IT security is a dynamic environment; every company and person needs to protect their assets in order to achieve their goals. This blog focuses on that and on other security topics, such as information security, ethical hacking and vulnerabilities, among others.
11 July 2012
22 March 2012
Did you know that tagcloud.swf allows Cross-Site Scripting?
I would like to warn you about security vulnerabilities in the WP-Cumulus plugin for WordPress.
These are full path disclosure and cross-site scripting (XSS) vulnerabilities. XSS is a web-application vulnerability that allows attackers to bypass the client-side security mechanisms normally imposed on web content by modern web browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
Full path disclosure:
http://site/wp-content/plugins/wp-cumulus/wp-cumulus.php
XSS:
http://site/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
The code executes after a click, so it is strictly a social-engineering XSS. There are a lot of vulnerable tagcloud.swf files on the Internet (according to Google):
http://www.google.com.au/search?q=filetype:swf+inurl:tagcloud.swf
So to all Flash developers, I recommend that you attend to the security of your Flash files. And to the owners of sites with vulnerable Flash files like tagcloud.swf: fix them, or turn them over to your development team to fix.
Kind Regards,
Alfredo Cedeno
IT Security Analyst & Advisor
http://ajcborges.blogspot.com
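As a defender-side complement to the advisory above, here is an added example (not part of the original post and not WP-Cumulus code) that scans combined-format web server access-log lines for the two request shapes the post describes: a direct request to wp-cumulus.php, and tagcloud.swf called with a tagcloud query parameter that carries script markup. The log lines are constructed samples; the plugin paths are the ones quoted in the post.

```python
"""Spot WP-Cumulus probing in an Apache/Nginx combined-format access log.

Added, illustrative example; not code from the original post or from the
WP-Cumulus plugin. It flags the two request shapes the advisory describes:
a direct request to wp-cumulus.php (full path disclosure) and a request to
tagcloud.swf whose 'tagcloud' query parameter carries script content.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Legitimate tag XML contains <a href="http://..."> links; script URLs,
# inline event handlers and <script> tags never belong there.
SCRIPT_MARKUP = re.compile(
    r"(javascript\s*:|vbscript\s*:|data\s*:|<\s*script|\bon[a-z]+\s*=)", re.I)


def inspect_request(path):
    """Return a reason string for a suspicious WP-Cumulus request, else None."""
    parts = urlsplit(path)
    if parts.path.endswith("/wp-cumulus/wp-cumulus.php"):
        return "direct request to wp-cumulus.php (full path disclosure probe)"
    if parts.path.endswith("/wp-cumulus/tagcloud.swf"):
        # parse_qs percent-decodes values and turns '+' into spaces
        for value in parse_qs(parts.query).get("tagcloud", []):
            if SCRIPT_MARKUP.search(value):
                return "tagcloud.swf called with script markup in tagcloud parameter"
    return None


def scan_log(lines):
    """Return (ip, path, reason) for every flagged request in the log lines."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        reason = inspect_request(match.group("path"))
        if reason:
            hits.append((match.group("ip"), match.group("path"), reason))
    return hits


# Constructed sample log lines: one normal page view, one normal swf fetch,
# one probe of wp-cumulus.php and one tagcloud.swf request carrying a script URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Mar/2012:10:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Mar/2012:10:14:03 +0000] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=123 HTTP/1.1" 200 30288 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Mar/2012:10:15:22 +0000] "GET /wp-content/plugins/wp-cumulus/wp-cumulus.php HTTP/1.1" 500 612 "-" "curl/7.21"',
    '198.51.100.7 - - [22/Mar/2012:10:15:40 +0000] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href%3D%27javascript:alert(1)%27%3Eclick%3C/a%3E%3C/tags%3E HTTP/1.1" 200 30288 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\n\t{path}")
```

The check deliberately decodes the query string before matching, because the payload in the advisory arrives percent-encoded and a raw substring match on the log line would miss it; a normal tagcloud.swf fetch (with or without a cache-buster) is left alone.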
21 March 2012
Phishing gang steals victim's life savings of $1.6M
By Tom Espiner, ZDNet UK, 15 March 2012 16:09
The 12 men and two women were detained on Thursday morning in raids in London and the West Midlands. More arrests may follow in the coming days, according to Metropolitan Police Central eCrime Unit (PCeU) head Charlie McMurdie.
"These were dawn raids," McMurdie told ZDNet UK. "Enquiries are still ongoing regarding potential further arrests."
The phishing gang sent out unsolicited emails with links to a fake banking website. It used a series of bank accounts assigned to individual 'money mules' to launder £1m siphoned from the life-savings account of one woman who had divulged her details. The cash was transferred via the internet, the Metropolitan Police said in a statement.
"The stolen money was spent over a three-day period, after suspects embarked on a spending spree during the Christmas sales," the Met said. "The victim, a UK citizen currently living abroad after relocating to care for an ill relative, saw her savings disappear overnight after her bank account details were illegally obtained and unauthorised access to the account was gained."
The suspected 'money mule' launderers received between £9,000 and £75,000 each from the account. All of the 14 suspects were in custody at the time of writing, according to the Met.
Around 150 police officers were involved in the operation. They included members of the PCeU, 50 special constables, and police from three regional e-crime hubs in the East Midlands, York and Humber, and the North West.
"We wanted to make the best use of resources in relation to where the suspects were located," McMurdie said.
The police said the "sophisticated" phishing operation highlighted the need for people to take care when doing banking online, warning the public not to click on links in unsolicited emails.
"This is an example of how cybercrime creates real victims through the indiscriminate actions of the criminals involved," Detective Inspector Stewart Garrick said in the PCeU's statement.
Article source: Dawn raids net 14 suspects in £1m phishing theft, Security Threats | ZDNet UK, http://goo.gl/MYzKu
15 February 2012
Identify a Phishing Message in Five Steps
From IT Business Edge
Spear phishing, a type of email spoof, targets individuals or departments within organizations and attempts to elicit a desired action that could install malware, compromise login names and passwords, and steal data. Use Paul Mah's simple checklist to spot potential phishing messages.
From the network breach at RSA to theft of intellectual property in
Operation Aurora, it is no secret that some of the most visible hacking
involves the use of spear phishing. A targeted form of phishing that is
custom-made for a specific organization, a spear phishing email message
seeks to elicit a desired action that could result in a Trojan being
loaded, or the unintended leaking of confidential or privileged data.
As Paul Mah has written in the past, defending against spear phishing is a challenging task that mandates some amount of user training. To assist organizations on this front, Paul has come up with a simple checklist to help identify a potential phishing message.
To access Paul's checklist, visit the following URL: http://goo.gl/lmpZR
14 February 2012
This February 14 be a Valentine not a Victim
As Valentine’s Day approaches, Better Business Bureau of Southern
Arizona warns that Cupid’s arrow may be aimed directly at consumers’
wallets. Those who find themselves awash in love’s emotion should
remember that con artists thrive on the fact that emotion can trump
logic.
There are three categories of scams that we all should be aware of at this romantic season as well as throughout the year.
Online Dating
Their photo may be attractive and their story may sound compelling
but that person you met through an online dating site may turn out to be
the very opposite of your soul mate. Photos, profiles and stories can
be easily faked on dating sites. One common tactic is to claim to be a
successful overseas businessperson with no family.
After what seems like sincere conversation in which many questions
are asked of you, the scammer can skillfully employ psychology to say
precisely what you want to hear.
Once the ice is broken and a comfort level has been reached on your part, the heart of the matter is arrived at: they need financial assistance. They may want you to cash a check for them or otherwise help them out of a financial difficulty. It could be travel expenses, medical expenses or some other type of debt. At any rate, it is your money rather than your heart that they are after. MoneyGram, one of the major global money transfer companies, has estimated that romance scams defraud victims of over $10,000 for each occurrence. For those so victimized, whatever the amount, a website called romancescams.org can be helpful.
Online Florists
When love is in bloom many rely on the traditional symbol of
thoughtfulness, the bouquet, to convey their feelings for that special
person. But be aware that online florists are not always reliable. If
the flowers that are actually received by your loved one are inferior
arrangements from those ordered, or even not delivered at all, it can be
a wilting experience.
Scammers may send you emails saying that the flowers you ordered cannot be delivered unless you log in to their site and re-enter your credit card information. These emails are sent out in large numbers, hoping to eventually find the inboxes of someone who has really sent flowers to their sweetheart. They are playing on consumers’ emotions by planting the fear that the bouquet may not reach the intended recipient and that person will feel forgotten on Valentine’s Day. If you think the message may be legitimate, go to the florist’s website or give them a phone call, using the original site from which you ordered rather than the link in the email.
The best way to assure that flowers reach your beloved just as you
ordered them is to rely on a local florist. A website devoted to
uncovering florist scammers can be found at floristdetective.com.
E-card Scams
Phishing attempts abound around the e-card industry. A frequently
used technique is to email a message saying you have a card waiting to
be viewed. You are then directed to a fake website that resembles a
popular site like Hallmark or American Greetings.
Once you are there a prompt tells you to download the latest version
of Flash Player in order to view the e-card. Click that link and a virus
is quickly downloaded and attacks your computer. Instead of having your
loved one steal your heart, a scammer has stolen your identity.
Consumers should always exercise care in opening emails, links or
attachments from those you do not know. Especially suspicious are
unsolicited messages with subject lines saying “Someone just sent you an
e-card” or “Send your loved one a Valentines Card today.”
Avoid becoming victimized by scammers who rely on the old adage that
“love is blind.” Keep a clear head and open eyes this Valentine’s Day.
Contact BBB by calling (520)888-5353 with questions or concerns if you
think someone is going less for your heart and more for your wallet.
Source Article: http://goo.gl/zaSED by bbbconsumeralert
13 February 2012
Hackers Ask 'Will You Be My Valentine?'
by Tony Bradley (PC World (US online))
With Valentine's Day around the corner, cyber criminals are ramping up
spam, phishing, and other attacks targeting the lover's holiday.
There are only five days to Valentine's Day. Those
of you who are shocked by that revelation are prime targets for
Valentine's Day related spam and phishing attacks as hackers hope to
catch you with your guard down for this day of romance.
Messages targeting Valentine's Day are expected to quadruple globally in the coming days -- in part because cyber criminals are adept
at targeting holidays and current events as bait for attacks. An offer
for a dozen roses for $5 might get some traction any time of the year,
but with the clock quickly counting down to Valentine's Day it has much
higher odds of duping frantic lovers in search of a last minute gift.
A blog post from McAfee
warns, "Many consumers look for a little romance on Valentine's Day,
whether it is a thoughtful gift, a romantic getaway, or a heartfelt
e-card, but if you're looking for these things online, beware."
McAfee points out a number of types of Valentine's Day themed threats you should be aware of:
Phishing Scams
Attackers will send out spam promoting bargains for flowers, romantic dinners, jewelry, or other Valentine's Day gift related themes. Clicking on the offer might take you to a malicious site that could compromise a vulnerable PC, or it could take you to a site that looks legitimate and asks for your credit card and other personal information to "complete the order".
Malicious eCards
Any holiday that traditionally involves giving and receiving cards is a prime target for cyber criminals. Everyone loves to receive a personalized greeting card -- especially if it seems to be from someone that may be romantically interested.
Seriously, though, what are the odds that someone you don't know decided to send you an ecard for Valentine's Day out of the blue? Right.
Mr. (or Mrs.) Wrong
Another scam to watch out for is fake profiles on online dating sites. Cyber criminals create online dating profiles designed to be as attractive as possible to lure unsuspecting love seekers. The idea is to make connections and establish trust as a means to further criminal activity.
McAfee outlines some additional
threats to watch out for in its blog post. To steer clear of Valentine's
Day cyber threats, follow the basic principles of online common sense.
Don't open emails or file attachments, or click on links from people or
sources you are not familiar with -- and even if you do know the
sender, think twice about whether that person would really send you a
Valentine's Day email.
Another basic rule is
that if it sounds too good to be true, it probably is. Don't fall for
unbelievable last minute Valentine's Day gift ideas no matter how
desperate you are for a gift.
Protect your wallet, your identity, and your heart by avoiding Valentine's Day cyber scams.
Source Article: http://goo.gl/NEVuU
10 February 2012
Free Email Providers Launch DMARC.org To Prevent Phishing Scams
Leading free email providers like Google, Microsoft and Yahoo are teaming up in an effort to prevent “phishing” scams. As WWJ’s Rob Sanford reports, the unprecedented effort was announced this week.
The companies have created a working group – DMARC.org – to promote a standard set of email technologies that they say will lead to more secure email.
According to its website, DMARC, which stands for “Domain-based
Message Authentication, Reporting & Conformance,” standardizes how
email receivers perform email authentication. This means that senders
will experience consistent authentication results for their messages at
AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing
DMARC.
With the rise of the social internet and e-commerce, spammers have a
tremendous financial incentive to compromise user accounts, enabling
theft of passwords, bank accounts, credit cards and more. Email is easy
to manipulate and criminals have found spoofing to be a proven way to
exploit user trust of well-known brands. Simply inserting the logo of a
well-known brand into an email gives it instant legitimacy with many
users.
CNET executive editor Molly Wood said phishing is threatening the legitimacy of email.
“I think it’s hard sometimes for these companies to work together.
They don’t always think it’s in their best interest to come together,
but I think it’s gotten to the point now where phishing scams are so
prevalent, that all of these companies are worried that their customers
are going to stop trusting their legitimate email,” said Wood.
The arrangement will not stop all spam or phishing but will stop what
they call a “significant chunk” of malicious messages sent.
DMARC helps email senders and receivers work together to better
secure emails, protecting users and brands from painfully costly abuse.
Find more information at DMARC.org.
Source: http://cbsloc.al/zhdnzo
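The post above describes DMARC only in outline. The following is an added example, not code from the page or from DMARC.org, showing in Python what a receiving mail server actually does with a published DMARC record: parse the tags of the TXT record found at _dmarc.<From-domain>, check whether the domain that passed SPF or DKIM aligns with the visible From domain, and apply the p/sp policy when neither aligns. The record, the bigbluebank.example / onlinesvc.example domains and the results are constructed sample values, and the organisational-domain rule is simplified to the last two labels instead of a Public Suffix List lookup.

```python
"""DMARC record parsing and policy evaluation.

Added, illustrative example (not DMARC.org's or the page author's code).
A receiver fetches the TXT record at _dmarc.<From-domain>, then treats the
message as DMARC-passing when SPF or DKIM passed *and* the domain that
passed aligns with the RFC5322.From domain; otherwise it applies the
published policy. All records, domains and results below are constructed.
"""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record: v and p tags are required")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organisational domain, simplified (assumption) to the last two labels.
    A real receiver consults the Public Suffix List, e.g. for example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, record_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the
    d= value of the signature that verified. Results are 'pass' or 'fail'.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # Failure: the From domain itself gets p=, a subdomain of it gets sp=
    policy = record["p"] if from_domain.lower() == record_domain.lower() else record["sp"]
    return False, policy


if __name__ == "__main__":
    # Constructed record for a hypothetical bank domain
    rec = parse_dmarc_record(
        "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@bigbluebank.example")
    # Genuine mail: SPF passed for a relaxed-aligned subdomain
    print(evaluate(rec, "bigbluebank.example", "bigbluebank.example",
                   "pass", "mail.bigbluebank.example", "fail", None))
    # Spoofed From: SPF and DKIM both pass, but for the spammer's own domain
    print(evaluate(rec, "bigbluebank.example", "bigbluebank.example",
                   "pass", "onlinesvc.example", "pass", "onlinesvc.example"))
```

The second call is the case the post is about: a spammer can make SPF and DKIM pass for a domain they control, but because neither aligns with the brand's From domain, a receiver honouring p=reject drops the message rather than delivering it with the bank's logo.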
09 February 2012
I will NEVER ask for your password
There are a lot of bad things on the Internet, and few are worse than
phishing scams. But there is a certain class of phishing scam that has
earned a special level of disdain and disgust, at least from me. I’m
talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.
Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any
service, you can be sure, without a shadow of a doubt, that the email
is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing
scam using the “Mark As” menu.)
Phishing scams
Spammers want to send spam. That’s what they do. As I said in my last post,
we’ve made it hard for them to send spam with new accounts due to the
effectiveness of our account reputation work. So, spammers have turned
to hijacking customer accounts in order to send more spam.
Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, Voila! Your account (and reputation) is hacked.
Spammers do this on all networks and all
services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not
discriminate, and no service is immune.
How my picture got out there
Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.
About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.
That decision has really come back to haunt me.
A gift to spammers
Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”
This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:
The bottom of that same email looks like this:
Yep. That’s me, all right. But that email is definitely not from me.
Even smart people fall for it
Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.
Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:
Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.
The telltale signs of a phishing message
As I’ve said, any
email that asks for your password is a phishing scam and shouldn’t be
trusted. You don’t need to look any further to know the message is a
fake. Nonetheless, it’s interesting to see how “creative” the scammers
can get. Here are some tactics scammers use to get people to provide
their account info:
They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:
They provide a bogus reason for needing your password.
The messages usually contain an introduction that offers a false
explanation about why they need your password. Some of my favorites
include:
- “We are currently upgrading our data base and e-mail account center.”
- “We are deleting all unused accounts to create more space for new accounts.”
- “We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better.”
- “We are having too many congested email due to the anonymous registration of Hotmail Msn-Live Accounts in our database system.”
Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.
They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:
- Some variation of “Account Alert!!!”, or “Account upgrade alert,” or “Email account alert.”
- Some variation of “Account renewal process,” or “Verify your account details.”
- Some variation of “Email Warning!!!”, or “Verify your email now to avoid being closed!!!!!”
(Scammers really like to use exclamation points!!!! A lot!!!)
They send the email from a bad “From” address.
The “From” address in the email is often a dead giveaway. At a glance,
it might look like you’ve gotten mail from the Hotmail Team. But if you
look at the actual email address, it’s almost always something fishy
(phishy?). Typically, scammers just use the name of a Hotmail customer
account.
Get educated, educate others
In a perfect
world, no one would ever give out their password, and the phishing scams
would be ineffective, and would just stop. You’ve already taken a step
to helping us get there by reading this post, and now you can help pay
it forward by educating others.
Any email that asks for
your password is a phishing scam. If anyone ever asks you, “Hey, is this
email legit?” just say, “If it asks you for your password, then it is
absolutely, definitely, without question a scam! Report it as junk!”
As a final note, some of you might be wondering, Why can’t Hotmail detect these scams?
We can detect these scams and do detect many of them. But it’s just a
numbers game, and spammers are capable of producing a huge volume of
phishing scams, with enough variation in the text and images to fool our
filters a small percentage of the time. In addition, it’s important for
us to keep the false positives low – meaning that we don’t want to
mistakenly identify a legitimate email sent from a good user as spam.
So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.
08 February 2012
Sir Spamalot and Lady Phishing
I am a millionaire. Actually, I’m a
multi-millionaire. Or rather I could be if I helped the honorable Mr.
Nagumba get his money out of Nigeria, or helped Barbara get her money
out of Brazil, or picked up my unclaimed lottery winnings, or helped
another half dozen people in the last month.
I have won $1500 several times a day for the last few months. I have
won a new car. I have important packages waiting to pick up from FedEx
and UPS. I am being audited by the IRS and they sent me an attachment
that included an executable notice with instructions. I won a 15 day
cruise if I qualified – they only needed a credit card number to confirm
my identity and that I am over 18. I can get my teeth whitened or Lasik
eye surgery for 80% off. I have qualified for a special deal on a new
BMW 335 with experimental pricing, and can get in a brand new one for
under $15,000. Two of my credit cards have been compromised so I needed
to log onto the included website to verify and change my account
information. As a matter of fact, another credit card that I don’t even
have was also compromised, and I needed to log on there too. One of my
bank accounts appears to have some out-of-date information associated
with it. I can get really cheap Viagra (sic) cheap online, Heather
thinks I’m hot, and there seems to be way too many people interested in
my manhood.
My personal spam folder is pretty thin. I try to trim spam
aggressively. Just in the last 24 hours I have received 42 emails. Three
from family, 21 advertisements from retailers (it’s beyond me why I
need a daily reminder from a retailer telling me that they are still
open and selling the same stuff they’ve been selling for the last five
years), and 18 spam. Now, I have no idea how much spam my ISP trims
before it even gets to me, but I assume it is a lot. A quick search
shows unofficial estimates that spam is somewhere between 60 and 97% of
all email sent. By the best accounts I can find, that means around 40
billion spam emails every day (give or take a few billion). The numbers
are down slightly from 2010 partially because three botnets (Rustock,
Lethic, and Xarvester) have been somewhat throttled. The closure of spam
specialist Spamit helped as well. But, as we all know, spam has not
gone away.
Unfortunately, spam means money. Spam brings with it a variety of
issues, but it also delivers chunks of money and other opportunities to
those who generate it. Pay-per-click sites still exist, and if you send
100 million spam messages and get 1% of recipients to click through –
ka-ching! Say you send 50 million spam messages that contain a link for a
free virus scan, and you can get .5% of those recipients to follow
through with a fake purchase for ONLY $29.99 – that’s $7.5million –
ka-ching! Credit card information is not worth what it used to be, but
if you can send 100 million fake “change your password” notices to
BigBlueBank customers, and 1% of them go through your fake link and
update their password – ka-ching! And even if they can’t get something
from you, maybe they can compromise some low percentage of recipients
with a Trojan or sniffer. The numbers add up quickly because of volume.
But spam and phishing emails are not always obvious, are they? Well, some of them are. If the email subject line includes things like “Cialis” or “Replica Handbags”, I think the chances it is spam are probably something around 100%. But do we always know? I included an example of a recent phishing email I received (names have been changed). It looks pretty good at a glance, but there is a lot wrong with it if you pay attention.
Let’s look through it in detail.
Let’s work on the premise that the logo and all the colors are
correct, and that at a glance, this looks authentic – it appears to be
an email from BigBlueBank, where you have an account registered with
online access. What is wrong with the email?
1. BigBlueBank Online may be the correct name, but the chances that the return email address is correct are low (read “low”, think “nonexistent”). Notice that it is @onlinesvc.com. If this was really from BigBlueBank, chances are pretty good that it would be @BigBlueBank.com. If the return address just shows as BigBlueBank Online, hold your cursor over the name. The actual associated email address should show in a mouse-over or in the lower left corner of your browser.
2. “To: undisclosed-recipients” - If this was genuine, it would actually be to your specific email address, and NOT show as a bulk email with hidden addressees. Check what your bank emails you now – they are all to your real email address.
3. “UPDATE YOUR INFORMATION!” – This
pushes an immediate sense of urgency. Not necessarily a blazing orange
flag, but it should raise your skepticism when you get an email so
obviously trying to raise your personal sense of alarm.
4. “This message is a critical one…” This
is obviously a person to whom English is not their primary language.
Normal English phrasing would be “This is a critical message…”. If
BigBlueBank is based in South Carolina this should get your attention.
If they are based in Germany, it probably still should, but not quite as
much.
5. “It has come to our attentions,” “This
require” - The extra “s” on attention and the missing “s” are perfect
examples of disagreement in tense, and errors. These are strong
indicators that the writer is not a natural English speaker, and that
whoever sent the email did not spend enough time proof reading and
editing the content. If BigBlueBank is a top 10 bank in the Americas,
what are the chances that they would not have a proof reader check
everything that went out (Hint: the answer is 0%).
6. “Your Account information” and “The
Account update…” – What is with the random capitalization of “Account”?
Errors like this should be blazing a hole in your brain by now.
7. “Is also a new BigBlueBank” – This is
just an awkward sentence. Read the whole sentence from the email.
Perhaps “the account update also includes” or something similar, but
again, it is an error in grammatical construction that should tell you
this is not a professional email.
8. “Services security statement…” – Again with the random capitalization of “Services”? Brain. Hole. Burning.
9. “Goes according” – Perhaps if it read
“is in accordance” this would not raise alarms, but the misuse of the
“ing” is a common error for a non-natural English speaker.
10. “On our terms of service” – “in” our
terms of service would be appropriate for an English speaker, and even
more appropriate in a professionally prepared communication.
11. 5:55 AM 20/01/2012 – This is actually
the first thing I saw in the email that made me say “fake”. The date is
shown as day/month/year, which is predominantly European or other
international convention. Standard in the United States would be
01/20/2012. I know the other way sorts better, but it is aberrant
construction in the U.S. If you are not from the U.S., this probably
does not bother you as much as it did me.
12. “May result on a suspension of your
account” – “on” is again wrong. A natural English speaker would say
“in”. This also implies a threat designed to increase your sense of
urgency and decrease your vigilance.
13. BigBlueBank Upgrade Home – Look at
that. How convenient it was of them to include a link back to
Bigbluebank for you. Just hold your mouse over the hyperlink (don’t
bother; it won’t work on the example, since the hyperlink has been
removed). By now you realize the chances that the link actually has
anything to do with bigbluebank is exactly 0%. In the example of this
email, it actually linked to something like the following – the fact
that bigbluebank is not the domain should be an obvious clue:
http//generalupdates.gh.ost.de/bigbluebank/account_update/index.php.
14. 1-888-XXX-XXXX – Very nice to have an
included phone number. It really does help make the whole thing look
better. Especially if you dial the number and someone in a call center
answers it “Big Blue Bank – Customer Service, how can I help you?” First
of all, check the provided number against the customer service number
on your bank statements or against the number provided on Bigbluebank’s
real website. It may be close but it will not match. Your second clue is
that someone actually answered the phone and you did not have to go
through a Voice Response system – when was the last time that happened?
15. “Will be helping” – there is that “ing” again. “This will help us” would not raise alarm, but the improper English should have your spinal column on fire by now. You should almost expect it to say “will to be helping us” like some alien speaking through an electronic translator.
If in doubt, bring up the genuine bigbluebank.com website by typing
it into your browser yourself (completely ignoring their link, if you
please), and check for information there. Locate their contact
information to email, or call them to ask if they sent the information.
Chances are that bigbluebank has its own security group that is
interested in abuse and phishing emails. They may want you to forward a
copy of the email to them for their own review if you feel like going
that far.
Perhaps this was not the best example because this email was chock
full o’ clues. But these are exactly the types of indicators you will
see in many phishing emails. The fact that you even got this email
should immediately raise your level of awareness, so everything else
should follow.
07 February 2012
Social Engineering Yourself A BotNet
Not too long ago the announcement of a proposed Internet law, the Stop
Online Piracy Act (SOPA), basically caused the Internet to blow up
with people voting, supporting,
and showing how much they disliked this proposed bill. The way the
“Internet Community” came together is a lesson in mass influence itself,
but we are going to focus on a different aspect of this drama.
The hacktivist group Anonymous reared its head in this debate to show
its disdain for any law that would censor or prohibit the use of the
Internet, and it did so using a form of social engineering.
One of the less influence-based forms of social engineering involves
drawing people to a website that is either loaded with malicious
software/code or has downloads that are dangerous or infected.
Apparently, Anonymous used this form of social engineering to create, in
essence, one of the world’s largest botnets, full of unsuspecting
participants.
How?
Anonymous used its legions of faithful supporters to spread shortened links that drew interested parties to certain pages. Since a user can’t know what to expect before a shortened URL is loaded, Anonymous capitalized on this to create its botnet.
As users went to the list of URLs, the pages they landed on ran code in
their browsers. Once running, it caused the user's browser to make a
massive number of requests to the target websites (in this case those of
the DOJ and the FBI). When hundreds or thousands or even more people hit
these malicious URLs, so much traffic is sent that it DDoSes the sites
in question.
What are the implications of this type of attack? This form of social
engineering is pretty malicious. Simple curiosity can make the site
visitor an unwilling participant in an act that could be considered
terrorism. This is a very serious matter, as home and work connections
become sources of this malicious traffic.
In the age of shortened URLs, this kind of story just makes it ever
more clear that the user needs to take responsibility before clicking a
link. These types of attacks are how people’s computers get hacked and
how accounts are compromised. Now, it’s also how massive botnets are
created.
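What the flood described above looks like from the target's side, and how to pick its participants out of an ordinary access log, as an added example that is not code from the original post. The log lines are constructed here; the 10-second window and 50-request threshold are assumptions to tune per site. Every recruited browser repeats the same request from its own address, so counting requests per client inside a short sliding window separates participants from normal visitors. If the recruiting page sets a Referer (an assumption, not every such page does), grouping the flagged clients by Referer also points back at the page that recruited them.

```python
"""Find browser-driven request floods in a web server access log."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flood_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Map each client IP that exceeded `threshold` requests inside any
    `window` to the peak count seen.  Lines must be in time order per IP."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def shared_referers(lines, suspects, top=3):
    """Most common non-empty Referer values among the flagged clients."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in suspects and rec["referer"] not in ("", "-"):
            counts[rec["referer"]] += 1
    return counts.most_common(top)


def _log_line(ip, ts, request, referer):
    return '%s - - [%s] "%s" 200 512 "%s" "Mozilla/5.0 (constructed)"' % (
        ip, ts.strftime(TS_FMT), request, referer)


def make_sample_log():
    """Constructed sample: three recruited browsers hammering one page for
    about five seconds, plus five ordinary visitors reading the news."""
    base = datetime(2012, 1, 20, 15, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(80):
        ts = base + timedelta(milliseconds=60 * i)
        for ip in ("198.51.100.10", "198.51.100.11", "203.0.113.7"):
            lines.append(_log_line(ip, ts, "GET / HTTP/1.1",
                                   "http://recruiting-page.example/flood.html"))
    for n in range(5):
        for i in range(3):
            ts = base + timedelta(seconds=2 * n + 20 * i)
            lines.append(_log_line("192.0.2.%d" % (n + 1), ts,
                                   "GET /news/%d.html HTTP/1.1" % i, "-"))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    suspects = flood_sources(log)
    for ip, n in sorted(suspects.items()):
        print("%s: %d requests inside a 10 s window" % (ip, n))
    print("referers among suspects:", shared_referers(log, set(suspects)))
```

The per-client window is deliberately short: a crowd of recruited browsers each sends far more than a human would in ten seconds, while a single heavy but legitimate user rarely does. A flagged set that shares one Referer is the strongest sign that the visitors were recruited by a page rather than acting on their own.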
06 February 2012
Be on the Lookout for Phishing Emails
Posted on: February 2, 2012 in Industry Issues by Chris Williams
If you keep up with tech news, you might have seen the story recently about a new email authentication standard, DMARC, developed by Microsoft, Yahoo, Google, and Facebook
to cut down on spam emails and phishing attempts. It’s an exciting new
technology that will help protect users by adding authentication checks on
incoming mail and reporting back to the domain owners whose names are
being forged.
However, even with stricter standards for spam filtering, the
occasional phishing email might still find its way to your inbox.
Phishing emails are ordinary-looking emails from people trying to convince you
to give them information like passwords, usernames, credit card numbers,
social security numbers, or other sensitive data. Every email user needs
to know how to spot phishing emails so they can be deleted.
Here are five easy things to look for that you can use to spot phishing emails before you respond with sensitive information.
Emails from companies or people asking for information they should already have, such as accounts and passwords – a company will never ask you for your password.
Emails asking for personal identity information – your date of
birth, bank account information, social security number, or other
personal information. There’s no reason to ever give personal information via email.
Emails with weird formatting, spelling mistakes, or bad grammar – many phishing attempts are sent from overseas by non-native speakers, so they often contain mistakes a native English speaker wouldn’t make. Others are hurriedly prepared, so they may contain mistakes as well.
Links or attachments you didn’t request – never click on a link in an email, or open an attachment, if you didn’t ask for it to be sent to you.
Unknown senders or strange domain names – if the domain name
of the sender looks strange, or the sender is unknown to you, learn more
about the sender or company before you take action. If it looks strange, delete or report the email.
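Item 13 of the bigbluebank walkthrough above ("bigbluebank is not the domain") and the last two items of this list are the same test in two forms: does the host of the link, and the domain of the real sender address, belong to the company the mail claims to come from? Here is that test as an added example; it is not code from either post. The expected brand domain, the sample message and its sender address are constructed for illustration.

```python
"""Check a message's links and sender against the brand it claims to be."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "bigbluebank.com"  # assumed brand domain for the example


def registered_domain(host):
    """'www.a.example.com' -> 'example.com'.  Simplification: takes the last
    two labels; a real tool would consult the Public Suffix List so that
    names such as 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_belongs_to(url, domain=EXPECTED_DOMAIN):
    """True only if the URL's *host* is the domain or one of its subdomains.
    The brand name appearing in the path or in the link text counts for
    nothing, and 'bigbluebank.com.evil.example' fails because its
    registered domain is evil.example."""
    if "://" not in url:
        url = "http://" + url            # bare 'host/path' links
    host = urlparse(url).hostname or ""
    return registered_domain(host) == domain.lower()


def sender_belongs_to(from_header, domain=EXPECTED_DOMAIN):
    """Checks the real address, ignoring the display name a phisher controls."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return registered_domain(addr.rsplit("@", 1)[1]) == domain.lower()


class _HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def suspicious_links(html, domain=EXPECTED_DOMAIN):
    """hrefs in the HTML body whose host is not under `domain`."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if not link_belongs_to(h, domain)]


def triage(raw_message, domain=EXPECTED_DOMAIN):
    """Return the list of clues found in a single-part HTML message."""
    msg = message_from_string(raw_message)
    findings = []
    if not sender_belongs_to(msg.get("From", ""), domain):
        findings.append("sender address is not under " + domain)
    for url in suspicious_links(msg.get_payload(), domain):
        findings.append("link points outside " + domain + ": " + url)
    return findings


# Constructed sample, modelled on the walkthrough's fake 'upgrade' mail.
SAMPLE = """From: "Big Blue Bank Security" <update@generalupdates.gh.ost.de>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please confirm your details at
<a href="http://generalupdates.gh.ost.de/bigbluebank/account_update/index.php">BigBlueBank Upgrade Home</a>
or call 1-888-XXX-XXXX.</p>
<p>See our <a href="https://www.bigbluebank.com/security">security tips</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for clue in triage(SAMPLE):
        print("WARNING:", clue)
```

The second link in the sample passes because its host really is under bigbluebank.com; phishers often mix genuine links in with the one that matters, so a single good link proves nothing. Only the host part of a URL decides, never the visible text or the path.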
Here’s an example of a phishing email:
For more information on spotting a phishing email, check Microsoft’s support page. If you’re a Google user and receive phishing emails, you can learn how to report them to Google here.
Remember the first step is staying vigilant. Don’t provide personal
or sensitive information through email if you can avoid it, especially
to people you don’t know.
...don't forget to leave a comment... thanks.
03 February 2012
9 Reasons to Enforce Web Security within the Organization
Considering the wide range of malicious content threatening your
users, implementing strong web security within the organization is a
crucial part of any defense-in-depth strategy. Web security doesn’t have
to mean blocking your users’ access to the Internet, but it does mean
protecting them from the types of threats they will encounter every day.
Here’s a rundown of the top nine threats that are there to help you
understand the importance of strong web security. Some of these are
threats to your users; others are threats to their productivity. All are
things web security can help you protect against.
1. Compromised sites hosting malware
Every day you can read about sites that have been compromised by attackers. Hacked sites hosting malware are a common way to spread the damage to hundreds or thousands of others very quickly. Strong web security can protect your users by blocking access to compromised sites, and by scanning any downloads for malware.
2. Cross-site scripting attacks
Cross-site scripting can steal credentials, direct users to sites specifically hosting malware, and worse. Web security can detect when an XSS is attempted and protect users from the effects.
3. Typo-squatters
It’s common for people to register domains that are either misspelled, or simple one-offs from other sites to try to get traffic from users’ typos. Sometimes these sites simply have aggressive sales content; other times they are set up to look like the real site to fool users. Either way, web security can prevent this all too common mistake from doing damage.
4. Phishing sites
Phishing emails almost always include links to sites, where the real damage can be done. Web security can block access to these phishing sites.
5. Adult content
The last thing you need is an HR issue to deal with because someone clicked the wrong link in some search results. Web security can enforce the acceptable use policy, preventing both the intentional and accidental violations from occurring.
6. Controversial content
Adult content is not the only risk; political and religious sites may not be appropriate for users to access while at work and web security can ensure that Internet access is business appropriate.
7. Time sinks
If you have ever surfed the web, you have probably experienced the time loss that comes from a planned 30 second check-in that becomes a 30 minute catch up with what else is going on. “Just one more click…” can cost your company hours of lost productivity. Web security doesn’t have to block all personal Internet access; it can permit that within reasonable time limits.
8. Bandwidth hogs
One Internet audio stream may seem like it uses an insignificant amount of bandwidth, but with everyone streaming music, your pipe can quickly become clogged. Web security can monitor and identify the major bandwidth users, or block access to streaming media completely to save that bandwidth for important things, like customer orders.
9. Copyright violations
If a user downloads a pirated movie from your network, you could face liability. Web security can block access to these download sites, and block torrents and peer-to-peer sharing so you don’t worry about C&D letters or lawsuits.
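The typo-squatting item above describes the check a web proxy can apply before letting a request through: is the requested host a misspelling or a "one-off" of a name you protect? This is an added example of that check, not the article's or any vendor's code; the protected brand and the candidate hostnames are constructed. Three patterns are covered: a second-level label within one keystroke of the brand (a dropped, doubled, swapped or substituted character, measured with optimal string alignment distance), the brand label under a different TLD, and the brand label embedded in a longer label.

```python
"""Flag hostnames that are a typo or a lookalike of a protected brand."""
from urllib.parse import urlparse

PROTECTED = ["bigbluebank.com"]  # assumed brand domains


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so that 'bigbluebnak' is one edit away from 'bigbluebank'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_registered(host):
    """'www.example.com' -> ('example', 'com').  Simplification: the last
    two labels; a real tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(host, protected=PROTECTED):
    """None if the host is a protected brand (or one of its subdomains) or
    unrelated to every brand; otherwise a reason naming the pattern."""
    label, tld = split_registered(host)
    for brand in protected:
        b_label, b_tld = split_registered(brand)
        if label == b_label:
            return None if tld == b_tld else "same name, different TLD: " + brand
        if osa_distance(label, b_label) == 1:
            return "typo of " + brand
        if len(label) > len(b_label) and b_label in label:
            return "brand name embedded in " + host
    return None


def check_url(url, protected=PROTECTED):
    """Proxy-side wrapper: classify the host of a requested URL."""
    if "://" not in url:
        url = "http://" + url
    return classify(urlparse(url).hostname or "", protected)


if __name__ == "__main__":
    # Constructed candidates, as a proxy log might contain them.
    for h in ("www.bigbluebank.com", "bigbluebnak.com", "bigblubank.com",
              "bigbluebank.net", "bigbluebank-secure.com", "example.org"):
        print("%-25s %s" % (h, classify(h) or "ok"))
```

A match is a reason to block or at least warn, not proof of malice on its own: the brand may legitimately own some of its one-off domains, so keep an allow list of those alongside the protected list. Running the same classification over newly registered domains, rather than over proxy requests, turns it into an early warning that someone has squatted on your name.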
With strong web security protection
technology in place, you protect your users, your infrastructure, your
data and, ultimately, your company. Look at web security as a critical
component of your information security strategy.
02 February 2012
User error is the biggest threat on the Internet
Sophos unveiled a detailed assessment of the threat landscape - from
hacktivism and online threats to mobile malware, cloud computing and
social network security, as well as IT security trends for this coming
year.
Year in review: Under attack
2011 was characterized by a rise in cybercrime. The availability of commercial tools designed by and for cybercriminals made mass generation of new malicious code campaigns and exploits trivial and scalable. The net result was significant growth in the volume of malware and infections.
Cybercriminals also diversified their targets to include new platforms, as business use of mobile devices accelerated. Politically motivated hacktivist groups took the media spotlight, even as the more common threats to cyber security grew.
Hype over hacktivism
The emergence of LulzSec and Anonymous marked a shift from hacking for financial gain to hacking as a form of protest. Hacktivists sowed chaos by leaking documents and attacking websites of high-profile organizations and even defense contractors. LulzSec dominated headlines in the first half of the year with attacks on Sony, PBS, the U.S. Senate, the CIA, FBI affiliate InfraGard and others, and then disbanded after 50 days.
Risky business
Increasingly, corporate users weren’t just at home or at work, but somewhere else on the “everywhere network.” And the consumerization of IT, sometimes called “bring your own device” or BYOD, became one of the newer causes of data vulnerability. Employees accessed sensitive corporate information from their home computers, smartphones and tablets. Moreover, corporate-issued mobile devices increased risk, as did the rise of cloud services and the use of social media.
According to the Sophos online poll, which asked users whether their company allows personal laptops, desktops or phones for work, nearly 50 percent of respondents said yes. Another 10 percent, whose companies don’t allow personal devices for work, wished they did.
Changing web threats and drive-by downloads
Cybercriminals constantly launched attacks designed to penetrate digital defenses and steal sensitive data. Almost no online portal proved immune from threat or harm. SophosLabs identifies an average of 30,000 newly-infected web pages each day. More than 80 percent of these web pages are on innocent web servers, which have been hacked by cybercriminals to make them part of the problem.
Additionally, 85 percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web, according to the Ponemon Institute. Today, drive-by downloads have become the top web threat, and in 2011 one crimeware kit, known as “Blackhole,” rose to number one on that list.
In the Sophos online poll, users were asked about the prevalence of malware compared to 2010; 67 percent of respondents felt it was on the rise.
The emergence of Mac malware
Microsoft Windows may be the most attacked OS, but the primary vectors for compromising Windows have been PDF readers and Flash. Despite Microsoft’s regular updates to patch Windows OS vulnerabilities, these content delivery systems remained the largest vulnerability on any OS. In 2011, the emergence of malware for the Mac upstaged Windows malware in the headlines. There's no doubt that the Windows malware problem is much larger than the Mac threat, but the events of 2011 show Mac users that the malware threat is genuine.
Top trends
There are many factors that will impact the IT security landscape this year and into the future. These include new attacks using social media platforms and integrated apps, more targeted attacks on non-Windows platforms, and mobile payment technologies under threat, among others which are highlighted within the report.
“As cybercriminals expand their focus, organizations are challenged to keep their security capabilities from backsliding as they adopt new technologies,” said Mark Harris, vice president of SophosLabs, Sophos. “And as we continue to access information in different ways, from different devices in different locations, security tools must be able to ‘protect everywhere’ - from desktops to mobile and smart devices and the cloud. But more importantly and oft-disregarded, cybercriminals will continue to stalk the easiest prey - security basics like patching and password management will remain a significant challenge.”
Source: http://bit.ly/yjrHYu
01 February 2012
Twitter users beware: Homeland Security isn’t laughing
Planning to make a joke on Twitter about bombing something? You might want to reconsider: according to a report from Britain, two British tourists were detained and then denied entry into the U.S. recently after they joked
about destroying America and digging up Marilyn Monroe. The fact that
the Department of Homeland Security and other authorities — including
the FBI — are monitoring social media like Twitter and Facebook isn’t
that surprising. But the fact that Homeland Security is willing to detain people based on what is clearly a harmless joke raises questions about what the impact of all that monitoring will be.
Leigh Van Bryan, a 26-year-old bar manager from Coventry, told The Sun that he
and friend Emily Bunting were stopped by border guards when they
arrived at Los Angeles International Airport and questioned for five
hours about messages that Van Bryan had posted on Twitter saying he
planned to “destroy America.” After the questioning, during which the
Irish traveller said that Homeland Security threatened the two, they
were put in a van and taken to a holding cell overnight, along with some
illegal immigrants. After being held overnight, they said they were
forced to take a plane back to England.
According to a report in The Daily Mail, the Homeland Security officers gave Van Bryan a document that detailed why he was refused admission to the United States, and it reads like a bad joke itself, saying:
He had posted on his Tweeter website account that he was coming to the United States to dig up the grave of Marilyn Monroe… Also on his tweeter account Mr Bryan posted that he was coming to destroy America.
Van Bryan told the newspaper that he tried to explain to Homeland
Security officials that the term “destroy” was British slang referring
to a party, and that his comments about “digging up Marilyn Monroe” were
an attempt at humor, but that the officers didn’t listen. The
authorities even searched their luggage looking for shovels and other
tools, he said.
Monitoring social media makes sense — within reason
This isn’t the first time that someone has gotten in trouble for
making a joke on Twitter: a British businessman named Paul Chambers was arrested under the Terrorism Act and questioned for more than seven hours in 2010 after making a joke on Twitter
about blowing up an airport, a joke he said he made because he was
frustrated about the airport being closed due to bad weather. He was
tried and found guilty and fined a thousand pounds, and eventually lost
his job as a result of the publicity.
The fact that Homeland Security is monitoring social networks like
Twitter and Facebook for certain keywords isn’t that surprising: the
department said during a security review earlier this year that it has been monitoring those networks and a list of blogs
and other sources (including WikiLeaks) for information about potential
security hazards and what it called “situational awareness.” The
Federal Bureau of Investigation also recently revealed that it is trying to develop a service that can monitor social-media sources and automatically create alerts based on the information it finds there.
To me, it makes perfect sense for security officials to be monitoring
social networks and even blogs. This is all public information that could contain useful signals about real terrorism or threats to national security of some kind,
and it should obviously be part of the normal intelligence process. But
doing this properly also requires some sense of proportion about what
constitutes a real threat and what is clearly a joke. Did Homeland
Security really think that a 26-year-old bar manager was a serious
threat?
We all know that we are likely being monitored in even more ways now
than we have ever been, whether it’s by security cameras or algorithms
that comb through tweets and Facebook posts. But that’s not the scary
part — the scary part is what can happen when that information gets
misinterpreted and it escalates into a major crisis for no reason.
5 reasons to enforce email monitoring
Managing storage continues to be one of the most significant challenges
for email management, but the right tools can change this from a daily
headache to an easy win. Email monitoring gives administrators those
tools; providing detailed information on how email is being used, both
internally and externally. Here’s a list of the top five ways email
monitoring will empower you to optimize your email management.
1. Identify heavy users
Knowing who the heaviest users are can help you plan storage, reallocate mailboxes among databases to streamline backups, and also learn about who is emailing whom, both within and outside the company. Knowing your communications channels can help you better understand the business and the needs of your customers while helping you with email management. Email management tools can provide you with detailed reports on who sends and/or receives the most email, and who they are communicating with.
2. Manage those attachments
A single Word document can take up more space than a hundred plain text emails. And how many different versions of a project plan are floating around inside your mailstores because each revision gets mailed out to everyone on the project team? Email is a convenient but inefficient file server, and most attachments should really be stored on SharePoint or a network drive. Moving file transfers to the proper resource will make email management a much easier task. Email monitoring software allows you to receive reports on total space used by attachments, the types of attachments, and real space wasters like duplicates.
3. Find policy violations
When it comes to attachments, non-work related attachments can also chew up huge amounts of storage. Finding the MP3s and AVIs, and reminding users of the company policy can free up lots of disk space rapidly. While you are at it, using email monitoring will enable you to make sure no one is forwarding all their company email to their personal account, or worse, the competition. Good email management includes safeguarding the company’s assets.
4. Storage
Of course, older emails can take up a ton of storage space, and users won’t delete anything unless you stand next to them and press the keys for them. An email monitoring solution can help you understand how much better it would be if all that email was moved to storage managed by an email archiving solution. Using easy-to-set-up rules, managing email storage becomes an easy task, as messages are moved to the archive automatically. Your users will have no more run-ins with quotas, and no more need for PST files.
5. Retention
Sometimes, email management means knowing when to say goodbye to those older emails. If your company has a document retention policy, it probably defines not only how long to save certain information, but when it needs to be destroyed. An email archiving solution that offers email monitoring features can automatically age out and purge email that exceeds the defined retention policy, automating the housekeeping that you never have time to get to yourself.
As you can see, the winning combination of email archiving and email monitoring makes email management a much easier task, providing in-depth information about how your users communicate, and supports the company’s document retention and other policies. With these tools you can take your Exchange infrastructure to the next level, providing better service with lower storage costs.
This post was provided by Christina Goggi on behalf of GFI Software Ltd.
31 January 2012
Video: New Banking Trojan Caught Breaking CAPTCHA
A new banking Trojan variant can bypass CAPTCHA, as demonstrated by a video posted today by security firm Websense on their Security Labs blog.
Once downloaded to the machine, Cridex, a data-stealing Trojan, will track content from various web forms. Cridex also downloads a ‘spamming module’ to the infected machine that enables the botmaster to send malicious e-mails to boost infection rates. This module, as shown in the video, utilizes a CAPTCHA-breaking server that helps the botmaster circumvent any CAPTCHA after a few tries, allowing the attacker to create a new Yahoo e-mail account.
The CAPTCHA attempts are sourced from a series of challenge images (embedded in HTTP) that have been gathered from the e-mail registration form and uploaded to the remote CAPTCHA-breaking server.
For more on the methods used by Cridex and the exact steps of the CAPTCHA-breaking process, head to Websense.
Source: http://bit.ly/AB6Bcg via @threatpost
Protecting Data Is Not a Black and White Issue
Data protection is more nuanced than simply allowing or denying
access. The age-old concept of group and individual permissions for
file and folder access is based on the fact that one person may have no
business opening a given file, while the next person may need to read
and review that same file as a function of their role. This same type of
control is needed when it comes to allowing data to be printed, or
stored on an external drive or USB flash drive.
Because protecting data is not a black and white issue, the solution
needs to be more flexible than simply blocking or allowing access. Zecurion’s Zlock
gives IT admins the ability to apply fine-tuned controls that prevent
the unauthorized copying and storing of data without impeding
legitimate, authorized use of removable media at the same time. Just as
one person may have no business opening a file that another person needs
to do their job, one person may have no legitimate business purpose for
storing data on removable media, while the next person may need that
capability to perform their job function. A solution that simply locks
down USB ports is like killing a housefly with a hand grenade, and
applies too broadly to provide functional data protection.
Zlock takes it a step farther, though. Jim may have a business need
to store sensitive data on a removable drive, but you don’t need to
grant blanket permission to Jim. You can still set up controls in Zlock
that let Jim store data on a USB flash drive, but only if the data is
encrypted. In fact, IT admins can configure Zlock to only allow Jim to
store data on a specific brand of company-issued flash drives, or even a
specific hardware ID of an individual USB flash drive issued to Jim.
That way, data is protected, and the flow of sensitive data is
controlled, but Jim is still able to do his job without having to jump
through any additional hurdles.
Article Source: http://goo.gl/5czex
27 January 2012
Phishing Attacks Can Happen On Your Mobile Phone Too
A few years ago most of the general public had never even heard of a phishing attack. These days the term is better known: while still not general knowledge, it has been given a little more exposure by the media and web safety outfits. But just because the problem has seen a little more daylight does not mean that it has gone away. No, the problem of phishing attacks is still with us, and while that remains very much a problem, the bigger problem is that it is now starting to move to a new medium.
The mobile phone is becoming more and more the popular choice for surfing the web. What better way to pass time than to surf the web while you are on the go? It is because of this activity that you are starting to see more web sites optimized for smaller screens. But it is not only the legitimate web sites that are focusing on the phone. The criminal web sites are as well.
Surfing the web on your mobile phone is no longer a time when you can have your defenses down. In the past, when people surfed the web on their mobile phones, they pretty much knew that the attacks directed at users of Windows and Apple computers could not hurt them. That is no longer the case. Hackers know how to code for the phones now. But it is the web-based attacks like phishing that can hurt you no matter what platform you are on.
What is a phishing attack?
A phishing attack is when one web site pretends to be another. A victim goes to that web site thinking they are safe, but instead they are really giving up all of the information they type into that site.
That is why a phishing attack works on any platform, whether it is your desktop or your phone. It is strictly a web-based attack to obtain information; no matter how you hand over the information, it is still going to work. The platform on which you give them the information is secondary.
If you want to avoid a phishing attack, the easiest way is to make sure you pay attention to the web address of the site you are on. Also, if you get an e-mail that says to click a link to go to a web site, type the name of the web site in yourself instead. Then you know exactly what site you are going to.
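"Pay attention to the web address" is easier said than done, because a link can carry the brand name somewhere other than the host the browser actually connects to. The following is an added example (not code from the original article) that shows what to look at in a link: the sample links and the placeholder brand "examplebank.com" are constructed here, and the domain check assumes a two-label suffix, with no public-suffix list consulted.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind a phishing e-mail might carry.
# "examplebank.com" is a placeholder brand, not a site from the post.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",                    # genuine
    "https://examplebank.com.secure-login.example/login",   # brand used as a subdomain
    "https://www.examplebank.com@203.0.113.5/login",        # brand placed in userinfo
    "http://examplebank.com.evil.example/",                 # plain http, wrong host
    "https://examplebank-secure.example/login",             # lookalike name
]


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list is
    consulted, so multi-label suffixes such as co.uk are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> dict:
    """Report which host the browser would really connect to and whether it
    belongs to the domain the user expects."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # .hostname already drops user:pass@ and :port
    matches = registrable_domain(host) == expected_domain.lower()
    warnings = []
    if parts.username is not None:
        warnings.append("text before '@' is userinfo, not the host")
    if parts.scheme != "https":
        warnings.append("not https")
    if not matches and expected_domain.lower() in url.lower():
        warnings.append("expected brand appears in the URL but not in the real domain")
    return {"url": url, "connects_to": host,
            "matches_expected": matches, "warnings": warnings}


def audit(links, expected_domain: str) -> list:
    """Return the reports for links that do not lead to the expected domain."""
    return [r for r in (check_link(u, expected_domain) for u in links)
            if not r["matches_expected"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_LINKS, "examplebank.com"):
        notes = ", ".join(r["warnings"]) or "no further warnings"
        print(f"{r['url']}\n  -> connects to {r['connects_to']}; {notes}")
```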
Source Article: Security-faqs