STE WILLIAMS

Falling in love online? Don’t get caught out by the Tinder scammers

Were you one of the guys whose heart was pureed by Ava, the doe-eyed artificial intelligence bot put on Tinder as a movie marketing stunt at SXSW?

That was two years ago. You’ve probably scraped your pulp back together by now.

But don’t let your guard down just yet: an actual human woman has come up with a Tinder scam that’s so much simpler than that whole “What makes you human” AI chitchat.

In fact, the new scam is so much simpler that, honestly, you can’t even call it a scam.

Maggie Archer, a 20-year-old student from St Louis, Missouri, has found what she considers the best possible use for Tinder: just asking guys to send her money. That would be $5, to be precise.

At one point, she was pulling in up to $100/week. Archer told BuzzFeed that a friend had suggested that she put her pitch into her profile, so it wasn’t even a direct ask.

That pitch:

Send me $5 and see what happens

Oh, the curiosity! Oh, the potential! What happens, indeed?!

Well, what happened, to lusty lad after lusty lad, after they had sent $5 to Archer via PayPal, was that she’d unmatch them. Goodbye, sucker, *SWIPE!*

It was too good not to share, she said:

Plus, she figured she was inspiring sisters, which she probably was, given feedback like this:

Is it a scam? Well, no. After all, Archer didn’t promise anybody anything. All she did was stoke their imaginations. Therefore, there was nothing fraudulent about her pitch.

Archer said that she decided to give it a go, mostly as a joke. But then, hey, the money started to flow “almost immediately”.

Archer told BuzzFeed that it worked with about one out of every five guys who asked about her profile. One match sent her $10. And then there were the men who wanted to offer her a whole lot more:

Some men get creepy and assume if they offer a lot more, like hundreds, something will actually happen, which of course it doesn’t.

While it wasn’t a scam, technically, it turns out to be against Tinder terms of service. Tinder told BuzzFeed that “requesting money from other Tinder users violates our terms of service”.

Any users doing so would be removed from the platform, added Tinder, noting that Archer’s account has been shut down.

In fact, Archer had already deleted the app, given that “the whole purpose for doing this was defeated”, presumably because her story went viral. At this point, the “see what will happen if you send me $5” mystery has been solved: you’ll lose $5.

Is that the end of the story? Oh, no. It’s just one element in a much bigger picture. Tinder has plenty of other scam flavors to tempt people’s hearts. … Or other bits of their anatomy.

For instance: as the Bangkok Post reports, Tinder scammers are posing as attractive young Thai cabin crew to trick men into wiring cash.

Thai police have narrowed their search for the likely culprits, who, they believe, are neither flesh-and-blood cabin crew nor sexy Ex Machina robots, but two plain old guys who stole Facebook profile photos from at least three Thai Airways cabin crew. One of the suspects is wanted under nine arrest warrants on charges of swindling and fraud.

Two of the cabin crew have filed complaints, claiming that their photos had been posted online without their knowledge to swindle money from at least 30 men. The swindlers allegedly kept up online relationships with their marks, avoiding meeting one victim by claiming to be busy with overseas flight duties.

One day, “she” told the victim that she’d lost her credit card and asked him for a loan of 15,000 baht ($436, £350). After he transferred the funds, “her” tone grew distant, and he realized he’d been had. Police have reportedly also found victims who’ve been snookered into transferring millions of baht to the suspects between 2014 and last year.

A lover and his money are soon parted

Between the Thai Airways not-cabin crew, Maggie Archer’s $5 flimflam, and the Ex Machina AI heartbreaker, you’d think that Tinder is a tinderbox for fraud. You’d be right, but it’s no different from other online dating sites and services that crooks use to squeeze money out of the lonely and/or the horny.

It’s tough to resist the allure, but there are a few tools that can help us avoid falling into these traps:

1. Skepticism. We can’t say it often enough: people you don’t know are strangers, and they’re not always who they say they are. There are so many cases where imposters have targeted kids, such as the paedophile who posed as Justin Bieber, or the 22-year-old from New Jersey who posed as a teenager to stalk girls online.

Adults have their own flavors of lying sleazebag fraudster: cybercrooks who prey on vulnerable love-seekers on dating sites; who convince them they’re sending money to needy soldiers; who send bogus emails promising that you’ll get a payment just as soon as you first pay a “shipping agent” (what’s known as “advance fee fraud”); or who pose as voluptuous women who, strangely enough, are forced to find love online – presumably because Russia is fresh out of men who like buxom blondes.

2. The ability to perform an internet search. You don’t have to be a genius to do a simple search to educate yourself on online scams, or online dating scams, or romance scams, like Rebecca Lewis did when her fiancée fell for “Kristen”: the 26-year-old daughter (ha!) of a Californian millionaire (double HA!). Bear in mind that you’re well-advised to run a reverse image search on the photo of somebody who seems too good to be true.

You could well find a faker’s photo posted on sites devoted to exposing the fraudsters who use the same images over and over – typically, images that were stolen from elsewhere.

If you’ve got a friend/relative/whoever who’s blinded by love or lust, try quizzing them on whether their online lover has any of these attributes of sweetheart swindlers, provided by the FBI:

  • Presses you to leave the dating website you met through and to communicate using personal e-mail or instant messaging
  • Professes instant feelings of love
  • Sends you a photograph of himself or herself that looks like something from a glamour magazine
  • Claims to be from the US and is traveling or working overseas
  • Makes plans to visit you but is then unable to do so because of a tragic event
  • Asks for money for a variety of reasons (travel, medical emergencies, hotel bills, hospitals bills for child or other relative, visas or other official documents, losses from a financial setback or crime victimization).

Try to pierce that hubba hubba haze, and let the cold shower of reality come raining on down!

 


Image courtesy of Prathan Chorruangsak / Shutterstock

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FGcwYkwCcCI/

Let’s Encrypt issues certs to ‘PayPal’ phishing sites: how to protect yourself

The modus operandi for phishing attacks is straightforward: thieves spam out legitimate-looking messages with malicious links that, when clicked, dupe the victim into giving up passwords, credit card numbers and the like.

When they set up their sites, crooks want TLS certificates (still widely called SSL certificates) so that the browser shows a padlock, and for the most part there’s no stopping them from getting one. Just as people fall for fake sites that look like their bank or HR department, the certificate authority has no reliable way to tell a legitimate applicant from a fraudulent one: a domain-validated certificate only attests that the applicant controls the domain name, not that the name is being used honestly.

Such is the case with Let’s Encrypt, a free, automated certificate authority that has issued 15,270 certificates containing the term “PayPal”, the overwhelming majority of them to phishing sites.

PayPal a big target

SSL Store encryption expert Vincent Lynch has been watching it happen and asked Let’s Encrypt to stop issuing certificates containing the term “PayPal”. But in a blog post, he said the problem persists:

PayPal is a high-value target and Let’s Encrypt had already issued nearly 1,000 certificates containing the term PayPal, more than 99% of which were intended for phishing sites. With expanded research, we found our previous claim was a major underestimate. Let’s Encrypt has actually issued 15,270 PayPal certificates. This reveals the previously unknown extent of the Let’s Encrypt phishing phenomenon.

Assuming that current trends continue, he said, Let’s Encrypt will issue 20,000 additional “PayPal” certificates by year’s end. Since its inception, Let’s Encrypt has taken a hands-off approach to refusing or revoking certificates on the basis of a site’s content, because policing content runs counter to its goal of encrypting every website it can.

Lynch acknowledged that, and said his reason for writing the warning was to show how popular the use of SSL is on phishing sites:

If Let’s Encrypt will issue upwards of 35,000 “PayPal” certificates by the end of 2017, there are likely tens of thousands more targeting other popular sites and services. The security community, and internet users at large, should be aware of the extent of this activity.

Whose responsibility is it, anyway?

The big question in this situation is who bears responsibility for thwarting phishers. Let’s Encrypt’s policy is clear. From the website:

Deciding what to do here has been tough. On the one hand, we don’t like these sites any more than anyone else does, and our mission is to help build a safer and more secure Web. On the other hand, we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015. This post explains our thinking in order to encourage a conversation about the CA ecosystem’s role in fighting these malicious sites.

In the final analysis, the organization says, certificate authorities are not well positioned to run anti­-phishing and anti-malware operations:

They simply do not have sufficient ongoing visibility into sites’ content. The best CAs can do is check with organizations that have much greater content awareness, such as Microsoft and Google. Google and Microsoft consume vast quantities of data about the Web from massive crawling and reporting infrastructures.

In an email exchange, Let’s Encrypt executive director Josh Aas said a blanket block on the word “paypal” would prevent legitimate use while doing little or nothing to stop phishing and malware sites.

Naked Security has written about phishing at length, and the conclusion is usually that the fight rests with individual companies, employees and consumers.

To that end…

What companies should be doing

Since phishing is one of the easier ways for an attacker to steal a company’s sensitive information, the defense must start there.

To help raise awareness, security vendors have offered a number of products and services companies can use to launch simulations – essentially phishing fire drills — which can show employees up close how easy it is to be duped by social engineering. For Sophos customers, that product is Phish Threat.

Security awareness programs are not new, and some security experts have questioned their effectiveness, since users continue to make the same mistakes. Sophos’ response has been that simulations give awareness programs more teeth. The more employees get caught on the phishing hook during a simulation, the less likely they are to forget the lesson.

Though such simulations are an effective way to raise awareness, companies need to follow that up with concrete instructions to help employees stay above the fray.

What consumers should be doing

For consumers, we’ve repeatedly suggested the following:

  • Be careful what you click. This one is painfully obvious, but users need a constant reminder.
  • Check the address bar for the correct URL. The web address starts with http:// or https:// followed by the host name, and the part that tells you who you are talking to is the registrable domain: the last part of the host name before the first slash (paypal.com in https://www.paypal.com/). Phishers put the brand name somewhere else in the host name, for instance a hypothetical paypal.com.secure-login.example, which is a different domain belonging to someone else. If you are expecting a secure HTTPS website for your bank, make sure you see a URL beginning with https:// before entering your private information.
  • Look for the padlock on secure HTTPS websites, but understand what it means. The padlock only tells you that the connection to the domain shown in the address bar is encrypted; it says nothing about who owns that domain. As the Let’s Encrypt figures above show, phishing sites get valid certificates and padlocks too, so the padlock is a necessary check, not a sufficient one.
  • Consider using two-factor authentication for more security. When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account.

Aas added this suggestion as well:

Use Google Safe Browsing, Microsoft SmartScreen, or some other safe browsing program. Those programs have vast resources devoted to consuming and evaluating content, and they can issue warnings and blocks very effectively.
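The address-bar advice above, and the kind of brand-name sweep over issued certificate names that Lynch’s figures come from, can both be turned into a simple check. The following Python is an added example, not code from the article, Let’s Encrypt, the SSL Store or Sophos. Everything in it is an assumption for illustration: the certificate names are constructed to resemble the “PayPal” issuances described above and are not real observed certificates (in practice the names would come from Certificate Transparency logs), the suffix list is a tiny stand-in for the Public Suffix List, and the set of legitimate PayPal domains is an assumed shortlist.

```python
"""Triage certificate names and URLs that borrow a brand name.

Added example, not code from the article, Let's Encrypt, the SSL Store or
Sophos. The certificate names below are constructed to resemble the kind of
"PayPal" issuances described in the article; none is a real observed
certificate. In practice the names would be pulled from Certificate
Transparency logs. PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix
List (assumption: it covers only the samples here; a real tool loads the
full list).
"""
from urllib.parse import urlsplit

BRAND = "paypal"
# Assumption: the brand's own registrable domains. Keep this authoritative and
# short; any other name that contains the brand is worth a look.
LEGIT_DOMAINS = {"paypal.com", "paypal.me"}

# Stand-in for the Public Suffix List (assumption, see module docstring).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "ml", "tk", "co.uk", "com.br"}

# Digits that phishers swap in for look-alike letters: paypa1, payp4l ...
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a host name.

    paypal.com.secure-login-verify.info -> secure-login-verify.info
    www.paypal.com                      -> paypal.com
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the two-label suffixes (co.uk, com.br) before the one-label ones.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def normalise(host: str) -> str:
    """Undo the cheap disguises: digit look-alikes and hyphen splitting."""
    return host.lower().translate(CONFUSABLES).replace("-", "")


def impersonates_brand(name: str) -> bool:
    """True if a certificate name or host mentions the brand but is not one
    of the brand's own domains. A wildcard SAN (*.example) is judged on its
    base name."""
    host = name.lower()
    if host.startswith("*."):
        host = host[2:]
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False
    return BRAND in normalise(host)


def check_url(url: str) -> dict:
    """The two facts the address-bar advice needs: the scheme says whether
    the link is encrypted, the registrable domain says who you are talking
    to. Only the second separates a phish from the real site."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "https": parts.scheme == "https",
        "brand_lookalike": impersonates_brand(host),
    }


# Constructed certificate subject names, in the style of a CT-log export.
SAMPLE_CERT_NAMES = [
    "www.paypal.com",
    "paypal.com.secure-login-verify.info",
    "paypal-account-update.tk",
    "*.paypa1.ml",
    "pay-pal.co.uk",
    "paypal.me",
    "mypaypalshop.com.br",
    "example.org",
]


def triage(names):
    """Return the names that warrant a closer look, in input order."""
    return [n for n in names if impersonates_brand(n)]


if __name__ == "__main__":
    for name in triage(SAMPLE_CERT_NAMES):
        print("review:", name)
    for url in ("https://www.paypal.com/signin",
                "https://paypal.com.secure-login-verify.info/signin"):
        print(url, check_url(url))
```

Note that the substring rule flags mypaypalshop.com.br alongside the obvious phishes, which is exactly the objection Aas raises above to a blanket block on the word “paypal”: a check like this is useful for triage and for feeding a blocklist or a Safe Browsing-style report, not as a rule for a CA to refuse issuance. The two URL checks make the point of the consumer advice: both links are HTTPS and both would show a padlock; only the registrable domain tells them apart.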


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XsYyY3nJNwU/

News in brief: tech firms ‘must do more’ on terror; data breaches shoot up; gloom at toxic online spaces

Your daily round-up of some of the other stories in the news

Tech firms ‘must do more’ on terrorism

Amber Rudd, the UK home secretary, was due to meet some of the biggest tech companies on Thursday to tell them they must do more to tackle extremism and terrorism – including, according to TechCrunch, saying that law enforcement must be able to “get into situations like encrypted WhatsApp”.

Her meeting with the big tech players, including Microsoft, Google, Twitter and Facebook, comes in the wake of last week’s terrorist attack in London in which four people died and many more were injured. After Rudd appeared on TV last weekend calling for access to encrypted message services, Naked Security joined the chorus of experts pointing out that what she was calling for won’t work.

Rudd’s meeting with the big four comes a day after EU justice commissioner Věra Jourová said that the European Commission in June will propose new measures to make it easier for law enforcement to access data on platforms such as WhatsApp. Jourová told Euractiv that she would announce “three or four options”, and added: “I am in a very intensive debate with the big four IT providers.”

Data breaches up 566% in 2016

Last year was not a good year for data protection, with more than 4bn records leaked around the world, according to IBM Security, up 566% (no, there isn’t a missing decimal point) on the roughly 600m leaked in 2015.

Healthcare was one of the most targeted industries, with 12m records compromised, IBM said in its report, although it fell back to third place last year as attackers refocused their efforts on the financial services sector.

Ransomware has shifted from being “a nuisance to an epidemic”, said Caleb Barlow of IBM, who added that the lost records were largely unstructured data such as email archives, business documents and source code, rather than credit card details and passwords.

The future of the internet is gloomy

Trolls, hate speech and general unpleasantness are souring the internet, according to the Pew Research Center. Its latest report on the future of free speech online gloomily predicts that “cyberattacks, doxing and trolling will continue, while social platforms, security experts, ethicists and others will wrangle over the best ways to balance security and privacy, freedom of speech and user protections”.

More than 1,500 experts, scholars and thought leaders responded to the Pew Center’s survey, with a significant minority fearing that the online future will be “more shaped” by negative activities such as harassment and trolling.

The report notes that there are “tangible and intangible economic and political incentives” to trolling, and that participation means both power and profits, with the technology companies providing the platforms having little incentive to rein in the nastiness.

It’s not all gloom, however: one respondent predicted “the rise of social robots, technological tools that can help us act as polite, decent social beings”, with another adding: “Free speech will remain possible, although AI filtering will make a major dent on how views are expressed, and hate speech will be blocked.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZrDzDWr9dL0/

Security co-operation unlikely to change post Brexit, despite threats

UK Prime Minister Theresa May is warning that failure to negotiate an agreement on Britain’s exit from the European Union could damage security cooperation. The tough line – contained in Wednesday’s historic letter triggering Article 50 – has re-focused minds on the possible security implications of Brexit.

“In security terms a failure to reach agreement would mean our cooperation in the fight against crime and terrorism would be weakened,” the prime minister warned.

The warning strikes a tougher line than that previously pushed by diplomats and security experts whose consensus view is that some form of security co-operation post Brexit will be achieved because it is mutually beneficial.

For example, during a UK Home Affairs select committee hearing late last month, Sir Julian King, EU Commissioner for the Security Union, was clear in saying that national security intelligence sharing is *not* going to be affected by Brexit. The UK will still work with France, Germany, Sweden and others on counter-terrorism after Brexit just as it does now, according to the senior British diplomat.

May’s warning might be read as a sign that the political position has changed, but it’s more likely a negotiating gambit designed to focus minds across the continent, and a reminder of Britain’s capabilities in signals intelligence and other areas. Whatever happens with Brexit, the idea that Britain would withhold intelligence on the travel plans or communications of suspected terrorists from its neighbours is implausible – not to say counter-productive and dangerous.

The UK’s main national security and intelligence sharing partners are its fellow members of NATO and of the Five Eyes alliance (US, Canada, Australia, NZ). Neither of those arrangements is going to be affected by Brexit. In addition, France and Britain co-operate on defence outside the EU under the Lancaster House Treaty.

How co-operation on cybercrime across Europe might work post Brexit is less settled. Europol, the pan-EU policing agency headquartered in The Hague, is an EU institution, so the UK will not sit on Europol’s board post-Brexit, for one thing. Some affiliate status with Europol is possible, but there is a risk that the UK will be “cut off” from the “full intelligence picture” after Brexit.

Europol already co-operates with non-EU countries: a framework is in place and applied in practice, in the form of close co-operation with US law enforcement authorities.

Brian Honan, an advisor on internet security to Europol’s European Cybercrime Centre but speaking in a personal capacity, told El Reg that he remains confident terms of a working relationship between UK cops and their Euro counterparts post Brexit can be thrashed out.

“Cybercrime is an international problem with criminals not respecting borders or worrying about what treaties are in place or not,” Honan explained. “Europol has played an important part in coordinating international cooperation between EU Member States and those outside of the EU. While the UK may not have as direct and active role within Europol after Brexit as they do now, I hope common sense will prevail and appropriate arrangements put in place to enable the ongoing fight against cybercrime to continue post Brexit,” he added.

Co-operation in some form between law enforcement investigators post Brexit would therefore seem fairly straightforward to negotiate. The future of the European Arrest Warrant (EAW) is a trickier and more politically contentious issue, and already the subject of a Lords select committee inquiry. The UK government wants to “bring an end to the jurisdiction of the Court of Justice of the European Union in the UK”, which points towards phasing out the EAW. The last thing the UK government wants is to become a no-extradition haven for European criminals; it will also want a mechanism for fetching UK crooks from the Spanish Costas and elsewhere, of course. Peers are holding hearings on options for replacing the EAW after the UK leaves the EU.

Rob Wainwright, the director general of Europol, explained the importance of the EU institution to UK policing agencies in fighting organised crime and terrorism.

“To help keep Britain safe from these threats, its law enforcement community has become dependent on the unique operational benefits offered by key EU instruments: over 3,000 cross-border investigations of organised crime and terrorism were initiated last year at Europol by UK agencies, a rate 25 per cent up on the year before,” Wainwright said, the BBC reports.

Continued post-Brexit co-operation on security is necessary if both sides are to avoid losing out, policy analysts warn. Despite this mutual interest, reaching an agreement is likely to be far from straightforward.

“Brexit may pose more immediate day-to-day challenges to UK and European security rather than defence,” a recent study by the Rand Corporation concluded. “However, both are likely to be subject to long-term uncertainty and change.”

“Both sides risk becoming weaker and less secure if Brexit negotiations provoke a ‘zero-sum’ approach to defence and security and a ‘messy divorce’,” it added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/security_co_operation_post_brexit_europe/

UK cops arrest 20-year-old on suspicion of blackmail and hacking

UK cops have arrested a man on suspicion of extortion and Computer Misuse Act offences, and according to reports “someone in control of the Turkish Crime Family email account” claimed the arrest was connected to the $100,000 Apple iTunes gift card extortion attempt.

Motherboard reports that someone purporting to be from the self-styled Turkish Crime Family contacted it alleging that the unnamed man was nabbed in relation to the group’s claimed hack of millions of Apple iCloud accounts and devices and its subsequent extortion threats.

A representative of the UK’s National Crime Agency (NCA) confirmed to El Reg by email that a 20-year-old man was arrested at a North London address on Tuesday, but gave no information on the alleged offence and did not confirm any connection with that case. “The NCA doesn’t routinely confirm or deny specific investigations,” we were told.

The man has been bailed pending further enquiries.

The group has boasted of masterminding the iTunes gift card caper without providing much by way of proof that it is in a position to wreak the havoc it has threatened to unleash on 7 April if its demands for cash or gift cards are not met.

Motherboard reported that someone using an email address previously associated with the Turkish Crime Family had alerted it about the arrest by supplying what appeared to be an arrest warrant. The group used its established Twitter account to allege late on Wednesday that the arrest was of a peripheral figure or somebody who wasn’t one of the main members of the group. It has previously said the group was seven-strong. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/hack_suspect_arrest/

Financial fraud losses in the UK last year topped £20m a day – report

Financial fraud losses in the UK totalled £768.8m in 2016, up 2 per cent on 2015, according to Financial Fraud Action UK.

The figures, released on Thursday, cover losses from scams involving payment cards, remote (internet and telephone) banking and cheques. They also show that £1.38bn – equivalent to £6.40 in every £10 – of fraud last year was prevented.

Impersonation and deception scams, along with hacking and malware, remained the main vectors in financial fraud last year. Payment card fraud accounted for by far the largest share of losses at £618m, up 9 per cent from £567.5m in 2015. Much of this (£432.3m) was down to fraudulent e-commerce purchases.

Card fraud as a proportion of spending equates to 8.3p for every £100 spent, according to FFA UK.

Remote banking fraud losses totalled £137.1m, a 19 per cent decrease from £168.6m in 2015. Cheque fraud losses fell by 28 per cent to £13.7m, the lowest ever annual total. The big reduction here is likely due to cheques in general becoming obsolete and making up a smaller slice of the payment pie.

There were a total of 1,857,506 cases of financial fraud last year. The banking industry and consumers both need to up their game in order to contain losses that are taking an unhealthy slice out of the economy, according to experts.

Katy Worobec, director of Financial Fraud Action UK, said: “The payments industry can’t stop all fraud on its own, so it’s essential that every organisation with a role to play unites to tackle it. We are particularly working with law enforcement and government, through the Joint Fraud Taskforce. It’s also vital for any organisation holding personal data to ensure they have robust systems in place to prevent data breaches.

“Across the industry, and with partners, we are developing new processes to help police intervene when potential victims visit a bank branch, and we are exploring new ways to track stolen funds moved between multiple bank accounts.”

Phishing scams and other forms of social engineering, such as crooks phoning up victims and pretending to be from their bank’s security department, remain among the main ways to harvest payment card details prior to making fraudulent purchases or transfers.

Tony Blake, senior fraud prevention officer at the Dedicated Card and Payment Crime Unit, said: “Fraudsters are often extremely professional, so it’s important that you stay alert and guard your personal and financial details. Always take a moment to consider carefully any requests for your information and never disclose your security details, such as your PIN or full banking password. Criminals will do all they can to scare and pressure you into acting quickly without thinking. Don’t let anyone rush you.”

Financial Fraud Action UK leads the collective fight against financial fraud on behalf of the UK payments industry. Its membership includes banks, credit, debit and charge card issuers, and card payment processing firms.

John Marsden, head of ID and fraud at credit reference agency Equifax, commented: “Impersonation and deception scams, as well as online attacks to compromise data, dominated the fraud landscape during 2016.

“The UK is ahead of many other countries in improving fraud defences, but is also subject to a higher number of attacks and cannot afford to be complacent. As the tactics of fraudsters continue to evolve at an alarming rate, businesses need to focus on how they can keep up. The financial services industry in particular needs to continue working together to educate consumers and share information to help collectively tackle this activity, while also constantly improving their systems to both safeguard consumer personal data and implement appropriate steps to confirm transactions are being completed by genuine customers.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/uk_financial_fraud_loses_grow/

30% of Malware Attacks are Zero-Day Exploits

WatchGuard quarterly report, based on Firebox Feed data, lists five key findings on Internet security threats.

New data from network security firm WatchGuard Technologies shows that nearly one third of the malware it caught was “zero-day” malware. In WatchGuard’s usage that means samples new enough to slip past signature-based antivirus and be caught only by more advanced detection such as sandboxing; it does not mean exploits of unpatched vulnerabilities, as the headline might suggest.

WatchGuard’s first quarterly Internet security report covers threats seen in Q4 2016 and their effect on businesses. The data comes from Firebox Feed, anonymised telemetry from more than 24,000 WatchGuard unified threat management (UTM) appliances worldwide.

The report points to five key findings:

  • Attackers are reusing old attack methods in new packaging.
  • 30% of malware was new or “zero-day”, avoiding discovery because too few networks run detection techniques more advanced than signatures.
  • JavaScript is used extensively in malware delivery.
  • Web browsers and web services are the most-targeted software.
  • The top network attack was Wscript.shell Remote Code Execution, with 99% of those detections targeting Germany.

“Each quarter, our report will marry new Firebox Feed data with original research and analysis of major information security events to reveal key threat trends and provide defense best practices,” says Corey Nachreiner, CTO of WatchGuard Technologies.


Article source: http://www.darkreading.com/vulnerabilities---threats/30--of-malware-attacks-are-zero-day-exploits/d/d-id/1328521?_mc=RSS_DR_EDT

Internet’s Security Woes are Not All Technical

Google engineer Halvar Flake told Black Hat Asia attendees that flaws in organizational structure and market power put enterprises at risk.

BLACK HAT ASIA – Singapore – Technical shortcomings aren’t the only flaws in today’s Internet. Organizational structure and the balance of market power are also poking holes in an already fragile system.

Google engineer Halvar Flake discussed the actors, incentives, and industry challenges impeding Internet security as part of his keynote “Why We Are Not Building A Defendable Internet” here this week at Black Hat Asia 2017. Protected devices are part of the solution, but there’s more to risk management, he said.

Flake began his discussion by describing the way businesses, security vendors, and customers should interact. Ideally, a business’ CISO and their team develop security requirements and communicate their needs to the organization. Leaders make requests of vendors to provide products they need.

But in reality, that’s not happening today. “This is not how purchasing works in any way, shape, or form,” he explained. “The reality is, software vendors and the entire supply side for IT is entirely scale-driven.”

The enterprise has little market power in shaping the design of security products they use, he noted. Few companies can give input to software or hardware vendors to influence the design process.

If businesses have little say in product features, CISOs have even less. Security leaders want to buy reliable products for their teams, but there aren’t many available. Vendors and cyber insurance companies realize security leaders can’t get exactly what they want, so they sell other products and services to fill the gap, he said.

Much of today’s security tech exists to protect the CISO, Flake said, with functionality coming second. The biggest risk to a CISO is being perceived as having missed a threat to the business, so it matters less whether a product performs than whether it looks like a reasonable choice. Purchasing decisions for security products therefore often rest on marketing and manageability, he said.

“Security products may not help all that much, but they look like they could plausibly reduce the risk of the enterprise,” Flake explained. “If you’ve bought a product, and the product fails to stop the risk, at least it’s not your fault.”

This contributes to the rise of cyber insurance, which offers to cover the cost of a breach and the ensuing clean-up, he said. Cyber insurance is a new and evolving field, and many companies don’t realise that policies often do not cover reputational damage, loss of user trust, or loss of critical intellectual property.

There are a few ways cyber insurance could change the game for security teams, according to Flake. Insurers may need to acquire new levels of expertise to help differentiate good security products, or offer lower premiums to companies buying legitimately secure products.

That said, there are many cyber insurance factors that could lead to negative outcomes. Evaluating cyber-risk is hard because there is little historical data, he said. Technology changes so quickly that data collected years ago may not accurately predict risk today. Further, the potential losses can be large: if a major breach occurs, “replace all devices” could be a feasible — and expensive — outcome.

All of this leads us to a bigger question: how to manage risk until better products come along. Flake notes how security leaders have adopted a defeatist attitude: “Whatever we do, we’ll always have many, many bugs.”

This isn’t actually true, though, he said. The ability to understand the attack surface and implement strong risk management are what sets apart experienced security pros.

One way to do this is to view IT infrastructure like a financial balance sheet, Flake said. As a whole, it provides daily benefits, but each component of the infrastructure has a risk of blowing up and becoming a liability. Installing software means incurring risk on your “balance sheet.” Adding code to software is like adding risk to the balance sheet of each customer.

Most organizations don’t know how to incentivize security. Employees are quick to add new software features because it will yield praise and promotions, but additional code broadens the attack surface, according to Flake.

Few people offer to reduce privileged code because it doesn’t offer the same reward. The truth is, software has so many features and components that cutting code would be beneficial because it decreases the attack surface, he said.

“Too few people understand the equivalence between code and risk, or treat it as such,” Flake said. Businesses need to recognize the role of incentive structure and pay to cut code where it’s necessary.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/risk/internets-security-woes-are-not-all-technical-/d/d-id/1328523?_mc=RSS_DR_EDT

Patch Unlikely for Widely Publicized Flaw in Microsoft IIS 6.0

Microsoft recommends upgrade to latest operating system for more protection.

A zero-day vulnerability in Microsoft’s IIS 6.0 Web server software remains unfixed even after two Chinese researchers recently posted a proof-of-concept exploit for it, Threatpost reports. Microsoft recommends “that customers upgrade to our latest operating systems and benefit from robust, modern protection.”

The flaw is a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service, which allows arbitrary code to be executed remotely via a PROPFIND request carrying a long header beginning with “If: http://”. Microsoft says currently supported versions are not affected. Disabling WebDAV helps mitigate attacks, Threatpost said.
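A simple way for a defender to watch for the request shape described above is to flag PROPFIND requests whose If: header is oversized and starts with http://. The following is an added example, not code from Threatpost, Microsoft or the researchers; the 256-byte threshold and the sample requests are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Threshold is an assumption: real WebDAV "If:" headers carry one or a few short
# lock tokens, so a value of hundreds of bytes is out of the ordinary.
MAX_IF_HEADER_LEN = 256


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, target, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_suspicious_propfind(raw: bytes) -> bool:
    """Flag a PROPFIND whose If: header is both oversized and begins with http://."""
    method, _target, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return False
    if_value = headers.get("if", "")
    return (len(if_value) > MAX_IF_HEADER_LEN
            and if_value.lstrip("<").startswith("http://"))


def flag_requests(requests: List[bytes]) -> List[int]:
    """Return the indices of the requests that should raise an alert."""
    return [i for i, raw in enumerate(requests) if is_suspicious_propfind(raw)]


# Constructed samples: a normal WebDAV lock check, an oversized If: header made
# of plain filler (not an exploit string), and an ordinary GET for contrast.
BENIGN = (b"PROPFIND /docs/report.docx HTTP/1.1\r\nHost: webdav.example.test\r\n"
          b"Depth: 0\r\nIf: <http://webdav.example.test/docs/report.docx> "
          b"(<opaquelocktoken:CONSTRUCTED-TOKEN-1>)\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: webdav.example.test\r\nIf: <http://"
             + b"A" * 400 + b">\r\n\r\n")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: webdav.example.test\r\n\r\n"

if __name__ == "__main__":
    print(flag_requests([BENIGN, OVERSIZED, PLAIN_GET]))  # [1]
```

The same check can be applied to a reverse proxy or IDS that sees full request headers; IIS 6.0's default logs do not record the If: header, so a web-log-only rule would miss it.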

IIS, or Internet Information Services, currently serves 11.4% of websites, placing it behind Apache and Nginx. Among all IIS installations, 11.3% run version 6, and many websites still run on unsupported versions of the software, the report said.

Read details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/patch-unlikely-for-widely-publicized-flaw-in-microsoft-iis-60-/d/d-id/1328522?_mc=RSS_DR_EDT

How to leak data from an air-gapped PC – using, er, a humble scanner

Cybercriminals managed to infect a PC in the design department of Contoso Ltd through a cleverly crafted spear-phishing campaign. Now they need a way to communicate with the compromised machine in secret.

Unfortunately, they know Contoso’s impenetrable network defenses will detect commands sent to their malware.

To avoid detection, they have to send data through a channel not monitored by the company’s IT security system, the Hyper IronGuard WallShield 2300, with its “military-grade” two-ply data leakage protection technology.

They consider several potential covert transmission techniques – inaudible sound, modulated light, even thermal manipulation of hardware – but none of these appear to be practical given their budgetary limitations and modest intellects.

Then one member of the three-person group recalls hearing about a security paper, “Oops!…I think I scanned a malware” [PDF], published earlier in March by researchers from two Israeli universities, Ben-Gurion University of the Negev and the Weizmann Institute of Science.

The other hackers are skeptical at first, but as they learn about the proposed technique, they become more open to trying it, particularly because it can be done with a drone. All of them love drones.

Scanner used to communicate with malware

The researchers, Ben Nassi and Yuval Elovici from Ben-Gurion University and Adi Shamir from the Weizmann Institute, describe a method for creating a covert communication channel between a compromised computer inside an organization and a scanner on the same network that happens to be near an external window.

The technique involves shining an external light, such as a laser or an infrared beam, through the window (or hijacking a manipulable internal light source) so that the illumination alters the scanner output to produce a digital file containing the desired command sequence.

To do so, the light must be connected to a micro-controller that modulates the binary-encoded commands from the server into light flashes that register with the scanner’s sensors.

“Since the entire scanning process is influenced by the reflected light, interfering with the light that is illuminated on the pane will result in a different electrical charge which will therefore be parsed to a different binary representation of the scanned material,” the paper explains.

The researchers describe setting a drone to hover outside a third-floor office window at a time when installed malware in the target organization had been instructed to begin scanning. With a transmission rate of 50 milliseconds per bit, they infiltrated the command “d x.pdf” to delete a test PDF file. The command sequence took 3.2 seconds to transmit using a laser mounted on the drone.

The cyber thieves spend several days preparing to carry out their plan. But during the final rehearsal, one of them realizes it won’t work because the attack requires the scanner to be at least partially open to register incoming light.

Although Contoso’s precious secrets remain beyond their reach, all three soon get recruited by a Silicon Valley drone startup focused on pet transportation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/scanners_as_covert_command_control_conduit/