STE WILLIAMS

Win XP? Your PLAGUE risk is SIX times that of Win 8


UK-based Windows XP users were six times more likely to actually be infected than their counterparts who use more recent versions of Windows, according to figures from Microsoft.

The company is likely trying to highlight the infection rates of the 12-year-old OS as a way to get customers to upgrade. It says that 9.1 of 1,000 XP (SP3) boxes scanned – which is just under one per cent – had been found to be infected.


The software giant’s latest annual “Security Intelligence Report” reports that, on average, 17 per cent of computers worldwide encountered malware during the first half of 2013.

Top threats facing the UK include HTML/IframeRef – “specially formed” iFrame tags that point to remote websites containing malicious code; Sirefef – a rogue security software family called Antivirus 2010 among other names; and BlacoleRef – malicious JavaScript inserted into compromised websites that redirects browsers to the infamous Blackhole Exploit Kit.

From Microsoft’s report

The Microsoft Security Intelligence Report takes data from over one billion sources across the Windows landscape – data was drawn from Redmond real estate such as its Malicious Software Removal Tool, Exchange Online, Windows Defender and more (see page 134) – providing an overview into the threat landscape across Windows boxes around the world. The information was collected during the first six months of 2013.

The research also looks at software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software and security vulnerabilities in both Microsoft and third-party software.

“Vulnerability disclosures across the industry decreased 1.3 per cent from 2H 2012, and 10.1 percent from 1H 2012. An increase in operating system vulnerability disclosures in 1H 2013 largely offset a corresponding decrease in application vulnerability disclosures during the same period, resulting in little overall change,” according to Microsoft.

“Overall, however, vulnerability disclosures remain significantly lower than they were prior to 2009, when totals of 3,500 disclosures or more per half-year period were not uncommon.”

Microsoft doesn’t provide a reason but El Reg’s security desk suspects that some combination of improved security practices among vendors and the growth in the exploit marketplaces (which naturally result in lower vulnerability disclosures) is behind the change.

Application vulnerability disclosures accounted for 63.5 per cent of total disclosures for the first half of 2013. Operating system vulnerabilities accounted for 22.2 per cent of total disclosures, while browser bug reports made up the remaining 14.3 per cent.

Redmond is urging laggard Win XP users to upgrade their machines before security updates for the OS end on 8 April 2014. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/31/security_intelligence_report_microsoft/

NSA, Apple, Facebook and Adobe

“You can’t have your privacy violated if you don’t know your privacy is violated”

House Intelligence Committee Chairman Mike Rogers suggested during a hearing at the US National Security Agency (NSA) on Tuesday that it’s impossible to have your privacy violated if you don’t know that your privacy is being violated.

The Republican Congressman was interrogating American University College of Law professor Stephen Vladeck over his concerns about NSA surveillance programs.

Rogers put his argument this way:

Maybe the fact that we haven’t had any complaints come forward with any specificity arguing that their privacy has been violated clearly indicates – in 10 years – clearly indicates that something must be doing right. Somebody must be doing something exactly right.

Vladeck replied with this question:

But who would be complaining?

Which is when Rogers laid out his “if I peek into the windows at the sorority house and they don’t find out, the police can’t arrest me, right?” rationale. (Hat tip to Mediaite.com commenter Tenth Justice.)
To wit:

Somebody whose privacy was violated. You can’t have your privacy violated if you don’t know your privacy is violated, right?

So does the logic here apply elsewhere then? What about, say, hijacking webcams?

If your victim isn’t aware that they’ve been leered at and photographed/videotaped while undressing, and you haven’t gotten around to sextorting them yet, no crime was committed, right?

Furthermore, I would ask, if a tree falls in the forest and nobody hears it, a) has it made a sound, and b) does the NSA have their people on it to pick up on advances in coniferous intelligence operations?

Video courtesy of Breaking News 24×7.

Image of listening ear courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9yZaAUx39Zk/

Anonymous threatens Singapore with hacking attacks, calls for November 5 protest… perhaps

An anonymous person, claiming to be Anonymous, recently fired off a hacking threat against Singapore’s financial systems.

The threat was detailed in a video posted on YouTube, apparently under a real user’s name, and came with a full transcript – a wordy one, if the truth be told – detailing what was planned and why it should be taken seriously.

The video has now been removed, as you’d probably expect if a compromised account had been used:

As I didn’t save the transcript when it was available (the internet has a Murphy’s Law way of retaining things you would rather remove, and vice versa, doesn’t it just?), I shall have to go from memory here:

Anonymous here … Warning to Singapore about censoring the internet … Stop it or we’ll attack your financial systems to pay you back … You think you’ll keep us out? Ha! … Also, wear clothes in [redacted] colours on the Fifth of November to show solidarity, and change your Facebook profile picture to a giraffe! [*] … We never forget, and the rest of our motto.

Of course, anyone can claim to be “Anonymous,” and many have done so.

And there’s often some sort of action proposed under the Anonymous banner for 05 November.

Anonymous uses an image of Guy Fawkes on its mask logo. Fawkes was caught underneath the parliament buildings in England, along with a huge stash of gunpowder with which he and his co-conspirators apparently planned to blow the government to smithereens, back on 05 November 1605.

That’s the connection. (“Remember, remember, the Fifth of November. Gunpowder, treason and plot!”)

We’ve already been asked, “Should this threat be taken seriously?”

Well, hackers under the guise of Anonymous have managed some admittedly fairly modest cyberattacks in the past, including:

So, if you’re not secure against this sort of modest attack, you probably don’t stand much chance against more determined cybercriminals – attackers who don’t usually announce their intentions in advance with a YouTube video.

What that means is that if computer security is worth doing, it is worth doing well, with or without the posturings of unknown proponents of so-called hacktivism.

In short: I don’t see any need to do anything differently because of this latest, short-lived Anonymous video, unless you weren’t taking computer security seriously beforehand.

So perhaps Singaporeans should treat this video not as a threat, but simply as a handy reminder – coming as it does on the very last day of Cyber Security Awareness Month! – that computer security matters.

If you haven’t done them yet, why not DO THESE 3?

That’s our advice by which anyone, anywhere, can do their bit to help everyone, everywhere.

* I made up the bit about the giraffe picture. That’s another story altogether, caused by a hoax about booby-trapped JPEG images of giraffes. (I don’t know why giraffes and not, say, Gambian pouched rats.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jybG0biKsNw/

Contactless payments – researcher intercepts card data from a metre away

Your mission, should you choose to accept it, is to intercept contactless payment data at distances of up to 90cm using a backpack, shopping trolley, and a small antenna.

Mission: Impossible?

Apparently not, according to a paper published by the Institute of Engineering and Technology on Tuesday.

University of Surrey researcher, Thomas P Diakos, created an inexpensive receiver, small enough to fit into a backpack, using the above items along with other off-the-shelf electronics. Using this equipment he was able to eavesdrop on cards at distances of 20 – 90 centimetres, maintaining good reception at up to 45cm – despite the fact that one of the main security features of contactless cards is a requirement not to transfer payment data in excess of 10cm from a reader.

Lead academic supervisor Dr Johann Briffa said:

The results we found have an impact on how much we can rely on physical proximity as a security feature. The intended short range of the channel is no defence against a determined eavesdropper.

Contactless payments, utilising Near Field Communication (NFC) technology, are becoming increasingly popular in many parts of the world.

They allow consumers to make low-value purchases (up to £20 in the UK, for example) merely by holding their card near to a reader.

By eliminating the need for a PIN number to be entered, such a payment method allows for extremely quick purchases, something that those with hectic lifestyles undoubtedly appreciate.

There are, however, some security concerns about contactless payments, with ‘skimming’ being an obvious mode of attack.

In April a survey showed that 45% of the respondents were either totally against the introduction of NFC or, at the least, unsure about using it as a payment method.

Of those who did not want the technology to be introduced, 59% cited security concerns. Such results may have been influenced by a Channel 4 report in March which showed a standard mobile phone could be easily adapted to acquire a limited data set by simply coming into close proximity with a bank card.

Even with this small amount of data – the cardholder’s name, the long card number and expiry date – a criminal could still make fraudulent purchases from some companies, though a UK Cards Association spokesman did tell Naked Security that:

There are already additional layers of security in place to prevent the use of a card number and expiry date, such as PIN and the card security code (the three-digit number found on the back of cards), which cannot be harvested electronically. The vast majority of online retailers require the card security code, along with the cardholder’s address, and all have robust security checks in place to protect both their business and their customers from fraud.

Fraud related to contactless card payments appears to be small in comparison to their non-contact counterparts though. The UK Cards Association said that at the end of 2012 the levels of fraud on contactless cards were negligible at just £13,700. This compares with non-contactless losses of £55m.

The association also highlighted how cardholders are protected should the worst happen:

In the case of any fraud using a contactless card, consumers are protected against loss – they will not be liable for any fraudulent use.

The trade association for the card payments industry in the UK also played down the University of Surrey’s findings, saying that:

Instances of fraud on contactless cards are extremely rare. Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information – and it certainly could not be used to make a cloned card.

Meanwhile, those at the University of Surrey are set to continue their work, saying that future experiments will look into how ‘wave-and-go’ cards can be cracked and how the uncovered data could be used by criminals.

Image of credit card courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C5CHJSQ2W-E/

Lavabit and Silent Circle form “Dark Mail Alliance” to thwart email surveillance

Two encrypted-email companies that shut down while struggling to keep metadata out of the US government’s hands have announced that they’re teaming up to create a new, open-source email protocol based on security and privacy and that they plan to help the world to hopefully ditch the old one: Simple Mail Transfer Protocol (SMTP).

The collaboration, dubbed the Dark Mail Alliance, between founding companies Lavabit and Silent Circle, will be focused on maintaining and organizing the open-source code for the new email protocol.

The companies announced the alliance at Wednesday’s Inbox Love conference, held at Microsoft’s Silicon Valley campus, saying that they hope to “change the world of email completely by putting privacy and security at its core.”

The two founding companies also plan to bring other members into the alliance and to assist future recruits to implement the new protocol.

Specifically, Lavabit and Silent Circle will work jointly to help email software developers and service providers proliferate what they’re calling Email 3.0, a “private, next-generation, end-to-end encrypted alternative.”

As it is, email is now “fundamentally broken from a privacy perspective”, Lavabit said in its press release:

What we call ‘Email 3.0.’ is an urgent replacement for today’s decades old email protocols (‘1.0’) and mail that is encrypted but still relies on vulnerable protocols leaking metadata (‘2.0’).

Our goal is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind.

Ars Technica’s Cyrus Farivar reports that the new protocol is set for a mid-2014 release.

Silent Circle CTO Jon Callas told Ars that it’s high time to boot the antiquated SMTP out the door:

This is just another transport – what we’re getting rid of is SMTP. We like to laugh at it, but there are reasons why it was a good system. We’re replacing the transport with a new transport. E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends.

The new protocol will be based on Extensible Messaging and Presence Protocol (XMPP), a set of open Extensible Markup Language (XML) technologies for real-time online communication, including instant messaging, presence, multiparty chat, voice and video calls, online collaboration, gaming, file transfer, Internet of Things applications including the smart grid, and social networking services.

As Cisco describes it, the core technology behind XMPP was refined in the Jabber open-source community in 2000 and formalized by the Internet Engineering Task Force (IETF) in 2002 and 2003.

Silent Circle’s Callas told the conference that the company’s existing Silent Circle Instant Messaging Protocol (PDF) was a rough “alpha” of the new Dark Mail protocol.

Dark Mail will be available as an add-on or an option to existing email providers, which means that companies such as Google could opt to use it with Gmail, for example.

That’s not an entirely unimaginable outcome, I would say, given how furious Google reportedly is over new documents from NSA whistleblower Edward Snowden that point to the US’s National Security Agency (NSA) having infiltrated links to Yahoo and Google data centers worldwide.

Lavabit founder Ladar Levison told Ars that he will soon launch – possibly as soon as Tuesday – a Kickstarter campaign to fundraise for the Dark Mail Alliance to open-source Lavabit’s code “with support for Dark Mail built-in.”

Farivar reports that the first 32 companies to donate $10,000 will get a pre-release 60 days before the public gets it and thus will be able to be the first companies to integrate it into their systems.

Lavabit, Snowden’s former email provider, shuttered its service in August following court orders demanding metadata about an unnamed user who many assume was Snowden.

Levison did, actually, end up giving the government Lavabit’s cryptographic key in digital form, after having first printed out and handed over a copy of the key in 4-point type that didn’t quite fly with the government’s judge.

Shuttering Lavabit’s service meant that even though the government had the key, they didn’t have anything to open with it.

Silent Circle, for its part, in short order followed Lavabit’s example, pre-emptively shutting down its Silent Mail service in anticipation of the government getting its hands on the metadata that is, for now, inevitably associated with email.

The goal of ditching SMTP is ambitious: it’s now used for almost all email that travels on the Internet.

But as Ars reader Major General Thanatos commented, the NSA’s vigorous surveillance propensities well might have provided the world with a good reason to put its shoulder to the task and make the switch.

Would switching to XMPP stop spying once and for all? If so, how painful would such a switch be? Can you imagine the world actually doing it?

Let us know your thoughts in the comments section below.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JGi6y70VJF8/

Facebook mulls silently tracking users’ cursor movements to see which ads we like best

Facebook is testing data mining methods that would silently follow users’ mouse movements to see not only where we click but even where we pause, where we hover and for how long.

And holy mackerel, did somebody say something about there being the potential ability to track how long a user’s cursor hovers over an o-so-tasty, revenue-generating ad?

Why yes, and that somebody was Ken Rudin, Facebook’s analytics chief.

At the Strata and Hadoop World Conference in New York on Tuesday, Rudin told the Wall Street Journal that the already data-stuffed social network would have to purchase data pants with a stretchy waistband if it does decide to gorge itself on data about users’ cursor movements.

Rudin told the WSJ that the ongoing tests are part of a broader technology testing program.

Facebook should know in the coming months whether incorporating the new data collection makes sense for a slew of uses, be it product development or more precise targeting of ads, he said.

Facebook is looking at collecting data such as “did your cursor hover over that ad … and was the newsfeed in a viewable area,” he said.

You well might question whether cursor tracking isn’t in fact already a standard part of web analytics.

Back in 2011, Microsoft researchers looked at how to use cursor movement to understand and improve search results.

They came up with an easy way to track users’ gaze direction on a website using nothing but a standard web browser and a practically imperceptible Javascript of less than 1kb that could be run invisibly on any page without slowing its load time or a browser’s performance, as MIT Review described at the time.

It turns out that where we place our mouse cursor closely correlates with eye gaze – i.e., what we look at on pages – especially when looking at search results, the researchers found.

The researchers came up with (PDF) the ultralightweight gaze-tracking tool by examining mouse cursor behavior on search engine results pages, including not only clicks but also cursor movements and hovering over different page regions.

On page 5 of the Microsoft paper, images of heat maps of click positions vs. recorded cursor positions show that cursor movements provide far richer data about how frequently a user interacts with a given page.
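To make concrete how much a page script can infer from nothing but timestamped cursor coordinates, here is an added example (not code from the Microsoft paper or from Facebook) that turns a cursor trace into per-region dwell time, pauses and entries. The region layout, thresholds and sample trace are constructed for illustration; in a browser the samples would come from a `mousemove` listener.

```javascript
// Added example: what a cursor trace reveals about attention per page region.
// REGIONS, SAMPLE_TRACE and the thresholds are constructed for illustration.

// Hypothetical page layout: axis-aligned rectangles in page coordinates.
const REGIONS = [
  { name: "newsfeed", x: 0, y: 0, w: 600, h: 800 },
  { name: "ad-slot", x: 620, y: 100, w: 300, h: 250 },
];

// Return the name of the region containing (x, y), or null if none does.
function regionAt(x, y, regions) {
  const hit = regions.find(
    (r) => x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h
  );
  return hit ? hit.name : null;
}

// events: [{t, x, y}] sorted by t in milliseconds.
// mousemove only fires while the cursor moves, so the gap between two
// consecutive samples is time the cursor sat still at the earlier position.
// That gap is credited to the earlier sample's region. Gaps above maxGapMs
// are dropped: they more likely mean the user walked away than a long hover.
function summarizeTrace(events, regions, opts = {}) {
  const { maxGapMs = 2000, pauseMs = 500 } = opts;
  const stats = {};
  for (const r of regions) {
    stats[r.name] = { dwellMs: 0, pauses: 0, entries: 0 };
  }
  let prevRegion = null;
  for (let i = 0; i < events.length; i++) {
    const e = events[i];
    const region = regionAt(e.x, e.y, regions);
    // Count each time the cursor crosses into a region from elsewhere.
    if (region && region !== prevRegion) stats[region].entries++;
    prevRegion = region;

    const next = events[i + 1];
    if (!next || !region) continue;
    const dt = next.t - e.t;
    if (dt < 0) throw new Error("events must be sorted by time");
    if (dt > maxGapMs) continue;
    stats[region].dwellMs += dt;
    if (dt >= pauseMs) stats[region].pauses++;
  }
  return stats;
}

// Constructed trace: a quick pass over the newsfeed, an 800 ms hover on the
// ad slot, a move off both regions, a 5 s absence, then back to the newsfeed.
const SAMPLE_TRACE = [
  { t: 0, x: 100, y: 100 },
  { t: 50, x: 300, y: 200 },
  { t: 100, x: 630, y: 150 },
  { t: 900, x: 640, y: 160 },
  { t: 950, x: 700, y: 200 },
  { t: 1000, x: 950, y: 400 },
  { t: 6000, x: 100, y: 100 },
  { t: 6100, x: 110, y: 110 },
];

console.log(summarizeTrace(SAMPLE_TRACE, REGIONS));
```

No click occurs anywhere in the trace, yet the summary still records a sustained hover over the ad slot, which is the kind of signal a click map cannot show.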

Two years later, is Facebook ahead of the curve in planning cursor tracking, or is it playing catchup?

It turns out that Facebook well might be in the vanguard, given that advances in cursor tracking haven’t yet replaced, to any extensive degree, simple maps such as those for Google Analytics that merely show where we’ve clicked on a page.

In fact, such click maps, typical of most website analytics, don’t actually show where a user has clicked; rather, they show only which page the user ended up on and which links can go there.

Exceptions to the web analytics status quo of simple click maps include third-party services that do, in fact, offer cursor and hover tracking.

The WSJ reported on one such, Shutterstock, in March.

At the time, Shutterstock founder and CEO Jon Oringer said that his company – which is a marketplace for digital images – was looking at “every move a user makes,” including where site visitors place their cursors and how long they hover over an image before making a purchase.

Rudin, being Facebook’s data chief, is preparing the company’s infrastructure for the massive data binge that would come out of such cursor/hover tracking.

But as Rudin himself pointed out, the deluge of information isn’t going to help anybody unless Facebook can figure out how to make use of it:

Instead of a warehouse of data, you can end up with a junkyard of data.

He told the WSJ that he’s led a project to index the data in Facebook’s analytics warehouse, which is actually separate from its user data.

Javascript processing has relieved the strain on the browser for this type of tracking. Now, the only problem that remains is how to store and process all the resulting data.

What do you think: if Facebook does decide to collect the new behavioral data and actually does manage to cinch its belt around its resulting bloated data belly, will users’ privacy be that much more pinched?

Or have we already been chewed up and digested to the point that it really doesn’t matter any more?

Let us know in the comments section below.

And not that we want to make you feel guilty or anything, but we think you should know that our feelings will be hurt unless you hover long and lovingly over everything posted on – where else? – Naked Security’s Facebook page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P1CXQvRknxo/

The “BadBIOS” virus that jumps airgaps and takes over your firmware – what’s the story?

A number of readers have asked us, “What do you guys have to say about the BadBIOS story that’s unfolding at the moment?”

In a nutshell, it’s a story about a virus that is claimed to have some remarkable characteristics.

Sufficiently remarkable, in fact, to inspire Ars Technica’s Dan Goodin to describe it as not just “mysterious” but “omnipotent.”

What it does

Here are some of the claims that have been made about the BadBIOS virus:

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.
  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.
  • It is said to prevent infected systems being booted from CD drives.
  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.
  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.
  • It is said to infect simply by plugging in a USB key, with no other action required.
  • It is said to infect the firmware on USB sticks.
  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.
  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.
  • It is said to block access to Russian websites that deal with reflashing software.
  • It is said to render any hardware used in researching the threat useless for further testing.
  • It is said to have first been seen more than three years ago on a Macbook.

By now, you may be thinking that this sounds more like a science fiction movie than real life.

In fact, if you’re a certain age, you may well be waiting for Jeff Goldblum to burst forth with a Mac, some mysterious and omnipotent file transfer software, and a countervirus that will save the planet.

You’re probably also thinking that with as many symptoms, twists, turns and apparent tell-tales as are listed above, we ought to know a lot about it after three years.

The thing is, all the facts above come from one observer on Twitter, @dragosr, the guy who runs the CanSecWest, Eusec and PacSec security conferences.

The abovementioned details have only come out in the past short while, so we can collectively be excused for not knowing an awful lot just yet.

What we know

One BIOS sample file has been made available; SophosLabs took a brief look and largely concurred with an already-public analysis published on Reddit. (For the record, our analysts didn’t see the Reddit story until after they’d looked at the file.)

The BIOS we saw seems all but identical to an official Dell Alienware BIOS, so it would be no use on a Mac, for example.

And even if a byte-by-byte analysis of the whole BIOS were to reveal a pre-planted backdoor, that would nevertheless only be one small part of the whole story.

Furthermore, the software defined radio and speaker-to-microphone infection vectors mentioned above, as a vehicle for jumping airgaps, sound highly speculative.

Not impossible, of course – never say impossible where malware is concerned, not least since Stuxnet appeared – but certainly very unlikely.

Spreading via USB sticks, like Stuxnet did, would surely be a satisfactory explanation on its own (though the part assuming automatic code execution via USB on multiple operating systems sounds highly speculative, too).

Imagine that you could reliably get an infected system to beam out radio waves in the absence of any radio hardware, for example by relying on some serendipitously-located internal circuit parts to serve as your transmitter and antenna.

Imagine that you could somehow turn on the speaker and produce reliably-decodable but inaudible sounds.

How would you persuade the uninfected computer to receive them at all, let alone to treat them as shellcode that would ultimately let you reflash the BIOS?

Update. As several readers pointed out, @dragosr has tweeted, “To be explicit, no audio infection, just cc, only 2 unusual infection vectors IDed, USB and one other, waiting on patches before discussion.” CC means Command and Control, the name given to the data transfer mechanism by which a botnet is operated. [2013-11-01T20:00Z]

What we can predict

So the short answer to the question of what we have to say about BadBIOS is, “We can’t yet say.”

Based on @dragosr’s tweets, it looks as though additional information, including access to affected USB sticks, will become available at the PacSec conference in Tokyo in just under two weeks’ time; until then, says Dragos, he’s got to knuckle down to prepare for the event.

And, talking of the event, there are various papers about firmware and BIOS level attacks at PacSec 2013, so let’s hope that one or more of them will shed some light on what’s true and false about BadBIOS.

Until then, it’s a bit like the dilemma we faced nearly five years ago when the Conficker virus came out and stood poised to do something new on 01 April 2009.

Everyone wanted to know what it would do, but all anyone could say with honesty was, “We shan’t know until 01 April.”

What to do about BadBIOS

I don’t think there is any need for alarm over the BadBIOS story.

There isn’t an obvious threat to everyone (like there was with Stuxnet, even before we knew its inner purpose); it doesn’t seem to be spreading in the wild (like Stuxnet was, despite having a specific target); and there are plenty of clear and present threats we can usefully concern ourselves with in the interim.

So that’s about that for now, I’m afraid – it’s a question of watching and waiting.

NB. It’s possible, of course, that this is an elaborate hoax, intended as a combined publicity exercise and social engineering experiment that will be wrapped up at PacSec. If so, expect it to be aimed at outing anyone who jumped to detailed conclusions without having the details to go on!

Image of funky looking chip courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5tjRu89lYgU/

Wisconsin woman accused of posting love rivals’ nude pics on Facebook

A woman from South Milwaukee, Wisconsin, faces stalking and identity theft charges after she allegedly hacked into her ex-boyfriend’s email and stole information not only on him, but also on his other love interests.

According to local reports, Phoebe Sayavong is alleged to have “hacked” the email account of her ex (read – guessed or figured out the password), locked him out of the account and accessed personal information on him and other women he had dated.

She is then thought to have set up accounts on social media sites, including Facebook, Pinterest and LinkedIn, using nude or partially-nude photos of the women – in some cases it’s thought the pictures were faked by merging the women’s faces with other photographs – and then sending friend requests to the families of the women targeted.

Most disturbingly, at least one of the women reported being visited at home by a man who thought he had met her online and had been invited over to have sex with her.

Sayavong’s stalking stretches back to as early as May this year, and is believed to have included repeated phone calls and drive-bys of her former lover’s home in Racine County, Wisconsin, spraying his car with soft drinks, and spreading garbage on his lawn.

She is also claimed to have found out her victim’s social security number, and read it out to him over the phone.

Another local report cites court documents which apparently claim police found clear evidence related to the email hacking and setting up the fake social media accounts on Sayavong’s computer.

She faces multiple identity theft charges as well as one each of stalking, recklessly endangering safety and “distributing a recording of nudity without the subject’s consent”. The latter is considered a felony under Wisconsin legal code.

It seems it’s not enough to be careful about keeping our own systems and accounts secure, we have to pay close attention to who we share information with and how well they maintain their security.

Of course, it’s probably never that wise to go sending intimate photos of yourself to anyone, however well you trust them. Remember, anything that’s on the internet is a) unlikely to remain entirely private, and b) never going to go away.

Email may feel safer than posting to a public website, but really it’s just another part of the internet and should be subject to the same rules.

Leaving aside the issue of personal pics, most people probably feel OK about letting their boyfriends know all manner of things about them that they wouldn’t want all and sundry to hear about, but it’s worth remembering just how useful our personal info can be to bad actors.

Even basic info like names and addresses seems to have been used for some pretty creepy purposes in this case.

It’s best to be as cautious as possible, and if you think someone you’re entwined with may be at risk of being a hacking target – if they have a rather worrying ex-girlfriend for example – be sure to remind them of the importance of good computer and password hygiene.

Even if they do no more than the basic essentials, that’s a start at least.

The same goes in the business world too. If you have to share data on yourself or your clients or customers with third parties, make sure you know what steps they are taking to keep your data secure before you hand anything over.


Image of woman on computer and password courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dlSPhLz-k1A/