STE WILLIAMS

Oxford Uni opens infosec ivory tower in Melbourne

The State of Victoria is cementing its place as Australia’s security hub with the launch of an Oxford University national infosec risk centre in Melbourne.

The Global Cyber Security Capacity Centre will perform “audits of national cyber security risks and capabilities” to help Australia plan investments and strategies.

It aims to work on the biggest and hardest security issues.

The office will be co-located with a centre bringing in security talent from eight Victorian universities, making it something of an academic security think tank.

Local academics under the Oceania Cyber Security Centre will focus on education, research, and entrepreneurship.

The Australian state also signed a memorandum of understanding with the nation’s lauded research house the CSIRO (Commonwealth Scientific and Industrial Research Organisation) that it would move its security headquarters to the city, currently best known for its coffee, culture and slavish devotion to odd forms of football.

It follows the planned opening of the nation’s national broadband network computer operations centre in Melbourne with some 400 tech roles to be created.

Victorian small business minister Philip Dalidakis says the Oxford opening is a credit to the state’s tech talent.

“Their decision to locate their first Global Cyber Security Capacity Centre international office in Melbourne is a huge vote of confidence for Victoria’s tech sector,” Minister Dalidakis says.

“Cyber security is crucial to safeguarding our fast growing digital economy, it is now worth A$71 billion a year globally, and the Andrews Labor Government is working hard to keep Victoria at the forefront.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/oxford_uni_opens_infosec_ivory_tower_in_melbourne/

Patch now! Joomla attacked in remote code execution blitzkrieg

Joomla has slung a patch to crush a critical eight-year-old remote code execution vulnerability under active exploitation by attackers.

Sucuri threat man Daniel Cid says hundreds of attacks are now taking place, having ramped up from a mere handful Saturday.

“This is a serious vulnerability that can be easily exploited and is already in the wild,” Cid says.

“If you are using Joomla, you have to update it right now.

“The wave of attacks is even bigger, with basically every site and honeypot we have being attacked [which] means that probably every other Joomla site out there is being targeted as well.”

The then zero day must have been a treat for attackers; Joomla is the web’s most popular content management system having been downloaded more than 50 million times and used by the likes of eBay, the United Nations, Barnes and Noble, and Peugeot.

Joomla warns in an advisory that all versions above 1.5 are affected, meaning web admins must upgrade to the patched version 3.4.6.

“Browser information is not filtered properly while saving the session values into the database which leads to a remote code execution vulnerability,” it says.

Cid says the attackers are running object injection through the HTTP user agent, with exploits coming from the IP addresses 74.3.170.33, 146.0.72.83, and 194.28.174.106.

He urges admins to check logs. And patch, ASAP. ®
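One way to run the log check urged above, as an added example that is not from the article, Joomla or Sucuri: it flags requests from the three source addresses listed and any User-Agent carrying a PHP serialized-object marker. The combined log format, the marker regex and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Source addresses the article attributes to the exploit traffic.
REPORTED_IPS = {"74.3.170.33", "146.0.72.83", "194.28.174.106"}

# Assumption: logs are in Apache/nginx "combined" format. Quoted fields may
# contain backslash escapes, so a plain [^"]* would cut the field short.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})"'
)

# PHP serialize() writes an object as O:<name length>:"<class>":<count>:{
# No browser sends that in a User-Agent, so a match is a strong signal.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')


class Finding(NamedTuple):
    line_no: int
    ip: str
    timestamp: str
    reasons: Tuple[str, ...]


def unescape(field: str) -> str:
    # Undo the quote escaping applied by nginx (\x22) and Apache (\").
    return field.replace("\\x22", '"').replace('\\"', '"')


def scan(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, 1):
        reasons = []
        m = COMBINED.match(line)
        if m:
            ip, ts = m["ip"], m["ts"]
            if ip in REPORTED_IPS:
                reasons.append("reported-source-ip")
            if SERIALIZED_OBJECT.search(unescape(m["agent"])):
                reasons.append("serialized-object-in-user-agent")
        else:
            # A line the parser rejects may be truncated or malformed on
            # purpose, so fall back to searching the raw text.
            parts = line.split()
            ip, ts = (parts[0] if parts else "?"), "?"
            if ip in REPORTED_IPS:
                reasons.append("reported-source-ip")
            if SERIALIZED_OBJECT.search(unescape(line)):
                reasons.append("serialized-object-in-unparsed-line")
        if reasons:
            findings.append(Finding(line_no, ip, ts, tuple(reasons)))
    return findings


# Constructed sample lines. The serialized object is a harmless placeholder;
# non-reported clients use documentation address ranges.
SAMPLE_LOG = [
    # 1: ordinary browser
    r'203.0.113.7 - - [14/Dec/2015:09:12:01 +0000] "GET /index.php HTTP/1.1" '
    r'200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    # 2: clean User-Agent, but a source address listed in the article
    r'74.3.170.33 - - [14/Dec/2015:09:13:44 +0000] "GET / HTTP/1.1" '
    r'200 5120 "-" "Mozilla/5.0"',
    # 3: Apache-style escaping of quotes inside the User-Agent
    r'198.51.100.23 - - [14/Dec/2015:09:14:10 +0000] "GET / HTTP/1.1" '
    r'200 5120 "-" "O:12:\"ExampleClass\":0:{}"',
    # 4: nginx-style escaping of the same characters
    r'192.0.2.50 - - [14/Dec/2015:09:15:31 +0000] "GET / HTTP/1.1" '
    r'200 5120 "-" "O:12:\x22ExampleClass\x22:1:{s:1:\x22a\x22;i:1;}"',
    # 5: truncated line that the combined-format parser rejects
    r'198.51.100.99 - - [14/Dec/2015:09:16:02 +0000] "GET / HTTP/1.1" '
    r'200 "O:12:\"ExampleClass\":0:{}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip} [{f.timestamp}] {', '.join(f.reasons)}")
```

A hit on the address list alone only shows the client connected; a serialized-object hit is the stronger indicator and should be followed by a review of the site's session table and files.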


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/joomla_vuln/

Twitter Says Nation-State Hackers Targeted Some Accounts

Social media giant warns a small number of users that attackers appear to have been after their information.

Dozens of activists, researchers, nonprofits, and journalists have been warned by Twitter that their accounts on the social media site have been targeted by nation-state hackers.

In an unprecedented move, Twitter has alerted some users that nation-state sponsored attackers may have attempted to steal their account information — such as email address, IP address, and phone numbers. None of the small number of Twitter user accounts targeted appear to have been successfully breached, however, according to the alert.

Canadian nonprofit Coldhak said it was alerted by Twitter on Friday of the attack attempts, and its CEO told Reuters the organization hasn’t experienced any effects of the attack attempts on its @coldhacka account.

The email from Twitter said, in part: “At this time, we have no evidence they obtained your account information, but we’re actively investigating this matter. We wish we had more we could share, but we don’t have any additional information we can provide at this time.”

Coldhak is keeping a running list of Twitter users reporting that they were alerted of the attacks.

Twitter apparently is following a strategy and policy similar to those of Google and Facebook, which warn their users of any state-sponsored hacking attempts.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/twitter-says-nation-state-hackers-targeted-some-accounts/d/d-id/1323556?_mc=RSS_DR_EDT

Internet Of Things Christmas Security Survival Guide

Here’s how CISOs, security researchers, and all security-minded folks in between can channel their healthy paranoia into helpful ways of protecting friends and family from IoT gifts.

The Internet of Christmas is in full effect. With the holiday shopping shifted into full gear, consumers are filling their carts and their wish lists with a dizzying array of super connected Internet of Things devices. Among those legions are undoubtedly plenty of friends and family members of security professionals.  

It is enough to give just about any security professional more than a few grey hairs. There’s nothing more discouraging after a work week nagging colleagues to follow security policies and good security hygiene than to visit a relative who is exposing their home network through their newfangled smart TV.

But it’s happening, and after this shopping season, it’s bound to get worse. The experts with the Online Trust Alliance (OTA) estimate that 50 million connected devices will be sold over the holidays this year. That includes fitness devices, televisions, and kids’ toys under the tree. It also includes those thermostats and appliances people pick up before relatives come visit.  

“That’s 50 million opportunities for data and home network compromises as well as privacy abuses,” said Craig Spiezle, executive director and president of OTA. “Consumers should not have to pay twice—once with their credit card and then again in perpetuity with their personal data, identity and safety.”

Last week, the OTA released some guidance in the form of a checklist meant to help consumers before and after they’ve picked up IoT devices over the holidays. We’ve cherry-picked a few of the most relevant tips for security executives looking for a cheat sheet when offering advice and troubleshooting for friends and fam over the holidays. If you’re looking for a boilerplate speech to give to people who say, “Hey, you know about this security stuff, what do you think of this device?” then this is it:

 

Make Sure It’s Returnable

If you get your hooks into friends and family early on, you can keep them from making IoT gaffes in the first place. OTA suggests consumers check out a device’s warranty and support policies to make sure the manufacturer actually patches its products. Additionally, it suggests consumers confirm that they can return devices for a refund after they’ve unboxed them and realized that they don’t offer enough security for their needs.

 

Patches Aren’t Just For Clothes–Unless They’re Wearables

When manufacturers do update devices, consumers need to be ready to patch. This means that gift recipients need to register devices so they know when updates are available.

 

App Stores Are Best

Advise your friends to download device apps directly from the manufacturer’s official site whenever possible, the OTA says. And be sure to check the permissions on those apps, so they’re not hoovering up data!

 

TV Stations Can Be Promiscuous, Smart TVs Shouldn’t Be

Permissions and connectivity are the two big privacy killers for IoT devices. OTA recommends that devices be connected directly through a wired connection, preferably through a guest network if the consumer’s router supports that. They should be guarded by a firewall, and remote access should probably be disabled when not needed. Perhaps even more importantly, consumers should harden permissions settings for data collection and sharing policies with third parties.

 

Mic Drop

Speaking of permissions–perhaps some of the most sensitive data collection can be done using on-board microphones and cameras. This can be avoided by disabling these features when not in use. It might even be best to remove the camera or flip it to face a wall if it is not used regularly.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/endpoint/internet-of-things-christmas-security-survival-guide/d/d-id/1323563?_mc=RSS_DR_EDT

Exploit upgrade for Microsoft Word Intruder crimeware kit

Microsoft Word Intruder, or MWI for short, is a toolkit for sneaking malware onto your computer using booby-trapped Word files.

The idea is that instead of sending you an email with a link you have to click, crooks can send you an innocent-looking document with a believable backstory, such as a courier parcel that couldn’t be delivered, or a bogus invoice, or a fake quotation.

Documents are supposed to be data, not programs, so it ought to be safe to open them to see what’s inside.

But exploit kits like MWI can create documents that are unsafe to open, at least if you haven’t patched Word recently, because they deliberately trigger a bug, or vulnerability, which causes hidden program code inside the booby-trapped file to run without any prompts or warnings.

MWI can build booby-trapped files on demand, primed with malware that will be installed silently when the document is opened.

The author of MWI, known as Objekt, offers a service to other cybercriminals, packaging their malware into exploit files, so they don’t need to become experts in Word files or exploits themselves.

We’ve been following Objekt’s business operation for a while, and we have already written about both the MWI tool and some of the malware campaigns it has serviced.

In the past, MWI used a combination of older Office exploits known as CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761.

But we reported recently that a new exploit, dubbed CVE-2015-1641, had found its way into the daily routine of cybercrime groups.

A new exploit is always of interest to malware authors, because it extends their reach: they can now attack users who have patched recently, even if they can’t infect users who are completely up-to-date.

So it was just a question of time as to when Objekt would integrate the CVE-2015-1641 exploit into his MWI “cybercrime service”.

That moment has now arrived.

In fact, the document we analysed for this article used only the new CVE-2015-1641 exploit, with the three older exploits removed altogether.

The implementation of the exploit uses a very similar approach to the one we described in our earlier writeup, in which the malicious code triggered by the exploit is deliberately scrambled inside the booby-trapped file, thus making its presence less obvious.

We have seen one sample using this method:

SHA1: 0f09717cd8a1b64de47e4b54913c2953a0a6f55c
Name: Прайс.doc

The filename is in Russian, and translates as Price.doc, a good filename to go with an email that claims to be a quotation.

If you open the above sample in an unpatched version of Word, the exploit will covertly install software called LiteManager on your PC.

LiteManager is a remote administration tool, the sort of program that is often used purposefully by IT departments and support staff for legitimate remote support.

But tools of this sort, if installed illegally and covertly by crooks, aren’t there to help you if you get stuck or have technical problems.

They’re there to allow unlawful access for criminal purposes, anywhere from sending spam and attacking other websites to stealing personal or company documents and passwords.

To make the software less obvious, and to give it an air of legitimacy if you should notice it, MWI installs it into the folder:

%PROFILE%\AppData\Roaming\Microcoft\Update

WHAT NEXT?

Microsoft Word Intruder is an exploit generator under constant development.

Office exploits are added to it irregularly, when older exploits become less effective as unpatched computers either get patched at last, or get infected and end up reinstalled with more recent software.

Even the old exploits in MWI had a 15-50% success rate, so with the new exploit in place, we can expect higher infection rates for malware campaigns using MWI.

MWI was not the first exploit generator to adopt the CVE-2015-1641 exploit, but is nevertheless a reminder that cybercriminals are not resting.

We should not rest either in our defensive efforts – and that includes patching!

If you haven’t been reading Naked Security’s Advent Tips series for December 2015, why not start with our reminder about the importance of updates?


Sophos products detect MWI-generated documents that use this exploit as Troj/20151641-A. Note that LiteManager is a legitimate application, ripped off and used unlawfully in this attack. Even though it is not malware, however, it can be blocked by Sophos Application Control, along with many other potentially risky tools. Sophos identifies it as AppC/LiManS-A.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D0w8VIaI204/

Twitter warns users of state-sponsored hacking

Twitter has sent warning messages to a small number of users it suspects have come under attack from state-sponsored hackers.

Canadian non-profit Coldhak was one of the first to receive the notice from Twitter. The group, which specializes in improving privacy online and includes staff from the Tor project, told The Register that this is the first such warning the organization has received.

Twitter confirmed to El Reg that it had sent out the warnings, but declined to comment further. It’s not the first tech company to do so – Facebook said it would alert customers to nation-state attacks in October and Google has been doing so since 2012.

In Google’s case, the firm was reacting to a series of attacks against Western firms, including the Chocolate factory, carried out at the turn of the decade. This caused a major falling out with the Chinese government, whom Eric Schmidt blamed for the raids.

That state-sponsored actors are surveilling their citizens comes as no surprise. As we’ve seen with The Hacking Team and Gamma, there are plenty of governments who want to use technology to spy on their citizens, and Western companies willing to help them – for a fee. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/twitter_warns_users_statesponsored_snoops/

Steam tightens security to stem tide of 77,000 monthly hijackings

When it comes to virtual loot, gamers like bling.

Take weapon skins: as Rock, Paper, Shotgun’s Emily Richardson explains, when it comes to top-notch tactical fashion, for many players, drab, mud-hued camouflage doesn’t cut it.

Richardson:

[Weapon skins are] bright, they’re weird, they’re occasionally very expensive. Some of us don’t care for them, but many more do. They’ve been a phenomenal success, so much so that the rarest knives sell for more than the Steam wallet’s cap of $500, and betting and trading sites are springing up all over the web.

In other words, virtual loot is worth very real money, and it’s attracting gaming account hijackers like flies to honey.

Valve, the developers of the Steam online gaming platform that Richardson mentioned, said on Wednesday that account hijacking has become an epidemic, with “around 77,000 accounts hijacked and pillaged each month.”

Valve said that account theft has exploded since the service launched item-trading back in 2011:

With the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users.

It’s not just a few random attackers. At this point, it’s a flourishing criminal enterprise, the company said:

What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items.

The victims aren’t gaming newbies or naïve users, Valve said.

All users, regardless of how savvy or experienced they are, are up against a relentless force of hijackers who target every account, not just the ones whose owners don’t understand how to stay safe online, Valve said:

These are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.

To help gamers fend off scammers, Valve last month introduced a waiting period for gamers who wanted to trade items.

The idea was to slow down the thieves, preventing quick transfer or liquidation of the items while also giving users some time to discover that their account’s been compromised.

Granted, two-factor authentication (2FA) should help.

To that end, Valve created the Steam Guard Mobile Authenticator: a feature of the Steam mobile app that generates a new, random code every 30 seconds.

It works like other 2FA generators: users have to enter the random code at login, along with their password.

That should help to fend off would-be account hijackers, given that even if they’ve gotten their hands on a password, they won’t have the constantly updated, ever-changing code.

But although 2FA makes tons of sense, not all users can use it – for example, those who don’t have a mobile phone.

So while Valve thought that 2FA would protect anyone who could use it, it came up with these other changes for trades, all of which the company implemented on Wednesday:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
  • If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

The upshot: if you’re using 2FA, you can keep trading as always.

If not, you’ll have to wait up to 3 days for trades to go through, which will give you time to figure out if you’ve been hacked and to get your account back before intruders can steal your stuff.

At Naked Security, we talk about 2FA a lot.

We applaud companies that give this powerful tool to users, and we encourage users to plug it in when possible.

So kudos to Valve for these moves, which its post clearly shows were well thought out.

But remember, there are other steps to take to keep accounts from getting hijacked, including picking a strong, unique password – in other words, don’t reuse passwords.

Also, be wary of clicking on what could be phishy links in emails. And, of course, always stay on top of security patches.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ei1KF9yXrfk/

Google extends Safe Browsing to Android Chrome

Google says that its Safe Browsing service already protects about 1 billion desktop users from all sorts of online nastiness, be it malware, unsavory software, or social engineering (particularly phishing) sites.

Make that 1 billion plus all its free-range users: Google last Monday (7 December) announced that it’s extending Safe Browsing inoculation to Chrome users on Android.

Google added unwanted software download warnings to its Safe Browsing warnings in August 2014 to give users a heads-up when software was doing something sneaky – like switching your homepage or other browser settings to ones you don’t want, piggybacking on another app’s installation, or collecting or transmitting private information without letting a user know, among other things.

Noé Lutz, Nathan Parker, and Stephan Somogyi, from Google’s Chrome and Safe Browsing teams, said on Google’s online security blog that the Android platform and Google’s Play Store have long had protection against potentially harmful apps.

(Mind you, that protection hasn’t always been foolproof: Nothing like a little Fake Flappy Birds sequel or fake anti-virus app to make that clear.)

At any rate, beyond Google’s attempts to protect Android and the Play Store from harmful apps, “not all dangers to mobile users come from apps,” as Google’s online security team members said.

Social engineering – phishing in particular – requires different protection, they said, and that requires Google to keep an up-to-date list of bad sites on the device to make sure the company can warn people before they browse into a trap.

Keeping that list from getting stale is one of many tricky things about protecting mobile users.

Beyond that complicating factor are the facts that…

  • mobile data costs money for most users,
  • mobile data speeds are slower than Wi-Fi in many places, and
  • connectivity quality can be spotty depending on where a user is.

Every one of those conditions means that “data size matters a lot,” Google said.

To protect precious network bandwidth and battery usage, Google says it thought hard about how to best protect mobile users.

That means factoring in location, for one thing. From the announcement:

Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they’re in.

Google has also paid attention to prioritizing the warnings and squashing them into bite-sized tidbits:

We send information about the riskiest sites first: if we can only get a very short update through, as is often the case on lower-speed networks in emerging economies, the update really has to count. We also worked with Google’s compression team to make the little data that we do send as small as possible.

Google says it also made the software “extra stingy with memory and processor use, and careful about minimizing network traffic.”

All of these details matter to us; we must not waste our users’ data plans, or a single moment of their battery life.

If you’re an Android user, you probably already have the new Safe Browsing mode. It’s part of Google Play Services, starting with version 8.1.

Chrome is the first app to use it, starting with version 46, and Google’s now protecting all Android Chrome users by default.

You can verify that it’s enabled by looking at the Privacy menu under Chrome settings.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cIIsDXpDmr4/

US State Dept. cyberstalker pleads guilty to sextortion

While he was tucked away in the US Embassy in London, a US State Department employee reached around the globe to torment hundreds of young women, running a sextortion scheme that involved email phishing, breaking into email accounts, and cyberstalking hundreds of victims in the US and abroad.

Now, he’s a former employee.

The US Department of Justice last week announced that Michael C. Ford, 36, of Atlanta, has pleaded guilty to nine counts of cyberstalking, seven counts of computer hacking to extort, and one count of wire fraud.

Ford admitted that between January 2013 and May 2015, he used aliases including “David Anderson” and “John Parsons” in a scheme to force victims to give him personal information and sexually explicit videos of others.

His preference was young females, some of whom were students at US colleges and universities, with a particular focus on members of sororities and aspiring models.

Ford, posing as a member of the fictitious “account deletion team” for a well-known email service provider, would send phishing emails to thousands of targets, warning them that their accounts were due to be deleted unless they gave him their passwords.

Using the phished passwords, he got into hundreds of email and social media accounts.

Then, he looked for sexually explicit photos.

Once he found them, he went looking for personal identifying information (PII) about his victims, including their home and work addresses, school and employment information, and names and contact information of family members, among other things.

With the stolen photos and PII, Ford commenced a cyberstalking campaign in which he demanded more sexually explicit material and personal information, emailing victims the photos he’d stolen and threatening to publish them if they didn’t give him what he demanded.

Specifically, Ford demanded that his victims record and send to him videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores.

If the women didn’t comply, threatened to report him to police or begged him to leave them alone, Ford would issue more threats.

For example, in one email, he wrote “don’t worry, it’s not like I know where you live.”

Then, he followed up with an email containing the victim’s home address and threatened to post her photos to an “escort/hooker website” along with her phone number and home address.

Next, Ford described the victim’s home to her, dropping in this threatening detail:

I like your red fire escape ladder, easy to climb.

He wasn’t bluffing. The DOJ says that Ford followed through with his threats on several occasions, sending explicit photos to his victims’ family and friends.

Before he was caught, he managed to send thousands of phishing emails to potential victims, successfully broke into at least 450 online accounts belonging to at least 200 victims, and forwarded to himself at least 1300 stolen emails containing thousands of sexually explicit photographs.

He sent threatening and sextortionate messages to at least 75 victims.

Ford was working at the London embassy throughout this reign of terror, and he did most of it from his work computer.

Did he think that his vicious crimes were cloaked in some way by that gig?

If so, he was as wrong as a three-dollar bill.

FBI Special Agent in Charge J. Britt Johnson:

The allegations contained in this federal indictment portray an individual consumed with sexually themed cyber-stalking and exploitation as well as an individual who felt he was beyond detection and grasp of authorities.

Ford’s sentencing hearing is scheduled for 16 February 2016.

US Attorney John A. Horn of the Northern District of Georgia said that this case underscores the need to safeguard personal information and passwords, especially in response to suspicious emails.

It also points to how vitally important it is to avoid password reuse.

Giving a predator like Ford the passwords he demands is bad enough, but giving him a password that also unlocks a Facebook, Instagram or other social media account gives him ever more access to PII, to friends and contacts, and to ever more personal photos.

So don’t give them the keys to the kingdom. Instead, use one, unique, strong password for each account.

Here are more tips for protecting ourselves:

How to avoid becoming a victim of sextortion

  • Carefully consider the people with whom you share explicit videos and pictures.
  • Watch out for messages from strangers via email or social networking sites. Never click on any links in such messages.
  • Cover your webcam – or any other internet-connected camera, be it on your phone, your tablet, or baby monitor – when you’re not using it. No need to get fancy: a sticky note will do fine.
  • Protect your devices with appropriate security software.
  • Keep all your software and applications up to date with the latest patches.
  • If you, or somebody you know, gets contacted by a sextortionist, immediately tell a parent, a trusted adult, or law enforcement.
  • Don’t give the cretins what they want. It will only make matters worse. The guy who extorted Miss Teen USA is a case in point: Jared James Abrahams told his victims he’d delete nude photos and videos if they did what he said, but he did nothing of the kind, even if his victims gave him what he wanted – which was, of course, more explicit material.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/39ZGFN2b4uI/

Advent tip #14: Beware of login links in emails!

You’ve heard of phishing.

It’s where crooks “fish” for personal details you wouldn’t give them if they asked outright – information such as date of birth, ID number, login name, password, bank account number, SSN, and so forth.

Most phishing happens by email, and the process is surprisingly simple and effective.

The crooks send you a lure, such as free stuff (like an iPhone), or a warning (like suspicious activity on your bank account), or a scare (like an invoice for an iTunes purchase you know you didn’t make).

The email’s goal is to get you to take action right away…

…and it handily provides a clickable link for the purpose, which takes you to a signup page (to register for the iPhone), or a login screen (for internet banking), or an account summary page (to contest the fraudulent purchase).

If the cybercriminals have done their homework, the web form that appears will look spot on, because the crooks usually rip off the layout, the logos and the JavaScript straight from your bank, or from iTunes, or wherever.

So you willingly, if imprudently, enter your personal details, your password, and so on, and click [Submit].

Only then do you find out that you just submitted the web form to a bunch of crooks instead of to the real site.

With a bit of care, you can usually spot a fake web page fairly easily, for example because the website name in the address bar will be wrong, or the web page will be unencrypted (no padlock), or simply because it “looks a bit dodgy.”

But here’s an even easier way to protect yourself: don’t click login links in emails in the first place!



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0KhGaBu75kI/