Video: New Banking Trojan Caught Breaking CAPTCHA

by Christopher Brook

A new banking Trojan variant can bypass CAPTCHA, as demonstrated by a video posted today by security firm Websense on their Security Labs blog.

Once downloaded to the machine, Cridex, a data-stealing Trojan, will track content from various web forms. Cridex also downloads a ‘spamming module’ to the infected machine that enables the botmaster to send malicious e-mails to boost infection rates. This module, as shown in the video, utilizes a CAPTCHA-breaking server that helps the botmaster circumvent any CAPTCHA after a few tries, allowing the attacker to create a new Yahoo e-mail account.

The CAPTCHA attempts are sourced from a series of challenge images (embedded in HTTP) that have been gathered from the e-mail registration form and uploaded to the remote CAPTCHA-breaking server.

For more on the methods used by Cridex and the exact steps of the CAPTCHA-breaking process, head to Websense.

Recommended Reads

• Malware Writers Use Block Cipher in Latin America
• Ramnit Worm Evolves Into Financial Malware
• Financial Services Industry Report Urges Rethink on Malware

Source: http://bit.ly/AB6Bcg via @threatpost

Protecting Data Is Not a Black and White Issue

Data protection is more nuanced than simply allowing or denying access. The ages-old concept of group and individual permissions for file and folder access are based on the fact that one person may have no business opening a given file, while the next person may need to read and review that same file as a function of their role. This same type of control is needed when it comes to allowing data to be printed, or stored on an external drive or USB flash drive.

Because protecting data is not a black and white issue, the solution needs to be more flexible than simply blocking or allowing access. Zecurion’s Zlock gives IT admins the ability to apply fine-tuned controls that prevent the unauthorized copying and storing of data without impeding legitimate, authorized use of removable media at the same time. Just as one person may have no business opening a file that another person needs to do their job, one person may have no legitimate business purpose for storing data on removable media, while the next person may need that capability to perform their job function. A solution that simply locks down USB ports is like killing a housefly with a hand grenade, and applies too broadly to provide functional data protection.

Zlock takes it a step farther, though. Jim may have a business need to store sensitive data on a removable drive, but you don’t need to grant blanket permission to Jim. You can still set up controls in Zlock that let Jim store data on a USB flash drive, but only if the data is encrypted. In fact, IT admins can configure Zlock to only allow Jim to store data on a specific brand of company-issued flash drives, or even a specific hardware ID of an individual USB flash drive issued to Jim. That way, data is protected, and the flow of sensitive data is controlled, but Jim is still able to do his job without having to jump through any additional hurdles.

Article Source: http://goo.gl/5czex

Phishing Attacks Can Happen On Your Mobile Phone Too

A few years ago most of the general public had never even heard of a phishing attack. These days it is better known. While still not a general knowledge question it has been exposed a little bit more by the media and web safety outfits. But just because the problem has seen a little bit more daylight does not mean that it has gone away. No, the problem of phishing attacks is still with us. And while that is still very much a problem, the bigger problem is that now it is starting to move to a new medium.

The mobile phone is becoming more and more the popular choice to surf the web. What better way to waste time than to surf the web while you are on the go. It is because of this activity that you are starting to see more web sites optimize for smaller screens. But it is not only the legitimate web sites that are focusing on the phone. The criminal web sites are as well.

Surfing the web on your mobile phone is no longer a time when you can have your defenses down. In the past when people would surf the web on their mobile phones they pretty much knew that the attacks that were directed at users of Windows and Apple computers could not hurt them. That is no longer the case. Hackers know how to code for the phones now. But it is the web based attacks like phishing that can hurt you no matter what platform you are on.

What is a phishing attack?

A phishing attack is when one web site pretends that it is another. A victim will go to that web site, thinking that they are safe but instead they are really giving up all of the information that they type in that site.

And that is why a phishing attack works on any platform no matter if it is your desktop or your phone. It is strictly a web based attack to obtain information. No matter how you give them the information it is still going to work. The platform of how you give them the information is secondary.

If you want to be able to avoid a phishing attack then the easiest way is to make sure that you pay attention to the web address of the site that you are on. Also, if you get an email and it says to click a link to go to the web site, instead just type the name of the web site in. Then you know exactly what site you are going to.

Source Article: Security-faqs

Seven Ways to Get Yourself Hacked

As targeted scams become more common, it's vital to protect yourself.

By Simson Garfinkel

In recent months, I've met at least three people who have been the victim of hackers who've taken over their Gmail accounts and sent out e-mails to everyone in the address book.

The e-mails, which appear legitimate, claim that the person has been robbed while traveling and begs that money be wired so that the person can get home. What makes the scam even more effective is that it tends to happen to people who are actually traveling abroad—making it more likely that friends and families will be duped.

Although it's widely believed that a strong password is one of the best defenses against online fraud, hackers increasingly employ highly effective ways for compromising accounts that do not require guessing passwords.

This means that it is more important than ever to practice "defensive computing"—and to have a plan in place for what to do if your account is compromised.

Malware. Sometimes called the "advanced persistent threat," a broad range of software that was programmed with evil intent is running on tens of millions of computers throughout the world.

