Wednesday, 12 March 2014

Courier Scams – don’t give away your bank card

Here’s an elaborate scam I’ve seen reported a few times in the UK in the past few months. (Some of these wrinkles would actually work in the US, but Chip and PIN is much less used there, which may account for the lack of exactly corresponding reports there.)  I was actually holding back on blogging about it as I’ve been unable to confirm some of the details, but some fraud along these lines certainly seems to be taking place.
(There are other scams and malware delivery messages that could be described as courier scams – for instance, those where a malicious attachment is passed off as information about a delivery that a courier is unable to deliver – but that’s a whole difference kettle of phish/vish.)
The essence of the scam as it has been reported is this: the scammer calls you posing as the anti-fraud department of your bank (or as a police officer) and tells you that suspicious activity has been detected on your bank card. It’s not that unusual for your bank to ring out of the blue to ask you to verify a transaction, but what (reportedly) happens next is quite different.

It’s not me, it’s you

If your bank (or anyone else ‘official’) does ring you unexpectedly, you should bear in mind that it’s more important for you to be able to verify their identity than vice versa.
After all, they have your telephone number. The reports say that sometimes the scammer pre-empts that thought by suggesting that you ring the number on the back of your bank card to confirm, but that they don’t put the phone down at their end, so that you’re still connected to the number that they called from. (This allows time for transferring legitimate calls between extensions, for instance.)
I guess that the victims don’t insist that the caller puts the phone down, wait for the dial tone, realize that they’re not actually able to call out, or worry about not getting a ringing tone before they hear someone speaking on the ‘new’ number. On the other hand, I can think of at least one technically unsophisticated way round that, so if you’re feeling really paranoid, you could ring a completely unconnected number and see if you get a response from ‘your bank’ or ‘PC 49’ rather than the real holder of that number. In fact, the line shouldn’t remain open indefinitely if only one party hangs up, and in any case the scammer will not to want to tie his phone up longer than he needs to: things to do, other people to scam… It might, however, take several minutes for the line to clear automatically, though I’ve seen estimates for how long it takes ranging from five to 12 minutes. If you’re checking a number someone’s given you like this, it’s worth using a different line (if available) or a mobile phone.
According to a NatWest description of this scam, the scammer may give you a different number. Of course, if someone just says ‘ring the following number’ they could be directing you absolutely anywhere. If they suggest ringing a verifiable number, however, clearly they could be using the same technique for keeping the line open. In this instance of a different scam, all the scammer needs to do is stay on the line to convince the victim that his phone has been temporarily disconnected.

PINs and needles

The scammer may ask you for full details of your account and ask you to enter your PIN.
First of all, the bank doesn’t need full details in order to verify who you are. Any bank worth your custom may well ask for something like the 2nd, 4th and last letters of your ‘special word’, and slightly dubious old favourites like your mother’s maiden name, and even the last four digits of your card number, and all that has some potential value to a scammer, if combined with information gleaned in other ways. But your bank already knows your account details, and doesn’t need info like the card security code (the magic three digits on the back of the card) in this context. The only reason anyone would ask you for all that information is for fraudulent purposes. We’ll get back to that in a minute. 
As for keying in your PIN, there is no legitimate reason why your bank should ask for it. They already have access to that information, and they certainly don’t need it to cancel the card or to activate the new one: the point is that if you do key it in, the scammer can see what it is on his own phone display. (If they were sure your card had been used illegitimately, they’d almost certainly have cancelled or blocked it before they even talked to you.)
Your account number tells them which bank you’re with, even if you haven’t told them already. Did they tell you which bank they were at the beginning of the call, or did you assume that they were genuine and let slip the information as the call proceeded? Unfortunately, there are quite a few other ways in which they might have already known which company you bank with or whether you have an XYZ credit card. However it’s more common for scam calls to be made more or less randomly, with the scammer relying on getting the information he needs from you and the telephone directory.

Sending the lads round

The next stage, according to the alerts I’ve seen, is that the scammer tells you he will come round or send a courier to collect your ‘compromised’ card. This is a dead giveaway: it would be a very expensive way for a bank to deal with a compromise: they could simply cancel your card without needing any information from you. They might, of course, want you to return it by post. If they send you a new card, they might want you to verify it by phone.
The chances of their coming round personally or sending a courier to take the old card and give you a new one are tiny. That’s a very expensive way of doing business, and frankly, I suspect that most banks don’t care about most of their customers enough to give you such instant service. Actually, I’m surprised that it’s economical for scammers to pay for a courier, but apparently it is. I suppose if he gets to that point, he’s reasonably sure he’s going to get the card. It seems to be carried out exclusively by people who are geographically (fairly) close to the victim: this probably works well for the scammer, since many people are nowadays less likely to believe everything they’re told by someone with a ‘foreign’ accent, due to the prevalence of West African and Indian telephone (and other) scams.

