STE WILLIAMS

One Bitcoin or lose your data, hacked Linux sysadmins told

Linux sysadmins are being specifically targeted by hackers demanding one Bitcoin to gain access to their own data.

Usually, it’s Windows systems that get hit by ransomware, but a new strain targets Linux systems to extort cash.

“Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed,” said Russian antivirus firm Dr Web in an advisory.

Dubbed Linux.Encoder.1, the software sorts through files on a target system and encrypts all files in the home, root, MySQL, Apache, and Nginx directories using 128-bit AES.

It then goes through the rest of the system data and encrypts the contents of directories with the following strings in their names: public_html, www, webapp, backup, .git, and .svn. For each directory, the trojan writes the file README_FOR_DECRYPT.txt to disk, which carries the attacker’s demands.

“To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay one Bitcoin(s) (~420 USD),” the message reads. “Without this key, you will never be able to get your original files back.”
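As an added example (not code from Dr Web's advisory), here is a Python check a sysadmin could run over a snapshot of a web host to spot the two artefacts the article describes: the README_FOR_DECRYPT.txt note and uniformly high-entropy files sitting in the directories the trojan targets. The root paths, the in-memory snapshot format and the entropy threshold are my assumptions.

```python
import math
import posixpath
from collections import Counter

# Directory-name substrings the advisory says Linux.Encoder.1 encrypts, plus the
# top-level locations it hits first. The concrete root paths are an assumption
# about where those directories live on a typical Debian/Ubuntu web host.
TARGET_DIR_STRINGS = ("public_html", "www", "webapp", "backup", ".git", ".svn")
TARGET_ROOTS = ("/home", "/root", "/var/lib/mysql", "/var/www", "/etc/apache2", "/etc/nginx")
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
RANSOM_PHRASE = "To obtain the private key"   # opening words of the note quoted above
ENTROPY_THRESHOLD = 7.5                       # bits per byte; AES output sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed data is close to 8.0;
    source code, HTML and SQL dumps are usually well under 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_watched_dir(directory: str) -> bool:
    """True if the directory is one the trojan is reported to target."""
    if any(directory == r or directory.startswith(r + "/") for r in TARGET_ROOTS):
        return True
    return any(s in part for part in directory.split("/") for s in TARGET_DIR_STRINGS)


def scan_tree(files: dict) -> dict:
    """files maps absolute path -> content bytes (an in-memory snapshot, so the
    check runs offline). Returns ransom-note locations and high-entropy files
    found inside watched directories."""
    notes = []
    suspects = []
    for path, content in sorted(files.items()):
        directory, name = posixpath.split(path)
        if name == RANSOM_NOTE:
            text = content.decode("utf-8", errors="replace")
            notes.append({"dir": directory, "phrase_matched": RANSOM_PHRASE in text})
            continue
        if is_watched_dir(directory):
            ent = shannon_entropy(content)
            # tiny files give noisy entropy figures, so require a minimum size
            if ent >= ENTROPY_THRESHOLD and len(content) >= 512:
                suspects.append({"path": path, "entropy": round(ent, 2)})
    return {"ransom_notes": notes, "suspect_files": suspects}


# Constructed sample snapshot: one encrypted-looking file and a ransom note in a
# web root, an untouched text file, and a high-entropy file outside watched dirs.
ENCRYPTED_LIKE = bytes(range(256)) * 16       # uniform bytes, entropy exactly 8.0
SAMPLE_TREE = {
    "/var/www/public_html/index.php": ENCRYPTED_LIKE,
    "/var/www/public_html/README_FOR_DECRYPT.txt":
        b"To obtain the private key and php script for this computer ...",
    "/home/alice/notes.txt": b"meeting at 10, bring the quarterly report\n" * 20,
    "/opt/vendor/blob.bin": ENCRYPTED_LIKE,    # the watched-dir filter should skip this
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_tree(SAMPLE_TREE), indent=2))
```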

The actual value of a Bitcoin is currently around $380 (it was $420 early last week) but that’s unlikely to be much consolation to afflicted users who may have little choice other than to pay up if they haven’t backed up their data. If they have, it still means the system needs to be wiped and everything re-installed.

The new malware has its weaknesses – it requires admin level access to run – but Dr Web warns that the code is spreading at the moment using a critical flaw in the CMS Magento. A patch was released for this on October 31, but with just over a week gone, many systems may still have the flaw that would allow Linux.Encoder.1 room to operate. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/ransomware_targeting_linux_charging_bitcoin/

Oz insurer offers Basis breathing-bangle-for-your-data swap

An Australian insurance company has jumped on the fitness-tracker bandwagon, and is going to give away Intel Basis walk-snitches to anyone who wants a discount for populating its databases.

It’s probably a handy fillip for Intel, which bought Basis Science last year in a bid to create a presence in the wearables market. So far, it hasn’t managed to rise out of the ocean of “other” vendors in IDC’s data on the wearables market.

Chipzilla’s fitness and sleep tracker will be tested on 1,500 MLC Insurance customers, according to the Sydney Morning Herald.

The data will be sent upstream to US startup Big Cloud Analytics to get a sprinkling of fairy dust and SQL queries, so MLC can see whether users’ health has improved over 90 to 160 days wearing the trackers. Those whose health improves will get an offer of health insurance discounts.

Intel Basis can connect to iOS and Android apps (what could possibly go wrong?), and so far has escaped the kind of hacker attention given to more established wrist-jobs like Fitbit.

Electronic Frontiers Australia told The Australian there’s not much of a gap between offering something for free and making it compulsory.

Vulture South is just as interested in the security and privacy angles. History suggests wearables and smartphones in combination offer plenty of attack vectors, and it’s probably only Intel’s trivial presence in the market that has protected Basis from the attentions of black, grey and white hats.

The move will doubtless also spark a political debate in Australia. Its health insurance system is based on a concept called “community rating”, with premiums aggregated over large numbers of people. This is partly designed to make sure that everybody can afford private health insurance, as part of a system that imperfectly tries to ensure universal access to doctors and hospitals. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/oz_insurer_offers_basis_breathing_bangle_for_your_data_swap/

6 Critical SAP HANA Vulns Can’t Be Fixed With Patches

Onapsis releases 21 SAP HANA security advisories, including some Trexnet vulnerabilities that require upgrades and reconfigurations.

Researchers at Onapsis today released an unprecedented 21 security advisories for all SAP HANA-based applications, including eight critical vulnerabilities, six of which cannot be fixed by simple patches.

Collectively, the critical vulnerabilities can be exploited remotely and enable attackers to execute code, move files, delete data, completely compromise the system, access and manage business-relevant data and processes, and render all SAP systems unavailable.

SAP HANA is the in-memory processing technology that powers some of the biggest big-data analytics projects, as well as SAP’s other business products, including customer relationship management (CRM), enterprise resource planning (ERP), and product lifecycle management (PLM) systems.

Onapsis CTO Juan Pablo Perez-Etchegoyen says most enterprises are “not just running one SAP product. Typically, they’re running the whole suite. … What happens if one of these systems goes down, when you have so many processes going to this system?”

The impact of an SAP outage or compromise will vary by company and by what SAP applications they use, says Etchegoyen, but one Onapsis customer told him last year that a SAP outage could cost its company $22 million per minute.

Six of the critical vulnerabilities of gravest concern are due to a configuration problem, and therefore cannot be fixed just by patching, he says. They affect the TREXnet protocol, used by the HANA Database’s TREX servers — NameServer, Preprocessor, IndexServer, StatisticsServer, WebDispatcher, XSEngine, or CompileServer — to communicate with one another. If the TREXnet communication is not secured with authentication, attackers can exploit a variety of vulnerabilities by sending specially crafted packets to these TREX server ports. Those vulnerabilities are:

  • Trexnet remote file write — override relevant info and render system unavailable due to corrupted data
  • Trexnet remote directory deletion — delete info and render system unavailable
  • Trexnet remote file deletion — delete data, affect integrity, and potentially render system unavailable
  • Trexnet file move — relocate info stored in system so it’s easy to access; it could also potentially render the system unavailable due to a non-integral file system
  • Trexnet remote command execution — completely compromise the system and would be able to access and manage any business-relevant information or processes, execute commands with admin privileges
  • Trexnet remote Python execution — completely compromise the system and would be able to access and manage any business-relevant information or processes; executing arbitrary Python modules in SAP HANA with admin privileges

To close those holes, users need to upgrade to the latest version of the software and reconfigure their settings to enable strong authentication and encryption measures on TREXnet.

There are another two critical vulnerabilities in the HANA Database due to incorrect calculation of buffer size:

  • HTTP remote code execution. By sending specially crafted HTTP packets to SAP HANA XSServer, a remote, unauthenticated attacker could completely compromise the system, access and manage business-relevant information and processes. This could be achieved remotely and potentially through the Internet, affecting on-premise and cloud-based HANA solutions.
  • SQL remote code execution. By sending specially crafted packets to SQL interfaces, attackers could compromise the platform, executing arbitrary code or performing a denial of service attack, completely compromise system, access and manage business-relevant information and processes.

In addition to the critical ones, Onapsis’ release also contains six high-severity and seven medium-severity vulnerabilities.

Exacerbating the problem is the fact that while many of a business’s core processes run on SAP systems, information security teams have very little visibility into these systems and how they’re secured, according to Etchegoyen.

“We still have these two teams separated,” says Etchegoyen. “That’s something we’re trying to evangelize. They need to have more communication between those two teams.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/vulnerabilities---threats/6-critical-sap-hana-vulns-cant-be-fixed-with-patches/d/d-id/1323060?_mc=RSS_DR_EDT

Cybersecurity Skills Gap: Too Good To Be True For Job Seekers?

New track at Black Hat Europe explores the special challenges of managing an information security career for both job hunters and job hirers.

The vaunted security skills gap may seem like a slam dunk for experienced and credentialed security professionals seeking to advance their career. But, as my father often said, “If it seems too good to be true, it probably is.” Yes, the security market is a hot one. But whether you are an employer or a job seeker, finding the right fit for the right job comes with its own set of special challenges.

At Black Hat Europe this week, Dark Reading will be hosting two panel discussions we hope will shed new light on the current employment environment in IT security: including what the attitudes of both security professionals and those who hire them are, how security pros are approaching today’s job market, and what skills and qualifications are most in demand.

We kick off the discussion Friday morning with Richard Nealon, board member of the International Information System Security Certification Consortium. Nealon will discuss the (ISC)2 Global Information Security Workforce Study (GISWS), which surveys security professionals on career plans and attitudes.

Following Nealon, Dark Reading editors Tim Wilson and Marilyn Cohodas will present results of the 2015 Black Hat Attendee Survey of 460 infosec professionals and the Dark Reading/Information Week Strategic Security Survey. The two studies examine enterprise security department buying and budgeting strategies, as well as technologies and tactics for handling breaches and incident response.

Later in the day, the focus will shift to the job-seeker, with Accenture Managing Director Floris Van Den Dool and cybersecurity recruiter Owanate Bestman from Barclay Simpson headlining a 45-minute panel on Advancing Your Career As A Security Pro and question-and-answer period with the audience. Key topics include: how to get more training and experience; how to increase your salary potential; how to job hunt; strategies for working within your existing organization to improve your standing; and improving leadership skills.

Coming soon: more, better infosec career advice

In recognition of the growing skills gap and the need for in-depth career advice targeted to a broad-based security audience, from beginner to CISO, Dark Reading will soon be introducing a career trends newsletter as a companion to our Security Jobs Board launched in August at Black Hat USA. The newsletter and the related content available in our “Careers and People” section will offer news and information on issues such as training, certification, staffing, hiring trends, salaries, and job hunting.

The Jobs Board enables hiring companies — including government, commercial companies, and security vendors — to post positions for hire directly to one of the Web’s largest audiences of security professionals: Dark Reading readers. And readers can respond directly to those employers in a safe, private online environment, enabling them to find out about the many job openings in the industry.

Look for expanded news coverage and commentary from recruiting and hiring experts who work with security staffing issues every day, along with the inside view of security executives and operations managers about industry trends in how security teams use technology and collaborate and communicate with each other, business partners, customers, and users.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands, November 12-13, 2015. See the conference site for more information on the career trends program.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: http://www.darkreading.com/operations/cybersecurity-skills-gap-too-good-to-be-true-for-job-seekers--/a/d-id/1323069?_mc=RSS_DR_EDT

What smartphone should James Bond use?

Daniel Craig. Image courtesy of Carrie-Nelson/Shutterstock.

The unflappable and suave James Bond is known for impeccable taste in clothes, cars and cocktails.

The Bond brand has been attractive to luxury goods companies including car makers Aston Martin and Jaguar, which produced special editions for the latest film in the franchise, “Spectre.”

Sony even made a Bond Edition smartphone, the Xperia Z5, complete with 007 themed packaging.

Bond has used Sony smartphones in previous films: Bond used a Sony Ericsson in at least three Bond films, including “Casino Royale” and “Quantum of Solace,” according to one James Bond fan site.

This got us thinking: what kind of smartphone should Bond use, not just for style but for security as well?

For the cool factor, he could do worse than an iPhone 6s; or maybe he should have an 18 karat gold-case Apple Watch (starting at $10,000).

As an MI6 agent, however, shouldn’t Bond try to be less conspicuous, and put a premium on security over style?

In that case, an iPhone 6s is again a good choice, but as we’ve learned recently, Apple’s iOS is not bulletproof.

In fact, the exploit brokering firm Zerodium says it paid out $1 million for an iOS 9 zero-day, one that a rival spy could maybe use against Bond to get malware on his device that could track his location or perhaps listen to his calls, read his texts and dig through his files.

Android is definitely vulnerable to this kind of spyware, too.

If Bond had one of Google’s Nexus phones, he’d at least be getting all the latest Android security patches within weeks and not months or years.

Most Android users are at the mercy of device manufacturers and carriers to give them security updates, and one study found that 87% of all Android devices have at least one critical security bug an attacker could exploit.

On the other hand, some of the most secure smartphones (ones that are marketed as such, anyway), are built using custom versions of Android.

The so-called Blackphone uses a “fortified Android operating system,” and proprietary apps “designed to provide you with absolute privacy,” according to manufacturer Silent Circle.

Of course, even the Blackphone isn’t totally immune to security bugs, so maybe Bond should consider the latest BlackBerry, the PRIV, which is also built on Android.

What do you think readers – what kind of smartphone should Bond use? Perhaps he should just go back to basics and get a regular, non-smartphone? Let us know in our poll!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p0k12hKr1z0/

Leaky mobile phones are ‘betraying’ us


Mobile apps are regularly leaking information to third parties, according to research from the Massachusetts Institute of Technology (MIT), Harvard, and Carnegie-Mellon.

The researchers tested 110 popular, free apps – half of them Android and half iOS – to find out which ones share personal, behavioral, and location data with third-party websites.

Make that very popular indeed: they looked at the top five most popular apps from the Google Play Store in the categories of Business, Games, Health & Fitness, and Travel & Local. Same thing for Apple’s App Store, where they tested the top five from Business, Games, Health & Fitness, and Navigation.

The list included mobile app staples such as Candy Crush, Facebook, Facebook Messenger, Facebook Pages, Skype, Fitbit, Amazon, eBay, Groupon, Instagram, Pinterest, Snapchat, MapQuest, Google Maps, YouTube and Yelp.

The researchers recorded the HTTP and HTTPS traffic that occurred while using the apps, keeping an eye out for transmissions that included personally identifiable information (PII), behavioral data such as search terms, and location data.

The researchers found that Android users in particular are getting drained, though Apple users’ devices aren’t exactly what you’d call hermetically sealed.

As they detail in their study – Who Knows What About Me? – 73% of Android apps shared personal information such as email address with third parties, and 47% of iOS apps shared geo-coordinates and other location data with third parties.

They also found that almost all – 51 out of 55 – of Android apps connect to a mysterious domain, safemovedm.com, the purpose of which they couldn’t figure out but is “likely due to a background process of the Android phone.”

Google isn’t saying what the site is or why the Android OS would connect to it.

The researchers’ thoughts:

The purpose of this domain connection is unclear at this time; however, its ubiquity is curious. When we used the phone without running any app, connections to this domain continued.

It may be a background connection being made by the Android operating system; thus we excluded it from the tables and figures in order to avoid mis-attributing this connection to the apps we tested. The relative emptiness of the information flows sent to safemovedm.com indicates the possibility of communication via other ports outside of HTTP not captured by mitmproxy.

The researchers also found that a significant proportion of apps share data from user inputs – such as personal information or search terms – with third parties, without Android or iOS requiring a notification to the user.

More results:

  • The average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.
  • Android apps are more likely than iOS apps to share PII with a third party, such as name (73% of Android apps vs. 16% of iOS apps) and email address (73% vs. 16%).
  • More iOS apps (47%) than Android apps (33%) share location data.
  • 10% of Medical and Health & Fitness apps share medically related search terms and user inputs.
  • The third-party domains that receive sensitive data from the most apps are Google.com (36% of apps), Googleapis.com (18%), Apple.com (17%), and Facebook.com (14%).
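To make the counting behind those figures concrete, here is an added Python example (my code, not the researchers’) that runs the same kind of analysis over a handful of constructed proxy capture records: it separates first-party from third-party domains, tags each third-party request with the kind of sensitive data it carries (email address, location, search term), and produces the per-app averages and percentages the study reports. The app names, domains and capture format are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed capture records in the flattened shape a proxy such as mitmproxy
# gives you: (app, method, url, body). None of these are from the study.
CAPTURE = [
    ("fitapp",  "POST", "https://api.fitapp.example/login", "email=alice%40example.org&pw=secret"),
    ("fitapp",  "GET",  "https://ads.tracker.example/p?uid=42&email=alice%40example.org", ""),
    ("fitapp",  "POST", "https://metrics.tracker.example/loc", "lat=42.3601&lon=-71.0589"),
    ("fitapp",  "GET",  "https://api.socialnet.example/share?email=alice%40example.org", ""),
    ("fitapp",  "GET",  "https://cdn.fitapp.example/logo.png", ""),
    ("mapsapp", "GET",  "https://tiles.mapsapp.example/t/1/2/3", ""),
    ("mapsapp", "GET",  "https://analytics.example/hit?q=clinic+near+me", ""),
    ("mapsapp", "GET",  "https://analytics.example/beacon?ll=42.36,-71.06", ""),
]
# Each app's own backend domain; anything else is counted as a third party.
FIRST_PARTY = {"fitapp": "fitapp.example", "mapsapp": "mapsapp.example"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
LL_RE = re.compile(r"-?\d+\.\d+,-?\d+\.\d+")        # "lat,lon" packed into one value
SEARCH_KEYS = {"q", "query", "search"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for the constructed sample; a
    real tool would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def classify(params: dict) -> set:
    """Which kinds of sensitive data a request's parameters carry."""
    kinds = set()
    if any(EMAIL_RE.fullmatch(v) for v in params.values()):
        kinds.add("email")
    keys = set(params)
    if ({"lat", "latitude"} & keys and {"lon", "lng", "longitude"} & keys) \
            or LL_RE.fullmatch(params.get("ll", "")):
        kinds.add("location")
    if SEARCH_KEYS & keys:
        kinds.add("search_term")
    return kinds


def analyse(capture: list) -> dict:
    """Per app: the third-party registered domains it talks to and which kinds
    of sensitive data went to each of them."""
    report = {app: {"third_party_domains": set(), "leaked": {}} for app, *_ in capture}
    for app, method, url, body in capture:
        parts = urlsplit(url)
        dom = registered_domain(parts.hostname or "")
        if dom == FIRST_PARTY.get(app):
            continue                    # the app's own backend is not a third party
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params.update(parse_qsl(body, keep_blank_values=True))
        rec = report[app]
        rec["third_party_domains"].add(dom)
        for kind in classify(params):
            rec["leaked"].setdefault(kind, set()).add(dom)
    for rec in report.values():         # freeze to sorted lists for stable output
        rec["third_party_domains"] = sorted(rec["third_party_domains"])
        rec["leaked"] = {k: sorted(v) for k, v in sorted(rec["leaked"].items())}
    return report


def summary(report: dict) -> dict:
    """The study's headline numbers: mean third-party domains per app and the
    fraction of apps sharing each data kind with at least one third party."""
    n = len(report)
    avg = sum(len(r["third_party_domains"]) for r in report.values()) / n
    share = {k: sum(1 for r in report.values() if k in r["leaked"]) / n
             for k in ("email", "location", "search_term")}
    return {"avg_third_party_domains": round(avg, 2), "share_of_apps_leaking": share}


if __name__ == "__main__":
    rep = analyse(CAPTURE)
    for app, rec in rep.items():
        print(app, rec)
    print(summary(rep))
```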

Christopher Weatherhead, a technologist at Privacy International, told the BBC that the report “highlights the many ways that the devices we use can betray us”:

The analysis in the paper suggests that a large proportion of apps tested share sensitive information like location, names and email addresses with third parties with minimal consent.

Data shared without the knowledge or consent of mobile phone users could further fatten the already huge store of web browsing history collection proposed in the new UK draft legislation for data retention, he said:

With the recently announced draft Investigatory Powers Bill, many of these connections to third-party websites would be retained as internet connection records.

So, even if you have never visited these websites, they would be indistinguishable from your actual web-browsing activity.

This would allow the security services to make assumptions about browsing habits which are not correct.

Why should we care?

The researchers listed a host of reasons why users should care about their PII being shared without notification – reasons that Naked Security often offers up.

From the paper:

An app may share a unique [ID] related to a device such as a System ID, SIM card ID, IMEI, MEID, MAC address, UDID, etc. The ID can be used to track an individual. Second, an app can request user permission to access device functions and potentially personal or sensitive data, with the most popular requests being access to network communications, storage, phone calls, location, hardware controls, system tools, contact lists, and photos/videos.

Some apps practice over-privileging, where the app requests permissions to access more data and device functions than it needs for advertising and data collection. Third, any data collected by the app may be sent to a third party, such as an advertiser. Fourth, a user may have a hard time understanding permission screens and other privacy tools in a device’s operating system.

How do we thwart the data vampires?

For one thing, app stores and future mobile operating systems should follow the example of apps meant for use by children, the researchers suggested.

For example, in the US, the federal Children’s Online Privacy Protection Act (COPPA) is designed to control the amount of geolocation data, photos, videos, audio recordings, and persistent identifiers collected and shared by apps without parental consent.

As far as individuals go, there are tools to protect user privacy that work by sending false data to satisfy permission requests from apps: three examples are MockDroid, TISSA, and AppFence.

The researchers suggest that such tools might be modified to send fake user data inputs as well when the recipient is a third-party domain, though that may compromise an app’s ability to target advertising or offer other functions that depend on accurate user data.

Image of data flowing from mobile phone courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gCmN9OYbrK0/

Man charged for bogus tweets that sent stocks plummeting


A Scottish citizen was indicted on Thursday by a federal grand jury in San Francisco for allegedly using Twitter to spread disinformation, causing the stock prices of two companies to plummet.

The Department of Justice (DOJ) said that James Alan Craig, 62, of Dunragit, Scotland, allegedly set up Twitter accounts using names similar to real market research firms so as to manipulate stock prices.

Then, he allegedly tweeted about fictitious investigations into the two companies.

The publicly traded securities of the two companies – Audience, a Bay Area sound technology company, and Sarepta, a biopharmaceutical firm based in Washington – went into a tailspin.

According to the indictment, Craig bought up securities of the targeted companies through his girlfriend’s brokerage account and later sold them for a profit.

Craig’s actions are alleged to have cost shareholders more than $1.6 million (about £1.06 million) in losses.

The indictment says that on 25 January 2013, Craig set up a Twitter account with the handle @Mudd1Waters – a handle that suggested affiliation with the market research firm Muddy Waters Research.

He also allegedly used the firm’s logo as the Twitter account’s profile picture. On top of that, his display name, “Shun Ho”, is a name associated with Muddy Waters’ founder.

Four days later, Craig allegedly used the @Mudd1Waters account to push out a bundle of bogus tweets about Audience, including that the company was being investigated by the DOJ in connection with rumored fraud charges.

Audience’s share price fell significantly on the NASDAQ stock exchange. Trading was halted before the fraud was revealed and the company’s stock price recovered.

On that same day, Craig used his girlfriend’s TradeMonster account to purchase 300 shares of Audience stock.

He then, allegedly, did it again the following day, buying another 100 shares.

Next, he sold all 400 securities, making an unspecified profit.

Then, on 30 January 2013, Craig allegedly did the very same thing to Sarepta.

Using another account crafted to look like it belonged to securities research firm Citron Research, with the real firm’s logo and the lookalike handle @citreonresearc, Craig allegedly sent tweets about a drug in clinical trials being “tainted” and that the Food and Drug Administration (FDA) was stepping in to investigate Sarepta.

Sarepta’s share price dropped 16% before recovering when the fraud was exposed.

The SEC said that Craig’s effort to profit from the big price swings proved “largely unsuccessful”.

Both Muddy Waters and Citron disavowed any connection with the suspect tweets.

A Securities and Exchange Commission (SEC) complaint charges that Craig committed securities fraud.

The DOJ also charged Craig with a separate, single count of securities fraud.

Image of stressed man and falling stocks courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nVmP_M9PzUg/

Apple’s XcodeGhost malware still in the machine…

It’s about six weeks since we first wrote about XcodeGhost.

That’s the Apple Mac malware that was specially created by crooks in China to create iOS malware.

You read that correctly.

Just as the infamous Stuxnet virus tried to infect PCs with the ultimate goal (allegedly) of indirectly infecting uranium centrifuge controllers, so XcodeGhost aims sneakily and indirectly for the App Store.

XcodeGhost was pretty successful, with many infected apps getting past Apple’s approval process.

Memories of Induc

The same sort of “infected toolkit” problem hit the Windows world back in 2009, when the Induc virus was found.

Induc targeted software developers who used the Delphi programming system.

The virus deliberately infected their Delphi installations, so that every Delphi program they compiled thereafter…

…contained a copy of Induc.

Fortunately, all Induc did was to spread – it didn’t steal data or try to phish passwords along the way.

But Delphi was widely used in IT departments around the world, because it was a slick and convenient tool for putting a modern-looking user interface in front of legacy back-end business software.

So Induc turned up in lots of official corporate software, often to the surprise (and occasionally the disbelieving denial) of the companies concerned.

Amusingly, if malware writing can ever be funny, numerous malware samples turned up with Induc infections, too.

That’s because Delphi was also popular in the cybercriminal community at the time, especially amongst the creators of password-stealing programs targeting online banking.

Enter XcodeGhost

XcodeGhost does something similar, though it isn’t strictly a virus.

It doesn’t spread by itself, but instead relies on the developer community to do the spreading on its behalf, typically following this sequence:

  • Chinese cybercriminals produce a cooked remix of Apple’s Xcode development toolkit, a multi-gigabyte download that you usually get from the App Store. Xcode is free, so a pirated version sounds pointless, but the theory seems to be that the cooked versions are available locally from Chinese servers and are therefore promoted as faster and easier to download.
  • The cooked version is, in fact, downright crooked, because the hackers mix in some “secret sauce” with their locally-sourced download.
  • The Trojanised Xcode version indirectly infects iOS apps when they are compiled.
  • The resulting infected iOS apps contain malware, buried in parts that look like Apple-supplied components.

Apple initially let many of these apps through App Store validation and into the App Store, presumably because the parts compiled from the vendor’s own source code were fine.

When the news first broke, Apple responded quickly, removing afflicted apps from the App Store, and vocally telling its developer community how to get a “real deal” version of Xcode downloaded and installed.

Not necessarily enough

But just refreshing your Xcode installation (from a non-dodgy source, of course!) and validating its digital signature isn’t necessarily enough.

Your build process may very well include third-party components, such as programming libraries or sub-programs, downloaded from other suppliers.

And if any of your suppliers has an XcodeGhost problem, then the code they compiled and shipped to you might have XcodeGhost buried in it.

Indeed, even if they had XcodeGhost but have now fixed their own infection problems, until they recompile their products and you download the new versions, you might still be building XcodeGhost infections into your own iOS apps.

The Possible Mobile story

That’s what happened to mobile development house Possible Mobile.

The company openly admits that its core motto is SHIP IT, but recently reported that it was having trouble living up to that promise.

It submitted an app to the App Store, only to have it bounce back almost immediately with a rather unhelpful message from Apple:

Invalid Executable – The app in [REDACTED].app has been built with an unsupported version of Xcode. Make sure Gatekeeper is enabled, download the latest version of Xcode from developer.apple.com, rebuild the app, and submit it again.

But the executable was valid in the technical sense of being well-formed and able to run, and the company’s own source code in the app had been built with the latest version of Xcode.

And, as you can imagine, following Apple’s advice didn’t solve the problem, thanks to components in the app that weren’t built from source, but compiled in from infected third party libraries.

What to do?

  • Don’t blindly trust third party libraries. After a scare like XcodeGhost, you need to review your supply chain, as well as your own development tools.
  • Consider using an OS X anti-virus. Many Mac users still pooh-pooh anti-malware software, considering malicious code to be “a Windows problem,” and assuming that the low amount of Mac malware means that the risk can largely be ignored.

Possible Mobile’s story has an extra twist that is a tricky issue for developers whose job includes integrating and shipping pre-compiled core components provided by paying customers.

Sometimes, you may need to go back to your paying customers and say, “We think the infection actually comes from you.”

Here at Sophos, we faced that very problem during the Induc outbreak on Windows, with some corporate IT teams complaining that we were falsely reporting the virus in their software, “because it was developed and built in-house and thus can’t possibly be infected.”

But, as we are seeing once again, the fact that a program came from a trusted developer, and was built from trusted source code, doesn’t necessarily mean that you will end up with a trusted product.

As we suggested when XcodeGhost first appeared:

Perhaps App Store submissions will require full source code in future? You compile it; Apple compiles it; if and only if the two packages agree, your App goes forward for further analysis.

We imagine there would be an outcry if Apple were to enforce this – What? Share everything with Apple, even my source code? But so-called double-compilation is a respectable approach to countering the problem of trusting trust.

It would certainly help to confirm that both third-party developers and Apple were singing from the same code generation hymn-sheet.

Sophos products detect and block XcodeGhost variants under the family name iPh/XcdGhost-*. At the time of writing [2015-11-09T12:00Z], variant letters -A to -F are known.

Sophos Anti-Virus for Mac Home Edition

Want to keep an eye out for malware, malicious web links and other threats to your beloved Mac?

Whether you are a developer or not, Sophos Anti-Virus for Mac Home Edition is 100% free (email address required), with no expiry and no time limit on updates.

Sophos for Mac also stops threats for Windows too, so it even protects non-Mac users you share files with.

Choose from blocking viruses in real time (on-access protection), scanning at scheduled times, or running a check whenever you want.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XB0LfVFi4fc/

Touchnote breach: Wrote a postcard with us? Thieves have your pal’s name, address

London-based postcard biz Touchnote has offered more details about a data breach it confessed to on Bonfire Night.

In a statement published on its site on 5 November, Touchnote claimed it had the previous day “received information confirming that Touchnote has been victim of criminal activity, resulting in the theft of some of our customer data.”

Although no numbers have been provided, the company confessed that thieves had nicked customers’ names, email addresses, postal addresses, and Touchnote order histories, as well as admitting that “there have also been some recorded instances of dates of birth being accessed.”

It also said that the names and addresses of the unwitting recipients of Touchnote postcards – who are not necessarily Touchnote customers – had been accessed.

Not least of all, the company confirmed:

[C]ard recipient[s’] name[s] and postal address[es] regrettably ha[ve] been stolen as part of this data theft. However there is no action required by the recipient as this information alone cannot cause identity breach.

Touchnote does not store your full credit card or debit card number, expiry date or security code with the exception of the last 4 digits of credit card numbers (e.g. XXXX XXXX XXXX 1234) which on its own cannot be used for making financial transactions.

Passwords stored on the site were hashed and salted, though the company informed its customers that “it is considered best practice to change your password after any data theft.”

Customers who have contacted Touchnote via Twitter have found a company keen to downplay their concerns.

The company’s “no action required” statement is contradicted by its response to question 11, right at the bottom of its notice.

There is a risk, however, that criminals may seek to use some accessed data for identity fraud. If you are contacted by anyone asking you for personal data or passwords (such as your bank account), please take appropriate steps to check the true identity of the organisation.

Touchnote has said it is cooperating with the National Cyber Crime Unit and is in the process of “emailing all customers who are impacted by this theft notifying them of this criminal activity.”

The Register has asked the company how many customers have been affected by the breach and whether it employs any security staff.

We were informed that the company “decline[s] to publicly discuss security matters for obvious reasons” but is aware of the numbers of affected customers and has contacted them individually.

“We are continuing to engage with the National Cyber Crime Agency and the Information Commissioners Office,” a spokesperson told The Register. “We shall not be commenting further on the matter, beyond the detail we have posted on our FAQs on our website.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/touchnote_cops_to_data_breach_tells_customers_no_action_required/

ProtonMail DDoS wipeout: Day 6. Yes, we’re still under attack

Encrypted email provider ProtonMail is still being hit by a DDoS attack from what it claims is a nation state, as well as a secondary and separate lower-level assault from an identified assailant. However, the service is now operating normally, it seems.

Switzerland-based ProtonMail offers an encrypted webmail system able to withstand intelligence agency-level surveillance. However, since last Tuesday the company has continued to be hit by DDoS attacks from two attackers.

Talking to The Register, ProtonMail CEO Andy Yen explained: “We have been attacked every day since 3 November, so we’re now entering the sixth day of attacks.”

“There are two attackers,” said Yen. “Since 4 November, we have been mostly battling the second attacker. They are highly sophisticated and have a lot of resources. The first group that attacked us, the Armada Collective, is largely irrelevant compared with the power of the second attacker.”

ProtonMail has stated that the second attacker’s malicious efforts had all the hallmarks of a state-sponsored attack, both in their complexity and in the attacker’s willingness to cause large-scale damage to achieve its aims.

The CEO added that the “attack volume is high, but especially the mix of attacks being used, and the highly coordinated fashion in which they are employed point to an extremely sophisticated attacker”.

However, as of the time of publication ProtonMail has provided no concrete proof of a nation going after its servers, which it is still working to protect.

Yen told The Register that “many of the world’s largest tech companies have offered to assist in analysing and tracking the attack”.

Late last week the company paid a bitcoin ransom worth £3,500. A company statement explained:

We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.

Again, explaining the situation to The Register, Yen said that “the second attackers impacted many other companies who lost access to mission critical infrastructure. From the start, ProtonMail has always been opposed to paying, but after discussions with other impacted companies, and considering the sheer amount of collateral damage, we respected the group decision to pay.”

The transfer had to come from our Bitcoin account as we were the ones that received the extortion email.

The people attacking us now are not the ones the ransom was paid to, but at the onset, it was not clear there were two attackers involved.

A donation campaign was established for ProtonMail with a goal of raising $100,000, although this was later reduced to $50,000, which has almost been reached as of the time of writing.

Yen explained that “the goal was reduced because once the magnitude of the attack became realised, and it became apparent who the target was, one of the world’s top DDoS protection companies offered to step in at significantly reduced prices in order to support our mission. They understand that ProtonMail being down means large numbers of activists, dissidents, journalists, and regular users will have lost the ability to communicate”.

“In addition,” said Yen, “some of the world’s top networking experts volunteered their time to help us recover. Together with our team, they accomplished the impossible and brought us back online in three days with the capability to withstand the largest cyber attack which has ever hit Switzerland. The support from our users has also been amazing, they donated nearly $50,000 in just two days.”

ProtonMail, which published a transparency report, refers all foreign requests for information to the Swiss federal police, according to Yen.

“At that point, an inquiry may be opened and passed to the Swiss court system. It is only after receiving a valid Swiss court order that we are permitted to share any user information. Due to the end-to-end encryption that we employ, we can only hand over encrypted copies of user messages,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/enormous_protonmail_ddos_attack_continues/