These programs can capture usernames and passwords as you type them, send the data to remote websites, and even open up a "proxy" so that attackers can type commands into a Web browser running on your very computer. This makes today's state-of-the-art security measures—like strong passwords and key fobs—more or less useless, since the bad guys type their commands on your computer after you've authenticated.

Today, the primary defense against malware is antivirus software, but increasingly, the best malware doesn't get caught for days, weeks, or even months after it's been released into the wild. Because antivirus software is failing, many organizations now recommend antediluvian security precautions, such as not clicking on links and not opening files you receive by e-mail unless you know that the mail is legitimate. Unfortunately, there is no tool for assessing legitimacy.

Windows XP. According to the website w3schools, roughly 33 percent of the computers browsing the Internet are running Windows XP. That's a problem, because unlike Windows 7, XP is uniquely susceptible to many of today's most pernicious malware threats. Windows 7, and especially Windows 7 running on 64-bit computers, has security features built in to the operating system such as address space randomization and a non-executable data area. These protections will never be added to Windows XP. Thus, as a general rule, you should not use Windows XP on a computer that's connected to the Internet. Tell that to the 33 percent.

Kiosk computers. You should avoid using public computers at hotels, airports, libraries, and "business centers" to access webmail accounts, because there is simply no way to tell if these computers are infected with malware or not. And many of them are running Windows XP. So avoid them.

Source Article: http://techre.vu/x1Yq35 (via @TechReview)

How to Boost Your Phishing Scam Detection Skills

Phishing scams—the ones that try to get you to provide private information by masquerading as a legitimate company—can be easy to uncover with a skeptical eye, but some can easily get you when you let your guard down for just a second. Here's how you can boost your phishing detection skills and protect yourself during those times when you're not at full attention.


Want to test your phishing IQ and find out what kind of scams you're most likely to miss? Take this test.

What You Can Do

The way most phishing scams find victims is through email, but sometimes you'll come across a phishing site in the wild as well. Either way, here are the basic principles you want to follow to keep a cautious eye out for these malicious traps.

Check the URL

Phishing scams are designed to look like official emails and web sites from actual companies, but they aren't actually those things—they're just imitations. Because the emails and web sites are imitations they'll probably look a little different from what you'd expect in general, but more importantly those sites can't have the same URL as the web site they're pretending to because they are different sites. To check the URL, just hover of the link you're thinking of clicking. At the bottom of your window you should see the URL displayed. Once you do that, you have to figure out if it is a good URL or a bad URL.

Using PayPal as an example, you'll generally see http://www.paypal.com as part of the URL.

Sometimes you'll see something like http://subdomain.paypal.com as well. Both of these URLs are okay, because they end in paypal.com. A phishing URL, however, might look something like this: http://paypal.someotherdomain.com. In this case, "paypal" is attached to another domain name (someotherdomain.com). URLs like this are the ones you want to avoid.

Always Go Direct

The best thing you can do to avoid phishing scams is always go directly to the web site you want to visit rather than clicking a link. This way you don't have to figure out if the URL is safe or not because you'll be using a URL in your bookmarks (or your brain) that you already know is safe. Doing this can also help protect you from phishing scams when you let your guard down because you'll be in the habit of visiting sites directly rather than clicking links.
I fell for a phishing scam once when I read the email right after I woke up in the morning. It was from my bank and they'd sent me a lot of verification notices lately since I'd been traveling and using my debit card all over the place. When I got another one, I didn't even think about it because I'd just woken up. I went to the site, filled in my info, and then immediately realized I'd just provided that information to a phishing scam site. I called the bank to let them know right away and got a new card, but had I changed my default behavior to calling the bank of visiting the bank's web site this probably wouldn't have happened. Of course, that's what I do now and it hasn't been a problem since.

What Your Browser Can Do For You

Detecting phishing scams on your own mainly require the mild paranoia and the behavioral adjustment described above, but there are a few other things you can do to make your everyday browsing safer.

Turn Off Form Autofill

One great feature of many web browsers is the autofill feature. It makes it really easy to fill out forms using information already stored in the browser. It also makes it easy for you to ignore the form you're filling out and just submit it, causing you to potentially miss a phishing scam when you're rushing through the process. While this precaution isn't necessary, and you might prefer the convenience of autofill to the safety benefits that deactivating it can provide, turning it off will provide a little added protection.

Utilize Your Browser's Built-In Tools

Most browsers come with some phishing protection built-in to help protect you, but it isn't always enable by default. Google Chrome keeps track of common phishing sites and can alert you when you visit one, but you may need to go through the short setup process to make it work. Firefox also offers phishing and malware protection in a similar way, and you can enable it in the Security section of Firefox's preferences.

Bump Up Your Phishing Protection with Web of Trust

Web of Trust is one of our favorite browser extensions because it automatically lets you know if a web site is trustworthy or not. While it can't possible verify every single site on the internet, it can make you aware of potentially harmful sites and phishing scams. All you have to do is install the extension for your browser and it will display a trust rating in your browser's toolbar. (You can read more about this here.) Web of Trust is available to download for Google Chrome, Firefox, Internet Explorer, Opera, Safari, and as a bookmarklet for other browsers.