All cut up about it

A variation I’ve seen reported here is that the scammer advises you to cut up the card before you hand it over, but subsequently tapes it back together to use in an ATM. I’m not sure how reliably a sellotaped bank card works in an ATM, (certainly if it’s been cut into several pieces, as it should be if you want to render it unusable) but it could certainly be used to get or confirm information about the card that hadn’t already been captured over the phone and use that information to clone the card or use it over the internet or some other form “Card Not Present” (CNP) fraud.
So here’s a possible reason why they might want all that information about your account even though they’ll get most of it anyway once you hand over the card: it’s really not difficult to take a bank card blank and add all the information that they have given you so that it looks like a genuine replacement card. Of course, it won’t actually work. Even if the scammer is able to clone your card accurately from the information you give him, he certainly doesn’t want you to have access to the account he’s about to plunder.

Variations on a rip-off

An alert from the Metropolitan Police (London’s ‘Met’) reports some variations:
  • The scammer wants you to withdraw lots of money from your bank and take it home as part of a ‘police investigation’, perhaps into a corrupt employee. At some point they will want to take the money off you so as to put it back into the banking system. Which may well be the case, but it will be the scammer’s account that it goes into, not yours, and they certainly won’t have marked the bank notes. Helping a police investigation is the last thing they’re thinking about.
  • Another variation is to ask you to purchase ‘an expensive watch or other expensive items’ and hand that/those over. I’m not sure how that works, but no doubt there is some convincing reason presented by the scammer.

Points to remember

  • Banks don’t usually do home visits.
  • A compromised bank card can simply be cancelled: the bank probably doesn’t need it at all, and certainly won’t treat collecting it as a matter of urgency.
  • Your bank doesn’t need all your account data to authenticate your identity, and won’t ask for your PIN. Banks use different authentication criteria for internet banking, telephone banking, ATM access and counter transactions.
  • The police don’t offer a card replacement service, and they aren’t likely to ask you to help with an undercover operation. They won’t ask for your PIN either.
  • Legitimate, honest couriers and taxi services can be used for dishonest purposes.
  • When you put your phone down, it doesn’t mean the line is immediately cleared. This may be changed at some point because of the ways in which this feature can be misused, but the system does have legitimate advantages: for instance, if the phone is put down on 999 call, it allows the operator to trace the call (for instance, where the caller has disconnected under duress). I can’t say if the same is true with 911 calls.
The scam has been referred to by some resources as a vishing scam, which is fair enough. However, it’s only one type of vishing (Voice over IP or VoIP phishing), not an alternative term. Sometimes a phishing message will include a number to call rather than a web link, and of course that’s no more to be trusted than an unsolicited URL.

Bitcoin bank Flexcoin shuts down after attackers loot $570,000 from “hot wallet”

