Security COVERAGE FROM AROUND THE WEB
This is a user-submitted list of websites and services that enforce a password policy that is detrimental to password security. This includes password policies that exclude special characters or enforce a maximum length. As explained on the password restrictions page, these unreasonable password policies are signs that the passwords are being stored in plain text, not hashed with a salt.

Cryptographic hash functions take input of any length and produce a fixed-length digest of it. If the passwords are being hashed, there is no need for password restrictions, so we can assume any websites that impose these restrictions are storing passwords in plain text...until they prove otherwise.

Of the top 100 websites as rated by Alexa, 59 allow users to create accounts that are unique to that site (e.g. ebay.com and ebay.de are counted as one). Of those 59 websites, 49 (83%) impose an upper bound on password length. Over 50% limit passwords to 20 characters or less. 14 (24%) restrict passwords to alpha-numeric characters only. It has been confirmed that at least two of the 59 sites store passwords in plain text.

Keep in mind that this is not a true random sample, since the selection was made from the top 1,000,000 sites.
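An added illustration of the argument above (not code from the page or from any of the listed sites): a salted PBKDF2-HMAC-SHA256 store writes the same number of bytes whether the password is 3 characters or 500 and whatever characters it contains, so a length cap or a character whitelist buys the site nothing. The work factor, salt size and the sample policy function are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed storage scheme for this example: PBKDF2-HMAC-SHA256 with a random per-user salt.
ITERATIONS = 210_000   # example work factor; raise it as hardware allows
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is DIGEST_BYTES long whatever the password's
    length or character set, so the store never needs to cap or filter passwords.
    Caveat: bcrypt truncates its input at 72 bytes, so a cap near that size is a
    property of that algorithm, not evidence of plain-text storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def stored_record_size(password: str) -> int:
    """Bytes actually written to the credential store for this password."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


def restrictive_policy_accepts(password: str) -> bool:
    """A policy of the kind the page complains about (hypothetical): at most 20
    characters, alphanumeric only. Shown here only to contrast it with the store,
    which handles everything this policy rejects."""
    return len(password) <= 20 and password.isalnum()


if __name__ == "__main__":
    # Constructed sample passwords: short alphanumeric, a passphrase with
    # punctuation, and a long string of non-ASCII and special characters.
    samples = ["Tr0ub4dor", "correct horse battery staple!?", "ü" * 40 + "#$%&" * 25]
    for p in samples:
        print(len(p), restrictive_policy_accepts(p), stored_record_size(p))
```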
It is, thus, obvious that passive DNS may be very useful in malware investigations, as it may help researchers discover network infrastructure operated by the same group of criminals, other domains being used to distribute a given malware variant, algorithm-governed C&C communication points, etc.
Similarly, if you use the domain:example.domain.com search modifier you will be redirected to a site with information regarding the given domain.
We are really excited about this new feature, not only because it is going to help the security community but because it opens the door to future improvements of the IP address and domain information panes. Wouldn't you love to be able to answer the following questions?
With this new feature there is also a commitment from our side to work on answering these questions so that you can make your malware investigations more productive.
Posted on 29 March 2013. | A new law concerning funds given to U.S. federal agencies has been signed by President Obama.
Posted on 28 March 2013. | Retaliation being hard to justify because of the difficulties surrounding correct attack attribution in cyberspace, many experts have been mentioning the need for effective attack deterrence.
Posted on 27 March 2013. | The number of IT professionals considering leaving their job due to workplace stress has jumped from 69% last year to 73%.
Posted on 27 March 2013. | The DDoS attacks mounted against Spamhaus over a week ago have escalated in the last few days, reaching a never previously experienced level of some 300 gigabits per second at peak hours.
Posted on 26 March 2013. | Web application attacks are the most significant security threat for IT infrastructures. Web application attacks impacted more than half (52 percent) of the cloud hosting provider environments in the study.
Innovation never stops in the mobile world, and that rule applies to security threats as well. Network attacks are becoming more sophisticated and even high-tech businesses with the most advanced security may find themselves in the crosshairs as we shift to more devices and anywhere access. Just a few weeks ago, multiple leading social networking and large enterprises were hit with an attack when their employees visited a known and trusted website focused on mobile application development. Attackers used a method commonly referred to as “water-holing,” where they compromise a legitimate site commonly visited by employees of their target organizations. Using zero-day vulnerabilities and malicious code that change at a rapid rate, these attacks highlight the need to consistently enhance traditional defenses based on signatures or reputation with global and local context analysis. This episode underscores how important security is in a more mobile, more connected world—attackers are paying attention, using these industry trends to create targeted and sophisticated attacks that can bypass traditional defenses. The Cisco 2013 Annual Security Report found that Android Malware grew 2,577 percent in 2012 alone. The Internet of Everything is taking shape and the number of online connections is soaring. According to Gartner’s Top 10 Strategic Technology Trends for 2013, 30 billion things will be connected by 2020.
Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. "It’s the kind of server misconfiguration you see on the internet ten times a week," one might say. "And it’s not as if your iTunes password even gets you to real money. This is why Apple added two-step verification." Or, "Apple saw the hole and shut it down before most users even knew it was there. This is how things are supposed to work."
No. It isn’t. It’s a troubling symptom that suggests Apple’s self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn’t going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple’s entire ecosystem of devices, stores, software, and services. "Apple's iForgot server is essentially the master password reset for its entire cloud service," says cryptographer Matthew Green, a professor at Johns Hopkins University (and self-described "Apple fanboy"). Apple IDs have become the point of entry "for all of the data that people store on their phones, for all of the email they sort through iCloud. All of that data can be accessed essentially by resetting somebody's password on iForgot."
To remind taxpayers to be on the lookout for scams ranging from identity theft to return-preparer fraud, the Internal Revenue Service (IRS) on Tuesday posted its Dirty Dozen list of tax scams for 2013. The IRS compiles the list every year. It notes that taxpayers can expect the scams any time of year, but many of the schemes peak now, during filing season. Steven T. Miller, IRS acting commissioner, noted that scams come in many forms, so be careful with trickery over email, in person, over the phone, or even via tweet.
The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack in history. A row between a spam-fighting group and a hosting firm has sparked retaliation attacks flooding core infrastructure. It is having an impact on widely used services like Netflix - and experts worry it could escalate to affect banking and email services.

Spamhaus, a group based in both London and Geneva, is a non-profit organisation which aims to help email providers filter out spam and other unwanted content. To do this, the group maintains a number of blocklists - a database of servers known to be being used for malicious purposes. Recently, Spamhaus blocked servers maintained by Cyberbunker, a Dutch web host which states it will host anything with the exception of child pornography or terrorism-related material.

Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker, said, in a message, that Spamhaus was abusing its position, and should not be allowed to decide "what goes and does not go on the internet". Spamhaus has alleged that Cyberbunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, is behind the attack. Writing exactly one year ago for the BBC, Prof Alan Woodward predicted the inherent weaknesses in the web's domain name system.
For us guys and gals in SophosLabs, ransomware is a common sight. We see many different versions every day. But, as is to be expected, the authors think up a new gimmick that makes us take notice. This is one of those cases.

Recently we received a ransomware sample from one of our customers, which immediately piqued our interest as it used the Windows PowerShell program to perform file encryption. For those who may not be aware, Windows PowerShell is a scripting language from Microsoft designed to help system administrators automate some of the tasks required to run a Windows network. It’s included with Windows 7 and later but can be installed on earlier Windows operating systems too.
Mozilla chief privacy officer Alex Fowler relayed a vivid anecdote last week during RSA Conference 2013 that illustrates the lengths third parties such as advertisers, data brokers and others who traffic in users’ online behavior will go to track you once you land on a website. Fowler said that in his typical daily web surfing across four popular online destinations, nearly 120 third-party domains were able to track him, dropping more than 300 cookies onto his machine. All of this is perfectly legal and convolutedly spelled out in privacy policies, but most users are oblivious to how much information is collected about their surfing habits and what it’s used for—which is primarily to serve targeted advertising.

Privacy measures such as the Do Not Track W3C specification are mired in conflicting political and business debates, forcing the hand of browser vendors such as Mozilla to adopt their own tracking mitigation. Announced last week, Mozilla said the next version of Firefox will come with a patch that blocks third-party cookies; in order for cookies to be placed on a user’s computer, they must directly interact with a site. Mozilla’s approach is similar to what Apple has implemented with its Safari browser for a decade.
Software makers Mozilla and Microsoft have worked DNT functionality into their browsers to protect online privacy, but Google and Facebook want people to remember that their services exist for free thanks to online advertising.

FBI CISO Patrick Reidy and insider threat analyst Kate Randal spoke on behavioral-based indicators to determine insider threats within the workplace.

Panel members believe a new White House strategy is a good first step to limiting foreign-led corporate cyber espionage, although don't expect change to come quickly.

A group of security industry veterans, all now representing vendors, joined a panel Tuesday at the RSA Conference in San Francisco to discuss raising the price tag for adversaries to accomplish their mission. While most people assume the high price tag of an advanced attack comes from the cost of gaining access to a network, intruders also spend big money maintaining that foothold. And that is where some organizations, particularly those that are high-value targets for adversaries, may want to direct their security attention. "If you're Google, it doesn't matter how fast you run, the bear wants you," said Tim "TK" Keanini, chief research officer at nCircle, a vulnerability and risk management company. Richard Bejtlich, CSO of incident response firm Mandiant, said companies are often unaware for weeks or months that attackers have breached their firewall and are clandestinely conducting reconnaissance or siphoning out information.
Posted on 28 February 2013. | Solera Networks announced the results of the Ponemon Institute's 2013 report, "The Post Breach Boom," which revealed that organizations are unprepared to detect data breaches and contain them.
Posted on 27 February 2013. | If you haven't set up automatic updating for Flash, you will have to find and download the update yourself - just be careful you don't end up with malware on your computer.
Posted on 27 February 2013. | Android malware levels increased more than five-fold between September and December 2012, according to the February 2013 Internet Threats Trend Report issued by Commtouch.
Posted on 26 February 2013. | The percentage of overall IT security spending dedicated to encryption has almost doubled, demonstrating that organizations are prioritizing encryption over other security technologies.
Posted on 26 February 2013. | SSO is a powerful tool, which is why it is particularly of interest to CIOs in light of the increased number and severity of data breaches occurring around the globe.
Posted on 22 February 2013. | Check Point uncovered the major security risks and threats that impact organizations worldwide.
Posted on 22 February 2013. | In the past year, 75 percent of mobile phishing URLs were rogue versions of well-known banking or financial sites, warns Trend Micro.
Posted on 21 February 2013. | McAfee Labs revealed that sophisticated attacks originally targeting the financial services industry are now increasingly directed at other critical sectors of the economy.
Posted on 21 February 2013. | The goal of these attacks is simple, but the techniques the attackers use and the speed and determination with which they come up with new ones are enough to demoralize many infosec experts.
Posted on 20 February 2013. | In 2012 identity fraud incidents increased by more than one million victims and fraudsters stole more than $21 billion, the highest amount since 2009.
In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk's services. All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company's blog with the heading "We've been hacked". The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used.

"Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response," Mikkel Svane, the Zendesk CEO, wrote in the blog post.
This flaw allowed me to take full control over any Facebook account. By exploiting this flaw I could steal unique access tokens that provide me full control over any Facebook account.

Just to clarify, there is no need for any installed apps on the victim's account. Even if the victim never allowed any application in his Facebook account, I could still get full permissions (this bug works on any browser).

To make this exploit work, the victim only needs to visit a webpage. OAuth is used by Facebook to communicate between applications and Facebook users; usually users must allow/accept the application request to access their account before the communication can start.

I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim's account even without any installed apps on the victim's account. Another advantage in the flaw I found is that there is no "expiry date" on the token like there would be with any other application usage; in my attack the token never expires unless the victim changes his password :).

Every application in Facebook has a different app_id. For example, 'Diamond Dash' will be app_id=2, and 'Texas Holdem Poker' will be app_id=3. The next/redirect_uri parameter (next=, redirect_uri=) only accepts the owner app domain,
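A defensive illustration of the redirect_uri check mentioned above, added here and not part of the researcher's post or of Facebook's code: an authorization server that only compares the host of redirect_uri with the app owner's domain will also accept any other path on that host, whereas exact matching against the URIs the owner registered accepts nothing else. The registry, hostnames and URIs below are constructed; the app ids merely echo the page's examples.

```python
from urllib.parse import urlsplit

# Constructed registry: app_id -> set of redirect URIs the app owner registered.
# The ids follow the page's examples (2 and 3); the hostnames are made up.
REGISTERED_REDIRECTS = {
    2: {"https://diamond-dash.example/oauth/callback"},
    3: {"https://poker.example/auth/done", "https://poker.example/auth/mobile"},
}


def _registered_hosts(app_id: int) -> set:
    return {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(app_id, set())}


def domain_only_check(app_id: int, redirect_uri: str) -> bool:
    """Loose check: accept any redirect_uri whose host belongs to the app owner.
    This is the kind of check the page describes; it says nothing about the path,
    so every endpoint on that host becomes a place a token may be delivered to."""
    host = urlsplit(redirect_uri).hostname
    return host is not None and host in _registered_hosts(app_id)


def exact_match_check(app_id: int, redirect_uri: str) -> bool:
    """Strict check: scheme, host, port and path must equal a registered URI exactly,
    and no query string or fragment is allowed, so a token can only be delivered to
    endpoints the app owner explicitly enumerated at registration time."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    for registered in REGISTERED_REDIRECTS.get(app_id, set()):
        r = urlsplit(registered)
        if (parts.scheme, parts.netloc, parts.path) == (r.scheme, r.netloc, r.path):
            return True
    return False


def compare_checks(app_id: int, candidates) -> dict:
    """Return {uri: (domain_only_result, exact_result)} so the gap between the
    two policies is visible side by side for a batch of candidate URIs."""
    return {u: (domain_only_check(app_id, u), exact_match_check(app_id, u))
            for u in candidates}


if __name__ == "__main__":
    # Constructed candidates: the registered callback, another page on the same
    # host, the callback with an extra query string, and a foreign host.
    sample = [
        "https://diamond-dash.example/oauth/callback",
        "https://diamond-dash.example/some/other/page",
        "https://diamond-dash.example/oauth/callback?x=1",
        "https://other.example/oauth/callback",
    ]
    for uri, (loose, strict) in compare_checks(2, sample).items():
        print(f"{uri}: domain-only={loose} exact={strict}")
```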
By Aaron Souppouris (@AaronIsSocial), February 14, 2013, 06:57 am
A security flaw in Apple's iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact). The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1. This isn't the first time this has happened — a very similar bug affected iOS 4.1, and was fixed in iOS 4.2. We've reached out to Apple for comment and will update you once we hear back.
You've probably seen the widely-covered news about an in-the-wild exploit against Adobe's Reader and Acrobat software. Even the new and improved security features in the latest version, Reader XI, aren't enough to head this one off at the pass, at least by default. (That's not an indictment of the security technology Adobe introduced in Reader X and boosted further in XI. It's just a reminder that the crooks don't simply give up when you raise the bar.)

Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
Posted on 12 February 2013. | This article combines augmented reality with reasonable assumptions to present less optimistic, but probable, future augmented reality applications.
Posted on 12 February 2013. | For the first time, the retail industry made up 45 percent of Trustwave data breach investigations with e-commerce attacks emerging as a growing trend surpassing the amount of point-of-sales attacks.
Posted on 11 February 2013. | Bit9, a firm that provides software reputation, application control and whitelisting services to financial, IT and government sectors, has suffered a breach.
Posted on 11 February 2013. | The growth in cloud storage devices means that corporate IT departments are now at the mercy of consumer-based applications, as more and more employees look to take their work out of the office and offline.
Posted on 8 February 2013. | Are you that person to whom everybody turns for advice on how to keep secure online? Point them towards online tests where they can learn and test their knowledge by themselves.
An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho, Sept. 29, 2011.

There have been security flaws in software as long as there has been software, but they have become even more critically important in the context of cyberweapons development. In the past, security researchers who stumbled on a software flaw would typically report the flaw to the manufacturer of the software, so it could be fixed. That changed, however, when cyberweapon designers started looking at these flaws as vulnerabilities that could serve as a back door into a computer network. Most prized of all were "zero day vulnerabilities" — flaws whose existence was previously unknown.

Richard Bejtlich was a cyber-specialist for the U.S. Air Force in the 1990s, a time when the U.S. military was going on the offense in the cyberwar. He remembers the day he realized how important a software vulnerability can be to a cyberweapons designer. "Myself and a couple other guys, we found a zero day vulnerability in Cisco routing equipment," Bejtlich recalls. "And we looked at it, and we said, 'Did we really find this? Can we really get into these Cisco routers?'"
Posted on 11 February 2013. | Bit9, a firm that provides software reputation, application control and whitelisting services to financial, IT and government sectors, has suffered a breach.
Posted on 11 February 2013. | The growth in cloud storage devices means that corporate IT departments are now at the mercy of consumer-based applications, as more and more employees look to take their work out of the office and offline.
Posted on 8 February 2013. | Are you that person to whom everybody turns for advice on how to keep secure online? Point them towards online tests where they can learn and test their knowledge by themselves.
Posted on 8 February 2013. | Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities that are being actively exploited to target Windows and OS X users.
Posted on 4 February 2013. | While Graph Search is described as a way to allow people to make new connections, it's undeniably a powerful tool for unearthing a wealth of information in a highly accessible manner. You could call it stalker's heaven.
Virtualization software maker VMware issued an update last Thursday resolving a virtual machine communication interface (VMCI) vulnerability in its ESX Server, Workstation, Fusion and View products that could lead to a privilege escalation if unpatched. According to the VMware security advisory, a local attacker could potentially exploit a control code handling vulnerability in vmci.sys in order to tamper with memory allocation in the VMCI code and eventually obtain elevated privileges on Windows-based hosts and guest operating systems.

The vulnerabilities affect systems running Workstation 9.0 as well as versions prior to 8.0.5; Fusion 5.x prior to version 5.0.2 and 4.x prior to version 4.1.4; View 5.x prior to version 5.1.2 and 4.x prior to version 4.6.2; ESXi 5.1 without ESXi510-201212102-SG, 5.0 without ESXi500-201212102-SG, 4.1 without ESXi410-201211402-BG, and 4.0 without ESXi400-201302402-SG; and ESX 4.1 without ESX410-201211401-SG and 4.0 without ESX400-201302401-SG.

VMware users should read the patch release details and update their systems accordingly, the company said. VMware gives credit to Cylance Inc.’s Derek Soeder and Microsoft’s Kostya Kortchinsky for independently reporting the bug to them.
Posted on 8 February 2013. | Are you that person to whom everybody turns for advice on how to keep secure online? Point them towards online tests where they can learn and test their knowledge by themselves.
Posted on 8 February 2013. | Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities that are being actively exploited to target Windows and OS X users.
Posted on 7 February 2013. | The vulnerability affects the Tridium Niagara AX Framework, and lets remote attackers access the system's configuration file that contains login credentials for operator work stations.
Posted on 6 February 2013. | A security flaw in D-Link's DIR-300 and DIR-600 routers could allow remote attackers to inject and execute arbitrary shell commands via a simple POST request without being authenticated.
Posted on 4 February 2013. | While Graph Search is described as a way to allow people to make new connections, it's undeniably a powerful tool for unearthing a wealth of information in a highly accessible manner. You could call it stalker's heaven.
Smartphones and tablets are powerful and popular, with more than a thousand new mobile apps hitting the market each day. In this fast-moving era of entrepreneurship and creativity, is security keeping up? Apps and mobile devices often rely on consumer data — including contact information, photos, and location to name a few — and can be vulnerable to digital snoops, data breaches, and real-world thieves. The Federal Trade Commission (FTC), the nation’s consumer protection agency, offers these tips to help developers approach mobile app security.

There is no checklist for securing all apps. Different apps have different security needs. For example, an alarm clock app that collects little or no data will likely raise fewer security considerations than a location-based social network. Apps that are more complex may rely on remote servers for storing and manipulating users’ data, meaning that developers must be familiar with securing software, securing transmissions of data, and securing servers. Adding to the challenge: Security threats and best practices evolve quickly.

The FTC expects app developers to adopt and maintain reasonable data security practices and doesn’t prescribe a one-size-fits-all approach. This brochure offers a starting point to help you provide a secure experience for your users. If applied thoughtfully and consistently, these tips can help protect you, your users, and the reputation of your app.
Talk of cyberwar and a cyber Pearl Harbor seems to be a regular fixture of news reports in the last few months, with prominent U.S. administration officials like Janet Napolitano or Leon Panetta regularly touting the threat of a cyber attack on the United States. But not everybody is buying it. For one, Howard Schmidt, the former chief cybersecurity advisor to President Barack Obama, is skeptical. "I don't share the viewpoint that we're on the brink of disaster every time a new worm comes out or a new DDoS (distributed denial of service) comes out," he told Mashable. In fact, he even disagrees with the terminology that's being used. "I don't like using the word cyberwar, and I don't like using the word cyber 9/11, cyber Pearl Harbor and all these other things," he said.

Schmidt sat down to talk with Mashable after the 2013 Kaspersky Cyber-Security Summit in New York City on Wednesday, where he discussed cybersecurity with Eugene Kaspersky, the head of the eponymous online security giant. Schmidt said he's not discounting the threat; in fact, he is well aware of the potential disruption that cyber attacks could cause. For him, the worst case scenario is an attack that takes out power, something that could have cascading and potentially very damaging effects. It's exactly for this reason that he also warns that using cyberweapons or malware against another nation should be a measure of last resort.
It’s not the first time boffins have proposed the use of smartphone accelerometers as an attack vector, but it’s scarily efficient: with as few as five guesses, Swarthmore College researchers say they can use phone movements to reveal user PINs.

As noted in his paper (PDF - Practicality of Accelerometer Side Channels on Smartphones), lead author Dr Adam Aviv says phones' movements have been investigated as an attack vector before. Prior work has, however, used the phone’s gyroscope – or a combination of gyro and accelerometer – as the input sensor, and with relatively low accuracy (he cites a test that gave a worst case needing 81 guesses to arrive at the correct PIN).

This new study collected 9,600 samples from 24 users both sitting and walking, and tested both pinpad and swipe-pattern data entry. The data-gathering apps installed on the test phones captured the phones’ movements during PIN/swipe entry, and matched these against a database of known patterns: “In controlled settings ... [with the participants sitting still] our prediction model can on average classify the PIN entered 43% of the time and pattern 73% of the time within 5 attempts when selecting from a test set of 50 PINs and 50 patterns. In uncontrolled settings, while users are walking, our model can still classify 20% of the PINs and 40% of the patterns within 5 attempts.”
Posted on 29 January 2013. | Arbor Networks released its 8th Annual Worldwide Infrastructure Security Report offering a rare view into the most critical security challenges facing today's network operators.
Posted on 29 January 2013. | Imperva announced a new report which examines the dangers of third-party code in cloud computing.
Posted on 28 January 2013. | The past 12 months have been, to say the least, an active time for the information security landscape in Europe.
Posted on 28 January 2013. | Help Net Security put SafeNet's new President and CEO in the hot seat to learn more about his background, as well as future plans.
Posted on 25 January 2013. | Here's advice on what users should do to minimize the danger to themselves and others if they have fallen for these scams, and what they can do to stop falling for similar ones in the future.
If you are an owner today of a merchant-based business, whether online or run from a brick-and-mortar establishment, it is difficult to make sense of the ongoing rage over mobile payments and how they will change the way that basic commerce, as we know it, is conducted in the future. Yes, smartphone technology will have a dramatic impact on merchant activities, but hold on, we have heard similar predictions before.

The internet did change merchant commerce, as we knew it, but those changes did not happen overnight. Technology professionals are not bankers. They may be able to wire things together to make things work, but when it comes to money and changing how consumers are to spend it, there are many more considerations that must be addressed along the way, especially ones to do with potential fraud risks. Risk concerns tempered the excitement with internet commerce, and they will do the same with mobile payments.

To begin with, let’s divide “mobile” into its two component parts. The merchant-based initiative is called “Wireless Processing.” This new approach to remote merchant payment capability replaces an assortment of cumbersome equipment that would permit payment processing on-the-go, “24×7,” anywhere and at any time. This technology has already been battle-tested and is currently being marketed by several firms on national television channels. A simple device plugs into your smartphone, allows you to swipe a card stripe, and then conducts a typical payment transaction, complete with authorization, email confirmation, and a deposit of net proceeds into your merchant account. Risks are known. Cardholder behavior is not a formidable obstacle, but some will still be worried about privacy and whether their personal information will be compromised.
An unusual new strain of ransomware makes good on its threat, doing what the majority of other varieties only claim to do. The Trojan actually encrypts data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.

This veracious new version of the otherwise well-known police ransomware Trojan is unique only in the sincerity of its promise. According to a report by Hynek Blinka on the AVG News and Threats blog, most ransomware campaigns deploy a familiar warning, asserting that some crime has been committed by the user and that the user’s machine will remain locked down or encrypted until that user pays the fine associated with their transgression.

In most cases, the malware can be found and subsequently removed without paying the fine (which may or may not resolve the problem anyway). In this case, however, Blinka has witnessed the Trojan encrypting images, documents and executables in an attempt to hinder any removal attempts. Whoever is responsible for the malware is not in the business of completely crippling machines, so Windows system files are not included in the forced encryption. Infected computers will still function for the most part, but data will be lost and many third-party programs will not work.
Digital video recorders have revolutionized home and business security, making it possible to easily store and play back hundreds of hours of surveillance camera footage. But a few design flaws in their software, it seems, can quickly turn the watchers into the watched.

Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall, according to tests by two security researchers. And one of the researchers, security firm Rapid7's chief security officer H.D. Moore, has discovered that 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet.

“The DVR gives you access to all their video, current and archived,” says Moore. “You could look at videos, pause and play, or just turn off the cameras and rob the store.”

Early last week a security researcher who goes by the name someLuser published a blog post detailing his dissection of a DVR built by the security firm Swann, disassembling the device and running tests on it via its serial port. He found that commands sent to the device via a certain connection, port 9000, were accepted without any authentication. And worse, he was able to use that unprotected connection to retrieve the login credentials for the DVR’s web-based control panel. “Anyone who can connect to port 9000 on the device can send this request and retrieve that information,” said someLuser, who declined to reveal his real name when I reached him by instant message.
Today, I am pleased to announce Cisco’s intent to acquire Cognitive Security, a privately-held company headquartered in Prague, Czech Republic. Cognitive Security is focused on taking cutting edge research in the field of network security and applying artificial intelligence techniques to detect advanced cyber threats. Cognitive Security’s solution integrates a range of sophisticated software technologies to identify and analyze key IT security threats through advanced behavioral analysis of real-time data.

Mobility and cloud are drastically changing the IT security landscape, where traditional security approaches aren’t enough to protect customers against an evolving threat landscape. Today’s threats are more targeted, complex, and disruptive than ever before. Cognitive Security’s technology identifies and detects security anomalies, and when coupled with the network for mitigation, allows Cisco to uniquely address our customers’ security requirements.

Cisco’s security vision is to provide always-on, integrated security to empower customers to realize the benefits of a mobile, cloud-enabled business. Cisco’s cloud-based global threat intelligence and Cognitive Security’s real-time behavioral analytics will integrate into a common policy engine that controls distributed network enforcement in an intelligent network and mitigates advanced cyber threats.

Cognitive Security has a long-standing collaboration with the Czech Technical University (CTU), benefitting from CTU’s scientific contribution to the field of network security through a joint research program. Cisco and Cognitive Security plan to continue to expand on this relationship going forward.
Let me just reset the password to the factory default of 123456. Then you can get in to fix it - just reset the password when you are done.

Actually, no need to get Barracuda to actually give you the password. You have physical control of the device; replace the ssh binary with one that grabs the password for you, then call Barracuda for support. Done.
Google has never been stingy when it comes to paying for information about security vulnerabilities in its products. Now it’s offering an especially large (and especially nerdy) sum of money.

At its third Pwnium hacking competition in Vancouver in March, the company is ponying up a total of $3.14159 million in prizes for hackers who can demonstrate critical security vulnerabilities in its Chrome OS operating system running on a Samsung Series 5 550 Chromebook, according to a notice posted Monday on its Chromium blog. Any participant who can take over a Chromebook user’s browser or entire computer via a malicious Web page can earn a $110,000 payout. And if the hacker can maintain persistent control over the system between reboots of the machine, he or she can win $150,000.

Those prizes are a significant bump over Google’s already generous rewards for hackers who demonstrate flaws in its products and share information to help fix them. Though the total, pi-sized bounty is mostly a marketing gimmick (Google has only ended up paying out a few hundred thousand dollars of its $1 million and $2 million total offerings in previous Pwnium contests), its $150,000 reward is $30,000 more than it has offered in the past for any single hack.
Posted on 24 January 2013. | The backdoor accounts are present in Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances.

Posted on 23 January 2013. | Augmented Reality is not the stuff of science fiction any more, and we should all be at least familiar with its current and likely future uses. This book aims to be an easy-to-digest guide on the subject matter.

Posted on 22 January 2013. | Senior Threat Researcher for GFI Software, Christopher Boyd, talks about cunning scamming techniques and their evolution.

Posted on 21 January 2013. | Information security is a dynamic field that promises a lot of fascinating work, so it's no wonder that so many individuals want to break into it.
Summary: The U.S. Sentencing Commission website has been hacked a second time. Code distributed by Anonymous "Operation Last Resort" turns ussc.gov into a game of Asteroids.

Read more in Anonymous Re-hacks U.S. Sentencing Site. Above is the AntiSec controls for using the keyboard to "fire" at the government webpage.

Violet Blue is a Forbes Web Celeb, SF Appeal contributor, a high-profile tech personality and one of Wired's Faces of Innovation.
MIT was hacked on Tuesday around noon, with MIT URLs redirecting to a webpage claiming credit for the attack in remembrance of Aaron Swartz.

As a result of the hack, people who tried to reach MIT over the Internet were redirected to the hacked Web page pictured here: http://goo.gl/kxdm1. The hack affected all names under mit.edu, including web.mit.edu, tech.mit.edu, etc.

The hack and subsequent outages were due to a compromise at EDUCAUSE, the registrar that provides information on all .EDU names. A registrar, which allows users to purchase domain names, also specifies the domain name system (DNS) servers for a domain, which convert domain names to IP addresses — needed to actually load the page.

Anyone trying to use DNS in other ways — for example, to send email to people at MIT — would also have been affected. The rogue servers did not accept email for MIT.EDU, but merely refused connections, so it is expected that mail sent during the outage will eventually be delivered, rather than being lost forever. For approximately one hour, MIT’s DNS was redirected from internal servers to the company CloudFlare, where the hacker had configured the site to point to a page claiming credit for the attack.
Kim Dotcom, like every smart founder of a startup in a crisis, is pivoting. Since his Mega empire of filesharing websites and financial assets was seized in an indictment over massive alleged copyright violations last year, he’s been working on a relaunch designed to transform the company’s reputation from a business focused on piracy to one focused on privacy, specifically airtight encryption like no other storage site has ever offered.

But the security community knows that the boldest claims about new encryption technology demand the most scrutiny. And some crypto researchers are already punching holes in the secure lining of Mega’s cloud.

“It’s a nice website, but when it comes to cryptography they seem to have no experience,” says Nadim Kobeissi, a 23-year-old cryptographer and creator of the secure chat software Cryptocat, who began poring over the public portions of Mega’s code as soon as it debuted over the weekend. “Quite frankly it felt like I had coded this in 2011 while drunk.”

The most glaring issue for Kobeissi is that Mega claims to offer end-to-end encryption of users’ files without requiring them to download any software. All of the encryption takes place in the user’s browser automatically when he or she visits the site. Mega describes that system as “User-Controlled Encryption.”
Top Story
Europe Weighs New Data Breach Rules For Critical Companies
Mobile networks, banks, energy companies and other critical infrastructure providers could be required to report all breaches to EU authorities.