Thursday, 7 November 2013

NSA and Wall Street: online activity shrinks, changes post-Snowden

Our recent survey about consumer opinion in the wake of the Snowden revelations about mass NSA electronic surveillance suggests that the economic implications could be deeper than experts have yet acknowledged, including negative impact on corporate profits and GDP. At the same time, like every economic challenge, the NSA revelations present some interesting opportunities for the enterprising.

The digital economy takes a hit

How could the Snowden/NSA news damage GDP and profits? Through a reduction in online shopping and online banking. Our survey data suggests this reduction is not hypothetical; it is real, and not just a few percentage points. Close to one in five Americans we surveyed said they were doing less banking online as a result of the Snowden/NSA revelations. That’s a 20% hit to a trend that the retail banking sector has been counting on to achieve profitability targets: people shifting away from banking at costly branches and through postal mail. That trend could be stalling and those targets could now be in jeopardy.
And retail banking is just one of many sectors of the economy that have been relying on ever-increasing levels of online activity to maintain profitability.
Consumer spending drives the American economy and shifting that spending from brick-and-mortar stores to the digital realm has been a key strategy for retail firms.
Our survey indicates that, post-Snowden/NSA, retailers are looking at 14% of Americans doing less shopping online. That doesn’t necessarily mean less total shopping, but it does undermine the strategies and logistics behind the biggest retail spending period of the year, which is now well under way. I doubt that retailers have planned to staff and stock physical stores to cope with an unforeseen surge in foot traffic diverted from websites due to a drop in online trust sparked by news of government surveillance.
Beyond the obviously Internet-dependent sectors of banking and retailing, the drop in online technology confidence that we charted in our survey impacts all Internet-using entities in general, and technology firms specifically. For example, one in five Americans surveyed said that they were now less inclined to use email. Consider what that means for state and local governments, for email advertisers, for phone companies and other firms that rely on email for billing and support. And how about healthcare, where parties of all stripes have pinned their hopes for cost containment on greater leverage of the Internet?

Giant feet of clay

So you might be wondering what this means for two of the biggest plays in tech stocks, social media giants Facebook and Twitter. Yes, I know that Twitter has not IPO’d yet, but the IPO is coming and the “NSA factor” could influence pricing. How? Some 47% of people we surveyed said that they had changed how they used social media because of the Snowden/NSA revelations. Changed how? They agreed with the statement: “I am more careful about what I share via social media.” This does not mean a bunch of people are dropping social media, but I find it pretty shocking that almost half who do use it are now thinking differently about what they share.
Of course, one could quip that security professionals like myself have spent years trying to get people to be more careful about what they share on social media so we owe NSA a big “thank you” for achieving this sudden boost in awareness. But if the business plan of your social media company, or the one in which you’re thinking of investing, is predicated on people sharing more, not less, then I would be troubled, particularly since things are not likely to get any less scary for consumers, and assurances of privacy and confidentiality are easy to make while new revelations keep on appearing.
And this is where the NSA may have unwittingly poisoned the well for a broad swathe of technology companies, while undermining some of the pillars of cyberspace, like Google and Yahoo. Even before it was revealed that the NSA had tapped the fiber optic cables connecting the data centers used by these two Internet giants, a solid 50% of our survey respondents agreed with this statement: “I am now less trusting of technology companies, such as Internet service providers and software companies.”
Ouch! You don’t need a team of economists to tell you it’s not good for businesses or consumers or the country as a whole when technology companies, such as Internet service providers and software companies, lose that amount of trust. And you don’t need to be an expert in irony to see that knowledge of the actions of the NSA appears to be undermining the fabric of our cyber-based economy and society.
Actually, that team of economists might be handy for figuring out all the ways in which our responses to mass electronic surveillance impact our use of electronics, and what that will mean for businesses and consumers over the next few years. Hopefully politicians will consider those impacts as they try to restore the public’s faith in the branches of its government whose mission is supposed to be defending and enabling peace and prosperity.
If there is a bright note in all of this, here it is: 74% of people we interviewed said they would admire a company “that took a stand against unlimited government access to my personal information.”
If anyone at Google or Yahoo or Facebook or Twitter is wondering how to play this whole NSA thing, I would take my cue from that 74%. Taking a stand is clearly a chance to earn goodwill while you figure out how to get the public to do more with the Internet, not less.
[Update November 6, 2013: At the time I wrote the above paragraph I was not aware that Google's Eric Schmidt was giving an interview to the Wall Street Journal in which he would "take a stand" against the NSA, calling NSA surveillance outrageous. Maybe Google had done its own market research on this strategy. Personally, I think Mr. Schmidt was expressing genuine feelings that are widespread within his organization, employees of which have now made it clear how angry they are at the way the NSA was trespassing in its systems, trying to undo their hard work. Warning, this link about Google/NSA contains adult language.]
Of course, our survey was only a snapshot (first reported here). A bigger survey might show different results, although the news for high tech companies has only gotten worse since we did our polling.

Ghost in the machine: Mysterious malware “jumps” between disconnected PCs, researcher claims

It sounds like the stuff of security researchers’ nightmares, but a mysterious, indestructible strain of malware can infect PCs, Macs and Linux machines – and even “jump” between machines with power cables, Ethernet, Wi-Fi and Bluetooth pulled out. At least, one researcher believes so.
The claims, made by researcher Dragos Ruiu, have invited both alarm – and ridicule, with the rootkit compared to both MRSA and the Loch Ness Monster.
For Ruiu, though, the threat is all too real – in an interview with Ars Technica, the researcher claims that, infected machines could communicate with other infected machines even when their power cords, Ethernet cables, Wi-Fi cards and Bluetooth aerials were removed.
The ability to leap over “air gaps” – a term for when an infected machine is isolated from the network – is only one of BadBIOS’s superpowers, Ruiu claims. He has battled the malware with his team for three years – and found it near-impossible to destroy, he claims.
“We had an air-gapped computer that just had its BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” the researcher said in an interview with Ars Technica.
“At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”
Ruiu concluded that the machines “talked” via their speakers. Describing the malware as “the stuff of urban legend”, The Verge described Ruiu’s conclusion that the malware communicated at high frequency through computer speakers to “jump” air gaps as “the first stages of a larger attack.”
The idea that malware could communicate in this way is not far-fetched in itself – earlier this year, We Live Security reported on research from the University of Alabama at Birmingham, where sound was used as a “trigger”. Researchers found signals could be sent from a distance of 55 feet using “low-end PC speakers with minimal amplification and low-volume”, the researchers said.
“We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack,” said Nitesh Saxena, Ph.D., of UAB. “While traditional networking communication used to send such triggers can be detected relatively easily, there does not seem to be a good way to detect such covert channels currently.”
The researchers presented a paper titled “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices,” at the 8th Association for Computing Machinery Symposium on Information, Computer and Communications Security (ASIACCS) in Hangzhou, China.
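To make concrete what an acoustic channel like the one Ruiu describes and the UAB team demonstrated would have to do, here is an added example (not Ruiu’s, UAB’s or any real malware’s code): bits are keyed onto two near-ultrasonic tones (binary frequency-shift keying) and recovered by measuring the energy at each tone with a Goertzel filter. The sample rate, the two tone frequencies, the symbol rate and the preamble byte are assumptions chosen for illustration; nothing touches a real sound card, the “transmission” is a list of PCM samples handed from the modulator to the demodulator, optionally with constructed noise mixed in. The last function is the defender’s side of the same arithmetic: the ratio of energy at the channel tones to energy in a speech-band bin.

```python
import math
import random

SAMPLE_RATE = 44100            # assumed sound-card sample rate (Hz)
F_ZERO, F_ONE = 18000, 19000   # assumed tones for bit 0 / bit 1 (Hz), above most adults' hearing
BAUD = 100                     # assumed symbol rate (bits per second)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 441 samples = exactly 180 / 190 whole cycles per symbol
PREAMBLE = 0xA5                # assumed sync byte so the receiver can reject non-channel audio


def modulate(data):
    """Binary FSK: each bit (MSB first) becomes SAMPLES_PER_BIT samples of one tone.
    Returns PCM samples as floats in [-1, 1]; the preamble byte is prepended."""
    samples = []
    for byte in bytes([PREAMBLE]) + bytes(data):
        for i in range(7, -1, -1):
            freq = F_ONE if (byte >> i) & 1 else F_ZERO
            for n in range(SAMPLES_PER_BIT):
                samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(chunk, freq):
    """Energy of one DFT bin of `chunk` (Goertzel algorithm), far cheaper than a
    full FFT when only two frequencies are of interest."""
    n = len(chunk)
    k = int(0.5 + n * freq / SAMPLE_RATE)            # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in chunk:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Decide each symbol by comparing tone energies, pack bits into bytes and
    strip the preamble. Assumes the capture is aligned to symbol boundaries."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(chunk, F_ONE) > goertzel_power(chunk, F_ZERO) else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    if not out or out[0] != PREAMBLE:
        raise ValueError("no preamble: not a transmission from this channel")
    return bytes(out[1:])


def add_noise(samples, amplitude=0.3, seed=1):
    """Constructed room noise: uniform random samples mixed into the signal."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def ultrasonic_energy_ratio(samples):
    """Defender-side check: energy at the two channel tones divided by energy in a
    1 kHz speech-band bin, summed over whole symbols. Tone-only audio scores very
    high, noise or speech scores near 1; a microphone monitor can alert on it."""
    hi = lo = 0.0
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        hi += goertzel_power(chunk, F_ZERO) + goertzel_power(chunk, F_ONE)
        lo += goertzel_power(chunk, 1000)
    return hi / (lo + 1e-9)


if __name__ == "__main__":
    wire = add_noise(modulate(b"ping"))
    print(demodulate(wire), round(ultrasonic_energy_ratio(wire)))
```

The tone spacing and symbol length are chosen so that each symbol holds a whole number of cycles of either tone, which keeps the two Goertzel bins from leaking into each other; a real receiver would also have to find symbol boundaries by correlating on the preamble, and a real attacker would push the tones as high as the speaker and microphone still pass them. The energy-ratio check is the kind of thing a defender can run on microphone input if this class of channel is a concern.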
Describing BadBIOS as “the Loch Ness Monster of malware”, The Register said that some in the security community had raised a “quizzical eyebrow” but that Ruiu would reveal more after the PacSec event in Tokyo in two weeks’ time. “The security conference in Japan may bring much-needed hard information to light on the Abominable malware. Ruiu has suggested he is holding back on the details until patches for software bugs exploited by BadBIOS are made available,” the site said.
Ruiu, though, in Ars Technica’s long and detailed piece, seems pessimistic. “This is the tip of the warhead,” he says.

Tom Hanks and Donald Trump among 850,000 victims as limo firm hack leaks addresses and AmEx numbers

Tom Hanks and Donald Trump are among a client list of 850,000 users of limousines and town cars to become the latest “trophy” claimed by hackers, after a breach at a nationwide limousine firm – which netted unencrypted details including full credit card details and other “notes” on customers.
Personal details including addresses and no-limit credit card details were stolen and stored on the web, according to security expert Brian Krebs. A break-in at CorporateCarOnline exposed a huge amount of data on customers – including CEOs, politicians and celebrities.
The information was stored in a plain text file, Krebs claims, and contained details including credit card numbers, names and addresses – including some 241,000 high- or no-limit American Express cards. Krebs says that these are among the most highly prized items for sale on the global cybercrime underground. The data was found in the same online “cache” containing information about recent hacks against Adobe and global press release firm PR Newswire.
Sites such as TechDirt pointed out the potential value of such information to gossip sites. Krebs said that the leak has the potential to have the highest “social impact” of any of the breached data related to the recent Adobe hack.
Krebs spoke to CorporateCarOnline’s CEO, who said, “I’d prefer not to talk to anybody about that.”
The data stored on the server, and uncovered by Krebs, includes information from a breach at Adobe, maker of Acrobat and Photoshop, which ESET researcher Stephen Cobb described as “unprecedented” at the time, because attackers also appeared to have accessed source code for Adobe’s Acrobat software.
Source code is a highly useful tool for hackers looking to craft new attacks against users of particular software packages – and Acrobat, used to read PDFs, is used by millions, on almost every computing platform.
Adobe has admitted around 38 million active users may have had IDs and encrypted passwords accessed by unknown attackers in a breach earlier this year. Krebs said, “It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products.” The company now admits that “numerous” products were affected by the breach.
Information from 10,000 accounts for marketing and press release distribution firm PR Newswire was found in the same cache. The firm admitted to a large-scale breach, in which usernames and passwords were stolen – but claims hackers have not sent out “fake” releases, a powerful tool in the wrong hands.

Adobe breach reveals really terrible passwords are still popular – 2 million used “123456″

Adobe’s security breach laid bare 38 million passwords to the world – and a security researcher claims that 1.9 million of these are the simple “123456”.
Half a million craftier customers chose “123456789”, according to a report by The Register, quoting researcher Jeremi Gosney, a self-styled “password security expert” who found the passwords in a dump online.
The entire top 20 is filled with “simplistic” passwords which are a “cause for concern,” according to PC Retail’s report.
The passwords are to be found in several online dumps, Gosney said. Adobe initially said that three million accounts were affected, but has since raised that figure to 38 million, with another 150 million at risk.
Rank  Password     Number of users
 1.   123456           1,911,938
 2.   123456789          446,162
 3.   password           345,834
 4.   adobe123           211,659
 5.   12345678           201,580
 6.   qwerty             130,832
 7.   1234567            124,253
 8.   111111             113,884
 9.   photoshop           83,411
10.   123123              82,694

The Register called the list of passwords “pathetic”, saying that it made their staff, “wonder if criminals should have bothered breaking in to steal them: with 1.9 million users relying on “123456” there’s a better than one in one hundred chance of unlocking an Adobe account with blind luck.”
ESET Senior Research Fellow David Harley says that in cases such as these, even users with “strong” passwords are at risk – and should think carefully about other sites where they may have used the same password: “Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”
A We Live Security guide to what to do in the event of a breach can be found here.
ESET Researcher Stephen Cobb described the breach as “unprecedented” at the time, due to the fact that attackers also appeared to have accessed source code for Adobe’s Acrobat software.
Cobb says, “Access to the source code could be a major asset for cybercriminals looking to target computing platforms such as Windows or mobile operating systems such as Android.”

Five interesting facts about the Morris worm (for its 25th anniversary)

Last Saturday marked 25 years since one of the most important pieces of malicious code in the history of malware: the Morris worm. On November 2nd, 1988 the worm was released by its author and, less than twenty-four hours later, it had caused the greatest damage ever witnessed from a piece of malware up to that point. The worm slowed thousands of systems to a crawl by creating processes and files in temporary folders and trying to spread copies of itself. By the following day (Thursday, November 3rd), it had the attention of thousands of users who were starting to worry about this unusual behaviour. Ever since, this worm has been considered the first worm to spread over the Internet and, given that it propagated by exploiting vulnerabilities on VAX and Sun Microsystems systems as well as in the UNIX mail delivery software sendmail, the first multi-platform malware.
The worm infected systems through two propagation vectors: TCP connections (1) or SMTP connections (2), as can be seen in the following code pieces, explained in the paper about the threat by Professor Eugene H. Spafford of Purdue University:

This malicious code marked the history of malware, and at the same time several curiosities emerge from its analysis which clearly illustrate the moment at which the worm propagated and how the Internet and malware have changed in these 25 years. That is why we have compiled these five interesting facts about the Morris worm:
  1. Extent of the Infection – the Morris worm infected about 10% of the computers connected to the Internet, the only malware case in history to reach that magnitude (at least, the only verified one). It is worth mentioning that the numbers at that time were much lower, since the ARPANET network connected around 60,000 computers and 6,000 became infected by the malware. The compromised computers belonged to NASA, the universities of Berkeley and Stanford, MIT and the Pentagon, among many others, and stayed infected for almost 72 hours.
  2. The Heritage – the worm writer, Robert Tappan Morris, Jr., is the son of Robert Morris, Sr., a famous cryptographer and computer professional who, in the 1960s and ’70s, while working for Bell Labs, made significant contributions to UNIX, such as the bc programming language, the crypt program and the encryption scheme used for passwords in that operating system. Robert Morris, Sr. was also one of the creators of Darwin, the 1961 Bell Labs programming game that inspired Core War, in which programs written in a simple assembly language fight to overwrite each other in memory; it is considered one of the predecessors of computer viruses. A chip off the old block…
  3. The Force of the Law – on January 22nd, 1990, Robert Tappan Morris was tried on a charge of fraud and deception and convicted by the federal court in Syracuse, New York. He was sentenced to three years of probation, a fine of $10,000 and 400 hours of community service. It was the first conviction under the 1986 Computer Fraud and Abuse Act, and Morris was the first malware writer in history to be convicted.
  4. The Size of the Internet – the report produced by the GAO (U.S. General Accounting Office) described the Internet as “the main computer network used by the U.S. research community” and opened by stating that the Internet was “a multi-network system connecting more than 60 thousand computers nationwide and overseas”. The report also mentioned that “no one organization is responsible for Internet-wide management” and that there were plans for the “Internet to evolve into a faster, more accessible, larger capacity network system.” Apparently that goal has been achieved: according to the Internet World Stats website, the Internet now has more than 2.4 billion users.
  5. Regarding Operating Systems – the same GAO report indicated that “UNIX is the most commonly used operating system on the Internet. [It is] estimated that about three-quarters of the computers attached to the Internet use some version of UNIX”.
For technology geeks and programmers, the worm’s source code, written in C, is available for study. It is worth mentioning that its writer included several comments that make the routines even clearer. This is how we start the week: by remembering that on a day like last Saturday, 25 years ago, the history of the Internet, malware and computer security began to change.

FBI adds five new targets to its Cyber’s Most Wanted list – with bounties up to $100,000

The FBI added five new cybercriminals to its Cyber’s Most Wanted list – including a new entry at number one, Alexsey Belan.
A reward of $100,000 is offered for any information on Belan, a Latvian with a Russian passport, who is alleged to have hacked major e-commerce companies in the U.S. in 2012 and 2013.
“The FBI will not stand by and watch our cyber adversaries attack our networks; we will track down and arrest individuals who have made it their mission to spy on and steal from our nation and citizens,” said Richard McFeely, executive assistant director of the FBI’s Cyber branch.
“Because cyber crime knows no boundaries, cyber criminals think they can hide overseas. But we are using our international partnerships and the publicity generated by our Cyber’s Most Wanted to ferret them out.”
Mashable commented that, “The gangsters of Cyber’s Most Wanted are more diverse than those that mixed with former Most Wanted mainstay James ‘Whitey’ Bulger, Irish godfather of Boston. The list, along with rewards for turning in the hustlers, offers a window into the global evolution of cybercrime.”
The five new additions bring the total on the list to ten, according to The Guardian’s report, and encompass crimes as diverse as hacking and fraud, and are responsible for, “hundreds of thousands of victims and tens of millions of dollars in losses,” the Guardian said.
Russia Today, however, merely commented that “Russian hackers top FBI’s most wanted,” quoting research from Group-IB showing that Russian cybercrime is now worth $4.5 billion.
The current top five are below – the FBI’s full list is here.
1. Alexsey Belan
Reward: $100,000
Age: 26
Nationality: Latvian/Russian
Alexsey Alekseyevich Belan is wanted for his alleged involvement in the unauthorized taking of data from three U.S.-based companies in 2012 and 2013. Belan is also alleged to have knowingly possessed and used, without lawful authority, means of identification belonging to employees of the companies.
2. Peteris Sahurovs
Reward: $50,000
Age: 25
Nationality: Latvian
Peteris Sahurovs is wanted for his alleged involvement in an international cybercrime scheme that took place from February of 2010 to September of 2010. The scheme utilized a computer virus that involved the online sale of fraudulent computer security programs that defrauded Internet users of more than $2 million.
3. Artem Semenov
Reward: $50,000
Age: Unknown
Nationality: Russian
Artem Semenov is wanted for his alleged participation in an Eastern European cyber crime ring, operating out of New York, which is known for recruiting money mules to open bank accounts, cashing out money received through unauthorized money transfers, and then transferring the money overseas.
4. Shaileshkumar P. Jain
Reward: $20,000
Age: 43
Nationality: Indian
Shaileshkumar P. Jain is wanted for his alleged involvement in an international cybercrime scheme that caused internet users in more than 60 countries to purchase more than one million bogus software products, resulting in consumer loss of more than $100 million. It is alleged that from December 2006 to October 2008, through fake advertisements placed on legitimate companies’ websites, Jain and his accomplices deceived internet users into believing that their computers were infected with “malware” or had other critical errors in order to encourage them to purchase “scareware” software products that had limited or no ability to remedy the purported defects.
5. Bjorn P. Sundin
Reward: $20,000
Age: 35
Nationality: Swedish
Alleged co-conspirator of Shaileshkumar P. Jain (above).

Microsoft releases workaround fix for Office, Lync and Windows Server exploit

Microsoft Trustworthy Computing (TwC) has released a workaround fix for a vulnerability in older versions of its Office, Lync and Windows Server software.
TwC group manager of response communications, Dustin Childs announced the workaround fix in a blog post. "We are aware of targeted attacks, largely in the Middle East and South Asia," he noted.
"While we are actively working to develop a security update to address this issue, we encourage our customers concerned with the risk associated with this vulnerability, to [...] apply the Microsoft Fix it solution, disable the TIFF Codec that prevents exploitation of the issue [and] deploy the Enhanced Mitigation Experience Toolkit (EMET)."
Childs confirmed the attacks target the flaw using a phishing message. The Microsoft manager moved to downplay the attacks' significance, saying that customers using the latest versions of Windows and Office are safe.
"The current versions of Microsoft Windows and Office are not affected by this issue. The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment," he explained.
"If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user."
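Because the delivery path Childs describes is an Office attachment carrying a malformed image, a mail gateway can stop most of this traffic before the endpoint's codec ever sees it. The following is an added example, not Microsoft's Fix it and not code from the advisory: it opens an Office Open XML attachment (docx/xlsx/pptx are zip containers) and flags any member that begins with a TIFF header, judged by magic bytes rather than by the extension the attacker chose. The gateway, the quarantine policy and the sample documents are all constructed for illustration; the two TIFF signatures ("II" + 42 little-endian, "MM" + 42 big-endian) are the real ones.

```python
import io
import zipfile

# TIFF files start with a byte-order mark followed by the magic number 42:
# "II" + 0x002A little-endian, or "MM" + 0x002A big-endian.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def tiff_parts(doc_bytes):
    """Return the names of container members whose first bytes are a TIFF header,
    regardless of the extension the part was given."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        # Not an Office Open XML container. A legacy binary .doc would need an
        # OLE2 parser instead, which this example does not attempt.
        return []
    found = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if head in TIFF_MAGICS:
                found.append(info.filename)
    return found


def should_quarantine(doc_bytes):
    """Hypothetical gateway policy: hold any attachment with an embedded TIFF
    until the codec is disabled or patched on recipients' machines."""
    return len(tiff_parts(doc_bytes)) > 0


def build_sample_docx(image_bytes, image_name="word/media/image1.png"):
    """Constructed sample: a minimal docx-shaped zip with one embedded image.
    Real documents also carry relationships and content types; those do not
    matter for a magic-byte check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(image_name, image_bytes)
    return buf.getvalue()


# Constructed payloads: a TIFF header renamed to .png, and a genuine PNG header.
FAKE_PNG_REALLY_TIFF = build_sample_docx(b"II*\x00" + b"\x08\x00\x00\x00" + b"\x00" * 16)
REAL_PNG = build_sample_docx(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for name, doc in (("renamed tiff", FAKE_PNG_REALLY_TIFF), ("real png", REAL_PNG)):
        print(name, tiff_parts(doc), "quarantine" if should_quarantine(doc) else "deliver")
```

This is a layer in front of the endpoint workaround, not a replacement for it: disabling the codec or deploying EMET protects the machine whatever the delivery path, while the gateway check cuts off the common one. Expect false positives from legitimate documents containing scanned TIFF images, which is why the policy is a hold rather than a silent drop.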
It is currently unclear when the full patch for the flaw will be released and Microsoft declined V3's request for further details. The lack of information means the update will presumably arrive as a part of Microsoft's monthly Patch Tuesday later this month.
Vice president and general manager at Barracuda Networks, Wieland Alge, cited the new targeted attack campaign as further evidence businesses of all sizes need to be more proactive about upgrading their systems.
"The ongoing action item for organisations of all sizes, however, is to enforce deeper defence and establish more resilient architectures. The technology and products are there and this time, the small and medium businesses cannot wait longer than the large ones to implement them," he said.
Businesses' sluggish approach to upgrading their systems has been an ongoing problem facing the security community. Security professionals have highlighted businesses' ongoing use of the 12-year-old Windows XP as being particularly troubling.
Microsoft will officially end support for its Windows XP operating system on 8 April 2014. This means XP will not receive any further security updates, potentially leaving businesses using it open to a myriad of new cyber threats.

LinkedIn – How to exploit social media for targeted attacks

The professional social network LinkedIn is a mine of information for any kind of attacker; a Websense post describes a typical attack scenario.

Recently I read an interesting post published on the Websense Security Labs blog on the use of the social network LinkedIn for the reconnaissance phase of an attack. The concept is not new: LinkedIn is a mine of information for OSINT activities, and attackers can use it to acquire a huge quantity of personal information on their targets, which makes the social network ideal for long-term cyber espionage operations.
In the past I coined the concept of social network poisoning to describe the abuse of social network platforms to spy on specific profiles or to modify the sentiment around a topic of interest (e.g. for PSYOPs, or both).
It’s easy to build a network of fake profiles to attract “persons of interest”, to monitor their professional activity and to obtain precious information for further targeted attacks (e.g. partnerships, collaborations and involvement in specific projects).
Let’s imagine that someone decides to attack my profile and notes that among my latest publications there is a work I did for the banking sector evaluating the impact of cybercrime on modern online banking. The ill-intentioned hackers could collect information on the context in which I gave the presentation and on the people who appreciated it or who work in the same area. LinkedIn gives the attacker all the instruments and knowledge needed to try to compromise the targeted profiles.
I would act in this way: after noting that the audio of my presentation was not so good due to line problems, I would send a series of fake emails apparently sent by me (if the hackers are skilled they can also hack my mail account ;-) ) inviting people to download a new version of the presentation with better audio. In this case LinkedIn provides the attackers with info on my activities, on my contacts, on the people who follow me and email addresses for many of them … Do you need anything else?
“Search features within the social network provide an easy way for scammers and legitimate LinkedIn users to zoom in on their target audience.  Whether you are a recruiter looking for potential candidates, a dating scammer looking for “mature gentlemen”, or an advanced attacker looking for high-profile directors within particular industry sectors, LinkedIn users have access to tools to help refine their search.  LinkedIn’s own statistics report that 5.7 billion searches were conducted on the social network in 2012.”
Another curiosity is that an attacker could take advantage of a subscription to LinkedIn’s Premium Account service, which provides a set of additional features useful for a targeted attack (e.g. filtering by function, seniority level and company size). Consider also that “premium” scammers can contact any LinkedIn member and search across a greater number of profiles … Very, very cool!
The Websense post highlights are:
  • Evidence indicates a reconnaissance phase is being conducted by the actors.
  • Websense telemetry across the 7 Stage life-cycle, collected over many years, provides valuable insight to connect the dots in such attacks that operate as a precursor to more sophisticated attacks.
  • The targeting method uses existing features of the LinkedIn social network to pin-point LinkedIn users that meet the scammer’s requirements.
  • The LinkedIn profile is actively engaging with legitimate LinkedIn members, and currently has just over 400 connections.
  • The destination website is hosted on the same ASN as sites known to host exploit kits and possibly illegal websites.
  • Current payload leads to a dating site.  While social engineering is primarily being used here, this could morph into something more nefarious over time.
The popular social network could also be used to serve malware, by inducing users to visit a compromised website, or to carry out more or less complex scams.
The technique adopted by the malicious actors is quite simple: attackers repeatedly view the victim’s profile. Every LinkedIn user can see the most recent five users who have viewed their profile, so the scammer takes advantage of human curiosity.
Victims often visit the profile of the person who showed interest in them. In the case above, the scammer set up a profile under the guise of “Jessica Reinsch” that links to a dating website geographically located in Switzerland and hosted on IP 82<dot>220<dot>34<dot>47.
Although in this specific case the dating site is used merely as a lure, an alternative would be to use it to serve a malicious exploit.
Websense remarked that at the time of writing no malicious code was deployed on the website, but other domains on that same IP have been known to host suspicious code such as black hat SEO.
“We also see that IPs used to host the dating site are hosted within the same Autonomous System Number (ASN) as multiple Exploit Kit Command and Control URLs, including RedKit and Neutrino exploit kits.”
The profile examined by the security experts at Websense is likely to have been set up to gain connections and harvest intelligence. As I explained in the first part of this post, LinkedIn provides all the information necessary to arrange a targeted attack (e.g. spear phishing, watering hole).
During the RSA Europe security conference in Amsterdam last week, the cyberdefense specialist Aamir Lakhani, a solutions architect at IT services provider World Wide Technology, gave an interesting presentation on the abuse of the LinkedIn network to launch an attack. He described an experiment that showed the effectiveness of using fake profiles on popular social networks like LinkedIn and Facebook; the attack was part of a sanctioned penetration test performed in 2012.
The security experts used profiles pretending to represent an attractive young woman to penetrate the defenses of a U.S. Government agency, as part of an exercise that shows how effective social engineering attacks are even against sophisticated organizations.
The attacker captured the attention of internal personnel via social media, and the real attack started after victims opened a malicious birthday card link that compromised the target systems.
“This guy had access to everything. He had the crown jewels in the system,” Lakhani said. The whole social media deception project involving “Emily Williams” lasted three months, but the penetration testing team reached its goals within one week. “After that we just kept the project going for research purposes to see how far we can go.”
“After we performed this successful attack we got requests from other companies that wanted to try the same thing,” Lakhani said. “So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same.”
“Every time we include social engineering in our penetration tests we have a hundred percent success rate,” Lakhani said. “Every time we do social engineering, we get into the systems.”
The lesson is to be aware of the principal cyber threats related to social media abuse and to limit your media exposure to what is necessary.

Fujitsu CTO sees the lighter side of Internet of Things security concerns

Dr Joseph Reger of Fujitsu brandishes a smart light bulb
MUNICH: Afraid of the dark? Perhaps you should be afraid of the lights. That's the twisted future envisioned by light bulb-wielding Fujitsu chief technology officer Joseph Reger.
Patrolling the floors of the Fujitsu Forum in Germany, Dr Reger explained to onlookers how one of the most innocuous objects in your house could become part of a global attack.
The Internet of Things, perhaps one of the most highly-talked about technologies nobody in the real world actually uses, is expected to take hold within the next decade, and with it will inevitably come cyber threats, as with any new technology. Reger chose to use intelligent light bulbs as an example:
"I'm not concerned about someone hacking into your home and turning off your lights," he said. We at V3 are very concerned about that, for the record. "What I'm talking about is that someone hacking into your home and looking at the usage pattern of your light bulbs and determining whether you're on vacation. And when it might be a good time to break in."
Such concerns have been voiced before with Philips' Hue lightbulb singled out as a cause for concern by security researchers. Reger went further, though, to envision a world of slave lightbulbs run by some sort of domestic super villain.
"If this light bulb is a little bit more intelligent, if they're intelligent enough, you can inject malicious code into the bulb itself if it's not protected properly. What's the problem with that? All of a sudden I have an army of attackers I've just programmed and I can launch a denial of service attack on anybody using billions of soldiers."
We've heard this described before in the form of toaster armies mining the currency Bitcoin, and perhaps the metaphors are getting out of hand. We're sure Reger knows this, and we have to say we enjoyed his demonstration.
The real point here is that we haven't moved on from this novelty, this funny notion of light bulbs stealing your lunch money and laughing at you. In the world of business and industry, machine-to-machine communication is commonplace. That's not to say it isn't serious either - a recent UK government report highlighted the need to ramp up security among connected machines.
So, who to believe? It's very difficult to know exactly how much of a threat these things are, especially because the number of people with intelligent light bulbs in their home is so low that crooks probably couldn't even DDoS your mum's laptop.
Until there's more of this stuff out there, we can't know for sure what possibilities - positive or negative - IoT can offer.

Microsoft offers bug hunters $100,000 for early attack alerts

Microsoft has extended the payment criteria of its bug bounty programme to include early alerts about active cyber attacks on its services.
Senior security strategist at the Microsoft Security Response Center, Katie Moussouris, announced the extension in a blog post, confirming early attack spotters could be eligible for a payment of up to $100,000.
"We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can 'sing along' to earn big bounty payouts than ever before," read the post.
"[This] means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000."
Microsoft's bug bounty programme was originally announced in June but had far stricter payment criteria and would only reward the author of an exploit. This meant it was all but impossible for bug hunters to earn money for their spot if it was already being exploited by the blackhat community.
Moussouris said the new payment system will help Microsoft radically improve its defences, offering an added incentive for the whitehat community to report any attacks they spot.
"We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we'll pay for them even if they are currently being used in targeted attacks if the attack technique is new - because we want them dead or alive," read the post.
The news has been welcomed by the security community. Technical evangelist at WhiteHat Security, Robert Hansen, mirrored Moussouris' sentiment, arguing the move will make it far more difficult for blackhat hackers to target Microsoft products undetected.
"I think it will make a lot of waves amongst the community who has, thus far, paid exclusively on attributable vulnerabilities. It could even somewhat disrupt some of the blackhat markets, by encouraging blackhats to buy or find each other's vulnerabilities and sell them to Microsoft to reduce the competition. I just hope Microsoft is prepared for the onslaught of vulnerability reports they'll be receiving," he said.
Microsoft is one of many companies using bug bounty programmes to help improve the security of its products. In October Google extended its Vulnerability Reward Program to pay bug hunters and security professionals up to $3,133 for security improvements to a number of open source projects.