Bitcoin bank Flexcoin has shut down after it was unable to cover losses from a hacker attack in which 896 bitcoins were lost – valued at $570,000 according to The Guardian’s report.
The attackers were able to steal all the bitcoins stored in the bank’s “hot wallet” – the portion of its funds on computers accessible via the internet – due to a transaction flaw in its code. Much of the bank’s assets was in “cold storage” – ie on devices not accessible via the web, but the bank was unable to cover the losses from the theft.
The closure comes just days after Mt Gox lost a reported $500m in a theft which the exchange claims was due to hackers exploiting flaws in the site code, as reported by We Live Security here. Flexcoin said in a statement, “We have failed the Bitcoin community.”
PC Pro reports that the attack on Flexcoin began with an attacker creating a username for the site, then depositing a number of bitcoins.
Flexcoin said in a statement, “On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet. The attacker made off with 896 BTC. As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.
“Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker.
“The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to “move” coins from one user account to another until the sending account was overdrawn, before balances were updated.This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.”
Another bitcoin exchange, Poloniex, admitted that it had lost 12.3% of its reserves to hackers exploiting a security flaw, according to the Guardian’s report. Poloniex’s owner said in a statement ,“ I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.” The Guardian commented that the recent spate of large-scale thefts highlighted a broader problem with security.
Flexcoin said in a statement, “Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. Having this be the demise of our small company, after the endless hours of work we’ve put in, was never our intent. We’ve failed our customers, our business, and ultimately the Bitcoin community.”
This week, bitcoin exchange Mt Gox  admitted that nearly $500 million in bitcoin had “disappeared” a new statement posted online – as computer code posted on Pastebin appeared to be part of the backend for the exchange, which would tally with CEO Mark Karpele’s claims that the site was hacked, as reported by We Live Security here.
Ars Technica reports that a chunk of PHP code posted to the website Pastebin appears to originate from Mt Gox, and tally with CEO Mark Karpeles’ claims that the site was hacked. “The block of PHP code appears to be part of the backend for MtGox’s Bitcoin exchange site, and it includes references to IP addresses registered to Karpeles’ Web hosting and consulting company, Tibanne,” Ars Technica’s Sean Gallagher writes.
The site’s statement says, “At the start of February 2014, illegal access through the abuse of a bug in the bitcoin system resulted in an increase in incomplete bitcoin transfer transactions and we discovered that there was a possibility that bitcoins had been illicitly moved through the abuse of this bug. We believe that there is a high probability that these bitcoins were stolen as a result of an abuse of this bug and we have asked an expert to look at the possibility of a criminal complaint and undertake proper procedures.”
Wired claimed that many of the company’s troubles could be traced to its CEO, Mark Karpeles, quoting unnamed “insiders” who described Karpeles as more of a computer coder than a CEO. One company insider, speaking to Wired on condition of anonymity, said, “Mark liked the idea of being CEO, but the day-to-day reality bored him.”
The company’s website was taken offline last week, shortly after a statement was published online by digital wallet company Coinbase, denouncing Mt Gox, and endorsed by other leading Bitcoin exchanges, saying, “ As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today.  Mtgox has confirmed its issues in private discussions with other members of the bitcoin community.”
Rumours had circulated that the company faced insolvency after it halted withdrawals earlier this year, according to Bloomberg Businessweek. The company had halted withdrawals after what it described as ‘unusual activity’.

Five ‘new friends’ to avoid like the plague on social networks

Social scams come in all shapes and sizes – but many begin with a simple offer of friendship…  fake friendship.
Befriending the wrong person on Facebook can hand a criminal the tools for an identity theft attack – and on LinkedIn, talking to the wrong ‘recruiter’ can lead to disaster.
Even on Twitter, where users collect followers like stamps, spambots will try every trick in the book to get you to follow back – and hope that you will help spread their malicious message to the world.
Social scams can affect you on anything – whether you’re idly flicking through friend requests on a smartphone, or on a work PC or Mac. The platform doesn’t matter – it’s often the human being sat in front of it that new “friends” are taking aim at, hoping for you to offer up private information freely, or even to enlist your help to spread their attacks.
ESET Senior Research Fellow David Harley warns that no one is ‘immune’, “Identity theft and threats to privacy are no respecters of operating systems. Twitter account hijacking, fake Facebook friends, LinkedIn phishing, Facebook pages offering non-existent freebies as a way of collecting clicks or worse, this is all stuff that’s difficult to automate detection for, whether you’re selling an operating software or third-party security software.”
The Facebook friend who ‘must have unfriended you’
If you receive a Facebook friend request from someone you already befriended on the network, it’s easy to have a wry smile, and think that they must have clicked the ‘unfriend’ button at some point – and have now decided to welcome you back. Be careful. That might be true – but it might be a scammer on an account “cloned” from your friend’s. Cloning accounts by befriending someone, copying their profile, then blocking them and sending requests to all their friends can be a rich source of data for cybercriminals, according to scam site Even cautious site users who have set profiles to share information with Friends Only can then be data-mined by the scammer – or the ‘new friend’ is free to bombard you with malicious links.
The Pinterest followers who let you repin for prizes
Pinterest’s security teams have issued warnings about fake followers on the site – often identifiable by the fact that all their pins are shortened via sites such as, or that they have only one or two pins. Most of these are links designed to take you to surveys (built to harvest information) or fake ‘deals’ where you’re asked to repin the link, spreading it to other users for the chance to win prizes. The site’s Debra Atkins offers a detailed page of warnings about such ‘fakes’, saying, ‘These links are fake pins meant to redirect you to another site – don’t click on them.’
The Twitter followers who appear when you used a rude word
Merely using a word with a double meaning on Twitter can summon hordes of spam-bots – who enthusiastically retweet your potentially rude post, then lurk in your follower list in the hope you’ll follow them back. Sometimes, this can be baffling – for instance, Yahoo News found a tweet about a space exploration vehicle was retweeted hundreds of times, simply because the vehicle was called a “penetrator”. Following any of these ‘new friends’ back can be a recipe for constant, irritating spam and direct messages. If you’ve just said something rude, be careful if your follower count spikes – they’re probably spammers, drawn in by your dirty words.
The attractive recruiter with an easy job just for you
LinkedIn accounts are high-value targets for cybercriminals –  the nature of LinkedIn means people post large amounts of factual information on the site, such as addresses, phone numbers and work email addresses, key tools for ID theft. Bogus LinkedIn invitations have become a key tool for phishers - but even within the site, you can’t trust every invitation, especially when it comes to job offers. Bogus ‘recruiters’ have begun to offer too-good-to-be-true jobs on the site (often offered by profiles who happen to be attractive women) – with the aim either of harvesting personal details, or diverting users to fake sites to harvest passwords and inject malware. Before accepting any friend request on LinkedIn, check the user’s profile – does it look real? Do you share any contacts. If you don’t share even second-degree contracts, there may well be something fishy (or phishy) going on.
The lover who showers you in gifts
On dating sites, scams are pure social engineering – often crafted over years. Criminals are also much cleverer, and more professional, than used to be the case. To fool ‘lovers’ into parting with money, cybercriminals will even offer their victims gifts – before repaying themselves tenfold. Mark Brooks of OnlinePersonalsWatch says, “Scammers will take months to groom a target.  They’ll send gifts, and make users feel beautiful and cared for, and then it them with a test.  A small request to open up their wallets.  Then they’re off to the races.”

