the game admins, or even being banned, for having received counterfeit or stolen virtual property.

Companies under assault

Of course, computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts.

ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago. As a result, I am not going to discuss the details of the SONY breach in this article. Readers should be aware that this sort of problem is not unique to SONY, either. Almost exactly two years ago, Blizzard Entertainment suffered a data breach themselves, although they responded in a different and, this author thinks, more responsible fashion.

The point here is that computer game companies and their associated services face real threats from criminals: if they charge customers for online play or the purchase of in-game items, or otherwise hold customer billing data on their computers, then those computer systems are targets for financial crime. But even if they don’t charge customers, their systems might still be targeted by criminals seeking access to accounts for the reasons mentioned in the preceding section. Game companies recognize this, of course, and as a result their security practices have improved greatly over the past couple of years.

Final thoughts

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

I would also suggest reading our Comic-Con 2014: Eight super-powered digital safety tips article.  While Comic-Con is not exactly the same type of conference as gamescom, going to any type of conference with your computer, tablet, smartphone and various digital devices poses similar risks these days, and you may find some helpful information in that article.

Thanks to my colleagues Bruce P. Burrell, David Harley and Righard Zwienenberg for their assistance with this article.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher, ESET

Selected Bibliography

For further reading, here is a fairly complete compendium of gaming-related articles from We Live Security:

5 ways to avoid credit card fraud http://www.welivesecurity.com/videos/5-ways-avoid-credit-card-fraud/ http://www.welivesecurity.com/videos/5-ways-avoid-credit-card-fraud/#comments Fri, 15 Aug 2014 16:55:03 +0000 5 ways to avoid credit card fraud http://www.welivesecurity.com/?post_type=post_video&p=49759 Your credit card information is highly sensitive and always at risk of theft. Check out our 5 ways of avoiding credit card fraud.

The post 5 ways to avoid credit card fraud appeared first on We Live Security.

Your credit card information is highly sensitive and always at risk of theft. Check out our 5 ways of avoiding credit card fraud.

5 tips for sharing an iPad or Android tablet in your home http://www.welivesecurity.com/videos/5-tips-sharing-ipad-android-tablet-home/ http://www.welivesecurity.com/videos/5-tips-sharing-ipad-android-tablet-home/#comments Fri, 15 Aug 2014 16:49:42 +0000 5 tips for sharing an iPad or Android tablet in your home http://www.welivesecurity.com/?post_type=post_video&p=49756 You don’t need to buy a tablet for every member of the family. Our insider tips will help you share a tablet rather than having to buy more than one device.

The post 5 tips for sharing an iPad or Android tablet in your home appeared first on We Live Security.

You don’t need to buy a tablet for every member of the family. Our insider tips will help you share a tablet rather than having to buy more than one device.

Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars http://www.welivesecurity.com/2014/08/15/security-news/ http://www.welivesecurity.com/2014/08/15/security-news/#comments Fri, 15 Aug 2014 16:44:23 +0000 Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars http://www.welivesecurity.com/?p=49683 Blackphone, billed as a privacy tool to keep the public safe, ruled the headlines when it was hacked in five minutes. Meanwhile, Wi-Fi routers were also shown up, and Android users face a toothy new threat.

The post Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars appeared first on We Live Security.

It’s still high season for security news, with the last days of DEF CON 22 luring out the best in the business – and causing controversy (as, of course, it should).

The biggest draw was a hack which knocked out the “ultra-private” encrypted Blackphone in just five minutes – although there was much discussion of the techniques used. Silent Circle, creators of the PGP encryption standard, took a secure, dignified response.

They patched – fast – and admitted their errors, saying, “No hard feelings — things get fixed by being found.”

Android versus RAT: Rodent wins

Android users in Russia were offered a bundle of free apps – with one catch. Each had been tweaked to hide malware – a RAT built to steal information. Remote Access Trojans (found on both PCs and Android devices) allow an attacker access to data – in the case of Android/Spy.Krysanec, GPS location, contact lists, web history and more.

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security. Naturally, it was shared through third-party app stores and social sites – not Google Play.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network.

ESET’s Robert Lipovsky says: “users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.”

Wi-Fi: The skies are safe once more

The good news – your aeroplane will not plunge from the skies thanks to hackers armed with iPads – and the idea of hacking planes via Wi-Fi is silly. The bad news: things ARE getting worse.

Black Hat is no stranger to world-changing hacks – but Ruben Santamarta’s talk was described by CNET as “the hacking presentation that will get the most attention”, claiming that plane security could be hacked wirelessly, by Wi-Fi or even SMS.

The debunking didn’t take long. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, has thousands of hours of flight time, and has worked on the development of avionics found in modern airliners. He also recruited an even more qualified but anonymous pilot to help.

Short answer: planes cannot be hacked wirelessly – any model ever built. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircraft, which use a system that is “harder to hack”, he says.

Several companies have already said wireless hacks were “impossible”, and that access to wired systems is restricted: “In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said one.

Polstra warned, however, that “increasing automation” may lead to problems in the future.

Security news: Your router is a time bomb

No wonder cybercrime gangs target routers – yet another “live fire” test against the devices proved they were packed with vulnerabilities. More than a dozen were found in the challenge at DEF CON – and one router-hunter found 11 on his own.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – and a second challenge, to extract information from the devices, proved equally easy for the contestants.

Cyberjacking: It’s a word, and it’s happening (soon)

Two researchers who have previously demonstrated hacks against cars declared a new threat this week – in-car web browsers.

In an exhaustive analysis of top car brands, the researchers found that while it WAS possible to compromise systems, the results were limited. A Bluetooth hack, for instance, would not compromise the vehicle – but would allow attackers to ‘pair’ devices.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A Slashdot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

Two-factor security: We want it now!

Millions of Americans were directly affected by the breach at Target – and as cybercriminals increasingly take aim at POS terminals, similar tragedies look likely in future.

But American banks and card companies have been slow to reassure customers with measures such as two-factor security systems.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is economics. For the banks, “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

An ESET video explains what two-factor is, and why it works, here.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

Robin Williams’ last phone call? Sick Facebook video scam exploits celebrity suicide http://www.welivesecurity.com/2014/08/15/robin-williams-suicide-phone-call-scam/ http://www.welivesecurity.com/2014/08/15/robin-williams-suicide-phone-call-scam/#comments Fri, 15 Aug 2014 15:41:21 +0000 Robin Williams’ last phone call? Sick Facebook video scam exploits celebrity suicide http://www.welivesecurity.com/?p=49734 Sick-hearted scammers have proven themselves to have no morals once again, exploiting the death of Robin Williams with their latest Facebook scam.

The post Robin Williams’ last phone call? Sick Facebook video scam exploits celebrity suicide appeared first on We Live Security.

Be on your guard against yet another Facebook scam, this time exploiting the tragic death of comic actor Robin Williams.

The scam, which you may see shared by your Facebook friends oblivious to the fact that they are helping fraudsters earn money, claims to be a ghoulish video of Robin Williams making his last phone call before committing suicide earlier this week.

Of course, you might be fooled into believing it is genuine. After all, you have seen one of your Facebook friends share it on their wall.

But the truth is that they have been duped into sharing it by a simple social engineering trick, and you would be wise not to fall into the same trap.

The first thing you see is a post made by one of your Facebook friends:

ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE

If you click on the link you are taken to a third-party website, which claims to have a phone video made by the award-winning comedian in the minutes before his death:

EXCLUSIVE VIDEO: ROBIN WILLIAMS SAYS GOODBYE WITH HIS CELL PHONE BEFORE HANGING HIMSELF WITH A BELT AND CUTTING HIMSELF WITH A POCKET KNIFE. HE CAN STILL MAKE EVERYONE LAUGH WITH THIS VIDEO BUT IT WILL MAKE EVERYONE CRY A RIVER AT THE END.

You would have to be pretty ghoulish to proceed any further, but the truth is that the internet has deadened our sensitivities and made many of us all too willing to watch unpleasant things on our computer screens.

However, the truth is also that no such video is known to exist, and if you click to watch it you will be told that you have to share the link on your Facebook wall – encouraging your friends and family to go through the same process that you have – and ordered to complete an online survey before you may watch the footage.

And that’s the point of the scam.

By tricking thousands of people into taking a survey, in the misbelief that they will watch the final moments of a comedy legend whose life ended tragically, the scammers aim to make affiliate cash.

Because every survey that is taken earns them some cents – and the more people they can drive towards the survey (even if they use the bait of a celebrity death video), the more money will end up in their pockets. In other cases, scammers have used such tricks to install malware or sign users up for expensive premium rate mobile phone services.

The scammers have no qualms about exploiting the death of a famous actor and comedian to earn their cash, and give no thought whatsoever to the distressed family he must have left behind.

Always be extremely wary about what links you click on social networks, and never Share or Like something before you have seen it for yourself and decided whether it warrants sharing with your online friends.

Because you might not just be putting yourself at risk, you could also be endangering your friends and family.

Russian PM has his Twitter account hacked, announces “I resign” http://www.welivesecurity.com/2014/08/15/russian-pm-twitter/ http://www.welivesecurity.com/2014/08/15/russian-pm-twitter/#comments Fri, 15 Aug 2014 14:15:59 +0000 Russian PM has his Twitter account hacked, announces “I resign” http://www.welivesecurity.com/?p=49693 There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.

The post Russian PM has his Twitter account hacked, announces “I resign” appeared first on We Live Security.

There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.

The Russian-language account @MedvedevRussia, which has more than 2.5 million followers, was compromised on Thursday by hackers who posted messages suggesting Medvedev was immediately resigning, and making criticisms of Russia’s president Vladimir Putin.

The hackers tweeted out a resignation message from the Russian PM

I resign. I am ashamed for the actions of the government. I’m sorry

If such an announcement were genuine, of course, it would make headlines and raise eyebrows around the world.

But when the hackers followed up by posting messages on the account proposing the banning of electricity, and that the Russian PM would now pursue a career as a professional freelance photographer, it should have become obvious to everyone that Medvedev was no longer in control of his social media account.

According to media reports, the Twitter account was under the control of hackers for approximately 40 minutes yesterday before control was wrestled back by the PM’s office.

The only silver lining is that whoever hacked the account did not take advantage of the situation to direct some of Medvedev’s 2.5 million followers to websites which might have contained malware designed to infect their computers.

A hacker calling themselves Shaltay Boltay (“Humpty Dumpty”) has claimed responsibility for the hack. Besides the attack on Medvedev’s Twitter account, Shaltay Boltay has also in the past published internal Kremlin documents and leaked private emails from government officials.

Shaltay Boltay's Twitter account

Shaltay Boltay, who describes him or herself as a member of Anonymous on their Twitter profile, posted a message claiming that they had also managed to compromise the Gmail account and three iPhones belonging to the Russian prime minister. However, whether that is true or not is open to question.

In all likelihood, a busy chap like Dmitry Medvedev isn’t running his Twitter account on his own. Chances are that he has staff in his office who assist him with his social media presence.

And there lies the problem.

Although Twitter has introduced extra levels of protection like two factor authentication to better protect accounts from being hijacked, it doesn’t have good systems in place that work well when more than one person is accessing and posting from a Twitter account.

It would only have taken Medvedev, or one of his staff, to have been careless with their passwords once, or to have used an easy-to-guess password, or to have used the same password elsewhere on the web, for the hackers to have found the weak point necessary to break in and seize control.

Remember – you should always be careful with your passwords. Choose passwords wisely, make sure that they are hard to crack, hard to guess and that you are not using them anywhere else online.

If you find it hard to remember your passwords (which would be understandable if you are following the advice above) use a password management program which can remember them for you, and store them securely behind one master password that you *will* remember.

And once you’re following a strong password policy, ensure that you are always careful where you are entering your passwords, that you never enter them on a third-party site that could be phishing for your credentials, and be sure not to share passwords with friends or colleagues unsafely.

‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords http://www.welivesecurity.com/2014/08/15/biometric-earbuds-passwords/ http://www.welivesecurity.com/2014/08/15/biometric-earbuds-passwords/#comments Fri, 15 Aug 2014 13:47:44 +0000 ‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords http://www.welivesecurity.com/?p=49661 Biometrics are touted as a replacement for the passwords and PINs we all know and hate - and Intel’s new earbuds could be the most discreet way of authenticating a user ever.

The post ‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords appeared first on We Live Security.

Biometrics such as fingerprints or eye-scans are touted as a replacement for the passwords and PINs we all know and hate – and Intel’s new smartphone earbuds could be the most discreet way of authenticating a user ever.

The earbuds, designed with SMS Audio, harvest heart-rate information using optics inside the ear – monitoring blood pulses and eliminating “noise” according to Business Insider.

The SMS Audio Fitness buds are built for fitness fans, but Intel plans further applications – and is vocal in its opposition to passwords. Other gadgets, such as the Bionym bracelet, already use heart-rate as an identifier: it’s more unique than fingerprints, and the SMS Audio buds could be a step towards a wearable “password” you can almost forget.

“A built-in optical sensor that continuously measures heart rate during intense exercise, states of relaxation and every moment in between – while dynamically removing noise signals caused by body motion and ambient light,” says Intel in a statement.

In the past month, We Live Security reported five major database leaks, usually of passwords.

Passwords: Let there be light?

Gizmodo reports that biometric devices have so far failed to gain widespread acceptance in part because of their bulk – whereas the SMS Audio devices charge themselves using motion, removing the need for extra batteries or chargers.

“In the wearable space, we see a lot of hype. I don’t think the market is ever going to be that big if all we have are just square cellphones taped to your wrist,” says Mike Bell, General Manager of Intel’s New Devices Group.

There are competitors which use the reading – but the Bionym bracelet relies on being charged, unlike Intel’s, which communicates directly with smartphones via the audio jack.

“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym chief executive Martin said. “The modern research into practical systems goes back about 10 years or so. What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and turn them into a biometric template.”

For you, no charge

ESET Senior Research Fellow David Harley discusses the advantages of biometric systems in a We Live Security blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

Intel said, “The complexity of keeping digital identities safe grows as mobile applications and devices become a more important part of our daily lives. Intel’s intent is to intensify our efforts dedicated to making the digital world more secure, and staying ahead of threats to private information on mobile and wearable devices.”

TechCrunch reports that, “additional application support” will be added. Intel is reaching out to developers to make apps: “Intel has created an SDK called the Intel IQ Software Kits for any companies that want to use the features that Intel developed while building the circuitry inside the BioSport.”

Gamescom 2014: World of Malware? http://www.welivesecurity.com/2014/08/15/gamescom-2014-world-malware/ http://www.welivesecurity.com/2014/08/15/gamescom-2014-world-malware/#comments Fri, 15 Aug 2014 08:36:12 +0000 Gamescom 2014: World of Malware? http://www.welivesecurity.com/?p=49274 The gaming industry keeps growing, and the crowds at Cologne's Gamescom 2014 show why big game titles are rapidly becoming a target for cybercrime. Our tips will help you enjoy the latest games - without hackers declaring 'Game Over'.

The gaming industry keeps growing in popularity, and its large player base, on show in the crowds at Cologne’s Gamescom 2014, represents an opportunity for miscreants to make money. In this post we explore attacks tailored to gamers, starting with trojanized legitimate games, then malicious software and targeted attacks against the video game industry, and finally some recently disclosed exploits in games and game engines.

Gamescom 2014: Bitcoin Miners

Recent years have seen the introduction of Bitcoin, Dogecoin and other trendy and trending cryptographic currencies. These currencies are created by solving computationally-intensive cryptographic challenges, which require a lot of processing power. As gaming rigs are built with powerful processors and cutting-edge video cards, they can be considered one of the most efficient environments in which to “mine” these digital currencies, with the advantage of being widely spread among the Internet-using population.

In 2013, an employee of the ESEA Counter-Strike league silently introduced a Bitcoin miner into the league’s anti-cheat client, which every member had to install in order to participate. Fortunately the scheme was uncovered quickly, and the employee ‘earned’ less than $4,000 worth of bitcoins. More recently, a pirated version of the game ‘Watch Dogs’ was distributed with a Bitcoin-mining trojan that made money for the torrent’s uploader.

Keyloggers and Information Stealers

As the size of the gamer population has increased, some in-game goods have acquired some real monetary value. High-level/high-value characters, in-game currency, legendary items or even hats can be purchased with real money. But when something is worth money, it also means that for some people, it is worth stealing. Consequently, some malicious software focuses on stealing video games credentials. These information stealers are usually distributed under false pretenses, hiding behind so-called “game experience enhancers” or disguised as legitimate tools.

Keyloggers are the most prevalent type of malware in the gaming world, detected by ESET as Win32/PSW.OnLineGames. These programs can be quite simple but have proven very effective at stealing players’ credentials so that items and characters can be resold. So many accounts are compromised that game publishers are used to it and have an FAQ and a process for handling the situation.

To counter this type of malware, some MMORPG creators, such as Blizzard (who publish World Of Warcraft), have introduced two-factor authentication – and new titles introduced at Gamescom 2014 will do the same. This two-factor authentication takes the form of an electronic device (or a smartphone application) delivering unique six-digit codes that are active and valid only for a limited time before a new code has to be generated.

At the beginning of this year, malicious software named Disker was able to bypass this two-factor mechanism. Disker appears to be as complex as malware that targets banking credentials, and it steals both the victim’s account credentials and the current six-digit passcode.

But because the passcode is only valid for a short time, the attacker would have to be at the keyboard at the moment the information is exfiltrated in order to use it. Disker works around this: as it leaks the six-digit passcode to the attacker, it sends a wrong passcode to the World of Warcraft server, so the victim’s own login fails. A victim who keeps failing to log in may well disable two-factor authentication in order to play, and once that is done the attacker is no longer restricted to a short window.

Targeted Attacks

Players are not the only target in the gaming ecosystem; game companies can also be attacked directly. For example, Kaspersky last year discovered malware targeting no fewer than 30 MMORPG companies. In this case the attackers aimed to:

  1. Deploy malware on gamers’ computers through the MMORPG’s update server
  2. Manipulate in-game currencies
  3. Steal code-signing certificates in order to sign malware, making it easier to propagate
  4. Steal the MMORPG’s source code in order to run it on rogue servers

Exploits

MMORPGs are not the only targeted type of games, other kinds of multiplayer games are also potential targets. Recently, security researchers Luigi Auriemma and Donato Ferrante have been looking for vulnerabilities in games and game engines.

The results are impressive: they found vulnerabilities in the Source Engine, making any game based on this engine vulnerable, such as the famous Counter-Strike Source, Team Fortress 2 and Left 4 Dead. Those vulnerabilities could be used to execute code on a player’s computer without their knowledge and consent, potentially leading to installation of malware without requiring any action from the user other than his usual gaming activity.

Today, no known malware spreads using vulnerabilities in games but the rising value of in-game goods could motivate malicious people enough to use this kind of attack to spread game-targeted malware.

Conclusion

The emergence of such malware shows that the high value of in-game goods is appealing to bad guys – and the titles shown at Gamescom 2014 will be high-value targets.

The complexity of these types of malware, and Blizzard’s adoption of protective measures similar to those used by banks, indicate that we are at the beginning of an arms race between criminals and the gaming world. Everyone has a role to play in this race: publishers by securing players’ accounts adequately, and players by educating themselves about the dangers, the available protections, and how to behave in order to enjoy safer gaming.

Phone scams: card fraud with that steak, Sir?
http://www.welivesecurity.com/2014/08/14/phone-scams/
Thu, 14 Aug 2014 17:04:28 +0000

A new telephone scam has been targeting upscale restaurants in London, with “convincing” scammers calling restaurant staff and tricking them into believing there’s a problem with their payment system – according to a report issued by Financial Fraud Action. The scammers have targeted restaurants in affluent areas such as the West End and Twickenham.

The fraudsters give staff a phone line to call for customers to make payments, the Telegraph reports. Transactions are then funneled through the fraudulent phone line – restaurant owners have been warned to phone banks on a number known to be legitimate to check before changing payment methods. Katy Worobec, Director of Financial Fraud Action UK, said “It’s important that restaurant owners are alert.  Fraudsters can sound very professional – don’t be fooled.”

Phone scam: ‘Classic social engineering’

To customers, Financial Fraud Action said: “If you receive any calls from your bank claiming there’s a problem with payments, make sure you phone them on an established number to confirm the request is genuine. In addition, always wait five minutes to ensure the line is clear, as fraudsters will sometimes try to stay on the phone line and pretend to be your bank.” These tactics are variations on those used in many current phone scams. In the common ‘courier scam’, used to obtain cards and PINs, the fraudster stays on the line after the victim hangs up and pretends to be a fresh call when the victim dials their bank.

Phone scams: Old tricks

ESET Senior Research Fellow David Harley says, “The ‘staying on the phone line’ gambit is worth mentioning: it’s certainly been used a lot in the context of other scams.” The tactic works because few people check that the original caller has actually gone: if the fraudster has not hung up, the line can remain open, so when the victim dials their bank they are still connected to the fraudster, who simply hears the dialled digits as a series of tones. Harley suggests ‘interrupting’ the call by hanging up and dialing another number first, or by calling on a different phone.

Action Fraud said,”When the restaurant calls the phone number, the fraudster asks to speak with the paying customer and then goes through their security questions. Once sufficient security details have been obtained from the customer, the fraudster will instruct the restaurant to put the transaction through.” The fraudster then subsequently calls the customer’s bank – usually within five minutes – and attempts to transfer funds, the Daily Mail said.

The scam is not new, and several elements are “classic social engineering”, says ESET Senior Research Fellow David Harley, but it has spiked in the past six weeks. “Certainly there’s a problem with the concept of answering security questions over the phone unless the bank or other caller has already authenticated themselves to you,” Harley says.

Harley says the key to avoiding such scams is not to place trust in unknown callers. If unsure, hang up, and call back on a known number. “In this case, a restaurant that falls for this has clearly failed to verify the credentials of the ‘bank’ and a customer who goes along with it has put too much trust in the restaurant. The ‘security questions’ must persuade the customer to give quite a lot of information away if they have any hope of persuading the bank to make the fraudulent transaction over the phone. One would hope…”

Will web browsers turn cars lethal?
http://www.welivesecurity.com/2014/08/14/will-web-browsers-turn-cars-lethal/
Thu, 14 Aug 2014 17:00:02 +0000

Two researchers have launched a petition to change how car companies and technology companies work together – with a new villain: in-car web browsers.

“We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers say via Change.org.

A paper presented at Black Hat shows a danger crossing the line from “proof of concept” to reality. The researchers point out that while hacking a car to gain total control is extremely hard, it is easier to attack individual systems, such as communications or navigation, either of which could be lethal.

Car code is complex, and often bespoke, which means attacks tend to be at the level of disabling locks or affecting electric windows rather than outright destruction. Even Bluetooth, often hyped as the Achilles’ heel, falls into this category.

Internet of Things: Car crash ahead?

“Bluetooth has become ubiquitous within the automotive spectrum, giving attackers a reliable entry point to test,” they write. But hacks would be of the level of adding an unauthorized device – not outright control.

When CNN Money devotes a section to the year’s “most hackable cars” (a distinction won, incidentally, by the Cadillac Escalade and the 2014 Toyota Prius), automotive security is clearly a real issue.

Charlie Miller and Chris Valasek, in their paper A Survey of Remote Automotive Attack Surfaces, conclude that the danger from “hackable” cars is already growing, and is about to grow rapidly as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

Nick Bagot, Motoring Editor of the Mail on Sunday, says, “Web browsers obviously raise considerable safety issues – and it’s questionable why they’re needed. The inclusion of browsers in cars may well have more to do with the convenience of advertising, and lucrative tie-ups between car brands and particular browsers, than with delivering value to the consumer.”

“Google is, primarily, an advertising company. Google products are built to feed into Adwords. Self-driving cars are an incredible technology – but what is it for?”

Safety first?

Car technology ignites passions on many sides. Last year a U.S. senator urged auto manufacturers to change, and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking” and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Most in-car innovations have a clear point: car cameras are part of the technology revolution, but they increase safety. Which Magazine writes: “The importance of having these in-car cameras is becoming more obvious each day, with the devices not only providing UK drivers with an independent witness – but also as we see awareness of the product increase, we hope to see the road safety standards improve and fraudulent crashes and claims decline.”

Other innovations bring less clear benefits, reports The Register. “The problem is that cars are becoming more heavily computerized and that leads to more networking so the driver and passengers can get access to up-to-date information while on the move: most newish cars have a Bluetooth system hidden inside, a connection to the cellular data network, and so on,” the site said.

On the researchers’ page, I Am The Cavalry, they say: “Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

2FA – are big banks failing America?
http://www.welivesecurity.com/2014/08/13/2fa/
Wed, 13 Aug 2014 16:04:49 +0000

The Target breach caused real damage to millions of American card users – but big financial institutions are doing little to remedy security issues, according to the New York Times.

The report found that two-factor authentication was still not on offer for online banking at major institutions such as Citibank, Capital One and AmEx. Many other banks offer it but require customers to opt in.

The reason, the NYT claims, is cost to the banks: “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

2FA: Big savings – for banks

The opinion piece, a plea for increased adoption of two-factor authentication systems, has ignited debate.

Computer World discusses whether there are any “silver bullets” for a world where passwords are stolen in industrial quantities. Some attacks, such as a recent attempt against PayPal, have tried to bypass these systems, but they remain another hurdle for gangs to clear.

An ESET video embedded in the original post explains what two-factor authentication is.

Two-factor systems are far more secure than passwords alone: many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if 2FA had been in place. Even if an attacker plants malware on a PC and steals a password, they are still locked out unless they can also capture the second factor.

2FA: Why are banks failing us?

Information Week says that 2FA systems are a key part of ensuring corporate security: “Passwords are the Achilles heel of any network. Around 80% of all domain compromises carried out by our Penetration Testing team come from either a weak password being set, or a password being reused somewhere. Any company that takes its security seriously should protect privileged accounts with strong two-factor authentication (2FA).”

A recent report found that two-thirds of companies that allow working from home failed to provide secure access to company networks, putting private corporate information at risk.

Two-factor systems can help small businesses by allowing secure home working, and so cutting overheads such as office space.

Bank attacks – safety tips

Both Information Age and Computer World suggested further measures, with Computer World suggesting a Google Chromebook in guest mode as a clean environment for banking.

“Like private browsing, guest mode erases all traces of your browsing activity when you’re done, but in addition, it also starts you off with a clean slate. That is, when you log on as a Guest there are no cookies, favorites or browsing history to be discovered, stolen or manipulated,” Computer World writes.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

Many sites – including Twitter, Gmail and Dropbox – offer two-factor systems already, free, although you have to enable them yourself – it’s usually found under Settings or Privacy, and most sites walk you through the process.

It’s worth doing so if you keep any private information in such accounts – and particularly if you store sensitive business information.

Two-factor authentication makes it far more difficult, although not impossible, for cybercriminals to break into accounts on sites such as Twitter and Dropbox. On all of these services it is opt-in, so it protects you only once you have turned it on.

 

Wɑit! Stοp! Is that ℓιηκ what it claims to be?
http://www.welivesecurity.com/2014/08/13/link-non-latin-gmail/
Wed, 13 Aug 2014 14:20:23 +0000

Can you tell the difference between exɑmple and example? Google adds non-Latin support to Gmail, and we explain why characters matter when it comes to protecting yourself from spam, phishing and other attacks.

The human brain is a funny old thing, and remarkably smart.

But sometimes it’s too smart for its own good.

Take, for instance, the infamous “Face on Mars” photographed by the Viking 1 Orbiter in 1976, which led to rampant speculation and excitable headlines in the media claiming that it must be evidence of intelligent extraterrestrial life.

Face on Mars

But was it really an ancient giant statue left by former inhabitants of the Red Planet?

Or was it, in reality, evidence that humans are hardwired to seeing human faces, based upon minimal data, and are prone to seeing faces – in clouds, on the moon, on the surface of Mars – where none really exists? Scientists call this psychological phenomenon pareidolia.

Observations by other spacecraft visiting the Cydonia region of Mars in the decades since have revealed that there is no giant face carved into the rock. Our eyes deceived us, and we saw what we wanted to see.

And, perhaps surprisingly, this is relevant to computer security.

Because, just as people can see a face where none is present – so people can be duped by fraudsters and online criminals into believing they are reading one thing when in fact they are not.

Take this URL for instance:

http://www.exɑmple.com

Nothing wrong with that, right?

Wrong.

You see, that’s not a link for example.com. It’s a URL for exɑmple.com.

Your mind read “a”, when it was actually an “ɑ”.

And when it comes to computers there is a world of difference between Unicode character U+0061 (an “a”) and U+0251 (“ɑ”).

http://www.exɑmple.com and http://www.example.com are going to take you to entirely different places on the internet. And it could mean the difference between you visiting the right website, or visiting one created by cybercriminals to infect your computer with malware or phish your login credentials.

All this talk of extended character sets and the opportunities for abuse is relevant, because last week Google announced support for non-Latin characters in Gmail.

Fortunately, Google is aware that some scoundrels might take the development as an opportunity to make more effective spam campaigns.

As Google describes in a blog post, it’s trivial for internet attackers to exploit near-identical looking characters to dupe unsuspecting users into clicking on dangerous links:

Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims.* Can you imagine the risk of clicking “ShဝppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?

And it’s not just links, of course. I’ve lost count of the number of times that I’ve received emails mentioning vιαgяα. I instantly know that the bad guys are referring to the little blue pills that enhance bedroom performance, even though they didn’t spell it v.i.a.g.r.a.

Some attempts, naturally, are more sophisticated than others.

Spam enlargement

The truth is though that they don’t always have to fool you, the user.

The first task of any spam campaign is to fool the computer – most of them actually *want* to be human-readable, but they don’t want to be easily interpreted by the computer program that is filtering your inbox for spam.

As Google explains, its Gmail service will now be rejecting suspicious letter combinations that could have been deliberately used in spam and phishing attacks:

The Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.

Iτ’s gяεατ το sεε Gοοgℓε τακε sτερs το βεττεя ρяοτεςτ τнειя gмαιℓ μsεяs. Iτ ωιℓℓ βε ιητεяεsτιηg το sεε нοω ωεℓℓ ιτ ωοяκs, αηδ ωнετнεя sραммεяs ωιℓℓ ƒιηδ ηεω мετнοδs το gετ τнειя мεssαgεs ιη ƒяοητ οƒ мιℓℓιοηs οƒ ελεβαℓℓs.

Lετs нορε τнατ οτнεя οηℓιηε sεяvιςεs ƒοℓℓοω Gοοgℓε’s εχαмρℓε, αηδ ςοηsιδεя ωнατ sτερs τнεy ςαη мακε το βοτн sμρροяτ α мοяε “gℓοβαℓ” ωεβ, αηδ ατ τнε sαмε τιмε ςμяταιℓ τнοsε ωнο τяy το αβμsε ιτ.

Feel free to leave a comment below. You get extra points (sorry, no prizes) if you manage to use some εχτεηδεδ ςнαяαςτεяs in your response that we have to decode.

Wi-Fi security – routers “like fish in a barrel”
http://www.welivesecurity.com/2014/08/13/wi-fi-security-routers-like-fish-in-barrel/
Wed, 13 Aug 2014 13:52:37 +0000

Researchers flexed their hacking muscles at DefCon 22 for a hunting competition against the technology world’s most defenseless beasts – routers. Sure enough, more than a dozen new vulnerabilities were found.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – with more than a dozen new vulnerabilities found at the DEF CON 22 competition, according to ISP Review.

The SOHOpelessly Broken contest challenged researchers to crack into routers with zero-day attacks, and extract information from others. In total, 15 new flaws were found – eleven by one researcher.

Routers have come under scrutiny from security researchers in the past year, after a series of demonstrations showed ways to break into the devices.

Wi-Fi security: ‘Hopelessly broken’

Many popular models of wireless router from brands such as Linksys and Netgear were vulnerable to a ‘backdoor’ that could allow attackers access to the router’s admin controls, according to a report by Ars Technica, offering full access to the network.

The backdoor, in various models of wireless DSL router, could allow an attacker to reset the router and, “commandeer a wireless access point and allow an attacker to get unfettered access to local network resources,” Ars reported. “The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users.”

The report follows the discovery of a serious “backdoor” vulnerability in various D-Link models. Another report suggested a majority of the top-selling routers on Amazon had known vulnerabilities.

The SOHOpelessly Broken contest aims to highlight these flaws. The Electronic Frontier Foundation hopes to create open-source firmware for routers which will offer increased security.

“By demonstrating that the issues persist and that consumers are still exposed, pressure will be applied to the manufacturers to take the necessary action to better protect their customers who are currently not empowered to protect themselves,” says Steve Bono, founder of ISE (Independent Security Evaluators).

Routers often have low profit margins, and thus are shipped with known vulnerabilities, particularly the cheaper models known as small office/home office routers, ISE claims.

 Wi-Fi attacks: Fighting back

Even normal home routers don’t have to be totally defenseless: ESET offers a video guide, and rule one is “change that password.” If it’s ‘password’, your neighbor can get in, never mind criminals.

Failings by IT staff worsen these risks, according to a study reported by Infosecurity Magazine. The study of 653 IT and security professionals and 1,009 remote workers found that 30% of IT professionals and 46% of remote workers do not change the default passwords on their routers, and that nearly half of the workers polled use WPS (Wi-Fi Protected Setup), whose PIN mechanism can be brute-forced to recover the Wi-Fi passphrase.

But changing the password is only a first step: ESET Senior Research Fellow David Harley says that users should always, “Change default router administrator usernames and passwords, and change the default SSID.”

The SSID is the name of the network – which is broadcast to anywhere within Wi-Fi range. Leaving it as a default can broadcast information that is useful to an attacker – such as the model of router you are using, or whether you are using one supplied by your ISP. When choosing a new network name, avoid any personally identifying information such as your name or house number.

It’s worth considering making yours a “hidden network” by disabling SSID broadcast; to connect a new device you then type the network’s name into it. Bear in mind, though, that this only deters casual snooping: Wi-Fi scanning tools still see the network’s traffic, and your own devices will broadcast the hidden name whenever they probe for it, so it is no substitute for a strong Wi-Fi passphrase.

Harley warns that these precautions can be undone if your router’s firmware is updated, which can occasionally revert settings to their defaults. “After any update, check these settings have not reverted,” he says.
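As an added illustration (written for this edit, not ESET’s code) of why WPS is singled out above, the following models the PIN method’s well-known design weakness: the access point rejects a wrong first half of the eight-digit PIN at message M4, before the second half is ever checked at M6, and the eighth digit is a checksum of the other seven, so an attacker needs at most 10,000 + 1,000 guesses rather than 100 million. The checksum is the one the WPS specification defines; the oracle is a constructed stand-in for the access point’s responses.

```python
def wps_checksum(pin7: str) -> str:
    """Eighth (checksum) digit of a WPS PIN, computed from its first seven digits
    with the WPS specification's weighting: odd positions count 3x, even 1x."""
    if len(pin7) != 7 or not pin7.isdigit():
        raise ValueError("expected 7 digits")
    d = [int(c) for c in pin7]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return str((10 - total % 10) % 10)


def is_valid_wps_pin(pin8: str) -> bool:
    """True if the eight-digit PIN carries a correct checksum digit."""
    return len(pin8) == 8 and pin8.isdigit() and wps_checksum(pin8[:7]) == pin8[7]


def search_space():
    """Worst-case guesses: naive, versus the split search the protocol permits.
    Returns (naive, split)."""
    naive = 10 ** 8
    first_half = 10 ** 4           # four free digits, confirmed on their own at M4
    second_half = 10 ** 3          # three free digits; the fourth is the checksum
    return naive, first_half + second_half


def make_oracle(real_pin: str):
    """Constructed stand-in for an access point. oracle(first, None) answers
    whether the first four digits are right (the M4 NACK leak); oracle(first,
    second) answers whether the whole PIN is right."""
    def oracle(first_half: str, second_half):
        if first_half != real_pin[:4]:
            return False
        return second_half is None or second_half == real_pin[4:]
    return oracle


def brute_force_demo(oracle):
    """Recover the PIN from the oracle using the split search.
    Returns (pin, number_of_oracle_calls)."""
    calls = 0
    first = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        calls += 1
        if oracle(candidate, None):
            first = candidate
            break
    if first is None:
        return None, calls
    for j in range(1_000):
        second = f"{j:03d}"
        pin = first + second + wps_checksum(first + second)
        calls += 1
        if oracle(first, pin[4:]):
            return pin, calls
    return None, calls


if __name__ == "__main__":
    # 12345670 is the well-known sample PIN whose checksum digit is 0.
    print("search space (naive, split):", search_space())
    print("recovered:", brute_force_demo(make_oracle("12345670")))
```

Against a real access point each oracle call is a full WPS exchange taking seconds, which is why vendors added lockouts after failed attempts; the point for the owner is simply that disabling WPS removes the PIN and this whole avenue with it.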

 

‘Secure’ Blackphone hacked in 5 minutes
http://www.welivesecurity.com/2014/08/13/online-privacy-3/
Wed, 13 Aug 2014 08:52:31 +0000

An ultra-secure phone claiming to be the first privacy-focused smartphone on sale swiftly fell victim to a security researcher, who hacked the “super secure” Blackphone in just five minutes, according to Slashgear. The hack gained root access to the phone and was performed on stage at the DEF CON security conference, according to Gizmodo. TeamAndIRC found three vulnerabilities, according to Tweaktown, although each had limitations: one required an unpatched version of PrivatOS and another required direct user interaction. Slashgear reported that users faced no “imminent danger.”

Online privacy – Blackphone cracked?

BlackBerry has previously described Blackphone as “Consumer-Grade Privacy That’s Inadequate for Businesses”. Blackphone responded via the blogging platform Medium: “As I mentioned in my earlier post — we took on the challenge of building a secure and private smartphone system. TeamAndIRC threw a proverbial jab to the jaw, and well, our jaw is not made of glass. Kudos to @TeamAndIRC for explaining the exploit. No hard feelings — things get fixed by being found. Nonetheless, we have a vulnerability and it is important to Blackphone to resolve this vulnerability fast. We pride ourselves on being able to provide a quick turnaround to security problems. We control the complete OTA process, and are able to fix issues as soon as they are disclosed, if they haven’t been pre-emptively fixed.” Slashgear said, “Blackphone still may be the most secure open-source smartphone around.” One patch has already been pushed out, and another is coming shortly.

‘Our jaw is not made of glass’

Silent Circle’s founders include a best-selling author, an ex-U.S. Navy SEAL and Phil Zimmermann, who wrote PGP (Pretty Good Privacy) in 1991, still the most widely used email encryption software on Earth. Encrypted phones have been on sale before, such as the GSMK CryptoPhone, but they have been complex to use and expensive. Silent Circle hopes that the steady flow of news about state spying could catalyze a sea change in attitudes towards privacy. British-based security expert Graham Cluley, a 20-year veteran of the industry, said at the launch that the goals of Blackphone are laudable: “Most of us could take greater steps to make our lives more private, and make it harder for unauthorized parties (including governments) to spy upon our activities.”

Krysanec trojan: Android backdoor lurking inside legitimate apps
http://www.welivesecurity.com/2014/08/12/krysanec-trojan-android/ – Tue, 12 Aug 2014 12:21:31 +0000

Figure 1 – Screenshot from Sberbank mobile banking app misused in order to distribute Android/Spy.Krysanec

One of the most important pieces of advice we give Android users is to refrain from downloading applications from dubious sources and to stick to the official Google Play store. Malware does show up from time to time there, but it is much better controlled, thanks to the Google Bouncer, than on alternative app stores.

We discovered an interesting piece of Android malware that serves as a good example to emphasize the advice above. We found a RAT (Remote Access Trojan) masquerading as several legitimate Android applications.

Let’s take a closer look at how the malware spreads, what it does, and at its connection to a story that made recent news headlines.

Distribution vectors

One of the most common infection vectors for Android malware is to disguise itself as a popular legitimate app – from various games to other more or less useful pieces of software. Quite often the legitimate functionality is present, but with a malicious aftermarket addition – the very essence of a trojan horse. And quite often the application purports to be a cracked version of a popular paid application – so the danger is greater on less-than-trustworthy app stores and forums – but this is certainly not an indisputable rule.

Figure 2 – Spaces.ru account hosting Android/Spy.Krysanec

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.

The Android app ecosystem offers a reliable countermeasure against such unwarranted and malicious modifications: applications are digitally signed with the actual developers’ certificates, so a repackaged app cannot carry the original developer’s signature.

Obviously, the masqueraded Krysanec variants did not contain valid certificates. Needless to say, though, not all users carefully examine the applications they install on their smartphones, especially those who search for apps from dubious sources, whether they’re looking for cracked versions of paid apps or for whatever other reason.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network. The screenshots below show an account that was used to host the trojan lurking inside legitimate apps.

Figure 3 – Spaces.ru account hosting Android/Spy.Krysanec

Functionality

The infected applications contained the Android version of the Unrecom RAT (Remote Access Trojan), a multi-platform remote-access-tool.

In particular, the Android/Spy.Krysanec malware is able to harvest various data from the infected device, connect to its Command & Control (C&C) server and download and execute other plug-in modules.

The modules give the backdoor access to the following on the device:

  • Photos taken with the camera
  • Audio recorded through the microphone
  • Current GPS location
  • List of installed applications
  • List of opened webpages
  • List of placed calls
  • Contact list
  • SMS (regular or WhatsApp)
  • And so on…

Figure 4 – Screenshot from Android/Spy.Krysanec control panel

C&C servers

Interestingly, some of the samples that we analyzed connected to a C&C server hosted on a domain belonging to the dynamic DNS provider no-ip.com. No-IP was in the news recently when Microsoft’s Digital Crimes Unit took over 22 of the company’s domains that were used to distribute malware. Microsoft, however, subsequently dropped the case.

While remote-access-tools for Android are less common than their Windows desktop counterparts, the main message here is to stress that users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.

Facebook privacy – is Messenger watching you?
http://www.welivesecurity.com/2014/08/11/facebook-privacy-is-messenger-watching-you/ – Mon, 11 Aug 2014 15:38:03 +0000

Facebook’s Messenger app has people worried about their privacy – lots of people. A list of Permissions appears to show the app could be taking video of users in secret, according to the Washington Post.

Users of both the iPhone and Android versions of Facebook’s app have found the main app altered so that a second app – Messenger – is required to send person-to-person messages. Without the extra app, the function is removed – sparking further concerns over Facebook privacy.

Security-wise, there are serious issues with Messenger – clearly visible on Android, where apps are required to list Permissions showing what they are allowed to do.

Cosmopolitan writes, “Basically, it can control your whole phone. And, most scarily of all, CALL PEOPLE.”

Facebook privacy: Spy in your pocket?

Metro noted that the app – which attempts to take over SMS functions as well as in-app messaging – can record users with their camera, and send texts without permission.

“As we’ve said, our goal is to focus development efforts on making Messenger the best mobile messaging experience possible and avoid the confusion of having separate Facebook mobile messaging experiences,” a Facebook spokeswoman said.

“Messenger is used by more than 200 million people every month, and we’ll keep working to make it an even more engaging way to connect with people.”

The full list of Permissions is here:

  • Change the state of network connectivity
  • Call phone numbers and send SMS messages
  • Record audio, and take pictures and videos, at any time
  • Read your phone’s call log, including info about incoming and outgoing calls
  • Read your contact data, including who you call and email and how often
  • Read personal profile information stored on your device
  • Access the phone features of the device, like your phone number and device ID
  • Get a list of accounts known by the phone, or other apps you use.

But there may be another explanation, the FT says. The split may herald a move towards person-to-person messaging – after Facebook’s failed purchase of Snapchat.

“Snapchat over-indexes with the very segment where Facebook has cited falling engagement: teenagers,” said Geoff Blaber, of CCS Insight. “The continued introduction of new services, either organically or by acquisition, is essential to maintaining user engagement.”

Facebook – expanding even further?

Video functions were added to Snapchat recently, as were text messages and video calling.

Users are already concerned over the list of permissions granted to Facebook’s main app – which has expanded. Many apps, such as Facebook’s, have come under fire for Permissions which change after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off.

Protecting against apps which ask for further permissions after install is difficult. Apps built to go online update frequently, for perfectly valid security reasons – and often without alerting the users, at least not as clearly as the alerts on Android’s built-in Permissions menu.

“As Facebook users have noted over the last few weeks, for example, their Android app is now demanding access to SMS / MMS, calendar events, and WiFi control,” commented The Register.
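The practical defence against permissions that grow after install is to keep a record of what an app declared when it was first vetted and compare it against each update. The Python below is an added example, not code from We Live Security, Facebook or Google: it diffs two permission declarations and separates newly added permissions that touch the camera, microphone, telephony, call log or connectivity from the rest. The two permission sets are constructed for illustration; the permission names are standard Android manifest permissions, but the "sensitive" watch list is this example's own grouping, chosen to mirror the list in the article, not an Android-defined category.

```python
"""Flag permissions that an app update adds, with emphasis on sensitive ones.

Added example, not code from We Live Security or any vendor. The two
permission sets are constructed; the watch list is the example's own choice.
"""

# Constructed: permissions the app declared when it was first installed.
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.VIBRATE",
}

# Constructed: permissions declared by the updated app (e.g. read from the
# manifest of the new APK). Several sensitive ones appeared since the baseline.
UPDATED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.READ_CALL_LOG",
}

# Watch list (this example's own grouping): permissions whose appearance in an
# update deserves a second look, with a plain-English description of each.
SENSITIVE = {
    "android.permission.CAMERA": "take pictures and video",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.CALL_PHONE": "call phone numbers",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.READ_PHONE_STATE": "read phone number and device ID",
    "android.permission.GET_ACCOUNTS": "list accounts on the device",
    "android.permission.CHANGE_WIFI_STATE": "turn Wi-Fi on and off",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}


def diff_permissions(baseline, updated):
    """Return (added, removed) permission sets between two declarations."""
    baseline, updated = set(baseline), set(updated)
    return updated - baseline, baseline - updated


def review_update(baseline, updated, watch_list=SENSITIVE):
    """Split newly added permissions into sensitive ones (mapped to their
    description) and the rest, so a reviewer sees the important changes first."""
    added, removed = diff_permissions(baseline, updated)
    flagged = {p: watch_list[p] for p in sorted(added) if p in watch_list}
    other = sorted(p for p in added if p not in watch_list)
    return {"flagged": flagged, "other_added": other, "removed": sorted(removed)}


if __name__ == "__main__":
    report = review_update(BASELINE_PERMISSIONS, UPDATED_PERMISSIONS)
    for perm, what in report["flagged"].items():
        print(f"NEW sensitive permission: {perm} ({what})")
    for perm in report["other_added"]:
        print(f"new permission: {perm}")
    for perm in report["removed"]:
        print(f"removed: {perm}")
```

The baseline would normally be captured from the manifest at install time (for example by a mobile device management tool) and the check rerun whenever an update lands; the same set difference also shows permissions an update drops, which is useful when an app claims to have reduced its footprint.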

Wi-Fi security: Flight systems “are safe… for now” claims expert
http://www.welivesecurity.com/2014/08/11/wi-fi-security-flight-systems-are-safe-for-now-says-expert/ – Mon, 11 Aug 2014 13:30:30 +0000

An aircraft security expert has eased the worries of many frequent flyers this week – by reassuring them that aircraft are not “hackable” in mid-flight. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, has thousands of hours of flight time, and has worked on the development of avionics found in modern airliners.

“Lots of bold claims concerning the feasibility of cyber-hijacking – and bold claims get lots of press. Most people don’t know enough to evaluate these claims. Whether you feel safer or even more scared should be based on facts,” he says.

Polstra’s collaborator, “Captain Polly” is also an academic dealing with avionics.

Santamarta’s presentation focuses on major brands, and widely used systems, and he claims that 100% of systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow hackers control over communication are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.

Wi-Fi security: Death in the skies?

“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

The Black Hat security conference last week was dominated by one terrifying assertion – that avionics systems were vulnerable to hacks which could be set off as simply as by sending an SMS or via Wi-Fi.

Polstra’s presentation debunks the Wi-Fi hack threat, step by step. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircraft, which use a system that is “harder to hack”, he says.

The Register reports, “Firstly, no commercial airliner’s avionics systems can be accessed from either the entertainment system or in-flight Wi-Fi. Avionics systems are also never wireless, but always wired, and don’t even use standard TCP/IP to communicate.”

Physical access – not Wi-Fi signals

FAA rules state: “The applicant must ensure that the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.”

Several companies have already said that the research was flawed: Cobham said wireless hacks were “impossible”, and that a hacker would require physical access to systems.

“In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said Caires.

At least one company has already come forward to state that the Wi-Fi hack used would be impossible in a “real world” situation. Other vendors have dismissed the risks as “very small”.

Polstra says, however, that increasing computerization may lead to future problems. “Increasing automation while continuing with unsecured protocols is problematic. Airliners are relatively safe (for now),” he concludes.

Week in security: FBI malware, billion password leak – Chinese hotel goes mad
http://www.welivesecurity.com/2014/08/08/week-in-security/ – Fri, 08 Aug 2014 22:52:23 +0000

With Black Hat 2014 in full swing in Las Vegas, it was never going to be a quiet week in the world of security – with hacks ranging from the surreal to the terrifying demonstrated, and vicious argument over the week’s most controversial presentation – which claimed that aeroplane communication systems could be hacked via in-flight Wi-Fi.

Even outside the presentations at the Mandalay Bay, ripples were spreading through the secret world of Tor, with suspicions seemingly confirmed that the FBI had been using malware against visitors to a hidden service in order to identify the MAC addresses of “hidden service” users.

Visit the wrong site – get malware from Feds

The story, broken by Wired’s Kevin Poulsen, offered a detailed analysis of the attacks, and their context: “For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

Most high-profile arrests of the administrators of Tor “hidden service” sites have relied on alleged perpetrators leaking information in the real world – as in the case of the arrest of alleged Silk Road founder Ross Ulbricht.

The FBI’s technique relied on a now-replaced version of the Tor browser bundle but used malware to send addresses to a server in Virginia, according to The Tor Project – and raised legal questions over what a government agency was doing using malware against suspects, malware which remained on computers “for years”, according to Poulsen. Even Tor’s most ardent defenders find “hidden” child pornography services difficult to define as “freedom of speech” – but there are legal questions to be answered about the FBI’s methods.

X marks the spot: Billion-password trove is ‘biggest ever’

Passwords are often posted online in thousands or millions – but this week, a security company revealed the existence of a treasure-trove thought to be the biggest in history: 1.2 billion usernames and passwords, along with 542 million email addresses.

The stolen credentials were in the possession of “CyberVor” – “vor” meaning “thief” in Russian – and had been stolen from 420,000 different websites, before being unveiled by Milwaukee firm Hold Security, along with the New York Times.

Others were a little more skeptical of this hoard, the cyber equivalent of finding both the Ark of the Covenant and the Holy Grail in one place – with Forbes questioning why the main use of this awe-inspiring collection of data had thus far been to send spam, and to sell passwords to allow others to send more spam. This is not a high-profit business – and with a billion passwords, you should surely be able to do something a bit bigger. It’s also unclear how new the credentials really are. Forbes also questioned Hold Security’s role, as the company is a small player with much to gain from publicity.

Point of sale terminals under assault

Point of sale systems are becoming scarier by the week – after last week’s article here on We Live Security, Lysa Myers reports another very good reason not to use plastic to pay for anything in American stores.

A new PoS malware warning was issued this week by Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).

The malware, which had already been detected for some time by ESET (Win32/Spy.Agent.OKG), is referred to as “Backoff” by US-CERT. The technical details can be found here. There is also a report you can download as a PDF.

Backoff brute-forces its way onto remote desktop access systems that have access to Point-of-Sale systems, and installs a RAM scraper which harvests credit card numbers. This sort of malware is multiplying – as Myers puts it, POS terminals are “low-hanging fruit”, and small businesses a particular target.

Myers’ guide to securing POS systems can be found here.
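Because Backoff gets onto a PoS network by brute-forcing remote desktop logins, the earliest place a defender can catch it is in failed-logon telemetry, before any RAM scraper is installed. The Python below is an added example, not ESET’s or US-CERT’s code: it scans constructed Windows logon-failure events (a made-up text layout loosely modelled on Security event 4625, with logon type 10 marking a Remote Desktop session) and raises an alert when a single source address accumulates five or more RDP failures inside a one-minute sliding window, reporting how many distinct usernames that source tried. The addresses, usernames and timestamps in the sample are all constructed.

```python
"""Detect RDP password-guessing from failed-logon events.

Added example, not ESET's or US-CERT's code. The log lines are constructed to
resemble Windows Security event 4625 (failed logon) exported as text; the field
layout is this example's assumption, not a real export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts over RDP
# (LogonType=10 = RemoteInteractive); another source fails twice, then succeeds.
SAMPLE_LOG = """\
2014-08-05T02:14:01 4625 LogonType=10 User=Administrator Src=198.51.100.23
2014-08-05T02:14:02 4625 LogonType=10 User=Administrator Src=198.51.100.23
2014-08-05T02:14:02 4625 LogonType=10 User=admin Src=198.51.100.23
2014-08-05T02:14:03 4625 LogonType=10 User=pos Src=198.51.100.23
2014-08-05T02:14:05 4625 LogonType=10 User=Administrator Src=198.51.100.23
2014-08-05T02:14:06 4625 LogonType=10 User=Administrator Src=198.51.100.23
2014-08-05T02:20:11 4625 LogonType=2 User=jsmith Src=192.0.2.7
2014-08-05T02:20:40 4625 LogonType=10 User=jsmith Src=192.0.2.7
2014-08-05T02:21:03 4624 LogonType=10 User=jsmith Src=192.0.2.7
"""


def parse_event(line):
    """Parse one constructed event line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {"time": ts, "event_id": parts[1],
            "logon_type": fields.get("LogonType"),
            "user": fields.get("User"), "src": fields.get("Src")}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that reaches `threshold` RDP logon failures
    within a sliding `window`. Each alert is (src, first_failure_time, users_tried)."""
    recent = defaultdict(deque)   # src -> timestamps of RDP failures still in window
    users = defaultdict(set)      # src -> usernames that source has tried
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Only failed logons (4625) over Remote Desktop (type 10) count.
        if not ev or ev["event_id"] != "4625" or ev["logon_type"] != "10":
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        users[ev["src"]].add(ev["user"])
        while q and ev["time"] - q[0] > window:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], q[0], len(users[ev["src"]])))
    return alerts


if __name__ == "__main__":
    for src, first, n_users in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"RDP brute-force suspected from {src}: burst began {first}, "
              f"{n_users} distinct usernames tried")
```

Threshold and window are deliberately parameters: a PoS back-office box that legitimately sees one remote login a day can run a much tighter rule than a jump host, and the distinct-username count separates a user mistyping one password from a wordlist being walked through several accounts.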

DoS is dead: Cybercriminals prefer malware

America’s Computer Emergency Response Team has made headlines with grim regularity for years – but the British version just celebrated its 100th birthday. (A hundred days, this is).
The new agency has a firm grasp of fashions in cybercrime – claiming that denial-of-service attacks were on the way out and malware was “in”, with 25% of incidents reported to the agency related to malware, in what it described as a “cat and mouse” game between gangs and corporations.

During its first 100 days, the organization has dealt with 500 businesses, and says communication is critical in cases such as the co-ordinated action against GameOver Zeus. CERT said that it was ‘critical’ that “information flows freely between Government and industry”.

No security conference would be complete without a few attacks against defenseless household appliances – last year, an e-toilet fell victim, and a Tesla Model S was hacked in motion by a group of Chinese students only last week. So Black Hat had to go one better: a presentation claimed that in-flight Wi-Fi could be used to hack aeroplane systems, and similar hacks could baffle ships and lead soldiers into ambushes.

Santamarta’s presentation focuses on major brands, and widely used systems – and he claims that 100% of systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow hackers control over communication are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.

“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

The companies concerned responded quickly to explain that while such hacks might work in the lab, the world was a rather more complex place.

Internet of Evil Things

Meanwhile, the Internet of Things once again fell victim to a hacker – who turned an entire Chinese hotel mad using only an iPad. Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China via an aging ‘internet of things’ system – switching off lights, changing the TV channel, raising blinds and fiddling with the temperature, according to Sky News.

Security researcher Jesus Molina said that his hack was pulled off using an in-room iPad and the hotel’s ‘internet of things’ system, and began simply because he was “bored”. “I thought about looking to see if a similar system controlled the door locks but got scared,” says Molina, according to Wired’s report.

That did not stop him from switching on and off the “Do Not Disturb” signs on hotel rooms, according to the South China Morning Post.

Internet of Things: Google’s Nest hacked into “full-fledged” spy gizmo
http://www.welivesecurity.com/2014/08/08/internet-of-things-nest-hacked/ – Fri, 08 Aug 2014 22:31:03 +0000

Yet another “connected” device was outed as a potential spy this week – as researchers showed how Google’s Nest thermostat could be turned into a “fully-fledged spying device”.

Tom’s Hardware acknowledged that Nest, designed by Tony Fadell, a product expert known as “the father of the iPod”, is among the more secure connected devices – but said that physical access could turn it into a spy device which could inform attackers of when you were home – and provide access to the home Wi-Fi credentials.

The result: “A house fully controlled by the attackers.”

The researchers say that measures put in place to prevent wireless hacks against the Internet of Things icon actually allow a simpler, wired hack by pressing the power button, then inserting a USB Flash Drive. “However, the smartness of the thermostat also breeds security vulnerabilities, similar to all other smart consumer electronics.”

Internet of Things: Feel the heat

The hack is not the first against Google’s successful Internet of Things thermostat device – and like the earlier attack, it requires physical access to the Nest.

Yahoo News reports, though, that the scope of the attack is wide-ranging: “Entering into that mode allows you to upload your own code, your custom code, which allows you to attack existing code, implant your own and reboot normally, but maybe have something else running in the background. We have access to the device on the highest level, and we can send stuff that Nest sends to us as well.”

House fully controlled by attackers

Nest has previously been hacked, again using a USB device – allowing “total control” over the gadget. Any attacker would need physical access to the device, but once installed, the proof of concept code would allow an attacker to “make changes without ANY restrictions”, the researchers write.

ESET’s 2014 Mid-Year Threat Report is to discuss the increasing security concerns over internet-connected devices in a segment entitled, “The Internet of (Infected) Things”. The full talk is available to download via https://www.brighttalk.com/webcast/1718/110971.

Flash Memory Card Risks (podcast)
http://www.welivesecurity.com/podcasts/flash-memory-card-risks/ – Fri, 08 Aug 2014 16:40:20 +0000

The state of healthcare IT security: are Americans concerned enough?
http://www.welivesecurity.com/2014/08/08/healthcare-it-security-americans-concerned/ – Fri, 08 Aug 2014 16:20:46 +0000
The privacy and security of medical records is a matter of concern to many Americans now that most are stored electronically, but is there cause for concern? And who is most concerned?

With the health records of most Americans now stored, in whole or in part, on computers, it seems timely to ask how people feel about that. Are they happy with this aspect of healthcare evolution? Are they concerned? Do they have reasons to be concerned? This article examines these questions and supplies some numbers that may provide answers.

[Update, August 18, 2014: "Hack of Community Health Systems Affects 4.5 Million Patients" is reported in the New York Times, which cites the figure of 24,800 medical records exposed per day in 2013, detailed in this article.]

Cause for concern: numbers

When you ask people how they feel about anything health-related you tend to get a wide range of responses and some of them are, understandably, personal and even emotional. So let’s start with some relatively clinical facts, like 24,800. That is the average number of Americans who, by my calculation, had their Protected Health Information (PHI) exposed, per day, in 2013.

I refer to this as my calculation because I derived it from a spreadsheet that I built out of the database that is published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the web page known in the healthcare IT world as “the wall of shame” (seriously, just Google: OCR wall of shame). The database contains all of the reports of PHI exposure required under the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA.

Every time I quote that figure of 24,800 records breached, per day, on average, I go check my formulas to make sure I have this number right, and I’m pretty sure I do, with a couple of caveats:

  • First, the official title of the page is Breaches Affecting 500 or More Individuals, and that describes the content of the database they publish, which covers 2009 through May of this year. In other words, that average of 24,800 for 2013 does not include breaches that year which affected less than 500 people, of which there were scores if not hundreds.
  • Second, my count is based on the year of the breach, or the final year in the case of a multi-year breach. Obviously, this could be different from the year in which the breach came to light. That’s one reason I am quoting 2013, because the numbers for 2014 are not going to be anything like “complete” until at least mid-2015.*
  • For reference, my total count for 2013 is 9,054,35. The total for all reports, from late 2009 to the most recent posting I captured (Minneapolis VA Health Care System, 5/22/14) came to: 33,738,538. So far in 2014, the count is about 1.5 million, but sadly the year is yet young in terms of breaches coming to light.
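The calculation behind the 24,800 figure, and both caveats above, can be made explicit in a few lines. The Python below is an added example, not the author’s spreadsheet: it attributes each breach to its final year (so a breach running from late 2012 into 2013 counts for 2013), drops anything under the 500-individual reporting floor (which is why such breaches are invisible in the OCR database), sums the records for each year and divides by the number of days in that year. The six breach reports are constructed placeholders; the real per-day average in the article comes from the HHS OCR database, not from these numbers.

```python
"""Reproduce a "records exposed per day" figure from a list of breach reports.

Added example, not the author's spreadsheet. The breach records are
constructed; the real input is the HHS OCR "Breaches Affecting 500 or More
Individuals" database.
"""
from datetime import date

# Constructed breach reports: (covered entity, individuals affected,
# breach start date, breach end date). Single-day breaches repeat the date.
# One entry spans two calendar years and one is under the 500 reporting floor.
BREACHES = [
    ("Example Hospital A", 12_000, date(2013, 1, 15), date(2013, 1, 15)),
    ("Example Clinic B", 3_650_000, date(2013, 6, 1), date(2013, 6, 30)),
    ("Example Plan C", 400_000, date(2012, 11, 1), date(2013, 2, 28)),  # multi-year
    ("Example Practice D", 800, date(2012, 5, 5), date(2012, 5, 5)),
    ("Example Lab E", 450, date(2013, 3, 3), date(2013, 3, 3)),  # below the floor
    ("Example Hospital F", 1_500_000, date(2014, 2, 10), date(2014, 2, 10)),
]

REPORTING_FLOOR = 500   # OCR only publishes breaches affecting 500+ individuals


def breach_year(start, end):
    """Attribute a breach to its final year, as the article does for multi-year breaches."""
    return end.year


def records_by_year(breaches, floor=REPORTING_FLOOR):
    """Sum individuals affected per breach year, skipping reports under the floor."""
    totals = {}
    for _entity, affected, start, end in breaches:
        if affected < floor:
            continue   # would never appear in the 500+ database
        year = breach_year(start, end)
        totals[year] = totals.get(year, 0) + affected
    return totals


def days_in_year(year):
    """365 or 366, so leap years do not skew the per-day average."""
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def records_per_day(breaches, year, floor=REPORTING_FLOOR):
    """Average individuals exposed per day in `year`, rounded to a whole number."""
    total = records_by_year(breaches, floor).get(year, 0)
    return round(total / days_in_year(year))


if __name__ == "__main__":
    for year, total in sorted(records_by_year(BREACHES).items()):
        print(f"{year}: {total:,} individuals, {records_per_day(BREACHES, year):,} per day")
```

Running `records_by_year(BREACHES, floor=0)` shows how much the reporting floor hides; and because the final year of a breach can be later than the year it was reported, a per-day figure for the current year keeps rising as late reports arrive, which is the second caveat in code.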

To be clear, I am not equating breaches with harm, but harm definitely occurs in some cases (a good source for insight on this would be the Ponemon Institute Survey on Medical Identity Fraud which estimated the financial impact to consumers at $12 billion in 2013). Many of the millions of records that are exposed each year don’t end up in the hands of bad people, but we know for sure that some do, and nobody has a good handle on exactly how many. For a well-documented example of how criminals sell and exploit personal information stolen from medical companies, see Brian Krebs’ article on the doctors hit by tax fraud earlier this year.

I definitely think the current state of IT security in the healthcare world is cause for serious concern, although some would say medical data breach statistics pale in comparison to the number of premature deaths associated with preventable harm to patients (recently estimated at more than 400,000 per year). However, data breaches and medical errors are not unrelated, particularly when greater use of IT systems and digital devices is often put forward as a way to reduce preventable medical errors. That is not reassuring, given some of the attitudes toward information security that I have observed in different parts of the medical world.

Cause for Concern: Attitudes

The recent SANS Health Care Cyber Threat Report, sponsored by threat intelligence vendor Norse and reported in detail by Dan Munro on Forbes, contains not only troubling numbers about healthcare IT security, but also reminds us that medical devices, many of which are actually computers, are at risk. For example, I am writing this article at Black Hat, an annual security event in Las Vegas known for revealing new vulnerabilities in digital devices and systems. Yesterday I had a chance to talk to Jay Radcliffe, the man who opened a lot of eyes to the vulnerability of medical devices when he hacked his own insulin pump at Black Hat in 2011. So I asked Radcliffe, himself a Type 1 diabetic, if things had changed since then, “Not really,” said Radcliffe, who has tried to raise awareness of security issues among medical device makers, adding, “In fact, that’s the main reason I no longer use an insulin pump.” (You can read more about Radcliffe on the blog of Boston-based cybersecurity firm Rapid7 where his job title just happens to be the same as mine: Senior Security Researcher.)

Right before Black Hat, I was at an event called ChannelCon, put on by CompTIA, the computer trade industry association. ChannelCon is a great place to meet the people who actually sell and deliver IT products and services, from enterprises to small businesses. Those products and services include security, including firewalls, antivirus, encryption, authentication, backup and recovery and threat intelligence. I asked a number of IT integrators and managed service providers about selling security in the medical sector, specifically doctors’ offices. The answer I heard loudest and most often? “Doctors don’t care.” When I asked “But what about HIPAA?” the answer was: “They just don’t care.”

Obviously this is not true of all doctors, but I’ve now heard this refrain enough times to think there is a real problem here. After all, aren’t doctors required to protect electronic health records by professional ethics as well as law? Is there some sort of collective denial going on here? I think that question has probably come up at OCR, which continues to find even large and well-funded hospital systems not meeting HIPAA privacy and security requirements. And before anyone says these are too onerous or were imposed too quickly, consider this:

“We are looking at a federally-mandated standard for security practices within companies involved in healthcare or handling health-related information. Note that these are considered practices necessary to conduct business electronically in the health care industry today. In other words, normal business costs, things you should be doing today…”

That is a direct quote from my first conference presentation on the importance of getting ready for HIPAA’s privacy and security requirements, delivered in March of 2001. That’s right, more than 13 years ago. The point being, health information on computer systems should have been protected in 2001, before the rules and regulations were finalized, before the compliance deadlines, before the first fines were levied, before the multimillion dollar fines, of which we are likely to see more before the year is out.

Signs of Concern

With all these causes for concern, how concerned are Americans? Not to be glib, but the answer really depends on whom you ask. For example, earlier this year we asked 1,734 American adults if they were concerned about the security and privacy of their electronic patient health records and 40 percent said they were, while 43 percent said they were not. However, the other 17 percent said that, to their knowledge, their health records were not in electronic format. So if we take them out of the equation, the “concerned or not?” question breaks down as 48 percent yes, versus 50 percent no.

Within these numbers, there are some interesting demographic variations. For example, those aged 45-54 are more likely to be concerned than those aged 18-44. Concern was greater among those with a college education and among those with children in the household (54 percent vs. 46 percent). Concern was expressed more often among those at the upper and lower ends of the household income scale, with those in the $75K to $90K range concerned less often (45 percent).

I should point out that this survey population may not be entirely representative of the whole adult population. For a start, it is a subset of the 2,034 people to whom we put this question: “How familiar, if at all, are you with the recent NSA news about secret government surveillance of private citizens’ phone calls, emails, online activity, etc.?” The people we quizzed about medical records were “at least somewhat aware” of the Snowden/NSA revelations, about 85 percent of the original sample.

Just under half of the American adults who are sufficiently in touch with news and technology to be aware of both the Snowden revelations and the fact that their health records are stored electronically are concerned about the privacy and security of those records. Shouldn’t we be seeing a greater level of concern than this? In my opinion, the answer is yes, but that alone is not likely to change many minds. What will change minds is the electronic-health-records equivalent of the Snowden revelations or the Target breach: a revelation or incident so far-reaching and egregious that just about everyone in the country sits up and takes notice. If that happens there will be headlines, accusations, letters to Congress, recriminations, investigations, jobs lost and eventually huge fines and damage awards.

It would be very sad to see something like that embroil the healthcare industry in America, in which so many people work so hard to improve the lives of others. But unless attitudes change and the numbers improve, and unless our government decides to get serious about reducing cybercrime, the outlook is stormy at best.


Note that additional results from the survey referred to in this article, which was conducted by ESET in conjunction with Harris Interactive, were published here and additionally here.

*The issue of when breaches occur versus when they come to light can be seen in this article in Health IT Outcomes about the 2013 statistics. It was written early in 2014 and cites a smaller number of total breaches: 8 million versus the 9 million that are listed as “2013” by July of 2014 (to paraphrase the Dude: “New breaches have come to light”). However, the article goes on to quote a very interesting source that asserts the total breach numbers are far higher than is reported.

The post The state of healthcare IT security: are Americans concerned enough? appeared first on We Live Security.

Internet of things: Hacker unleashes “mayhem” in 200 hotel rooms http://www.welivesecurity.com/2014/08/08/internet-of-things-mayham-in-200-room-hotel-hack/ http://www.welivesecurity.com/2014/08/08/internet-of-things-mayham-in-200-room-hotel-hack/#comments Fri, 08 Aug 2014 16:18:31 +0000 Internet of things: Hacker unleashes “mayhem” in 200 hotel rooms http://www.welivesecurity.com/?p=49207 Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China - switching off lights, changing the TV channel, raising blinds and fiddling with the temperature.

The post Internet of things: Hacker unleashes “mayhem” in 200 hotel rooms appeared first on We Live Security.

Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China via an aging ‘internet of things’ system – switching off lights, changing the TV channel, raising blinds and fiddling with the temperature, according to Sky News.

Security researcher Jesus Molina said that his hack was pulled off using an in-room iPad and the hotel’s ‘internet of things’ system, and began simply because he was “bored”.  “I thought about looking to see if a similar system controlled the door locks but got scared,” says Molina, according to Wired’s report.

That did not stop him from switching on and off the “Do Not Disturb” signs on hotel rooms, according to the South China Morning Post.

The Register reports that Molina’s hack was possible due to an aging home automation system – KNX/IP – which dates from the Nineties. It’s still used widely in the Far East and in some hotels in Europe. Molina’s results formed part of the Black Hat security conference in Las Vegas.

Internet of Things: Tool for thermostatic war

Molina found that the iPads – handed out to guests at the five-star St Regis in Shenzhen – were connected to one another via the hotel’s network, so he was able to reach other rooms and cause (mild) mayhem. The SCMP reported that a “digital butler” app allowed Molina to control electronics at will – and to map out the IP address of each room.

Shenzhen, the SCMP reports, is considered the “Silicon Valley” of China, and plays host to wealthy tech executives. In a previous case, a Spanish hacker seized control of automated rooms in another hotel via its Internet of Things system.

“Guests make assumptions that the channel they are using to control devices in their room is secure,” Molina says. But the protocol used in the St Regis is not. “The KNX/IP protocol provides no security so any hotel or public space that have deployed it on an insecure network will make it easy to exploit.”

‘Ever had the urge to create mayhem?’

Molina’s presentation, ‘Learn How To Control Every Room At A Luxury Hotel Remotely’, is not a “hack” as such – it takes advantage of an old communication system that lacks modern protection. Earlier this year, veteran security reporter Brian Krebs reported that hotel business centers were plagued with keylogger malware.

Hacks against hotels and their wealthy clientele are not rare in China. Earlier this year, a huge amount of private information harvested via hotel Wi-Fi networks went on sale in China – including phone numbers, dates of birth and addresses from hotel guests who logged in to networks in their rooms.

“People rushed to check hotel bookings by celebrities and their family members,” says Patrick Boehler, a journalist for the South China Morning Post, who worked on the story, speaking to WeLiveSecurity.

Molina’s hack penetrated deeper into the hotel’s Internet of Things systems – and he says the protocol is still used in well-known hotels in the West.

“Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM?” Molina asked. “I was able to create the ultimate remote control: The attacker does not even need to be at the hotel – he could be in another country.”
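The weakness Molina describes is visible in the wire format itself. As an added example (this is not code from the article, from Molina’s talk, or from the hotel’s system), the Python decoder below parses two hand-constructed KNXnet/IP datagrams, a tunnelling request and a routing indication, each carrying a cEMI group-value write of the kind that switches a light or moves a blind. Every field, including the sender’s individual address, is plaintext, and there is no authentication or integrity field anywhere in the frame, so any host that can reach the gateway on UDP port 3671 can send the same bytes. The field layout is the standard KNXnet/IP and cEMI one; the frames, device addresses and group addresses are constructed for illustration.

```python
"""Decode KNXnet/IP frames carrying cEMI group telegrams.

Added example, not code from the article or from Molina's Black Hat talk.
The two sample frames are constructed by hand; the field layout follows the
KNXnet/IP header, the tunnelling connection header and the cEMI L_Data
format. Port and multicast group are the standard KNXnet/IP ones.
"""
import struct

KNXNETIP_PORT = 3671                 # UDP port used by KNXnet/IP
KNXNETIP_MULTICAST = "224.0.23.12"   # multicast group used by KNXnet/IP routing

SERVICE_TYPES = {
    0x0201: "SEARCH_REQUEST", 0x0202: "SEARCH_RESPONSE",
    0x0205: "CONNECT_REQUEST", 0x0206: "CONNECT_RESPONSE",
    0x0420: "TUNNELLING_REQUEST", 0x0421: "TUNNELLING_ACK",
    0x0530: "ROUTING_INDICATION",
}
CEMI_MESSAGE_CODES = {0x11: "L_Data.req", 0x29: "L_Data.ind", 0x2E: "L_Data.con"}
# 10-bit APCI values of the three short group services (upper 4 bits select them)
APCI_NAMES = {0x000: "A_GroupValue_Read", 0x040: "A_GroupValue_Response",
              0x080: "A_GroupValue_Write"}


def individual_address(raw):
    """16-bit individual (device) address as area.line.device."""
    return f"{raw >> 12}.{(raw >> 8) & 0x0F}.{raw & 0xFF}"


def group_address(raw):
    """16-bit group address in 3-level main/middle/sub notation."""
    return f"{raw >> 11}/{(raw >> 8) & 0x07}/{raw & 0xFF}"


def parse_cemi(cemi):
    """Decode a cEMI L_Data frame into its addressing and APCI fields."""
    msg_code, add_info_len = cemi[0], cemi[1]
    off = 2 + add_info_len                     # skip the additional-info block
    ctrl1, ctrl2 = cemi[off], cemi[off + 1]
    src, dst = struct.unpack_from(">HH", cemi, off + 2)
    data_len = cemi[off + 6]                   # APDU length after the TPCI octet
    tpdu = cemi[off + 7: off + 8 + data_len]
    is_group = bool(ctrl2 & 0x80)              # destination address type bit
    apci10 = ((tpdu[0] & 0x03) << 8) | tpdu[1]
    service = apci10 & 0x3C0
    # a 1-octet APDU carries its value in the low 6 bits of the APCI octet
    value = apci10 & 0x3F if data_len == 1 else bytes(tpdu[2:])
    return {
        "message": CEMI_MESSAGE_CODES.get(msg_code, f"0x{msg_code:02x}"),
        "priority": ("system", "normal", "urgent", "low")[(ctrl1 >> 2) & 0x03],
        "hop_count": (ctrl2 >> 4) & 0x07,
        "source": individual_address(src),
        "destination": group_address(dst) if is_group else individual_address(dst),
        "apci": APCI_NAMES.get(service, f"0x{apci10:03x}"),
        "value": value,
    }


def decode_packet(packet):
    """Decode one KNXnet/IP datagram (tunnelling or routing) from raw bytes."""
    header_len, version, service, total_len = struct.unpack_from(">BBHH", packet)
    if header_len != 6 or version != 0x10 or total_len != len(packet):
        raise ValueError("not a well-formed KNXnet/IP frame")
    frame = {"service": SERVICE_TYPES.get(service, f"0x{service:04x}")}
    if service == 0x0420:      # tunnelling: a 4-byte connection header precedes cEMI
        frame["channel_id"], frame["sequence"] = packet[7], packet[8]
        frame["cemi"] = parse_cemi(packet[6 + packet[6]:])
    elif service == 0x0530:    # routing: cEMI follows the KNXnet/IP header directly
        frame["cemi"] = parse_cemi(packet[6:])
    return frame


# Constructed sample 1: TUNNELLING_REQUEST on channel 1, L_Data.req from
# device 1.1.10 writing value 1 (e.g. "on") to group address 1/0/1.
SAMPLE_TUNNELLING_REQUEST = bytes.fromhex(
    "06 10 04 20 00 15"                 # header: len 6, version 1.0, service, total 21
    "04 01 00 00"                       # connection header: len 4, channel 1, seq 0
    "11 00 bc e0 11 0a 08 01 01 00 81"  # cEMI L_Data.req, 1.1.10 -> 1/0/1, write 1
)

# Constructed sample 2: ROUTING_INDICATION (multicast), L_Data.ind from
# device 1.1.5 writing value 0 (e.g. "off") to group address 2/1/3.
SAMPLE_ROUTING_INDICATION = bytes.fromhex(
    "06 10 05 30 00 11"                 # header: total length 17, no connection header
    "29 00 bc e0 11 05 11 03 01 00 80"  # cEMI L_Data.ind, 1.1.5 -> 2/1/3, write 0
)

if __name__ == "__main__":
    for name, pkt in (("tunnelling", SAMPLE_TUNNELLING_REQUEST),
                      ("routing", SAMPLE_ROUTING_INDICATION)):
        print(name, decode_packet(pkt))
```

Run over UDP payloads pulled from a capture on port 3671 and the output lists which group addresses are being written, and by which claimed source. The source is just a field any sender fills in, which is why the protocol alone cannot distinguish a guest’s iPad from the hotel’s own controller; the only defence is keeping the KNX segment off any network guests can reach.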

Common password mistakes we all make http://www.welivesecurity.com/videos/common-password-mistakes-make/ http://www.welivesecurity.com/videos/common-password-mistakes-make/#comments Fri, 08 Aug 2014 14:58:50 +0000 Common password mistakes we all make http://www.welivesecurity.com/?post_type=post_video&p=49244 Passwords are critical to safeguarding our personal and financial information, but when using them so often it can be easy to make mistakes. Follow these five simple steps from We Live Security to keep your passwords safe.

The post Common password mistakes we all make appeared first on We Live Security.

Online privacy – FBI ‘using malware’ to track site visitors http://www.welivesecurity.com/2014/08/07/online-privacy-fbi-using-malware-track-site-visitors/ http://www.welivesecurity.com/2014/08/07/online-privacy-fbi-using-malware-track-site-visitors/#comments Thu, 07 Aug 2014 15:02:24 +0000 Online privacy – FBI ‘using malware’ to track site visitors http://www.welivesecurity.com/?p=49174 For several years, FBI agents have been taking an unusual approach to detective work online - using malware against suspects who have not been proven guilty, just visited the wrong Tor site.

The post Online privacy – FBI ‘using malware’ to track site visitors appeared first on We Live Security.

For several years, FBI agents have been taking an unusual approach to detective work online – using malware against suspects who have not been proven guilty, just visited the wrong site.

Wired’s Kevin Poulsen has a detailed analysis of the attacks, and their context: “For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

If true, the technique is at least controversial, and possibly questionable in legal terms. The technique, which Poulsen’s sources claim has been in use for years, relies on a “drive-by download” where site visitors are infected with malware – in this case, to de-anonymize users of child pornography sites.

Most high-profile arrests of the administrators of Tor “hidden service” sites have relied on alleged perpetrators leaking information in the real world – as in the case of the arrest of alleged Silk Road founder Ross Ulbricht.

Online privacy: Tor users targeted

Tor’s security – best understood as the layers of an onion, hence the name ‘The Onion Router’ – routes each connection through a circuit of relays drawn from thousands of volunteer-run nodes, with a separate layer of encryption for each hop, making sites and users hard to trace.

It is claimed that the FBI malware not only logged MAC addresses, but persisted on victim computers for years after they had visited “hidden services” alleged to host child pornography.

Designed with the help of U.S. military experts, The Tor Project is still heavily funded by the U.S. government – even the NSA grudgingly admits it is “the king” of anonymity – but its dark web sites are now full of discussions about thieves, informers, hackers, and PGP keys.

Tor is a privacy tool which also allows users to access “hidden” sites, with the .onion suffix, which cannot be reached via regular web browsers – users instead use the Tor Browser, a customized bundle built on open-source browser code. It’s used by political activists – but also plays host to markets selling child pornography, hacked data, drugs and weaponry.

Online drug bazaars

Forbes commented: “Because looking at child porn is a crime, it’s a fairly unobjectionable deployment of FBI spyware but the method — which the FBI calls the “network investigative technique” — raises questions about when else law enforcement might feel it has the right to drop spyware on your computer just for visiting a website. Will browsing an online drug bazaar get you reported to the cops even if you don’t buy?”

Tor has been in the news constantly after an alleged attack aimed at de-anonymizing users, which was due to be part of a presentation at Black Hat 2014, but was pulled amid legal concerns.

“This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”

Anonymity under threat?

Several high profile arrests have been linked to suspected outbreaks of ‘de-anonymizing’ malware on Tor. 28-year-old Eric Eoin Marques, described as “the largest facilitator of child porn on the planet”, was arrested after unknown software harvested PC MAC addresses and sent them to a remote webserver.

“It’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services,” Tor said in its official post.

Wired’s Threat Level blog claimed the information was being sent to an address in Virginia, home of the FBI.

Poulsen’s in-depth report claims that agents installed the malware on “hidden services” after arresting an American man for hosting child pornography. Visitors to his sites then had their MAC and IP address logged – big news on Tor. Poulsen reports that “over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result” according to Gizmodo.

Slashdot users were dismissive – one said, “In a nutshell, they simply had any computer that contacted the web site send back the computer’s real IP address and its MAC address. The actual security of Tor wasn’t affected. Just that compromising information was sent through the Tor network. Just as any other data would be sent through the Tor network.”

