STE WILLIAMS

Facebook sues alleged Justin Bieber and Selena Gomez sex tape spammer

Justin Bieber and Selena Gomez, Helga Esteb/Shutterstock

Facebook has turned to the courts for help in scraping off a pesky spammer who allegedly keeps coming back to do things like hijack victims’ accounts and automatically post celebrity porn, including a fake Justin Bieber-Selena Gomez sex tape.

According to a complaint Facebook filed on Friday in the US District Court of the Northern District of California, the defendant – Christopher Peter Tarquini, of the US state of New Jersey – is allegedly a “recidivist” spammer who’s inundated the site with messages purporting to link to pornographic celebrity images.

Facebook says that when users clicked on the posts or their racy images, the messages were then automatically shared with the victims’ Facebook friends.

Meanwhile, Facebook users’ browsers were being redirected to marketing websites that paid Tarquini and his associates for the traffic.

From the complaint:

In short, Facebook users who clicked on Tarquini’s deceptive messages immediately, and without their knowledge or consent, became unknowing participants in and victims of Tarquini’s scam.

Facebook says it spent thousands to track Tarquini down and stop the alleged scam.

But even after Facebook notified Tarquini that he was breaking Facebook’s rights, and even after it yanked his Facebook account and told him he was no longer authorized to access the site and services, he kept right on doing what he was doing, Facebook said in the complaint.

Facebook terms prohibit a slew of things that Tarquini is accused of doing, including:

  • Posting pornographic content,
  • Collecting users’ information without their consent,
  • Using Facebook to do anything unlawful or misleading,
  • Creating a new account after a prior account has been disabled, and
  • Soliciting login information or accessing somebody else’s account.

According to Facebook, Tarquini designed software scripts to trick users into handing over their access tokens.

With those access tokens, Facebook says that Tarquini and his associates could take over others’ Facebook accounts and post content that, when clicked, redirected users’ browsers to third-party websites.

In February 2013, one such script, called “Jacked”, automatically posted messages, images and links to the bogus sex tape featuring Bieber and Gomez.

Users who clicked got sent to a site off Facebook that featured a doctored, blurred image of what looked to be the celebrities, designed to look like a still shot from a video that might be clicked on to watch a supposedly leaked sex tape.

But when users clicked, what they got was a prompt to grant access to the user’s Facebook account.

Jacked presented users with a “Verification Code” that purportedly verified whether the user was human but actually tricked them into copying and pasting in their access tokens.

With that, Facebook alleges, Tarquini was able to hijack users’ accounts and to further spread the scam by posting links to the bogus sex video.

Facebook sent Tarquini a cease-and-desist letter in March 2013, revoking his permission to use the site, services or platform, and disabled his Facebook account and applications.

According to Facebook, Tarquini responded, confirming that he had indeed created the devious software script:

Tarquini responded to the March 11 letter and admitted that he had created the Jacked script that was used in the Bieber/Gomez spam campaign; admitted that he had distributed the script to a number of associates; and admitted that the Bieber/Gomez spam campaign redirected users to a non-Facebook website.

As news of Tarquini’s work splashed across headlines, Facebook says, the news besmirched the social media network as it “tainted and continue[s] to taint the Facebook experience for Facebook users.”

Still, Tarquini turned around and created a new Facebook application, Facebook charges – one called the Fly Photo Editor. That one violated Facebook terms by serving unauthorized third-party ads, Facebook says, so it shut it down.

So Tarquini made another Fly Photo Editor, Facebook alleges, and that one does the same thing that the first one did.

Facebook is asking the court to get a jury trial going so as to swat this irksome fly. Facebook also wants to be reimbursed for its botheration, and it wants Tarquini to hand over proceeds from his alleged scams.

Tarquini faces charges of breach of contract and violations of state and federal computer laws.

Note that Tarquini’s alleged scam differs a bit from the one Naked Security reported on in February.

That scam also used a purported Gomez/Bieber sex tape to lure Facebook users, but it wound up leading to a survey scam.

It’s not clear if the two scams have the same author, but either way, the lesson is the same: Don’t trust your Facebook friends.

They may be sharing links and stories that simply aren’t true, including the phony “Justin Bieber died in a car crash” Facebook scam from March.

Then again, they may have rashly clicked on a supposed sex tape, had their accounts hijacked, and not even be aware what rubbish their newsfeeds are showing you.

Be careful clicking out there – scammers know which of our buttons it pays to push, and obviously, many of us have very large buttons labeled “Justin,” “Selena,” “sex” and “porn.”

If you use Facebook and need help fine-tuning those buttons, you can stay on top of the latest attacks by joining Sophos’s Naked Security Facebook page.

Image courtesy of Helga Esteb / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/X1tf-kiZR8k/

Serious Security: How to store your users’ passwords safely

You probably didn’t miss the news – and the fallout that followed – about Adobe’s October 2013 data breach.

Not only was it one of the largest breaches of username databases ever, with 150,000,000 records exposed, it was also one of the most embarrassing.

The leaked data revealed that Adobe had been storing its users’ passwords ineptly – something that was surprising, because storing passwords much more safely would have been no more difficult.

Following our popular article explaining what Adobe did wrong, a number of readers asked us, “Why not publish an article showing the rest of us how to do it right?”

Here you are!

Just to clarify: this article isn’t a programming tutorial with example code you can copy to use on your own server.

Firstly, we don’t know whether you’re using PHP, MySQL, C#, Java, Perl, Python or whatever, and secondly, there are lots of articles already available that tell you what to do with passwords.

We thought that we’d explain, instead.

Attempt One – store the passwords unencrypted

On the grounds that you intend – and, indeed, you ought – to prevent your users’ passwords from being stolen in the first place, it’s tempting just to keep your user database in directly usable form, like this:

If you are running a small network, with just a few users whom you know well, and whom you support in person, you might even consider it an advantage to store passwords unencrypted.

That way, if someone forgets their password, you can just look it up and tell them what it is.

Don’t do this, for the simple reason that anyone who gets to peek at the file immediately knows how to log in as any user.

Worse still, they get a glimpse into the sort of password that each user seems to favour, which could help them guess their way into other accounts belonging to that user.

Alfred, for example, went for his name followed by a short sequence number; David used a date that probably has some personal significance; Eric Cleese followed a Monty Python theme; while Charlie and Duck didn’t seem to care at all.

The point is that neither you, nor any of your fellow system administrators, should be able to look up a user’s password.

It’s not about trust, it’s about definition: a password ought to be like a PIN, treated as a personal identification detail that is no-one else’s business.

Attempt Two – encrypt the passwords in the database

Encrypting the passwords sounds much better.

You could even arrange to have the decryption key for the database stored on another server, get your password verification server to retrieve it only when needed, and only ever keep it in memory.

That way, users’ passwords never need to be written to disk in unencrypted form; you can’t accidentally view them in the database; and if the password data should get stolen, it would just be shredded cabbage to the crooks.

This is the approach Adobe took, ending up with something similar to this:

→ For the sample data above we chose the key DESPAIR and encrypted each of the passwords with straight DES. Using DES for anything in the real world is a bad idea, because it only uses 56-bit keys, or seven characters’ worth. Even though 56 bits gives close to 100,000 million million possible passwords, modern cracking tools can get through that many DES passwords within a day.

You might consider this sort of symmetric encryption an advantage because you can automatically re-encrypt every password in the database if ever you decide to change the key (you may even have policies that require that), or to shift to a more secure algorithm to keep ahead of cracking tools.

But don’t encrypt your password databases reversibly like this.

You haven’t solved the problem we mentioned in Attempt One, namely that neither you, nor any of your fellow system administrators, should be able to recover a user’s password.

Worse still, if crooks manage to steal your database and to acquire the decryption key at the same time, for example by logging into your server remotely, then Attempt Two just turns into Attempt One.

By the way, the password data above has yet another problem, namely that we used DES in such a way that the same password produces the same data every time.

We can therefore tell automatically that Charlie and Duck have the same password, even without the decryption key, which is a needless information leak – as is the fact that the length of the encrypted data gives us a clue about the length of the unencrypted password.

We will therefore insist on the following requirements:

  1. Users’ passwords should not be recoverable from the database.
  2. Identical, or even similar, passwords should have different hashes.
  3. The database should give no hints as to password lengths.

Attempt Three – hash the passwords

Requirement One above specifies that “users’ passwords should not be recoverable from the database.”

At first glance, this seems to demand some sort of “non-reversible” encryption, which sounds somewhere between impossible and pointless.

But it can be done with what’s known as a cryptographic hash, which takes an input of arbitrary length, and mixes up the input bits into a sort of digital soup.

As it runs, the algorithm strains off a fixed amount of random-looking output data, finishing up with a hash that acts as a digital fingerprint for its input.

Mathematically, a hash is a one-way function: you can work out the hash of any message, but you can’t go backwards from the final hash to the input data.

A cryptographic hash is carefully designed to resist even deliberate attempts to subvert it, by mixing, mincing, shredding and liquidising its input so thoroughly that:

  • You can’t create a file that comes out with a predefined hash by any method better than chance.
  • You can’t find two files that “collide”, i.e. have the same hash (whatever it might be), by any method better than chance.
  • You can’t work out anything about the structure of the input, including its length, from the hash alone.

Well-known and commonly-used hashing algorithms are MD5, SHA-1 and SHA-256.

Of these, MD5 has been found not to have enough “mix-mince-shred-and-liquidise” in its algorithm, with the result that you can find two files with the same hash very much faster than by chance.

This means it does not meet its original cryptographic promise – so do not use it in any new project.

SHA-1 is computationally quite similar to MD5, and many experts consider that it might soon be found to have similar problems to MD5 – so you may as well avoid it.

We’ll use SHA-256, which gives us this if we apply it directly to our sample data (the hash has been truncated to make it fit neatly in the diagram):

The hashes are all the same length, so we aren’t leaking any data about the size of the password.

Also, because we can predict in advance how much password data we will need to store for each password, there is now no excuse for limiting the length of a user’s password. (All SHA-256 values have 256 bits, or 32 bytes.)

To verify a user’s password at login, we keep the user’s submitted password in memory – so it never needs to touch the disk – and compute its hash.

If the computed hash matches the stored hash, the user has fronted up with the right password, and we can let him log in.

But Attempt Three still isn’t good enough, because Charlie and Duck still have the same hash, leaking that they chose the same password.

Indeed, the password “password” will always come out as 5E884898DA28..EF721D1542D8, whenever anyone chooses it.

That means the crooks can pre-calculate a table of hashes for popular passwords – or even, given enough disk space, of all passwords up to a certain length – and thus crack any password already on their list with a single database lookup.

Attempt Four – salt and hash

We can adapt the hash that comes out for each password by mixing in some additional data known as a salt, so called because it “seasons” the hash output.

A salt is also known as a nonce, which is short for “number used once.”

Simply put, we generate a random string of bytes that we include in our hash calculation along with the actual password.

The easiest way is to put the salt in front of the password and hash the combined text string.

The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.

For that to happen they would need the same password and the same salt, so if we use 16 bytes or more of salt, the chance of that happening is small enough to be ignored.

Our database now looks like this (the 16-byte salts and the hashes have been truncated to fit neatly):

The hashes in this list, being the last field in each line, are calculated by creating a text string consisting of the salt followed by the password, and calculating its SHA-256 hash – so Charlie and Duck now get completely different password data.

Make sure you choose random salts – never use a counter such as 000001, 000002, and so forth, and don’t use a low-quality random number generator like C’s random().

If you do, your salts may match those in other password databases you keep, and could in any case be predicted by an attacker.

By using sufficiently many bytes from a decent source of random numbers – if you can, use CryptoAPI on Windows or /dev/urandom on Unix-like systems – you as good as guarantee that each salt is unique, and thus that it really is a “number used once.”

Are we there yet?

Nearly, but not quite.

Although we have satisfied our three requirements (non-reversibility, no repeated hashes, and no hint of password length), the hash we have chosen – a single SHA-256 of salt+password – can be calculated very rapidly.

In fact, modern hash-cracking servers costing under $20,000 can compute 100,000,000,000 or more SHA-256 hashes each second.

We need to slow things down a bit to stymie the crackers.

Attempt Five – hash stretching

The nature of a cryptographic hash means that attackers can’t go backwards, but with a bit of luck – and some poor password choices – they can often achieve the same result simply by trying to go forwards over and over again.

Indeed, if the crooks manage to steal your password database and can work offline, there is no limit other than CPU power to how fast they can guess passwords and see how they hash.

By this, we mean that they can try combining every word in a dictionary (or every password from AA..AA to ZZ..ZZ) with every salt in your database, calculating the hashes and seeing if they get any hits.

And password dictionaries, or algorithms to generate passwords for cracking, tend to be organised so that the most commonly-chosen passwords come out as early as possible.

That means that users who have chosen uninventively will tend to get cracked sooner.

→ Note that even at one million million password hash tests per second, a well-chosen password will stay out of reach pretty much indefinitely. There are more than one thousand million million million 12-character passwords based on the character set A-Za-z0-9.

It therefore makes sense to slow down offline attacks by running our password hashing algorithm as a loop that requires thousands of individual hash calculations.

That won’t make it so slow to check an individual user’s password during login that the user will complain, or even notice.

But it will reduce the rate at which a crook can carry out an offline attack, in direct proportion to the number of iterations you choose.

However, don’t try to invent your own algorithm for repeated hashing.

Choose one of these three well-known ones: PBKDF2, bcrypt or scrypt.

We’ll recommend PBKDF2 here because it is based on hashing primitives that satisfy many national and international standards.

We’ll recommend using it with the HMAC-SHA-256 hashing algorithm, repeated 10,000 times or more.

HMAC-SHA-256 is a special way of using the SHA-256 algorithm that isn’t just a straight hash, but allows the hash to be combined comprehensively with a key or salt:

  • Take a random key or salt K, and flip some bits, giving K1.
  • Compute the SHA-256 hash of K1 plus your data, giving H1.
  • Flip a different set of bits in K, giving K2.
  • Compute the SHA-256 hash of K2 plus H1, giving the final hash, H2.

In short, you hash a key plus your message, and then rehash a permuted version of the key plus the first hash.

In PBKDF2 with 10,000 iterations, we feed the user’s password and our salt into HMAC-SHA-256 and make the first of the 10,000 loops.

Then we feed the password and the previously-computed HMAC hash back into HMAC-SHA-256 for the remaining 9999 times round the loop.

Every time round the loop, the latest output is XORed with the previous one to keep a running “hash accumulator”; when we are done, the accumulator becomes the final PBKDF2 hash.

Now we need to add the iteration count, the salt and the final PBKDF2 hash to our password database:

As the computing power available to attackers increases, you can increase the number of iterations you use – for example, by doubling the count every year.

When users with old-style hashes log in successfully, you simply regenerate and update their hashes using the new iteration count. (During successful login is the only time you can tell what a user’s password actually is.)

For users who haven’t logged in for some time, and whose old hashes you now consider insecure, you can disable the accounts and force the users through a password reset procedure if ever they do log on again.

The last word

In summary, here is our minimum recommendation for safe storage of your users’ passwords:

  • Use a strong random number generator to create a salt of 16 bytes or longer.
  • Feed the salt and the password into the PBKDF2 algorithm.
  • Use HMAC-SHA-256 as the core hash inside PBKDF2.
  • Perform 10,000 iterations or more.
  • Take 32 bytes (256 bits) of output from PBKDF2 as the final password hash.
  • Store the iteration count, the salt and the final hash in your password database.
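The procedure above, from the HMAC-SHA-256 two-pass construction and the PBKDF2 XOR-accumulator loop through to the stored record and the login-time re-hash with a higher iteration count, as an added example in Python (this is not code from the Naked Security article). The hand-written PBKDF2 is checked against Python’s own `hashlib.pbkdf2_hmac`; the `iterations$salt$hash` record layout and the `CURRENT_ITERATIONS` policy value are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Site policy for newly created hashes (assumed value; raise it over time).
CURRENT_ITERATIONS = 10_000
SALT_BYTES = 16          # 16 bytes or more of salt, as recommended above
HASH_BYTES = 32          # 32 bytes (256 bits) of PBKDF2 output
SHA256_BLOCK = 64        # SHA-256 processes 64-byte blocks


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 written out as the two hashes described in the article:
    SHA-256(K1 || data) = H1, then SHA-256(K2 || H1), where K1 and K2 are
    the key with two different bit patterns (0x36 / 0x5C) XORed in."""
    if len(key) > SHA256_BLOCK:
        key = hashlib.sha256(key).digest()   # long keys are hashed first
    key = key.ljust(SHA256_BLOCK, b"\x00")   # then zero-padded to a block
    k1 = bytes(b ^ 0x36 for b in key)        # "flip some bits" -> inner key
    k2 = bytes(b ^ 0x5C for b in key)        # "flip a different set" -> outer key
    h1 = hashlib.sha256(k1 + data).digest()
    return hashlib.sha256(k2 + h1).digest()


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """One 32-byte block of PBKDF2 (RFC 2898). The password is the HMAC key.
    Round 1 hashes the salt plus a 4-byte big-endian block index (1); each
    later round feeds the previous HMAC output back in; every output is
    XORed into the running accumulator, which becomes the final hash."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    u = hmac_sha256(password, salt + struct.pack(">I", 1))
    acc = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac_sha256(password, u)
        for i in range(HASH_BYTES):
            acc[i] ^= u[i]
    return bytes(acc)


def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    """Sanity check: our loop must agree with the standard library's PBKDF2."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=HASH_BYTES)
    return pbkdf2_hmac_sha256(password, salt, iterations) == expected


def make_record(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Build the database field: iteration count, random salt and final hash."""
    salt = os.urandom(SALT_BYTES)   # OS CSPRNG (CryptoAPI / /dev/urandom); never a counter
    digest = pbkdf2_hmac_sha256(password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a login attempt. Returns (ok, replacement_record): the second
    value is a fresh record to store when the old hash used fewer iterations
    than current policy, since login is the only moment the password is known."""
    iters_s, salt_hex, digest_hex = record.split("$")
    iterations = int(iters_s)
    candidate = pbkdf2_hmac_sha256(password.encode("utf-8"), bytes.fromhex(salt_hex), iterations)
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False, None
    if iterations < CURRENT_ITERATIONS:
        return True, make_record(password)
    return True, None


if __name__ == "__main__":
    # Charlie and Duck both chose "password" (the article's sample data):
    # with random salts their stored records no longer match.
    charlie, duck = make_record("password"), make_record("password")
    print("Charlie:", charlie)
    print("Duck:   ", duck)
    print("records differ:", charlie != duck)
    old = make_record("password", iterations=1_000)     # a hash from last year
    ok, upgraded = verify("password", old)
    print("login ok:", ok, "| re-hashed at current count:", upgraded is not None)
```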

Whatever you do, don’t try to knit your own password storage algorithm.

It didn’t end well for Adobe, and it is unlikely to end well for you.

Image of magnifying glass outline courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NWJ8a1CO37I/

Right, that’s IT: We’ll encrypt INTERNAL traffic to thwart NSA


Yahoo! is going to start encrypting its intra-data-center traffic and will offer a similar service as an option to webmail users next year, CEO Marissa Mayer has pledged.

“I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever,” she said on her Tumblr page – which is now the preferred method of corporate communications following Yahoo!‘s $1bn acquisition of the site.

“There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL – Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014.”

Last month documents released by NSA whistleblower Edward Snowden claimed that the NSA and Britain’s GCHQ have been tapping into the fiber used by Google and Yahoo! to connect their data-center traffic. The scheme, dubbed MUSCULAR, operated outside the US, to stay within the remit of the national laws.

The leaked documents sent two Google engineers into an apoplexy, and the search giant has already started adding encryption to its interlinks and now Yahoo! will follow suit, albeit at a more leisurely pace. Microsoft has said it is “reviewing” such a move, but doesn’t encrypt as yet.

The Yahoo! data center streams, which carry huge amounts of user and corporate information, will be encrypted by the first quarter of next year, and Yahoo! Mail users will have the option to encrypt, although it doesn’t look at this stage as though this will be the default setting.

Furthermore, Yahoo! is going to work with co-branded partners to set up HTTPS communications links overseas. Eventually Yahoo wants to encrypt all of its services, but hasn’t given a precise timescale.

“As we have said before, we will continue to evaluate how we can protect our users’ privacy and their data. We appreciate, and certainly do not take for granted, the trust our users place in us,” Mayer concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/give_us_some_time_and_well_encrypt_promises_yahoo/

No woman, no drive: Saddo hackers lob Android nasty at Saudi women’s rights campaign


Reactionary hacktivists have brewed up a strain of Android malware targeted against the Alsharif campaign, which encourages Saudi Arabian women to defy their country’s ban on female drivers.

Women have long been effectively banned from driving in the Middle Eastern kingdom, thanks to local interpretations of Islamic customs not shared elsewhere in the Muslim world. There is no law on women driving, as such, but anybody who wants to drive in the country needs to obtain a local driving licence – and women are not allowed to take the test.*

A grassroots movement, dubbed the Oct 26th Driving Campaign, is fighting for the right for women to drive in Saudi Arabia. Local police have arrested women who allegedly drove around the country before uploading videos of their activities to YouTube.

In addition, the driving campaign website has been under constant attack – including defacements – from forces who would wish to see the ban kept in place.

This turn of events is perhaps not too surprising given that Saudi Arabia is a “region of the world where the penalty for hacking a website is less than the penalty for a female found defying the ban on driving a vehicle,” according to mobile security researcher Irfan Asrar.

More recently, hackers who share the same patriarchal point of view have upped their attempts to mess with the car-driving-for-women movement by cooking up an Android trojan.

The malware, dubbed Hackdrive, comes disguised as an Android app to support the campaign, even featuring the icon that has come to symbolise the movement of the Oct 26th Driving Campaign – a pink car. In reality, the app is designed to spew the same hate-filled propaganda that accompanied the earlier defacement campaign, Asrar reports.

“Firstly, audio is jammed by the app repeatedly playing the audio from the YouTube video hit “No woman, no drive” [embedded below for our readers’ delight], making it impossible to listen to anything else on the device or carry out a phone conversation,” he writes.

“Additionally, a message in Arabic text is displayed similar to the defacement messages used on the hacked website.”

Routines in the malware contain the ability to scour through the contact database of compromised smartphones, harvesting names and numbers before uploading the information to a remote server. However the functionality is not turned on, something that might change with possible follow-up versions of the malware.

Asrar – whose write-up of the threat, complete with screenshots, can be found in a guest post on security researcher Graham Cluley’s blog – writes that it would be a mistake to interpret the malware as a childish prank.

“On the surface the antics used in the app and the website defacing may seem juvenile. But make no mistake, this is hate and prejudice manifested into an Android app,” he concludes. ®

“No Woman No Drive” Bob Marley cover

Bootnote

*At the time your correspondent, then a young trainee telecoms engineer, spent five months on secondment to Bahrain in the late ’80s, the Saudi driving test purportedly involved driving five metres forward and five metres in reverse – together with the payment of a modest bribe (baksheesh). It’s unclear how far things have moved along in the 25+ years since.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/20/android_malware_targets_saudi_woman_drivers/

Data of 42 MILLION seekers for love plundered from Aussie dating site


A hack against online dating site Cupid Media that led to the exposure of the personal details and plain text passwords of 42 million consumers appears to be the work of the same group of hackers who pulled off an even bigger pwnage against Adobe.

Names, email addresses, unencrypted passwords and birthdays from the Australian service were found on the same server used as a dump site by hackers who broke into the systems of Adobe, PR Newswire and the National White Collar Crime Center, investigative journalist Brian Krebs reports.

Andrew Bolton, Cupid Media’s managing director, told Krebs that the leaked data appears to be genuine and related to a breach that took place in January 2013. Affected users have already been told to reset their passwords following that incident, according to Bolton.

“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

Bolton suggested that many of the leaked records refer to “old, inactive or deleted accounts”, adding that it has taken measures to improve its password security since the breach (which up until this week had received little or no publicity).

“Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements.”

31 million Cupid Media users registered with either Yahoo!, Hotmail or Gmail addresses. Many picked easily guessable passwords (1.9 million used “123456”, 1.2 million picked “111111” and 91,000 selected “iloveyou”, according to Krebs).

The main danger from the breach is that a substantial proportion of lovelorn users re-used these passwords on other more sensitive sites, meaning that the compromise at Cupid Media opened the door to all sorts of nefarious activities elsewhere. Possibilities include fraud against compromised e-commerce and banking accounts, spamming and malware distribution, among other online scams.

In response to just this sort of threat, Facebook mined leaked Adobe data to warn users of the social networking site who had ill-advisedly used the same password, a state of affairs that left their accounts wide open to hijacking before Team Zuck applied a password reset.

Facebook won plaudits from security watchers for its actions, but schemes like this can only mitigate the problem without dealing with its root cause: lamentably awful password security practices by many netizens. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/20/dating_site_mega_password_breach/

Glut In Stolen Identities Forces Price Cut In Cyberunderground

Just in time for the holidays, the price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity.

Researcher Joe Stewart of Dell SecureWorks teamed with independent researcher David Shear to get an insider’s look at what a plethora of hacking services and stolen data cost these days in the underground. Among their findings: For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there.

“Fullz,” or personal identities, went for $40 per U.S. stolen ID and $60 for a stolen overseas ID in 2011 when Dell SecureWorks last studied pricing in the underground marketplace. Now those IDs are 33 to 37 percent cheaper.

With the high volume of data breaches and leaks over the past couple of years, it’s no surprise the price of a stolen identity would have declined, says Stewart, who is director of malware research for Dell SecureWorks. “I expected to see the drop,” he says. “The best thing we could hope for was for these prices to be very high. It would be a more encouraging trend if the prices increased.”

It’s also getting easier to cash in on cybercrime. “This report shows that cybercrime is becoming more and more commoditized, turnkey, and the bar to entry had become lower and lower as more people develop kits” that simplify data theft, he says. Competition among the cybergangs also has intensified as more people join in the scams, he says. “It’s created a situation where it’s getting very easy for anyone to get into that business. I think these numbers confirm it,” Stewart says.

Pricing trends are interesting, says Raj Samani, CTO of McAfee. But they also can be misleading, he says, because prices are all over the map. “You can have varying prices depending on the sources you go to.”

McAfee in its June cybercrime study found a DDoS-for-hire service for $2 per hour, and another for $3 per hour, for instance, he says.

Dell SecureWorks found DDoS services anywhere from $3 to $5 per hour, $90 to $100 per day, and $400 to $600 a month.

The big takeaway for all of this, Samani says, is that cybercrime-as-a-service has arrived. “It doesn’t require any technical knowledge, and you don’t even have to own a computer,” Samani says. “You just need to pay” and you can outsource anything, he says.

[Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible. See Dark-Side Services Continue To Grow And Prosper.]

To gather pricing information, researcher Shear infiltrated 15 different underground forums, four of which were Russian. Shear concentrated his efforts mainly on well-organized forums, according to SecureWorks.

Stewart and Shear found more cybercriminals selling a cardholder victim’s birth date and Social Security Number as well as the card data itself to ensure the stolen card data can be used and the buyer won’t get tripped up by any security questions or controls. “The hackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers,” SecureWorks said in its report. “Hackers are also selling cardholders’ Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card.”

The cost of getting a website hacked runs from $100 to $300, with more experienced black hat hackers charging more for their services. In an interesting twist, the researchers found that these attackers stipulated that they don’t hack government or military websites.

Doxing services—where a hacker steals as much information as they can about a victim or target via social media, social engineering, or Trojan infection—ranges from $25 to $100.

Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250.

Meanwhile, prices for stolen credit cards for U.S. accounts (with CVV numbers) have remained about the same since SecureWorks last studied them in 2011. They ranged from $4 to $8 per account, while European accounts dropped from $21 to $18 today. It’s all about the inventory of such a commodity item, according to the researchers.

Article source: http://www.darkreading.com/attacks-breaches/glut-in-stolen-identities-forces-price-c/240164089

EMC Study: China Rates Itself As World’s #1 In Deploying Technologies To Establish Trusted IT Infrastructure

HOPKINTON, MASS, NOVEMBER 19, 2013 –

EMC Corporation (NYSE:EMC) today announced results of an independent survey revealing fresh insights about IT strategies and infrastructures deployed within companies and governments throughout the world. Most notably, respondents cite a startling lack of senior executive confidence that permeates organizations globally, specifically concerning readiness around the critical IT requirements of continuous availability; advanced security; and integrated backup and recovery. Reduced investment in these critical areas threatens the ability of IT infrastructures to withstand and quickly recover from disruptive incidents such as unplanned downtime, security breaches and data loss and underscores the need to adopt progressive strategies to achieve Trusted IT infrastructures.

The Global IT Trust Curve survey, administered by independent market research firm Vanson Bourne, spans 3,200 interviews across 16 countries and 10 industry sectors.

China received the top maturity ranking: Chinese IT decision makers reported implementing the highest concentration of sophisticated continuous availability, advanced security, and integrated backup and recovery technologies. The United States ranked second in maturity on the IT Trust Curve. Underscoring swift and aggressive technology investments to solidify their world influence, three of the four most mature countries — China, South Africa and Brazil — are BRICS nations. Japan ranked last on the IT Trust Curve in the 16-nation survey.

David Goulden, EMC President and Chief Operating Officer, said, “The four big megatrends in information technology today are cloud computing, Big Data, social networking and mobile devices. Adoption and maturity of these trends must float upon a sea of trust — trust that my information is secure in the cloud, trust that my data won’t be lost or stolen, trust that my IT will be operational when it needs to be — which, these days, is all the time. The more trust that can be earned and guaranteed, the bigger and faster the impact of these trends. Conversely, the less trust that is established, the more limited these trends will be. Where countries fall on the IT Trust maturity curve could affect their overall ability to compete.”

Chief among the findings are:

Lower levels of maturity permeate the globe:

More than half (57%) of all respondents fall into the lower maturity categories, while only 8% place in the Leader category.

The higher organizations land on the maturity curve, the more likely they are to have already implemented more strategic and leading-edge technology projects such as Big Data Analytics.

Lack of confidence in technology infrastructure:

Nearly half (45%) of all respondents globally report that their senior executives are not confident that their organizations have adequate availability, security, and backup and recovery capabilities.

When asked about executive confidence levels, the percentage of all respondents within each maturity level who said their senior executives are confident that their organizations have adequate availability, security, and backup and recovery are: Laggard (39%), Evaluator (51%), Adopter (65%) and Leader (81%).

Japan has the smallest percentage of respondents (31%) reporting that their senior teams have confidence in these key aspects of IT; Germany has the highest percentage (66%).

19% (nearly one in five) of respondents worldwide cite an overall lack of confidence in their technology infrastructure.

Significant disparity exists between how IT and business leaders perceive improvements:

While 70% of IT decision makers consider the IT department to be the motivation/drive for future resilient and secure IT infrastructure, the number drops to 50% for business decision makers when asked the same question.

A similar perception gap extends in key disciplines such as security. While 27% of IT respondents report being victims of a data breach in the past 12 months, only 19% of business decision makers globally report being victims, indicating they are not aware of all technology incidents that impact the business.

Organizations with higher levels of maturity avoid — and recover more quickly from — disruptive incidents and with reduced consequence. For example, globally:

53% of organizations in the Leader segment of the IT Trust Curve reported data recovery time measured in minutes or less for their most mission critical applications. The percentage drops to 27% across all maturity tiers.

76% of companies in the Leader segment believe they are able to recover 100% of their lost data in every instance versus only 44% in the lowest maturity segment.

Organizations in the lowest maturity segment (Laggard) lost one and a half times more money over the last 12 months as a result of downtime than those in the highest maturity segment (Leader).

Security breaches were the most costly events suffered by respondents, who reported an average annual financial loss of $860,273 due to breaches, followed by $585,892 and $497,037 respectively for data loss and downtime.

Widespread unplanned downtime, security breaches and data loss:

61% of all respondents’ companies have suffered at least one of the following incidents: unplanned downtime (37%), security breach (23%) or data loss (29%) in the last 12 months.

Top 4 consequences across organizations experiencing at least one of the above incidents within the last 12 months were loss of employee productivity (45%), loss of revenue (39%), loss of customer confidence/loyalty (32%) and loss of incremental business opportunity (27%).

Budget constraints (52%) reigned as the #1 obstacle to implementing continuous availability, advanced security, and integrated backup and recovery solutions. Resources and/or workload constraints (35%), poor planning (33%) and knowledge skills (32%) rounded out the top four. China was the only country that did not report budget as the #1 obstacle.

Top security concerns identified across all respondents were third party application access (43%) and protection of intellectual property (42%), pointing to the need for more advanced technology and intelligence-driven models:

There remains a heavy reliance on “prevention-oriented” security tools, with more than 80% of respondents using anti-virus and firewalls, the two most popular security solutions.

Just 18% have adopted Security Information and Event Management (SIEM) and even fewer, 11%, have adopted Governance Risk and Compliance (GRC) solutions, which provide the necessary monitoring and response capabilities needed to defend against more advanced threats.

Highly-regulated industries throughout the world displayed proportionally higher maturity levels:

In addition to the IT and Technology (#3) industries, the remaining Top 5 most mature industries globally are the highly-regulated Financial Services (#1), Life Sciences (#2), Healthcare (#4) and Public Sector (#5).

EXECUTIVE AND ANALYST QUOTES

Irina Simmons, Chief Risk Officer, EMC

“Most IT practitioners do everything within their power and control to protect the enterprise. Where breakdowns can occur is in communicating up to business leaders, executives, Boards and audit committees. We hear it from Boards all the time. Practitioners need to be able to demonstrate to leadership that they have a governance process whereby they can adequately instil confidence that risks are being addressed in line with the organization’s overall risk appetite and profile. Success against a particular threat is not just an accident or good luck, but the result of a solid process that continually monitors and addresses new risks and threats to the enterprise.”

Dave Martin, Chief Security Officer, EMC

“The time has come for the industry to double down. It’s impossible to deliver advanced security if we lack foundational maturity. Without a predictable environment, or understanding of where our assets are, or an ability to pick up on nuances and detect behavioural anomalies, we will be unable to defend the organization. That baseline of foundational maturity is an absolute enabler of effective security and establishing overall trust.”

Christian Christiansen, Program Vice President for IDC’s Security Products and Services Group

“Among the many powerful insights that flow from this global study, the rampant lack of senior executive confidence stands out as both alarming and, unfortunately, a sign of the times. Nearly half of respondents say their senior management has zero confidence that their organizations are prepared with adequate availability, security, and backup and recovery. That one startling fact stands as a wakeup call for company boards to make the necessary investments to brace against both external and self-imposed disruptions and threats to their IT systems and data.”

METHODOLOGY

Survey data is the result of 3200 interviews of 1600 IT and 1600 business decision makers from the United States, the United Kingdom, Canada, Brazil, France, Germany, Italy, Spain, Russia, India, South Africa, Australia, Japan, China and the Nordic and Benelux regions. Respondents were employed at companies within ten industry sectors, with 50% working for organizations with 100-1000 employees and the other 50% at organizations with more than 1000 employees.

To create the maturity curve, IT decision makers were asked specific questions relating to IT infrastructure in each of the three pillar sections: continuous availability, advanced security and integrated backup and recovery. Within each section, respondents scored points for the sophistication of their organization’s existing technology, but not for anything in the planning stages. Each section was scored out of a maximum of 18 points, and the three were combined to give a total overall maturity score out of 54. This score was then multiplied by a scaling factor to normalize the curve and give a total score out of 100 points. Once scored, these IT decision makers were divided into four even segments from low to high score: Laggards (scoring 1–25), Evaluators (scoring 26–50), Adopters (scoring 51–75) and Leaders (scoring 76–100).

Article source: http://www.darkreading.com/management/emc-study-china-rates-itself-as-worlds-1/240164103

CompTIA: False Sense Of Security? Executives Confident About Readiness, But CompTIA Study Suggests New Threats May Be Overlooked

Downers Grove, Ill., November 19, 2013 – Organizations are overwhelmingly confident in their readiness to combat security threats, but may not be prepared for dangers linked to new technology models and increasingly sophisticated threats, according to a new study released today by CompTIA, the non-profit association for the information technology (IT) industry.

The overwhelming majority of companies (82 percent) surveyed for CompTIA’s 11th Annual Information Security Trends study view their current level of security as completely or mostly satisfactory.

But just 13% of firms say they’ve made drastic changes to their security approach over the past two years. This comes at a time when organizations have embraced cloud computing, enabled employee BYOD practices, and expanded their use of social tools.

“The use of new technologies necessitates a change in security approach,” said Seth Robinson, director, technology analysis, CompTIA. “It’s clear why companies view security as a top priority; but what’s less clear is whether they are fully aware of which actions to take to build an appropriate security posture for a new era of IT.”

Levels of concern for a wide range of threats remain virtually unchanged from past years, too. Most companies still view hacking and malware as the preeminent threats. But a host of new dangers are quickly becoming more prevalent, including Advanced Persistent Threats, Denial of Service attacks, IPv6 attacks and mobile malware.

“Many organizations may be assuming a satisfactory level of security without truly performing the due diligence to understand their exposure and build an appropriate security posture for a new era of IT,” Robinson continued. “To truly ‘move the needle’ on security readiness, the overall approach must be re-evaluated from the top level of the business down through all departments.”

Security and the Human Factor

Throughout the 11 years of the CompTIA study the human element has been a major factor in both security readiness and shortcomings. This year is no different. Human error accounts for the majority of root cause in security breaches; and 51% of companies say human error has become more of a factor over the past two years. This may be due in part to the introduction of cloud computing, mobility and social media into the enterprise.

Yet it’s striking that few companies (21 percent) view human error as a serious concern.

“End users control powerful devices and business-class systems, often without the oversight of the IT team,” said Robinson. “While they may be able to use these devices and systems, they typically do not have the background knowledge and experience with security that allows them to recognize potential threats.”

Another consistent, historic theme in this study is the difficulty companies have in finding security professionals with the right skill mix. Cloud security, mobile security, data loss prevention and risk analysis are the four areas where skills are seen as most lacking in 2013.

One solution may be more security certifications for IT professionals. Two-thirds of companies say IT workers with security certifications are more valuable to the organization; while 86% say certified security workers deliver a moderate to high return on investment.

CompTIA’s 11th Annual Information Security Trends study is based on online surveys of 500 business and IT professionals in the United States involved in IT decision-making for their organizations; and 500 executives at U.S. IT channel companies.

More details from the study are available at http://www.slideshare.net/comptia/comptia-11th-annual-information-security-trends. The complete report is available at no cost to CompTIA members, who can access the study at www.CompTIA.org or by contacting [email protected].

About CompTIA

CompTIA is the voice of the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation; and the professionals responsible for maximizing the benefits organizations receive from their investments in technology. CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy. To learn more, visit www.comptia.org, http://www.facebook.com/CompTIA and http://twitter.com/comptia.

Article source: http://www.darkreading.com/management/comptia-false-sense-of-security-executiv/240164104

Financial Sector Shows Highest Demand For DevOps For Database solutions In 2013, DBmaestro Finds

Tel Aviv, November 19, 2013 – DBmaestro (www.DBmaestro.com), the pioneer and leading provider of DevOps for Database solutions, announced today its analysis of new companies adopting DevOps for Database with DBmaestro. Over the past year, financial sector companies had the highest increased demand for Database Enforced Change Management (DECM) tools. Over 40% of new DBmaestro customers originated from this industry.

Within the financial sector, 60% of DBmaestro’s new clients are banks and insurance companies, which find themselves more exposed to risk. In addition, DevOps for Database is becoming widespread in other markets. DBmaestro’s findings show that new customers from the government sector made up about 20% of the new DECM demand. Security and telecom sectors each made up approximately 10% of new DevOps for Database demand in 2013. The software and retail sectors each made up about 5% of new companies committed to DevOps.

“A loss of database control in the banking and financial sector can be catastrophic,” said Yariv Tabac, Co-CEO of DBmaestro. “The increase in new customers from financial institutions demonstrates that financial companies, which must have absolute confidence in the integrity and quality of their database code, recognize the benefits which DevOps for Database provides. We expect these trends to continue in the government and security sectors as well as other industries which are seeking automation, control and enforced change management over their Database.”

About DBmaestro

DBmaestro is the pioneer and leading provider of DevOps for Database solutions, which enable control of databases. Its flagship product, DBmaestro Teamwork, is the leading Database Enforced Change Management (DECM) solution that empowers Agile team collaboration by enforcing change policy and best practices. DBmaestro Teamwork enables continuous development, continuous release and continuous deployment processes, which reduce the number of potential risks threatening database development and deployment by 60% and reduce deployment costs by 95%.

DBmaestro’s solutions are deployed at major international companies including VISA, MasterCard, Knight Capital, Thomson Holidays, Bank Leumi and others.

Article source: http://www.darkreading.com/government-vertical/financial-sector-shows-highest-demand-fo/240164107

Pakistani phone-buyers will need skin in the game with biometric buying plan

Mobile phone operators in Pakistan have been told they have around a month to ensure all of their outlets are equipped with biometric thumb scanners, in a renewed bid to eliminate illegal SIMs.

The scanners must be installed by December 1st in Karachi and December 20th nationwide, the authorities decided last week, according to local telecoms site Propakistani.

The scanned thumbprint of the national ID card (CNIC) holder will apparently be matched with that held by the National Database and Registration Authority (NADRA) for immediate identity verification prior to purchase.

The government-backed Universal Service Fund (USF) is thought to be part-subsidising the cost of the roll-out, although it could be a tall order to get machines into the 250,000+ retail outlets, service centres and franchises selling SIMs nationwide in time.

However, commentators have apparently argued that the plans will only succeed in cleaning up Pakistan’s illegal SIM card problem if existing as well as new SIMs are verified and linked biometrically.

With mobile subscribers pushing 130 million in Pakistan, this would be a huge undertaking; however, the Pakistan Telecommunication Authority (PTA) usually gets its way when it comes to industry regulation.

It has forced the blocking of tens of thousands of web sites at a time in the past for religious and moral reasons and a year ago threatened to ban mobile packages offering cheap late night calls because they went against “social norms”.

The current biometric push, however, springs from a fear that untraceable SIMs are a national security threat because they can be used by terrorists to communicate and trigger bombs anonymously. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/20/pakistan_biometric_sim_registration/