STE WILLIAMS

Watch out! Facebook is NOT closing in March

It’s the first calendar quarter of the year.

With February and March on the visible horizon, we’re seeing the annual reappearance of “Facebook is closing” hoaxes.

The hoaxes look something like this:

Dear Facebook members, Facebook is supposed to be closing down March 15th because it is becoming very overpopulated. There have been many members complaining that Facebook is becoming very slow. Records show that there are many active Facebook members and also many new members. We will be sending this message around to see if members are active or not. If you are active please send to 15 other users using copy+paste to show that you are still active. Those who do not send this message within 2 weeks will be deleted without hesitation to make more space. Send this message to all of your friends to show that you are still active and you will not be deleted. Founder of Facebook. Remember to send this to 15 other people so your account wont be deleted.

It certainly sounds unlikely, doesn’t it?

Facebook closing down because it has too many members?

Facebook trying to reduce traffic by kicking off members who do nothing (and who thus produce no traffic), yet keeping members who participate in a chain letter that produces only a giant flurry of wasted traffic?

Mark Zuckerberg, who was born, bred and educated as an Anglophone American, writing in such stilted English?

And the reason it sounds unlikely is because it is unlikely, and it’s unlikely because it’s a pile of garbage.

Invitations to participate in chain letters should always be avoided, because getting involved is almost like joining in a DDoS attack: you’re generating loads of wasteful traffic, and actively urging others to do the same.

The problem with chain letters is that if they succeed, their distribution grows exponentially, at least for a while.

To see why, let’s do the arithmetic.

We’ll assume perfect propagation, where each recipient sends the message to 15 brand new recipients. (That’s admittedly very unlikely, but we’re looking at the principle here.)

In other words, by participating you become part of the problem, not part of the solution.

Other popular “Facebook closure” memes in previous years have warned you about Facebook closing from 29-31 February, a hoax that is rather more obvious (at least in non-leap years, when February has only 28 days), but still seems to attract plenty of interest.

Frictionlessness

One of the problems with modern social networking is the concept of frictionlessness, which is a measure of how easy it is to interact with the system.

This is one of the reasons that Facebook and other online services like Twitter are happy for you to be logged in all the time: the buttons they provide for liking, sharing, retweeting, endorsing, approving, and so on, work with a single click if you are logged in.

If you make a habit of logging out of Facebook, Twitter and other services when you are not actively engaged with them, you will add a tiny bit of hassle to your digital life.

But you will stop yourself being sucked into hoaxes, scams, bait-and-switches, and much more, if you are logged out more than you are logged in.

That’s because an ill-considered or an unexpected click on a social networking button will bring up a “You need to login” dialog whenever you are logged out.

This gives you a second chance to consider if you really intended the action you just performed, as well as keeping you safe from malicious behaviour such as clickjacking.

Clickjacking is visual trickery that makes you think you are clicking on something of your own choice, but behind the scenes you are clicking – and thus endorsing – something else entirely, such as a Like.

Stray clicks, fallacious likes and bogus tweets are all easy to propagate when you stay logged in to social networking services as a matter of routine.

Further information

If you’re in any doubt as to how this can contribute to the problem, sucking in yet more victims, take a look at this Bait-And-Switch video, where we look at how fake Tweets can put other people in harm’s way:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BbQOLwrDwv4/

Rapper 50 Cent faces lawsuit for posting sex video without permission

A New York judge on Thursday ruled that a Florida woman could sue rapper 50 Cent for posting onto his website a sex video that showed the woman’s face.

50 Cent, aka Curtis James Jackson III, was sued by the woman, Lastonia Leviston, in 2010 for emotional distress.

The X-rated video featured the woman having sex with Maurice Murray, her former boyfriend.

Leviston is the mother of a child fathered by one of 50 Cent’s rivals, Rick Ross.

According to the New York Post, 50 Cent allegedly purchased the homemade porn from Murray, although she claims he promised to destroy the footage.

The rapper then edited himself into the footage as a wig-wearing narrator named Pimpin’ Curly.

Murray’s face was blurred out, but Leviston’s was not.

50 Cent says he wasn’t responsible for the video’s 2009 release, according to Fox News, but says it was legally fair to use the images.

The rapper’s site gets millions of views. The video was also picked up by multiple sites and viewed almost 4 million times, according to the New York Post.

Leviston charged that the publicity caused her to suffer major depression and anxiety and nearly drove her to suicide.

50 Cent had tried to get the case dismissed by arguing that she was bluffing, given that she was still able to get her high school equivalency diploma and hold down two jobs after the video was posted.

But Manhattan Judge Paul Wooten wrote in his decision that Leviston’s diary could lead to other conclusions, according to news outlets that viewed the court papers.

From the judge’s decision, as transcribed by the New York Post:

[Leviston’s diary] reveals that Leviston entertained suicidal ideation as a result of the release of the video tape, and that she was unable to function normally in her daily life.

In the video, 50 Cent called Leviston a “call girl” named Brooke. In her suit, Leviston denied being a prostitute.

The court papers quote the rapper as saying that his sole motive was to respond to Ross “disrespecting” him.

In rebuffing 50 Cent’s attempt to get the suit dismissed, Wooten wrote that it’s up to a jury to decide whether Leviston’s suffering was “genuine and extreme.”

Image of 50 Cent courtesy of Wikimedia Commons.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ufvZUYjuQo8/

Planning to rob a Windows ATM? Ditch the sledgehammer and bring a USB STICK


Cash machines have been emptied using USB sticks in a series of real world attacks that hark back to exploits first demonstrated by security researcher Barnaby Jack three years ago.

Cybercrooks have created a strain of malware that creates a backdoor on compromised ATMs using a bootable USB stick. The crooks cut a hole into the plastic chassis of the ATM in order to access the USB port, then patched the chassis up afterwards to avoid their tampering being detected.

Once the USB device was in place, the ATMs could be rebooted and the malware would be automatically installed. The malicious code was used to screw with functions normally restricted to engineering diagnostics.

The thieves then used a 12-digit code to access an alternative interface on compromised ATMs. The masterminds behind the scam, not wanting their street crews to go rogue, have built a challenge-response access control into their malicious software so that low-level fraudsters need to contact more senior members of the gang to get the one-time code necessary to withdraw money from compromised machines. The precaution also prevents rival gangs from looting knocked-up cash machines.

Details of the malware-based attack on an unnamed Brazilian bank’s cash dispensers* were presented by two security researchers at the Chaos Communication Congress in Hamburg last month. In response to audience questions, Tillman Werner from security upstart CrowdStrike explained that the malware used in the scam was not designed to intercept credit or debit card data.

Video of the fascinating hour-long talk can be found here. The scenario of the attack recalls the ATM Jackpotting exploit against cash machines, as first demonstrated by famed security researcher Barnaby Jack at Black Hat USA 2010.

Werner and his research partner said they were explaining details of the relatively trivial attack against ATMs running versions of Windows for embedded devices in order to encourage vendors and banks to introduce basic security safeguards. Disabling the “boot from USB” functionality on ATMs alone would be enough to frustrate this particular scam.

Cash machine thefts based on the technique surfaced last year and have remained isolated, at least for now. Werner’s research is largely based on the analysis of malware found on a USB stick confiscated from a suspected fraudster.

Gunter Ollmann, CTO of computer security services firm IOActive, said in an article for Dark Reading that the ability to write malicious code for ATMs is far from unknown among the denizens of the digital underground.

“While the attack vector – booting from an infected USB stick – will have many security veterans rolling their eyes in disbelief that the targeted bank hadn’t already mitigated the threat,” Ollmann writes, “I’ve heard several people argue that writing code (malicious or otherwise) for ATMs is difficult. Unfortunately, it’s simpler than most realise. Anyone with an understanding of CEN/XFS, or the time to peruse the online manuals, will quickly master the fundamentals.”

“This USB infector process is the low-hanging fruit for criminals targeting ATM machines. Banks that haven’t already mitigated the attack vector are, for lack of a better word, negligent. There can be no excuses for not disabling the ‘boot from USB’ functionality, especially now with the public disclosure of criminal abuse,” he adds. ®

Bootnote

* Not stated during the demo but a Portuguese menu plus R$ (Reals) as the currency unit leaves little doubt that the scam hit banks in Brazil.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/06/atm_malware_stick_up/

Malware! tainted! ads! infect! thousands! of! Yahoo! users!


Thousands of Yahoo! users have been exposed to malware through malicious advertisements over the past few days, according to research by Dutch security firm Fox-IT.

Malware-tainted ads served from ads.yahoo.com were shown to victims in Romania, Great Britain and France, infecting tens of thousands every hour. The first infection was spotted on 30 December, said the security firm.

Yahoo! said it is aware of the attack, and is blocking the ads. The web firm confirmed that Blighty, France and Romania got the worst of it, and claimed the attack did not affect Asia Pacific, North America and Latin America.

Only a tiny percentage of ads were tainted, but those that were attempted to harness the Magnitude Exploit Kit to fling Java-based exploits against the computers of visiting surfers.

The end goal of the attack was to plant banking Trojans such as ZeuS onto compromised Windows machines, as explained in greater depth on HitManPro’s blog here.

Security watchers have long advised that running Java in the browser is far more trouble than it’s worth.

If nothing else, the Yahoo! tainted ad attack illustrates the wisdom of disabling Java in the browser, a technology rarely needed to surf most websites. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/06/yahoo_tainted_ads_malware/

Syrian Electronic Army Takes Credit For Skype Hack

The Syrian Electronic Army is taking credit for last week’s hack of Skype, and claims to have stolen information from Skype’s parent company, Microsoft.

In a post on its Facebook page, the hacktivist group states that it has hacked Skype’s Twitter and Facebook accounts, as well as a Skype blog.

“In continuation of our electronic war that we started in defense of the borders of our homeland … the command of the SEA declares its success in hacking Microsoft,” the SEA says on its Arabic-language Facebook page. The group also says that its hack on Microsoft also found “many documents that prove Microsoft’s selling of information and passwords for Hotmail and Outlook and other accounts to government in exchange for large sums of money.”

After it took back control of the accounts later the same day, Skype acknowledged the hacks in a Twitter post. “You may have noticed our social media properties were targeted today,” the tweet says. “No user info was compromised. We’re sorry for the inconvenience.”

Microsoft was among the companies alleged to have cooperated with the NSA in a U.S. surveillance program by former contractor Edward Snowden. Some observers speculated that those allegations may have made Microsoft a target for the SEA.


Article source: http://www.darkreading.com/perimeter/syrian-electronic-army-takes-credit-for/240165141

Bruce Schneier Departs BT For Startup Co3 Systems

Famed security expert Bruce Schneier has left BT and is now CTO of incident response management startup Co3 Systems.

Schneier, who previously had served on Co3 Systems’ advisory board and has helped shape the look and feel of the software-as-a-service firm’s architecture, says the time had come for him to make a change and leave BT. He had been the security futurologist for BT since it purchased his network monitoring services firm Counterpane Internet Security in October of 2006.

Word that Schneier was leaving BT leaked publicly last month, and speculation arose that it had to do with his outspoken criticism of surveillance by the NSA and Britain’s GCHQ.

But Schneier says BT never tried to censor his high-profile analysis of the Snowden leaks. “BT never tried to force me to toe the party line. And while my opinions on the NSA might not have been the same as their opinions, they never once stopped me from saying or publishing something,” Schneier told Dark Reading in an interview. “Independent thinking was one of the things BT valued of me.”

He says the timing was right for him to try something new, and Co3 Systems was “the cool ‘something new’ that I found.” His new role is mainly as “an external-facing evangelist,” he says.

The Guardian in August reported that BT was a major partner with the GCHQ in its surveillance programs, as were Vodafone and Verizon Business, passing the spy agency information on their customers’ phone calls, emails, and Facebook posts, according to documents leaked by former NSA contractor Edward Snowden. Schneier, who worked with former Guardian writer Glenn Greenwald to analyze the Snowden documents, concluded that the NSA in its controversial surveillance operations was breaking most encryption on the Internet, and that it was time for the Internet to retool its security architecture with “open protocols, open implementations, open systems – these will be harder for the NSA to subvert,” he wrote.


Schneier says he was eager to return to the startup scene. “Being in a startup is fun. It’s really fun in ways that being with a big company is not,” Schneier says. “Being in a big company has advantages … I was just about ready to swap back” to the startup model, he says.

Co3 offers a software-as-a-service platform for automating incident response that assigns tasks, logs, tracks, and monitors elements of responding to an attack, including regulatory requirements. The platform replaces manual tracking via spreadsheets or other less coordinated, error-prone manual approaches today.

Schneier has close ties with John Bruce, Co3’s CEO: the two worked together at Counterpane 15 years ago when Bruce was CMO and executive vice president of marketing there. “I’m really pleased” that Schneier is joining the firm, Co3’s Bruce says. “I’ve known Bruce for quite a while. What we represent is what he’s been professing for the longest time … you’re going to get attacked at some point, so what do you do when you become subject to that?”

Co3’s Bruce says Schneier’s joining the firm is a validation of the company’s SaaS offering. “What we’re doing is equipping people with the tool to execute processes to efficiently grapple with” attacks, he says. The platform provides a “playbook” for what to do when a breach occurs, according to Cambridge, Mass.-based Co3.

Schneier says Co3 was the next logical step from Counterpane. “After detection comes response,” he says. He describes Co3’s platform as a social networking tool for IR. Co3’s system assigns tasks and coordinates any regulatory requirements for disclosure, for example. It can be linked to threat intelligence feeds and to IR services a firm would employ in the event of a breach. “You get on, put your people on it, what their jobs are,” for example, he says. “It’s taking manual incident response and automating and documenting it.”

“We don’t change how incident response happens; we make sure it happens according to the way it’s supposed to,” he says. And because Co3 is an external site, incident response isn’t performed on your own network, an approach he says is risky.

Schneier says the security industry has invested a lot of money in prevention and detection of breaches. “There are response [providers] … you can call in Mandiant and they can parachute people in and make it better,” for example, he says. But there’s a lack of incident response product investment in the industry today, he says.

“Everyone agrees in this post-breach society that you’re breached whether you know it or not,” says Ted Julian, chief marketing officer at Co3 Systems. “So [incident] response is more important than ever.”

Schneier is also a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation’s Open Technology Institute, a board member of the Electronic Frontier Foundation, and an Advisory Board Member of the Electronic Privacy Information Center. He has authored 12 books, including “Applied Cryptography” and “Liars and Outliers,” and his Schneier on Security blog is well-known in the industry.



Article source: http://www.darkreading.com/attacks-breaches/bruce-schneier-departs-bt-for-startup-co/240165137

US BACKDOORED our satellites, claim UAE


A French contract to supply intelligence satellites to the United Arab Emirates could be cancelled, with the UAE claiming it’s discovered backdoors in US-supplied components of the birds.

Defence News, which broke the story, claims that the $US930 million contract could be scrapped, according to high-level UAE sources, if the issue can’t be resolved. That would be a blow for prime contractor Airbus Defence and Space, and payload maker Thales Alenia Space.

Defence News says the backdoors would “provide a back door to the highly secure data transmitted to the ground station”. An unnamed UAE source says the discovery of the components has been reported to Sheikh Mohammed Bin Zayed, deputy supreme commander of the UAE’s armed forces.

Along with a ground station, the Pleiades-type satellites, known as Falcon Eye, are due for delivery in 2018.

The original contract was sealed in July 2013. The two high-resolution observation satellites included operational support from France, along with training for 20 engineers.

Since the backdoor was discovered, delegates have been shuffling between Russia and Abu Dhabi, presumably to seek alternative sources if the contract is canned. However, Defence News also speculates that the questioning of the contract may be an attempt to improve Abu Dhabi’s negotiating position for another contract, for Dassault Aviation Rafale fighters. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/06/us_backdoored_our_satellites_claim_uae/

Hacker backdoors Linksys, Netgear, Cisco and other routers


The new year begins as the old year ended: with yet more vulnerabilities turning up in consumer-grade DSL modems.

A broad hint for any broadband user would be, it seems, to never, ever enable any kind of remote access to the device that connects you to the Internet. However, the hack published by Eloi Vanderbeken at github, here, resets devices to factory default, enabling a remote attack without the password.

Vanderbeken says the backdoor is confirmed in devices from Cisco (under both Cisco and Linksys brands, the latter since offloaded to Belkin), Netgear, Diamond, LevelOne and OpenWAG. According to a post on Hacker News, the common link between the vulnerable devices is that they were manufactured under contract by Sercomm.

Trying to access a Linksys WAG200G device for which he’d forgotten the password, Vanderbeken noticed the device was listening on port 32764, an undocumented service already noted by other users. Reverse engineering the MIPS code the device’s firmware is written in, he says he located a way to send commands to the router without being authenticated as an administrator.

In particular, the backdoor allowed him to brute-force a factory reset without providing a password – meaning that on his next login, he had access to everything.

Vanderbeken’s proof-of-concept Python code includes reporting on whether the device it’s running against is vulnerable or not.

It seems to The Register that at least this vulnerability doesn’t permit a silent attack: if an outsider ran the code against someone’s router, the crash and resulting reset to default passwords would at least alert the victim that something had happened. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/06/hacker_backdoors_linksys_netgear_cisco_and_other_routers/

Network Baseline Information Key To Detecting Anomalies

While so much time in network security is spent discussing the discovery of anomalies that can indicate attack, one thing that sometimes gets forgotten in the mix is how fundamental it is to first understand what “normal” looks like. Establishing baseline data for normal traffic activity and standard configuration for network devices can go a long way to helping security analysts spot potential problems, experts say.

“There are so many distinct activities in today’s networks with a high amount of variance that it is extremely difficult to discover security issues without understanding what normal looks like,” says Seth Goldhammer, director of product management for LogRhythm.

Wolfgang Kandek, CTO of Qualys, agrees, stating that when IT organizations establish baseline data, it makes it easier to track deviations from that baseline.

“For example, if one knows that the use of dynamic DNS services is at a low 0.5% of normal DNS traffic, an increase to 5% is an anomaly that should be investigated and might well lead to the detection of a malware infection,” Kandek says.


But according to Goldhammer, simply understanding normal can be a challenge in its own right. Baselining activities can mean tracking many different attributes across multiple dimensions, he says, which means understanding normal host behavior, network behavior, user behavior, and application behavior, along with other internal information such as the function of the host and its vulnerability state. Additionally, external context, such as the reputation of an IP address, plays a factor.

“For example, on any given host, that means understanding which processes and services are running, which users access the host, how often, what files, databases, and/or applications do these users access,” he says. “On the network, which hosts communicate to which other hosts, what application traffic is generated, and how much traffic is generated.”

It’s a hard slog and, unfortunately, the open nature of Internet traffic and diverging user behavior make it hard to come up with cookie-cutter baseline recommendations for any organization, experts say.

“Networks, in essence, serve the needs of their users. Users are unique individuals and express their different tastes, preferences, and work styles in the way they interact with the network,” says Andrew Brandt, director of threat research for the advanced threat protection group for Blue Coat Systems. “The collection of metadata about those preferences can act like a fingerprint of that network. And each network fingerprint is going to be as unique as its users who generate the traffic.”

Another dimension to developing a baseline is time. The time range for sampling data to establish a benchmark will often depend upon what kind of abnormality the organization hopes to eventually discover.

“For example, if I am interested in detecting abnormal file access, I would want a longer benchmark period, building a histogram of file accesses per user over the previous week to compare to the current week, whereas if I want to monitor the number of authentication successes and failures to production systems, I may only need to benchmark the previous day compared to the current day,” Goldhammer says.
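The two contrasts quoted above (Kandek’s dynamic-DNS share of DNS traffic and Goldhammer’s per-user file-access histogram over a previous week versus the current week) can both be expressed as the same baseline-window-versus-current-window comparison. The following is an added example, not code from the article or from any of the vendors named in it. Every log record it processes is constructed inline, and the dynamic-DNS suffix list, the window sizes and the 3x alert factor are assumptions chosen for the demonstration.

```python
"""Baseline-versus-current contrast for two signals discussed in the article:
the dynamic-DNS share of DNS traffic and per-user file-access histograms.
Added example, not code from the article or from any vendor named in it.
Every record below is constructed; the dynamic-DNS suffix list, the window
sizes and the 3x alert factor are assumptions chosen for the demo."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed dynamic-DNS suffixes; a real deployment would use a curated feed.
DYNDNS_SUFFIXES = ("dyndns.example", "no-ip.example")
ALERT_FACTOR = 3.0  # assumed: current/baseline ratio at which an alert is raised


def is_dynamic_dns(qname):
    return any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES)


def dyndns_fraction(records, start, end):
    """Share of DNS queries with timestamp in [start, end) that resolve a
    dynamic-DNS host. Returns 0.0 for an empty window."""
    window = [r for r in records if start <= r["ts"] < end]
    if not window:
        return 0.0
    return sum(1 for r in window if is_dynamic_dns(r["qname"])) / len(window)


def contrast_ratio(baseline, current):
    """current / baseline. A zero baseline with non-zero current is reported
    as infinity so that a brand-new behaviour is never silently ignored."""
    if baseline == 0:
        return float("inf") if current > 0 else 1.0
    return current / baseline


def file_access_histogram(events, start, end):
    """Per-user Counter of file paths touched in [start, end)."""
    hist = {}
    for e in events:
        if start <= e["ts"] < end:
            hist.setdefault(e["user"], Counter())[e["path"]] += 1
    return hist


def contrast_file_access(baseline_hist, current_hist, factor=ALERT_FACTOR):
    """Flag (user, path, baseline_count, current_count) where a path is new
    for that user or its count exceeds factor x the baseline count."""
    findings = []
    for user, cur in current_hist.items():
        base = baseline_hist.get(user, Counter())
        for path, n in cur.items():
            b = base.get(path, 0)
            if b == 0 or n > factor * b:
                findings.append((user, path, b, n))
    return sorted(findings)


def make_dns_records():
    """Constructed: 2000 queries over the baseline week, 10 of them dynamic DNS
    (0.5%), then 200 queries on the current day, 10 of them dynamic DNS (5%)."""
    recs = []
    for i in range(2000):  # 2000 x 5 min is ~6.9 days, all before 8 Jan
        q = "h%d.dyndns.example" % i if i % 200 == 0 else "www%d.example.com" % i
        recs.append({"ts": datetime(2014, 1, 1) + timedelta(minutes=5 * i), "qname": q})
    for i in range(200):  # 200 x 7 min is ~23 hours, all within 8 Jan
        q = "b%d.no-ip.example" % i if i % 20 == 0 else "www%d.example.com" % i
        recs.append({"ts": datetime(2014, 1, 8) + timedelta(minutes=7 * i), "qname": q})
    return recs


def make_file_events():
    """Constructed: alice's access pattern is stable; bob starts reading a
    payroll file he never touched before and multiplies his design-doc reads."""
    ev = []

    def add(user, path, day, n):
        for k in range(n):
            ev.append({"user": user, "path": path, "ts": datetime(2014, 1, day, 9 + k % 8)})

    add("alice", "/share/hr/payroll.xlsx", 2, 5)   # baseline week
    add("alice", "/share/hr/payroll.xlsx", 9, 6)   # current week: within 3x
    add("bob", "/share/eng/design.doc", 3, 4)      # baseline week
    add("bob", "/share/eng/design.doc", 10, 20)    # current week: 5x baseline
    add("bob", "/share/hr/payroll.xlsx", 10, 40)   # current week: never seen before
    return ev


def run_demo():
    """Compute both contrasts and return them for inspection or assertion."""
    dns = make_dns_records()
    base = dyndns_fraction(dns, datetime(2014, 1, 1), datetime(2014, 1, 8))
    cur = dyndns_fraction(dns, datetime(2014, 1, 8), datetime(2014, 1, 9))
    ratio = contrast_ratio(base, cur)
    events = make_file_events()
    b_hist = file_access_histogram(events, datetime(2014, 1, 1), datetime(2014, 1, 8))
    c_hist = file_access_histogram(events, datetime(2014, 1, 8), datetime(2014, 1, 15))
    return {
        "dyndns_baseline": base,
        "dyndns_current": cur,
        "dyndns_ratio": ratio,
        "dyndns_alert": ratio >= ALERT_FACTOR,
        "file_findings": contrast_file_access(b_hist, c_hist),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the baseline for the DNS signal is a week and for the file-access signal is also a week, while Goldhammer’s authentication example would use a one-day window; only the `start` and `end` arguments change. The zero-baseline case is deliberately reported as infinity rather than skipped, because a path or domain that has never been seen before is exactly the contrast an analyst wants to see.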

While baselines can be useful for detecting deviations, TK Keanini of Lancope warns that it may actually be useful to think in terms of pattern contrasts rather than “normal” and “abnormal.”

“The term anomaly is used a lot because people think of pattern A as Normal and patterns not A as the anomaly, but I prefer just thinking about it as a contrast between patterns,” says Keanini, CTO of Lancope. “Especially as we develop advanced analytics for big data, the general function of ‘data contrasts’ delivers emergent insights.”

This kind of analysis also makes it harder to fall prey to adversaries that understand how baselines can be used to track deviations. Instead of a single, static baseline, advanced organizations will constantly track patterns and look for contrasts across time.

“The adversary will always try to understand the target norms because this allows them to evade detection,” he says. “Think about how hard you make it for the adversary when you establish your own enterprise wide norms and change them on a regular basis.”

However it is done, when a contrast of patterns does flag those tell-tale anomalies, Kandek recommends that immediate analytical response should be organized.

“To deal with network anomalies, IT departments can lean on a scaled-down version of their incident response process,” he says. “Have a team in place to investigate the anomalies, document the findings and take the appropriate actions, including adapting the baselines or escalating to a full blown incident response action plan.”

Foremost in that immediate action is information-sharing, Brandt recommends.

“When you identify the appropriate parameters needed to classify traffic from the “unknown” to the “known bad” column, it’s important to share that information, first internally to lock down your own network, and then more widely, so others might learn how they can detect anything similar on their own networks,” he says.


Article source: http://www.darkreading.com/perimeter/network-baseline-information-key-to-dete/240165124

Dead donkeys, gun wielding penguins and the Internet Worm at 25