Source Article:  http://goo.gl/nhzSY

Bait Your Users with the Simple Phishing Toolkit

By Joe Brockmeier

 By now, most folks have heard of phishing scams, and know to be on the lookout for fake PayPal and bank sign-ons. But what happens when your co-workers get a link to a site that looks just like the corporate intranet? Using the Simple Phishing Toolkit (SPT) you can find out.
The concept behind SPT is pretty simple: Most companies spend a fair amount of money on trying to secure their environment. How much do they spend on educating users? Very little, and in many cases nothing at all. As the saying goes, an ounce of prevention is much better than a pound of cure.

Working with SPT

Basically, SPT is a PHP/MySQL package that is designed to create and run phishing campaigns. It should install on any current LAMP or WAMP stack in just a few minutes. If you've installed Drupal or WordPress or any other PHP/MySQL package, it shouldn't take more than a coffee break to set up. (Creating the database and MySQL user is the longest part of the process.)
From there, you can create campaigns to try to "hook" users and see if they're gullible enough to hand out credentials to a phishing site. You supply templates to SPT for the target site, and the list of users and the body of the email. It will send out the phishing emails and collect data when users respond.
Note that there are two ways to provide a template to SPT – provide a template that you've created, or scrape another site. In my tests of SPT, the scraping didn't work. You can find a Microsoft Outlook Web template on the SPT site, though. This might get you started right away if your organization uses Outlook.

You can also provide an "education package" so that users get schooled as soon as they fall for the phishing link. This can be triggered as soon as users click on the link, or after they provide data.

Could be Used for Good or Evil

The project is open source, available under the GPLv3. It's also extensible, so if it doesn't do everything you want there is the option of writing modules for it. The project is still relatively young, I tested the 0.4 release. Now might be a good time for IT departments to talk to their users about phishing, then plan a SPT campaign for later in the year.

It's worth noting that SPT could be used to run actual phishing campaigns, but those are going on already anyway. Yes, SPT promises to be a really easy way to set up a phishing attack, but that's all the more reason to start educating users.
Does SPT look like something you'd use in your business? Are you doing anything to educate users about phishing already? Would love to hear more ideas in the comments about educating users rather than just spending money on security measures.

Source Article: http://goo.gl/YxAvn

Beware of fake Megaupload “comeback” phishing scams

By: Will Shanklin



Megaupload is supposedly back, albeit without any functionality. An IP address which is dressed to look like Megaupload is being promoted, but evidence points to this as being 100% bogus. If this is legitimate, then Megaupload is one resilient company. The only problem is that this is almost certainly a phishing scam, which you’ll want to avoid like the plague.
Yesterday Megaupload’s domain and assets were seized by the Feds, with the company’s executives being placed under arrest.
As of now, nothing on this site claiming to be the “new Megaupload” works. Every link greets you with the same message, telling you that “this is the new Megaupload site.” The message (probably from a phisher) promises that the company is working to get back up again.
The site’s appearance looks legitimate enough. The familiar Megaupload logo, customary orange and white colors, fonts, and tabs are all there. These could all be easily faked, though — phishers do this with other sites every day. There is also a glaring typo (“beware to the pishing sites”).
Perhaps the biggest evidence against this site is that its IP address was recently directing to another company — which was already flagged as a phishing scammer. We’ll update if we get more information, but we’d advise you to stay far away from this. As long as Megaupload’s employees are in prison with their equipment under Federal control, we don’t expect to see any comebacks.
Source Article: http://goo.gl/2cQTz

Ensuring Online Banking Security

Phishing Attacks Target Chase and Barclays Accounts
By Tracy Kitten, January 15, 2012.


Accountholders at Chase in the United States and Barclays in Britain have been the targets of a rash of targeted phishing schemes.

Researchers at security firm GFI Software last month discovered customers at Chase had been targeted by phishing e-mails that provided links to spoofed Web pages that requested users submit sensitive online banking details.

The firm also discovered phishing hits aimed at Barclays, though the nature of the attacks differed a bit. In Barclays' case, GFI reported that fraudulent warning e-mails about account suspensions had been sent to Barclays' users. The e-mails, feigning to be security alerts from the bank, claimed that attempts to access online accounts had exceeded limits set by the bank, suggesting hackers had been attempting to break in. Attachments contained in the e-mails asked recipients to provide confidential data to reactivate their online accounts.

The attacks against Chase and Barclays were not rare. Targeted schemes, better known as spear phishing, are common. Similar attacks have been waged against NACHA - The Electronic Payments Association and the Federal Deposit Insurance Corp., just to name two. [See FBI Warns of New Fraud Scam.]

Banks: Cyberfraudsters' Aim
Targeted attacks aimed directly at banks and banking accounts are becoming more standard as well. Last month, the Federal Bureau of Investigation and the U.S. Attorney for the District of Connecticut indicted 14 Romanians for their involvement in an identity-theft scheme that relied on phishing attacks to steal online banking credentials from customers at Connecticut-based People's Bank. Customers at Citibank, Capital One, Bank of America, JPMorgan Chase, Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo, eBay and PayPal also were targeted. [See 14 Indicted in Phishing Scheme.]

