STE WILLIAMS

What you need to know about CryptoLocker

Over the past couple of months, ransomware known as CryptoLocker has made its impact felt in homes and businesses around the world. While ransomware is not a new concept, the pervasiveness of CryptoLocker, combined with its strong encryption, makes it a particularly nefarious ongoing threat.

CryptoLocker is Windows-based ransomware that encrypts files on local drives and network shares, and then demands payment to unlock them. Payment is requested via hard-to-trace methods such as Bitcoin and MoneyPak. CryptoLocker uses asymmetric encryption, with the private key held by the author or distributor of the malware; the victim’s machine only ever sees the public key. Because the algorithm is strong, it is practically impossible to decrypt the data without that private key. Here’s a video showing CryptoLocker in action.

CryptoLocker has, to date, been spread predominantly through email attachments and through other malware that has already infected PCs via other means. It has also been seen as a payload in drive-by downloads.

While CryptoLocker itself can be removed, removing it does not recover the data: without the private key, the files it encrypted stay encrypted. Thus the best remedy for an infection is usually to wipe the PC, reinstall Windows, and restore data from a backup that was made before the infection.

Fortunately, CryptoLocker is generally preventable. The best endpoint security products not only detect and block known versions of the malware, but also have techniques for identifying new variants and for blocking exploits and known malicious URLs. Perimeter and anti-spam protection can also be employed to reduce the risk of infection.

The irreversible damage to data reminds us of the importance of having an ironclad backup strategy for users’ data. This has to extend beyond simple syncing of local files to a network drive or cloud storage: because the malware also encrypts reachable network shares, a synced copy can be overwritten with ciphertext right alongside the original. The strategy must include the ability to recover older versions of files from tape, snapshots, etc. If you haven’t recently assessed what information your users are storing locally, and how much it would cost in time and lost productivity if that information became inaccessible, it may be time to revisit your backup strategy.

CryptoLocker represents an evolutionary step in ransomware: the first really widespread attack that uses strong, irreversible encryption. You can expect that additional evolution will occur. Perhaps the next iteration of CryptoLocker will self-replicate or lock users out of their online accounts, for example. The best security against any future iteration is a layered approach that patches vulnerabilities, detects and blocks exploits, risky URLs, and malicious code throughout your environment, and ensures you can recover systems and data in the event that an attack succeeds. And, of course, a bit of user education always helps, too.
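One signature-free way to notice an infection like this in progress, as an added example for this column (it is not code from the original author or from SophosLabs): ciphertext is statistically indistinguishable from random bytes, so a sudden share of high-entropy files that are not recognised compressed containers is a usable tripwire on a file server. The entropy cut-off, the alert fraction, the magic-byte allow-list and the sample files are all assumptions made for the example.

```python
"""Entropy tripwire for files that look mass-encrypted.

Added example for this column; not code from the original author or
from SophosLabs. The thresholds, the magic-byte list and the sample files
are assumptions.
"""
import math
import random
from collections import Counter

# Formats that are legitimately close to 8 bits/byte. They are allow-listed
# by magic bytes, not by extension, because ransomware renames what it
# encrypts. (Assumption: a short illustrative list, not a complete one.)
KNOWN_COMPRESSED_MAGIC = (
    b"PK\x03\x04",    # zip, docx, xlsx, jar
    b"\x1f\x8b",      # gzip
    b"\xff\xd8\xff",  # jpeg
)
ENTROPY_THRESHOLD = 7.0     # bits/byte: text is ~4-5, ciphertext ~7.9 (assumed cut-off)
SUSPICIOUS_FRACTION = 0.25  # alert when this share of scanned files looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """High entropy and not a known compressed container."""
    if data.startswith(KNOWN_COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: dict) -> dict:
    """files maps path -> content bytes. Returns suspicious paths and a verdict."""
    suspicious = sorted(p for p, d in files.items() if looks_encrypted(d))
    fraction = len(suspicious) / len(files) if files else 0.0
    return {"suspicious": suspicious, "fraction": fraction,
            "alert": fraction >= SUSPICIOUS_FRACTION}


def sample_files() -> dict:
    """Constructed stand-in for a share: three text documents, one zip-based
    document, and two files the malware has already rewritten (seeded random
    bytes stand in for ciphertext)."""
    rng = random.Random(1234)

    def noise(k: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(k))

    return {
        "Q3-report.docx": b"PK\x03\x04" + noise(2000),
        "notes.txt": b"meeting notes: follow up with finance on tape rotation\n" * 40,
        "readme.md": b"# Project\n\nSee docs for details.\n" * 60,
        "todo.txt": b"- rotate tapes\n- test a restore\n" * 50,
        "invoice.pdf.encrypted": noise(4096),
        "payroll.xlsx.encrypted": noise(4096),
    }


if __name__ == "__main__":
    print(scan(sample_files()))
```

Run against a real share, `scan()` would be fed a walk of recently modified files rather than the constructed dictionary; the point of allow-listing by magic bytes is that a `.docx` renamed by the malware still reads as random, while a genuine zip-based document still reads as a zip.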

Thanks to Paul Ducklin and my colleagues in SophosLabs, whose research I drew on heavily for this column.

Article source: http://www.darkreading.com/sophoslabs-insights/what-you-need-to-know-about-cryptolocker/240164183

Financial Institution Call Centers Targeted By Social Engineers

Online cybercrime sometimes concludes with phone fraud, a multimillion-dollar underground enterprise that often targets financial institution call centers to cash in on bank account and other personal information pilfered online. Phone fraud racked up an average of $42,546 in losses per financial account in the first half of 2013, according to new data released today.

One in every 2,500 calls to a financial institution call center is fraudulent, and, averaged over all calls received, each call represents 57 cents of fraud loss, the report by Pindrop Security says.

“Fifty-seven cents per call surprised us significantly,” says Vijay Balasubramaniyan, CEO at Pindrop Security. “If you’re a call center getting 1 million calls, that’s $570,000 in phone-based account takeovers. We didn’t realize it would be that high.

“We’re seeing fraudsters stepping up their games, calling these call centers so well-prepared, and going after accounts with a lot of money in them.”

Organized crime rings that perpetrate phone fraud use a blend of social engineering and account manipulation to steal money via wire transfers, automated clearing house (ACH) transactions, and payment cards. Most of these attackers — 57 percent — work in groups of two to 12 people, and about half place calls from mobile devices, one third from voice-over-IP lines, and nearly 15 percent from landline phones.

The typical phone fraudster goes after anywhere from a handful of accounts to hundreds of them, Pindrop says. Many of these actors also have a strong online presence and operate across both the Internet and phone channels of attack.

“They may take over an account online, but they can also get as much information from an online channel and when they have to … steal money, they actually move to the phone channel,” Balasubramaniyan says.

Financial institutions are an obvious target for the attackers, who often conduct online reconnaissance before placing the calls to cash in.

Pindrop says one of the most active phone fraud rings it has seen, nicknamed “West Africa One,” includes 12 callers who spoof U.S. phone numbers and conduct fraudulent wire transfers and ACH transactions. The gang is known to have stolen more than $1 million from one financial institution, and is infamous for placing a high volume of calls to its targets.

Meanwhile, consumers also are getting hit by phone fraud. Pindrop says there were 2.3 million consumer complaints about these calls in the first half of this year, already close to the 2.4 million complaints filed in all of 2012. Nine of the top 10 financial institutions were impersonated in the 73,000 complaints consumers filed about calls spoofing their own financial institution.

Pindrop’s full report is available for download.


Article source: http://www.darkreading.com/attacks-breaches/financial-institution-call-centers-targe/240164184

EiQ Networks Releases Continuous Security Intelligence Platform to Meet Security And Compliance Requirements Of Any Organization

Acton, Mass., November 20, 2013 – EiQ Networks, a pioneer in simplified security and compliance solutions, today announced the release of the SecureVue Continuous Security Intelligence Platform, enabling a broad range of continuous security and compliance monitoring solutions for any security-conscious organization. This new offering delivers multiple add-on modules that include log management, SIEM, SANS Critical Security Control (CSC) assessment, and automated security configuration audit.

“Continuous security and compliance monitoring has become a fundamental requirement for organizations across every size and industry, but they often cannot mature the program because of budget constraints and a lack of IT security staff,” said Brian Mehlman, senior director of product management at EiQ Networks. “We’re helping organizations navigate the resource and budget pitfalls of deploying a continuous security and compliance monitoring solution through the delivery of flexible products and service offerings that can easily grow to meet a customer’s unique set of requirements over time.”

The SecureVue platform scales with an organization’s information security and compliance requirements and addresses the three critical pillars of a sound security program – people, process and technology. The flexible platform can help organizations ranging from a large enterprise with a full-time IT security staff down to a small business with much more limited resources deal with ever-evolving cyber threats such as APTs and insider threats, while meeting regulatory mandates. In addition, SecureVue enables broad security intelligence capabilities without the need to deploy multiple products.

Another key solution in the EiQ Networks portfolio is SOCVue, a security monitoring software-as-a-service (SaaS) offering that provides comprehensive critical security controls automation, security monitoring, log management, SIEM, and compliance reporting to assist organizations that require security monitoring but lack the resources or on-staff expertise to implement an effective program. The service complements any existing IT and/or security team with highly trained EiQ security and product specialists to ensure the appropriate monitoring is occurring 24×7.

SecureVue and SOCVue are part of EiQ Networks’ commitment to help any organization start or complete its journey towards building an effective security program while overcoming challenges around traditional SIEM and log management acquisition, operational complexity and the shortage of trained cyber security professionals. As such, further announcements will be forthcoming that address the complexity and management burdens associated with SIEM products and provide organizations of any size a comprehensive set of free information security products and services that assist in meeting a broad range of security monitoring needs. To learn more about EiQ Networks and its offerings, please visit: www.eiqnetworks.com

About EiQ Networks:

EiQ Networks, a pioneer in simplified security and compliance solutions, is transforming how organizations identify threats, mitigate risks and enable compliance. Our solution, SecureVue, is a unified situational awareness platform that proactively detects incidents, minimizes “false positives” and delivers timely and actionable intelligence by simplifying often-complex interactions between security, risk and compliance. Through a single console, SecureVue provides a unified view of your entire IT infrastructure for proactive security and risk analysis, continuous monitoring, configuration auditing, compliance automation and context relevant search. For more information, visit: http://www.eiqnetworks.com.

Article source: http://www.darkreading.com/privacy/eiq-networks-releases-continuous-securit/240164189

Mozy Launches Next Generation Of Cloud Data Protection Services And Enhances The EMC Data Protection Suite

SEATTLE, Nov. 21, 2013 /PRNewswire/ — Mozy by EMC today announced the next generation of its cloud data protection service, providing enterprises with integrated endpoint data protection, productivity and administration tools for the public cloud, and enhancing EMC’s portfolio of backup and archive solutions.

Mozy launches the newest version of its service in response to two changing dynamics: the growing trend for employees to bring their own devices and applications into the workplace and the need for enterprise IT departments to secure sensitive corporate data created and accessed on those devices without inhibiting productivity.

The next-generation Mozy service enables businesses to avoid the ‘accidental architectures’ that can be spawned when employees, departments or branch offices take matters into their own hands and adopt quick-fix cloud solutions that lack the security, management and interoperability that enterprises demand. With the introduction of new tools, Mozy bridges the needs of employees and IT departments by offering end users the functionality they want, while empowering the IT team with the controls the business requires.

The new features are the latest developments in the Mozy product set following its earlier transition into EMC’s backup and recovery portfolio and are built on the new technology platform – announced in the summer – which allowed Mozy to transition from device-centric data protection to people-centric data protection.

They include:

— Greater cloud administrative tools for Enterprise IT: Enhanced storage management saves time and money involved in provisioning and managing backup at a device level. Further developments in integration with enterprise software tools allow for faster, more scalable deployments.

— Enhanced End User Experience: An integrated Mozy Sync folder keeps files updated and available across multiple computers and mobile devices. Mozy also introduces new functionality that ensures faster initial backup times and greater bandwidth efficiency when backing up large files.

— New Partner Resources: New API support allows partners and resellers to integrate with their preferred Remote Monitoring and Management (RMM) or Professional Services Automation (PSA) systems.

The next-generation Mozy service has also been added to the EMC Data Protection Suite, providing a flexible approach to unlocking the value of EMC backup and archive solutions that can evolve to meet customers’ changing needs. The EMC Data Protection Suite offers an adaptable licensing model that allows customers and partners to mix and match the usage of individual products to best fit their requirements, while lowering their total cost of ownership and providing investment protection.

MozyEnterprise now becomes the public cloud component within the EMC Data Protection Suite, enabling EMC customers and partners to extend their individual Protection Storage Architectures to include cloud data protection and access tools for desktops, laptops, mobile devices and remote offices.

“Enterprises today are increasingly looking to hybrid cloud strategies that leverage both private and public cloud solutions to drive maximum flexibility, cost efficiencies and scale,” said Russ Stockdale, General Manager of Mozy by EMC. “The next-generation Mozy service, as part of the EMC Data Protection Suite, allows them to do that as part of a comprehensive strategy for data protection from the world’s leading data protection company.”

The need for a comprehensive backup approach that includes endpoints and remote/branch offices, which can be achieved with Mozy in combination with the other elements of the EMC Data Protection Suite, was highlighted by EMC’s IT Trust Curve research, launched this week. Just 44% of companies that had not adopted leading technologies, and fell in the lowest maturity group, stated that they could recover all of their information should they experience data loss.

“It’s been a big year for Mozy — continuing to broaden from consumer to enterprise offerings, and completing its transition into EMC’s backup division,” said Jason Buffington, Senior Data Protection Analyst, Enterprise Strategy Group. “The addition of MozyEnterprise into the EMC Data Protection Suite adds an additional dimension to the EMC solution lineup and a broader range of choices for EMC customers. IT organizations are getting wiser about choosing their data protection tools; and the trend from device-centric to people-centric protection is allowing the IT department to finally be part of the solution (instead of perpetuating the problem) by enabling them to manage all of the organizations’ data backups — regardless of platform, method or final repository. With these trends in full swing, offerings such as MozyEnterprise and the wider EMC Data Protection Suite are looking more and more attractive.”

“Month after month, Mozy saves one of our customers from a data disaster of one type or another,” said Dave Chase, COO, CAP5 Technology Solutions, a reseller partner in the Mozy channel program. “Mozy continues to innovate and add the features that we need to support our Managed IT Services offering as it evolves with new cloud-based services. Today, Mozy is a significant revenue center in our business as more and more of our end-user customers realize the benefits of the cloud. Now, with the new features in its next-generation data protection service, we’re more glad than ever that we found Mozy for our customers!”

Note on availability

The next generation of the Mozy service will be generally available for all Mozy-branded products in all regions in Q4. Services ‘powered by Mozy’ are subject to schedules to be agreed with the service providers.

About Mozy

Mozy by EMC is the world’s most trusted provider of cloud-based data protection solutions, including online backup, access and personal sync. It has more than 6 million customers, including more than 100,000 businesses and 1,000 enterprises, backing up 90 petabytes of information to Mozy’s multiple data centers around the globe. Wholly owned by EMC Corporation since 2007, Mozy is an essential component in the EMC backup and recovery solutions portfolio. More information can be found at www.mozy.com.

EMC is a registered trademark of EMC Corporation. Mozy and MozyEnterprise are registered trademarks of Mozy, Inc. All other trademarks are the property of their respective owners.

Article source: http://www.darkreading.com/management/mozy-launches-next-generation-of-cloud-d/240164152

Zettaset Brings Data-At-Rest Encryption To Hadoop

MOUNTAIN VIEW, Calif., November 20, 2013 – Zettaset, the leader in secure Big Data management, announced today that it has added data-at-rest encryption capabilities to Zettaset Orchestrator, its distribution-agnostic Hadoop cluster management platform. Organizations with strict corporate and/or industry compliance requirements, such as those in the financial, retail, and healthcare verticals, can now confidently deploy Hadoop in environments where personal information must be tightly safeguarded.

Encryption is the latest in a series of security features that make Zettaset Orchestrator the first choice for organizations looking for a true enterprise-class Hadoop management solution for their Big Data deployments. Orchestrator also features fine-grained role-based access control and LDAP/AD integration, which enables it to easily fit into existing security policy frameworks.

Encryption can be optionally installed during the automated Orchestrator installation process.

Taking a standards-based approach, Zettaset Orchestrator encrypts data at rest with 256-bit AES (AES-256). Key management is based on the OASIS Key Management Interoperability Protocol (KMIP), so Orchestrator can integrate with a company’s existing KMIP-capable key manager in any Hadoop environment. The Orchestrator encryption feature has been engineered to avoid any noticeable impact on Hadoop cluster performance.

“Encryption is a very specialized capability, and there are few viable options available today for Hadoop users,” said Jim Vogt, Zettaset CEO. “When it comes to risk management, Zettaset Orchestrator with data-at-rest encryption gives customers the upper hand, supporting compliance mandates such as HIPAA, BSA/AML and PCI-DSS, for example, and provides assurance that their Hadoop cluster data is protected against malicious attacks.”

“Securing Hadoop data has been a work in progress,” said Tony Baer, principal analyst for Ovum. “Zettaset’s support of encryption as part of its Orchestrator cluster management product is an important step toward making data protection in Hadoop policy-driven.”

Zettaset Orchestrator is an independent commercial software application that is fully compatible with open source distributions. Zettaset Orchestrator encryption benefits and features include:

Helps regulated companies meet strict electronic data security and compliance requirements

Uses 256-bit AES encryption, the largest key size defined by the AES standard

Easily integrates with existing key managers using the standard KMIP protocol

Contributes negligible impact on Hadoop cluster performance, an important consideration as Hadoop users scale up their enterprise deployments

For more information on Zettaset Orchestrator, please visit http://www.zettaset.com/platform.php.

Article source: http://www.darkreading.com/authentication/zettaset-brings-data-at-rest-encryption/240164190

Financial Services Industry Proposes Security Controls For Third-Party, Open Source Software

The financial services industry has come up with a proposed strategy for deploying third-party software—including open source—and services securely in financial institutions.

Members of a working group of the FS-ISAC (Financial Services Information Sharing and Analysis Center) this week proposed three basic security controls for ensuring the security of third-party software used by financial services firms: a vendor-focused Building Security In Maturity Model (BSIMM) assessment; binary static analysis; and policy management for open source software libraries and components.

“What we’re doing here is adding some controls that are based on knowledge [larger financial institutions] have obtained in software security maturity … and adding those to third party software governance,” says Jim Routh, CISO at Aetna, and a member of the FS-ISAC Product Services Committee who worked on the proposed controls.

The growing threats to Web-based applications and emerging mobile apps were factors in the development of the software security requirements for third-party software used in the financial services industry, he says. And vulnerabilities and weaknesses in third-party software and open-source software have increasingly become a concern for enterprises adopting those elements into their applications and systems.

“Software security controls are an integral part of building high quality software,” the FS-ISAC’s “Appropriate Software Security Control Types for Third Party Service and Product Providers” white paper says. A working group made up of executives from Fidelity, Morgan Stanley, Goldman Sachs, Capital One, Thomson Reuters and Citi, worked on the controls.

[While there is certainly room for improvement, the software vendor and financial services communities are making steady progress in maturing their software security practices. See “Software Security Maturity Plods Along.”]

Aetna’s Routh says the Vendor BSIMM, vBSIMM, is essentially a subset of BSIMM, a study of actual secure software development programs at companies that lets other companies measure their efforts against their counterparts. vBSIMM is a way to measure the maturity of the software security practices of vendors selling to the financial industry. “This is a better indicator of risk,” Routh says.

Scanning binary code in software provides a vulnerability density score for a particular version of software at a specific point in time, Routh says. So software firms selling to the financial services industry would theoretically have their binary code scanned by HP Fortify or Veracode, which provide that type of software vulnerability scanning, for example.

“The results of the scans would be shared with the financial industry,” Routh says. “Today, the model is the financial [firms] paying for that,” but Veracode, for instance, has a program that in the future would shift that cost to the vendors, he says.

Third-party software and services vendors would then share the cost of one assessment for multiple financial services clients, he says. The same goes for vBSIMM: “If I am a software vendor and do a BSIMM assessment, that same assessment is shared with many of my clients.”

The open-source policy management control, meanwhile, helps financial industry firms to ensure their developers are employing the newest versions of open-source software, as well as more reliable and resilient libraries.

“Today, 80- to 90 percent of custom development uses open-source libraries to build an application,” Routh says. “And 26 percent of the most commonly downloaded open-source libraries are riddled with high-risk vulnerabilities.”

Policies would enforce using reliable sources for open-source software and ensuring that only the most current versions are used.
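The open-source policy control described above is the one of the three that lends itself to an automated gate. The check below is an added example for this article, not code from the FS-ISAC white paper or any of the named firms: it walks a pip-style requirements manifest and flags components that are not pinned to an exact release, that are pulled from an unapproved host, that are absent from the organisation’s approved inventory, or that are older than the version the organisation currently approves. The manifest format, the approved-host list and the inventory of current versions are constructed assumptions.

```python
"""Open-source component policy check for a dependency manifest.

Added example for this article; not from the FS-ISAC white paper. The
requirements-style manifest, the approved-host list and the table of
current versions are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: the organisation maintains the versions it considers current.
CURRENT_VERSIONS = {
    "requests": "2.31.0",
    "cryptography": "41.0.7",
    "jinja2": "3.1.3",
    "pyyaml": "6.0.1",
}
# Assumption: only an internal mirror and PyPI count as reliable sources.
APPROVED_HOSTS = {"mirror.corp.example", "pypi.org", "files.pythonhosted.org"}

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>[0-9][0-9A-Za-z.\-]*)?$"
)
URL_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s*@\s*(?P<url>\S+)$")


def version_key(v: str) -> tuple:
    """Sort key for dotted versions; numeric parts compare as ints."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def check_manifest(text: str, current=CURRENT_VERSIONS, approved_hosts=APPROVED_HOSTS):
    """Return (component, rule, detail) findings; an empty list means compliant."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith(("--index-url", "--extra-index-url")):
            host = urlparse(line.split(None, 1)[1]).hostname
            if host not in approved_hosts:
                findings.append((host, "unapproved-source", line))
            continue
        m = URL_RE.match(line)
        if m:   # direct URL reference: only the source can be policed here
            host = urlparse(m["url"]).hostname
            if host not in approved_hosts:
                findings.append((m["name"].lower(), "unapproved-source", m["url"]))
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append((line, "unparsed", "needs manual review"))
            continue
        name = m["name"].lower()
        if m["op"] != "==" or not m["ver"]:
            findings.append((name, "unpinned", line))
        elif name not in current:
            findings.append((name, "unknown-component", "not in approved inventory"))
        elif version_key(m["ver"]) < version_key(current[name]):
            findings.append((name, "outdated", f"{m['ver']} < {current[name]}"))
    return findings


# Constructed manifest with one violation of each kind plus two clean pins.
SAMPLE_MANIFEST = """\
--index-url https://mirror.corp.example/simple
requests==2.31.0
cryptography==3.4.8        # stale pin
jinja2>=3.0                # range, not a reviewed release
pyyaml==6.0.1
leftpad==1.0.0             # never approved
tinylib @ https://example.net/tinylib-0.1.tar.gz
"""

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(finding)
```

The “current version” table is deliberately an input rather than a live lookup: the control as described is about what the institution has reviewed and approved, not simply whatever is newest upstream, and the same table can be shared with vendors so that one review serves many clients.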

Still, the FS-ISAC won’t be enforcing the recommended security policies for third-party software and services. “The working group is saying this has been a problem for some time and there are no easy answers or quick fixes. But these controls should be considered to be adding to third-party [software] governance,” Routh says.

“We’re looking at standardizing on a set of controls that improve risk management across the [financial services] industry, and also make it easier on vendors at the same time,” he says.

The FS-ISAC working group’s white paper, “Appropriate Software Security Control Types for Third Party Service and Product Providers,” is available for download as a PDF.


Article source: http://www.darkreading.com/vulnerability/financial-services-industry-proposes-sec/240164193

Security pros: If Healthcare.gov hasn’t been hacked already, it will be soon

Four cyber security experts have delivered to the US Congress a unanimous opinion: Americans shouldn’t use HealthCare.gov, given its security issues.

David Kennedy, CEO of information security firm TrustedSec and former CSO of Diebold, was one of those who testified on Tuesday before a House Science, Space, and Technology Committee hearing on security concerns surrounding the woebegone, very large attack target that is the government’s new healthcare website.

The committee wanted answers to this question: “Is my data on HealthCare.gov secure?”

As FoxNews.com reported, Kennedy testified that the answer is No, given that the site’s pwnage is inevitable:

Hackers are definitely after it. … And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.

Kennedy told FoxNews.com that his firm has detected a large number of SQL injection attacks against the site, which indicates “a large amount” of hacking attempts:

Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures, if a hacker wanted access to the site or sensitive information, they could get it.

Also testifying were Fred Chang, a computer science professor at Southern Methodist University and former research director for the NSA; Avi Rubin, a computer science professor at Johns Hopkins University; and Morgan Wright, CEO of Crowd Sourced Investigations, cybersecurity analyst for Fox News and Fox Business, and a former senior law enforcement advisor to the Republican National Convention.

Three of the four testified that they believe it’s best to shut HealthCare.gov down completely.

The lone voice of dissent on that point was Rubin, who said he doesn’t have enough information to decide, but that a security review of the site is definitely in order.

From Network World’s coverage:

I would need to know whether there are inherent flaws vs. superficial problems that can be fixed. If they can be fixed, that’s better than shutting it down.

Kennedy said that given what he’s been able to suss out from public record and reconnaissance of the site, he could break into its data stores within two days and steal the personal information of people who’ve used the site.

As Network World’s Tim Greene reports, Kennedy demonstrated that he could redirect people trying to access the site to a lookalike site that could push malware that would allow attackers to hijack people’s devices.

Kennedy’s explanation, via ABC News:

We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords. … Anything that they do on their computer we now have full access to.

CBS News reports that Henry Chao, the project manager responsible for building HealthCare.gov, gave 9 hours of closed-door testimony to the House Oversight Committee in advance of this week’s hearing.

A CBS News video clip put up by Townhall.com shows the heavily redacted security report that Chao says he never saw.

Chao told the House Oversight Committee that his team told him that “there were no ‘high’ findings” – “high” referring to government classification of “high risk”, which designates that a vulnerability can be expected to have severe or catastrophic adverse effects on organisational operations, assets or individuals.

Vulnerabilities rated “high risk” could lead to identity theft, unauthorized access, and misrouted data.

It was Chao who recommended that it was safe to launch the site at the start of October.

When asked if he found it surprising that he hadn’t seen the memo advising about high-risk vulnerabilities on HealthCare.gov – a highly redacted version of which was shown on CBS News’s report – he said that yes, of course he was surprised:

Wouldn’t you be surprised, if you were me?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0n8IkoQSORY/


Anti-Bullying Week 2013: Advice for parents on cyber-bullying

Luke Roberts is National Coordinator of the Anti-Bullying Alliance and Anti-Bullying Week. Yesterday he spoke to us about Anti-Bullying Week and the rise and impact of cyber-bullying.

In the second of this two-part series, Luke talks to us about how to spot signs of cyber-bullying, what to do when your child is the bully, and how best to help your child if they are being bullied.


What are the signs that someone may be being cyber-bullied?

Every child is different so I would say the most important thing to keep an eye out for is a change in behaviour. For example:

  • Are they becoming more quiet?
  • Do they hold on to their device more than before?
  • Are they getting more angry or being aggressive to siblings?

Children often have trouble articulating what is going on. That’s why it’s so important to keep an open dialogue with them.

What are the first steps when you discover your child is being cyber-bullied?

  1. Most importantly, save the evidence. If your child is being bullied online, make screenshots, and save messages and videos. It can be very tempting to delete harmful comments, but if you have to present it to the school it’s important to have the log of events.
  2. Report negative comments or abusive material if you can. Lots of social networking sites have something in their terms and conditions about how to report or block abuse.
  3. Give young people confidence that things will be resolved. There is no point in reporting abuse if the perpetrator just gets told off and the bullying carries on. A resolution is needed so that the child feels safe again.

What if you suspect your child is doing the bullying?

Try to understand from your child what has happened to make them treat that person in that way. Kids often believe the victim has done something to deserve such treatment, but remember, never collude with your child about the reason why they are picking on someone.

Explore with them other ways that they can resolve their conflict with the person.

Sometimes people bully others to impress their peer group in order to feel part of a group. But try to help your child to understand that what they say online will be stored there forever and could come back to haunt them in the future. Explore other ways that your child could feel part of the group.

Sometimes bullies are ‘keyboard warriors’. They might not be that powerful in the real world but have a lot of influence online or in their social network.

Youngsters don’t always see the instant impact of their cyber-behaviour on their victim – they don’t have empathy for the person they are bullying because they are removed from them. People are much more cruel when they are anonymous and don’t have to account for their actions.

How can parents help to prevent cyber-bullying?

One of the challenges parents face is that we don’t have a reference point. We sometimes find it hard to understand cyber-bullying because it wasn’t a part of our childhood.

Strategies like ‘just ignore them’ don’t work in the same way because there is no escape – the end of the school day doesn’t herald a respite as the bullying continues into the evening.

  • Make sure children can come and talk to you. Check in with them about how they are, online and offline. Think of networking sites like Twitter and Facebook like you would a youth club – ask your children how things are going, ask probing questions and make sure the door is always open to them to come to talk to you.
  • Try to find out what social networks your child is on. Educate yourself on each community so you can better understand where your child spends their time.
  • Don’t think that just because your child is older, they are not at risk of being bullied. 16-17 year olds might think they are mature but they don’t necessarily have the life skills to deal with being bullied. Also, keep an eye on your youngsters as they transition from primary to secondary school – that tends to be when the pressure to join social networks starts.

Schools and parents sometimes blame each other for the lack of education and prevention of bullying. There are two parts to the problem – both technical and behavioural. We have to try to address both.

The sooner parents start talking to their children, the easier kids can deal with cyber-bullying if it happens. Everyone is different and something that upsets one person might not upset the next, which is why it’s important for parents to understand what their own children can cope with and how to help them through this difficult time.

Where can kids, parents and teachers go to get ongoing support?

The Anti-Bullying Alliance website should be the first step, acting as a gateway to further information. We have a broad membership, so there are resources for children and young people, and for their parents. For professionals there are video clips featuring experts giving advice.

If we can get it right in the UK, we think it is replicable across the world. We are being looked to as leaders in this area and have been asked for advice internationally.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Jgpon9zvqjA/

Huge horde of droids whacks code box GitHub in password-guess attack


Hackers have fired up a large army of remote-controlled computers to get around GitHub’s login rate-limiting policies, designed to thwart attempts to brute-force guess the passwords for its users’ accounts.

The bots, most likely unwitting PCs compromised by malware, have attacked the online source-code repository from “nearly 40,000 unique IP addresses”, each trying to crack programmers’ passwords, the company said this week.


“These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this,” the website’s team wrote.

While GitHub tries to develop new tech, it has rolled out a blocklist of commonly used weak passwords that people can no longer use on the service.

It has also, “out of an abundance of caution,” reset the login credentials of some accounts “even if a strong password was being used. Activity on these accounts showed logins from IP addresses involved in this incident.”

As usual, the company recommended that users consider enabling two-factor authentication on their accounts to provide another line of defense against password-guessing attempts.

GitHub is a popular target of hackers thanks to the vast piles of source code and suchlike material stored on it, some of which are held in private repositories. It has been a repeated victim of distributed denial-of-service attacks, and fell offline in early October after being hit by a huge multi-day attack.

It strikes us that GitHub’s recent bout of probing may stem from crackers using the 38 million user details that were sucked out of Adobe recently to check for duplicate logins on other sites. Never use the same password and username combination on other sites, no matter how fringe. ®
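The three countermeasures in the story fit together, and the reason the first one alone was not enough is worth seeing in code. Below is an added example for this article, not GitHub’s code and not a description of its implementation: a limiter keyed only on source IP is exactly what a botnet sidesteps, since 40,000 addresses making one guess each all stay under any per-IP limit, so failures are counted per target account as well; a blocklist rejects the “weak passwords” the attackers were fishing for; and a sweep of the login log finds accounts that had a successful login from an address seen in the attack, which is the population GitHub said it reset. The limits, the blocklist, the hypothetical account name and the sample log are constructed assumptions.

```python
"""Per-account login throttling, a weak-password blocklist and an
incident-IP sweep. Added example for this article; not GitHub's code.
Limits, blocklist and sample log are constructed assumptions.
"""
from collections import defaultdict, deque

# Assumption: a short blocklist; a real one would hold thousands of entries.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "github", "welcome"}


def is_weak_password(pw: str) -> bool:
    """Reject blocklisted strings (also with trailing digits/punctuation) and short ones."""
    lowered = pw.lower()
    return (len(pw) < 8
            or lowered in WEAK_PASSWORDS
            or lowered.rstrip("0123456789!") in WEAK_PASSWORDS)


class LoginGuard:
    """Sliding-window failure counters keyed on source IP *and* on target account."""

    def __init__(self, per_ip=5, per_account=10, window=3600):
        self.per_ip, self.per_account, self.window = per_ip, per_account, window
        self.ip_fail = defaultdict(deque)
        self.acct_fail = defaultdict(deque)

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def check(self, account: str, ip: str, now: float) -> str:
        """Decide before touching the password hash: 'allow', 'throttle-ip' or 'throttle-account'."""
        ipq, aq = self.ip_fail[ip], self.acct_fail[account]
        self._prune(ipq, now)
        self._prune(aq, now)
        if len(ipq) >= self.per_ip:
            return "throttle-ip"
        if len(aq) >= self.per_account:
            return "throttle-account"
        return "allow"

    def record_failure(self, account: str, ip: str, now: float) -> None:
        self.ip_fail[ip].append(now)
        self.acct_fail[account].append(now)


def simulate_guessing(num_bots=40, guesses_each=1, spacing=30):
    """num_bots addresses each send guesses_each wrong passwords at one account."""
    guard, outcomes, t = LoginGuard(), [], 0
    for bot in range(num_bots):
        ip = f"198.51.100.{bot}"      # documentation range, constructed
        for _ in range(guesses_each):
            verdict = guard.check("alice", ip, t)   # hypothetical account
            outcomes.append(verdict)
            if verdict == "allow":  # every guess is wrong, so it counts against both keys
                guard.record_failure("alice", ip, t)
            t += spacing
    return outcomes


def accounts_to_reset(login_log, incident_ips):
    """Accounts with a *successful* login from an address seen in the attack."""
    return sorted({acct for acct, ip, ok in login_log if ok and ip in incident_ips})


if __name__ == "__main__":
    spread = simulate_guessing()                                     # 40 IPs, one guess each
    print(spread.count("allow"), spread.count("throttle-account"))   # 10 30
    single = simulate_guessing(num_bots=1, guesses_each=8)           # one IP, eight guesses
    print(single.count("allow"), single.count("throttle-ip"))        # 5 3
```

The per-account counter has a cost the per-IP one does not: an attacker can deliberately lock a victim out by burning the account’s budget, so a deployment would throttle (add delay, require a second factor) rather than hard-lock, which is also why the story’s advice to enable two-factor authentication matters more than any limiter.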


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/21/github_password_probing_reveal/