Friday, 25 March 2011

Password Security - The Only Secure Password Is the One You Can’t Remember

Let's assume you log onto a bunch of different websites: Facebook, Gmail, eBay, PayPal, probably some banking, maybe a few discussion forums, and probably much, much more. Consider a couple of questions:

  • Do you always create unique passwords such that you never use the same one twice? Ever?
  • Do your passwords always use different character types such as uppercase and lowercase letters, numbers and punctuation? Are they "strong"?
If you can't answer "yes" to both these questions, you've got yourself a problem. But the thing is, there is simply no way you can remember all your unique, strong passwords and the sooner you recognize this, the sooner you can embrace a more secure alternative.


Let me help demonstrate the problem; I'll show you what happens when you reuse or create weak passwords based on some real world examples which should really hit home. I'll also show you how to overcome these problems with a good password manager so it's not all bad news, unless you're trying to remember your passwords.

The tyranny of multiple accounts

Think about it; how many accounts do you have out there on the internet? 10? 20? 50? I identified 90 of mine recently and there are many more I've simply forgotten about. There is absolutely no way, even with only 10 accounts, you can create passwords that are strong, unique and memorable.

What happens is that people revert to patterns including family names, pets, hobbies and all sorts of natural, somewhat predictable criteria. Patterns are a double-edged sword in that whilst they're memorable, they're also predictable, so even if the pattern might seem obscure, once it's known, well, you've got a bit of a problem.

Patterns and predictable words are bad, but what's even worse is password reuse. Because we simply end up with so many of the damn things, the problem of memorising them gets addressed by being repetitive. Easy? Yes. Secure? No way.

Continue reading the full article: http://lifehacker.com/#!5785420/the-only-secure-password-is-the-one-you-cant-remember

[Lifehacker]

Thursday, 24 March 2011

Mobile Phones are Being Hacked and Cloned

Cloning occurs when hackers scan the airwaves to obtain SIM card information, electronic serial numbers and mobile identification numbers, and then use that data on other phones.

Cloning can happen anywhere, anytime that you’re using your phone. The bad guy simply uses an interceptor, hardware, and software to make a phone exactly like yours.

A few years ago, I was in San Diego on business. Two weeks later I received a call from my carrier alerting me to $1500.00 worth of international calls I had not made. The activity triggered an alert within their system and they shut my account down.

Fortunately for me, my carrier recognized the fraud and relieved me of the charges, rather than me discovering it and having to fight to reverse the charges. Apparently, it was a known issue that scammers in Tijuana were cloning U.S.-based phones.

Anita Davis, another mobile clone victim, wasn’t so lucky. One month, her cell phone bill showed $3,151 worth of calls to Pakistan, Israel, Jordan, Africa, and other countries.

Anita called her carrier immediately and told them she didn’t know anyone in those countries, or anyone outside the U.S. for that matter.

She says, “They told me I had to have directly dialed these numbers from my cell phone and I needed to make a payment arrangement or they would send my bill to collections.”

After begging and pleading, Anita convinced them to drop the charges.

The extent of your vulnerability varies depending on your phone and the network you’re on. Cloning mobile phones is becoming increasingly difficult, but consumers can’t do anything to prevent it from happening.

The best way to mitigate the damage is to watch your statements closely. The moment you see an uptick in charges, contact your carrier and dispute the calls.


Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)

[InfoSecIsland]

TripAdvisor member database breached, part of it stolen


Just days after Play.com notified its customers of a breach that resulted in their email addresses being compromised and some of its users being targeted with malicious emails, it's the turn of another Internet giant to send out warning emails to its customer base.

According to Tom Mollerus, TripAdvisor has been contacting its users and notifying them of a breach.

"This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down," says Steve Kaufer, co-founder and CEO of TripAdvisor, in the email.

"How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident."

He also made sure to point out that the site does not collect members' credit card or financial information, and that it would never sell or rent its member list.

Information about the incident has already been shared with law enforcement, and an investigation into the breach is ongoing.

Lock Down Your Life: How to Secure Your Home, Auto and Smartphone

The more sophisticated technology gets, the more sophisticated the criminals get.
Because of that, protecting yourself and your family these days involves a lot more than just making sure the front door is locked and that you haven't left the keys in the car.

Smartphone owners, for example, are increasingly the target of the same sorts of attacks and scams — many of which can result in identity theft — that have been plaguing computer users for years.
Users of Android-based phones recently learned that more than 50 malicious apps had been uploaded to the Android Market app store, and then installed on roughly 260,000 phones within a few days.

(Google yanked the apps from the Android Market, then used its “kill switch” to remotely remove the installed apps from users’ phones; Apple has a similar “kill switch” for iPhones and iPads.)

Landlines can also be hit by scams, such as the call-forwarding *72 attack in which a stranger tricks the victim into forwarding all incoming calls to another number — and then proceeds to rack up charges on the account.

Even cars, which have security systems built into nearly all new models, continue to be a major target. According to the National Insurance Crime Bureau, a vehicle is stolen every 33 seconds in the United States.

And, of course, home break-ins continue. The FBI reports that in 2009, the most recent year with confirmed data, there were 2.2 million burglaries in the U.S., costing victims an estimated $4.6 billion in lost property.

So how can you protect yourself from scams and break-ins?

In addition to writing down the vehicle-identification number of your car and serial numbers for expensive equipment, such as a flat-screen TV or computer, there are several ways to protect everything from your phone to your home using some relatively simple technology.

Smartphones: For your smartphone, first make sure you've enabled password protection. Then consider a "lost phone" tracking app, as well as anti-virus/malware software.

There are several on the market, including one from Lookout Mobile Security. A free version is available for Android and Blackberry phones, and it includes a lost/stolen-phone location service and virus scanning. If you can't get your phone back, it will also remotely wipe your personal info from the device.

A premium version, for $29.99 a year, includes privacy tracking and protection.

Vehicles: Car and truck owners can also take advantage of GPS tracking and warning devices. For GM owners, there's the OnStar service, but any car can be outfitted with similar security and tracking features.

LoJack has an Early Warning Package for $995 (installed). If your car is moved, the LoJack network can send a phone, email or text message alert.

However, LoJack is available only in 29 states. For nationwide coverage, there's the Escort EntourageCIS, $400, plus $60 for installation and a $180-a-year subscription.

Like LoJack, the EntourageCIS can warn a driver via email, text or phone message if a car is moved. More important, if your car is stolen and you don’t respond to alerts, a 24-hour monitoring station will contact local law enforcement and send them after the thieves.

Home: As the summer approaches and more homeowners leave for long vacations, alarms and monitoring services can be useful. As an alternative to calling in a professional (and paying monthly fees), you now have the option of installing your own cameras and monitoring equipment.

Among the raft of do-it-yourself equipment now available is the $300 Logitech Alert 750i Master System. The video-based monitoring system can be installed in about 30 minutes and uses a home's electrical circuits to connect to a home network and the Internet.

Using a Web browser, owners can log in any time for free to see and hear what's going on back home, or they can have email alerts sent to them whenever motion is detected.

Some people may find all this monitoring and scanning technology brings with it a touch of paranoia.

But, if you're ever the victim of a burglary or lose your phone, you won't seem so paranoid any more.

[SecurityNewsDaily]

Serious cyber attack targets EU institutions on eve of summit

Today is the first day of the first EU summit that takes place under the Hungarian presidency, and European leaders have gathered in Brussels to discuss matters such as the rising European debt crisis and the Libyan unrest and the subsequent military action.

But on the very eve of the summit, an unexpected occurrence cast a dark shadow over the event. The BBC reports that the European Commission and the External Action Service - the Community's diplomatic arm - have been hit by a "serious" cyber attack.

So far, details about the attack have not been divulged.

"We are already taking urgent measures to tackle this. An inquiry's been launched. This isn't unusual as the commission is frequently targeted," said EU spokesman Anthony Gravali.

An anonymous source confirms: "We're often hit by cyber attacks but this is a big one." Other sources compare the attack to the recently revealed one that targeted the computers of the French Ministry of Finance, when more than 150 machines were compromised.

Even though Gravali says that the European Commission will not speculate on the origin of the attacks, the similarities raise the possibility that the attackers could be the same ones that targeted the French. At the time, internal sources said that some of the files were redirected to Chinese sites, but they conceded that this fact doesn't say much.

The entire European Commission staff has been asked to change their passwords and to make sure to exchange information via secure email systems. The Commission has also shut down external access to email and the Commission's intranet, so that unauthorized information doesn't leak out.

[Net-Security]

Adobe, Apple Release Urgent Security Updates

It was Patch Tuesday for the second time this month — except this week it’s Adobe and Apple, not Microsoft, products that have urgent security updates.

Adobe yesterday released updates for its Acrobat and Reader applications and Flash Player browser plug-in to patch a dangerous vulnerability reported last week.

Bad guys had already been using the hole to attack PC users via Excel files infected with bad Flash objects.
The vulnerability affects all major PC operating systems (Windows, Mac and Linux), plus a minor one (Oracle’s Solaris) and Android OS smartphones, as well as all browsers.

Google’s Chrome got a jump on the Flash Player patch a few days earlier, thanks to a tight relationship with Adobe. Users running Chrome will still have to patch other browsers and the stand-alone Reader and Acrobat applications.

As has been the case for years, Internet Explorer requires a separate Flash Player plug-in from the other browsers.

Apple iOS devices will not need a patch; Steve Jobs’ ban on Flash for the iPhone and iPad seems to extend to Acrobat and Reader as well. (iOS reads PDF files natively.)

All patches are available from Adobe’s website here.

Slightly less urgent, but no less comprehensive, is Apple’s latest and possibly final major update to its Snow Leopard version of OS X.

This one bumps the version number up to 10.6.7 and patches 40 vulnerabilities in Apple and open-source apps and services, many related to the handling of image files.

Sophos’s Naked Security blog notes that the update also boosts Apple’s Safari browser to 5.0.4, which patches another 60 or so security holes.

Similar security upgrades are also available for OS X 10.5 Leopard, the last version of OS X to run on PowerPC-based Macs.

Apple’s OS X 10.7 Lion is scheduled to come out this summer.

Apple’s Software Update should automatically download the updates and prompt users to install them. If not, the updates can be found here.

[SecurityNewsDaily]

‘Granny Scam’ Uses Facebook to Target Seniors

The good hearts and generosity of grandparents are being exploited in a cruel new scam.

The “grandparent scam” occurs when an unsuspecting senior citizen receives an urgent phone call from someone claiming to be a grandchild. The impostor tells the grandparent that he is seriously hurt, or in jail, and desperately needs hundreds or thousands of dollars wired to him immediately.

Believing the caller to be their grandchild, the frightened grandparents wire money to the scammer.

“Scams in which criminals prey on senior citizens, manipulating their fears and stealing their savings, are among the most malicious in our society,” New Jersey Attorney General Paula Dow said.

Yesterday (March 23), Dow, with the N.J. State Division of Consumer Affairs and the Consumer Federation of America, launched a campaign to combat and educate against the grandparent scam.

While many traditional frauds – the Nigerian 419 scam, for example – are easy to detect and avoid, the grandparent scam comes with an air of authenticity that adds a frightening element of reality to an otherwise phony phone call.

Social networking sites offer a wealth of family information – often including the grandparents' and grandchild's names, addresses and dates of birth – that a scammer can use to effectively pose as the victim’s grandchild. Armed with those details, a frantic “Grandma, I need help” call creates an extremely vulnerable victim.

Speaking at the New Jersey campaign launch, Jim and Dorothy, a couple from Wayne, N.J., told the story of how they received a call on Feb. 15 from a young person pretending to be their grandson. He said he had broken his nose in a car accident, and was now in jail in Canada and needed $2,800 for bail. The scammer used specific family details obtained from the grandson’s Facebook page.

“We thought our grandson was injured, in trouble and in need of money and we wanted to help him,” Jim told CBS New York. Thankfully, before they wired any money, Jim and Dorothy contacted their daughter — the alleged grandson’s mother — and found their real grandson was in school — not in Canada — and that they’d been scammed.

To steer clear of the grandparent scam, the Consumer Federation of America urges people to ask detailed questions of the caller, questions no impostor could know – “the name of the person’s pet, for example, or the date of their mother’s birthday.”

It’s important also to report the scam to the money-wiring service the grandchild wants the victim to use.

[SecurityNewsDaily]

Play.com customers receiving malicious emails, Silverpop blamed


The notification and the warning that Play.com sent out to its customers following a breach of systems belonging to the company that handles part of its marketing communications seems to have been a reaction to its customers' complaints on public online forums and direct complaints to the company.

"On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com," said John Perkins, Play.com CEO, in a statement issued yesterday. "We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps."

He also identified the third-party marketing company that handles their communications: it's Silverpop. As you might remember, the compromise of Silverpop's systems has caused problems for McDonald's, deviantArt's and Walgreens' customers.

"We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop," Perkins revealed.

When the Silverpop breach was first revealed, I believed that it would be a good idea for all Silverpop Systems clients - and there are many! - to warn their customers about the possibility of being on the receiving end of malicious spam, and now it seems that I was right.

The only thing that's bothering me is the fact that email addresses belonging to Play.com customers were misused only now - three months after the Silverpop breach was made public. Why did the spammers wait so long?

"Investigations at the time showed no evidence that any of our customer email addresses had been downloaded," said Perkins. Could it be that Play.com's mailing list was stolen in a second breach that happened more recently?

Second hand phones contain extensive personal data

People are unsuspectingly selling their personal information to complete strangers as a new report from CPP finds half (54%) of second hand mobile phones contain extensive personal data.

Second hand mobile phones and SIM cards purchased by CPP on eBay and in used electronics shops were examined in a live experiment to see what personal information was available on the handsets and whether it constituted a threat to their former owners' identities.

The experiment revealed 247 pieces of personal data that had been carelessly left on a range of mobile phones and SIM cards. The personal data included credit and debit card PIN numbers, bank account details, passwords, phone numbers, company information and login details to social networking sites like Facebook and LinkedIn.

In research that supported the experiment, half of second hand mobile owners said they have found personal information from a previous owner on mobile phones and SIM cards they have purchased second hand.

Worryingly, the vast majority (81 per cent) of people claim to have wiped their mobiles before selling them, with six in ten confident they have removed all of their personal information from them. However, the experiment revealed that 54 per cent of mobile phones and SIM cards contained sensitive personal information putting people at unnecessary risk of identity and card fraud.

The variance could be explained by the fact that most people who claimed to have 'wiped' their handsets tried to erase the data manually – a process that security experts acknowledge leaves the data intact and retrievable.

And it seems personal information comes cheap with individuals selling their old handsets and SIMs for an average price of 47 pounds Sterling.

As people rely heavily on their mobile phones to store personal data such as e-mail addresses, social networking login details, bank account details and even debit and credit card PIN numbers, CPP is calling on people to make sure they remove all of their personal and financial information from their mobile phones and undertake adequate security measures to protect themselves from identity theft.

Senior Vice President of CRYPTOCard Jason Hart said: "The safest way to remove all of your data from a mobile phone or SIM card is to totally destroy the SIM and double check to ensure that all content has been removed from your phone before disposal. With new technology does come new risks and our experiment found that newer smartphones have more capabilities to store information and that information is much easier to recover than on traditional mobiles due to the increase of applications."

[Net-Security]

Wednesday, 23 March 2011

Most users unaware of smartphone security risks

Consumers are indifferent to the many serious security risks associated with the storage and transmission of sensitive personal data on iPhone, Blackberry and Android devices, according to The Ponemon Institute.

Following are three of the most alarming results of the survey:
  • 89 percent of respondents were unaware that smartphone applications can transmit confidential payment information such as credit card details without the user’s knowledge or consent.
  • 91 percent of respondents were unaware that financial applications for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials, yet nearly a third (29 percent) report already storing credit and debit card information on their devices and 35 percent report storing “confidential” work related documents as well.
  • 56 percent of respondents did not know that failing to properly log off from a social network app could allow an imposter to post malicious details or change personal settings without their knowledge. Of those aware, 37 percent were unsure whether or not their profiles had already been manipulated.
Other smartphone security dangers include geo-tracking based on location data embedded in image files; the transmission of confidential payment information without the user’s knowledge or consent; and unauthorized (and often unnoticed) premium-service orders on the monthly bill.


"The findings of this study signal what could be an overlooked security risk for organizations created by employees' use of smartphones. Because consumers in our study report that they often use smartphones interchangeably for business and personal, organizations should make sure their security policies include guidelines for the appropriate use of smartphones that are used for company purposes," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

According to the study, 28 percent of respondents were unaware that using their smartphone for business and personal reasons can put business information at risk.

[Net-Security]

Mac OS X 10.6.7 fixes security vulnerabilities

Apple today released Mac OS X 10.6.7 which increases the stability, compatibility, and security of your Mac.

AirPort
A divide by zero issue existed in the handling of Wi-Fi frames. When connected to Wi-Fi, an attacker on the same network may be able to cause a system reset. This issue does not affect systems prior to Mac OS X v10.6.

Apache
Apache is updated to version 2.2.17 to address several vulnerabilities, the most serious of which may lead to a denial of service.

AppleScript
A format string issue existed in AppleScript Studio's generic dialog commands ("display dialog" and "display alert"). Running an AppleScript Studio-based application that allows untrusted input to be passed to a dialog may lead to an unexpected application termination or arbitrary code execution.

ATS
A heap buffer overflow issue existed in the handling of OpenType, TrueType and Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

Multiple buffer overflow issues existed in the handling of SFNT tables. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

bzip2
An integer overflow issue existed in bzip2's handling of bzip2 compressed files. Using the command line bzip2 or bunzip2 tool to decompress a bzip2 file may result in an unexpected application termination or arbitrary code execution.

CarbonCore
When used with the kTemporaryFolderType flag, the FSFindFolder() API returns a directory that is world readable. This issue is addressed by returning a directory that is only readable by the user that the process is running as.
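A defender-side check for the class of problem described in the CarbonCore entry, as an added Python example (not Apple's code and not the FSFindFolder() API itself): it audits whether a directory meant for private temporary files is readable, writable or searchable by group or others, and applies the same remedy the update describes, restricting the directory to the owner. The helper names are hypothetical.

```python
"""Audit a per-user temporary directory for leaked group/other permissions.

Hypothetical helper, not Apple code: it checks the condition the update fixed
(a private temp directory that other local users can read) and remediates it
the same way (owner-only access).
"""
import os
import stat
import tempfile

# Permission bits that must never be set on a private, per-user temp directory.
_GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO   # rwx for group and for others


def audit_private_dir(path):
    """Return a report dict on whether `path` is usable as a private temp directory.

    Checks that the path is a directory, is owned by the calling user, and has no
    read/write/execute bits for group or others (i.e. mode 0700 or stricter).
    """
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    leaked = mode & _GROUP_OTHER_BITS
    if leaked & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("world/group readable")
    if leaked & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("world/group writable")
    if leaked & (stat.S_IXGRP | stat.S_IXOTH):
        problems.append("world/group searchable")
    return {"path": path, "mode": mode, "private": not problems, "problems": problems}


def make_private(path):
    """Apply the remedy the update applied: restrict the directory to its owner."""
    os.chmod(path, stat.S_IRWXU)   # 0o700: rwx for the owner only
    return audit_private_dir(path)


def demo():
    """Reproduce the bug pattern on a throwaway directory and remediate it.

    The directory is deliberately loosened to 0755 (a constructed stand-in for
    the world-readable directory the flawed API returned), audited, fixed and
    audited again. Returns the (before, after) reports.
    """
    path = tempfile.mkdtemp(prefix="carboncore-demo-")
    os.chmod(path, 0o755)            # constructed: simulate the leaky directory
    before = audit_private_dir(path)
    after = make_private(path)
    os.rmdir(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", oct(before["mode"]), before["problems"])
    print("after: ", oct(after["mode"]), after["problems"])
```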

ClamAV
Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.96.5. ClamAV is distributed only with Mac OS X Server systems.

CoreText
A memory corruption issue existed in CoreText's handling of font files. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

File Quarantine
The OSX.OpinionSpy definition has been added to the malware check within File Quarantine.

HFS
An integer overflow issue existed in the handling of the F_READBOOTSTRAP ioctl. A local user may be able to read arbitrary files from an HFS, HFS+, or HFS+J filesystem.

ImageIO
A heap buffer overflow issue existed in ImageIO's handling of JPEG and XBM images. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images and CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.

An integer overflow issue existed in ImageIO's handling of JPEG-encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.6.

Image RAW
Multiple buffer overflow issues existed in Image RAW's handling of Canon RAW images. Viewing a maliciously crafted Canon RAW image may result in an unexpected application termination or arbitrary code execution.

Installer
A URL processing issue in Install Helper may lead to the installation of an agent that contacts an arbitrary server when the user logs in. The dialog resulting from a connection failure may lead the user to believe that the connection was attempted with Apple. This issue is addressed by removing Install Helper.

Kerberos
Multiple cryptographic issues existed in MIT Kerberos 5. Only CVE-2010-1323 affects Mac OS X v10.5.

Kernel
A privilege checking issue existed in the i386_set_ldt system call's handling of call gates. A local user may be able to execute arbitrary code with system privileges. This issue is addressed by disallowing creation of call gate entries via i386_set_ldt().

Libinfo
An integer truncation issue existed in Libinfo's handling of NFS RPC packets. A remote attacker may be able to cause NFS RPC services such as lockd, statd, mountd, and portmap to become unresponsive.

libxml
A memory corruption issue existed in libxml's XPath handling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

A double free issue existed in libxml's handling of XPath expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.6.

Mailman
Multiple cross-site scripting issues existed in Mailman 2.1.13. These issues are addressed by updating Mailman to version 2.1.14.

PHP
PHP is updated to version 5.3.4 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

PHP is updated to version 5.2.15 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

QuickLook
A memory corruption issue existed in QuickLook's handling of Excel files. Downloading a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.6.

A memory corruption issue existed in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution.

QuickTime
Multiple memory corruption issues existed in QuickTime's handling of JPEG2000 images. Viewing a maliciously crafted JPEG2000 image with QuickTime may lead to an unexpected application termination or arbitrary code execution.

An integer overflow existed in QuickTime's handling of movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 this issue was addressed in QuickTime 7.6.9.

A memory corruption issue existed in QuickTime's handling of FlashPix images. Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 this issue was addressed in QuickTime 7.6.9.

A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross-site redirects.

A memory corruption issue existed in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 this issue was addressed in QuickTime 7.6.9.

Ruby
An integer truncation issue existed in Ruby's BigDecimal class. Running a Ruby script that uses untrusted input to create a BigDecimal object may lead to an unexpected application termination or arbitrary code execution. This issue only affects 64-bit Ruby processes.

Samba
A stack buffer overflow existed in Samba's handling of Windows Security IDs. If SMB file sharing is enabled, a remote attacker may cause a denial of service or arbitrary code execution.

Subversion
Subversion servers that use the non-default "SVNPathAuthz short_circuit" mod_dav_svn configuration setting may allow unauthorized users to access portions of the repository. This issue is addressed by updating Subversion to version 1.6.13. This issue does not affect systems prior to Mac OS X v10.6.

Terminal
When ssh is used in Terminal's "New Remote Connection" dialog, SSH version 1 is selected as the default protocol version. This issue is addressed by changing the default protocol version to "Automatic". This issue does not affect systems prior to Mac OS X v10.6.

X11
Multiple vulnerabilities existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues are addressed by updating FreeType to version 2.4.3.

The Seven Deadly Sins of Cybercrime Victims

Like athletes and chess players, cybercriminals are skilled at identifying their targets’ weak points.
Today’s increasingly online and social world offers a host of techniques for preying on potential victims and their weaknesses.
Following are seven weaknesses that you need to watch out for to avoid falling prey to these scams — whether they take the form of emails, social networking chats, or phone calls.
  • Lust: Scammers try to tempt users into action by masquerading as an attractive man or woman, particularly on social networks. You should assume that a flirtatious advance from someone you don’t know has a less-romantic purpose behind it.
  • Greed: Like the adage says, “If something is too good to be true, it probably is.” If you receive a free iPod offer, or a percentage of a Nigerian wire transfer, resist the urge to make a deal.
  • Vanity: Scammers often try to convince potential victims that they have been chosen, that they’re winners, or that they are somehow part of a select group on the receiving end of an exclusive offer. As harsh as it may sound, you should assume you’re not that special.
  • Misplaced Trust: In some scams, cybercriminals attempt to convince you that they represent a high-profile brand and therefore can be trusted. Other times, scammers pretend to be a “friend of a friend” so that your trust for your friend extends to this unknown person. Question any message or phone call that plays on a trust relationship.
  • Sloth: Criminals rely on our laziness to ensure that poorly written messages and shortened URLs don’t rouse suspicion. For instance, many users will click on a link in an email from their “bank”, instead of calling the bank or visiting the bank’s website to determine if the email is legitimate.
  • Excess Compassion: In 2009, one of the most successful scams on Facebook involved criminals hijacking users’ accounts, then posting status updates claiming that the account holder was stranded somewhere and needed money. Many kindhearted people fell for this ploy. Other similar scams involve requesting donations to nonexistent nonprofits when a major disaster occurs, such as the earthquake in Haiti. Maintain a high level of skepticism toward these types of messages.
  • Urgency: Hand-in-hand with compassionate pleas are scams that insist on a fast response and tell you to “act now” or “time is running out.” Double-check these requests with the sender or a colleague, and don’t feel pressured to respond immediately.
Excerpted and adapted from the Cisco 2010 Annual Security Report


[InfoSecIsland]

What To Do When Your Identity Gets Stolen


OK, so it happens. A lot. Companies and people don’t always do the right things and sometimes, criminals win. They steal identity data and get the chance to commit massive fraud. We all know about it. We hear the stories and we hear people talking, but we don’t think it will happen to us, until it does.
What now? What should you do when such an event occurs in your life? Well, this great article from our friends over at Help Net Security summarizes best practices for identity theft victims and their support systems as described by the Consumer Federation of America (CFA). I thought the article was not only good content, but an excellent point of reference for folks who might be impacted by identity theft. You should check it out here. Here are some more tips:
  1. You should also be well aware of your legal rights and responsibilities and not be afraid to engage with your state Attorney General’s office if you suspect vendors are not playing by the rules. You can find a list of state Attorney General contacts here: http://www.consumerfraudreporting.org/stateattorneygenerallist.php
  2. Legal representation may also be of assistance if the fraud you face is large enough to warrant the cost of representation. Don’t be afraid to engage with an attorney if the fraud costs are large or the legal complexity you face is astounding. Contact your state bar association for information on finding reputable consumer law attorneys in your area.
  3. If you are considering something like one of these consumer data/life “locking” services or the like, please check out a DIY approach here.
We hope you never have to use this information, but if you do, these are a few quick tidbits to get you started while avoiding further scams, fraud and abuse. As always, thanks for reading and stay safe out there!

[StateOfSecurity]

HTTPS Is More Secure, So Why Isn’t the Web Using It?


You wouldn’t write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, that’s essentially what you’re doing.
There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. But if HTTPS is more secure, why doesn’t the entire web use it?
HTTPS has been around nearly as long as the web, but it’s primarily used by sites that handle money — your bank’s website or shopping carts that capture credit card data. Even many sites that do use HTTPS use it only for the portions of their websites that need it — like shopping carts or account pages.
Web security got a shot in the arm last year when the FireSheep network-sniffing tool made it easy for anyone to detect your login info over insecure networks — your local coffeeshop’s hotspot or public Wi-Fi at the library. That prompted a number of large sites to begin offering encrypted versions of their services on HTTPS connections.
Lately even sites like Twitter (which has almost entirely public data anyway) are nevertheless offering HTTPS connections. You might not mind anyone sniffing and reading your Twitter messages en route to the server, but most people don’t want someone also reading their username and password info. That’s why Twitter recently announced a new option to force HTTPS connections (note that Twitter’s HTTPS option only works with a desktop browser, not the mobile site, which still requires manually entering the HTTPS address).
Google has even announced it will add HTTPS to many of the company’s APIs. Firefox users can go a step further and use the HTTPS Everywhere add-on to force HTTPS connections to several dozen websites that offer HTTPS, but don’t use it by default.
So, with the web clearly moving toward more HTTPS connections, why not just make everything HTTPS?
That’s the question I put to Yves Lafon, one of the resident experts on HTTP(s) at the W3C. There are some practical issues most web developers are probably aware of, such as the high cost of secure certificates, but obviously that’s not as much of an issue with large web services that have millions of dollars.
The real problem, according to Lafon, is that with HTTPS you lose the ability to cache. “Not really an issue when servers and clients are in the same region (meaning continent),” writes Lafon in an e-mail to Webmonkey, “but people in Australia (for example) love when something can be cached and served without a huge response time.”
Lafon also notes that there’s another small performance hit when using HTTPS, since “the SSL initial key exchange adds to the latency.” In other words, a purely security-focused, HTTPS-only web would, with today’s technology, be slower.
For sites that don’t have any reason to encrypt anything — in other words, you never log in, so there’s nothing to protect — the overhead and loss of caching that comes with HTTPS just doesn’t make sense. However, for big sites like Facebook, Google Apps or Twitter, many users might be willing to take the slight performance hit in exchange for a more-secure connection. And the fact that more and more websites are adding support of HTTPS shows that users do value security over speed, so long as the speed difference is minimal.
Another problem with running an HTTPS site is the cost of operations. “Although servers are faster, and implementations of SSL more optimized, it still costs more than doing plain HTTP,” writes Lafon. While less of a concern for smaller sites with little traffic, HTTPS can add up, if your site suddenly becomes popular.
Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn’t work with virtual hosts. Virtual hosts, which are what the most common cheap web-hosting providers offer, allow the web host to serve multiple websites from the same physical server — hundreds of websites all with the same IP address. That works just fine with regular HTTP connections, but it doesn’t work at all with HTTPS.
There is a way to make virtual hosting and HTTPS work together — the TLS Extensions protocol — but Lafon notes that, so far, it’s only partially implemented. Of course that’s not an issue for big sites, which often have entire server farms behind them. But until that spec — or something similar — is widely used, HTTPS isn’t going to work for small, virtually hosted websites.
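As an added illustration of the TLS Extensions mechanism Lafon refers to (example code written for this post, not part of the Webmonkey article): the Server Name Indication (SNI) extension carries the requested hostname inside the ClientHello, so a server on a shared IP address can choose the right certificate before the handshake continues. The hostnames, certificate labels and ClientHello bytes below are constructed for the example.

```python
"""Added example (not from the Webmonkey article): parsing the TLS SNI
extension that makes HTTPS work on a shared-IP virtual host.  Without SNI
the server must choose a certificate before it knows which site the client
wants, which is the virtual-hosting problem the article describes.  The
ClientHello bytes are constructed here, not captured from a real client."""
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16   # record content type
CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally with SNI."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (constructed, all zero)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # cipher_suites: length 2, one suite
        + b"\x01\x00"           # compression_methods: length 1, null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension, or None if absent.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                          # skip compression_methods
    if pos >= len(body):
        return None                               # older client: no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != EXT_SERVER_NAME:
            continue
        lpos = 2                                  # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii")
            lpos += 3 + name_len
    return None


# Constructed mapping of virtual hosts to the certificate each should present.
CERTS = {
    "shop.example": "cert-for-shop.example",
    "blog.example": "cert-for-blog.example",
}
DEFAULT_CERT = "cert-for-default-host"


def choose_certificate(record: bytes) -> Tuple[Optional[str], str]:
    """Pick the certificate for the requested host.  A client that sends no
    SNI gets the default certificate, so every other site on that IP shows a
    name mismatch: the failure mode behind 'HTTPS doesn't work with virtual hosts'."""
    host = extract_sni(record)
    return host, CERTS.get(host, DEFAULT_CERT)


if __name__ == "__main__":
    for name in ("shop.example", "blog.example", "unknown.example", None):
        print(name, "->", choose_certificate(build_client_hello(name)))
```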
In the end there is no real reason the whole web couldn’t use HTTPS. There are practical reasons why it isn’t happening today, but eventually the practical hurdles will fall away. Broadband speeds will improve, which will make caching less of a concern, and improved servers will be further optimized for secure connections.
In the web of the future the main concern won’t just be how fast a site loads, but how well it safeguards you and protects your data once it does load.

Monday, 21 March 2011

CSIS expert lists worst cyber security breaches since January 2010

According to Bank Info Security, testimony was given before the House Homeland Security Committee last week by James Lewis, senior fellow at the Center for Strategic and International Studies (CSIS).

Lewis's testimony included a list of serious security incidents that have taken place since January 2010.

This list is reproduced below, with thanks to Bank Info Security.

Lewis is reported to have stated that the list "is not a record of success". He added "Whatever we are doing is not working...While individual government agencies have made strenuous efforts to improve our cyberdefenses, as a nation, despite all the talk, we are still not serious about cybersecurity."

This looks really rather damning of today's security infrastructure. But, I can't help but wonder how many cyber attacks weren't successful, thanks to the security that is in place today? While I would agree that no one should rest on their laurels when it comes to security, I also know that there is no silver bullet.

I wonder if Lewis will also be providing advice on what needs to be done to help better secure against attacks. No one wants to be a victim, and most companies out there are doing what they can to stave off attacks.
January 2010: Google announced that an attack had penetrated its networks, along with the networks of more than 80 other US high-tech companies. The goal of the penetrations, which Google ascribed to China, was to collect technology, gain access to activist G-mail accounts and to Google's password management system. 
January 2010: At the same time, Intel experienced a harmful cyberattack. 
January 2010: Global financial services firm Morgan Stanley experienced a "very sensitive" break-in to its network by the same hackers who attacked Google, according to leaked e-mails. 
March 2010: The number of successful cyberattacks against NATO and European Union networks has increased significantly over the past 12 months, the international organizations revealed. 
March 2010: Australian authorities say there were more than 200 attempts to hack into the networks of the legal defense team for executives from Australian energy company Rio Tinto, to gain inside information on the trial defense strategy. 
April 2010: Hackers break into classified systems at the Indian Defense Ministry and Indian embassies around the world, gaining access to Indian defense and armament planning.
May 2010: A leaked memo from the Canadian Security and Intelligence Service says, "Compromises of computer and combinations networks of the government of Canada, Canadian universities, private companies and individual customer networks have increased substantially. ... In addition to being virtually unattributable, these remotely operated attacks offer a productive, secure and low-risk means to conduct espionage."
October 2010: Stuxnet, a complex piece of malware designed to interfere with Siemens industrial control systems discovered in Iran, Indonesia and elsewhere, results in significant physical damage to the Iranian nuclear program. 
October 2010: The Wall Street Journal reports that hackers using Zeus malware, available in cybercrime black markets for about $1,200, were able to steal over $12 million from five banks in the United States and Britain. 
December 2010: British Foreign Minister William Hague reported last month attacks by a foreign power on the British Foreign Ministry, a defense contractor and other British interests. The attack succeeded by pretending to come from the White House. 
January 2011: The Canadian government reports a major cyberintrusion involving the Defense Research and Development Canada, a research agency for the departments of National Defense Finance and the Treasury Board, Canada's main economic agencies. The intrusions forced the Finance Department and the Treasury Board to disconnect from the Internet. 
March 2011: Hackers penetrate French government computer networks in search of sensitive information on upcoming G-20 meetings. 
March 2011: South Korea said that foreign hackers penetrated its defense networks in an attempt to steal information on the American-made Global Hawk unmanned aircraft, provided to Korea as it considers whether to buy the aircraft.
CSIS experts conduct research and analysis and develop policy initiatives grouped under three themes: defense and security policy, global trends, and world regions. James Andrew Lewis focuses on technology, national security, and the international economy. Before joining CSIS, he worked in the federal government as a foreign service officer and as a member of the senior executive service. His assignments involved Asian regional security, military intervention and insurgency, conventional arms negotiations, technology transfer, sanctions, Internet policy, and military space programs.

[NakedSecurity]

Twitter users are not smarter than Facebook users - Profile views scam spreading fast

Hey Tweeple... yeah, those of you who like to dump on Facebook users all the time and prefer to trade your gossip on Twitter, I'm talking to you.

Thousands of Twitter users are falling once again for a scam that requires victims to grant access to a malicious application.

Today's scam seems to be a continuance of a trend in which the scammers are adapting their ego-driven bogus Facebook apps to operate on Twitter.

Just like on Facebook, Twitter users seem to be blindly allowing these apps to post to their accounts. The bogus app posts the following to the feeds of its victims:
"My profile was viewed ### times JUST TODAY! Click here to see how many views you got! http://tiny.cc/"
We observed a similar scam earlier this month, so we expect to see increasing scams as Twitter gains more and more traction in the social networking space.
If you accept the application, not only will it post to your Twitter feed, it will also display an image with a random number that supposedly represents the number of people who have viewed your profile.

Not surprisingly, the revenue generating opportunity for these scammers is a fake IQ test that suggests you could win a free iPad.

Upon completion of the test, you are asked for your mobile number, and if you read the small print you find out that they will send you a trivia question via SMS 4 times per week at $2 per question... about $32 a month. There is always a reason they want to trick you into propagating their scam and it is almost always money.


The advice remains the same as for Facebook. Be cautious of which games/apps you approve and carefully audit the authorization page to see if an app wants control of your account or permission to post.

If you're an IT administrator and would like some free tools to help educate your users about safe usage of social media, download our Social Media Security Toolkit.

Oh, and if you're on Twitter and want to learn more about security threats, be sure to follow Naked Security's team of writers.


Creative Commons image of Twitter cigarette pack courtesy of CarrotCreative's Flickr photostream.


[NakedSecurity]

How to Make Sure Your Online Banking Is Safe

When was the last time you went to your bank and withdrew cash from an honest-to-goodness bank teller?

For many of us, it was probably years ago, as most people now prefer the ease and 24/7 availability of online banking and automated teller machines.

Today's bank robbers prefer them, too. They’ve gone high-tech, using ATM skimmers to get hard cash out of our accounts, and computer malware to raid accounts the electronic way.

New “banking Trojans” such as Tatanga are so well-concealed that they escape antivirus detection, and so sneaky that just a visit to any of thousands of compromised websites will infect your PC.

In fact, depending on computers for bank transactions has gotten so risky that getting to know our bank tellers is starting to sound good again.

This raises the question: Should we quit banking online altogether?

Ways to beef up your security

Of course not, said Josh Shaul, chief technology officer with New York-based Application Security Inc.
Shaul does all his banking online or at ATMs and never worries about the risk. He leaves that worry to the banks. For that reason, Shaul recommended that consumers, instead of panicking, learn how their banks approach security.

“I think larger banks tend to have more-sophisticated security systems than smaller banks can offer,” although smaller banks may be catching up or devising cost-effective security methods, he said.

Shaul said consumers shouldn’t hesitate to ask their bank about how they handle online banking security. What kind of authentication system do they use? How do they notify the customer who has forgotten a password? What are the security policies in place in case there is a breach?

“If you feel you don’t know enough about security to judge the bank’s security application, talk to a friend who does,” Shaul said.

Harry Sverdlove, CTO for Bit9, based in Waltham, Mass., is another security expert who has no problem with banking online.


The bank's job

But Sverdlove would like to see banks step up with another layer of security, especially as the most dangerous malware focuses on keylogging (recording keystrokes to steal passwords, PINs and bank numbers) or man-in-the-middle attacks (where it appears that an online transaction is happening as normal, but the malware hijacks and controls the information).

“One of the banking sites I deal with gives you a random generic [on-screen] keypad and you use the mouse to click in your PIN,” Sverdlove said. “Keyloggers won’t be able to read it because I use my mouse, not my keyboard.”

He’d also like to see banks use a card swipe or biometrics — something that has to be physically done by the consumer, separate from typing in login authentication.

That way, Sverdlove said, even if a criminal has the financial login information, he can’t do anything without the second layer of authentication.

For the most part, Sverdlove and Shaul agree that the platform used for online banking doesn’t make much difference.

Macs may be a little safer than Windows right now, simply because the vast majority of malware is still written for Windows machines. (Shaul says the increased use of iPads and iPhones will spur the creation of malware written for those platforms.)

The type of browser used makes little difference as well. Most of the banking malware is written to cross browser platforms.


Wise up about smartphones

What about using mobile devices for online banking? This is where Sverdlove and Shaul part ways, at least slightly.

Sverdlove said he doesn’t use his smartphone for banking.

“Banks will use SMS or text messages to authenticate things with you, and that information can be intercepted,” he said. “But the real reason I don’t use mobile banking is because of how easily the device can be lost. Once the attacker has physical access to your device, a wealth of opportunities opens up.”

While Shaul agrees that the biggest risk in mobile-device banking is loss, he believes mobile devices are actually safer because the banking malware technology hasn’t caught up yet with banking apps.

But again, this can change as more people use banking apps and hackers refocus their efforts.
Online banking can be done safely if consumers follow some basic best practices:
  • Keep up to date with patches. Shaul said malware will sneak in through the vulnerabilities in operating systems, browsers and software, so if your computer is alerting you of an update, install it immediately.
  • Check your online account once a week to make sure everything looks okay.
  • Use the “smell test.” Sverdlove said that if you log into your account but the interface is different or the look of the site has changed, contact your bank as soon as possible using the number printed on your ATM card.
  • Ask your bank about its security practices.
  • Do all of your banking from one computer. If you have a desktop, use that for banking. If you have to use a laptop, make sure banking information is not stored in a browser’s “cookies” before traveling with it.
  • Never use an unfamiliar computer, such as a library computer or a friend’s laptop, to conduct banking.
Finally, maybe it isn’t always safest to visit the teller.

Christen Gentile, corporate PR specialist with Kaspersky Lab Americas, related an alarming story.

“I saw a case in the Netherlands where the bad guys had gone as far as renting office space for their scam,” Gentile told SecurityNewsDaily. “Victims were sent emails with information on the 'new office' complete with a special phone number. The office was completely branded as the targeted bank, complete with desk clerks and fake customers.”

[SecurityNewsDaily]

Rustock Botnet: Dead Or Just Reloading?

Reports indicate that the massive drop in spam levels is linked to the sudden disappearance of the Rustock botnet. However, recent history suggests the interruption may only be temporary.

Spamhaus’s Composite Spam Blocklist (CBL) claims that dozens of Rustock’s internet servers, which for years have been pumping spam messages and slinging faux pharmaceutical ads, stopped operating Wednesday morning in near simultaneity.

While there's agreement that Rustock is offline - at least for now - it's not clear if the interruption in spam is the result of a take-down or of Rustock reloading.


Thus far, Rustock interruptions have been sporadic and short-lived, creating a statistical ebb and flow where its volume has hit and hovered around zero, but never stayed there for any significant period of time. Not so with the latest interruption in service, which shows Rustock flatlining since 10:54 am EST Wednesday.

Rustock has been the leading source of spam for some time, generating between 50% and 70% of worldwide spam volumes. While no firm data is available on the numbers of e-mail messages sent out through Rustock, the number is likely to be staggering, which is impressive considering Threatpost reported yesterday that the relatively smaller Pushdo botnet has generated some 1.7 trillion spam messages.

This, despite efforts to limit the impact of botnets by using blacklists to block traffic from infected systems.

[ThreatPost]

Five security secrets your IT administrators don't want you to know

As valued members of your organization, IT administrators work every day to keep your infrastructure up and available. But in today’s rush to contain operational costs, your IT administrators could be taking more shortcuts than you’d expect. And perhaps no aspect of IT suffers more from cutting corners than does security. Here are five facts about IT security that your administrators probably don't want you to know.

Most passwords never change

Certainly, regulations may call for frequent password changes on all accounts in your infrastructure. But though your IT administrators may be tasked to change passwords on a regular basis, your organization probably lacks the automation to reliably change what could be thousands of the passwords that matter most.

Sensitive accounts like administrator logins, embedded application-to-application passwords, and privileged service accounts often keep the same passwords for years because IT staff may not have the tools to track and change them. And, because systems and applications often crash when IT personnel attempt to change interdependent credentials, many of your organization’s most privileged logins can go unchanged for extended periods of time.

Ad-hoc change processes and handwritten scripts might succeed in updating the passwords of some types of privileged accounts, but unless your organization has invested in privileged identity management software you can be sure that many of the passwords that grant access to your organization’s most sensitive information are never changed. This means that access to this data – whether by IT staff, programmers, subcontractors and others who ever had access – will continue to spread over time.

Too many individuals have too much access

Regardless of your written policies, highly-privileged account passwords are almost certainly known to large numbers of IT staff. And chances are, for the sake of convenience these logins have been shared with individuals outside of IT.

As a result, contractors, service providers, application programmers, and even end-users are likely to have the ability to gain privileged access using credentials that may never change. Unless you’ve got technology in place to track privileged logins, delegate access, and change these powerful credentials after each time they’re used, you’ll never know who now has access.

Your CEO's data isn't private

With all the recent headlines about corporate and government data leaks, you might still be surprised to know how many individuals have access to the files on your executive’s computers, and to the data resident in the applications that senior managers use every day. Anyone with knowledge of the right credentials can gain anonymous access to read, copy and alter data – including the communications and application data belonging to your executive staff. In many cases these credentials are known not only to senior IT managers, but also to IT rank and file, application programming teams, contractors and others. More than likely your low paid help desk workers have access to more sensitive data than your CFO. And those subcontractors in India? It’s likely that they can access the CEO's account, too.

IT auditors can be misled

If your administrators know about security gaps or failed policies that your IT auditors haven’t discovered they will most likely try to take the knowledge to their graves. IT staff have limited time to complete higher-visibility projects that influence performance ratings and paychecks, so in most cases you can forget about them fixing any security holes that your auditors fail to notice.

Security often takes a back seat

Is your IT administrators’ pay structure tied to security? No? Then they’re probably not as proactive as you might expect when it comes to securing your network. Most IT administrators won’t tell you about the security vulnerabilities they discover in the course of their jobs because they’re not paid to fight losing battles to gain resources necessary to close each discovered security gap.

Because pay packages are rarely tied to safeguarding your network, your IT administrator is also probably not taking the initiative to update her technical skills when it comes to security. As a result, even when budgets allow for purchases of new security technologies, your staff may have no clue how to actually use these new tools effectively.

Fundamentally, the security of each organization hinges on how well IT balances convenience with controls and accountability. All too often IT is given free rein to operate under its own rules when it comes to security and resists working under the same types of controls that apply to others in the organization.

Those organizations that work to bring IT into balance – introducing accountability through segregation of duties and adequate auditing controls while providing sufficient resources and incentives to provide proactive security – often come out ahead.

[Net-Security]

Scammers Pushing Fake AV Via Skype

Rogue anti-virus software companies have decided to "reach out and touch someone," according to a new report from Krebsonsecurity.com.

Groups responsible for pushing the bogus anti-malware programs are using Internet-based phone calls over the Skype network to trick unsuspecting users into downloading their fraudulent wares, the site reports.

Skype users are reporting they’re getting automatic calls from vendors pushing rogue anti-virus, according to a post on Krebsonsecurity.com. The scam is not unlike an unwanted telemarketer call, with users asked to follow instructions given by the mechanized call. Those who fall for the ruse find themselves hit with a ubiquitous scareware page, warning them that their computer is infected and advising them to erase the threats from their computer. After clicking through the warning, users are sent to a “shopping cart” which convinces them to purchase their “professional online repair service.”

Previously spammers have used Skype to peddle their malware via online notifications, while larger projects, like spam campaigns and worms, have become more commonplace with the software.

[Krebs on Security] via [ThreatPost]

Wi-Fi security befuddles clueless home users

Two out of five UK home users don't have a clue about how to change the security settings of their home wireless network.

The 21st century equivalent of a failure in understanding how to program home video recorders was exposed in a survey commissioned by privacy watchdogs at the Information Commissioner's Office (ICO).
The online survey of around 2,000 British adults, carried out by YouGov earlier this month, also found that 16 per cent of users were unable to say whether or not they were running security on their home Wi-Fi network.

The commissioner's office then advised the public to make sure they had switched on passwords to protect their home Wi-Fi networks.

The ICO is calling for ISPs and equipment manufacturers to provide clearer instructions on how to make home wireless systems more secure, alongside clear arguments on why running insecure connections opens people up to privacy and potentially legal liability risks.

In the meantime, the ICO has published its own guidance on securing home networks. This is after the privacy watchdog realised it had no existing guidelines on password-protecting Wi-Fi networks.*

While welcoming the survey, one leading home wireless equipment manufacturer said that security settings may have been too complicated in the past but have reached the point of being more or less idiot-proof. Chris Davies, general manager for D-Link UK & Ireland, argued that security settings on home networking kit have simplified over the years towards the point where there's no real excuse for getting it wrong.

"There is no doubt that in the past setting up security on wireless networks could be tricky, but this is no longer the case with most wireless products," Davies said.

Security on home wireless kit from the likes of D-Link and Linksys can be set up in a matter of minutes, using built-in software wizards. No prior technical knowledge is required.

D-Link is co-operating with internet service providers in a bid to make sure that security settings come pre-configured on equipment, thereby making it as easy as possible for even the technically inexperienced to set up home networks. "Most modern routers today also have WPS (Wi-Fi Protected Set-up) buttons where wireless security is set up at the touch of a button," Davies added. ®

Bootnote

The ICO did clear Google's mass collection of unsecured UK Wi-Fi data and Mac addresses by its fleet of Street View cars. Just three months later, after lengthy criticism, the ICO changed its mind and decided Google had breached the Data Protection Act – after which the watchdog got Google to sign a piece of paper promising not to break data laws again.

[The Register]

UK cyclists hit by fraud after online purchase at website

Updated A suspected security breach at popular UK-based biking site chainreactioncycles.com has been linked by victims to multiple instances of fraud.

Various bike enthusiast forums are alive with complaints from customers of the site, several of whom are reporting unauthorised charges on their credit or debit cards. The victims are tied together by having shopped at the bike site over the last fortnight or so.

The majority of fraudulent transactions reported seem to involve mobile phone top-ups to either Vodafone or O2, typically two transactions valued at £15 or so for a total fraudulent amount of £30. However, a small percentage of victims have been taken for thousands of pounds.

The experiences of a Reg reader, who wishes to remain anonymous and was the first to tell us of potential problems, seem typical: "I recently purchased items from the online cycling retailer Chain Reaction. A few days after payment went through, I had a couple of fraudulent transactions on my Visa card, which I cancelled, and got money refunded."

Banking regulations in the UK mean that victims should be able to recover the lost sums, but in the meantime they face an anxious wait and the possibility of being short of cash to pay bills until the mess is sorted out.

Chain Reaction Cycles (CRC) released a holding statement, republished via a thread on popular mountain biking portal MoreDirt.com, that acknowledged reports of problems and stated that it had started an investigation. "Our own infrastructure is routinely and independently tested and we are confident that it is robust," it said. "We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC."

A spokesman for CRC told El Reg that the ongoing investigation, started on Monday, had thus far not come across anything amiss.

Digital forensics blog ForHacSec adds that the common theme of the fraudulent transactions was that they occurred between seven and 10 days after victims purchased goods from chainreactioncycles.com. Purchases at CRC between March 4 and 12 seem to be those most closely associated with subsequent fraud, it adds. ®
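The pattern ForHacSec describes (every victim shopped at one merchant a week or so before the fraud began) is what card issuers look for with common-point-of-purchase analysis. The following is an added example by the editor, not code from The Register, CRC or ForHacSec: the card histories and the control group of unaffected cards are constructed to mirror the article's timeline, and every merchant other than chainreactioncycles.com is a placeholder .example host. The control group matters because everyday merchants such as grocers appear in every victim's history too; only a merchant over-represented among victims relative to unaffected cards is a candidate breach point.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card histories.
Editor's example, not from the article; all data below is made up."""
from collections import Counter, defaultdict
from datetime import date

# Constructed: for each victim card, the date of the first unauthorised charge
# and the card's recent purchases as (merchant, date).
VICTIM_CARDS = {
    "card-1": (date(2011, 3, 16), [("grocer.example", date(2011, 3, 1)),
                                  ("chainreactioncycles.com", date(2011, 3, 7)),
                                  ("fuel.example", date(2011, 3, 14))]),
    "card-2": (date(2011, 3, 17), [("chainreactioncycles.com", date(2011, 3, 10)),
                                  ("books.example", date(2011, 3, 11)),
                                  ("grocer.example", date(2011, 3, 15))]),
    "card-3": (date(2011, 3, 21), [("fuel.example", date(2011, 3, 2)),
                                  ("chainreactioncycles.com", date(2011, 3, 11)),
                                  ("grocer.example", date(2011, 3, 20))]),
}
# Constructed control group: cards with no fraud reported over the same period.
CONTROL_CARDS = {
    "card-7": [("grocer.example", date(2011, 3, 3)), ("fuel.example", date(2011, 3, 9))],
    "card-8": [("books.example", date(2011, 3, 5)), ("grocer.example", date(2011, 3, 12))],
    "card-9": [("fuel.example", date(2011, 3, 8)), ("grocer.example", date(2011, 3, 18))],
}


def common_points(victims, controls, max_lead_days=30):
    """Rank merchants by lift: the share of victims who used the merchant in the
    max_lead_days before their fraud started, divided by the share of control
    cards that used it at all.  Also reports the purchase-to-fraud lag range."""
    victim_hits = Counter()
    lags = defaultdict(list)
    for fraud_start, history in victims.values():
        seen = set()
        for merchant, when in history:
            lead = (fraud_start - when).days
            if 0 <= lead <= max_lead_days and merchant not in seen:
                seen.add(merchant)
                victim_hits[merchant] += 1
                lags[merchant].append(lead)
    control_hits = Counter()
    for history in controls.values():
        for merchant in {m for m, _ in history}:
            control_hits[merchant] += 1
    n_v, n_c = len(victims), len(controls)
    ranked = []
    for merchant, hits in victim_hits.items():
        victim_share = hits / n_v
        # add-one smoothing: a merchant no control card used still gets a finite lift
        control_share = (control_hits[merchant] + 1) / (n_c + 1)
        ranked.append({
            "merchant": merchant,
            "victim_share": victim_share,
            "lift": victim_share / control_share,
            "lead_days": (min(lags[merchant]), max(lags[merchant])),
        })
    ranked.sort(key=lambda r: (r["lift"], r["victim_share"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in common_points(VICTIM_CARDS, CONTROL_CARDS):
        print(f'{row["merchant"]:25} victims={row["victim_share"]:.2f} '
              f'lift={row["lift"]:.2f} lag={row["lead_days"]} days')
```

On the constructed data the bike site ranks first with a lift of 4.0 and a 7 to 10 day lag between purchase and first fraudulent charge, while the grocer, used by every victim and every control card alike, scores a lift of 1.0. Narrowing the window (for instance max_lead_days=5) drops the bike site out of the ranking entirely, which is why the lag range is reported alongside the lift.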

[The Register]

Sunday, 20 March 2011

Top Five Online Scams

#1 Nigerian Scams:


While these scams are generally understood to be Nigerian in nature and origin, and are in fact named after Section 419 of the Nigerian Criminal Code that outlaws them, advance-fee scams also happen right here in the good old USA, run by Americans who pretend to offer jobs or ask for help transferring money.


#2 Romance Scams:

If you ever hear talk like this, run far and fast: “In me sweetheart you are going to find the most passionate, loving and romantic man you have ever met. There are very few promises in life but this is one of them! ROMANCE is the key to my happiness and to my heart and soul!”


#3 Classified Ad Scams:

This story caught my eye: “An online scam targeting pet-lovers is circulating the web, and it could cost you more than a new pet. An ad was posted to a local online classified website by a man who claimed he was living in Florida. He was willing to give the Labrador Retriever puppy named Dely away for the cost of shipping, which was $220.”


#4 Phishing:

Phishing continues to become more sophisticated, more effective, and more prevalent. In one example, criminal hackers waited until Pennsylvania school administrators were on vacation, then used simple money transfers to liquidate over $440,000 from the district's accounts.


#5 Spear Phishing:

Spear phishing occurs when the scammers concentrate on a localized target, usually an individual with control over a company’s checkbook.

This insidious type of phishing occurs when a recipient clicks a link, either in the body of an email or on the spoofed website linked in the email, and a download begins.

Don’t be taken. Keep your head up and recognize when someone’s trying to take advantage of you.


Robert Siciliano, personal and home security specialist to Home Security Source, discussing home security and identity theft on TBS Movie and a Makeover.


[InfoSecIsland]

New teacher from behind Facebook likejacking attack leads to survey scam

This broken record continues to play. Yes, Facebook likejacking scams continue to plague Facebook users' walls. This one spreads to walls saying:
"New teacher from behind"
"(BADURL) When our new teacher terns towards a blackboard students are go haywire. VIDEO: New Teacher from behind"
[Image: Teacher from behind wall post]
Unlike some of these likejacking scams, this one is using many different URL shorteners, including goo.gl, tiny.cc, tinyurl.com and even direct URLs to domains registered in .info and .ro top-level domains. At the time of this writing, over 6,000 people have fallen victim to the scam and the numbers continue to climb.
[Image: Teacher from behind clickjack]
In a trend we are seeing more often in web-based attacks, this attack requires only that you are using a modern browser and are logged into a Facebook account. It works regardless of the operating system your device uses, including Windows, OS X, Linux, iOS, Android and more.

The best defense against clickjacking attacks is to use the Firefox browser with the NoScript add-on.
Otherwise, to avoid these types of attacks, the only remedy (which isn't exactly practical) is to make sure you are not logged in to Facebook when clicking unknown URLs. If you are not logged into Facebook, you are presented with a pop-up window asking you to log in, which is an indication that it is an attempt to likejack your account.

Personally, I use one browser just for Facebook and a different browser for all of my normal internet activities. If I choose to follow a URL from a Facebook wall, I use my non-Facebook browser so I can be alerted to the attack, as well as having protection from NoScript on my side.

For more best practices on Facebook security, visit the Sophos Security Hub where we have our guide to Facebook security. To stay up to date with all the latest security news you can follow Sophos on Facebook.

[NakedSecurity]
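As an added example by the editor (not code from Sophos, InfoSecIsland or either article), the two checks below catch the mechanics of the lures described in the phishing entries of the "Top Five Online Scams" list and in this likejacking post: anchors whose visible text claims one host while the href lands on another domain or on one of the URL shorteners the post names, and social-plugin iframes styled invisible so that a click on a visible decoy actually lands on the Like button. The HTML samples are constructed, and every .example host is a placeholder.

```python
"""Static checks for phishing link mismatches and likejacking overlays.
Editor's example, not from either article; the HTML samples are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"goo.gl", "tiny.cc", "tinyurl.com"}   # the ones named in the post
SOCIAL_PLUGIN_HOSTS = {"facebook.com"}
# A host-looking token in link text, e.g. "www.paypal.com" -> "paypal.com".
HOST_IN_TEXT = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class TagCollector(HTMLParser):
    """Collect <a> elements with their visible text, and <iframe> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []        # (attrs, visible text)
        self.iframes = []        # attrs
        self._open_anchor = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_anchor = (attrs, [])
        elif tag == "iframe":
            self.iframes.append(attrs)

    def handle_data(self, data):
        if self._open_anchor is not None:
            self._open_anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_anchor is not None:
            attrs, parts = self._open_anchor
            self.anchors.append((attrs, "".join(parts).strip()))
            self._open_anchor = None


def host_of(url):
    """Lower-cased host of a URL without a leading 'www.' ('' if none)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html):
    """(reason, visible text, href) for anchors whose text names a host that is
    not the href's host (or a parent of it), or whose href is a shortener."""
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for attrs, text in parser.anchors:
        href = attrs.get("href") or ""
        real = host_of(href)
        m = HOST_IN_TEXT.search(text)
        shown = m.group(1).lower() if m else ""
        if shown and shown != real and not real.endswith("." + shown):
            findings.append(("text/href mismatch", text, href))
        elif real in SHORTENERS:
            findings.append(("shortened link", text, href))
    return findings


def _style_prop(style, prop):
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*([^;]+)", style, re.I)
    return m.group(1).strip().lower() if m else ""


def hidden_social_frames(html):
    """src of iframes that load a social-plugin host but are styled invisible
    (opacity near 0 or visibility:hidden): the shape of a likejacking overlay,
    where the real Like button sits above a visible decoy and takes the click."""
    parser = TagCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if host_of(src) not in SOCIAL_PLUGIN_HOSTS:
            continue
        style = attrs.get("style") or ""
        num = re.match(r"\d*\.?\d+", _style_prop(style, "opacity"))
        transparent = bool(num) and float(num.group()) <= 0.05
        if transparent or _style_prop(style, "visibility") == "hidden":
            hits.append(src)
    return hits


# Constructed phishing mail body: the first link's text claims paypal.com but
# lands elsewhere; the second hides its destination behind a shortener.
SAMPLE_PHISH = """<p>Your account has been limited. Please verify at
<a href="http://paypal.com.account-check.example/login">www.paypal.com</a>
or <a href="http://goo.gl/abc123">watch the video</a>.
Questions: <a href="https://help.paypal.com/">help.paypal.com</a></p>"""

# Constructed likejacking page: a visible "Play" decoy with an invisible Like
# button positioned over it, so the click goes to the Facebook plugin.
SAMPLE_LIKEJACK = """<h1>VIDEO: New Teacher from behind</h1>
<button style="position:absolute;top:120px;left:80px">Play</button>
<iframe src="http://www.facebook.com/plugins/like.php?href=http://lure.example/v"
        style="position:absolute;top:110px;left:60px;opacity:0;z-index:10"
        scrolling="no" frameborder="0"></iframe>"""
```

The link check deliberately tolerates a subdomain of the named host (text "paypal.com" with an href on secure.paypal.com is not flagged) while treating "paypal.com.account-check.example" as a mismatch, because the registrable domain is what the browser trusts, not the prefix. The frame check only looks at inline styles; a real scanner would also resolve stylesheet rules and off-screen positioning, but opacity:0 on a plugin frame is the pattern that matches the wall-post scams described here.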

A Good Decade for Cyber Crime

Cybercrime is one of the most successful and lucrative industries of our time, growing by double digits year after year.

Over the last decade, cyber crooks have developed new and sophisticated ways to prey on an explosion of Internet users, with little danger of being caught.

Meanwhile, consumers face greater risks to their money and information each year.

A few famous exploits illustrate different eras of cybercrime:


“I Love You” worm’s false affection: $15 billion estimated damage
Emails with the subject line “I love you” proved irresistible in 2000. Millions of users downloaded the attached file, which was supposedly a love letter but was actually a virus. This infamous worm cost companies and government agencies $15 billion.


MyDoom’s mass infection: $38 billion estimated damage

This fast-moving worm, which first struck in 2004, tops McAfee’s list in terms of monetary damage. It delivered enough spam to slow global Internet access by 10% and reduce access to some websites by 50%, costing billions of dollars in lost productivity and online sales.


Conficker’s stealthy destruction: $9.1 billion estimated damage

This 2008 worm infected millions of computers. It went a step further than the other two worms on our list, downloading and installing a variety of malware that gave hackers remote control over victims’ PCs.

Some of the most common and nefarious scams include:


Fake antivirus software

Selling fake antivirus software is one of the most insidious and successful scams in recent years.
Cyber criminals play on users’ fears that their computers and information are at risk, displaying misleading pop-ups that prompt the victim to purchase antivirus software to fix the problem.
When victims enter their credit card information, it is stolen and, instead of security software, they wind up downloading malware.


Phishing scams

Phishing, or trying to trick users into giving up personal information, is one of the most common and persistent online threats. Phishing messages can come in the form of spam emails, spam instant messages, fake friend requests, or social networking posts.


Phony websites

In recent years, cyber crooks have become adept at creating fake websites that look like the real deal.
From phony online banking to auction sites and e-commerce pages, hackers lay traps in the hopes that you will be fooled into entering your credit card number or personal information.

For your own peace of mind, consider subscribing to an identity theft protection service such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, alerts when suspicious activity is detected on your accounts, and access to fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.


Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

[InfoSecIsland]

Are you being stalked? Trust your instinct

It's not uncommon these days to hear about people who have suffered from cyber-stalking and online harassment.

Whether you've been bombarded with unwanted emails, or someone has written abusive things about you online, or created a fake Facebook profile in your name, the attention can be unpleasant, unwanted and disturbing.

The Network for Surviving Stalking (NSS), a registered charity in the UK, has today launched a campaign to increase the awareness of stalking (whether it be online or offline), and encourage potential victims to come forward and report the behaviour to the police.

The NSS claims in a press release that stalking is "a crime that's often not taken seriously but can ruin lives and even lead to murder" and that "even though we may feel uncomfortable with someone's obsessive behaviour – all too often we put up with it."

The charity has created a new website, www.trustyourinstinct.org, and has developed a quiz to help individuals determine if someone's behaviour is getting out of hand.

It seems to me that the wide adoption of the internet and social networking sites has just made it easier for stalkers to prey upon people, hiding their activities behind fake identities in order to be closer to the object of their attention.

Speaking personally, I've had a couple of unpleasant experiences where Facebook has been too slow to respond to harassment of me and my family.

[Image: Threat against Graham Cluley]

I don't believe my experiences have been anything like as bad as what some people have had to suffer - but it does suggest to me that the social networks need to work much harder at combating this problem.

[Image: Fred West stalks Graham Cluley on Facebook]

If you want to support the "Trust Your Instinct" campaign, or are looking for more advice and information about protecting yourself from stalkers, you can follow the campaign on Twitter or join their Facebook page.

By the way - don't be fooled into believing some of the many messages and rogue applications that have spread via Facebook and Twitter in recent months which claim to be able to reveal who has been secretly checking out your profile. They're all scams.

[NakedSecurity]