Recommendations and the Need for Layered Security
Fraudsters have proven they can get around basic authentication techniques, including two-factor authentication. [See Ramnit Worm Threatens Online Accounts.]

The need for enhanced user authentication served as the catalyst for updated online authentication guidance from the Federal Financial Institutions Examination Council, which took effect this month. Federal banking regulators say banks and credit unions need to ensure they layer security measures, meaning user authentication must go beyond mere logins and passwords.

But a greater concern is online user behavior, since most consumers use the same login names and passwords for multiple accounts, including bank accounts. [See The Real Source of Fraud.]

That universal use of logins and passwords allows cybercriminals to piece together information that can later be used to compromise online credentials. "User names for social websites are often searchable using typical search engines and often the corresponding e-mail addresses are in plain view for casual Internet users and thieves alike to see," says John Buzzard, who monitors phishing attacks and skimming trends for FICO's Card Alert Service.

Fortunately, most phishing schemes are relatively easy to thwart, if practical precautions are taken. "It's rather surprising to keep reading stories about phishing vulnerabilities since phishing varietals have been around since at least 2005," Buzzard says.


Banking institutions can mitigate risks associated with phishing schemes by implementing tried and true best practices that limit exposure to a variety of Internet fraud types. Buzzard recommends institutions:

Provide timestamps for online-banking sessions. Accountholders can look at timestamps to see when the last, and potentially, unauthorized log-in occurred.

Deliver daily account alerts. "Consumers love the ability to establish their own rules so that they can be alerted to ATM withdrawals and daily balances," Buzzard says.

Leverage online banking websites for the delivery of important consumer messages. "A simple email alerting the accountholder that a critical communication is waiting for them inside of their online banking account really is an effective means to ensure that the consumer cannot only view but trust the communication's content," he says.

Avoid e-mailing links. Financial institutions want to discourage consumers from clicking links. When e-mailing correspondence, just inform them to visit the official online-banking site. "Your customer knows how to find their online banking website and they already know how to reach you by phone," Buzzard says.

Source Article: Banking Info Security http://goo.gl/PH0vD

Email and web scams: How to help protect yourself

When you read email or surf the Internet, you should be wary of scams that try to steal your personal information (identity theft), your money, or both. Many of these scams are known as "phishing scams" because they "fish" for your information.


How to recognize scams
New scams seem to appear every day. We try to keep up with them in our Security Tips & Talk blog. To see the latest scams, browse through our fraud section. In addition, you can learn to recognize a scam by familiarizing yourself with some of the telltale signs.

Scams can contain the following:

Alarmist messages and threats of account closures.

Promises of money for little or no effort.

Deals that sound too good to be true.

Requests to donate to a charitable organization after a disaster that has been in the news.

Bad grammar and misspellings.

For more information, see How to recognize phishing emails and links.

Popular scams
Here are some popular scams that you should be aware of:

Scams that use the Microsoft name or names of other well-known companies. These scams include fake email messages or websites that use the Microsoft name. The email message might claim that you have won a Microsoft contest, that Microsoft needs your logon information or password, or that a Microsoft representative is contacting you to help you with your computer. (These fake tech-support scams are often delivered by phone.) For more information, see Avoid scams that use the Microsoft name fraudulently.

Lottery scams. You might receive messages that claim that you have won the Microsoft lottery or sweepstakes. These messages might even look like they come from a Microsoft executive. There is no Microsoft Lottery. Delete the message. For more information, see What is the Microsoft Lottery Scam?

Rogue security software scams. Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure you into participating in fraudulent transactions. These scams can appear in email, online advertisements, your social networking site, search engine results, or even in pop-up windows on your computer that might appear to be part of your operating system, but are not. For more information, see Watch out for fake virus alerts.

How to report a scam
You can use Microsoft tools to report a suspected scam.

Internet Explorer. While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.

Hotmail. If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Hotmail inbox. Click Mark as and then point to Phishing scam.

Microsoft Office Outlook. Attach the suspicious email message to a new email message and forward it to reportphishing@antiphishing.org. To learn how to attach an email message to an email message, see Attach a file or other item to an email message.

You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

What to do if you think you have been a victim of a scam
If you suspect that you've responded to a phishing scam with personal or financial information, take these steps to minimize any damage and protect your identity.

Change the passwords or PINs on all your online accounts that you think might be compromised.

Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.

Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.

If you know of any accounts that were accessed or opened fraudulently, close those accounts.

Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.

Identity theft protection tools to help you avoid scams
Microsoft offers several tools to help you avoid phishing scams when you browse the web or read your email.

Windows Internet Explorer. In Internet Explorer, the domain name in the address bar is emphasized with black type and the remainder of the address appears gray to make it easy to identify a website's true identity.



The SmartScreen Filter in Internet Explorer also gives you warnings about potentially unsafe websites as you browse. For more information, see SmartScreen Filter: frequently asked questions.

Windows Live Hotmail. Microsoft's free webmail program also uses SmartScreen technology to screen email. SmartScreen helps identify and separate phishing threats and other junk email from legitimate email. For more information, see SmartScreen helps keep spam out.