Top e-commerce sites still fail to warn users who choose “password”

Two-thirds of top e-commerce sites still accept the weakest passwords, such as “123456” and “password”, without warning users that these are the very first passwords hackers will use in attempts to breach their accounts, according to a survey of 100 leading sites by password manager company Dashlane.
Two-thirds of the British companies surveyed, including Amazon UK, make no attempt to block users after 10 incorrect password entries. This could allow hackers to run malicious software which attempts multiple log-ins in an effort to breach user accounts.
The survey, which focused on 100 e-commerce sites in the UK, found that one-quarter of sites still emailed passwords in plain text, and that 60% of sites still failed to advise users on creating stronger passwords.
“It’s clear that it’s time for companies to implement better password security, which can be done cheaply and quickly using open-source technology,” the company’s Ashley Thurston writes. “On the flip side, consumers can protect themselves by creating strong passwords that are long (more than 8 characters), complex (include a letter, number, a mix of upper and lower case letters, and/or symbols).”
The survey rated companies +1 and -1 for criteria such as requiring alphanumeric passwords, emailing users when a password was changed, and using a password-strength meter to show users when they had chosen a strong password, to arrive at a total score between 100 and -100. Overall, Apple scored highest for good security practice.
The current survey is a companion to Dashlane’s previous surveys of U.S. e-commerce sites, which performed slightly better than UK companies across virtually all categories, as shown in Dashlane’s detailed breakdown here. As The Register notes, the UK results are more encouraging than those from France, where nearly one in two sites send passwords and account confirmations via email in plain text.
Veteran security writer Graham Cluley details some of the difficulties in persuading users to practise good password hygiene – and some solutions, in a We Live Security blog post here.

