Monday, 9 September 2013

Scammers pop up in Android’s Calendar App

Over the last couple of days, an IT security research group (Webroot) intercepted a rather interesting fraudulent approach that’s not just successfully hitting the inboxes of users internationally, but is also popping up as an event on their Android Calendar apps.
How is this possible? Fairly simple.

[Screenshot: sample fraudulent Google Calendar invitation]
Through automatic registration — thanks to the outsourcing of the CAPTCHA solving process — fraudsters are registering thousands of bogus accounts to be later on abused as being part of Google’s Ecosystem, the Calendar feature in particular, which is also automatically syndicated on all Android devices.
Therefore, by automating the process of sending Calendar Invites, 419 advance fee scammers or virtually any type of scammers, are directly syndicating their fraudulent ‘proposals’ with the Android devices of their prospective victims. The tactics greatly remind us of known cases where 419 advance fee scammers are known to have abused Dilbert.com and NYTimes.com’s “Email This” feature in an attempt to successfully bypass anti-spam filters.
Due to the ease of registering tens of thousands of Google Accounts, or actually buying access to pre-registered accounts, we expect that this practice will continue, with the fraudsters behind it eventually shortening the time frame between the invitation and the actual event, to achieve a near real-time ‘reminder’ notification for a Calendar Event.
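
One way a mail or calendar gateway could triage incoming invitations for the pattern described above (an added example, not code from the original article or from Webroot): it parses the iCalendar invitation and flags an organizer outside the recipient's known senders and a short gap between invitation creation (DTSTAMP) and event start (DTSTART). The sample invite, the example.invalid addresses, the function names and the 24-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the page): an invitation generated 20 minutes
# before the event, from an organizer the recipient has never written to.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTAMP:20130909T101000Z\r\n"
    "DTSTART:20130909T103000Z\r\n"
    'ORGANIZER;CN="Barrister: J. Doe":mailto:Sender@Example.invalid\r\n'
    "SUMMARY:Urgent business proposal awaiting your\r\n"
    "  reply\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(text):
    """Undo RFC 5545 folding: a line starting with space/tab continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def split_property(line):
    """Split 'NAME;PARAMS:VALUE' at the first colon outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""

def first_vevent(ics_text):
    """Return {PROPERTY: value} for the first VEVENT (first occurrence of each name)."""
    props, inside = {}, False
    for line in unfold(ics_text):
        name, value = split_property(line)
        if name == "BEGIN" and value.upper() == "VEVENT":
            inside = True
        elif name == "END" and value.upper() == "VEVENT":
            break
        elif inside:
            props.setdefault(name, value)
    return props

def parse_time(value):
    """Parse DATE-TIME or DATE values; non-UTC times are read as UTC (assumption)."""
    value = value.rstrip("Z")
    return datetime.strptime(value, "%Y%m%dT%H%M%S" if "T" in value else "%Y%m%d")

def triage_invite(ics_text, known_senders, min_lead=timedelta(hours=24)):
    """Return the list of signals an incoming invitation trips."""
    event = first_vevent(ics_text)
    findings = []
    address = event.get("ORGANIZER", "").lower()
    if address.startswith("mailto:"):
        address = address[len("mailto:"):]
    if address not in {s.lower() for s in known_senders}:
        findings.append("unknown-organizer")
    try:
        # DTSTAMP is when the invitation object was created; DTSTART is the event.
        lead = parse_time(event["DTSTART"]) - parse_time(event["DTSTAMP"])
    except (KeyError, ValueError):
        findings.append("unparseable-times")
    else:
        if lead < min_lead:  # 24 h default is an illustrative threshold
            findings.append("short-lead-time")
    return findings

if __name__ == "__main__":
    print(triage_invite(SAMPLE_INVITE, known_senders={"colleague@example.invalid"}))
```

Invitations that trip both signals are candidates for holding back from automatic calendar insertion until the recipient has reviewed them.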

Make All Employees Part Of Your Data Security Team

Hackers get all the attention, but they’re just one actor in the show. In truth, even well-intentioned employees are your biggest threat because they open the door and turn the lights on for the hackers. And while IT can implement tools and procedures designed to safeguard confidential information, it’s really everyone’s job to protect your bank’s data. A robust defensive strategy starts with a culture of data security, and if a system is only as strong as its weakest link, you need to look for ways your organization can build an environment full of sturdy links.

Educated employees are the basis of a strong protection system, so start off by giving them the knowledge they need to spot potential security problems. Things like phishing e-mails are a good place to begin because they provide a way into your network that bypasses many of the security measures that are in place. Train everyone in your organization to detect and deal with suspicious e-mails, links and attachments. Stay abreast of new threats and communicate proactively to employees on how to react to them. We can’t expect employees to know what we don’t communicate to them.

Mobile devices (particularly those that are personally owned) also have the potential to create security gaps. Malware is being developed for smartphones and tablets at an alarming rate, making these devices fertile ground for the nastiest of viruses. Work with employees to help them choose and use robust antivirus software, and educate them on the need for a strong password on their device. You may also opt to use a mobile device management platform that enforces security policies, which can greatly limit your exposure by only allowing approved applications. But, links in mobile web browsers can still be used against you, so training and communication with your employees is even more important.

Public Wi-Fi networks are another area where employees may be operating without enough information about potential security dangers. Most employees do not know that any information they send unencrypted over a hotel Wi-Fi connection can be seen by anyone else on the hotel’s network.

Consider creating a Wi-Fi FAQ that explains to all employees with mobile devices how to use their laptop in the airport and coffee shop without opening up sensitive data to prying eyes. Even a simple device like a USB drive can be a dangerous tool in the hands of a cybercriminal.

Vulnerability assessment testers often drop flash drives in the parking lot or other public areas to see what employees do with them. The result? The vast majority of employees pick them up and plug them into corporate computers with remarkable reliability. Employees often don’t understand that a USB drive could contain malware that auto-launches as soon as the device connects to your network. This has the potential to cause your bank considerable grief, and though it may be difficult to lock down all USB devices, an educated employee will be less eager to introduce a rogue flash drive into your bank’s network.

When an employee leaves the company, another security flag should go up. Be sure your IT team is diligent in locking down access, removing accounts, and disabling login credentials as soon as an individual is no longer an employee. This holds true for contractors and temps, too, whose access should be removed as soon as their work with the company is finished. This company-wide data security mindset doesn’t happen in a vacuum, and it’s crucial that all groups in the bank partner up to make it a reality. Human Resources must coordinate with IT when an individual joins the company, moves to a new role or department, or leaves. Supervisors need to commit to making time for employees to receive training and regular refreshers. It’s crucial that the leadership team is on board and committed to the effort, so that employees hear the same data security message from the top down. And communication lines must stay open at all levels.

Finally, it is important that training and communication are not limited to “new hire” training and posting on the Intranet. Employees can’t be expected to recall every detail of the hours and reams of information given to them when they are new and nervous. And, posting something on the Intranet is not “communicating.” Communicate frequently, clearly and in a manner that will be of interest to the employee if you want your security training and awareness program to be effective.

NSA Surveillance: Is There Any Way to Keep Web Communications Private?

NEWS ANALYSIS: There are still ways enterprises and individuals can keep communications private. But the quick and easy paths have already been compromised by the U.S.
Thanks to NSA leaker Edward Snowden we now know that most of the communications pathways you thought were secure can’t be relied on.

Most of the secure cloud storage, almost all of the on-line encryption to websites, the 4G wireless communications you use and your WiFi encryption have been compromised by the U.S. National Security Agency and probably by the intelligence services of other nations. In some cases the actual encryption has been cracked, and in other cases the encryption has been circumvented.

In a series of reports in the New York Times and other media, Snowden’s leaked secrets have revealed that most of the basic encryption you use, including SSL, has been broken. If it wants to, the agency can find out just what you bought from Amazon yesterday. But perhaps more important, the NSA can read what you’re storing on the public cloud, they can read your communications with Google when you send gmail, and they can read your banking transactions.

The fact that the National Security Agency can crack this encryption should be no surprise. After all, the NSA was chartered in the early 1950s specifically for code-breaking. So cracking such encrypted communications is actually what the agency is supposed to be doing. This is, after all, how the NSA tracks the communications of terrorists in Yemen, or the Taliban in Pakistan. But we didn’t expect that this would eventually give them the capability to read our business and personal messages at home.


But Snowden also revealed something that the NSA probably would prefer that you didn’t know. Good encryption still works, and there are types that the NSA still hasn’t cracked, such as PGP. When Phil Zimmermann created Pretty Good Privacy 22 years ago, the government tried to block its implementation. During the Clinton administration, the government even tried to force the adoption of the “Clipper” chip to create a permanent back door into computer systems through an embedded encryption chip with a built-in back door.

PGP encryption is still out there, although it’s owned by Symantec these days, and it still works. In fact, the US government is a major user of PGP encryption. But that doesn’t stop the NSA and the agencies of other governments from trying to get their hands on your communications, and most of the time they’re successful. The reason is that they don’t bother to crack encryption these days. They just siphon off unencrypted data before it’s encrypted or after it’s decrypted.

In addition, the NSA has been able to find and preserve encryption keys, with which decryption stops being an issue. Sometimes these keys are obtained legally, other times they’re retrieved through a back door to a server that holds the keys. But such back doors are limited to servers and encryption keys.
Much, perhaps most, of the data the intelligence agencies want is found through a back door into the target machine itself. After all, why go to the trouble of cracking encrypted material when you can get it in the clear?

And this leads to the next question, which is, what’s actually safe on the Internet? As you’ve probably figured out by now, public e-commerce sites have almost certainly been compromised. Widely used VPNs have also been compromised, which means that the airline reservation system you use probably isn’t closed to intelligence agencies. Your public cloud provider, regardless of how secure it claims to be, probably isn’t.

The next question is whether this matters to you. Chances are the NSA isn’t going to be watching you buy Ethernet cables from Amazon even though it can because the NSA has more important things to worry about. But suppose you try to buy ammonium nitrate on Amazon? This chemical is a critical component in the fertilizer used in commercial farming. But it’s also a critical component that terrorists use in making bombs. What then?

This is where the much discussed back doors come in. If you’ve been reading my column for any period of time, you’re no doubt aware of the back doors in cellular switching equipment that have been blamed on Chinese telecom vendors Huawei and ZTE. But it’s alleged in some of the analysis of Snowden’s documents that the NSA has also built back doors in other equipment including server network interfaces. Not only would this allow traffic to be sent to an outside entity, it could do more.

As Dr. Steve Weis, CTO of PrivateCore explained to me in an interview, these networking adapters have access to the memory of the computer to which they’re connected. This is the same place where the encryption keys are stored when that server is encrypting data. Thus it’s no great trick to harvest the keys, which is one place where intelligence agencies can get those keys I mentioned earlier.

So can you protect your data? For most routine Internet activities the answer is you can’t. If you start looking for ammonium nitrate or you are communicating with co-conspirators in a terrorist attack plot, it’s possible that someone will find out. It could be through a back door; it could be through the retail vendor or the communication service you are working with; it could be somewhere else along the way. If you have really important data to protect, there’s almost nothing you can do short of encrypting your data before it ever reaches the computer that’s attached to the network.

But even then you have to store those encryption keys someplace really secure, which also means not on a computer attached to the network. In short your only real hope is that whatever you do is too boring to be interesting to any intelligence organization.

See more at: http://www.eweek.com/security/nsa-surveillance-is-there-any-way-to-keep-web-communications-private.html

Four out of five people are “locked out” of websites due to lost passwords

Four out of five consumers have been “locked out” of websites due to not remembering log-ins – and over a fifth rely on password resets “on a regular basis,” according to a survey conducted by Ping Identity.
The survey, of 1,000 computer users in the UK, highlighted the problems in expecting consumers to remember long, complex passwords, and negotiate difficult log-in processes.
Nearly a quarter of consumers now remember log-ins for up to five consumer websites (24%) and almost a third of shoppers remember log-ins for up to 11 and 20 websites according to Ping’s research.
ESET’s guide to how to create strong passwords (without driving yourself mad), and keep them safe is here – helping you shop freely without handing the keys to your email (or bank account) to a cybercriminal.
“With more than half of respondents logging into an online shopping site with a password up to five times a day, this login barrier could cost businesses dearly,” said Andrew Hindle, director at Ping Identity. “E-tailers need to make the registration and payment process as seamless as possible.”
Nearly 71% of consumers admitted to having “abandoned” web businesses due to having been forced to fill in long, complex web forms, according to Ping’s survey.
The need to remember up to 20 different passwords and usernames highlights why so many users re-use passwords, or use simple variations on existing ones.
In Deloitte’s Technology, Media and Telecommunications Predictions 2013 earlier this year, the firm predicted that 90% of user generated passwords will be vulnerable to hacking this year, and could lead to “billions” in losses.
“This is due to factors such as password re-use, advances in hardware and software used to crack passwords, and non-random distribution of characters,” says Deloitte. “As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication.”

Be prepared for major cyberattack: Kim Komando

Former Homeland Security Secretary Janet Napolitano gave her farewell speech last week. She had quite a bit to say, but there was one thing that caught my attention: She warned that a major cyberattack is on the way.
I believe it. Most major U.S. companies have been under siege from hackers over the past 18 months.
In fact, two days after Napolitano's speech, a hacker group called the Syrian Electronic Army hacked the New York Times' website and Twitter feed - for the second time this year.
Of course, Napolitano wasn't just talking about American business. She was talking about America's infrastructure: power grid, communications, banking and so forth.
Every one of these services relies on computers. A well-placed virus could do a lot of damage.
Imagine waking up one morning with no power. Cellphones can't connect, banks are closed, the Internet is down and credit cards don't work.
In localized emergencies, workers from other areas help to restore services quickly. A cyberattack could affect wide regions of the country, overwhelming the available manpower.
It could take days, weeks or months for basic services to be fully restored. Not a pretty picture.
Now, a cyberattack might not take down everything, but it could make basic services unreliable. That's why you need a backup plan for your family. I would plan for at least 30 days of limited to nonexistent services.
Keep a supply of water and canned food on hand, along with a first-aid kit. Knowing exactly what other survival tools to include can be difficult. Fortunately, the government's site - tulsaworld.com/ready - can help you plan your disaster kit.
Your emergency kit should contain cash. After all, debit and credit cards may not work.
Keep important documents within easy reach, too. You may not be able to get to documents stored on your computer. Keep physical copies in a small safe near your disaster kit.
In a disaster, remember it's better to text than to voice call. Texts use less information, so they don't overwhelm local cellular towers. Plus, texts can wait to send, so they'll still get through without your constant attention.
In localized disasters, it is often easier to contact people outside the area. Designate an out-of-town relative as a contact person. However, cellular towers aren't as robust as traditional landlines. Don't count on your cellphone working reliably. I would have one or more sets of two-way radios. They'll work in any situation.
An AM/FM radio is another essential for any emergency kit. Radio stations have generators and can still keep broadcasting important information when other communication systems fail.
Whether a cyberattack ever happens, these are still good planning ideas. You never know when another kind of disaster might strike.

New Facebook exploit: Mark Zuckerberg targeted again

The poster of a YouTube video says he is a 16-year-old Albanian who found a new Facebook graph exploit, and that he suggests friends to Mark Zuckerberg.
According to the terms of Facebook’s white hat program, those who find bugs and follow Facebook’s rules in reporting them are paid a bounty. The minimum bounty for any bug is set at $500, with Facebook paying more based on the bug’s severity.
Watch the video:
http://www.youtube.com/watch?feature=player_embedded&v=fl0T1FCIVIQ

Anonymous has leaked 7 GB of contracts, financial data of Azerenergy

A group claiming to be an Armenian branch of hacker collective Anonymous has leaked 7 GB worth of documents relating to Azerenergy, the leading energy producer in the Eurasian country of Azerbaijan.
Financial details, offshore communications, contracts, research and photos of passports are among the documents that have been leaked, with the group adding “illegal schemes” to the mix in an announcement posted Tuesday afternoon to cyberguerilla.org – a forum designed to maintain anonymity.
The entire multi-gigabyte package was broken into 13 parts and hosted on AnonFiles.com, an anonymous file-hosting website unrelated to the similarly named hacker collective.
“We are not that very much happy with Aliev's politics therefore this release is just another leap in a series of releases to fight Azerbaijani mafia clans,” the group wrote in its post, indicating there would be more to come.
An Azerenergy representative could not immediately be reached for comment.
Ilham Aliyev, the president of Azerbaijan since 2003, was described as comparable to mafia figures in a US Embassy diplomatic cable posted to WikiLeaks in 2009.
This is the second time this year that an Azerbaijan organisation has suffered an information leak by a group claiming to be Anonymous.
In April, a group calling itself Anonymous leaked 1.5 GB of data from the Ministry of Communications and Information Technologies of the Republic of Azerbaijan.
The group called attention to ties between various corporations and government agencies that were said to have financed terror groups.
Anonymous continues to make headlines – most recently in July for three consecutive releases of lists of FEMA contacts – but the collective has remained under the radar in recent times due to a number of high-profile arrests by the FBI.
Among those FBI arrests are key members of Anonymous splinter group Lulz Security, as well as distributors of the Gozi virus, who are not said to be associated with Anonymous. The Gozi virus infected millions of computers and stole millions of dollars from financial institutions around the globe.

Snowden leaks: NSA tapped into networks of Google, Petrobras, others

The U.S. government tapped into computer networks of companies including Google Inc. and Brazilian state-run oil firm Petroleo Brasileiro SA, according to leaked U.S. documents aired by Globo, Brazil's biggest television network.
A week after it broadcast a report that the U.S. National Security Agency spied on the presidents of Brazil and Mexico, Globo said the agency had also spied on major companies.
It showed slides from an NSA presentation, dated May 2012, that it said was used to show new agents how to spy on private computer networks.
In addition to Google and Petrobras the presentation suggested the NSA had tapped into systems operated by France's foreign ministry and the Society for Worldwide Interbank Financial Telecommunication, an international bank cooperative known as Swift, through which many international financial transactions take place.
The report did not say when the alleged spying took place, what data might have been gathered or what exactly the agency may have been seeking.
As with its previous report, Globo disclosed the information in coordination with Glenn Greenwald, an American blogger and journalist for the Guardian newspaper, who has worked with former NSA analyst Edward Snowden to expose the extent of U.S. spying at home and abroad.
During an interview in the Globo broadcast, Greenwald said the documents he obtained from Snowden contain "much more information on spying on innocents, against people who have nothing to do with terrorism, or on industrial issues, which need to be made public."
In an email exchange with Reuters, Greenwald declined to discuss the report further.
Petrobras, which has made some of the world's biggest oil finds in recent years, did not respond to requests for comment on Sunday. Spokespeople for Swift and Google couldn't be reached for comment. Officials at the French embassy in Brazil also could not be reached.
TRADE SECRETS
James Clapper, the U.S. Director of National Intelligence, said U.S. agencies do collect information about economic and financial matters and that it is used to combat terrorist financing and predict problems that could lead to financial crises or disrupt financial markets.
"What we do not do," Clapper said in a statement, "is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of - or give intelligence we collect to - U.S. companies to enhance their international competitiveness or increase their bottom line."
Especially before the Snowden revelations began three months ago, U.S. officials regularly accused China of stealing trade secrets from Western countries, including oil and gas firms.
At the very least, revelations of U.S. spying on Petrobras are likely to further complicate the tension between the United States and Brazil over allegations that the NSA spied on the private phone calls and emails of Brazilian President Dilma Rousseff.
Brazil has demanded a formal apology and Rousseff aides have said the issue could derail a state visit she is due to make to the United States in October.
The tensions led to an impromptu meeting between Rousseff and U.S. President Barack Obama last week at the G20 meeting in Russia. Obama said he would investigate the allegations.
Any spying on Petrobras is sure to raise hackles in Brazil, which has long been suspicious of foreign designs on its abundant natural resources.
U.S. officials, including Obama on a 2011 trip to Brazil and Vice President Joe Biden during a visit in June, have cited the importance of Brazil's big new oil finds and flagged intentions to work closely with the country for future energy needs.
Brazil's so-called sub-salt polygon, where many of the new finds have been discovered, may contain as much as 100 billion barrels of oil, according to Rio de Janeiro State University. One find alone, the giant Libra field, has estimated reserves of up to 12 billion barrels of oil, or enough to supply all U.S. oil needs for nearly two years.