Microsoft Office Outlook. The Junk E-mail Filter in Outlook 2010, Outlook 2007, and other Microsoft email programs evaluates each incoming message to see if it includes suspicious characteristics common to phishing scams. For more information, see How Outlook helps protect you from viruses, spam, and phishing.

Source Article: Microsoft http://goo.gl/3VjyL

Our bad habits put us at risk

AUSTRALIA has a heightened chance of slipping into a recession this year after using up most of its ammunition to dodge the global downturn caused by the 2009 recession, economists warn.

JP Morgan chief economist Stephen Walters said our good fortune had left us with bad habits making us more vulnerable.

While Europe and the US had been forced to make long-term economic changes in recent years, Australia still has high levels of household debt and inflated house prices.

He also warned our present positive exposure to China could quickly turn if the Asian economy stumbled.

"The problem is that Australia still carries the same vulnerabilities as it did four years ago," Mr Walters said. "Most other countries went through a recession, which flushes out weaknesses.

"The vulnerabilities we have don't make a recession more likely, but it means a recession would be more painful than if we had shaken off our excesses now."

After 22 years of growth, Mr Walters warned a cyclical recession was expected within the next decade.

He said the RBA should use its monetary policies to target the disparity between house prices and income and push households to continue paying down their debts.

Mr Walters said Australia was right to reap the benefits of exports to China while it could, but should not view Asia as a permanent cash cow.

Source Article: Herald Sun http://bit.ly/y8xX7B

Stratfor reopens website

By Kirk Ladendorf | Wednesday, January 11, 2012, 09:39 AM 


Stratfor, the Austin company that took its website down on Christmas Day after a hacking attack, has reopened the site with bolstered security.
A hacker group called Anonymous claimed credit for the attack and took credit card information belonging to thousands of customers. Some of those credit cards were used to make donations to non-profit groups, including the Red Cross.
Stratfor, which provides geopolitical analysis, said its servers had been damaged in the attack. The company retailed Sec Theory, an Internet security firm, to rebuild its website, email system and internal infrastructure. It also hired CSID, an Austin company that protects against identity theft, to work with its customers at Stratfor’s expense.
The company also has built a new section of its website to tell its story of the hacking attack. The company said it will move its entire e-commerce process to a highly secure third-party system, which will eliminate the need for Stratfor to store credit card information in-house.
The company also hired Verizon Business to conduct a forensic review of the hack and it continues to cooperate with an FBI investigation.
“We did not encrypt credit card files,” said Stratfor CEO George Friedman of the company’s practice before the attack. “That was our failure. As the CEO of Stratfor, I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.”
By some estimates about 75,000 customers names, addresses and credit card numbers were exposed. One cyber security analyst, John Bumgarner, told the Los Angeles Times that thousands of those names exposed included military personnel, while 212 email addresses were from the FBI and dozens more from the National Security Agency and the Central Intelligence Agency.
The company said its website will be free and accessible for all on a temporary basis, but it will contain only the company’s most recent reports. All archived files will be gradually restored.
Over the next few weeks, the company will communicate with subscribers about how to obtain new, secure passwords and safely engage in credit card transactions.

Source Article: http://goo.gl/AKoI2

Man gets a year in prison for hacking, wiping medical competitor's computer

By Fran Jeffries
The Atlanta Journal-Constitution

An Atlanta man has been sentenced to serve a year and a month in prison for hacking into a competing medical practice's computer to try to lure away patients.

Eric McNeal, 38, was charged with accessing a computer without authorization, including taking patients' personal information in order to send them marketing materials. He pleaded guilty to the charge on Sept. 28.

According to prosecutors, McNeal, an information technology specialist, worked for Atlanta Perinatal Associates, a medical practice in Atlanta. He left that company in November 2009 and went to work for a competing perinatal medical practice in the same building.

In April 2010, McNeal used his home computer to hack into his former employer's patient database. He downloaded the names, phone numbers and addresses of its patients, and then deleted patient the information from his former employer's system.

McNeal then used the patient names and contact information to launch a direct-mail marketing campaign to benefit his new employer. There is no evidence that McNeal downloaded or misused specific patient medical information, prosecutors said.

“Anyone who gives their personal information to a doctor or medical facility does not expect that their information will be hacked and used to make money," said U.S. Attorney Sally Quillian Yates. "This is cybercrime. Electronic information is bought, sold and stolen, often by someone who knows a system and, with a few keystrokes, makes our community vulnerable.”

Source Article: http://goo.gl/axgwz

5 reasons cybersecurity matters to small businesses

By Heather Clancy | December 28, 2011, 4:09am PST

Summary: Small businesses often think they are ‘too small’ to be worth hackers’ notice, but that assumption could be devastating.


On Christmas Day, perfectly timed for the traditionally slow news week that leads into New Year’s Eve, the cyber hacktivist group Anonymous apparently hacked the Web site and internal servers of security consulting and risk management advisory firm Stratfor.

Soon thereafter, the alleged attackers began publishing all sorts of confidential information, including the names of the company’s clients. What’s more, someone started using the credit card information obtained during the breach to make charitable donations in a vaguely Robin Hood-esque tradition.