Fridge attacks “raise big questions” says Microsoft security chief

The emerging ‘internet of things’ raises big security questions, and vulnerabilities in connected devices such as ‘smart’ fridges may force companies to work together in a way never previously seen, according to Microsoft’s Director of Cybersecurity Policy EMEA, Jan Neutze, speaking at CeBIT in Germany this year.
In a wide-ranging keynote speech, reported by V3 Neutze asked, “What happens when somebody attacks your refrigerator? Who’s going to patch your fridge?”
“Is it the energy company that runs your smartgrid, is it the software company, is it the manufacturer of the device? We’re going to have to look at new models of collaboration that have never existed before.”
Neutze said that the sheer amount of data generated by connected devices may pose its own problems, “With autonomous systems comes the question: all this data that’s generated, who owns this data and how is that data controlled? Many of those questions aren’t fully resolved,” he said.
Also at CeBIT, British Prime Minister David Cameron earmarked £45m ($74.8m) for research into the ‘internet of things’, as reported by The Inquirer.
The ‘internet of things’ hit headlines recently after Belkin’s Popular WeMo smart home system was found to have security flaws which could allow attackers to switch off lights in homes remotely, deactivate motion sensors, and even start fires, as reported by We Live Security here.
Veteran security researcher and writer Graham Cluley said this week that producers of ‘connected’ devices need to ensure that security is a major consideration in their design processes. “To produce such devices without paying proper attention to security could backfire when users realize they are leaking personal information,” Cluley said, as reported by Computer Weekly.
Earlier this year, networking giant Cisco has launched a “grand challenge” to invent a security solution for the “internet of things”, as reported by We Live Security here.
Chris Young, senior VP of security at Cisco, said in a blog post, ““We’re connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. … It is, unfortunately, too easy to imagine how these world-changing developments could go terribly wrong when attacked or corrupted by bad actors.”
ZDNet comments that for many businesses, connecting devices is desirable as a way to build up large amounts of data, but that, thus far, security has been weak, saying, “If a cyberattacker is able to break in to one such system, they potentially can harm thousands of people with little effort,” citing the example of connected door locks as a potential risk.”
At this year’s Consumer Electronics Show (CES) in Las Vegas, ‘smart homes’ were clearly a big trend on the show floor – and much debate was ignited about their security.
The normally sober BBC warned, “In the future, it might not just be your smartphone that leaks personal and private data, it might be your smart fridge too.”
But ESET Senior Research Fellow David Harley said in a commentary post at the time, “It may be a little early to worry too much about what your fridge or your medicine cupboard is able to reveal to a hacker about your eating habits and the state of your health,” Harley says.
“After all, there are all too many more direct ways for retailers, insurance companies, and pharmaceutical companies to get that sort of information. (And those are issues more people should be worried about.)”

Microsoft releases fix for critical Windows XP flaw ahead of April cut-off

Microsoft Windows XP screen
Microsoft has plugged a critical vulnerability in its Windows XP operating system in its latest patch Tuesday update, just weeks before it is due to end support for the decade-old platform.
The Windows XP patch related to a critical vulnerability in the operating system's DirectShow service that could theoretically have been used by hackers to remotely execute code. Microsoft downplayed the significance of the vulnerability, confirming that it had been disclosed to the firm privately and only affects Windows XP.
However, the flaw is troubling as Microsoft is due to officially cease support for Windows XP on 8 April. The cut-off has led to concerns within the security community. Experts from EY, FireEye and Trend Micro said they believe hackers are preparing XP exploits for use after Microsoft officially cuts support which could pose seriously problems for firms still running XP.
Microsoft also released a permanent fix for a critical flaw in Internet Explorer (IE). FireEye discovered the flaw on 14 February and it is known to have been used by criminals to mount a sophisticated hacking campaign, codenamed Operation SnowMan.
Microsoft Trustworthy Computing (TwC) group manager of response communications Dustin Childs listed the fix as critical and called for IT managers to install it as soon as possible. "Our top deployment priority this month is MS14-012, which address 18 issues in Internet Explorer," he said.
"This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10."
The March Patch Tuesday also included a fix for a previously undisclosed vulnerability in Microsoft Silverlight.
"MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn't publicly known and it isn't under active attack, however it can impact your security in ways that aren't always obvious," said Childs.
"Specifically, the update removes an avenue attackers could use to bypass ASLR [address space layout randomisation] protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable."
The update also features patches for flaws in Microsoft's Windows Kernel-Mode Driver and Security Account Manager Remote (SAMR) Protocol. Both vulnerabilities are ranked as important.
The Kernel-Mode Driver flaw could be used to bypass some Microsoft security services while the SAMR flaw could be used by hackers to escalate their privileges on victims' systems.

European MPs back draft data protection laws but plans could end up on the scrapheap

