Saturday, 4 October 2014

CBS Investigates Closed Captioning Hacking Incident

CBS Captioning Statement
The closed captioning that we receive from CBS in New York for tonight's episode of Blue Bloods was hacked and unfortunately contained profanity and other statements that do not represent those of News 9 or CBS. We sincerely apologize for this and the lack of captioning for our hearing impaired viewers.
CBS is currently investigating and will implement steps to ensure that this does not happen again.

Phone hacking: News of the World’s Ian Edmondson pleads guilty

The News of the World’s Ian Edmondson has admitted he was involved in phone hacking. Photograph: Ray Tang/Rex Features
A former News of the World news executive has admitted he was involved in phone hacking, 16 months after pleading not guilty to the crime in the Old Bailey.
Ian Edmondson’s about-turn marks the final chapter in the phone-hacking trial that ended in June with the conviction of Andy Coulson and the acquittal of Rebekah Brooks, both former News of the World editors.
Edmondson, 45, spoke only to confirm his name and to say “guilty” when asked to formally enter his plea.
He was charged with conspiring to hack phones between 3 October 2000 and 9 August 2006 together with the paper’s former editor Andy Coulson and with hacker Glen Mulcaire, the paper’s former royal editor Clive Goodman, its former newsdesk executives Greg Miskiw, Neville Thurlbeck and James Weatherup, the paper’s former feature writer Dan Evans, and other persons known and unknown.
Edmondson was one of the original eight defendants at the Old Bailey trial but, for health reasons, was deemed “unfit” to continue on the 29th day of proceedings. He was deemed fit to stand trial in July.
Before he was released from trial, the jury heard how he was one of four news editors for whom convicted hacker Mulcaire worked.
Edmondson, who is now facing the possibility of jail, was bailed and will be sentenced at a date in November.
Edmondson’s barrister Sallie Bennet-Jenkins QC told the court that Mulcaire had frequently “bragged” about hacking and Edmondson was aware that this was one of the tools of his trade when tasking him.
She added, however, that Edmondson had been acting “under direct instructions by senior executives to use Mulcaire”.
Mark Bryant Heron QC, for the prosecution, told the court that Edmondson was not the most prolific tasker of Mulcaire during the six-year phone hacking conspiracy at the paper.
At one stage he even wanted to sack him, telling his bosses that the £2,019 a week for “special investigations” being paid to Mulcaire’s Nine Consultancy “had to stop”.
But, said the prosecutor, once Mulcaire’s previous handler Miskiw – also a former news editor – left the paper, Edmondson became a “frequent” tasker of the private investigator.
Between July 2005 and August 2006 records showed there were 800 calls and texts, or 90 a month, Bryant Heron said.
The court also heard for the first time of a tape recording of a conversation between Edmondson and a News of the World colleague. The tape was undated but from its contents it was evident the conversation took place following the arrest of the royal editor Clive Goodman in 2006 on suspicion of phone hacking.
The colleague said: “But you know what the vital difference is you haven’t done anything yourself or from your number. That is not what Clive’s caught on, he’s fucking done it himself ...”
Edmondson replied: “Yeah – I’ve done it myself ...”
The prosecution said that Edmondson’s name was on 334 of the 8,000 notes seized from Mulcaire’s premises linking him to the hacking of celebrities, politicians and sportspeople.
In addition to Lord Prescott, former culture secretary Tessa Jowell, and Lord Freddie Windsor, targets linked to Edmondson’s instructions to Mulcaire included Sienna Miller, her friend Archie Keswick and her former boyfriend Jude Law, and George Best’s son Callum Best, the court heard.
He also employed Mulcaire to investigate Sir Paul McCartney and Heather Mills in May 2006.
The NoW published nine articles about the couple over one month, said Bryant Heron. “Ian Edmondson wished, unsurprisingly, to get information on the marital break-up. He employed Mulcaire to do so.”
He told the court: “There was an aggressive newsgathering culture. The end justified the means to get results, to get the story, in an extremely competitive market.”
Edmondson worked for the paper in the 1990s, and then rejoined the tabloid’s news desk in 2004, becoming news editor in 2005, a position he held until he was suspended in December 2010 and subsequently dismissed for gross misconduct in January 2011.
He was in charge when Mulcaire and the paper’s royal editor Clive Goodman were arrested in August 2006 on suspicion of hacking.
His suspension four years later came after three emails implicating him in Mulcaire’s hacking came to light. These suggested that hacking was not confined to Goodman, who the company had claimed was operating as a single “rogue reporter” and led to the launch of Operation Weeting, Scotland Yard’s phone-hacking investigation in January 2011.
They contained the mobile and pin numbers for Joan Hammell, a special adviser to Lord Prescott, former culture secretary Tessa Jowell and royal Freddie Windsor.
The jury heard that during Edmondson’s reign on the news desk the paper was also hacking rival journalists on the Mail on Sunday in an attempt to discover what they knew about Prescott’s affair with his diary secretary Tracey Temple in a “dog-eat-dog” fight for stories.
After the paper hacked Temple and her ex-husband and got nowhere, the prosecution said that Edmondson then got hold of Hammell’s number and passed it to Mulcaire. Mulcaire went on to get her pin and listened to 45 messages. He then emailed Edmondson telling him: “This is how you can hack the phone so that you too can hear them”, according to emails disclosed during the trial.
“In the dog-eat-dog world of journalism, in this frenzy to get the huge story and to try to get something other than everybody else, that is what you do, we suggest, if you are Ian Edmondson – you hack the competition,” prosecutor Andrew Edis QC told jurors in his opening speech.
One defendant had claimed that hacking was so widespread that Edmondson was even accessing Coulson’s voicemail to find out which stories he favoured.
When Mulcaire’s home was raided by police in 2006, officers discovered a large cache of notes recording who had tasked him to hack phones, including “Ian”.
His decision to plead guilty means that eight of the 10 so far charged and dealt with for phone hacking at the NoW have been convicted or pleaded guilty.
Before the trial had got under way, Edmondson had sought disclosure of internal emails distancing himself from the work of Mulcaire.
He sought the emails to prove that he thought Mulcaire was “inefficient” and “a waste of money” and wanted him sacked, and that after he arrived at NoW in November 2004 he cut down on the cash payments.

Are Bots Hijacking Your Marketing Budget?

Editor’s note: Noam Schwartz is leading Business Development in SimilarWeb. His previous company Tapdog was acquired by SimilarWeb in the beginning of 2014.
Ad fraud is a well-known “secret” in the online marketing world, and it’s been around ever since ads have existed on the Internet. Experts estimate that for every $1 a company spends on online advertising, almost half is lost to digital ad fraud.
But in 2014, ad fraud has taken center stage. This month the Interactive Advertising Bureau (IAB) released their “Anti-Fraud Principles,” meant to reduce robotic traffic, or bots, and other forms of online traffic fraud. And earlier this year, IAB chairman and Ziff Davis CEO Vivek Shah publicly admitted that 36% of all web traffic is non-human traffic. (Other ad execs say it’s closer to 50%.)
What's more, the problem seems to be growing. Last year, Google disabled ads from more than 400,000 sites hiding malware, up from 123,000 sites in 2012.

Bots, Stuffing, and Stacking Scams

So how exactly do fraudsters hijack your marketing budget? Unfortunately, there are a lot of ways to perpetrate traffic fraud, including the following:
  • Clickjacking malware. This kind of malware sends real users to websites they never planned to visit in the first place. Another method is to have bots imitate real users by “clicking” on ads or repeatedly loading a page.
  • iFrame stuffing. iFrame stuffing compresses an ad into a tiny one-by-one pixel size. The ad is served up on a site as a real ad and reported as a view, even though a real user would never be able to view such a tiny ad.
  • Ad stacking. In this type of scam, multiple ads are placed on top of each other in a single ad placement. Only the top ad is in view, but all of the ads are reported as viewed.
These kinds of traffic fraud manipulate metrics like page views and click-through rate, making cost-per-impression a dangerous pricing model for advertisers.
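An advertiser-side audit for the iFrame stuffing and ad stacking described above, as an added example that is not part of the original article. It assumes a page crawler has already recorded each ad slot's rendered rectangle and stacking order; the `Slot` fields, the thresholds and the sample data are all hypothetical.

```python
from dataclasses import dataclass

# Assumed thresholds, not taken from the article or from any ad standard.
MIN_SIDE_PX = 10            # a slot narrower or shorter than this cannot be seen
MAX_HIDDEN_FRACTION = 0.5   # flag a slot when another ad covers at least half of it


@dataclass(frozen=True)
class Slot:
    ad_id: str
    x: int      # left edge in page pixels
    y: int      # top edge in page pixels
    w: int      # rendered width
    h: int      # rendered height
    z: int      # stacking order, higher values are painted on top


def overlap_area(a, b):
    """Area of the intersection of two slot rectangles, 0 if they do not touch."""
    dx = min(a.x + a.w, b.x + b.w) - max(a.x, b.x)
    dy = min(a.y + a.h, b.y + b.h) - max(a.y, b.y)
    return dx * dy if dx > 0 and dy > 0 else 0


def audit(slots):
    """Return {ad_id: [tags]} for every slot that reports a view nobody could see."""
    findings = {}
    for s in slots:
        tags = []
        if s.w < MIN_SIDE_PX or s.h < MIN_SIDE_PX:
            tags.append("stuffed")          # e.g. the 1x1 pixel iframe
        area = s.w * s.h
        covered = max((overlap_area(s, o) for o in slots if o.z > s.z), default=0)
        if area > 0 and covered / area >= MAX_HIDDEN_FRACTION:
            tags.append("stacked")          # hidden beneath a higher ad
        if tags:
            findings[s.ad_id] = tags
    return findings


def viewable_share(slots):
    """Fraction of reported impressions that survive the audit."""
    return (len(slots) - len(audit(slots))) / len(slots)


def sample_slots():
    """Constructed crawl result: three ads stacked in one placement, one 1x1 ad."""
    return [
        Slot("top", 0, 0, 300, 250, z=3),
        Slot("under1", 0, 0, 300, 250, z=2),
        Slot("under2", 0, 0, 300, 250, z=1),
        Slot("pixel", 500, 10, 1, 1, z=1),
        Slot("sidebar", 400, 300, 160, 600, z=1),
    ]


if __name__ == "__main__":
    for ad_id, tags in audit(sample_slots()).items():
        print(ad_id, ",".join(tags))
    print("viewable share:", viewable_share(sample_slots()))
```
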
To get an idea of just how dangerous it can be, let’s look at one of the most elegant scams out there today, one that works using illegal bot activity. To set up the scam, a fraudster could create a magazine-style website for the sole purpose of hosting ads. Content is added automatically from content farms or copied from real publishers.
Then, the fraudster distributes malicious software (or piggybacks on existing ones), that causes the infected computers to open numerous browser windows in the background, completely hidden from the user.
The browsers are directed to the fraudster’s fake webpage and emulate human behavior by hopping from link to link, virtually moving the cursor, scrolling, and occasionally clicking on ads.
So here’s where advertisers take a hit in the marketing budget. Let’s say that the fraudster manages to distribute malicious software to just 100,000 computers. If each of these computers opens 50 hidden browsers every day, spending 30 seconds on each page and clicking an ad once every 200 pages, the fraudster can generate 72 million fake clicks in a single day! And advertisers are paying for every one of those clicks.

Online Ads Are Easy Targets

Online advertising is a fraudster’s heaven, and even the savviest advertisers lose millions of dollars each month.
So what makes ads so easy to target?
For one thing, advertisers often have no idea fraud has even occurred. Typically, advertisers only get standard metrics on their ad campaigns, like cost per lead and conversion rate. There’s no way to detect ad fraud or to know just how much it cost you because it’s just rolled into the cost of acquiring real customers.
Also, ad networks don’t ask a lot of questions when a new ad publisher registers their site. Usually the ad network only asks for a publisher’s basic traffic, engagement, and demographic stats, and that’s it. Then the publisher gets the code that will allow them to present ads from the ad network inventory. The ad networks have nothing to lose—if the publisher generates clicks, it’s a win. If not, the ad server will push the ads elsewhere.
Finally, those same ad networks actually benefit from ad fraud. They get paid for each click or impression, regardless of whether the ad is served to a real person or a fraudulent bot. So eliminating 36-50% of those bad clicks would negatively affect their bottom line.

What Advertisers Can Do About Ad Fraud

Few substantial and scalable solutions exist for ad fraud.
Ad fraud detection companies such as Telemetry, Forensiq, White Ops, (recently acquired by Google), and SimilarWeb’s Traffic Guardian use several approaches, including comparing visit patterns with known behavior, monitoring malicious software, proxy unmasking, device verification, and manipulation recognition.
For instance, an algorithm can determine whether a website is legitimate or fraudulent by comparing the way real people are using that website to actual online behavior. Advertisers can view that data themselves, which can help them decide whether one of their publishers needs to be red-flagged, or even rejected immediately.
Unfortunately, the outcome of the online ad game will not be decided by a knockout. New technologies and state-of-the-art algorithms are continually being developed both by fraudsters and those trying to fight them.
And while it’s promising that agencies and publishers have started talking about the problem, advertisers have to be involved, too. After all, they’re the ones with the most skin in the game.

JPMorgan Chase Hacking Affects 76 Million Households

The Manhattan headquarters of JPMorgan Chase, which securities filings revealed was attacked by hackers over the summer.
A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others was compromised at Target, while an attack at Home Depot in September affected 56 million cards.
But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data.
“We’ve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.
Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.
As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.
Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. In its regulatory filing on Thursday, JPMorgan said that there was no evidence that account information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bank’s computer systems.
Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
Jamie Dimon, chief executive of JPMorgan Chase, says that the digital threat is on the rise. Credit: Richard Drew/Associated Press
Jamie Dimon, JPMorgan’s chairman and chief executive, has acknowledged the growing digital threat. In his annual letter to shareholders, Mr. Dimon said, “We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe.”
Even though the bank has fortified its defenses against the attacks, Mr. Dimon wrote, the battle is “continual and likely never-ending.”
On Thursday, some lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, said “the data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger.”
Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.
That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, which some thought to be from Southern Europe, may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.
By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.
The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.
Beyond its disclosures, JPMorgan did not comment on what its investigation had found. Kristin Lemkau, a JPMorgan spokeswoman, said that describing the bank’s breach as among the largest was “comparing apples and oranges.”
Preparing for the disclosure on Thursday, JPMorgan retained the law firm WilmerHale to help with its regulatory filing with the Securities and Exchange Commission, people with knowledge of the matter said. Earlier on Thursday, some executives — including Barry Sommers, the chief executive of Chase’s consumer bank — flew back to New York from Naples, Fla., where they had convened for a leadership conference, these people said.
The initial discovery of the hack sent chills down Wall Street and prompted an investigation by the Federal Bureau of Investigation. The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach.
Faced with the rising threat of online crime, JPMorgan has said it plans to spend $250 million on digital security annually, but had been losing many of its security staff to other banks over the last year, with others expected to leave soon.

Botnet hits over 17,000 Mac OS X users via Reddit

Botnet hits over 17,000 Apple Mac computers running OS X
A RUSSIAN SECURITY FIRM has discovered a botnet that has hit over 17,000 Apple Mac computers, using information posted in messages on social media website Reddit to navigate.
Researchers at Russian antivirus company Dr Web said in a report that the sophisticated "multi-purpose backdoor" malware that it dubbed "Mac.Backdoor.iWorm" has infected more than 17,000 computers running Mac OS X by allowing criminals to issue commands to carry out a wide range of instructions on the infected machines.
"Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines," said Dr Web in its report. "During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically."
Compromised computers receive commands from servers under the control of botmasters using information posted in messages on Reddit as navigational aids. Then Mac.Backdoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote website to acquire a list of command and control (C&C) servers, and then connects to the remote servers and waits for instructions.
"It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at, and - as a search query - specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date," said Dr Web. "The search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd."
Security expert Graham Cluley said on his blog that while it isn't presently documented how the malware spreads, the consequences clearly can be serious.
"Like any computers that have been recruited into a botnet, Macs that have been hijacked in this attack could have information stolen from them, further malware planted upon them, or be used to spread more malware or launch spam campaigns and denial of service attacks," Cluley explained.
Security firm Lancope CTO TK Keanini added that the botnet "will begin to co-evolve as countermeasures are put in place and they engineer and innovate around them".
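A proxy-log hunt for the date-derived search query Dr Web describes, as an added example that is not part of the original article or of Dr Web's report. The log layout, the `search.example` host and the list of date formats are assumptions: the article gives neither the search URL nor the format of the date string the bot hashes.

```python
import hashlib
import re
from datetime import date, datetime, timedelta

# Assumption: the hashed date format is not given in the article, so several
# common renderings of the same day are tried.
DATE_FORMATS = ("%Y-%m-%d", "%d.%m.%Y", "%Y%m%d", "%m/%d/%Y", "%d/%m/%Y")

# A free-standing run of exactly 16 hex characters (8 bytes) anywhere in a URL.
HEX16 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{16}(?![0-9a-fA-F])")


def date_tokens(day):
    """Hex of the first 8 bytes of MD5(date string), one token per format."""
    return {hashlib.md5(day.strftime(f).encode()).hexdigest()[:16]
            for f in DATE_FORMATS}


def expected_tokens(day, skew_days=1):
    """Tokens for the day and its neighbours, to absorb time-zone differences."""
    tokens = set()
    for offset in range(-skew_days, skew_days + 1):
        tokens |= date_tokens(day + timedelta(days=offset))
    return tokens


def hunt(log_lines):
    """Return (timestamp, client, token) for requests carrying a date token."""
    hits, cache = [], {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        stamp, client, _method, url = parts[:4]
        try:
            day = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue                      # not a line in the assumed layout
        wanted = cache.setdefault(day, expected_tokens(day))
        for token in HEX16.findall(url):
            if token.lower() in wanted:
                hits.append((stamp, client, token.lower()))
    return hits


def sample_log():
    """Constructed proxy log: one matching query and three benign lines."""
    today = hashlib.md5(b"2014-10-01").hexdigest()[:16]
    stale = date_tokens(date(2014, 6, 1)).pop()    # token for an unrelated day
    return [
        f"2014-10-01T09:12:44Z 10.0.0.23 GET http://search.example/search?q={today}",
        "2014-10-01T09:13:02Z 10.0.0.40 GET http://search.example/search?q=0123456789abcdef",
        f"2014-10-01T09:15:10Z 10.0.0.41 GET http://search.example/search?q={stale}",
        "2014-10-01T09:16:00Z 10.0.0.42 GET http://news.example/index.html",
    ]


if __name__ == "__main__":
    for stamp, client, token in hunt(sample_log()):
        print(f"{stamp} {client} queried date-derived token {token}")
```

A hit only says that a client searched for a string derived from that day's date; on a Mac it is worth following up by checking for the `/Library/Application Support/JavaW` directory the report names.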

The internet will never be hacker free, warns DARPA

Hackers are here to stay, says DARPA
The US Defense Advanced Research Projects Agency (DARPA) has warned that users of the internet will never be fully secure.
DARPA director Arati Prabhakar made the claim during the Washington Post's Cybersecurity Summit, arguing that the only way fully to secure the internet is to seal it off and make it available only to selected people.
"The power of information technology, and the reason we put up with all these problems, is that it is phenomenally capable for all the things that change how we live and how we work and how we create national security," she said.
"You don't want to cut out any of that capability in the process of building cyber security."
Prabhakar added that, while wholly securing the internet is impossible, DARPA is working on new ways to track hackers and criminals operating on the Dark Web.
She listed the need for increased computing power and more advanced, scalable big data analytics tools as key challenges in this endeavour.
"[When searching for cyber criminals] you start by creating a different way to look at this vast information environment," she said.
"The moon shot for cyber security, in my view, is to find techniques that scale faster than the explosion in information."
Prabhakar revealed that DARPA began working on advanced big data solutions in March, and is also working on several projects designed to bolster global cyber security levels.
She highlighted a research project to create an "unhackable system" as particularly important owing to its potential application in critical infrastructure.
"What [the unhackable software project] means is there is a mathematical proof that this particular function can't be hacked from a pathway that wasn't intended," she said. "That won't solve the entire problem, but it might make it more manageable."
Attacks on critical infrastructure are a problem facing governments across the globe owing to their use of insecure SCADA systems.
These concerns peaked in September when researchers uncovered a critical bug, codenamed Shellshock, in the bash code used in Unix and Unix-like systems that could theoretically be exploited to hack SCADA systems.

Bored hackers flick Shellshock button to OFF as payloads shrink

Malicious and benign attacks against systems vulnerable to Shellshock had halved by Sunday after peaking three days following the bug's disclosure, Akamai researchers say.
The variety of payloads targeting vulnerable sites increased dramatically over the same period before tapering off, in a possible sign that hackers were bored with the bug.
The number of unique payloads increased from 43 on day zero to a whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753 before falling off.
The numbers demonstrated the effectiveness of Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and Ory Segal wrote in a co-authored post.
"One of the troubling aspects of the Shellshock vulnerability is the ease of exploitation, which can be seen by the dramatic increase in the number of unique payloads between the first and the second days," they said.
"The sheer number of creative payloads also demonstrates how effective and deadly this vulnerability can be – most of the scanning and exploitation process is already fully automated.
"With such a low barrier to entry, and the simplicity of writing powerful exploits, we believe that Shellshock-based attacks are going to stay around for months if not years, and will probably top the botnet infection method charts in the near future."
Two-thirds of the 22,487 unique attacking IP addresses were from the US, with Germany, Britain and seven other countries sharing the remainder.
Almost 300,000 gaming domains made up the vast majority of Shellshock targets, with consumer electronics and email marketing among the less affected industries.
More than half of all detected Shellshock probes however were illegitimate scans of the sort conducted in unpaid security research which did not involve exploitation, while about a third were legit.
Akamai found eight percent of payloads were attempts by internet idiots to exploit Shellshock to open CD trays, play audio files, and dump nonsensical payloads.
More malicious acts including Bitcoin and database stealers made up less than one percent of payloads.

Marriott fined $600k for deliberately JAMMING guests' Wi-Fi hotspots

Marriott has been fined $600,000 by the FCC for paralyzing guests' personal Wi-Fi hotspots, forcing them to use the hotel giant's expensive network instead.
The US watchdog today said the Marriott Gaylord Opryland in Nashville, Tennessee, used equipment to illegally boot hotel and convention center guests off their own networks, which were typically smartphone hotspots.
Meanwhile, Marriott managers encouraged everyone to connect to the hotel's Wi-Fi network, which cost from $250 to $1,000 to access.
According to the commission, the Gaylord Opryland installed an Allot NetEnforcer, and configured it to continually flood the surrounding ether with de-authentication packets. An attacker does not have to know a Wi-Fi network's password, or be authenticated in any way, to send a successful de-auth packet. All devices and computers that receive the management frame over the air are instructed to disassociate from their network.
Essentially, it was virtually impossible to use Wi-Fi, unless it was the Marriott's.
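A monitoring-side detector for the de-authentication flooding described above, as an added example that is not part of the original article. It parses raw 802.11 management frame headers and counts de-auth and disassociation frames per BSSID in a sliding window; the window, the threshold and the sample capture are assumptions, and frames are assumed to have had any radiotap header already removed.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 12, 10      # 802.11 management frame subtypes


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame):
    """Decode a de-auth/disassoc frame, or return None for anything else."""
    if len(frame) < 26:                       # 24-byte header + 2-byte reason
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "subtype": subtype,
        "dst": mac(frame[4:10]),              # address 1: receiver
        "src": mac(frame[10:16]),             # address 2: claimed sender
        "bssid": mac(frame[16:22]),           # address 3: network being torn down
        "reason": reason,
    }


def detect_floods(capture, window=5.0, threshold=10):
    """Return {bssid: peak frame count} for networks hit >= threshold times
    within any `window` seconds. `capture` is a list of (timestamp, bytes)."""
    times = defaultdict(list)
    for ts, raw in capture:
        info = parse_mgmt(raw)
        if info:
            times[info["bssid"]].append(ts)
    floods = {}
    for bssid, stamps in times.items():
        stamps.sort()
        lo = peak = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            floods[bssid] = peak
    return floods


def sample_frame(subtype, dst, src, bssid, reason=7):
    """Build the bytes of a constructed capture record (test input only)."""
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + to_bytes(dst)
            + to_bytes(src) + to_bytes(bssid) + b"\x00\x00"
            + struct.pack("<H", reason))


def sample_capture():
    """Constructed capture: a burst against one hotspot, normal churn on another."""
    ap1, ap2, bcast = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff"
    cap = [(i * 0.1, sample_frame(DEAUTH, bcast, ap1, ap1)) for i in range(12)]
    cap.append((3.0, sample_frame(DEAUTH, "aa:bb:cc:00:00:99", ap2, ap2)))
    cap.append((63.0, sample_frame(DISASSOC, "aa:bb:cc:00:00:99", ap2, ap2)))
    cap.append((1.0, sample_frame(8, bcast, ap1, ap1)))   # beacon subtype, ignored
    cap.append((2.0, b"\xc0\x00\x00"))                    # truncated, ignored
    return cap


if __name__ == "__main__":
    print(detect_floods(sample_capture()))
```

Because the sender address in these frames is unauthenticated, the `src` field cannot identify the transmitter; networks that negotiate 802.11w Protected Management Frames reject forged de-auth frames, so alerts matter most where that protection is absent.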
"It is unacceptable for any hotel to intentionally disable personal hotspots while also charging consumers and small businesses high fees to use the hotel’s own Wi-Fi network," said FCC enforcement bureau chief Travis LeBlanc.
"This practice puts consumers in the untenable position of either paying twice for the same service or forgoing internet access altogether."
The fine is part of a consent decree [PDF] Marriott has signed in order to end the watchdog's investigation into Wi-Fi jamming. Marriott has also agreed to send a report on its Wi-Fi "containment functionality" tools to the commission.
Allot Communications, which makes the NetEnforcer hardware used by Marriott, did not respond to a request for comment on the matter. It markets the devices as "purpose-built appliances for monitoring and managing data traffic on enterprise, cloud and broadband service provider networks."
Allot has boasted that it provides network services to the Gaylord Opryland as well as Gaylord hotels in Florida, Texas and Maryland.
"In each of the facilities, dedicated internet service is provided by a Gigabit fiber-optic backbone with 100 megabit edge connections for meeting rooms, ballrooms and exhibit hall space," the company writes [PDF].
"Each resort provides an always-up installation that serves thousands of internet users every day of the year."
Thousands of users ... willing or not, it seems.