Although the subsequent attacks that were threatened apparently have not come to pass, or least haven’t yet been disclosed publicly, the incident caps a year of pretty serious cyberhacking. Sony and RSA were just two of the big companies embarrassed by extremely public incidents. As I was reading up on this topic, I discovered that there were 760 attacks in the past decade by just one Chinese firm. That’s just one nasty organization. That should give you pause, because I can assure you there is more than one person out there in the world who would love to create trouble for your business.

So, even though I’ve already written about essential technologies for investment by small businesses in 2012, security is absolutely positively the most important infrastructure that small companies need to make.

Here are 5 reasons why:

Smaller companies are more likely to be attacked than bigger ones. Don’t believe me? Symantec.com, which keeps statistics on this sort of thing, suggests that 40 percent of attacks are against organizations with fewer than 500 employees, versus 28 percent against bigger companies. Remember, there are lots of people who could make trouble this way. Not just big groups with something to provide like Anonymous or LuluSec, but disgruntled former employees or business partners.

Breaches are potentially business-ending events. Depending on the statistics you believe, the average cost of a breach or cybersecurity incident is about $190,000. Do you have that sort of money to lose? Even more serious: about half of small businesses still don’t back up their data, so what is lost is lost forever. Which means your business might be lost forever. The Federal Communications Commission has published a useful cybersecurity guide you might want to consult.

Can you be sure you are properly controlling the access of your employees and business partners? This will only be a bigger factor, as personal tablets and smartphones become more commonly used as business tools. Improperly managed client-side software is one of the biggest known cybersecurity threat, allowing people to see information that they really shouldn’t be able to see AND allowing rogue malware to enter your infrastructure. I am dealing with an problem like this right now. Even though certain files I post to my non-profit’s web site are “gated,” for some reason, they can be accessed publicly if the right link shows up in a Google search.

Attacks could ruin your company’s reputation. I know that they say all publicity is good publicity, but think about how embarrassed Stratfor must be this week. After all, this is a security consulting company. According to the reports about the incident, the reason that the hackers were able to steal so much data — up to 200 gigabytes — and make use of it was because certain information was not encrypted. Stratfor should have known better, and so should your company.

Your company could be putting its best customers at risk. In assessing the security risks for their business, some owners and managers fail to consider that it isn’t just your own data you need to worry about, it is that of your customers. Anyone involved in healthcare already has this mantra beaten into their brain, but any company that engages in business-to-business activity with much larger businesses needs to consider their needs as the driver for their own security plans.

Article Source: ZDNet... http://t.co/vemfIXLt via @HeathClancy

5 top cyber threats for 2012

CBC News Posted: Jan 3, 2012 1:31 PM ET 

As cybercriminals improve their toolkits and malware, they’re moving away from hacking personal computers to mobile devices, as well as plotting other more sophisticated attacks, according to a report on the top cyber threats for 2012.

“Many of the threats that will become prominent in 2012 have already been looming under the radar in 2011,” Vincent Weafer, senior vice president of McAfee Labs, a technology company and subsidiary of Intel Corp., said in a release

The five top cyber threats as seen by McAfee are:

Attacking mobile devices: Techniques used in the past for online banking, such as stealing from victims while they are still logged on, will now target mobile banking users.

Embedded hardware: Embedded systems, which are designed for a specific control function within a larger system, are commonly used in vehicles, GPS systems, medical devices, routers, digital cameras and printers. Hackers with access to malware that attacks the hardware layer of such systems will gain control and long-term access to the system and its data.

Industrial attacks: Many of the environments where SCADA (supervisory control and data acquisition) systems are deployed — such as water, electricity, oil and gas utilities — don’t have sufficiently stringent security practices, leaving them vulnerable to blackmail or extortion.

"Legalized" spam: While global spam volumes have dropped in recent years, legitimate advertisers are now using the same techniques, such as purchasing email lists of users who have consented to receive advertising, or purchasing consumer databases from companies going out of business. “Legal” spam is expected to grow at a faster rate than illegal phishing and confidence scams on the internet.

Online/frontline hacktivisim: McAffee predicts the true Anonymous group will reinvent itself or die out, and those leading digital disruptions will join forces with physical protesters to target public figures such as politicians and business leaders.

Biggest security threats in 2012 are cyber espionage, privacy violations

By P b, Jan 02, 2012 03:32 PM

Cyber espionage, along with privacy violations and social networking attacks facilitated by the increased use of mobile and tablet devices, will be the source of increased security threats over the coming months. This was revealed by PandaLabs, Panda Security's anti-malware laboratory in its predictions for top security trends to watch out this year.

Cyber espionage targeting companies and government agencies around the world will dominate corporate and national information security landscapes, and jeopardise the integrity of classified and other protected information. Trojans are expected to be the weapon of choice for hackers focused on these highly-sensitive targets.

"We live in a world where all information is in digital form and is easily accessible if you know how. Today's spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access even the best-kept secrets of organizations without ever leaving their homes," said Luis Corrons, Technical Director of PandaLabs.

