STE WILLIAMS

Downtime for Up.Time: time to patch some bugs

Popular sysadmin tool Up.Time from Idera software needs patching, with bugs exposing it to denial-of-service attacks and possible remote code execution.

The bugs in the server monitoring tool (now known as Uptime Infrastructure Monitor), outlined in an advisory from the Carnegie-Mellon CERT, cover three CVEs: CVE-2015-2894, CVE-2015-2895 and CVE-2015-2896.

The first of these is an uncontrolled format string, in Up.Time 6.0 and 7.2, allowing an attacker to crash the application by sending %n or %s as format strings.

The second is your old friend, the buffer overflow. On version 7.4, an unauthenticated attacker on the network can send commands with inputs bigger than 1024 bytes to crash the application.
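The two bug classes above, seen from the defender's side in an added example (this is not Up.Time's code, which the article does not show). The hypothetical handler `handle_command` rejects input that will not fit a 1024-byte buffer and passes network data only as an argument to a fixed format string; the `ping` command, status names and reply strings are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 1024 /* buffer size matching the 1024-byte figure in the article */

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG, CMD_INVALID, CMD_UNKNOWN };

/* Hypothetical handler for one command read from the network.
 * input is NOT assumed to be NUL-terminated; input_len is the byte count read. */
enum cmd_status handle_command(const char *input, size_t input_len,
                               char *reply, size_t reply_len)
{
    char cmd[CMD_MAX];
    size_t i;

    if (input == NULL || reply == NULL || reply_len == 0)
        return CMD_INVALID;
    reply[0] = '\0';

    /* Overflow class: check the length BEFORE copying, and keep one byte
     * for the terminator, so 1024 bytes or more is refused outright. */
    if (input_len >= sizeof(cmd))
        return CMD_TOO_LONG;

    /* Accept printable ASCII only; embedded NULs and control bytes are refused. */
    for (i = 0; i < input_len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c < 0x20 || c > 0x7e)
            return CMD_INVALID;
    }

    memcpy(cmd, input, input_len);
    cmd[input_len] = '\0';

    if (strcmp(cmd, "ping") == 0) {
        snprintf(reply, reply_len, "%s", "OK pong");
        return CMD_OK;
    }

    /* Format-string class: the vulnerable form would be
     *     snprintf(reply, reply_len, cmd);
     * which lets %s and %n in the input be interpreted as directives.
     * Here the input is data for a constant format, so it is echoed literally,
     * and snprintf truncates instead of writing past reply_len. */
    snprintf(reply, reply_len, "ERR unknown command: %s", cmd);
    return CMD_UNKNOWN;
}

int main(void)
{
    /* Constructed sample inputs */
    static char big[2000];
    char reply[128];
    const char *fmt = "%n%n%s%s";

    memset(big, 'A', sizeof(big));

    printf("%d %s\n", handle_command("ping", 4, reply, sizeof(reply)), reply);
    printf("%d %s\n", handle_command(fmt, strlen(fmt), reply, sizeof(reply)), reply);
    printf("%d\n", handle_command(big, sizeof(big), reply, sizeof(reply)));
    return 0;
}
```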

The third is an information exposure bug present on versions up to 7.6: an unauthenticated attacker can send commands to the port Up.Time is using. “These commands are not authenticated, and therefore the attacker can learn information such as the version of Up.time running, details about the underlying operating system running Up.time, details about other running processes on the system, and Windows operating system event log information.”

Idera says Version 7.6 fixes the first two bugs, and it’s working on a fix for CVE-2015-2896. In the meantime, the advisory provides mitigation instructions covering agents operating in read-only mode; setting passwords for agents to use custom scripts; encryption for agent communications; and managing connections to agents. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/09/downtime_for_uptime/

Known Security Flaw Found In More Antivirus Products

A vulnerability discovered earlier this year in AVG software also spotted in Intel McAfee, Kaspersky Lab AV products.

Turns out a vulnerability discovered earlier this year in antivirus software from AVG also was present in AV software products from Intel McAfee and Kaspersky Lab.

The security bug — which researchers at enSilo in March reported in AVG’s Internet Security 2015 build 5736 and virus database 8919 — centers around how the AV products in question allocate memory for read, write, and execute purposes.

The AV products use “predictable” addresses that in turn could allow malware to exploit vulnerable, out-of-date third-party Windows applications for nefarious purposes. That effectively bypasses the AV system and makes it easier for bad guys to exploit vulnerable browsers or Adobe Reader, for example, to hack a Windows machine. enSilo today disclosed that this fall, it found the flaw in Kaspersky Lab’s Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342 and McAfee’s Virus Scan Enterprise version 8.8, including in its Anti Malware + Add-on Modules, Scan Engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659, after building its own tool to test AV products for the flaw.

Both Kaspersky Lab and Intel McAfee have patched the flaw in their respective products — AVG fixed its bug just days after enSilo alerted the company — but enSilo says the vulnerability could well exist in other software such as data leak prevention and performance monitoring products.

The flaw can only be exploited in Windows XP, Vista, and 7 machines. “The problem exists in Windows 8, but Microsoft saves them from the vulnerability because the … address is randomized,” says Tomer Bitton, co-founder and vice president of research at enSilo.

Bitton says the critical bug basically converts AV into a tool for an attacker. enSilo today also released a free tool for companies and vendors to test whether their security products contain the bug.

“The problem is injection of code from the kernel to user mode,” Bitton says. Fixing the bug entails the AV vendors changing permissions in the memory space, he says, limiting it to read and eliminating the “write” capability.

“The attacker doesn’t need to bypass it [AV with this bug]. They have the address inside memory, and copying code inside the memory base in AV that it has allocated. It’s very easy” to exploit, he says.

Intel issued a patch for its products in August. “Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers’ claims and took action to develop and distribute a solution addressing it. This solution was distributed to customers in a patch on August 20, 2015,” an Intel McAfee spokesperson said in emailed comments.

Kaspersky Lab fixed the bug in September, and says the vulnerability can’t be exploited without the presence of a vulnerable third-party Windows application as well, such as a stack-based buffer overflow bug. “The allocation of Read/Write/Execute (RWX) memory by Kaspersky Lab solutions at predictable addresses could be used by exploits to facilitate ROP attack technique,” according to a Kaspersky Lab spokesperson in an email exchange. “The vulnerability couldn’t be exploited by itself with code execution and privilege escalation, but could have simplified the exploitation of third party application vulnerabilities, such as stack based buffer-overflow.”

So far, neither enSilo nor the other security firms have seen signs of the bug being exploited in the wild.

But enSilo points out that Google’s Tavis Ormandy in September was able to exploit a similar bug in Kaspersky’s software using the flaw enSilo uncovered.

“These types of vulnerabilities clearly demonstrate the problems in the security eco-system. On the one hand, Microsoft invests loads of resources in defenses, mitigations and enhancements to strengthen its system against compromise. On the other hand, there’ll always be some oversight in applications. Unfortunately, it’s precisely vulnerable third party applications which can lead to the compromise of these same defenses,” enSilo wrote in a blog post today.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/known-security-flaw-found-in-more-antivirus-products/d/d-id/1323480?_mc=RSS_DR_EDT

Facebook hoax alert! No, Mark Zuckerberg is not giving $4.5m to people like YOU and ME

OMG!!

Did you hear that new dad Mark Zuckerberg is giving away $45 billion of Facebook stock and that for some reason none of the news articles about it have mentioned the fact that 10% of it is being given to Jane and Joe Schmoes like you and me if we just copy and paste this message about it which has a smiley face that makes me feel all warm and fuzzy and trusting?


Can’t hurt just incase 
THANK YOU, MARK ZUCKERBERG, for your forward-thinking generosity! And congrats on becoming a dad!
Mark Zuckerberg has announced that he is giving away $45 billion of Facebook stock. What you may not have heard is that he plans to give 10% of it away to people like YOU and ME! All you have to do is copy and paste this message into a post IMMEDIATELY. At midnight PST, Facebook will search through the day’s posts and award 1000 people with $4.5 million EACH as a way of saying thank you for making Facebook such a powerful vehicle for connection and philanthropy.

I would so lunge to my Facebook account and share the shinola out of that sucker.

But given the fact that Angela the Terrifying Talking Cartoon cat turned out to be a hoax and that Bill Gates, sadly enough, never did give people $5000 for sharing his photo on Facebook, well, maybe we should run it through the hoax-o-meter before sharing willy-nilly.

We’ve given tips for avoiding Facebook hoaxes like this in the past.

Here are some clues that this one is bogus:

First, it might remind you of a hoax about Facebook donating money for a boy’s life-saving surgery after he got shot while saving his sister from a rapist…

… Money to be donated based on the number of times the message was shared, that is.

Seriously? As Naked Security noted about that 2013 hoax, it would be extraordinarily crass to base a decision to assist in saving a boy’s life on how many shares a post gets.

Likewise, while Priscilla Chan and her husband, Mark Zuckerberg, did in fact recently pledge to give away nearly all their $45 billion over the course of their lifetimes, nobody said anything about giving it away to random, click-happy strangers.

Rather, they’re interested in seeing the money go to “advancing human potential and promoting equality.” That includes fighting disease, improving education and “building strong communities.”

Another clue that points to the post being a hoax: the post doesn’t include a link to an official Facebook blog entry, nor does it link to a news story from a legitimate news outlet.

But as the person who wrote that post said, why NOT share it?

How many times have you, or your coworkers, friends, or family, echoed that post’s line about the lack of harm in sharing a post, even if common sense says it’s obviously a hoax?

Why wouldn’t you accept what could be a free lottery ticket with a $4.5 million payout?

“Can’t hurt!”, right? “Just in case!”, yes?

But it can hurt. Remember the boy who cried, “Wolf!” unnecessarily, until his fellow villagers simply wouldn’t believe him any more?

When a real wolf showed up, they ignored him.

We all need to remember, and remind our connections, about the importance of not spreading chain letters.

And please, do us all a favor: if people in your circle are sharing posts like this, you might want to suggest that they follow up by informing all of their friends that they were mistaken.

After all, even though hoax posts seem to be impervious to extinction, there’s always hope that our “BOGUS!!!” messages will go viral.

You can always share this article on Facebook, or tell your friends to join up to Naked Security’s Facebook page instead.

That’s not a hoax! That’s where hoaxes and chain letters like this one go to die! Insert smiley emoticon here!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Divj0Jv-ka0/

Kill Flash Now: 78 bugs patched in latest update

Adobe has released another update to address dozens of flaws in its Flash Player browser plug-in.

The December update fixes 78 CVE-classified security vulnerabilities in Flash Player for OS X, Windows, Linux, and Android. The patch includes 75 separate vulnerabilities that could be exploited by an attacker to remotely execute code on a vulnerable system.

In addition to the 75 remote code execution flaws, the update addresses three CVE-listed vulnerabilities that could allow for security bypasses. Adobe said it has not yet received any reports of the flaws being targeted in the wild.

Adobe is advising users running OS X and Windows to update their copy of Flash Player to version 20 or later, while Chrome, IE 11, and Microsoft Edge users will receive their updates through the browser. Adobe classifies the fix as a top priority for all Windows, OS X, and Linux browser versions.

Users running Adobe AIR and AIR SDK for Windows, OS X, Android, or iOS are also advised to update their software to address the vulnerabilities.

Many will point to this latest update as yet another reason for developers, users, and site operators to minimize or outright eliminate the use of Flash. With more-secure platforms such as HTML5 gaining adoption, alternatives to the bug-riddled Flash are only growing more attractive.

Researchers have found that even when the browser-facing components of Flash are disabled, code can be injected into other documents that launches and then exploits vulnerabilities, leaving an outright removal the only option.

Even Adobe is nudging customers away from Flash, renaming its most-recent version of Flash Tools “Animator” and encouraging a move over to HTML5. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/78_flash_bug_patches/

It’s nearly 2016, and Windows PCs are still being pwned by Word docs

Microsoft is closing out the year with a fix for 71 security vulnerabilities in Windows, Office, Internet Explorer, and Edge.

Among the patches are two vulnerabilities that are already being exploited in the wild for elevation of privilege and remote code execution.

The December Patch Tuesday load contains the following updates:

  • MS15-135 Addressing four flaws in the Windows kernel-mode drivers, one of which (CVE-2015-6175) is being targeted in the wild for an elevation of privilege exploit.
  • MS15-131 A fix for multiple flaws in Office, including the CVE-2015-6124 flaw currently being targeted in the wild for remote code execution. The update patches Microsoft Office 2007 and later, including Office 2011 for Mac.
  • MS15-128 A fix for three CVE-listed memory corruption flaws (CVE-2015-6106, CVE-2015-6107, CVE-2015-6108) in Windows that could be exploited by visiting a specially crafted webpage or document containing a corrupted font. All systems from Windows Vista through Windows 10 and Server 2008 through Server 2012 are vulnerable.
  • MS15-124 A cumulative Internet Explorer update addressing 30 security flaws including remote code execution, information disclosure, and elevation of privilege flaws in Internet Explorer versions 7 through 11 on Windows Vista through Windows 10.
  • MS15-125 A cumulative update for Microsoft Edge browsers on Windows 10 addressing a total of 16 CVE-listed flaws allowing for remote code execution, elevation of privilege, information disclosure, and security bypass.
  • MS15-126 Addresses an information disclosure flaw and a remote code execution vulnerability in Microsoft JScript and VBscript for Internet Explorer versions 7 through 11.
  • MS15-127 Addresses a use-after-free vulnerability in Windows DNS (CVE-2015-6125) that would allow remote code execution attacks on Windows Server 2008, Windows Server 2012, and Server Core installations.
  • MS15-129 An update for Silverlight to patch one CVE-listed flaw (CVE-2015-6166) allowing remote code execution and two (CVE-2015-6114, CVE-2015-6165) allowing for information disclosure in Silverlight for both Windows and OS X. No exploits reported.
  • MS15-130 Addresses one flaw (CVE-2015-6130) allowing remote code execution via a webpage with a corrupted font on Windows 7, Server 2008 R2, and Server Core.
  • MS15-132 Addressing three remote code execution vulnerabilities (CVE-2015-6128, CVE-2015-6132, CVE-2015-6133) that could be exploited by opening a malicious application in Windows. All versions from Vista through Windows 10 and Server through Server 2012 are vulnerable.
  • MS15-133 An elevation of privilege vulnerability (CVE-2015-6126) found in the Windows PGM protocol that could be exploited by running an application. All Windows builds Vista and later and Server 2008 and later are vulnerable.
  • MS15-134 One remote code execution (CVE-2015-6131) and one elevation of privilege flaw (CVE-2015-6127) in Windows Media Center for Windows Vista, Windows 7, and Windows 8/8.1.

The Microsoft update comes on the heels of a massive Flash update from Adobe. Together, the patches cover more than 150 CVE-listed security flaws. As such, users and administrators are being advised to update their systems as soon as possible. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/08/patch_tuesday_december2015/

Retailers Inadequately Secured Against Risks From Temporary Workers

Retailers recognize temps are higher-risk, but have lower visibility into their activity.

Retailers recognize that temporary staff on the store floor pose a greater security risk than permanent staff, but those same retailers may believe they are better secured against the risks than they are, according to a report released today by Osterman Research, commissioned by Bay Dynamics.

According to research from the Hay Group, turnover for part-time sales associates in retail averaged 66 percent in 2014. The latest figures from the Bureau of Labor Statistics show that in October alone, even leading into the holiday shopping season, there was a 4.4 percent “separation rate” in the retail labor force, including a 2.8 percent “quit rate.” This contributes to the fact that, as Osterman researchers explain, “employee loyalty is relatively low.”

Thirty-two percent of respondents to the report — which surveyed U.S. retailers with 2,000 or more employees — said that temporary employees are “high-risk,” while only 18 percent consider permanent employees high-risk. 

Yet, their visibility into temporary employees’ data access and behavior is worse than it is for permanent employees.

While 62 percent of survey respondents stated that they “know everything” permanent employees are doing on their corporate systems, only 50 percent said the same of temps. While 92 percent said they can identify what specific systems their permanent employees accessed, only 63 percent said the same of temps. While 14 percent said they are not sure if permanent employees accessed or sent data they should not have, 26 percent were similarly unsure about temporary staff.

Osterman researchers believe the real figures might be even worse than they think, because 61 percent also said that their temporary workers shared login credentials. (Twenty-one percent said permanent workers shared credentials.) From the report:

Since employees are using shared accounts as shown in Figure 1, the in-house IT and security teams do not have visibility into each individual’s behavior, either for permanent or temporary employees, and cannot determine what that individual is doing on their network (completely contradicting the response from the majority of survey respondents that said they know everything permanent and temporary employees are doing on their corporate systems).

… This highlights a critical problem in the retail industry: much of what employees do from a security perspective is “under the radar” and more or less invisible to IT and security management. For example, an employee with unique or shared login credentials to a point-of-sale (POS) system can process bogus voids, deletes or refunds, and a large proportion of organizations will not be able to determine that fraud has occurred. Similarly, employees can mistakenly click on a phishing link in a corporate email and thereby infect the entire corporate network, often unbeknownst to IT/security management.

The lion’s share of respondents believe they are being proactive at detecting data theft/leakage (86%), identifying data assets that must be protected (86%), controlling employee access to critical data assets (81%), and providing awareness training (71%). Only 39 percent of respondents conduct awareness training more than once a year.

As the report states, “digging deeper into the survey results, it becomes clear that retailers are resting on a false sense of confidence in their security programs and do not realize, or perhaps do not want to acknowledge, that there are significant holes. Consequently, retailers are elevating their risk of getting breached.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/risk/retailers-inadequately-secured-against-risks-from-temporary-workers-/d/d-id/1323469?_mc=RSS_DR_EDT

Alleged hit-and-run foiled after driver’s car calls the cops on her

“There was no accident,” Cathy Bernstein stressed to the emergency response dispatcher who had called her.

Her car begged to differ.

“Attention!” the automated call from the black Ford Escort’s vehicle emergency system had said after detecting a crash and calling emergency number 911.

“A crash has occurred in a Ford vehicle. Press 1 at any time for location information or press 0 to speak with vehicle occupants.”

A recording of the call obtained by local station WPBF features Bernstein, a 57-year-old from Port Lucie, Florida, telling the dispatcher (repeatedly) that there hadn’t been any accident and that no, she hadn’t been drinking.

Nor had she hit a guardrail, she said; another car had pulled out in front of her, but she had no idea why her car would call in a nonexistent accident.

The dispatcher was a bit skeptical.

From WPBF’s recording of the call:

Your car wouldn’t call us if someone pulled out in front of you, unless there had been an accident.

Although Bernstein initially denied it, there had, in fact, been two accidents.

The first was a hit-and-run on Monday afternoon last week (30 November).

The victim, Anna Preston, said she was struck from behind by a black vehicle that took off.

As the New York Daily News reports, after her car ratted her out, police went by Bernstein’s house to have a chat with her.

There, they saw the black Ford with a wrecked front-end, with silver paint from Preston’s car still on it.

Police say that when Bernstein allegedly slammed into Preston’s van, she’d actually been fleeing the scene of an earlier alleged hit and run 5 miles up the road: Bernstein had allegedly plowed into a truck and then kept right on rolling, the car’s airbag deployed and in her lap.

She initially told the cops that she’d hit a tree.

Bernstein finally admitted to the hit and runs.

The Ford that blew the whistle on her was what’s known as a connected car: one of many late-model cars equipped with internet access, and usually also with a wireless local area network (LAN).

Thanks to security researchers Charlie Miller and Chris Valasek, we already know that such cars are vulnerable to cyberattacks that can range from the annoying – say, an uncontrollably blasting horn – to the potentially lethal: slamming on a Prius’s brakes at high speeds, killing power steering with commands sent from a laptop, spoofing GPS, and tinkering with speedometer and odometer displays.

Car companies are looking for help with such issues, which have also included a recent finding that self-driving cars can be stopped with a laser pointer.

In fact, Canada’s defense research agency recently published a help-wanted ad looking for car hackers, and Uber went and hired Miller and Valasek.

But on the upside, internet-connected cars can automatically trigger calls to emergency responders, such as Bernstein’s Ford Escort did, even if a driver has been incapacitated by an accident.

Or by, say, a large airbag flopping around in their lap.

Ford, for example, offers an optional feature called 911 Assist that relies on Bluetooth pairing to connect a phone with an emergency line, even if the car driver can’t reach the necessary controls or, as the case may be, is in such a hurry to get to the next crash that he or she can’t take the time to call.

Bernstein was charged with a hit-and-run, and later released from St. Lucie County Jail.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rIi7uOuj4fs/

A search engine for the Internet of (insecure) Things

A few weeks ago, security researchers found that “lazy” makers of routers and Internet of Things (IoT) devices have been reusing a few hardcoded security keys, rather than giving each device a unique key, thereby leaving them susceptible to en masse hijacking.

How did researchers find the 4,000 vulnerable embedded devices in question?

It turns out that they used Censys: a new, little-known search engine that tracks all the devices hooked up to the internet.

Censys was released in October by researchers from the University of Michigan, who describe it as a “community effort” that’s similar to an open-source project.

Computer scientists at the University of Illinois Champaign Urbana are helping to run it, and Google’s providing the infrastructure that powers the free search engine.

Censys collects data on hosts and websites through daily scans of the IPv4 address space – the internet protocol that routes most internet traffic today, despite the ongoing deployment of a successor protocol, IPv6.

The search engine uses two companion tools: an open-source network scanner, known as ZMap, that probes every computer online in mere minutes, and the application layer scanner ZGrab.

Censys maintains a database of how hosts and websites are configured.

Researchers can query the data through a search interface, report builder, and SQL engine.

Zakir Durumeric, the University of Michigan researcher who leads the Censys project and who invented ZMap, told MIT Technology Review that the team’s trying to catalog everything on the internet – warts and all:

We’re trying to maintain a complete database of everything on the internet.

According to Durumeric, ZMap can determine not only what machines are online at any given moment, but also whether they have security flaws that should be fixed before they get exploited.

It can find not only obvious software bugs but also more subtle issues, such as those caused by an IT administrator failing to properly implement a cryptography standard.

Durumeric says that the things that people attach to the internet are “absolutely astounding”:

We have found everything from ATM machines and bank safes to industrial control systems for power plants. It’s kind of scary.

Astounding, but not surprising to those who’ve been reading about the Internet of Things spreading far and wide and bringing with it all sorts of security issues, including:

Beyond the router fiasco, Censys was also used by the researchers who found a major security problem with security certificates on Dell PCs that the company acknowledged a few weeks ago.

More details about Censys are available in the team’s research paper.

If you’d like to give the search engine a try, the developers have made this tutorial.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UE3Gj3I2sjU/

Suspected Silk Road architect Variety Jones arrested in Thailand

The US last week arrested the man suspected of being “Variety Jones”: the pseudonym of the architect behind the Silk Road drug marketplace.

The US Attorney’s Office on Friday put out a release announcing the unsealing of a complaint against Roger Thomas Clark that alleges he was the mentor to Ross Ulbricht, the mastermind behind Silk Road, also known as Dread Pirate Roberts or DPR.

Clark was arrested in Thailand on Wednesday and is awaiting extradition.

According to the attorney’s office, Ulbricht described Clark – who went by not only the “Variety Jones” handle but also “VJ,” “Cimon,” and “Plural of Mongoose” – as a trusted mentor who allegedly counseled him on improving and expanding Silk Road’s technical infrastructure.

That included:

  • Helping Ulbricht to hire and manage a computer programmer to assist with projects.
  • Helping Ulbricht to develop and enforce the rules governing how Silk Road vendors and users could do business on the site, which were designed to maximize the commissions that Ulbricht received from Silk Road sales.
  • Instructing him on how to conceal his involvement in, and hide his profits from, the operation of Silk Road, including helping Ulbricht devise cover stories to tell others and making plans to obtain foreign citizenship and offshore bank accounts.
  • Advising Ulbricht on tactics to thwart efforts by law enforcement to investigate Silk Road.
  • Advocating the use of intimidation and violence to keep members of the Silk Road support staff from cooperating with law enforcement. The Attorney’s Office described one such alleged conversation in which Clark and Ulbricht discussed “track[ing] down” a certain Silk Road employee to ensure that he had not gone “[o]ff the rails.” Clark’s alleged response: “[D]ude, we’re criminal drug dealers – what line shouldn’t we cross?”

That’s how the Attorney’s Office tells it.

Here’s how Ulbricht himself described Variety Jones, in a private journal found on the computer that was whisked out from under him before the Feds had even made the arrest at a San Francisco library in October 2013:

This was the biggest and strongest willed character I had met through the site thus far. He quickly proved to me that he had value by pointing out a major security hole in the site I was unaware of… He has advised me on many technical aspect of what we are doing, helped me speed up the site and squeeze more out of my current servers. He also has helped me better interact with the community around Silk Road, delivering proclamations, handling troublesome characters, running a sale, changing my name, devising rules, and on and on. He also helped me get my head straight regarding legal protection, cover stories, devising a will, finding a successor, and so on. He’s been a real mentor.

Clark is a 54-year-old Canadian citizen. He’s charged with narcotics and money laundering conspiracy.

His arrest follows close on the heels of Motherboard having in September published the results of an investigation by journalist Joseph Cox.

At the time, Cox reported that a source had fed Motherboard emails sent and received by one of two “crucial but lesser-known players”, both of whom were still at large at the time, who kept the multi-million dollar site running.

That player was Variety Jones.

Besides acting as a mentor, financial advisor and penetration tester, Variety Jones was also the one who apparently egged Ulbricht on with the first of 6 attempted murders-for-hire.

Those attempts aren’t known to have resulted in victims: in fact, one of the “hitmen” hired by Ulbricht turned out to be an undercover agent.

According to the emails and to chat logs found on Ulbricht’s computer, Silk Road had ambition to spare: before the site was taken down, projects being worked on included an encrypted email service – “Silk Mail” – and a Bitcoin exchange.

In fact, the end goal was to set up an ecosystem as replete with products and services as Google.

DPR wrote about it in the email exchanges:

A big part of the value of this project will not be in direct revenues, but in brand recognition.

Google makes the vast majority of its revenues from ppc ads, but still maintains world-class free email for everyone because it brings them into their ecosystem. Silk Mail will hopefully do the same for Silk Road, which will likely continue to be our primary revenue source.

DPR wrote that his team could “throw $20k/month at this,” suggesting something more ambitious still: “Silk Phone anyone???”

That’s the vision that Variety Jones helped him to see, Ulbricht wrote:

A brand that people can come to trust and rally behind. Silk Road chat, Silk Road exchange, Silk Road credit union, Silk Road market, Silk Road everything! And it’s been amazing just talking to a guy who is so intelligent and in the same boat as me, to a certain degree at least.

According to the Attorney’s Office, Clark received “at least hundreds of thousands of dollars for his assistance in operating Silk Road.”

FBI Assistant Director Diego Rodriguez said in the release that Clark’s arrest shows that neither Tor nor Thailand will keep criminals away from the long arm of the law:

The arrest of Roger Thomas Clark shows again that conducting criminal activities on the Dark Web does not keep a criminal out of law enforcement’s reach. As alleged, Clark was paid at least hundreds of thousands of dollars to act as a counselor to Ross Ulbricht’s black-market bazaar, Silk Road. Clark may have thought residing in Thailand would keep him out of reach of U.S authorities, but our international partnerships have proven him wrong.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jDPK8GNuqos/

Advent tip #8: (Don’t) click here for a free iPhone!

Would you like free tickets to a One Direction concert? How about a free iPhone?

If you’re not interested in those, how about some free cash? Apparently, Bill Gates is giving $5000 away!

Except he isn’t, and these are all scams.

Time and time again we see scammers using implausible promises of free stuff to lure in people.

Perhaps they want you to spam your Facebook friends by sharing something, maybe they want to take you to a phishing page, or perhaps their goal is to get you to inadvertently download malware. Whatever the reason, it’s not worth taking the risk.

If something looks too good to be true, it probably is. So do yourself and your friends a favour and avoid sharing!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fj5Yz3keZ5s/