Data protection artwork
New data protection laws moved a step closer on Wednesday after European MPs gave their backing to proposed legislation, although the content of the legislation is still open to debate and could still collapse.
Currently, the draft legislation contains several notable proposals including the ‘right to be forgotten’, the ability for citizens to request that companies remove any data gathered on them from their systems, and a single data protection body.
The European Parliament voted overwhelmingly in favour of the proposed draft directive with 621 votes in favour, 10 against and 22 abstentions.
Justice minister Viviane Reding, who has spearheaded calls for new data privacy legislation, said the vote proved MEPs had listened to citizens' demands for better data laws.
“Europe's Parliamentarians have listened to European citizens and businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens," she said.
Reding said the importance of good data laws that prioritised the privacy of individuals were needed now more than ever in light of the spying revelations that have emerged from the US.
"Strong data protection rules must be Europe's trademark. Following the US data spying scandals, data protection is more than ever a competitive advantage.”
But while Reding was upbeat about the vote there is still much negotiation ahead, and the final text of the law is far from certain. Some said it was not guaranteed that the new laws would survive after the next round of MEP votes.
Stewart Room, partner at law firm Field Fisher Waterhouse, told V3 the vote was "way too late in the day" to push the laws through in their current guise as the make-up of the Parliament is likely to change, with elections in May.
"The reform process is in a real mess and the European Parliament must take its share of the blame for dragging its heels. This vote could have happened a year ago. If it had, it would have applied immense pressure on the Council of Ministers," he said.
"Instead, EU member states who dislike the regulation – and there are more than the UK – will feel absolutely no pressure whatsoever, because they know that many of the MEPs who have just voted are going to be booted out in May by an increasingly Eurosceptic electorate."
As such, while Reding may have claimed the new laws were now "irreversible" Room claimed that such guarantees were not possible. "At the moment the regulation is a dead duck, or perhaps a zombie duck," he said.
Bridget Treacy, head of the UK Privacy and Cybersecurity practice at law firm Hunton & Williams, added that while the draft legislation has been voted through, that is no guarantee it will survive in its current form when debated by the Parliament and the European Council.
“Those negotiations will be crucial; it is abundantly clear that the Council does not agree with the Parliament on a number of important topics including the ‘one-stop shop’ mechanism and the level of fines for businesses,” she said.
“The Council is pushing for an approach that is risk based, rather than focusing on prescriptive details. All of this raises the question of what will be agreed and how quickly – all parties will need to make concessions for this initiative to proceed.”
Meanwhile Digital Europe, a lobbying group for numerous technology firms, said the proposed law remains “over-prescriptive” and will hamper businesses' ability to innovate.
John Higgins, director general of Digital Europe, said: “Lawmakers need to strike the right balance between protecting citizens’ privacy, while at the same time allowing further innovations in the way data is used.
“The text adopted in Parliament today fails to strike that balance. We urge national governments to continue their efforts to find the right balance. This law is too important to rush through,” he added.

Data breach at Seattle Archdiocese affects 90k employees and volunteers

Hackers breached the database of Seattle Archdiocese and compromised the data belong to thousands of employees and volunteers.

Church conducts a background check for employees and volunteers where they are asked to give their Social Security numbers, which will be stored in a database.

According to reports, this database has been compromised by attackers which reportedly affects more than 90,000 employees and volunteers.

The Archdiocese has reported the data breach to the FBI and IRS.  A cyber forensic team is trying to determine the source of the breach.

Those who think they might have been affected are advised to contact the IRS identity protection specialized unit.

NSA Has Been Hijacking the Botnets of Other Hackers

NSA slide via The Intercept
NSA slide via The Intercept
The NSA doesn’t just hack foreign computers. It also piggybacks on the work of professional for-profit hackers, taking over entire networks of already-hacked machines and using them for their own purposes.
That’s one of the surprising details to emerge from the latest Edward Snowden leaks.
The big disclosure in today’s story from The Intercept is that the NSA, by July 2010, had built a system called TURBINE designed to scale up its sophisticated computer-hacking operations. The NSA has infected between 85,000 and 100,000 machines with “implants,” according to previous Snowden stories. With TURBINE as its new command-and-control platform, the NSA can potentially boost that to handle “millions of implants” at once.
TURBINE accomplishes that “by creating a system that does automated control implants by groups instead of individually.”
That’s exactly the solution the computer underground came up with over 10 years ago, when hackers faced an embarrassment of riches in the form of massive numbers of vulnerable Windows machines. Infecting thousands of machines was easy; controlling them in a coherent way wasn’t.
So black hat developers invented the “bot” – a type of malware that would silently join an IRC chat room controlled by the hacker. From there, the hacker could issue mass commands to all the hacked computers at once, or direct commands to a subset of them.
Large modern botnets can contain 2 million hacked machines, and are used for click fraud, denial of service attacks, password theft, bitcoin mining and other things.
It makes sense for the NSA to seize on a similar solution. What’s interesting is that the NSA isn’t just building its own botnet. Since August 2007 it’s had a program called QUANTUMBOT dedicated to taking over the command-and-control systems of existing, but idle, bots. One top secret slide describes the program as “highly successful” with “over 140,000 bots co-opted.”
It’s not clear what the NSA wants with 140,000 randomly infected machines. Hackers fight for control of each other’s botnets all the time – a good botnet can be rented out in the underground for cash money. But the NSA has plenty of money. Computer security researcher Nicholas Weaver theorizes the agency could use bot software as a “deniable implant” – if you find your computer slaved to a known hacker botnet, you’re not likely to suspect the most sophisticated intelligence agency in the world is behind it. At least, not until now.