Consumers will continue to be targeted by cyber criminals as they find ever more sophisticated ways to target social media sites for stealing personal data. Social engineering techniques exploiting users' naiveté have become the weapon of choice for hackers targeting personally-identifiable information.

"Social networking sites provide a space where users feel safe as they interact with friends and family. The problem is that attackers are creating malware that takes advantage of that false sense of security to spread their creations," said Corrons.

Article Source: http://flpbd.it/nrq3 #infosec #hack #cybersecurity via @ECCOUNCIL

What to Do If Your Online Account's Been Hacked.

Credit: Dreamstime

Dylan Valade owns a Web design and software business. As part of his business, he deals with Web and network security issues every day.

One day, Valade received a confirmation email from a brokerage account letting him know that a trade had been made. That would have been fine, except for one thing.

"In this case, a stock had been sold that I did not sell," Valade said.

Recognizing that the account had been compromised, Valade changed all of his passwords immediately.

"My brokerage account was closed and a new one was opened," he added. "The equities were transferred to the new account, with a new login and password."

Valade's experience happened on a brokerage site, but any online account can be a target.

"The most valuable targets are financial services like PayPal, online bank accounts and investment accounts," explained Morgan Slain of Los Gatos, Calif.-based SplashData. "Facebook, LinkedIn, and other social networking sites are increasingly common targets. Online email accounts, including Gmail and Yahoo! Mail, are often hacked too."

The most sophisticated hackers actually don't target individual accounts, but instead go after repositories of account data on servers owned by large organizations, which is why companies such as Sony and Epsilon, a major email forwarder, are targeted.

What the hackers are looking to steal depends on the type of account they are hacking into. When banks or financial services such as PayPal are targeted, the objective is to steal money.

"But often the hacker has a larger objective than attacking one individual," said Lance James, director of intelligence at New York's Vigilant. "In most cases, they're gaining access to email or social network accounts specifically to enable further distribution of their activity, or to steal information that will give them access to other places — potentially more valuable places. For example, a hacker might conduct a series of intrusions with the aim of getting into an employer's payroll system."

If one of your online accounts has been hacked, it compromises the overall integrity of your computer, James added. This comes with two primary manners of impact.

"First, if there [was] personal or confidential information on that system, the owner must assume it has been hijacked by criminals," he explained. "This could have long-lasting effects including identity theft, credit fraud, bank account theft and misplaced trust between friends and associates.

"Second — in some ways more detrimental in terms of reach — that compromised computer can be used to launch attacks against others, expanding the sphere of impact geometrically," James said. "It is therefore the responsibility of organizations and every individual to take precautions wherever they can."

The surest sign that your account has been compromised is unusual activity.

"For a financial account like PayPal, the most obvious sign that your account has been compromised are suspicious transactions," said Kevin McNamee, security architect at Kindsight of Mountain View, Calif. "You should regularly check your account to look for any unauthorized transactions and report them immediately.

"For social networking services like Facebook," McNamee added, "you may notice unusual activity on your wall, but the most likely indication that something is wrong is when your friends ask why you've been sending them unusual links and email messages."

Some things to look for, according to Chris Boyd, senior threat researcher at GFI Software of Cary, N.C., include:

— Friends are asking you about random requests for money or messages that you've apparently sent them, claiming that you're stranded somewhere – for example, messages saying you got mugged in London. Scammers use this tactic for financial fraud. This is an especially popular tactic where compromised Facebook accounts are concerned, due to exploiting the trust of friends and family.

— Strange messages are posted from your Twitter account promoting websites and offers that you're unaware of.

— You find you're selling items on eBay that you didn't list.

If you find that one of your accounts has been compromised, the first step is to ensure that no additional damage can be done, McNamee suggested.

If you still have access to the account, change the password immediately. And then change the passwords to other online accounts, especially for any accounts that share an email address and/or a password with the compromised account.

Also, said McNamee, contact the organization that operates the service and let them know that your account has been compromised.

"Their website will provide information on how to report a problem and regain control over your account," he said.

If the account that was compromised held any financial data or credit/debit card information, James said it's best to contact the financial institutions and cancel the cards.

Even the most vigilant computer user is at risk for an attack. But Asaf Greiner, vice president of products at Sunnyvale, Calif.'s Commtouch, provided the following tips that will keep your accounts less vulnerable to a hacker:

— Use different passwords for different accounts, so if you lose one, you don't lose them all.

— Use strong passwords (e.g. ones that are hard to guess), especially with more valuable resources, such as bank accounts. When possible, use multiple-factor authentication, as with a code-number-generating token. If you find passwords hard to remember, use a password vault application to remember them for you.

— Install all recommended software patches and updates – and anti-virus software – on machines you manage.

— Don't log into valuable accounts from public machines or from unencrypted Wi-Fi networks.

Article Source: http://www.securitynewsdaily.com/what-to-do-if-your-online-accounts-been-hacked-0897/ vía @Security_SND

Alfredo Cedeno
IT Security Advisor

+61 452 066 638
Sent from my iPad

Stratfor Hack Shows Even Experts Use Awful Passwords

Credit: Strategic Forecasting, Inc.

