Tuesday, 5 November 2013

Online Privacy: A Concern For All

Teenagers and twenty-year-olds couldn't care less about online privacy. In fact, it's a thing of the past. That's probably what you think when you see the amount of activity on popular social networks like Facebook, Tumblr, or Twitter. Actually, younger people do care quite a bit about online security and protection. J.D. Power's report "Consumer Concerns about Data Privacy Rising: What Can Businesses Do?" reveals that personal privacy is a concern in all countries across all ages.
The study looked at persons in the U.S., China, and India, from the age of 13 years old through the pre-Boomer generation, people older than 67 years old. Privacy proves to be a global concern; 41 percent of consumers in both the U.S. and India are highly concerned about privacy while 50 percent of consumers in China feel the same way. The report reveals that even though more security measures have been implemented, consumers' mistrust of companies remains high.
Does Age Matter?
Consumers' concern with data privacy increases with age: roughly 79 percent of the 13 through 17 year olds claimed to be concerned about their online privacy while 92 percent of the pre-Boomers held these same anxieties. This doesn't mean younger consumers don't care about their privacy; they do harbor their fair share of privacy concerns. The study posits that one reason why younger people may be less concerned is because they're more proactive in their online lives; they're more likely to take actions to reduce their privacy risk and thus worry less about their online security.
One of the study's most intriguing findings was that even though younger generations provide a lot more personal information online, oftentimes they give false information. As someone of Generation Y, I can confirm this; I rarely give out my real birthday, phone number, or emails on several sites that I frequent.
In addition, at least one-half of the people in Generation Z and Y reported that their social network settings are private, while only 20 percent of pre-Boomers have the same security settings. In other words, older people are more likely to be truthful online, while their younger counterparts are more likely to lock down what they share.
Less Trust in Companies
The report revealed several other interesting tidbits as well. For instance, consumers place a lot of trust in laws to protect their privacy; over 50 percent claim they think existing laws and organizational practices provide a reasonable level of privacy protection. However, last year 81 percent of consumers voiced that they still don't feel safe online because they've lost control over how their personal information is collected and used by companies.
Companies should take note; if they want to build brand loyalty they need to be more transparent about privacy policies. Some of the most crucial problems include the facts that there is an increase in commercial use of consumer data and consumers are unaware of the extent to which their data is being collected and used, contributing to their mistrust. As long as privacy remains an issue, companies have a responsibility to make sure their consumers feel safe if they want to be trusted.

Dark Mail to Secure Email, Evade NSA Surveillance

If you are worried by the devastating disclosures about the National Security Agency's surveillance programs, Lavabit and Silent Circle's proposed secure email platform may help ease your worries.
Lavabit and Silent Circle announced the Dark Mail Alliance earlier this week at the Inbox Love conference. As an open platform designed for secure email, Dark Mail will be immune from future surveillance efforts, the companies said.
With Dark Mail, the companies hope to develop a "private, next-generation, end-to-end encrypted alternative" to email.
Lavabit and Silent Circle
It makes sense that Lavabit and Silent Circle are taking the lead on building a new, Web-based secure email platform that users could use to evade surveillance.
Lavabit used to offer a secure email service that allowed people to send emails that could not be intercepted. It is believed that ex-NSA contractor Edward Snowden may have used the service. Lavabit shut down its services in August rather than comply with the U.S. government's request to hand over its encryption keys. Silent Circle specializes in encrypted communications and preemptively shut down its own secure email service to avoid facing a similar situation.
"Since they faced the difficult choice to shut down their email services in response to the federal investigations, it feels as a natural consequence for them to come back harder, better, stronger," said Claudio Guarnieri, a security researcher at Rapid7.
What is Wrong With Email?
Email, using SMTP (Simple Mail Transfer Protocol), has worked just fine over the years, but it was never designed with security in mind. Privacy- and security-minded users could take extra steps to encrypt their messages to protect the contents from prying eyes, but existing options did not encrypt the metadata. Bits of information such as the sender, the recipient, the time the message was sent, the size of the message, and other items, can be sensitive data in certain contexts.
For example, being able to look at the message metadata and learning that the CEOs of two companies have been communicating directly may hint at a potential partnership or merger. The subject lines could also divulge secrets.
With Dark Mail, the sender's mail server will send the intended recipient a short routing message. The routing message, which will likely be encrypted using XMPP, will contain a link to the cloud storage location where the actual encrypted message is stored. The decryption key to unlock the actual email, which will be protected using a new encryption protocol developed by Silent Circle, will also be part of the routing message. Since the encryption keys will be stored on the sender's computer, ISPs won't be able to hand them over in response to government requests.
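The metadata problem described above is easy to see on the wire. As an added example (not from the article or the Dark Mail project), the script below parses a constructed PGP/MIME message the way a relay would see it: the body is opaque ciphertext, yet sender, recipient, timestamp, subject and size all stay readable. The message and its armored block are constructed placeholders, not real PGP output.

```python
"""Added example (not from the article or the Dark Mail project): what a
mail relay still learns from a message whose body is PGP/MIME-encrypted.
The message below is constructed for this demo; the armored block is a
placeholder, not real PGP output."""
from email import message_from_bytes, policy

# Constructed sample: an end-to-end encrypted message as it sits in a relay queue.
SAMPLE_MESSAGE = b"""\
From: Alice <alice@example-corp.test>
To: Bob <bob@example-rival.test>
Date: Tue, 05 Nov 2013 09:12:00 +0000
Subject: Re: term sheet for the merger
Message-ID: <20131105091200.1234@example-corp.test>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0placeholderCiphertextNotRealPgpOutput=
-----END PGP MESSAGE-----

--b1--
"""


def observable_metadata(raw: bytes) -> dict:
    """Fields readable by anyone handling the message without a key:
    who wrote to whom, when, about what, and how much was sent."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "recipient": msg["To"].addresses[0].addr_spec,
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        "message_id": str(msg["Message-ID"]),
        "size_bytes": len(raw),
    }


def body_is_opaque(raw: bytes) -> bool:
    """True when the body is a multipart/encrypted container whose payload
    part is opaque ciphertext (application/octet-stream). Note that this
    says nothing about the headers, which remain plaintext either way."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    types = [part.get_content_type() for part in msg.iter_parts()]
    return types == ["application/pgp-encrypted", "application/octet-stream"]


if __name__ == "__main__":
    for key, value in observable_metadata(SAMPLE_MESSAGE).items():
        print(f"{key:>11}: {value}")
    print("body opaque:", body_is_opaque(SAMPLE_MESSAGE))
```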
Who Will Sign On?
Don't get too excited yet. The platform will likely not be available until some time next year. And email providers would have to get on board and implement the protocol so that users could take advantage of the platform. That means if you are a Gmail user, you can take advantage of Dark Mail's secure delivery platform only if Google adds the protocol to its service. It also means that the recipient also has to be on a service that accepts Dark Mail.
Encryption hasn't been widely adopted simply because "encryption has largely been optional," Guarnieri said. For a technology like this to be effective, it would need to be widely adopted. "Fortunately, I think this is exactly the right time for radical changes like this to be successful," he said.

Fake Law Enforcement Says, "Pay or We Arrest Your Cousin!"

Kids walking around in goblin and vampire costumes don't scare me on Halloween, nor do scary movies on TV. So what is the scariest thing that happened so far today? It was a phone call.
According to the Caller ID, this was a local number. When we answered, a male voice identified himself as calling from the "Kings County Sheriff's Office" and asked for a member of my family. When we explained she wasn't available, we were told that there was an outstanding warrant out for my family member. We were also told this family member was going to be arrested in the next 45 minutes, because of outstanding federal taxes from 2010.
We are always willing to cooperate, within reason, so we asked for more information. After giving us a phone number and the name of the person we should speak with at the federal government office, the caller transferred us to that number. The federal agent who answered the phone claimed if we wanted to resolve this right away, we would have to provide a cell phone number. The person wasn't very pleased when we refused, and kept repeating that our lack of cooperation meant this family member would be arrested in 45 minutes.
Scary? A little bit.
Red Flags Aplenty
Long-time readers of SecurityWatch would have noticed right away some of the red flags indicating that this was a scam, and not a real call. Let's walk through them.
1. New York City residents know that we don't have a "Kings County Sheriff's Office." We have the NYPD. We do actually have a Sheriff's Office, though, and it does handle tax evasion issues, but as the friendly spokesperson at the Sheriff's Office told me today, the office doesn't do anything with the federal government. The Sheriff's Office handles only cases for local taxes, and even that isn't a big part of their normal caseload, he said.
2. The caller kept saying "federal government"—not the IRS. Not the Internal Revenue Service. Try again, buddy.
3. Law enforcement doesn't call and say "pay up or we will arrest you." Not only would they not call me at home first, but they also won't give me the opportunity to make this go away first. As my new buddy at the Sheriff's Office said, "That's not how the system works." If there really was a warrant, the arrest would happen first, and then there will be the opportunity to fix it. Usually with a judge.
4. The time pressure to "act in 45 minutes" was clearly a social engineering tactic to create a high-pressure situation, said White Hat Security's Robert Hansen. This is a little similar to the kind of ransomware and scareware scams we've talked about in the past, where they create a sense of urgency, and if we don't take action right away, something bad will happen. In the cases of CryptoLocker and other types of ransomware, the malware might actually carry out the threat.
5. I didn't mention this in the above summary, but we were told we were going to be transferred to speak with "Michael Black." Yet when he answered, he said, "This is Khan." When we asked for Michael Black, he said, "It's the same." You know, if you are going to run a scam operation, get your names straight.
When I mentioned to the Sheriff's Office spokesperson the caller claimed the amount due was $1,798, he laughed and said, "There are people who owe tons more than that and don't get arrested."
Remember, if there really was an issue of overdue taxes, the IRS, or any government entity for any kind of problem really, would first send a letter by postal mail. And follow up by mail. The initial call wouldn't come from law enforcement.
"You don't get an arrest warrant. You just get a lot of mail," Chester Wisniewski of Sophos told me.
The scammers wanted us to act quickly, and were mad we didn't. They kept mentioning how it would be our fault if the arrest happened. In this case, and I really hope I am right, it's unlikely an arrest will happen any time soon.
Don't Panic. Think.
It helped that we didn't panic and fall into the trap of thinking we had to do something right away, because we were able to detect other flags.
"Probably the best way to react is to relax first," Hansen recommended.
We demanded information. They didn't have much, and kept insisting on a cell phone number. Eventually they asked for an email address. Haven't seen anything in my inbox yet, but as soon as it arrives, rest assured I will be sending it to trusted experts to find out what it has.
"Don't trust anything that is coming to you that you don't know where it is coming from," Wisniewski said. "Hang up, and call back the bank, the government, whoever the person is, and verify this is real." If this was a legitimate employee from a company, or a member of law enforcement, they will immediately provide the necessary information, such as the name, extension, and badge number, so that you can verify who they are.
The same rule applies if this happened over email instead of a phone call. Don't click on the link, but go directly to the organization site and see if you can get more details.
We immediately called the IRS—not with the number the caller gave us, but by looking it up on IRS.gov—and also the Sheriff's Office. In fact, when we called the Sheriff's Office, the spokesperson immediately said that we weren't the first ones reporting this scam.
You should also try to gather as much information as possible on the person calling so that you can report it to the real law enforcement. We got the person's "name"—both the first name and last name—and the phone number. We were unable to get more details, such as their title, their badge number, the department they work at, the docket number/case number they are working from, etc.
"Trust your gut. If the call doesn't seem right, trust that feeling," Wisniewski said. He also noted that in these situations, hearing an Indian accent generally puts him on guard because of past scams (such as the Microsoft support scam) originating from Indian call centers. I am not saying all Indian accents are suspect (my entire family has an accent), or that non-accented callers are always legitimate. But consider that there have been a lot of suspicious calls recently and it is one thing to consider if you are feeling suspicious.
What Was the End Game?
I described the whole scam to Wisniewski and he was intrigued, saying this sounded like a new type of scam. I am curious as to what the end game was. Was the cell phone number so that they could SMS me a link to the payment portal? Why didn't they ask for a credit card number?
This could have been an attempt to sign me up to a premium-rate number where I would get billed for services such as Joke-of-the-Day, but it seems like the caller was taking a lot of risks with this approach, noted Wisniewski. This could have been an attempt to send out SMS spam, as well.
It's possible they were originally trying to reach my family member directly to get identifiable information such as social security number and credit card information, suggested NetIQ's Geoff Webb. Since the person didn't answer the phone, they then switched to "cramming" me, where they would append fake charges to the cell phone bill, Webb speculated.

Swisscom plans 'Swiss Cloud' to hide data from PRISM spies

The fallout from the PRISM spying scandal continues to rumble on with Swisscom revealing plans for a dedicated cloud service based within Switzerland. This should help firms to ensure data is protected from government spies.
Swisscom's head of IT services Andreas Koenig told Reuters that although plans for the so-called Swiss Cloud have been in place for some time, they would definitely help allay fears that the PRISM scandal has brought to light.
He said that given the nation’s strong association with privacy it made sense to offer such a service, although he acknowledged that the firm would still be bound to reveal data if the relevant laws applied.
"Data protection and privacy is a long tradition in Switzerland, and that's why it's pretty difficult to get to something," Koenig said.
"But if legal requirements are there and we are asked by the judge to obtain or deliver certain information then we would obviously have to comply with it."
European officials have warned that cloud services could suffer as a result of PRISM, although they have urged firms to still consider the use of cloud computing, given its cost savings and productivity benefits.
The move by Swisscom to offer such a service underlines the growing push by European-based infrastructure firms to ensure privacy of data. Last month Deutsche Telekom said it wanted a local internet to stop traffic having to leave the country.
The PRISM scandal, which started when whistleblower Edward Snowden revealed documents showing the extent of US and UK efforts to gather data, continues to impact the tech market with new claims that the National Security Agency (NSA) has accessed Google and Yahoo data centres.
The head of the NSA has denied these claims, but tensions around data privacy remain high.

Tesco sparks privacy concerns with face-detection advertising

Tesco has sparked privacy concerns following its decision to install technology that scans shoppers' faces in order to display video advertising on screens at its petrol stations.
This is the first national rollout of the system, known as OptimEyes, which claims to recognise facial characteristics that determine a customer's gender and age in order to show more relevant video adverts on screens as they queue at the till.
Simon Sugar, chief executive of Amscreen, the firm which sells the technology, admitted to The Grocer magazine that the technology has connotations of science fiction, but is looking to increase its reach further. "Yes, it's like something out of Minority Report, but this could change the face of British retail and our plans are to expand the screens into as many supermarkets as possible," he said.
OptimEyes makes use of face-detection software to display video advertisements to shoppers
The rollout has provoked anger from some privacy groups, with Big Brother Watch's Nick Pickles telling the Guardian that OptimEyes creates a "huge consent issue".
He continued: "If people were told that every time they walked into a supermarket, or a doctor's surgery or a law firm, that the CCTV camera in the corner is trying to find out who they are, I think that will have a huge impact on what buildings people go into."
The Information Commissioner's Office (ICO) told V3 that the use of such equipment would have to be clearly marked and explained as a customer enters the premises – as with CCTV systems used for security – with additional explanation as to how their data would be used.
The ICO added: "As with any new technology, we would expect Tesco to be upfront about how people's information is being used. The privacy issues which this software might raise are obvious and so it is in the company's best interests to make sure they are explaining what information is being collected and why.
"We will be making enquiries with Tesco to find out more about the system and how it complies with the Data Protection Act."
OptimEyes promotional material (below) insists that the technology is merely face "detection" software rather than face "recognition", adding that data about a customer is immediately anonymised and processed as a string of numeric data. 
Google, meanwhile, is thought to be developing similar technology. A recent patent from the firm showed software that could detect the emotions of a user as they look at an advertisement, creating a "pay-per-gaze" ad revenue system.
Advertising of this nature always divides opinion, with the public unnerved with how much information they inadvertently share simply by going about their business. In July, a London startup began fitting anonymous mobile phone-tracking sensors to rubbish bin-mounted screens in order to display advertisements.
However, the City of London Corporation brought an end to proceedings, saying similar projects in future would need to be "done carefully, with the backing of an informed public."

Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity

Among the most common misconceptions regarding the exploitation (hacking) of Web sites is that no one would exclusively target *your* Web site, given that there are so many high-profile Web sites to hack into. In reality though, thanks to the public/commercial availability of tools relying on the exploitation of remote Web application vulnerabilities, the insecurely configured Web sites/forums/blogs, as well as the millions of malware-infected hosts internationally, virtually every Web site that’s online automatically becomes a potential target. Such tools also act as a driving force behind the ongoing mining of accounting data, which is later added to some of the market-leading malicious iFrame embedding platforms.
Let’s take a look at a DIY (do it yourself) type of mass Web site hacking tool, to showcase just how easy it is to efficiently compromise tens of thousands of Web sites that have been indexed by the World’s most popular search engine.

Sample screenshots of the DIY mass Web site hacking/SQL injecting tool based on the Google Dorks concept:
The proxy-supporting tool (the proxies being compromised, malware-infected hosts) has been purposely designed to allow automatic mass Web site reconnaissance for the purpose of launching SQL injection attacks against those Web sites that are vulnerable to this common flaw. Once a compromise takes place, the attacker is in a perfect position to inject malicious scripts on the affected sites, potentially exposing their users to client-side exploit serving attacks. Moreover, as we’ve seen, the same approach can be used in combination with privilege escalation tactics that could eventually “convert” the compromised host into part of an anonymous, cybercrime-friendly proxy network, as well as act as a hosting provider for related malicious or fraudulent content like malware or phishing pages. With the list of opportunities a cybercriminal could capitalize on being proportional to their degree of maliciousness or plain simple greed, Web site owners are advised to periodically monitor their site’s reputation by taking advantage of managed Web application vulnerability scanning services, or through Google’s SafeBrowsing.
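The mass reconnaissance such a tool automates is visible from the defender's side long before any compromise. As an added example (not from the article or the tool), the script below scans constructed Apache/nginx combined-format access log lines, URL-decodes each query string, and reports clients that sent injection probe patterns against more than one endpoint, which is the footprint of automated scanning rather than a single odd search term. The log lines, IP addresses and paths are all constructed.

```python
"""Added example (not from the article): spotting automated SQL-injection
reconnaissance in a site's own access log. All log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe fragments, matched case-insensitively on the URL-decoded query string.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"'\s*(or|and)\s+['\d]",              # ' or '1'='1 style tautologies
        r"\bunion\b.{0,20}\bselect\b",        # column enumeration
        r"\b(sleep|benchmark|pg_sleep)\s*\(", # time-based blind probes
        r"--\s*$|/\*.*\*/",                   # SQL comment terminators
        r"\binformation_schema\b",            # schema discovery
        r"'\s*(&|$)",                         # value ending in a lone quote (error-based probing)
    )
]

# Constructed sample log: one client sweeping two endpoints, one ordinary user.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Nov/2013:10:00:01 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [05/Nov/2013:10:00:02 +0000] "GET /product.php?id=12%27 HTTP/1.1" 500 312
203.0.113.9 - - [05/Nov/2013:10:00:03 +0000] "GET /product.php?id=12%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5010
203.0.113.9 - - [05/Nov/2013:10:00:04 +0000] "GET /news.php?cat=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4400
198.51.100.4 - - [05/Nov/2013:10:01:00 +0000] "GET /product.php?id=7 HTTP/1.1" 200 5100
198.51.100.4 - - [05/Nov/2013:10:01:05 +0000] "GET /search.php?q=it%27s+a+test HTTP/1.1" 200 2200
"""


def parse_line(line):
    """Split one combined-format line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)  # decode %27, + and friends before matching
    return rec


def is_probe(query):
    """True if the decoded query string carries any known injection probe fragment."""
    return any(p.search(query) for p in PROBE_PATTERNS)


def find_scanners(log_text, min_paths=2):
    """Return {ip: sorted paths} for clients whose probe-like requests hit at
    least `min_paths` distinct endpoints. One apostrophe in a search term never
    reaches the threshold; a sweep across several scripts does."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["query"]):
            hits[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= min_paths}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} endpoints: {', '.join(paths)}")
```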
We expect to continue observing such DIY efficiency-oriented underground market releases, with the logical transformation of DIY type of products, to actual managed services launched primarily by novice cybercriminals, either enjoying a lack of market transparency through biased exclusiveness of their proposition, or through propositions aimed at novice cybercriminals who wouldn’t have access to such tools.

Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)

Whenever a user gets socially engineered, they unknowingly undermine the confidentiality and integrity of their system, as well as any proactive protection they have in place, in exchange for quick gratification or whatever it is they are seeking. This is exactly how unethical companies entice unsuspecting victims to download their new “unheard of” applications. They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs or Potentially Unwanted Applications.

Sample screenshots of the landing page:
Landing URL: spyalertapp.com
Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 – detected by 4 out of 47 antivirus scanners as Win32/ExFriendAlert.B; SearchDonkey (fs)
Once executed, it phones back to and
The following PUA domains are also known to have responded to the same IPs:
The following PUA MD5s are known to have phoned back to these IPs:
Want to know who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam a try.

Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’

From Bitcoin-accepting services offering access to compromised malware-infected hosts and vertical integration to occupy a larger market share, to services charging based on malware executions, we’ve seen multiple attempts by novice cybercriminals to introduce unique value propositions (UVP). These are centered on differentiating their offering in an over-supplied cybercrime-friendly market segment. And that’s just for starters. A newly launched service is offering access to malware-infected hosts, DDoS for hire/on demand, as well as crypting malware before the campaign is launched. All in an effort to differentiate its unique value proposition not only by vertically integrating, but also by emphasizing the prevalence of ‘female bot slaves’ with webcams.

Sample screenshot of the cybercriminal’s underground market proposition showcasing some of the “inventory”:
Here’s a breakdown of the prices. 100 bots that will also get resold to the next prospective buyer are offered for $5. A rather surprising monetization approach, given that once a cybercriminal gets access to a host, the first thing he’d usually do is remove competing malware from it. The novice cybercriminal is also offering 100 bots that will not be resold to anyone but the original buyer for $7. Moreover, 300 bots converted directly to malware-infected hosts through an exploit kit are offered for $35, followed by an option offered as a separate service, namely, to obfuscate the actual malware for $3 per sample using a public crypter, and $5 using a private one. The boutique cybercrime-friendly shop is also offering a DDoS for hire/on demand service, with prices starting from $2 for one hour of DDoS attack. What we’ve got here is a very good example of a UVP-aware novice cybercriminal who’s basically having a hard time trying to pitch commoditized underground market assets.
The novice cybercriminal’s attempt to monetize his fraudulently obtained underground market assets is worth discussing in the broader context of today’s mature cybercrime ecosystem. In particular, the emergence of propositions pitched by novice cybercriminals, who’d monetize virtually anything that can be monetized, including goods and services that are commoditized, at least in the eyes of sophisticated attackers. This ongoing lowering of the entry barriers into the world of cybercrime inevitably results in the acquisition of capabilities and know-how which were once reserved exclusively for sophisticated attackers.
We expect to continue observing an increase in (international) underground marketplace propositions pitched by novice cybercriminals to fellow novice cybercriminals, largely thanks to the general availability of leaked/cracked/public malware/botnet generating tools and kits.

Android Jelly Bean passes 50 percent user base as KitKat launches

The Jelly Bean version of Google's Android operating system is now installed on 52.1 percent of all Android smartphones and tablets, according to statistics from the Developer forum.
The statistic is an 11.6 percent increase on the 40.5 percent figure recorded in August. Despite the positive uptake, the majority of Jelly Bean users (37.3 percent) are still running the oldest 4.1 version. The forum says 12.5 percent are using the more recent 4.2 and just 2.3 percent are running the newest 4.3 version.
Below Jelly Bean the forum says Ice Cream Sandwich runs on nearly a fifth of all Android devices, with a 19.8 percent share of the user base.
The even older Gingerbread is still running on over a quarter of all Android devices, and is installed on 26.3 percent of all active Android smartphones and tablets. Despite Gingerbread's ongoing high user base the figure is a marked decrease from the 33.1 percent figure recorded in August.
The news comes just after Google unveiled its latest Android 4.4 KitKat operating system. The KitKat OS will come preinstalled on Google's latest flagship smartphone, the Nexus 5 and arrive on other devices such as the Samsung Galaxy S4 in the near future.
In the past security vendors have listed this fragmentation within the Android ecosystem as a key challenge to their efforts to keep it secure. This is because it makes patching Android vulnerabilities far more costly and time consuming, with vendors having to update multiple versions of their product.
Some security experts have questioned the validity of the Android Developer forum's statistics. F-Secure security analyst Sean Sullivan told V3 the way the forum measures Android use is misleading.
"I think it's growing ever more difficult to draw conclusions from the ‘numbers'. It's a measure of those that are active in Google Play. And I'll tell you, my mom has an Android device – and she hasn't used Play recently. Just when she set up the phone, and not much since. I suspect there are lots of folks like her," he said.
Android is currently listed by the security community as the most targeted mobile operating system in the world. The US Department of Homeland Security (DHS) currently lists 79 percent of all mobile malware as being designed to target Android.

Anonymous threatened to wage war on the Singapore government

A hacker group claiming to be the notorious Anonymous collective has put up a YouTube video promising that it will declare war on the Singapore government if it does not stand down from an internet licensing framework that critics have said restricts freedom of speech.
The video, which surfaced online two days ago, was removed from YouTube just minutes after it went viral on Facebook and Twitter today with over 4,000 shares. The video, however, has been reposted on Facebook, other channels on YouTube, and various video platforms.
The message goes: “the primary objective of our invasion was to protest the implementation of the internet licensing framework by giving you a sneak peek of the state of your cyberspace if the ridiculous, communistic, oppressive and offensive framework gets implemented.”
It continues: “We have faced much larger and more secured corporations such as the FBI and the NSA. Do you think the IDA will be a problem for us? … so mark our words when we say that we Anonymous stand firm on our belief that no Government has the right to deprive their citizens the freedom of information.”
The video then called on “fellow Singaporean brothers and sisters” to start a public protest by dressing in black and red on November 5 and blacking out their Facebook profile pictures.
Announced in May this year, the framework mandates that news websites exceeding 50,000 unique visitors in Singapore must put up a performance bond of S$50,000, following existing practices by broadcasters in the country. Ten online news sites, mostly government-related, were ordered to apply for licenses, with sg.news.yahoo.com being the only non-state-sanctioned site implicated.
Internet giants like Google, Facebook, and eBay have come out strongly against the move, issuing a joint statement saying that “this new regulation – and the regulatory trend that this may be indicative of – could unintentionally hamper Singapore’s ability to continue to drive innovation, develop key industries in the technology space and attract investment in this key sector.”

LinkedIn – How to exploit social media for targeted attacks

The professional social network LinkedIn is a mine of information for any kind of attacker; a Websense post described a typical attack scenario.

Recently I read an interesting post published on the Websense security labs blog on the use of the social network LinkedIn for the reconnaissance phase of an attack. The concept is not new: LinkedIn is a mine of information for OSINT activities, and attackers could use it to acquire a huge quantity of personal information on their targets; social media are ideal for long-term cyber espionage operations.
I’ve coined in the past a very interesting concept, social network poisoning, to indicate the abuse of social network platforms to spy on specific profiles or to modify the sentiment on a topic of interest (e.g. PSYOPs and social both).
It’s easy to build a network of fake profiles to attract “persons of interest”, to monitor their professional activity and to obtain precious information for further targeted attacks (e.g. partnerships, collaborations and involvement in specific projects).
Let’s imagine that someone decides to attack my profile and notes that among my last publications there is a work I made for the banking sector evaluating the impact of cybercrime on modern online banking. Ill-intentioned hackers could collect information on the context where I made the presentation and on the persons who appreciated it or who work in the same area. Well, LinkedIn gives the attacker all the instruments and knowledge to try to compromise the targeted profile.
I would act in this way: after noting that the audio of my presentation was not so good due to line problems, I’d send a series of fake emails apparently sent by me (if the hackers are skilled they can also hack my mail account ;-) ) inviting people to download a new version of the presentation with better audio. In this case LinkedIn provides the attackers with info on my activities, on my contacts, on the persons who follow me, and the email addresses of many of them … Do you need something else?
“Search features within the social network provide an easy way for scammers and legitimate LinkedIn users to zoom in on their target audience.  Whether you are a recruiter looking for potential candidates, a dating scammer looking for “mature gentlemen”, or an advanced attacker looking for high-profile directors within particular industry sectors, LinkedIn users have access to tools to help refine their search.  LinkedIn’s own statistics report that 5.7 billion searches were conducted on the social network in 2012.”
Another curiosity is that an attacker could take advantage of a subscription to LinkedIn’s Premium Account service, which provides a set of additional features useful for a targeted attack (e.g. filtering by Function, Seniority Level, and Company Size). Consider also that “premium” scammers can contact any LinkedIn member and search across a greater number of profiles … Very very cool!
The Websense post highlights are:
  • Evidence indicates a reconnaissance phase is being conducted by the actors.
  • Websense telemetry across the 7 Stage life-cycle, collected over many years, provides valuable insight to connect the dots in such attacks that operate as a precursor to more sophisticated attacks.
  • The targeting method uses existing features of the LinkedIn social network to pin-point LinkedIn users that meet the scammer’s requirements.
  • The LinkedIn profile is actively engaging with legitimate LinkedIn members, and currently has just over 400 connections.
  • The destination website is hosted on the same ASN as sites known to host exploit kits and possibly illegal websites.
  • Current payload leads to a dating site.  While social engineering is primarily being used here, this could morph into something more nefarious over time.
The popular social network could also be used to serve malware, inducing users to visit a compromised website, or to carry out more or less complex scams.
The technique adopted by the malicious actors is quite simple: the attackers repeatedly view the victim’s profile. Every LinkedIn user can see the most recent 5 users who have viewed their profile, so the trick simply takes advantage of human curiosity.
(Image: LinkedIn “who’s viewed your profile” spam)
Victims often visit the profile of the person interested in them. In the above image the scammer has set up a profile under the guise of “Jessica Reinsch” that links to a dating website geographically located in Switzerland and hosted on IP 82<dot>220<dot>34<dot>47.
(Image: LinkedIn landing website)
Although in this specific case the dating site is used merely as a lure, the same setup could alternatively be used to serve a malicious exploit.
Websense remarked that at the time of writing no malicious code was deployed on the website, but other domains on that same IP have been known to host suspicious code such as black hat SEO.
“We also see that IPs used to host the dating site are hosted within the same Autonomous System Number (ASN) as multiple Exploit Kit Command and Control URLs, including RedKit and Neutrino exploit kits.”
This profile examined by security experts at Websense is likely to have been set up to gain connections and harvest intelligence. As I explained in the first part of this post, LinkedIn provides all the information necessary to arrange a targeted attack (e.g. spear phishing, watering hole).
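One way a defender can codify the infrastructure pivot Websense describes (same IP, then same address block, then same ASN), as an added example that is not Websense’s own tooling: rank a candidate landing site by how closely its hosting overlaps a known-bad indicator feed. The feed, its categories and the ASN numbers below are constructed; only 82.220.34.47 comes from the post.

```python
"""Infrastructure-overlap triage for a suspicious landing site (added example).

Tiers: 3 = exact IP already in the feed, 2 = same /24 as a known indicator,
1 = same ASN only (a lead for further checks, not a verdict: Websense saw no
malicious code on the dating site itself at the time of writing), 0 = no overlap.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator feed: (ip, asn, category). A real feed would come from
# passive DNS and BGP lookups; here it is inline so the example runs offline.
# ASN numbers are invented; 82.220.34.47 is the landing IP named in the post.
INDICATORS = [
    ("82.220.34.47", 64500, "dating-lure"),
    ("82.220.34.19", 64500, "blackhat-seo"),   # same /24, constructed
    ("198.51.100.23", 64500, "redkit-c2"),     # same ASN, other block, constructed
    ("198.51.100.77", 64500, "neutrino-c2"),   # constructed
    ("203.0.113.9", 64501, "phishing"),        # unrelated ASN, constructed
]


def _index(indicators):
    """Build lookup tables keyed by exact IP, by /24 network and by ASN."""
    by_ip, by_net, by_asn = {}, defaultdict(list), defaultdict(list)
    for ip, asn, cat in indicators:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_ip[ip] = cat
        by_net[net].append((ip, cat))
        by_asn[asn].append((ip, cat))
    return by_ip, by_net, by_asn


def triage(candidate_ip, candidate_asn, indicators=INDICATORS):
    """Return (tier, matches): the strongest overlap and the indicators behind it."""
    by_ip, by_net, by_asn = _index(indicators)
    if candidate_ip in by_ip:
        return 3, [(candidate_ip, by_ip[candidate_ip])]
    net = ipaddress.ip_network(f"{candidate_ip}/24", strict=False)
    if by_net.get(net):
        return 2, list(by_net[net])
    if by_asn.get(candidate_asn):
        return 1, list(by_asn[candidate_asn])
    return 0, []


if __name__ == "__main__":
    for ip, asn in [("82.220.34.47", 64500), ("82.220.34.100", 64500),
                    ("192.0.2.5", 64500), ("192.0.2.5", 64502)]:
        print(ip, asn, triage(ip, asn))
```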
During the RSA Europe security conference in Amsterdam last week, the cyberdefense specialist Aamir Lakhani, who works as a solutions architect at IT services provider World Wide Technology, gave an interesting presentation on the abuse of the LinkedIn network to launch an attack. He described an experiment that showed the effectiveness of using fake profiles on popular social networks like LinkedIn and Facebook; the attack was part of a sanctioned penetration test performed in 2012.
Security experts used profiles pretending to represent an attractive young woman to penetrate the defenses of a U.S. Government agency, as part of an exercise that shows how effective social engineering attacks can be even against sophisticated organizations.
The attacker captured the attention of internal personnel via social media and the real attack started after victims opened a malicious birthday card link that compromised the target systems.
“This guy had access to everything. He had the crown jewels in the system,” Lakhani said. The whole social media deception project involving Emily Williams lasted three months, but the penetration testing team reached its goals within one week. “After that we just kept the project going for research purposes to see how far we can go.”
“After we performed this successful attack we got requests from other companies that wanted to try the same thing,” Lakhani said. “So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same.”
“Every time we include social engineering in our penetration tests we have a hundred percent success rate,” Lakhani said. “Every time we do social engineering, we get into the systems.”

badBIOS - Malware

Good story of badBIOS, a really nasty piece of malware. The weirdest part is how it uses ultrasonic sound to jump air gaps.
Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close proximity to -- another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.
With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.
"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."
I'm not sure what to make of this. When I first read it, I thought it was a hoax. But enough others are taking it seriously that I think it's a real story. I don't know whether the facts are real, and I haven't seen anything about what this malware actually does.