We've found a file spying backdoor in Samsung phones – Replicant devs

The developers of Replicant, a pure free-software version of Android, claim to have discovered a security flaw in certain Samsung Galaxy phones and tablets – one so serious that it could potentially grant an attacker remote access to the device's file system.
Among the devices said to be vulnerable are the Nexus S, Galaxy S, Galaxy S 2, Galaxy Note, Galaxy Nexus, Galaxy Tab 2, Galaxy SIII, and Galaxy Note 2 – and there may be others.
The flaw lies in the software that enables communication between the Android OS and the device's radio modem, according to the Replicant project's Paul Kocialkowski.
"This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write and delete files on the phone's storage," Kocialkowski wrote in a guest post to a Free Software Foundation blog. "On several phone models, this program runs with sufficient rights to access and modify the user's personal data."
Like most smartphone vendors, Samsung ships its mobes with a preinstalled version of Android that's a mix of open source and proprietary software. Generally speaking, any code that directly interfaces with the hardware is proprietary – and that includes the modem.
In the case of Galaxy devices, Android's Radio Interface Layer (RIL) communicates with the modem using a Samsung-specific protocol. According to the Replicant website, that protocol includes support for a complete set of commands for performing read/write operations on the phone's internal file system.
That's troubling, Kocialkowski says, because the modem is powered by a separate microprocessor from the CPU that runs the rest of the phone's functions. And because this processor runs a proprietary operating system – like virtually all phone modems do – it's not readily apparent what it's capable of doing.
If the modem can be controlled remotely over the cell network – which Kocialkowski believes is not just possible but likely – then it can potentially be made to issue file system commands that leak, overwrite, corrupt, or otherwise compromise the handset's data.
"It is possible to build a device that isolates the modem from the rest of the phone, so it can't mess with the main processor or access other components such as the camera or the GPS," Kocialkowski says. "Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new."
The solution, Kocialkowski says, is to replace the device's stock Android firmware with a purely free-software OS, such as Replicant. In the course of building a version of Android that can run on existing phones without relying on any proprietary components, the Replicant project has had to write its own free replacement for Samsung's proprietary RIL.
"Our free replacement for that non-free program does not implement this back-door," Kocialkowski wrote. "If the modem asks to read or write files, Replicant does not cooperate with it."
He cautioned, however, that if the modem can potentially take full control of the device's main application processor, further remote exploits may still be possible, including ones that even an OS replacement like Replicant can't block.
Samsung did not immediately respond to The Reg's request for comment on the matter.

WhatsApp chats not as secret as you think

Mark Zuckerberg's $US19-billion darling, WhatsApp, isn't as secure as we thought: a Dutch researcher has found that chats can be accessed and read by other apps.
Bas Bosschert has described a process by which the chat database can be read even if it's encrypted. His proof-of-concept, here, runs through the process.
Here's the short version: Bosschert first created a php Web server to run on the target device, then with a bit more code work, he uploaded the WhatsApp message files to his own app – msgstore.db and wa.db for older versions, msgstore.db.crypt for newer versions.
If an attacker was to “combine it with something like FlappyBird and a description how to install applications from unknown sources,” he writes, “you can harvest a lot of databases”.
Code snippet WhatsApp vulnBas Bosschert has worked out how to read WhatsApp stored chats
For unencrypted stores, the work's already done. For newer versions of WhatsApp, he writes, decryption is already available from the WhatsApp Xtract backup tool.
For Bosschert's attack to work, all that's required is that the user grants sufficient permissions to the malicious app. As he writes: “ since [the] majority of the people allows everything on their Android device, this is not much of a problem.

DDoS attack is launched from 162,000 WordPress sites

With some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site, security researchers said Monday.
Security firm Sucuri said hackers leveraged a well-known flaw in WordPress that allows an attack to be amplified by harnessing unsuspecting Web sites. It's unclear which site was the victim of the cyberattack, but Sucuri said it was a "popular WordPress site" that went down for many hours.

"It was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server," Sucuri chief technology officer Daniel Cid said in a blog post. "All queries had a random value (like "?4137049=643182?) that bypassed their cache and force a full page reload every single time. It was killing their server pretty quickly." While hundreds of requests per second don't seem that big when looking at other recent DDoS attacks -- like the ones against Namecheap and a CloudFlare customer last month that reached volumes from 100 gigabits per second to 400 gigabits per second -- Cid said this attack is still remarkable since it could have originated from just one person.
"Can you see how powerful it can be?" he wrote. "One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows."

