Monday, 6 January 2014

New Year's Resolutions for Better Personal Security

Happy New Year from Security Watch! While drafting my list of New Year's resolutions, I realized this was the perfect opportunity to adopt new habits to improve my security hygiene. In 2014, I resolve to take better care of my identity, my data, and my devices.
I Will Improve My…Passwords
No more poor passwords! The next time there is a data breach, we won't be astounded at the fact that people are using "iloveyou" "password123" and "monkey" for their passwords. For 2014, we will make sure every single online account has a long, complex, and unique password. We will also pledge to change our passwords on a regular basis, to keep them fresh.  
We aren't saying you have to store all the passwords in your head. Let 2014 be the year we finally start using a password manager such as 1Password or LastPass. Select a very complex password to secure your password manager, and then store each unique password inside. A password manager will also protect you from entering your login credentials into phishing sites.
Many sites, including Twitter, Facebook, Hotmail (Outlook.com), Gmail, and Dropbox, now offer two-factor authentication. Wherever we can, and unless we have a good reason ("not convenient" is not one), we will turn it on to protect our accounts from fraudsters trying to break in. We will check every few months in case more services have moved towards multi-factor authentication to secure our accounts.
I Will Protect My…Devices
Proper password usage won't be just limited to our online accounts; we will select strong passwords for our computers, the router for our home network, even for our mobile devices. A swipe-to-unlock is not secure at all. We should have a passphrase, a pattern unlock, or in the case of the iPhone 5, the fingerprint scanner, to keep thieves at bay.
Update software regularly. Adobe, Google, Microsoft, and Firefox offer automatic updates, where the application downloads and installs the latest version of the software in the background. Take advantage of the feature. For all other software packages—such as the printer driver, iTunes, or accounting software—let's break ourselves of the habit of ignoring the update prompt "for later," and update right away. Yes, in some cases, it will be annoying because it feels like the update prompt is coming every day. But it's much better than being told a month from now that the malware infection could have been avoided if we'd only updated Flash.
Speaking of malware, security software is critical, whether we are talking about a Mac, PC, or mobile devices. Just like all the other software packages, security software needs to be updated regularly as well.
Consider a firewall to prevent bad traffic from reaching the computer, and to block malware from "phoning home" with stolen data. Windows comes with a basic firewall, and third-party firewall software is also available. I prefer to protect all the devices on the network—not just the computers, but also your smart TV, Apple TV, and anything else that has an IP address—in one swoop by turning on the firewall that comes with my network router.
I Will Secure My…Data
I pledge to improve my data security by encrypting all my information. Full disk encryption means that thieves can't access the data on the hard drive without guessing the password. I already encrypt my hard disk (thank you, Ubuntu), but I need to be better about encrypting all my data stored in the cloud and on flash drives, and when I am sharing files with other people. The biggest barrier to encryption is the fact that it isn't easy. Maybe it's time to think differently, to stop expecting everything to be easy.
We will regularly back up our files, whether it's onto an external drive or using cloud services (encrypted, of course). Ransomware is very effective: after infecting the computer, the malware locks all the files. The only way to get all the photos, documents, and reports back is to pay the ransom to the cyber-criminal. Or… if our files are properly backed up, we would be able to just wipe the hard drive and start over, since our data is safe in a different location.
I Will Guard My…Identity
We will take advantage of the tools available to protect our privacy online, whether that's turning off location tracking, restricting who can see the contents of our social media profiles, or just plain thinking twice about posting something online. We will think twice about filling in every field on our social media profiles since some of the information can be used by criminals to guess our password hints (dog's name, place of birth, etc). I will also think twice about those silly memes where I enter my mother's maiden name or other facts that can be used to reset my passwords or unlock my accounts.
With every malware outbreak, data breach, and network incident, we shake our heads over security missteps, mistakes that in hindsight feel rather obvious, and user error. Instead of complaining about the same problems six months from now, let's make some changes in our personal security habits to avoid malware and phishing attacks. If we take some steps now, we may not be panicking during the next data breach (and we know there will be more).
Here is to a safe and secure year ahead!

Windows Error Reporting Exposes Your Vulnerabilities

If you don't keep your operating system and applications up to date, you leave your PC vulnerable to attacks that exploit known security holes. We've said it again and again. Perhaps you think an attack is unlikely, since the bad guys have no way of knowing just which of your apps are vulnerable? Well, think again. In a recent blog post, Websense Security Labs reported that every time your computer sends an error report to Microsoft's Dr. Watson service, it reveals a ton of information in plain text, data that a hacker could sift from your network traffic to craft an attack.
Can't Say No
It's true that when an application crashes, the resulting Windows Error Reporting dialog asks your permission before sending a report to Microsoft.
However, many everyday occurrences trigger a silent report, no permission required. Websense director of security research Alex Watson (no relation to Microsoft's Dr. Watson) used a simple network traffic capture tool to reveal that even something as simple as plugging in a new USB device can trigger a report.
Dr. Watson transmits detailed information about the USB device and about the host computer in plain, unencrypted text form. This data includes the precise operating system, service pack, and update version for the host, as well as the host's BIOS version and unique machine identifier.
When an application crashes, the report naturally includes the name and precise version number for that application. It also reports the reason for the crash and the internal location of the instruction that served as the proximate cause. Knowing the details of the crash, an attacker could arrange to attack the affected application and potentially compromise security.
Not All Exposed
On the positive side, only the first stage of error reporting goes through in plain text. Stages two through four, which can contain personally identifiable information, are transmitted using HTTPS encryption. Microsoft clearly states that "All report data that could include personally identifiable information is encrypted (HTTPS) during transmission. The software 'parameters' information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted."
The unencrypted first stage could actually be useful to the IT department of a large organization. Watson points out that an IT expert could use it "to understand uptake of new BYOD policies and to identify potential security risks." The problem is that a hacker could also identify those risks, and actively use them to penetrate security.
What Can You Do?
According to the report, Microsoft estimates that nearly 80 percent of all Windows PCs participate in the error reporting program. Websense recommends that businesses use a Group Policy called Corporate Windows Error Reporting. By configuring this policy so it redirects error reports to an internal server, the IT staff can ensure secure transmission to Microsoft and can also mine the resulting data for their own purposes.
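The exposure described above is easy to see from the network side. Below is an added example, not code from the article, Websense or Microsoft, that scans constructed proxy-log lines for error-report submissions sent over plain HTTP and builds the per-client inventory of application names and versions that such reports disclose. The log layout and the Stage One URL path layout are constructed for the demo and are not the real WER wire format; the hostname in `WER_HOSTS` is an assumption. The point for IT staff is the output: the same inventory a passive observer could assemble is the list of machines that should get the Corporate Windows Error Reporting policy (or patches) first.

```python
"""Flag plaintext Windows Error Reporting (Stage One) submissions in proxy logs.

Added example for this page; it is not code from the article, Websense or
Microsoft. The log layout and the Stage One path layout are constructed for
the demo and are NOT the real WER wire format; the WER hostname is an assumption.
"""
from urllib.parse import urlsplit

# Assumption: hosts that receive error reports from this network.
WER_HOSTS = {"watson.microsoft.com"}

# Constructed proxy log: "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1388995200 10.0.0.12 GET http://watson.microsoft.com/StageOne/demoapp.exe/2.1.0.0/corelib.dll/1.0.3.0/c0000005 200
1388995201 10.0.0.12 CONNECT watson.microsoft.com:443 200
1388995260 10.0.0.33 GET http://www.example.com/index.html 200
1388995300 10.0.0.44 GET http://watson.microsoft.com/StageOne/editor.exe/5.0.1.2/render.dll/5.0.1.2/c0000409 200
1388995310 10.0.0.12 GET http://watson.microsoft.com/StageOne/demoapp.exe/2.1.0.0/corelib.dll/1.0.3.0/c0000005 200
"""

# Constructed field order for the demo's Stage One path.
STAGE_ONE_FIELDS = ("app", "app_version", "module", "module_version", "exception_code")


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "status": int(status)}


def is_plaintext_wer(entry):
    """True when the request went to a WER host over plain HTTP.

    CONNECT requests are TLS tunnels (the later, HTTPS-protected stages): the
    proxy sees only the hostname, so nothing inside is readable on the wire.
    """
    if entry["method"] == "CONNECT":
        return False
    parts = urlsplit(entry["url"])
    return parts.scheme == "http" and parts.hostname in WER_HOSTS


def extract_stage_one(url):
    """Pull the constructed Stage One fields out of the URL path, or None."""
    segments = urlsplit(url).path.strip("/").split("/")
    if len(segments) != 6 or segments[0] != "StageOne":
        return None
    return dict(zip(STAGE_ONE_FIELDS, segments[1:]))


def find_plaintext_wer(log_text):
    """Return one finding per plaintext WER request, with whatever it disclosed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if is_plaintext_wer(entry):
            fields = extract_stage_one(entry["url"]) or {}
            findings.append({"client": entry["client"], "ts": entry["ts"], **fields})
    return findings


def exposed_software(findings):
    """Map each client to the (application, version) pairs it disclosed in the clear.

    This is the inventory a passive observer would have; it is also the list
    IT should prioritise for patching and for the Corporate WER policy.
    """
    inventory = {}
    for finding in findings:
        if "app" in finding:
            inventory.setdefault(finding["client"], set()).add(
                (finding["app"], finding["app_version"]))
    return inventory


if __name__ == "__main__":
    hits = find_plaintext_wer(SAMPLE_LOG)
    for client, apps in sorted(exposed_software(hits).items()):
        print(client, sorted(apps))
```

Only GET requests over `http://` count as findings; the `CONNECT` line from the same client is a TLS tunnel and is skipped, which mirrors the article's point that stages two through four are encrypted while stage one is not.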
That's all very well, but what about personal PCs? I asked Alex Watson what an individual can do about this potential leakage of vulnerability data. "There does not appear to be a straightforward solution for individual, unmanaged users to encrypt their Stage One error reports to Windows Error Reporting," said Watson. "If you are an individual user and have concerns about these reports potentially being intercepted, I would recommend disabling Windows Error Reporting on your PC as outlined by Microsoft."
"However, I would note that these reports are extremely useful to Microsoft and application developers to ensure quality of their products and prioritize bug fixes," continued Watson. "Taking yourself out of the WER program could make it that much slower for a bug affecting your computer to be noticed and fixed. An ideal solution is for Microsoft to use SSL/TLS on all stages of Windows Error Reporting, which would mitigate any concerns users or organizations face from a security perspective."
I can't argue with that! So, how about it, Microsoft? You're already encrypting the other three stages. When will you add protection to the first stage of error reporting?

Significant Security Stories of 2013 - Security Watch

Looking back, 2013 felt like a roller coaster, as we lurched from good news to bad news every few weeks: Data breaches, privacy, cyber-espionage, government spying, advanced malware, significant arrests, improved security features, etc.
The biggest story—or rather, series of stories—of the year revolves around the documents ex-National Security Agency contractor Edward Snowden stole and released to the media. However, it wasn't the only major story of 2013. For the first time, a security company laid out a definite case of how China spies on American businesses, and the US government officially discussed the issue with the Chinese government. Law enforcement had some significant victories, breaking up a large credit card theft ring and arresting the creator of the Blackhole Exploit Kit. Data breaches continued, but the Experian breach highlighted the problem of data brokers aggregating personal information. Regular users started talking about online privacy as Google Glass users hit the streets. Companies committed to better security practices, such as encrypting data in transit, implementing two-factor authentication, and becoming more transparent about what information they provide to the government.
2013 was a busy one for security professionals and individuals alike. Here is a review of the year's significant security stories, in no particular order.

Secret NSA Surveillance Programs
We could fill an entire column with nothing but the NSA revelations. The initial articles about the phone records collection program were shocking enough, but it feels like each subsequent revelation is more explosive than before. The agency spied on Web activity, snooped traffic going to and from Google and Yahoo data centers, intercepted shipments to install spyware and backdoors in electronics equipment, and allegedly eavesdropped on leaders of other countries and gamers. While NSA chief Gen. Keith Alexander continues to insist that the agency acts within its boundaries and that it was careful to preserve civil liberties, calls for reform are growing louder. Congress is debating what to do about the problem of the NSA, a conservative federal judge ruled, in Klayman v. Obama, that the NSA's phone-records program possibly violated the Fourth Amendment, and the independent panel selected by the White House recommended that the NSA programs be curtailed.
A group of tech giants, including Apple's Tim Cook, Google's Eric Schmidt, and Yahoo's Marissa Mayer spoke with President Barack Obama about their concerns regarding NSA's activities. AOL, Apple, Facebook, Google, LinkedIn, Twitter, Yahoo and Microsoft banded together to demand that while governments need to take action to protect their citizens' safety and security, "current laws and practices need to be reformed."
More companies are releasing transparency reports to disclose what kind of information they hand over to the government, and encrypted email service Lavabit shut down in order to avoid having to hand over information about its users. RSA, the security division of EMC, is currently defending its reputation following a Reuters report that it took $10 million from the NSA to push a compromised cryptographic algorithm in its security products.

China, China, China
We've been so enthralled by the waves of information coming out about NSA's activities that it's easy to forget that we began 2013 with an explosive report outlining China's role in cyber-espionage. The APT1 report from Mandiant was the first definitive statement clearly laying out what cyber-attackers from China were doing to break into US business and government networks. The report outlined how these attackers stole intellectual property, installed backdoors, and damaged systems.
Shortly after the report was released, various government officials spoke out about China's activities. In May, the Pentagon's Annual Report on China directly blamed that nation's government for attacks against the US government and military. President Obama even brought up the accusations during a meeting with Xi Jinping, the president of China. The Chinese government in turn accused the US of essentially doing the same thing. (A little bit of foreshadowing for Snowden?)

Attacks Against Media Outlets
The media came under attack this year, with The New York Times, Washington Post, and Wall Street Journal disclosing they'd been infected with sophisticated malware. The finger of suspicion pointed—where else?—at China. The Syrian Electronic Army went on a spree against the Twitter accounts for The Onion, Guardian, and other outlets. The fake post on AP's Twitter account, "Breaking: Two Explosions in the White House and Barack Obama is injured," even caused a little blip on the stock market, with the Dow Jones temporarily dipping 140 points.
The attack against the New York Times website, where the SEA managed to change the site's domain name system settings, highlighted just how easily attackers could interfere with Web operations. The SEA in this attack didn't even hack into the network—the group accomplished this attack via spear phishing.

Focus on Application Security
The Affordable Care Act and the rollout of the healthcare exchange website brought the importance of security testing to the forefront. Security professionals know how critical it is that applications be tested for security issues before going live, but when the clock is ticking and time is running out to ship the product on time, security falls by the wayside. Some of the issues identified in HealthCare.gov after its botched rollout raised the possibility that attackers will target the site. There were reports that individuals were seeing sensitive information belonging to other users on the site.
Executives who followed the whole saga probably won't be so quick to skip security testing the next time they have a major application rollout. Or so we hope.

Distributed Denial of Service Attacks
DDoS is not new, but this year we saw two major developments. DDoS was frequently used against financial sites, especially as part of Operation Ababil, but attackers expanded their targets to include other industries. One of the largest attacks of the year was against Spamhaus in March, with peaks hitting 300 Gbps.

Major Cyber-Crime Arrests
In May, the U.S. Attorney for the Eastern District of New York announced charges in a $45 million bank heist involving stolen account information. The gang allegedly hacked into financial institutions to steal account information and then withdrew millions of dollars from ATMs.
In July, the U.S. Attorney for New Jersey charged another cyber-crime ring for breaching the computer networks of at least 17 major retailers, financial institutions, and payment processors to steal more than 160 million credit and debit card numbers. Targeted networks included Nasdaq, 7-Eleven, Visa, and J.C. Penney, among others.
Russian authorities claimed to have arrested Paunch, the creator of the Blackhole Exploit Kit. Security experts believe that with the arrest, there is a void cyber-criminals are currently scrambling to fill. "With no clear successor to Blackhole, cyber criminal gangs may be investing in other places to make up for the lost income due to less sophisticated delivery mechanisms for malware," said Alex Watson, director of security research at Websense.
Watering Hole Attacks
Watering hole attacks were pretty prominent this year, with websites being hacked to compromise employees at major tech firms such as Facebook, Apple, Microsoft, and Twitter, as well as against defense contractors and government employees. These watering hole attacks took advantage of zero-day vulnerabilities in Internet Explorer, Java, and other commonly used technologies.
Watering hole attacks were also discovered against pro-Tibetan activists, as attackers targeted Chinese-speaking people visiting the Central Tibetan Administration and the Tibetan Homes Foundation, as well as the Uyghur website maintained by the Islamic Association of Eastern Turkistan.

Experian Data Breach
We tend to remember the last major data breach and forget all the other ones that came before. While the recent data breach suffered by Target in which nearly 40 million debit and credit card numbers were compromised during the holiday shopping season is pretty major, the scariest data breach involving user information was the Experian data breach.
Experian is one of the organizations in the business of buying and selling personal information—social security numbers, addresses, bank account details. This information was sold to an overseas crime ring, according to an investigation by security writer Brian Krebs. The breach also highlighted the fact that many knowledge-based authentication systems, where people are asked to verify their identity by saying what car they own, or where they used to live, are now even more vulnerable.


People Wake Up to Online Privacy
When Google unrolled the future of wearable tech with its first wave of Google Glass "explorers," people freaked out. People were finally cognizant of the impact facial recognition and the ability to post anything online could have on their privacy. Is the future of tech one where there is no privacy, or where people can be booted from restaurants and other establishments for being a threat to privacy?
We've already looked ahead to 2014, with our predictions for new attacks, a national Internet, online payments, mobile security, and the Internet of Things. Welcome to 2014. Will it be a year of uncertainty or victories? Stick with Security Watch in the new year as we follow the ups and downs of security.

Greetings, Android! 12 tips to toughen up your new device for the real world

This holiday season was a boom time for Android devices – with activations of Android smartphones and tablets on Christmas day hitting new heights, and narrowing the gap against rival Apple, according to analyst Flurry.
If you’re one of the lucky ones who unwrapped a Google Nexus tablet or one of Samsung’s army of different-sized Androids, congratulations – but there are a few sensible steps to take before taking that device into the ‘real world’, especially if you intend to use it for work.
There have been many scare stories about Android this year, often relating to malware targeting the OS – some rather overstated, but many, sadly close to the truth.
If you’re a user ‘switching sides’ from an Apple iDevice, you might be alarmed – and it’s easy to feel at risk when you’re getting used to a new system. But it’s not quite as bad as it seems.
Thankfully, Android itself now offers some great built-in protection against theft and malware – including a great anti-theft system quietly rolled out by Google to many Android users.

Once it’s started up, lock it down
Various Android devices from different manufacturers offer their own different security systems built in, but the really bulletproof ones are Google’s, and common to all up-to-date Android devices – the most basic one is getting a screen lock in place, and it’s common to every model. Do this before you take your device anywhere. Head to Settings > Security > Screen Lock. On new devices, you’ll usually get a choice of pattern, PIN, or password. A pattern’s less secure than a PIN, and a password is your best choice. If you’re using your tablet or smartphone for business, be extra careful.

While you’re at it, double-lock the important stuff
If someone does crack your code (sometimes possible simply by turning a handset sideways and looking for greasy finger marks – which is why choosing a pattern code can be risky), you can add another line of defense by locking individual apps – a very sensible step, and the reason that the excellent, free App Lock is, its makers claim, the most-downloaded app on Google’s Play Store. App lock lets you create a PIN which locks important apps – your email, Dropbox, or anything else which could hand data to cybercriminals. Better still, App Lock is pretty good at defending itself – it has mechanisms to ensure it can’t be uninstalled unless you have the PIN.


If you share ANY devices, be careful with Google Now
Google’s Now service can be accessed on Android via either a swipe up from the bottom of the screen, or via a Google Search box on screen, depending on which make of Android you choose – offering “predictive search”, i.e. guessing information you might need, based on your habits. Used carefully, it’s great – offering reminders of flights you have to catch (culled from Gmail), and traffic conditions on your commute (based on GPS data harvested by the handset). But while the ‘predictive’ search experience adds a lot to Android, it can also give a lot away. Any device signed in to the same Google account – i.e. a tablet you share at home – will ‘know’ whatever information you opt to share with Now, including potential privacy minefields such as your web search history. Thankfully, you can tailor how it works for you from Now, or from Google’s dashboard page – do so carefully.

Taking your phone to work? Talk to IT first
The trend for workers “bringing their own devices” to work is increasing year-on-year – but your boss, and your IT department will thank you if you ask first. Around 30-40% of devices in workplaces fly “under the radar”, according to former vice-president of security body ISACA Rolf von Roessing, who warned that workplaces faced a “tidal wave” of threats unless users were educated about risks. If you’re taking your own phone to work, ask your IT department for advice – and remember that even an email ‘Sent’ box can contain information invaluable to a criminal looking to penetrate a company network. Your boss will thank you if you’re open about using your own smartphone in the workplace – or even for working from home.

Lost it already? Don’t panic!
Despite frequent malware attacks – and an official app store that is still home to thousands of malicious and spammy apps – Google offers a pretty decent selection of security features built in – including a location tracker, which can help find a lost device, even if it’s just down the back of the sofa. Visit Google’s Android Device Manager page to activate it, while logged into your Google account, and you’ll be able to force a device on silent mode to ring, remote-lock a device, and view its location on a map. If you own several Androids, you’ll be able to see them all.

Keeping sensitive info on your smartphone? Don’t store it on a removable SD card
If you are keeping sensitive information on your phone – you really shouldn’t, if at all possible – don’t keep it on a removable SD card. This makes it easier for attackers to access data. If, for instance, your photos include an image of your credit card or passport, don’t store them in external memory. Ensure anything you want to keep safe is stored in your device’s internal memory, and protect this using a strong password. Google’s Android Device Manager page offers useful options to wipe data remotely if a phone is stolen.

Encrypting your phone WILL slow it down – but keep your data safe
Encrypting your device – so that all data on board is PIN-protected – isn’t for everyone: it will slow your device down, which can be painful if you’ve just unwrapped a top-of-the-range smartphone. But if you are carrying work information on it, it’s a good way to ensure sensitive data is safe, even if the device falls into the wrong hands. Thankfully, it’s easy to encrypt your device in Android’s own settings menu – Settings/Security/Encryption – in an option available since Android Gingerbread 2.3.4. Choose Encrypt Device and Encrypt External SD Card, then wait while the device crunches your data (this takes a while). After that point, your data is PIN-protected.

Google’s Play store isn’t perfect – but it’s FAR safer than most ‘unofficial’ stores
For ‘defectors’ moving from iOS to Android, the fact that malicious and spammy apps sneak into Google’s official Play store may be a shock – unlike Apple’s App Store, there is not an approval process, so ‘bad’ apps can sneak onto Play. Play, though, remains a far safer place to shop than unofficial stores – or bogus ‘review’ sites offering free apps. Google removes ‘bad’ apps once users complain – but some lurk around for quite a while. Watch out for close-but-not-quite clones of popular apps and games – a classic trick – and in general, think like you are shopping on eBay (i.e. does the developer sound legitimate? What do the reviews say?). Most apps on Play, though, ARE safe. If you stick to the main stores (Google Play, Amazon’s App Store and GetJar), you will be much safer – although “bad” apps can still sneak into those.

Don’t feel you HAVE to root your Android
For many tech-savvy phone users, the chance to ‘root’ an Android device is tempting: root access to the phone’s OS allows users to, among other things, uninstall all the unwanted apps with which Samsung and other phone makers routinely bloat their devices. There are dozens of tutorials on how to root devices online, and many Android forums make it seem like a “first step” for users, allowing Android fans to run apps which require root access, such as firewalls – normally blocked by the OS. But rooting a phone opens users up to new risks – and cuts off many of the protections built into Android itself. It will also severely annoy your employer, if the handset happens to be a work one. Malicious apps with root access can cause far more damage than normal ones – and the unofficial app markets where apps for rooted devices are traded are filled with malware, sometimes disguised as popular apps. “Free” versions of the predictive text app Swiftkey appeared on pirate sites – infecting users foolish enough to download them with a keylogger which took note of every keystroke in Swiftkey, with the goal of stealing data.

Read the “permissions” screen EVERY time you install an app
Most computer users are pretty impatient while shopping – and used to skipping straight past huge legal documents without reading a word – but while Android’s App Permissions page looks boring, it’s THE single most important defense built into the system. “Bad” apps will request access to and control over huge amounts of your Android’s functions – such as reading all network communications, or sending SMS messages – if an app has a huge list of Permissions, it’s an “alarm bells” moment. Why WOULD a screensaver need to send SMS?
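The “why would a screensaver need to send SMS?” test can be written down as a check. The example below is added here and is not code from the article or any real app: it pulls the requested permissions out of a constructed manifest excerpt, compares them with an assumed baseline of what that kind of app plausibly needs, and raises “alarm bells” when a permission outside the baseline hands the app a capability such as sending SMS or reading contacts. The permission names are real Android constants; the category baselines, the package name and the manifest are constructed for the demo.

```python
"""Review an Android app's requested permissions against what its category needs.

Added example for this page; not code from the article or any real app.
Permission names are real Android constants; the per-category baselines and
the manifest snippet are constructed assumptions for the demo.
"""
import re

# Real Android permission names paired with the capability each hands an app.
HIGH_RISK = {
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_PHONE_STATE": "read device and line identifiers",
}

# Assumed baselines (demo values): what an app of this kind plausibly needs.
EXPECTED_BY_CATEGORY = {
    "screensaver": {"android.permission.INTERNET", "android.permission.WAKE_LOCK"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}

# Constructed manifest excerpt for a hypothetical "screensaver" app.
SCREENSAVER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sparklesaver">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
</manifest>
"""

PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


def permissions_from_manifest(manifest_xml):
    """Return the permission names declared in a manifest, in declaration order."""
    return PERMISSION_RE.findall(manifest_xml)


def review(category, requested):
    """Compare requested permissions with the category baseline.

    verdict: "ok" (nothing outside the baseline), "review" (extra but benign
    permissions) or "alarm bells" (an extra permission grants a high-risk
    capability the app has no business needing).
    """
    expected = EXPECTED_BY_CATEGORY[category]
    unexpected = [p for p in requested if p not in expected]
    high_risk = [(p, HIGH_RISK[p]) for p in unexpected if p in HIGH_RISK]
    if high_risk:
        verdict = "alarm bells"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"unexpected": unexpected, "high_risk": high_risk, "verdict": verdict}


if __name__ == "__main__":
    perms = permissions_from_manifest(SCREENSAVER_MANIFEST)
    result = review("screensaver", perms)
    print(result["verdict"])
    for perm, capability in result["high_risk"]:
        print(f"  {perm}: {capability}")
```

The same `SEND_SMS` permission is fine for a messaging app and alarming for a screensaver, which is why the check keys on the gap between what the app does and what it asks for rather than on any single permission.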
Don’t EVER install a banking app from a link
Governments around the world have warned of the risk to consumers from ‘fake’ banking apps – either delivered on their own, or as part of an attack against a PC, where the malware attempts to fool users into downloading the fake app by delivering messages through bogus bank sites. An increasing number of PC Trojans target Android devices with fake banking apps – with several families of banking malware attempting to fool users into installing malicious apps via their PC’s browser – aiming to bypass two-factor authentication systems used by banking sites. Banking Trojan Hesperbot uses a malicious webpage to instruct users to enter their cellphone number and make, and attempts to install a malicious app that bypasses security systems. Your bank will NEVER distribute apps in this way – instead, download your bank’s app from Google’s Play, and ensure yours is up to date.

Paying for something with your phone? Be VERY careful
Up-to-date Androids such as Samsung’s Galaxy S4 and HTC’s One ship with an NFC (Near Field Communication) chip – a new technology designed to transmit data over short distances, and used in some countries, such as Chile, as a tap-to-pay system in stores. But point-of-sale terminals have become an increasing target for cybercriminals. Any technology used for bank transfers is a potential target of computer attacks. As this means of payment becomes more popular, malicious code may appear to steal information relating to these transactions. Be cautious about any means of storing money on your phone – such as Bitcoin wallets – or paying direct via NFC.

NSA ‘Intercepted PC Shipments To Install Malware’


The US National Security Agency (NSA) managed to sneak malware onto people’s PCs by intercepting them before they even shipped out of the country, according to previously top secret documents.
In an attack the NSA calls “interdiction”, the body can divert deliveries of machines to its own “load stations”, where it can either install software or hardware to spy on those computers. One document suggested this tactic was one of the “most productive” of the NSA’s hacking operations.
NSA hacking
The operations were carried out by the NSA’s Office of Tailored Access Operations (TAO), which has carried out numerous offensive hacking operations. Documents showed the body took on 279 missions in 2010, according to German publication Der Spiegel.
The revelations came a matter of days after a US judge declared the NSA’s hoovering up of phone metadata to be legal, contradicting a previous ruling that declared the actions “likely unconstitutional”.
A case brought by the American Civil Liberties Union (ACLU) was dismissed by Judge William Pauley III, who said the metadata collection was lawful under Section 215 of the Patriot Act and under the Fourth Amendment. The ACLU has promised to appeal, meaning a fight in the US Supreme Court is looking likely.
TAO has other sneaky ways of gaining access to targets’ machines. When a known machine is in need of a Windows update, TAO can determine what potentially exploitable flaws are resident on that PC.
The tools used by NSA agents carry names such as Angry Neighbour, HowlerMonkey and Waterwitch. The US government hopes to compromise around 85,000 computers with such offensive tools by the end of 2013.
The NSA told the German paper: “Tailored Access Operations is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies.” It would not respond to questions on the specific activities noted above.

Cyber-thieves using USB sticks in ATM robbery


The criminals cut holes in the machines in order to plug in USB drives that installed their code onto the ATMs.
Details of the attacks on an unnamed European bank's cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.
The crimes also appear to indicate the thieves mistrusted each other.
The two researchers who detailed the attacks have asked for their names not to be published.
Access code
The thefts came to light in July after the lender involved noticed several of its ATMs were being emptied despite their use of safes to protect the cash inside.
After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.
Once the malware had been transferred, they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.
To activate the code at the time of their choosing, the thieves typed in a 12-digit code that launched a special interface.
Analysis of software installed onto four of the affected machines demonstrated that it displayed the amount of money available in each denomination of note and presented a series of menu options on the ATM's screen to release each kind.
The researchers said this allowed the attackers to focus on the highest value banknotes in order to minimise the amount of time they were exposed.
But the crimes' masterminds appeared to be concerned that some of their gang might take the drives and go solo.
To counter this risk the software required the thief to enter a second code in response to numbers shown on the ATM's screen before they could release the money.
The correct response varied each time and the thief could only obtain the right code by phoning another gang member and telling them the numbers displayed.
If they did nothing the machine would return to its normal state after three minutes.
The researchers added that the organisers displayed "profound knowledge of the target ATMs" and had gone to great lengths to make their malware code hard to analyse.
However, they added that the approach did not extend to the software's filenames - the key one was called hack.bat.

Cyber criminals have been targeting consumer data entered in POS systems


When consumers purchase goods or services from a retailer, the transaction is processed through what are commonly referred to as Point of Sale (POS) systems. POS systems consist of the hardware (e.g. the equipment used to swipe a credit or debit card and the computer or mobile device attached to it) as well as the software that tells the hardware what to do with the information it captures.
When consumers use a credit or debit card at a POS system, the information stored on the magnetic stripe of the card is collected and processed by the attached computer or device. The data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account; it includes items such as the cardholder’s name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.

Description
POS Targeting

For quite some time, cyber criminals have been targeting consumer data entered in POS systems. In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming. In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.
As POS systems are connected to computers or devices, they are also often enabled to access the internet and email services. Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.
Impact
There are several types of POS malware in use, many of which use a memory scraping technique to locate specific card data. Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data. Stardust, a variant of Dexter, not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic. Researchers surmise that Dexter and some of its variants could be delivered to the POS systems via phishing emails, or the malicious actors could be taking advantage of default credentials to access the systems remotely; both are common infection vectors. Network and host-based vulnerabilities, such as weak credentials accessible over Remote Desktop, open wireless networks that include a POS machine, and physical access (unauthorized or misuse) are all also candidates for infection.
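The memory scrapers described above hunt for the Track 1 and Track 2 layouts introduced earlier. The same layouts let a defender check whether card data is sitting in cleartext in a process dump or a packet capture before an attacker finds it. This is an added example, not code from the alert or from any of the malware families named; the POS process name and the records in the sample dump are constructed, using the well-known test PAN 4111111111111111.

```python
import re

# Byte regexes for the two magnetic-stripe track layouts described above.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Memory dumps and packet captures are raw bytes, so the patterns are bytes too.
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^?]{2,26})\^"
    rb"(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?]{0,79}\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})\d{0,20}\?"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; filters digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the finding itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return one finding per Luhn-valid track record in buf, ordered by offset."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_valid(pan):
                continue                    # shaped like a track record, but not a real PAN
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": "20%s-%s" % (m.group("yy").decode(), m.group("mm").decode()),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample "memory dump" of a hypothetical POS process: two valid records
# for the test PAN 4111111111111111 and one decoy whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00\x00\x7f\x45"
    b"%B4111111111111111^DOE/JOHN^2512101123400000?"      # Track 1 record
    b"\x00\xff\x00\x00receipt printed\x00"
    b";4111111111111111=25121011234000000?"                # Track 2 record
    b"\x00\x00"
    b";4111111111111112=25121011234000000?"                # decoy: bad check digit, ignored
    b"\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print("track %d at offset %d: PAN %s, expires %s"
              % (hit["track"], hit["offset"], hit["pan"], hit["expiry"]))
```

Run it over a dump of the actual POS process (or a capture of the POS network segment) to confirm the application is not keeping track data in cleartext; a hit is the same signal Dexter and Stardust look for.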

Solution
POS System Owner Best Practices

Owners and operators of POS systems should follow best practices to increase the security of POS systems and prevent unauthorized access.
Use Strong Passwords: During the installation of POS systems, installers often use the default passwords for simplicity on initial setup. Unfortunately, the default passwords can be easily obtained online by cybercriminals. It is highly recommended that business owners change passwords to their POS systems on a regular basis, using unique account names and complex passwords.
Update POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.
Install a Firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
Use Antivirus: Antivirus programs work to recognize software that fits their current definition of being malicious and attempt to restrict that malware's access to the systems. It is important to continually update the antivirus programs for them to be effective on a POS network.
Restrict Access to Internet: Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats existing on the internet. POS systems should only be utilized online to conduct POS related activities and not for general internet use.
Disallow Remote Access: Remote access allows a user to log into a system as an authorized user without being physically present. Cyber criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.
Consumer Remediation
Fraudulent charges to a credit card can often be remediated quickly by the issuing financial institution with little to no impact on the consumer. However, unauthorized withdrawals from a debit card (which is tied to a checking account) could have a cascading impact to include bounced checks and late-payment fees.
Consumers should routinely change debit card PINs. Contact or visit your financial institution's website to learn more about available fraud liability protection programs for your debit and credit card accounts. Some institutions offer debit card protections similar to or the same as credit card protections.
If consumers have a reason to believe their credit or debit card information has been compromised, several cautionary steps to protect funds and prevent identity theft include changing online passwords and PINs used at ATMs and POS systems; requesting a replacement card; monitoring account activity closely; and placing a security freeze on all three national credit reports. A freeze will block access to your credit file by lenders you do not already do business 

Symantec on Network Time Protocol (NTP) reflection DDoS attacks

Security researchers at Symantec have spotted a series of Network Time Protocol (NTP) reflection DDoS attacks during the Christmas Holidays.
DDoS attacks are simple methods of attack that can cause serious problems for targeted systems; behind the term DDoS there are numerous techniques that attackers can use to reach their goals.
Last year the principal security firms observed a significant increase in DDoS attacks. The report issued by Arbor Networks on global DDoS attack trends for the first three quarters of 2013 provides an interesting overview of Internet traffic patterns and threat evolution. The data show constant growth in the number of attacks and in their efficiency: the analysts observed a significant increase (32%) in malicious traffic, with IPv4 traffic reaching a peak of 69Tbps, up from 47Tbps registered in Q2.
In particular, an increase has been observed in the adoption of the DDoS methodology known as Distributed Reflection Denial of Service (DrDoS), which essentially exploits misconfigured DNS (Domain Name System) servers to launch powerful DDoS attacks. The abuse of DNS systems is just one option for the attacker: security researchers at Symantec have spotted a new, insidious method of conducting DDoS attacks, as cyber criminals started a series of Network Time Protocol (NTP) reflection DDoS attacks during the Christmas holidays.
In the graph below it is possible to note that on December 16th nearly 15,000 IP addresses, likely belonging to a botnet, were observed to be involved in the Network Time Protocol (NTP) reflection DDoS attack.


The Network Time Protocol (NTP) is a networking protocol widely used for clock synchronization between systems over packet-switched, variable-latency data networks.
Network Time Protocol (NTP) implementations exchange timestamps using the User Datagram Protocol (UDP) on port number 123.
"NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks," states the Symantec post, highlighting how dangerous it is to ignore the evolution of each service used by our systems.
Exactly as in a DNS reflection attack, in a Network Time Protocol (NTP) reflection DDoS the attacker sends small spoofed 8-byte UDP packets to the vulnerable NTP server, requesting megabytes of data to be sent to the target IP address.
The Network Time Protocol vulnerability has already been assigned CVE-2013-5211; the attackers exploit the monlist command in their attacks.
"Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic," reports Symantec.
[root@server ~]# ntpdc -c monlist [hostname]
To protect an NTP server it is necessary to update it to NTP 4.2.7, a version that has removed support for the 'monlist' query, replacing it with a new, safe 'mrulist' function that uses a nonce value to ensure that the received IP address matches the actual requester.
"If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packets (which includes monlist)."
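Both the "small query, megabytes of reply" asymmetry and the "mode 6 and 7" wording above come from the NTP packet header, which is what a detection rule on a network sensor keys on. The following is an added example (not Symantec's code): a minimal NTP mode 7 decoder plus an aggregator that flags monlist queries and sums the reflected response bytes per destination. The packet samples, IP addresses and the hypothetical reflector are constructed; the request codes are those of the reference implementation.

```python
import struct

# Mode 7 is NTP's "private" mode used by ntpdc. MON_GETLIST_1 (42) is the request
# code behind "ntpdc -c monlist"; MON_GETLIST (20) is its older form.
MON_GETLIST, MON_GETLIST_1 = 20, 42
MODE7_REQUEST_NAMES = {MON_GETLIST: "MON_GETLIST", MON_GETLIST_1: "MON_GETLIST_1"}


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the leading byte every NTP packet shares (bits: xx VVV MMM = version, mode)
    and, for mode 7, the private-mode fields: R/M flags, sequence, implementation, request code."""
    if not payload:
        raise ValueError("empty NTP payload")
    b0 = payload[0]
    info = {"version": (b0 >> 3) & 0x07, "mode": b0 & 0x07, "length": len(payload)}
    if info["mode"] == 7 and len(payload) >= 8:
        info["response"] = bool(b0 & 0x80)            # R bit: set on replies
        info["more"] = bool(b0 & 0x40)                # M bit: more fragments follow
        info["sequence"] = payload[1] & 0x7F
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
        info["request_name"] = MODE7_REQUEST_NAMES.get(payload[3], "req_%d" % payload[3])
        err_nitems, mbz_size = struct.unpack_from(">HH", payload, 4)
        info["items"] = err_nitems & 0x0FFF           # monitor entries carried in this fragment
        info["item_size"] = mbz_size & 0x0FFF
    return info


def classify_datagram(payload: bytes) -> str:
    """Label a UDP/123 payload for a detection pipeline."""
    h = parse_ntp_header(payload)
    if h["mode"] == 7:
        if h.get("request_code") in MODE7_REQUEST_NAMES:
            return "monlist-response" if h["response"] else "monlist-query"
        return "private-mode-other"
    if h["mode"] == 6:
        return "control-query"      # ntpq traffic; 'noquery' blocks modes 6 and 7 alike
    return "time-sync"              # modes 1-5: ordinary client/server/broadcast packets


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector emitted per byte the attacker had to send."""
    return response_bytes / query_bytes


def summarize_reflection(datagrams) -> dict:
    """Aggregate (src_ip, src_port, dst_ip, dst_port, payload) tuples: count monlist queries
    and sum monlist response bytes per destination, which is where the reflected flood lands
    (the forged source address of the queries)."""
    report = {"monlist_queries": 0, "response_bytes_by_dst": {}, "other": 0}
    for _src_ip, _src_port, dst_ip, _dst_port, payload in datagrams:
        kind = classify_datagram(payload)
        if kind == "monlist-query":
            report["monlist_queries"] += 1
        elif kind == "monlist-response":
            by_dst = report["response_bytes_by_dst"]
            by_dst[dst_ip] = by_dst.get(dst_ip, 0) + len(payload)
        else:
            report["other"] += 1
    return report


# Constructed samples. The 8-byte query (VN=2, mode 7, implementation 3, request 42)
# is the shape the 8-byte packets mentioned above take; the reply fragment carries
# six 72-byte monitor entries, which is why one query yields hundreds of bytes back.
MONLIST_QUERY = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4
MONLIST_RESPONSE = struct.pack(">BBBBHH", 0x97, 0x00, 0x03, 0x2A, 6, 72) + b"\x00" * (6 * 72)
CLIENT_SYNC = bytes([0x23]) + b"\x00" * 47      # LI=0, VN=4, mode 3: normal 48-byte client request
SERVER_SYNC = bytes([0x24]) + b"\x00" * 47      # VN=4, mode 4: normal server reply

SAMPLE_DATAGRAMS = [                            # 198.51.100.5 = hypothetical open reflector
    ("203.0.113.9", 123, "198.51.100.5", 123, MONLIST_QUERY),        # forged source = victim
    ("198.51.100.5", 123, "203.0.113.9", 123, MONLIST_RESPONSE),     # reflected at the victim
    ("198.51.100.5", 123, "203.0.113.9", 123, MONLIST_RESPONSE),
    ("192.0.2.7", 54321, "198.51.100.5", 123, CLIENT_SYNC),          # legitimate time client
    ("198.51.100.5", 123, "192.0.2.7", 54321, SERVER_SYNC),
]

if __name__ == "__main__":
    report = summarize_reflection(SAMPLE_DATAGRAMS)
    for dst, nbytes in report["response_bytes_by_dst"].items():
        print("%s received %d monlist bytes (x%.0f amplification)"
              % (dst, nbytes, amplification_factor(len(MONLIST_QUERY), nbytes)))
```

On a real sensor the useful signal is any mode 7 response leaving your NTP server at all: after the 4.2.7 upgrade or a `noquery` restriction, that count should stay at zero.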

Yahoo serving malware through advertisements


A Dutch security company (Fox-IT) has found malware in the advertisements being shown on Yahoo. It seems that hackers found a way to leave malicious code in the advertisement module of Yahoo.
It seems that the ads.yahoo.com domain is serving the malicious code. The special thing about this malware is that it is being shown in the Yahoo e-mail inbox.
It is recommended to stay aware of these kinds of threats.

Could new malware steal data from INSIDE your SD card? Researchers claim even solid-state PC drives could be at risk

Two researchers have demonstrated an attack that could allow malware to alter and steal data direct from MicroSD cards, using tiny microcontrollers on the cards themselves. The attack could be used to copy or steal data – and even modify sensitive data such as encryption keys.
Even cards that have, in theory, been ‘erased’ could carry such malware, independent researchers Andrew “bunnie” Huang and Sean “xobs” Cross warned in a talk and blog post this week, and say that in high-sensitivity environments, the best way to dispose of such cards is with a “mortar and pestle”.
In a video demonstration, they describe the vulnerability, which could allow attackers access to “keys” used to access sensitive data, as perfect for “man in the middle” attacks. “Man in the middle” attacks intercept or alter data as it is transmitted, for instance by working within internet browser software, and are used in malware such as the advanced banking Trojan Hesperbot, analyzed by ESET researcher Robert Lipovsky here.
The researchers, who unveiled their technique at the Chaos Computer Congress in Berlin, say that the attack may well be possible against the solid-state drives increasingly used as a replacement for hard drives in PCs, or against the embedded memory in mobile devices such as smartphones, according to CNET's report.
“Some SD cards contain vulnerabilities that allow arbitrary code execution — on the memory card itself,” the researchers write. “On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else.”
The researchers claim that current memory cards are so riddled with errors that each ships with a microcontroller – and on some models, it is possible to force this controller to execute code. The controllers are put in place to manage the fact that flash memory is “riddled with defects” – the downside of such cheap, portable storage.
“Flash memory is really cheap. So cheap, in fact, that it’s too good to be true. In reality, all flash memory is riddled with defects — without exception. The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions,” the researchers say.
This means that every “managed flash” device – including, the researchers claim, “microSD, SD, MMC as well as the eMMC and iNAND devices typically soldered onto the mainboards of smartphones and used to store the OS and other private user data,” has a microcontroller that can be subverted, and that “similar classes of vulnerabilities exist in related devices, such as USB flash drives and SSDs.”
“Even the diminutive microSD card contains not one, but at least two chips — a controller, and at least one flash chip (high density cards will stack multiple flash die).”
The vulnerability comes due to the fact that manufacturers need to update code on these controllers, according to Boy Genius Report.
“In some cases, the microcontroller and its firmware are not secured,” the site reported, “Hackers who knew how to take advantage of this series of flaws… would be able to replace the default firmware on the microcontroller with malware.”
The researchers demonstrated an attack against two models of Appotech SD card which would allow a simple sequence of commands to 'force' the card to run the next 512 bytes of information it received as code – enough, the researchers say, to take over the card and run programmes of their own.
“From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller,” the researchers say.
“Those in high-risk, high-sensitivity situations should assume that a “secure-erase” of a card is insufficient to guarantee the complete erasure of sensitive data. Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”

Former UK government CIO defends NSA spying practices

UK government chief information officer John Suffolk
The UK government’s former chief information officer has defended the rights of nations to gather data and spy on citizens, although warned that there must be clear oversight into these practices.
John Suffolk, who left a post in the UK government in 2011 to become global cyber security officer for Chinese vendor Huawei, wrote in a blog post that nations must have the ability to scan data and try to protect citizens from any threats.
“I am quite clear I want my government to have as much data as possible. I want them to have the tools, techniques and resources to mine this data to stop a terrible event from occurring – stopping one event is good enough for me,” he said.
However, he admitted that it was vital that policies were in place from the highest level to protect private businesses from becoming government pawns.
“Having said that I want the legal frameworks to be in place, I want transparency, I want oversight and I do not want my government (or any government) to cross the line and weaken security for all by building in backdoors, weakening crypto or any of the shenanigans that have occurred with the American tech industry,” he said.
“The moment we confuse the role of the state in national security and the private sector in national security we are all doomed to a life where there are no holds barred.”
Nevertheless, Suffolk said that given the needs of governments to gather data, and the fact that many systems in use do not have the highest levels of protection, the ability for spy agencies to access data should not come as a huge surprise.
“In summary we need a little more realism about what security agencies do and their capability to attack and breach the security of companies and governments through any vendor’s equipment,” he said.
“No government will demand that every technology system they operate runs at top secret. No company will demand that every system they run is at top secret and few citizens will demand their phone, tablet, PC, etcetera runs at top secret. So we should not be surprised that the NSA has a catalogue of tools and techniques to break into vendors' equipment given this is what they do.”
Suffolk also used the revelations from the PRISM spying scandal and its fallout to urge the security sector to come together and work harder to improve standards.
“There are no internationally agreed security standards; there are no agreed standards on product verification; there are no agreed internal laws or standards of behaviour for governments to operate in the digital world," he said.
"In our view, it is paramount that the entire ecosystem of governments, industry and end users step up to collectively work on the problems and challenges we will face in the future.”
The comments come a few days after more data concerning the NSA's spying agenda was made public, with claims that it is working on a quantum computer to have the ability to crack any encryption codes.

Facebook sued for profiting from private message 'interception'

Facebook is facing yet more legal action as a result of its privacy practices, this time surrounding alleged "systematic interception" and commercial use of private messages sent between users on the site.
The case, which is being filed as a class action lawsuit in California, focuses on the ways in which Facebook makes use of links shared in its messaging system, something the claimants say contradicts the social network's promises of "private" messaging.
Claimants Matthew Campbell and Michael Hurley state that Facebook keeps a record of links being shared within its messaging platform, undermining the concept of a private experience. They claim it "enables Facebook to mine user data and profit from those data by sharing them with third parties - namely, advertisers, marketers, and other data aggregators".
The pair cite a 2013 study by Swedish security firm High-Tech Bridge, which found Facebook uses so-called "web crawlers" to study links shared in messages, the data from which is then seemingly used to build link previews and increment any Facebook 'Like' counters that feature on the page being shared. From this, the claimants extrapolate that Facebook is profiting commercially from private messaging data.
The case states that Facebook's user agreement does not make any mention of such methods. This would leave the firm in breach of the 1986 Electronic Communications Privacy Act, which forbids acts such as wiretapping without court consent. Whether this act applies to internet communications made on a commercial platform remains to be seen.
Campbell and Hurley are seeking a sum of $100 for every day Facebook breached the Electronic Communications Privacy Act for each user affected. That amounts to any US user who has sent a link via a private message since the practice has been in effect, which could add up to a hefty amount.
In a statement shared with V3, Facebook said that it would defend itself "vigorously" and that the claims were "without merit".
In 2013, Google came under fire for displaying advertising based on a user's Gmail inbox. However, it rebuffed criticism by saying users should not expect complete privacy in an email service. In Facebook's case, there are no specific mentions of its use of the content of users' messages in any of its user agreements.
Class action suits against the social network have worked in the past. Facebook paid out $20m in compensation in a 2013 case relating to the use of users' images in advertisements.

NSA building quantum computer to crack any encryption codes

Artist's impression of quantum data - Stephanie Simmons (CC BY)
The National Security Agency (NSA) has been working on a quantum computer that would enable it to crack almost any encryption code as part of its wide-ranging surveillance operations.
The Washington Post revealed the information based on documents handed over by whistle blower Edward Snowden, claiming that the work is being carried out under a programme called ‘Penetrating Hard Targets’.
The work is being carried out in Maryland, as part of an $80m research project that would give the US government a massive advance in the field of quantum computing.
Quantum computing is based on the notion that data is held in two states at once – as ones and zeroes – so it can perform multiple calculations simultaneously. This could create computers with huge power, able to crack even the toughest encryption codes.
As such, the value of this technology to an agency like the NSA would be enormous. However, even with its clout and vast budget it is likely to find the task a huge challenge, given the complexity of quantum computing.
This was a point made by Scott Aaronson, an associate professor of electrical engineering at the Massachusetts Institute of Technology, when speaking to the Post.
“It seems improbable that the NSA could be that far ahead of the open world without anybody knowing it,” he said.
However, despite the difficulties it poses, quantum technology is growing in understanding, with the world record for how long data can be held in a quantum state rising to 39 minutes last November.
The University of Bristol, meanwhile, currently offers its own cloud-based quantum computer, open to anybody who wishes to conduct their own experiments.
Based on these examples, the NSA could well be making good progress with its project, although it has not made any statement relating to the revelations.

FireEye pays $1bn for Chinese APT hacker trackers Mandiant

FireEye has acquired security firm Mandiant in a $1bn deal that is designed to offer its customers improved protection against advanced cyber attacks.
The deal is a notable coup for FireEye as Mandiant hit the headlines last year when it reported linking over 141 advanced cyber attacks on Western companies to a Chinese military unit based in Shanghai's Pudong district in 2013.
The acquisition will see FireEye integrate Mandiant's existing endpoint threat detection and response technologies into its Oculus threat prevention platform. The deal follows a wider partnership by FireEye and Mandiant. In April 2012 Mandiant became a strategic alliance partner of FireEye.
Chief executive of FireEye, David DeWalt, said the combination of technologies will help it offer a raft of key services to companies that are facing an increasing number of advanced threats targeting their systems.
"Organisations today are faced with knitting together a patchwork of point products and services to protect their assets from advanced threats," said DeWalt.
"Together, the size and global reach of FireEye and Mandiant will enable us to innovate faster, create a more comprehensive solution, and deliver it to organisations around the world at a pace that is unmatched by other security vendors."
The deal will see Mandiant's founder and chief executive officer, Kevin Mandia, become senior vice president and chief operating officer of FireEye.
The deal follows signs that the cyber threat facing businesses will escalate in 2014. In December, widespread reports claimed the Israeli and Saudi Arabian governments are working to create a new, even more destructive variant of the notorious Stuxnet malware.
Already in 2014, both Snapchat and Skype have been hit by hackers, as the risks posed to firms of all sizes and in all sorts of industries, continues to escalate.

PRISM: Fallout from NSA internet spying scandal will linger throughout 2014

For years governments have been wrestling with the question of how to deal with the internet.
As noted by numerous politicians - including vice president of the European Commission Neelie Kroes - the internet's free, international, border-crossing nature boasts huge business benefits.
But, as with all powerful things, it also has the potential to cause great harm by opening up businesses to cyber threats, including the risk of theft of corporate and customer data.
These concerns reached new heights in 2013 as news of the PRISM data-gathering campaign surfaced. It proved businesses not only face a challenge to protect customer data from crooks, but also from their own governments.
The PRISM scandal first broke in June 2013, when ex-CIA analyst Edward Snowden leaked documents showing that government bodies, including the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ), were siphoning vast amounts of web user data from metadata treasure troves such as Google, Yahoo, Microsoft, Apple and Facebook. As yet, the full details remain unknown. The NSA said in a public report that agents investigated 0.00004 percent of the world's web traffic during their missions, but this is still a big chunk of user data.
This 'reveal' remains of little comfort to businesses, because even now at the start of 2014 the key firms cannot legally reveal what data the NSA took from them.
The US Foreign Intelligence Surveillance Act (FISA) gives the NSA free rein to force businesses to share information stored on their networks, but this also means the companies that receive FISA requests are banned from disclosing any information about them.
Even worse, as noted by Yahoo chief executive Marissa Mayer during an interview at the TechCrunch Disrupt conference, the companies that break the gag orders not only put their ability to operate in the US on the line, they risk landing their executives in jail.
This makes it hard to fully evaluate the scale of the problem, what sort of data is being targeted by the NSA and to what level. Furthermore, it means the companies involved have their reputations tarnished as well. At a time when cloud computing services are helping businesses save costs and work more productively, this setback could make firms wary of providers.
This was noted by Kroes soon after the scandal broke, when she pointed out that the US government's attitude to privacy could have disastrous consequences. "If businesses or governments think they might be spied on, they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out," she said.
The year ahead
Kroes's comments are more relevant than ever in 2014. This is because in August 2013, Kroes's warning was proved right when reports broke that the Chinese government planned to investigate IBM, Oracle and EMC, following concerns that the NSA could be using those vendors' technologies for cyber espionage. Even now, months on, many companies are still working hard to be more transparent about what requests they received from the NSA, and are also taking defensive measures designed to make it more difficult for the agency to get the data.
This has included a number of court cases against the NSA from Microsoft, Google and Yahoo. Google also rushed to encrypt information stored in, and passing through, its data centres in a bid to protect its customers from snooping government agencies.
While the companies' proactive attempts to help fix the problem are a positive, it is unlikely that they will be particularly effective any time soon. More revelations have shown that some of the most widespread encryption methods used to secure the web, including HTTPS and SSL, have been cracked by government agencies, showing that they are not above taking companies' data by force.
For this reason, as noted by numerous security professionals, such as Silent Circle chief executive Mike Janke, if this issue is going to be solved, open conversations about privacy and data protection have to start again.
"We have to educate the world about what's going on, about how much of people's privacy is gone - which is most of it - and actually have a calm conversation with governments to try and get it back," he said.
Since then Facebook founder Mark Zuckerberg has mirrored Janke's sentiment by arguing for governments around the world to be more transparent about what data they collect.
"What I can tell from the data that I see at Facebook is that I think the more transparency and communication the government could do about how they're requesting the data from us, the better everyone would feel about it," Zuckerberg said.
"From reading in the media, you couldn't get a sense whether the number of requests that the government makes is closer to 1,000 or closer to 100 million. I think the more transparency the government has, the better folks would feel."
However, there is some hope that European businesses will gain some power back in this situation. EU justice commissioner Viviane Reding has called for key changes to the European Data Protection Regulation currently being debated that would minimise and monitor what data can be taken from an EU-based server to a US one.
"The Regulation includes clear rules on the obligations and liabilities of cloud providers who are processors of data. As PRISM has shown, they present an avenue for those who want to access data," said Reding.
While these measures would not make businesses impenetrable to government snooping, they would at least mean companies can actually show what data is being siphoned by groups such as the NSA.
Hopefully Reding's call for change will be heard and implemented in 2014, and the PRISM revelations will finally serve as a wake-up call for better privacy laws, not as a death knell for international trust as they currently stand.

Syrian Electronic Army hacks Skype blog and Twitter account

The Syrian Electronic Army (SEA) has hacked into Skype's blog and Twitter account, which resulted in messages slamming parent company Microsoft's privacy practices and criticising spying.

Skype has reassured users that none of their data was compromised during the attack on its Twitter account and official blog.
Hacktivist group the SEA has claimed responsibility for the messages posted on the Twitter account, which has more than three million followers. One tweet said: "Don't use Microsoft emails (hotmail,outlook). They are monitoring your accounts and selling the data to the governments."
Posts were also made on Skype's blog, which runs on WordPress, under the byline of Skype's content marketing manager Shana Pearlman. Skype's blog is entirely inaccessible at the time of writing, having previously displayed blog posts containing the same text as seen in the rogue tweets. "Hacked by the Syrian Electronic Army.. Stop Spying!", another post said.
Skype's Twitter account later posted this message after deleting the offending tweets:
Before Christmas, the New York Times reported that both its staff and journalists from other news outlets including CNN had been sent phishing links attempting to trick users into entering username and password details into an online form, action it attributed to the SEA following an FBI notice warning media organisations of the group's intentions.
The SEA has a track record of such actions, infamously gaining access to the Associated Press' Twitter feed and subsequently sending tweets reporting explosions at the White House. High-profile hacks have also seen Twitter feeds at The Washington Post, The Telegraph and the Financial Times compromised, leading to calls for Twitter to allow users to enable two-factor authentication, which effectively renders a stolen password useless without access to a one-time code sent to either a phone or an email address.
Sophos security advisor Chester Wisniewski speculated in a blog post that Skype's woes could have been avoided by enabling the security feature.
"Microsoft, would you care to explain why you apparently are not using it?" he said. "I suppose this can be a lesson to the rest of us. Take advantage of the safety net of two-factor authentication whenever possible. While it may be less than perfect, so are you."
Such a basic method of gaining access to such a high-profile company's online presence is another warning shot to businesses that rely on external social media platforms: simple human error and naivety are often the easiest way to compromise otherwise strict security practices.

Hackers post 4.6 million Snapchat users’ phone numbers online

Hackers have posted the contact details of over 4.6 million Snapchat users online in a high-profile security incident that underlines the threats facing firms of all sizes for the year ahead.
The hackers posted the information on a website called SnapchatDB.info on Wednesday. At the time of publishing, the website had been taken offline and Snapchat had not replied to V3's request for comment on whether a breach had occurred.
TechCrunch reported the owners of SnapchatDB confirmed the hack was done to force Snapchat to fix an ongoing flaw in its security.
"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does," read the statement.
The flaw was reported in late December by Gibson Security. Gibson Security later published the exploit online, claiming Snapchat was not adequately addressing the flaw. The hackers mirrored Gibson Security's sentiment confirming they used the exploit in the attack.
"We used a modified version of Gibson Sec's exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibson Sec's private communications, yet they didn't. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data," they noted.
"Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent."
The hackers moved to stop other malicious users using the leaked information by removing the last two digits of the compromised phone numbers.
Snapchat is a popular photo and video sharing service. It lets users send photos and videos that automatically delete themselves after being viewed. Snapchat is listed as raising $123m in funding since launching two years ago.
Snapchat is one of many communication services hit by hackers in recent days. The Syrian Electronic Army hacked Skype's Twitter and blog, forcing it to post anti-Microsoft messages earlier this week. The breaches are a sign that the number of cyber attacks targeting businesses will continue to grow in 2014.

Happy New Year from Cyberinfocts Community

On behalf of Cyberinfocts Community we wish you all a very happy and healthy New Year. The New Year is a blank slate full of possibility. It is a time to look back and rejoice in what we have accomplished. And it is a time to look forward, with hope and optimism.

I know that we can achieve anything that we put our minds to, individually and as a team. Let's use our limitless energy, initiative and imagination to build the mighty future we see before us. Everything we do, we do for our children and for each other, to make sure that we are all healthy, successful and secure, and the cyber space we live in is safe, prosperous and happy.

Happy New Year Everyone.