Anonymous' massive year-end attack on the global-security consulting firm Stratfor showed that even top-tier executives at the world's largest corporations don't have a clue about the importance of a strong password.

On Dec. 24, Anonymous announced it had hacked into the Austin, Texas, think tank Strategic Forecasting Inc. (Stratfor) and stolen thousands of private email addresses and credit-card details from the firm's clients and recipients of its emailed newsletters, which include Boeing, Bank of America, Chevron, AIG, Sony, HSBC, Wells Fargo, Google, the United Nations and all four branches of the U.S. military.

Five days later, Anonymous published the list of more than 859,311 email addresses, 860,160 hashed passwords, 68,063 credit cards and 50,569 phone numbers, Identity Finder reported.

Stratfor offers free subscriptions to some of its emailed newsletters. Most of its products must be paid for, including in-depth reports and custom consultations.

Cybersecurity expert Johm Bumgarner told the Los Angeles Times that among the email addresses and credit-card numbers were some belonging to former U.S. Secretary of State Henry Kissinger and former U.S. Vice President Dan Quayle. (SecurityNewsDaily could not verify that assertion.)

Using a computer-automated password-cracking tool called Hashcat, the tech-news site the Tech Herald sifted through the leaked logs to see what type of passwords Stratfor's clients and subscribers used to keep their sensitive accounts secure. The results, Tech Herald security editor Steve Ragan wrote, were "both expected and pitiful."

Stratfor clients used easy-to-guess passwords such as, "123456, "11111111," and "123123." Other terribly insecure passwords: "111222333444," "12345678901," "administration," "123456789abc," "12345stratfor," "hello123," "lawenforcement" and "intelligence."

A batch of weak passwords played off the word itself, including, "password1234," "password101," "password123," "password122" and "Password999." In just under five hours, Haschat was able to crack 81,883 of the 860,160 leaked passwords.

"In the time it took to watch a movie, Hashcat smashed more than 80,000 passwords," Ragan wrote. "How many of those cracked passwords and leaked email accounts can be used to stage a larger attack on the organizations contained within the list? We're not going to test that, obviously, but someone will."

Ragan said Stratfor's online registration process recommends users create passwords at least six characters long, including at least one number. Out of all the passwords successfully deciphered, 23,440 consisted of six characters, 15,394 had seven characters and 21,080 had eight characters.

Security experts recommend building long, complex, case-sensitive passwords with multiple characters. Stratfor clients clearly did not heed that advice; only 1,411 of the leaked Stratfor passwords had 11-character passwords. The number of passwords dropped off even more as the character length increased: There were 627 people with 12-character passwords, and only 165 had passwords with 13 characters.

If you're wondering whether your password, email address or credit card information was exposed in Anonymous' attack on Stratfor, Dazzlepod has created a free search tool that will scour the leaked info for you and let you know if you need to worry.

Source: http://www.securitynewsdaily.com/stratfor-hack-shows-even-experts-use-awful-passwords-1461/ vía @Security_SND

How strong is your privacy?

Check your password—is it strong?
Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.

What is a strong password?
The strength of a password depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary. It should be 8 or more characters long.

Protect yourself from #identitytheft by using strong passwords. Check the strength of your password: https://www.microsoft.com/security/pc-security/password-checker.aspx via @msftsecurity

OLYMPIC TRUST LOTTERY Scam

The following is an example email for this lottery scam. Please forward all lottery emails to scams@fraudwatchinternational.com



OLYMPIC TRUST LOTTERY
Ref. Number: 639/898/116
Batch Number: 430456543-FD22


Sir/Madam,

We are pleased to inform you of the result of the OLYPIC TRUST LOTTERY International programs held on the 6th April 2004. Your e-mail address attached to ticket number 44676546546-2243 with serial number 8645-645
drew lucky numbers 9-43-76-44-31-85 which consequently won in the 1st
category, you have therefore been approved for a lump sum pay of US$ 1,000,000.00
(One Million United States Dollars)
CONGRATULATIONS!!!

Due to mix up of some numbers and names, we ask that you keep your
winning information confidential until your claims has been processed and your
moneyRemitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by someparticipants. All participants were selected through a computer ballot system drawn from over 20,000 company and 30,000,000 individual email addresses and names from all over the world. This promotional program takes place every three year.This lottery was promoted and sponsored by Bill Gates, President of the World Largest software, and other notable businessmen, we hope with part of your winning you will take part in our next year USD50 million International lottery.

To file for your claim, please contact our fiducial agent MR. VAN TOM of the, Standard Trust Agency TEL +31-612-187-410
Email: standardtrust101@netscape.net
Remember, all winning must be claimed not later than 15th of May 2004.
After this date all unclaimed funds will be included in the next stake. Please note in order to avoid unnecessary delays and complications

Please remember to quote your reference number and batch numbers in all correspondence. Furthermore, should there be any change of addresses do inform our agent as soon as possible.

Congratulations once more from our members of staff and thank you for
being part of our promotional program.

Note: Anybody under the age of 18 is automatically disqualified.

Sincerely yours,
Mrs. Claudia Betty
Lottery Coordinator