NSA system designed to attack 'millions' of computers -- report

One NSA "implant," once installed could bypass encryption by making a secret copy of calls made over Skype or other voice-over-Internet Protocol communications, according to a document leaked by Edward Snowden.
One NSA "implant," once installed could bypass encryption by making a secret copy of calls made over Skype or other voice-over-Internet Protocol communications, according to a document leaked by Edward Snowden.
(Credit: The Intercept)
Through an operation called Turbine, the NSA crafted an automated system designed to hack "millions" of computers, new documents from Edward Snowden's leaks on government surveillance reveal.
According to documents published by The Intercept on Wedesday, Turbine created "implants" that let it gain access to peoples' computers. Getting the implants onto machines involved an array of deceptions: fake Facebook Web pages, spam emails with malicious links, and man-in-the-middle attacks that would "shoot" bogus data at a target's computer when the NSA detected it was visiting a Web site the NSA could spoof.
Once the National Security Agency implants were installed, they could be used to gain access to data before it was encrypted. As the article describes some of the work:
An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer's microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer's webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

Though the system was designed to work at large scale, through automated attack mechanisms that don't require human intervention, it's not clear exactly how broadly it actually was used. However, it appears the NSA was interested in more people than just the direct targets.
Attacking system administrators at foreign telecommunications and Internet service providers apparently was one broader group, for example. "Sys admins are a means to an end," according to one document, since they make it easier to target a "government official that happens to be using the network some admin takes care of."
In a statement to The Intercept, the NSA didn't comment on specifics but said, "As the president made clear on 17 January, signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes."

MUM's WordPress recipe blog USED AS ZOMBIE in DDoS attacks

Tens of thousands of vulnerable WordPress sites have been co-opted into a server-based botnet being used to run DDoS attacks.
More than 160,000 legitimate WordPress sites were abused to run a large HTTP-based (layer 7) distributed flood attack against a target, which called in cloud security firm Sucuri for help.
Security experts discovered that the attack traffic was coming from WordPress sites with pingbacks enabled on blog posts, which is on by default. Pingbacks allow automatic backlinks to be created when other websites link to a page on a WordPress blog.
The problem can be fixed by installing a simple plugin, as explained by Sucuri CTO and OSSEC Founder Daniel Cid in a blog post.
"Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites," Cid explains. "Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused."
Sean Power, security operations manager for DOSarrest, a DDoS mitigation technology services firm, said the attack relied on exploiting vulnerabilities in old versions of WordPress. This type of issue has been known about since 2007 and the specific problem abused in the latest run of attacks was fixed more than a year ago in a WordPress core release in January 2013.
"Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks," Power explained. "The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners.
"This is a prime example of how users aren't regularly performing updates to their websites, because if they were, we wouldn't still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw,” Power added.
WordPress is an open source blogging platform and content management system (CMS) that's used by millions of websites across the interwebs.

NSA is stopped from deleting pertinent phone records

A CALIFORNIA US District Court has ruled that the US National Security Agency (NSA) must not delete data that it might have gathered illegally, as it might be used in lawsuits.
The court has already ruled that the NSA is not allowed to delete any related information for the foreseeable future because it could be used as evidence in legal cases. Now it has underlined this ruling with a restraining order.
"It is undisputed that the Court would be unable to afford effective relief once the records are destroyed, and therefore the harm to Plaintiffs would be irreparable. A temporary restraining order is necessary and appropriate in order to allow the Court to decide whether the evidence should be preserved with the benefit of full briefing and participation by all parties," the court said in a statement.
"Defendants, their officers, agents, servants.employees, and attorneys, and all those in active concert or participation with them are prohibited, enjoined, and restrained from destroying any potential evidence relevant to the claims at issue in this action, including but not limited to prohibiting the destruction of any telephone metadata or 'call detail' records, pending further order of the Court."
On Friday the US Foreign Intelligence Surveillance Act (FISA) court ruled that the US Department of Justice (DoJ) is not allowed to keep similar data indefinitely, despite its protests. According to a report at The Verge the judge was sure of his decision and quickly denied the DoJ appeal.
Judge Reggie Walton said that letting data be stored longer than five years "would further infringe on the privacy interests of United States persons whose telephone records were acquired in vast numbers and retained by the government".
"The government seeks to retain these records, not for national security reasons, but because some of them may be relevant in civil litigation in which the destruction of those very same records is being requested," he added.
The ACLU was not particularly moved by the attempt to get a stay on deletion when it first came up, and suggested that the issue was just wasting time.
"This is just a distraction," said ACLU legal director Jameel Jaffer. "We don't have any objection to the government deleting these records. While they're at it, they should delete the whole database."