STE WILLIAMS

ControlScan And Merchant Warehouse Report New Findings On SMB Merchants’ Payment Security Awareness

ATLANTA, Nov. 12, 2013 – ControlScan and Merchant Warehouse have jointly released the results of their fifth annual survey of Level 4 merchants’ awareness, sentiment and progress toward securing cardholder data in compliance with payment card industry (PCI) standards.

The Level 4 merchant group represents 98% of all U.S. retailers, is primarily comprised of small to mid-sized businesses (SMBs), and numbers in the millions. The newly-released research report “Payment Security and the SMB: The Fifth Annual Survey of Level 4 Merchant PCI Compliance Trends” reveals that as a group these merchants are making progress, yet key concerns remain.

“Nearly three-quarters of survey respondents believe complying with PCI standards improves the security of their business, and that’s encouraging,” said Joan Herbig, CEO of ControlScan. “As a whole, though, these merchants are showing a lack of corresponding activity for prevention and detection. In addition, they are not prepared should a data breach occur.”

A total of 615 Level 4 merchants responded to the 2013 survey, providing many critical insights for independent sales organizations (ISOs), acquirers and other merchant service providers (MSPs), including:

  • 43% are personally responsible for information security in their organization, while 35% say no one is assigned the responsibility;
  • 51% do not require their third-party service providers to achieve and maintain PCI compliance; and
  • Only 36% have developed an incident response plan (IRP) for their business.

“SMB merchants have a distinct need when it comes to payment security and compliance,” said Henry Helgeson, CEO, Merchant Warehouse. “Very few have the time or resources to think through what it takes to better their security posture, and most don’t even realize the significant risk their business faces. It’s up to us as their MSP to give them a cost-effective, simplified way to succeed in this regard.”

To access a copy of the survey research report, which includes an in-depth discussion of the implications Level 4 merchants’ responses have for their own breach risk as well as the risk the MSPs serving them face, please click on the following link: https://www.controlscan.com/whitepapers/merchant-study-2013.php.

In addition, ControlScan and Merchant Warehouse are hosting a joint webinar on November 20, 2013 to present the study’s findings. Click here for more information and to register: https://www2.gotomeeting.com/register/397376026.

About ControlScan

Headquartered in Atlanta, Georgia, ControlScan delivers payment security and compliance solutions to a global network of merchant service providers and the small businesses they serve. The company’s innovative approach to secure hosted payment and PCI compliance solutions leverages technology, education and services to provide flexible options for its customers. Known for its thought leadership, ControlScan gives its customers a clear view of marketplace issues and trends so they can remain competitive. For more information, please visit www.controlscan.com or call 1-800-825-3301.

About Merchant Warehouse

Merchant Warehouse is a leading provider of payment technologies and merchant services. The company’s solutions enable merchants to more effectively connect and engage with their customers regardless of how, where or when they choose to shop. Merchant Warehouse’s flagship technology solution, the Genius™ Customer Engagement Platform™, supports both traditional and new payment types, including mobile commerce, from a single countertop acceptance device. For more information about Merchant Warehouse, please visit merchantwarehouse.com or follow the company on Twitter at @MWarehouse.

Article source: http://www.darkreading.com/privacy/controlscan-and-merchant-warehouse-repor/240163841

Google’s Blacklist Opens IT Vendors To Possibility Of Costly Lawsuits

CHICAGO, Nov. 12, 2013 /PRNewswire/ — Small businesses remain prime targets for cybercrime. For small businesses, particularly entering the holiday season, the fallout from an attack is significant: hacked websites’ traffic slows to a crawl, especially if they are quarantined (“blacklisted”) by Google. That equates to thousands of dollars in lost revenue, as well as lost credibility with customers.

IT professionals would be the first to note that no website is 100% secure, but that fact does not insulate vendors from the fallout from such an attack. TechInsurance, the nation’s leading online provider of insurance for small and micro IT businesses, today issued guidelines to help network admins, web hosting companies, and site developers effectively communicate and protect themselves if and when these hacks occur.

“A small business’s website is at least as important as its storefront, often regardless of the product or service the business is selling,” said Ted Devine, CEO of TechInsurance. “Because IT professionals tend to be far more tech-savvy than their clients, they are frequently the first, last, and only line of defense against attacks that can sideline a business for weeks.”

Unfortunately, as Devine noted, that role can translate to liability if and when an attack occurs. “Though the hacker is directly liable, the network admin, webmaster, or developer can be held responsible for lost sales and costs because they failed to prevent an attack,” Devine added. To reduce that liability and prevent Errors & Omissions (E&O) lawsuits, TechInsurance recommends that IT professionals take the following precautions:

1. Educate clients about site security. Including basic instructions for how clients can keep their site secure with strong passwords, antivirus software, security patches, Google’s webmaster tools, and caution with third-party content providers can greatly reduce the likelihood of a hacking incident. Clients without a technical background are often intimidated by online security or unaware that they can play an active role in protecting their sites.

2. Update contract language to reduce liability. For those involved in building, hosting, or granting permissions to client websites, contracts should explicitly outline how liability for hacks will be handled. While contracts can be overturned in court, strong language can improve the odds that a defendant won’t be found liable for E&O damages.

3. Offer security monitoring. IT professionals who do not already offer security-monitoring services should consider adding them. Doing so can provide an additional source of revenue, boost client confidence, and prevent the big headaches of addressing hacking incidents after they’ve caused significant damage to a site.

IT contractors unsure which liabilities their contracts expose them to can use TechInsurance’s Contract Decoder.

About TechInsurance, an insureon Company

TechInsurance, the nation’s leading online agent for small and micro businesses, provides an online destination where IT and technology business owners can find essential insurance, including E&O policies. For details, visit www.techinsurance.com.

Article source: http://www.darkreading.com/end-user/googles-blacklist-opens-it-vendors-to-po/240163842

Content Raven Launches Freemium Content Security Solution

Marlborough, MA — November 12, 2013 — Content Raven, a content security company that helps enterprises achieve greater control over their intellectual property as it is being shared externally, today announced the availability of a new freemium product designed to make safe sending of content easy and accessible for all types of users. The release of the freemium application follows on several market successes the company has achieved since it pioneered its award-winning approach to content security in 2012.

With the availability of the free application, anyone, from enterprises to individuals, can quickly and effortlessly integrate a powerful “trusted viewing” solution into their daily workflows. Content Raven’s product requires no download and enables users to immediately begin to securely share and track critical files across any device, including mobile, without risk of loss or abuse. To date, investment firms, government agencies, manufacturers, athletic teams, and healthcare companies have adopted Content Raven’s solution to secure their valuable intellectual assets.

Content Raven’s cloud-based technology protects any type of file, including rich media, video, audio, and others, and gives senders complete control over how and where those files are accessed by the recipient. The solution does not require users to store files on a Content Raven server, but rather uses the cloud to stream content from wherever it resides. Additionally, the Content Raven application provides detailed analytics that show senders who is viewing their content and how it is being used. They can also track the geographic location of viewers, the frequency of views, duration of each view, and even the type of device it is viewed on.

Content Raven’s freemium application, which allows users to securely share Word documents, PDFs, PowerPoint slides, Excel files and images, is available for download here. Users seeking additional functionality, including the ability to secure video, HTML, and other multimedia content, can upgrade to one of several subscription options available on the Content Raven website. For enterprise customers who seek to leverage all of the powerful features of Content Raven in their existing enterprise applications, premium versions of the product offer a proven set of APIs for integration into a wide range of applications such as Microsoft Office, Sharepoint, PowerPoint, Dropbox, and more.

“At Content Raven, we have long believed in the concept of providing a robust content security solution that is simple to use, easy to integrate, and operates seamlessly in the background,” said Ron Matros, CEO of Content Raven. “This new application represents the realization of that concept. We hope that users of all kinds will use Content Raven and see how easy and effective secure sharing can be.”

About Content Raven

Content Raven empowers enterprises of all sizes to control intellectual property and other valuable content as it is shared externally. The company provides content distribution and control through the cloud, with usage analytics, to mobile and other devices focused on rich media. Content Raven’s end-to-end content control and analytics solution enables users to securely and easily share and track rich media, video, and other critical documents without risk of loss or abuse. Easy to use, with no software installation required, Content Raven is the first and only cloud-based content control solution that supports multiple devices, including mobile, and any type of content format. Companies around the world use Content Raven to control how their outbound content is consumed and managed. Content Raven is headquartered in Marlborough, MA.

Article source: http://www.darkreading.com/applications/content-raven-launches-freemium-content/240163846

Nominum And F-Secure: A Partnership To Win the Battle For Clean Networks

Nominum™ (http://www.nominum.com), the provider of integrated subscriber, network and security solutions for Service Providers, and F-Secure, the leading provider of consumer security solutions, have today announced a strategic partnership to deliver a comprehensive solution to protect subscribers from botnet threats. Botnet infection rates vary regionally and can be as high as 25% of the subscriber base. This growing threat typically executes malicious behaviour either by exploiting the target directly, by interfering with internet business models, or by amassing zombie devices to mount attacks against unsuspecting organisations.

The comprehensive security solution protects the subscriber, and the network, on a number of different levels. A botnet infection is detected at the network level without compromising subscriber privacy. The infected subscriber then receives a notification and instructions for remediation and is protected from further infections by the system. The integrated solution allows unparalleled visibility to identify the infected device within a typical household network, behind a NAT (Network Address Translation) router.

Nominum’s Subscriber Safety solution offers comprehensive malware protection to service providers’ subscribers, including detection of botnet infections. It leverages Nominum’s Global Intelligence Xchange which provides a database of threats that is continuously updated, enabling service providers to identify emerging threats and stay one step ahead of cyber criminals. Notifications are delivered using Nominum’s world-class in-browser messaging capability, which is compatible with any device supporting a browser, including PCs, smartphones and tablets.

The remediation is performed using F-Secure’s Antibot client product which is able to identify a wide range of botnet families including rootkit infections.

During the process the client sends anonymous telemetry data back to the service provider and connects to common customer care systems, allowing performance review of a full closed-loop service.

Head of F-Secure Labs, Mika Stahlberg, says: “Malware is increasingly prevalent, sophisticated, and difficult to remove. Internet users need their service providers’ help in dealing with the threats. Service providers are shifting from cost-based thinking in anti-abuse to a differentiating value-add approach.

Instead of considering each infected subscriber as a potential cost in customer support, with automation and the right messaging, these can be turned into strategic customer engagements.”

Nominum Vice President Business Development, Brian McElroy, says: “Consumers and professionals alike want to be able to access the internet safe in the knowledge their experience won’t be disrupted by malware. Our Subscriber Safety application leverages our heritage in DNS, enabling our customers to identify and pinpoint malicious activity on a network, providing greater protection to their subscribers. The in-browser messaging capability we deliver provides a timely and non-intrusive means of alerting subscribers to potential dangers.

With F-Secure we are now able to deliver linked remediation and offer our customers a more comprehensive solution that will create a safer internet experience for subscribers.”

F-Secure VP of Consumer Security, Maria Nordgren, says: “It is in the common interest of all parties that service providers are able to keep their subscribers safe from threats. Safe in the knowledge that their online activities are being protected, subscribers will access the internet more frequently and be less inclined to switch provider. The criminals of cyberspace hide in the shadows stealing personal details and abusing devices at their will.

The opportunities for criminal gangs will be dramatically reduced as more and more carriers implement advanced anti-abuse solutions.”

About Nominum

Nominum provides innovative software that leverages DNS data to deliver a reliable, safe and personalised Internet experience for Communication Service Providers and their subscribers. The company’s Vantio™ DNS Software, and N2 applications, arm CSPs to avert insider threats that could impact network availability and reputation. Nominum enables CSPs to engage with customers to deliver unique services and revenue opportunities and to build brand loyalty.

Today, Nominum’s carrier-grade software processes over 1.3 trillion queries daily and is deployed by the largest fixed and mobile operators worldwide.

Nominum is a global organisation headquartered in Redwood City, CA.

About F-Secure – Protecting the irreplaceable

While you concentrate on what is important to you, we make sure you are protected and safe online whether you are using a computer or a smartphone. We also back up your important files and enable you to share them. Our services are available through over 200 operators around the world and trusted in millions of homes and businesses. Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

Article source: http://www.darkreading.com/end-user/nominum-and-f-secure-a-partnership-to-wi/240163847

Chinese APT Campaigns May Be More Connected Than Previously Thought

Chinese cyberespionage actors have been discovered sharing malware development and logistics resources, suggesting that some seemingly separate attacks instead may actually be part of a broader targeted operation.

Researchers at FireEye closely studied 11 Chinese advanced persistent threat (APT) campaigns targeting different industries and found that many of them employed the same malware tools, code, binaries, and digital certificates for the binaries. The findings suggest that these cyberespionage campaigns are likely more centralized and organized than was once thought, a theory that has been bandied about among different researchers for some time.

This service provider/developer group, or layer of the operation, appears to play a different role and mission than the hackers behind the keyboards, according to FireEye. “There certainly does seem to be a discrete difference in what this group or layer’s role and responsibility is than the guys at the keyboard who exfiltrate data and move around laterally” in the targeted organization, says Ned Moran, senior malware researcher with FireEye, who co-authored FireEye’s new research.

Moran says he and his team had their suspicions that there was another layer that could link various APT operations, and that their theory was confirmed when they discovered the malware builder tool, which is written in Chinese and contains dialog and menu options in Chinese as well. “This tool is clearly used to create artifacts and malware that were thrown at the targets,” he says. And unlike pervasive tools such as Poison Ivy, this one isn’t available in the underground. “This tool appears to be for private use only,” he says.

The discovery, detailed in a new report published by FireEye, lends more evidence that Chinese APT operations are well-resourced and organized.

Researchers at Mandiant, meanwhile, concur that some APT groups indeed appear to share resources, but say they aren’t convinced there’s an actual “offensive organization” that provides the tools to the attackers.

“Mandiant has long assumed that there is some sort of sharing, formal or informal, between various threat groups. We frequently see malware families, code-signing certificates, and malware droppers overlap between distinct APT threat groups based on many of the same indicators discussed by FireEye,” says Barry Vengerik of Mandiant’s Intel Team. “However, to date we’ve seen no evidence that makes a top-down operation where finished tools are handed to individual threat groups by an overarching offensive organization or apparatus any more likely than these same tools and techniques being shared through less formal channels across the cybercriminal community.”

Moran says it’s unclear whether this back-end malware development and logistics operation is an actual separate group or another layer of an operation, but it could be a game-changer in how to address APTs. “Rather than treating each attack separately and as different, we need to examine all of these attacks and find commonalities and understand what they mean,” he says.

If common modus operandi and other characteristics are found among different attack campaigns, then organizations can better defend against them, he says. “If you apply the proper techniques and understand how to find these commonalities you might be able to develop your defense to look for these commonalities instead of individual unique samples for a command and control” infrastructure, the typical approach to detecting APTs today, he says.

[Taiwanese researchers peer into the operations center of a group behind one large espionage campaign. See Cyberespionage Operators Work In Groups, Process Enormous Data Workloads.]

The researchers first stumbled upon the theory that more APTs may be connected while studying the so-called Sunshop APT attack, which infected websites and redirected victims to a malicious site. After first reporting on that attack in May, they saw it resurface three months later. “We discovered additional related attacks about a week after that. During the intervening time, we examined the underlying infrastructure supporting these attacks and found that the Sunshop campaign utilized resources shared across a number of other APT campaigns not initially tied to Sunshop,” FireEye says in its report.

“What we initially believed to be 11 different APT campaigns used the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates. Through this discovery, we believe that we have identified a shared development and logistics operation used to support a number of different APT actors engaged in distinctive but overlapping campaigns,” the report says. “This development and logistics operation is best described as a digital quartermaster whose mission is to supply and maintain malware tools and weapons used in support of cyber espionage operations. This digital quartermaster is a possible cyber arms dealer, supplying the operators responsible for conducting attacks and establishing footholds within targeted organizations.”

This discovery is likely just the tip of the iceberg. “This is just a snapshot. We are currently engaged in other research projects now … our goal is to find other examples of this,” Moran says.

The full FireEye report, “Supply Chain Analysis: From Quartermaster to Sunshop,” is available here (PDF) for download.


Article source: http://www.darkreading.com/attacks-breaches/chinese-apt-campaigns-may-be-more-connec/240163858

Microsoft Patch Tuesday – three critical updates coming, but no TIFF zero-day fix yet

November’s Patch Tuesday is coming up this week, and Microsoft’s usual “announcement that doesn’t say an awful lot” is out to help us prepare.

There are eight bulletins, three of them are critical, and you will need to reboot.

Pretty much what you expected, in fact.

Of course, this month’s big question is, “Will the recently-announced Windows zero-day get fixed?”

That’s not just a big question, but an important one, so Microsoft has addressed it explicitly.

The answer, I am sorry to have to tell you, is, “No.”

However, the unusually loose-lipped advisory blog posting (by Microsoft Patch Tuesday standards) that goes along with this month’s Security Bulletin Advance Notification is very useful.

So, if you will forgive us taking a small side-trip into what isn’t handled in Patch Tuesday, we’ll take a quick look at it.

What’s not fixed

The recent zero-day, which allows crooks to attack your computer using booby-trapped TIFF images, has created a lot of confusion amongst users and administrators trying to work out which of their computers are at direct risk.

Microsoft’s original notification didn’t help, listing Windows XP, 7 and 8, for example, as “non-affected platforms,” but Office 2003 to 2010 as “affected.”

Judging by some of our readers’ comments, we weren’t alone in wondering which took precedence – the unaffected operating system version or the affected software.

Because the zero-day is not getting patched this month, Microsoft has done its best to clear up the confusion, so we can now tell you that:

  • If you have Windows Vista or Server 2008, you are vulnerable to the TIFF zero-day no matter what additional software you have.
  • If you have Office 2003 or 2007, you are vulnerable no matter what Windows version you have.
  • If you have Microsoft Lync of any flavour, you are vulnerable no matter what Windows version you have.
  • If you have Office 2010 you are vulnerable, but only if you are running on Windows XP or Server 2003.

Just to remind you: the TIFF zero-day can be avoided with Microsoft’s Fix it, or by manually setting this registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus
   DisableTIFFCodec = 1   (REG_DWORD)

Of course, as fellow Naked Security expert Chester Wisniewski pointed out in our recent podcast, this will probably stop you opening TIFF files that you do want to access, such as those produced by network-based fax and scanning software.

If, however, it’s years since you received a fax, and you have long made do with image support only for JPEG and PNG files – as have I – then the Fix it should do you no harm, and plenty of good.
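The registry workaround above, as an added example in PowerShell that is not from the Naked Security article or from Microsoft’s Fix it. It applies, checks or reverts the DisableTIFFCodec value, so that the “I do still need my scanner’s TIFFs” case has an easy way back. Two things are assumptions rather than facts from the article: that the value is a REG_DWORD, and that on 64-bit Windows the 32-bit registry view (Wow6432Node) should be set as well so that 32-bit Office builds pick it up.

```powershell
# Added example (not from the article or from Microsoft's Fix it): manage the
# DisableTIFFCodec workaround described above. Run from an elevated PowerShell prompt.
#   .\Set-TiffCodec.ps1 -Action Apply    # disable the GDI+ TIFF decoder
#   .\Set-TiffCodec.ps1 -Action Check    # report whether the workaround is in place
#   .\Set-TiffCodec.ps1 -Action Revert   # remove the value when you need TIFFs again
# Assumptions: REG_DWORD type; Wow6432Node view also applies on 64-bit Windows.
param(
    [ValidateSet('Apply', 'Check', 'Revert')]
    [string]$Action = 'Check'
)

$keys = @('HKLM:\SOFTWARE\Microsoft\Gdiplus')
if ([Environment]::Is64BitOperatingSystem) {
    # Assumption: 32-bit Office/Lync builds on 64-bit Windows read this view.
    $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Gdiplus'
}

foreach ($key in $keys) {
    switch ($Action) {
        'Apply' {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name DisableTIFFCodec -PropertyType DWord -Value 1 -Force | Out-Null
            Write-Output "$key : DisableTIFFCodec = 1 (TIFF decoding disabled)"
        }
        'Revert' {
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name DisableTIFFCodec -ErrorAction SilentlyContinue
            }
            Write-Output "$key : DisableTIFFCodec removed (TIFF decoding re-enabled)"
        }
        'Check' {
            $value = (Get-ItemProperty -Path $key -Name DisableTIFFCodec -ErrorAction SilentlyContinue).DisableTIFFCodec
            if ($value -eq 1) {
                Write-Output "$key : workaround applied"
            } else {
                Write-Output "$key : workaround NOT applied (current value: '$value')"
            }
        }
    }
}
```

Run the Check action across your fleet (for instance through your remote-execution tool of choice) before and after rolling the workaround out; the value is per-machine, so a machine that was reimaged or restored from an older image will quietly come back without it.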

What is fixed

As mentioned above, we can’t yet tell you exactly what’ll be fixed on Patch Tuesday – a marked contrast to the prompt and complete OpenSSH bug-fix bulletin we wrote about yesterday.

Of course, there are a lot more interacting components in Microsoft’s Patch Tuesdays – or moving parts, as skeuomorphically-minded software engineers like to call them, even though they don’t actually move at all (the parts, not the engineers).

What we can tell you is that Patch Tuesday will bring you:

  • A critical fix relevant to all versions of Internet Explorer (IE) on all platforms, on all CPUs, at all bit sizes. That means IE 6 to 11 on XP to 8.1, 32 or 64 bit, on Intel and ARM. In short, if you have Windows clients in your business, you will be updating.
  • A necessary restart, so you will be rebooting.
  • Important fixes for all versions of Office, from 2003 to 2013, and for Outlook 2007 to 2013.

As usual, keep your eye on the SophosLabs Vulnerability page to read our own assessment of the risk posed by each bulletin.

If you can’t, won’t, or simply don’t like to update as soon as you can, our Vulnerability page is a handy aid to prioritising your patching activities.

Incidentally, we frequently recommend Server Core installs whenever you are commissioning a server that doesn’t need full-blown Windows, because Server Core has less code in it to attack.

Of course, “less code to attack” doesn’t mean “no code to attack,” so we need to remind you that Server Core installs will need updating and rebooting this month.

Update. We originally concluded by saying that Server Core was not affected this month. As a commenter pointed out below, that’s not true. The article has been corrected. [2013-11-11T09:30Z]

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lv3qZDJJXaQ/

NYPD detective pleads guilty to hacking fellow police officers’ email and phone

An NYPD detective pleaded guilty on Friday to paying $4,000 for email hacking services that got him into at least one colleague’s email account and one mobile phone.

According to a statement put out by the Attorney General, the detective, Edwin Vargas, used PayPal to hire someone to hack login details for at least 43 personal email accounts and one mobile phone belonging to at least 30 individuals, including 20 current or former NYPD officers and one administrative employee.

Vargas, 42, of Bronxville, NY, was arrested in May for ordering up the hacking between March 2011 and October 2012.

He could be looking at up to a maximum of two years in prison: one year each for a count of conspiring to commit computer hacking and another count of computer hacking.

At the time of his arrest, the Attorney General said that when law enforcement checked out the hard drive on Vargas’s NYPD computer, they found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looked like telephone numbers, home addresses, vehicle information corresponding to those email addresses, and email account passwords.

Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers.

Manhattan US Attorney Preet Bharara said in the statement that being on the NYPD doesn’t give police any special dispensation to break the law that taxpayers pay them to uphold:

He accessed a law enforcement database without authorization and paid hackers to illegally obtain e-mail login information for his fellow officers and others. Vargas’s guilty plea today and his forthcoming punishment make clear that those who illegally invade others’ privacy, including members of law enforcement, will not escape prosecution.

Vargas was a bad apple, but his guilty plea brings to light more than one crooked cop.

The A.G. didn’t go into detail about how the email hacking services managed to steal login details, but phishing and social engineering are tried and true methods to go about this slimy work.

As it is, such services advertise techniques including brute-force attacks, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe), and/or social engineering techniques.

A defence-in-depth strategy can help lower the risk from those vectors within organizations.

For example, let’s hope that since Vargas’s arrest, the NYPD has laid down the law about not clicking on phishy links or opening phishy email attachments, not using overly simple passwords, and not reusing the same password across multiple sites.

Let’s hope they’ve ramped up training on:

  • Questioning and reporting suspicious behavior.
  • Refraining from sharing work-related details on social networks.
  • Not using work devices for personal activities.
  • Protecting access to different types of data with strong and separate passwords.
  • Segmenting the network so that if attackers compromise an employee with access to one network segment they can’t access more sensitive ones.
  • Not letting attackers go undetected as they work their way through the organizational phone book until they hit pay dirt. Employees should have one point of contact to whom they can send all reports of phishing expeditions, whether those attempts come via phone or email.

For more thoughts on hardening an organization’s defences, whether you’re talking about a widget maker or a police department, check out Sophos’s Practical IT guide to planning against threats to your business.

Image of NYPD detective badge by Flickr user Scoutnurse.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xLwb6YrAfkA/

Singapore police cuff alleged Anonymous hacker

South East Asia has had its fair share of Anonymous excitement lately.

An anonymous hacker calling himself “The Messiah” made hacking threats against Singapore.

Anonymous Indonesia hacked an Australian dry cleaning company, amongst others, in protest against alleged espionage by Canberra.

Anonymous Australia threatened to hack Anonymous Indonesia back.

And “The Messiah” turned his words into actions by hacking a Singaporean journalist’s blog, offended that she had committed synecdoche.

→ Synecdoche is where you use generic words to mean something more specific, like saying “England beat Australia,” when all you really mean is that England’s rugby union players collectively scored more points than their Aussie counterparts during an official match.

Irene Tham of the Straits Times, who had used the word “Singapore” metaphorically, was on the receiving end of The Messiah’s hacking wrath.

It seems she failed to explain explicitly that the threatened hacks were against “the executive arm of the government of the Republic of Singapore,” or words to that more precise, if orotund, effect.

The hacker apparently included what looks like a SHA-256 hash as part of his hack.

As you probably know, hashes like this are often used to validate that you know a secret such as a password, without needing to store the secret itself.

22 66 5e 7b a8 68 c9 0d f3 f0 47 c9 d2 e5 4a 33 
02 be 20 f4 15 29 5e 7b 76 12 8d 5f 1f dd 59 44

So, if The Messiah ever wanted or needed to assert his hacking credibility to his Anonymous buddies, he could just produce a message with the hash shown above. (You can’t go backwards from the hash to the message, so producing a message that hashes to the published value is a weak form of digital identity: it proves you hold the message, not that you wrote it.)
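To make the hash-as-calling-card idea concrete, here is an added Python example (not code from the article or from anyone involved in the incident). It checks that the hex dump printed above is the right length for SHA-256, then walks through the commit-and-reveal pattern: publish the digest, keep the message, and later prove you hold it. It also shows the two caveats a practitioner should know: a bare hash of a short, guessable message is not hidden at all (a dictionary attack recovers it), and the proof works for anyone who holds the file, not just its author. The messages and PIN candidates are constructed for the demo; no claim is made about which message produces the published digest.

```python
import hashlib
import secrets
from typing import Iterable, Optional, Tuple

# The 32 hex byte pairs printed in the article (the "calling card" left in the hack).
PUBLISHED_HEX = (
    "22 66 5e 7b a8 68 c9 0d f3 f0 47 c9 d2 e5 4a 33 "
    "02 be 20 f4 15 29 5e 7b 76 12 8d 5f 1f dd 59 44"
)


def digest_bits(hex_dump: str) -> int:
    """Length in bits of a space-separated hex dump; 256 is consistent with SHA-256."""
    return len(bytes.fromhex(hex_dump.replace(" ", ""))) * 8


def commit(message: bytes) -> str:
    """Publish only the digest: the message cannot be recovered from it."""
    return hashlib.sha256(message).hexdigest()


def verify(message: bytes, published: str) -> bool:
    """Whoever holds the original message (author or not) can show it matches."""
    return hashlib.sha256(message).hexdigest() == published


def guess_message(published: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: a bare hash of a low-entropy message is not hidden."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == published:
            return candidate
    return None


def commit_with_nonce(message: bytes) -> Tuple[str, bytes]:
    """Bind 16 random bytes into the digest so a guessable message cannot be
    matched by enumeration. The nonce is kept with the message and revealed
    together with it (constructed scheme for illustration)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + message).hexdigest(), nonce


def verify_with_nonce(message: bytes, nonce: bytes, published: str) -> bool:
    return hashlib.sha256(nonce + message).hexdigest() == published


def four_digit_pins() -> Iterable[bytes]:
    """Constructed candidate set: every 4-digit PIN as ASCII bytes."""
    return (f"{i:04d}".encode() for i in range(10000))


if __name__ == "__main__":
    print("published digest length:", digest_bits(PUBLISHED_HEX), "bits")

    # Commit now, reveal later. Only the digest goes public.
    secret_note = b"constructed example message, kept on disk"
    calling_card = commit(secret_note)
    print("calling card:", calling_card)
    print("author proves possession:", verify(secret_note, calling_card))
    print("wrong message fails:", verify(b"something else", calling_card))

    # Caveat 1: a short message behind a bare hash is recoverable by guessing.
    weak = commit(b"1234")
    print("recovered from bare hash:", guess_message(weak, four_digit_pins()))

    # Caveat 2 fix: a nonce defeats the guess, at the cost of keeping the nonce.
    strong, nonce = commit_with_nonce(b"1234")
    print("recovered from nonced hash:", guess_message(strong, four_digit_pins()))
    print("holder of message+nonce still verifies:", verify_with_nonce(b"1234", nonce, strong))
```

The last two checks are the point of the story: possession of the message (and nonce, if used) is all the proof there is, so a copy found on a seized machine verifies exactly as well as the author's own.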

He may be regretting leaving a calling card now, assuming he still has the original message somewhere on his computer.

That’s because a 35-year-old man called James Raj is alleged by the Singaporean police to be the hacker in the Straits Times incident, as well as to have hacked other local organisations.

Worse luck for Raj is that he is currently in custody in the city state on hacking charges.

So, if the cops have indeed got the right guy, and a message with the above hash is found somewhere among his digital possessions, it won’t look too good.

Raj was traced to Kuala Lumpur in neighbouring Malaysia – just 45 minutes by air or four hours of determined driving to the north of Singapore across the Straits of Johor.

According to the official police report, Raj was arrested on 04 November 2013 and brought home – he’s a Singapore national – to face court the next day.

Mind you, things don’t look that good for Raj, with or without the incriminating hash, as he was also apparently wanted for drug-related offences.

As a result, he now also faces three drugs charges in a country that is notoriously intolerant of so-called recreational drug use.

A number of Anonymous supporters and “hacktivists” have turned out not to be so anonymous after all, with convictions reported recently in several countries.

If Raj is convicted – and Singaporean conviction rates are reportedly very high – then he’ll be yet another unanonymous Anon.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QpHOwpWdUug/

Smartphone PINs skimmed with microphone and camera

Most smartphones can be secured to a degree, via the use of a PIN, pattern lock or, in the case of the latest iPhones, with a fingerprint.

The particular security feature that you choose for your smartphone may well be determined by the make and model that you own, but one of the most popular options is to use a PIN (if you have a choice we recommend you secure your phone with a password).

A new program, dubbed PIN Skimmer by its University of Cambridge creators, can correctly guess a high proportion of PINs using the device’s camera and microphone.

When selecting from a test set of 50 4-digit PINs, PIN Skimmer correctly infers more than 30% of PINs after 2 attempts, and more than 50% of PINs after 5 attempts on Android-powered Nexus S and Galaxy S3 phones. When selecting from a set of 200 8-digit PINs, PIN Skimmer correctly infers about 45% of the PINs after 5 attempts and 60% after 10 attempts.

The university team discovered that PIN Skimmer could identify PIN codes entered on number-only softpads by using the camera on the device to monitor the user’s eye movements as they enter their code. Also, the microphone could be used to detect “touch events” – the clicking sound made as the user enters their PIN on the touch screen.

The paper, written in order to raise awareness of side-channel attacks on smartphones, took the approach that the device had already been infected with malware that was then attempting to snaffle the PIN.

The university team then set out to see how effective an attack could be and, also, how PIN length may affect the likelihood that the code could be correctly guessed.

Mimicking a typical piece of malware, stealth was a key feature in the design.

The researchers ran image processing algorithms remotely to minimise battery drain, something that could alert the user that an unauthorised program was running.

An API exposed by the Android operating system was used to disable the LED that switches on in some handsets when the camera is in use.

Photos and video taken by PIN Skimmer were saved to the phone but the file sizes were limited to 2.5MB to reduce detection. A real piece of malware could likely hide such files from view completely. Likewise, the research team hypothesised that the sending of data back to the remote server could also be hidden from the user.

Additional network charges are another problem connected with transmitting data. Many smartphone users are on tariffs that charge them additional fees should they use more than a pre-determined amount of data within any monthly period. To that end, the report suggested that a real-life Trojan would probably report back to its control centre only when it detected a free WiFi connection within range.

The researchers discovered that, contrary to what you may have expected, longer PINs were actually easier to crack than shorter ones. This unexpected result was put down to the fact that longer PINs actually gave the program more information to work with which increased its accuracy.

One of the co-authors of the report, Professor Ross Anderson wrote:

Our work shows it’s not enough for your electronic wallet software to grab hold of the screen, the accelerometers and the gyro; you’d better lock down the video camera, and the still camera too while you’re at it. (Our attack can use the still camera in burst mode.)

As for mitigating the risks posed by such an attack, Anderson suggested that questions need to be asked as to which resources should remain accessible during PIN entry, though he noted that disabling some functions, such as the speaker, could seriously harm the usability of the device:

For instance when a call comes in, the user needs to hear the ring tone while unlocking his phone; otherwise he may assume the caller has hung up.

Instead, he suggests that whitelists may be the answer – denying use of all resources during PIN entry, unless explicitly authorised.

Another option, according to Anderson, would be a more widespread adoption of biometrics in smartphones but that is not without its own issues.

For now at least this attack is an academic exercise. For advice on tackling the real-world threats to your phone, read our 10 tips for securing your smartphone.


Image of smartphone courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aVNcGfub8as/

Trustwave gobbles up Application Security, gorges itself on tech

Data security biz Trustwave has acquired fellow data security provider Application Security, a startup that specialises in automated database security scanning technologies.

Financial terms of the deal, announced on Monday, were undisclosed.


Privately-held Application Security develops security software for relational databases and big data stores that helps its enterprise customers uncover critical configuration mistakes and other toxic combinations of settings that could lead to denial-of-service attacks, unauthorised data modification or data breaches.

Trustwave said acquiring Application Security will allow it to enhance its existing range of corporate compliance services as well as developing technologies to protect high-value data, and reduce security risks.

Trustwave plans to integrate Application Security’s DbProtect and AppDetectivePRO products into its portfolio of information security, compliance management and threat intelligence products and services. Application Security’s technology will be used to augment Trustwave’s existing managed security services, as well as providing the combined firm with the ability to extend protection of data and management of threats across endpoints, networks, applications and databases.

“By joining forces with Application Security, Trustwave can help customers strengthen security across their environment—from the network, applications, Web, and down to the data itself—so they can more effectively fight cybercrime, protect data and reduce security risks,” said Trustwave chairman and chief exec Robert J. McCullen in a canned statement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/12/trustwave_buys_application_security/