STE WILLIAMS

Busts, Bounties and Backdoors

Biometrics not so trustworthy: False Samsung stock-pump buy draws Swedish cops


An elaborate scam saw shares in Swedish biometrics firm Fingerprint Cards rise by over 50 per cent after a false press release was circulated saying the company was being bought by Samsung.

On Friday press release distributor Cision put out the fabrication, claiming the Swedish firm had been bought for $650m in a cash deal with the monster chaebol.

The previous day the scammers behind the announcement had registered a phony domain for the firm using the email address [email protected] and Cision say they checked the phone number provided and spoke to someone claiming to be Fingerprint Cards’ CEO.

“When it comes to fraud, you cannot protect yourself 100 percent,” Cision’s chief executive Magnus Thell told Reuters.

Not surprisingly the news caused a surge in the stock price for Fingerprint Cards before the press release was rescinded. The Swedish financial authorities have since cancelled 160 million Swedish crowns ($24.6 million) of stock trades in the company and the police are conducting a criminal investigation.

“Of course we are going to investigate what has happened and we are going to do that with the company in question, the FSA (market regulator) and Cision,” Carl Norell, a spokesman for the exchange told Reuters.

Ever since Apple unveiled its fingerprint recognition technology on the iPhone 5S shares in biometrics firms have been enjoying something of a boom. Fingerprint Cards’ stock price has risen five-fold in the last year alone and it’s suspected the fraudsters will have used the phony press release to both drive up its price and those of similar companies. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/12/cops_called_after_fake_samsung_biometrics_buy_fiddles_with_stock_prices/

Researchers Highlight Security Vulnerabilities in AIS Ship Tracking System

When it works normally, the Automatic Identification System (AIS) used by ships can be a captain’s best friend, helping him or her avoid collisions on the high seas. Under the control of a hacker however, AIS could become a captain’s worst enemy.

At the upcoming Hack in the Box Security Conference in Malaysia, a team of security researchers is preparing to demonstrate how an attacker could hijack AIS traffic and perform man-in-the-middle attacks that turn the tracking system into a liability.

AIS is an automatic tracking system intended to help identify and locate vessels electronically to help avoid collisions on the water. AIS transponders on the ships include a GPS receiver and a VHF transmitter, which transmits information to other vessels or base stations. AIS is required on many vessels, including international voyage ships weighing 300 tons or more and all passenger ships regardless of size.

Trend Micro’s Kyle Wilhoit, one of the researchers who worked on the project, says the attacks can be broken up into two categories: those that target the AIS Internet providers that collect and distribute AIS information, and those targeting flaws in the actual specification of the AIS protocol used by hardware receivers in all the vessels. Without getting too deep into the vulnerabilities ahead of the presentation, which is slated for Oct. 16, Wilhoit explains that the upstream providers fail to authenticate AIS sentences coming from ships.

“I could go out and I could pretend to be a boat, and they don’t even fact check it,” he says. “They don’t look at, OK… is this AIS sentence actually a boat? They don’t check any of that. So it’s all accepted as is. It’s accepted as true.”

According to Wilhoit, these conditions could allow an attacker to tamper with valid AIS data and do everything from modify a ship’s position to creating a fake vessel with the same details to fool anyone monitoring ships at sea.

The researchers are also prepared to demonstrate how the other set of attacks could be used to perform a variety of malicious actions, including fake “man-in-the-water” distress beacons – which would trigger alarms on any vessels using AIS within approximately 50 km – as well as faking a CPA (closest point of approach) alert and triggering a collision warning alert.

“The complexity of the attack is what I would consider ‘somewhat complex,’” Wilhoit says. “This is because the AIS protocol(s) are typically not…researched by security researchers. Therefore, there’s a learning curve with the protocols, uses [and] implementations of AIS. However, once you gain access to the AIVDM sentences, it’s in clear text, which makes it somewhat easy to modify. Also, you have to reverse engineer the AIVDM sentences, and be able to put them back together in order to correctly perform attacks – which proved to be somewhat difficult.”

The cost of performing the attack is relatively cheap: the necessary equipment can be purchased for between $100 and $300 depending on the attack.

The researchers are working with upstream providers and others on addressing the vulnerabilities, Wilhoit says.

“From the online web providers such as Marinetraffic.com implementing authentication from every vessel submitting sentences would help mitigate the problem fairly quickly,” he notes. “However, the fundamental problem(s) with the AIS protocols would require a complete overhaul – which is difficult because it’s implemented worldwide in thousands of devices.”
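As an added illustration (this is not the researchers’ code, and it assumes nothing beyond the public AIVDM sentence layout), the following Python decoder shows what an aggregator actually has to go on when it accepts a sentence: a one-byte XOR checksum that detects transmission damage but carries no information about who sent it, which is why authenticating the submitting vessel has to be a separate layer.

```python
"""Decode an AIVDM sentence and check its NMEA checksum.

Added example, not from the Trend Micro research or any AIS product. The only
integrity mechanism in a raw AIS sentence is the one-byte XOR checksum at the
end; it catches bit errors on the air or on the wire, but a sentence that
verifies says nothing about whether a real vessel produced it. That is the
gap the article describes for providers that accept sentences unauthenticated.
"""


def nmea_checksum(body: str) -> int:
    """XOR of every byte between the leading '!' and the '*' (NMEA 0183)."""
    result = 0
    for ch in body:
        result ^= ord(ch)
    return result


def armor_to_bits(payload: str) -> str:
    """Expand the 6-bit ASCII armoring of an AIVDM payload into a bit string."""
    bits = []
    for ch in payload:
        value = ord(ch) - 48
        if value > 40:
            value -= 8
        bits.append(format(value, "06b"))
    return "".join(bits)


def decode_aivdm(sentence: str) -> dict:
    """Parse one !AIVDM sentence; report checksum status and the header fields."""
    if not sentence.startswith("!") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    body, _, given = sentence[1:].partition("*")
    fields = body.split(",")
    if fields[0] != "AIVDM" or len(fields) != 7:
        raise ValueError("not an AIVDM sentence")
    bits = armor_to_bits(fields[5])
    return {
        # True only proves the bytes were not damaged in transit.
        "checksum_ok": int(given, 16) == nmea_checksum(body),
        "channel": fields[4],
        "msg_type": int(bits[0:6], 2),   # 1-3 are position reports
        "repeat": int(bits[6:8], 2),
        "mmsi": int(bits[8:38], 2),      # 30-bit vessel identity, unauthenticated
    }


# Constructed sample: a type-1 position report claiming MMSI 123456789 with the
# remaining fields zeroed. The checksum is computed here so the sample verifies.
SAMPLE_BODY = "AIVDM,1,1,,A,11mg=5@000000000000000000000,0"
SAMPLE = f"!{SAMPLE_BODY}*{nmea_checksum(SAMPLE_BODY):02X}"

# The same sentence with a single-character transmission error and the
# original checksum: this is the one failure the checksum is designed to catch.
CORRUPTED = SAMPLE.replace("11mg=5@", "11mg=5A", 1)

if __name__ == "__main__":
    for label, sentence in (("sample", SAMPLE), ("corrupted", CORRUPTED)):
        print(label, decode_aivdm(sentence))
```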


Article source: http://www.darkreading.com/attacks-breaches/researchers-highlight-security-vulnerabi/240162568

Easily picked CD-ROM drive locks let Mexican banditos nick ATM cash


Lax security at Mexican banks has allowed cybercriminals to put their own malware-ridden CDs into ATM machines in order to gain control of the easily-compromised cash machines.

The Ploutus malware was installed after “criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it”. The ruse was possible because many ATMs in Mexico use a simple lock that is easily picked, allowing the attackers to gain physical access to the machines.

Attacks involving getting malware onto ATMs are rare but far from unprecedented. Normally all sorts of trickery are necessary before being able to get a trojan onto a target machine.

Malware-based ATM scams have previously involved using corrupt insiders to infect hole-in-the-wall machines. Learning how an ATM works by posing as a repair technician is also unnecessary thanks to Ploutus. You don’t need a genius security researcher to develop a fiendishly cunning ATM attack, either.

Schoolboy errors made the self-service ATM-pwning tactic all too easy for Mexican crooks. The extent of the resulting scam – either in terms of how much money was lost or how many machines were infected – remains unclear. However details of how the malware itself works are fairly well understood.

Information security firm Trustwave has completed an analysis of the malware after obtaining samples of the malicious code. Infected machines still carry out their normal functions of dispensing cash. But if a particular key combination is input into the compromised device, the attacker will be presented with a hidden GUI, written in Spanish, complete with drop-down menus apparently designed for a touch screen.

Once crooks input a passcode – derived from a fixed four-digit PIN combined with the figures for the day and month – they obtain the ability to dispense money from the compromised ATM.

“If you are a bank or the owner/operator of ATMs in Mexico, you will want to examine your machines for evidence of tampering,” advises Josh Grunzweig, an ethical hacker in TrustWave’s SpiderLabs team. “Banks and ATM owner/operators outside of Mexico could also benefit from an inspection of their ATMs.”

“Examples of targeted malware like Ploutus serve as a reminder of the importance of a thorough security review of ATMs and the back-end systems connected to them,” he added.

Grunzweig has put together a blog post explaining how the malware works – containing code snippets and a screenshot of the GUI cybercrooks are able to feast their eyes upon once the malware is installed on compromised cash machines – here.

This is ATM fraud without recourse to skimmers to harvest the card details of consumers or other more complex approaches. So far Ploutus-based attacks have been targeted against ATMs at off-premise locations, according to self-service device information security software developer SafenSoft.

“The emergence of new malware with ability to directly extract cash from ATMs is a very alarming sign for self-service device security,” Stanislav Shevchenko, chief technology officer at SafenSoft, warns. “Malware like this allows the cybercriminals to skip the whole process of cash withdrawal they have to take part in after using traditional ATM trojans and skimmer-like devices to steal the plastic card information.

“Additionally, by spreading malware like that criminals can easily bypass the traditional antivirus-based protection on the ATMs. If that trojan gets massively distributed any bank without specialised protection software on its ATMs will have hard times ahead,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/11/mexico_atm_malware_scam/

Simplexo Recognized For Driving Secure Search Technology To The Forefront Of Cloud Computing

Simplexo, a British pioneer of security search technology has been shortlisted in two categories of the SVC awards – Cloud Company of the Year and SaaS Solution of the Year, demonstrating its commitment to driving secure search technology to the forefront of the cloud, virtualisation and storage markets.

Taking place at a gala award ceremony on Thursday 21st November at the prestigious Jumeirah Carlton Tower, in Knightsbridge, London, the SVC awards recognise the achievements of end-users, channel partners and vendors who are powering innovation across the cloud and storage sectors over the past 12 months.

Simplexo technology provides secure universal access to electronic content – whether in the form of documents, emails, corporate systems, databases or web content. The technology is developed entirely in-house and is based on a methodology that has been successfully deployed in bespoke business solutions over the last 10 years.

Its recognition at the SVC awards is in light of the launch of SearchYourCloud, a new application that enables people to securely find and access information stored in Dropbox, Microsoft Exchange, SharePoint or Outlook.com with a single search, while also protecting their data and privacy in the cloud.

Simon Bain, founder of Simplexo states that the recognition received in being shortlisted is a testament to the work of Simplexo in bringing the issues of search security to the mainstream of IT security:

“Many people believe that there is a trade off between ease of access to information and security. In reality, finding information from mobile devices has been both extremely convoluted and not secure. We have solved the access and security problem in an easy to use service – SearchYourCloud.

“The Simplexo team has worked long and hard to deliver a remote access solution that does not require users or businesses to compromise productivity, privacy or security and it’s great to receive our efforts being acknowledged.”

– ENDS –

About Simplexo

Simplexo Ltd is focused on delivering a new experience in federated search, and is founded on a solid history in electronic document management and retrieval. Today, Simplexo technology is delivering value to individuals and organisations in many industry sectors, including financial services, healthcare and local government. For more information, please see: http://www.simplexo.com/

Article source: http://www.darkreading.com/simplexo-recognized-for-driving-secure-s/240162553

BYOD Will Always Be Trade-Off Between Convenience And Security, Says Context

11 October 2013: Research by independent security consultancy Context Information Security has revealed limitations in current Mobile Device Management (MDM) solutions for Bring Your Own Device (BYOD) implementations. The report published today also concludes that BYOD will always be a trade-off between convenience and security, as devices can only be locked down so much before users choose not to opt in to the scheme.

Context researchers looked at three leading MDM solutions, Airwatch, Blackberry Universal Device Service and Good for Enterprise, when used with Android and iOS mobile devices. While they were all found to provide good levels of BYOD security, like all MDMs they are limited in what they can achieve by the underlying operating systems.

For example, MDM solutions in a BYOD environment cannot prevent unknown malicious applications from recording sound via the phone’s microphone or tracking user location using the built-in GPS. And while Jailbreak/Root detection is implemented by all the MDM solutions reviewed, it works in very much the same way as antivirus, only detecting known Jailbreak/Root methods and applications, which are often trivial for technical users or malicious hackers to bypass. Implementation weaknesses in MDM solutions may also inadvertently leak sensitive information, and users can compromise security by downloading apps and disregarding the operating system permissions requested by those applications.

“There is no realistic way to guarantee the security of a workable BYOD environment, but organisations can take significant steps towards mitigation of security risks if they combine technical security controls with clearly defined acceptable use policies,” said Alex Chapman, Senior Consultant at Context. “To fully lock down these devices, a combination of fully restrictive MDM policies and network controls such as corporate firewalls and web proxies need to be implemented and enforced. But MDM solutions can only lock down mobile devices to the extent that underlying operating systems will permit and BYOD implementations can only lock down devices to a level that users are willing to accept.”

The Context White Paper, available to download at www.contextis.co.uk/research/white-papers, details the assessment of the three MDMs investigated, which is summarised below:

Airwatch

The Airwatch MDM solution provides access to corporate email via Exchange Active Sync and corporate documents, and MDM management via a dedicated MDM server within an organisation.

Pros: Provides advanced security settings on Android devices which support manufacturer extended APIs along with MDM management features over and above the built-in operating system features

Cons: No dedicated corporate email application on iOS devices; separate document viewer, email client and MDM applications; and relies heavily on external applications for viewing documents which can lead to data leakage

A number of encryption implementation and data leakage weaknesses were identified by Context during the review of the Airwatch MDM solution, which have been reported to Airwatch for remediation.

Blackberry Universal Device Service

The Blackberry Universal Device Service (UDS) solution provides MDM management and data access via dedicated Blackberry servers within an organisation. Blackberry UDS can extend existing Blackberry Enterprise Service infrastructure in order to manage Android and iOS devices.

Pros: Integrates into existing Blackberry Enterprise Service infrastructure and provides good authentication settings for enterprise data

Cons: Provides only the basic MDM management features available in the operating systems built into the devices

Good for Enterprise

Good For Enterprise provides enterprise data and email access via a Good Network Operations Centre (NOC), which communicates with a dedicated Good server within an organisation. All MDM devices communicate with the Good NOC which relays data between a managed mobile device and the organisation.

Pros: Dedicated email and document viewer for office and PDF files and good authentication settings for enterprise data

Cons: All traffic must traverse a Good NOC, which could expose enterprise data to regulatory requirements of the country of residence of the NOC

The Airwatch and Good for Enterprise solutions were chosen based on Magic Quadrant market data available from Gartner, while the Blackberry solution was assessed because of the large number of organisations with a current Blackberry environment being repurposed for mobile device management.

“BYOD implementations carry an inherent risk and while fully restrictive security policies are possible to configure with corporately owned and maintained devices, ultimately these restrictions are unrealistic in a BYOD environment,” said Context’s Alex Chapman. “A successful BYOD implementation requires a fine balance of usability and security to ensure an appropriate level of user buy-in. Insecure settings, device use and software update frequency can all affect the security of the device and in turn, corporate data in a BYOD environment.”

About Context

Context was launched in 1998 and has a client base that includes some of the world’s most high profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. The company’s strong track record is based above all, on the technical skills, professionalism, independence and integrity of its consultants.

Many of the world’s most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants are frequently invited to present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.

Article source: http://www.darkreading.com/management/byod-will-always-be-trade-off-between-co/240162565

Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1

As you are probably aware, Microsoft’s October 2013 Patch Tuesday includes an update for Internet Explorer that closes no fewer than ten RCEs, or Remote Code Execution holes.

This sort of vulnerability means that merely looking at a booby-trapped web page could infect you with malware, even if you don’t click on anything on the page.

Unfortunately, an exploit that takes advantage of one of those ten holes, CVE-2013-3893, is known to be in the wild.

Cybercriminals have been using it; a proof-of-concept HTML page has been published that you can tweak for your own attacks; and the popular penetration tool Metasploit now includes it.

So rather than just leave you to apply the patch and be done with it, we thought we’d look at this exploit in some detail.

We hope that this will help you understand the lengths that cybercriminals will go to in order to attack your computer, despite the layers of protection that modern versions of Windows and Internet Explorer include.

Don’t worry if you aren’t technical: we’ve tried to keep the assembler code and the programming jargon to a minimum.

Just glide over anything you don’t understand and get a feeling for how cyberattackers think – “know thine enemy” is a handy part of any defence.

And, no, we haven’t given away so much that you can turn this article into an attack of your own: it’s an explanatory guide, not a how-to tutorial.

The core of the hole

Our attackers will be exploiting a bug in Internet Explorer’s mouse capture functionality.

In JavaScript, an object on an Internet Explorer web page can take or relinquish control over the mouse events that happen in the browser window, such as clicking and double-clicking.

This is done using the functions setCapture() and releaseCapture().

An object can also declare an onclosecapture function, which will automatically be called if ever it loses control of the mouse, for example because another object calls setCapture() to take over.

Our attackers seem to have discovered that these functions can be used to trick Internet Explorer, by orchestrating an unusual sequence of operations, something like this:

  • [1] Create 10,000 items in the current web page, giving each one a title string of “3333….3333”.
  • [2] Free the memory of the last 5000 items by setting the title back to a blank string.
  • [3] Create two more items, making one the parent of the other.
  • [4] Set an onclosecapture event for the child item, in which 10,000 more items entitled “3333….3333” will be created.
  • [5] Call setCapture() from the child item.
  • [6] Call setCapture() from the parent (thus causing the onclosecapture from [4] to be called in the child item).

What it does

Here’s what you see if you run the trigger code that does this under a debugger, using Windows 7 with Internet Explorer 9:

If you aren’t familiar with debuggers, this window tells you that the program has crashed at the address 0x6AA33859 in the system library MSHTML.DLL, trying to run the instruction:

MOV  EDX,DS:[ECX]

(In Intel assembler notation, data flows from right to left, so this means “move the value of [ECX] into the register EDX”. And the square brackets mean “fetch the value at the memory address stored in ECX, not the value of ECX itself.” The DS: just denotes that the value comes from the processor’s data segment.)

To explain further, the code at and after the offending instruction above does the following:

MOV  EDX,[ECX]    ; Fetch the contents of the 
                  ; memory address in ECX,
                  ; where ECX is controlled
                  ; by the string in [1] and [4]
                  ; on the attacker's web page.
MOV  EAX,[EDX+C4] ; Fetch the contents of the 
                  ; address C4 bytes past that.
CALL EAX          ; And call it as a subroutine.

The exception occurs because ECX = 0x33333333 (the ASCII code for the text string “3333”), but there is no memory allocated at that address for the processor to read.

It looks as though memory that was freed up in [2] was then re-used by Internet Explorer to store data that controls the flow of execution in MSHTML.DLL (Microsoft’s rendering engine), and then wrongly re-used again for saving the text strings created in [4].

That’s a use after free bug, and in this case, it means our attackers can lead Internet Explorer astray: they can trick the browser into using untrusted data from their remote web page to tell your computer where to jump next in memory.

That means there is very likely to be a chance for RCE, or Remote Code Execution.

The next step

To make further headway, the attackers needed to force ECX to contain the address of memory that is allocated, and that they can influence.

Adding a step [4.5] to the list above does the trick:

  • [4.5] Create 320 text strings that take up 1MB each, containing the bytes 0x12121212 repeated over and over.

This is known as a heap spray, and it’s an operation that uses JavaScript’s powerful string-handling functions to force the operating system to allocate large blocks of memory in a controlled way.

If we run Internet Explorer again until it crashes, and then peek at the memory blocks allocated by Windows, we can see the results of the heap spray.

The size column shows that these blocks are all 0x00100000 bytes in length, or 1MB:

Each of those blocks is crammed with the bytes 0x1212….1212.

Notice particularly – and we shall soon see why this is terribly convenient – that the memory block containing the address 0x12121212 (and the address 0x121212D6, which is 0xC4 bytes further on), is one of the chunks filled with 0x1212….1212.

Finding the right size for each heap spray object, and the right number of memory allocations to perform in order to get a neat and exploitable result, doesn’t need to be done analytically.

Cybercriminals can save time and effort simply by using trial and error – a process that can be automated.

So, instead of using the text string “3333”, as in steps [1] and [4] above, our attackers can choose a value that corresponds to an address inside one of the blocks they know their heap spray will produce.

In the published exploit, they chose 0x12121202, though many others would have done just as well, so that steps [1] and [4] no longer have ECX set to “3333”.

Instead, ECX becomes 0x12121202, and the crooks get this:

; EDX gets the contents of 12121202

MOV  EDX,[12121202]

; EDX is now 12121212, so
; EAX gets the contents of EDX+C4 (121212D6)

MOV  EAX, [12121212+C4] 

; EAX is now 12121212, which we call 

CALL 12121212

; Execution is now at an address we control!

On versions of Windows before XP SP3, the attackers would already have won the battle at this point, by adapting the text strings from [4.5] so that they contained shellcode (executable code hidden in chunks of data) starting at 0x12121212, thus instantly getting control.

But these days (and we’re on Windows 7 in this article, remember), memory blocks dished out by the operating system – allocations “on the heap”, as they are known – are set to be NX, or No Execute, by default.

If you try to execute an instruction in a memory page marked NX, the processor steps in and stops you.

This is the basis of DEP, or Data Execution Prevention, and it means that even though our attackers can control exactly what is at address 0x12121212, and divert the processor to it, they can’t make it run:

On Windows XP, DEP slows the attackers down a bit, but not much: all they need to do is to tweak the heap spray so that the value at 0x121212D6 is an address in executable memory.

(0x121212D6, remember, is 0x12121212+0xC4: that’s where the CPU will jump as a side-effect of triggering this bug, due to the CALL EAX instruction shown above.)

The richest sources of ready-to-use executable memory are the numerous system DLLs that are almost always loaded, such as KERNEL32.DLL, USER32.DLL and GDI32.DLL.

Getting around ASLR

On Windows 7, however, picking addresses in system DLLs is much harder than it sounds, because of ASLR, or Address Space Layout Randomisation.

For example, here’s a table from our test computer, showing where Internet Explorer and its first few DLLs are supposed to load, and where they actually loaded on three successive reboots:

In short:

  • DEP stops attackers with a vulnerability like this one from jumping straight to their shellcode as soon as the exploit gets control.
  • ASLR stops attackers from bypassing DEP by jumping into a system DLL, because they don’t know where it will be in memory.

→ On Windows XP, system DLLs load at the same place every time, on every computer, making XP much easier to hack. That alone is enough reason to ditch XP as soon as you can, regardless of the looming “no more patches” deadline of April 2014.

But our attackers have a way around this, because some common and popular DLLs still advertise themselves as incompatible with ASLR, and are therefore loaded without it.

So they added this line of JavaScript for attacking Windows 7 users:

try{location.href='ms-help://'} catch(e){}

If you have Office 2007 or Office 2010 installed, trying to open an ms-help:// URL causes Internet Explorer to load the support library hxds.dll:

Sadly, the address 0x51BD0000 is exactly where this DLL always loads, because it was compiled by Microsoft without the so-called DYNAMICBASE option, thus causing it to be left out of ASLR:

Admittedly, this restricts the attackers to infecting computers on which Office is installed – but in practice, that isn’t a major limitation: even if you don’t own Office, you may well have a demo version left over from when you bought your PC.
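As an added example (not code from the article or from Sophos), here is a Python reader for the two PE optional-header flags that record whether a module was linked with DYNAMICBASE (ASLR opt-in) and NX_COMPAT (DEP opt-in). The inputs are constructed header-only images, not real DLLs: one reuses the 0x51BD0000 base quoted above for hxds.dll with DYNAMICBASE cleared, the other has both flags set, and the audit helper lists which modules the loader will never relocate.

```python
"""Report the ASLR/DEP opt-in flags recorded in a PE (DLL/EXE) header.

Added example, not from the Naked Security article. The exploit described
above needs one module that the loader never relocates; hxds.dll qualifies
because it was linked without DYNAMICBASE. That choice is recorded in the
DllCharacteristics field of the PE optional header, so a defender can audit
loaded modules for the same weakness without running anything.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts in to DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse just enough of a PE image to report ImageBase and the two flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                              # start of the optional header
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def aslr_exempt_modules(modules: dict) -> list:
    """Given {name: image bytes}, name the modules the loader will not relocate."""
    return sorted(name for name, data in modules.items()
                  if not pe_mitigation_flags(data)["dynamic_base"])


def build_minimal_pe32(image_base: int, dll_chars: int) -> bytes:
    """Constructed test input: a header-only PE32 image (not loadable)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


# Constructed samples. The 0x51BD0000 base is the figure the article gives for
# hxds.dll; the flag values are assumed for illustration, not read from the DLL.
ASLR_EXEMPT_SAMPLE = build_minimal_pe32(0x51BD0000,
                                        IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
HARDENED_SAMPLE = build_minimal_pe32(
    0x10000000,
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

if __name__ == "__main__":
    loaded = {"hxds.dll": ASLR_EXEMPT_SAMPLE, "example.dll": HARDENED_SAMPLE}
    for name, image in loaded.items():
        print(name, pe_mitigation_flags(image))
    print("ASLR-exempt:", aslr_exempt_modules(loaded))
```

On a real system the same function can be pointed at the bytes of any module on disk, since the header layout it reads is the one the loader itself uses.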

At this point, our attackers are on the brink of controlling your computer, having evaded all of the following:

  • Windows memory management.
  • JavaScript’s “sandbox”.
  • Data Execution Prevention.
  • Address Space Layout Randomisation.

The good news is that they still have a fair amount of work to do.

Before they can go any further, for example, they need to choose which address in hxds.dll they will write at offset 0x121212D6, to be the target of the fateful CALL EAX that will give them their first unlawfully executed machine code instruction.

The bad news, of course, is we already know that our crooks are going to succeed in the end.

So, please join us next week for Part Two, where we’ll show you what they are going to do next, and why, and how you can detect and prevent their nefarious activities.

NB. Sophos Anti-Virus on all platforms detects and blocks this exploit as Exp/20133892-B.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3fRxprOoLjg/

Do you trust your smartphone? [POLL]

Last month I asked you which web browser you trust the most. This month I’d like to know how you feel about that little always-on super computer that goes everywhere with you – your phone.

I asked my original question about web browsers because of the highly privileged position they occupy in our online lives.

Everything we do on the web passes through them. They are vitally important and yet the most significant factor in choosing which is the best – determining which is most likely to keep our data private and secure – is a matter of opinion and judgement, not of fact.

I suspected that users were as likely to be swayed by the reputation of the companies producing the popular browsers as they were by the number of objectively verifiable vulnerabilities.

You didn’t disappoint.

The emphatic result and your impassioned comments got me thinking about something that occupies an even more exalted position in our lives (and not just our online, sitting at the keyboard lives, our actual honest-to-goodness go everywhere real lives); our smartphones.

Smartphones are, of course, very far from being simply ‘not dumb’ phones these days. In fact describing smartphones as phones does them about as much justice as describing SUVs as quite well protected chairs.

Modern phones are bona fide networked computers that bristle with sensors and broadcast their existence promiscuously.

They are stuffed with personal information and, thanks to easy connections to software stores, cloud storage and online backups, they are as hungry for a permanent internet connection as a 14 year old boy.

Compared to the laptops and desktops that preceded them smartphones are locked down tight.

Users don’t add ram, upgrade their graphics cards or put in extra hard drives. The operating systems that bring the hardware to life expose little of themselves and keep their apps isolated in restrictive sandboxes. Software distribution is tightly controlled and more often than not restricted to a single authorized source and subject to the rules and whims of its proprietor.

All of this buttoning up has given us the first generation of genuinely consumer-friendly computing devices and, while they haven’t solved the virus problem, distribution channels like Google Play and the App Store have made life much harder for malware authors.

Of course all this convenience and reassuring abstraction comes at the price of transparency. The gap between what our devices are doing and our understanding of them grows ever wider.

If you’re going to use a smartphone at all then you must trust that what exists in that gap – whatever your phone is doing or sharing without your knowledge – is benign, or at the very least is worth the cost.

The efforts of independent security researchers aside, we are ultimately dependent on some very, very large organisations like Google, Microsoft, Apple and BlackBerry to respect the trust we put in their software.

Which of those companies hasn’t given us pause for thought at some stage?

Do you trust their corporate interests, culture and track record? Are you absolutely clear on how they make money and from whom? Do you believe they are in bed with the NSA or other government agencies?

I’d like to know which of the big four smartphone platforms you trust the most.

Clearly there are many aspects to what makes a smartphone trustworthy or untrustworthy – not least apps – that I can’t capture with a simple question and multiple choice answer, so please use the comments to share your thoughts after you have taken the poll.

If you don’t use a smartphone or if you favour a platform outside of the top four then let us know in the comments.

Likewise if you have made judgements about what kind of apps you won’t allow on your phone, about different versions of the big four platforms or about the modifications that major manufacturers like HTC and Samsung make to Android then share them in our comments too.

And finally, this is National Cyber Security Awareness Month, so once you’ve finished sharing and opining please take a look at our 10 tips for securing your smartphone and take some positive action to safeguard you and your family today.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5swouFZF600/

Online safety is our shared responsibility

Shared responsibility. Image courtesy of Shutterstock.

Yesterday was World Mental Health Day, a day for mental health education, awareness and advocacy.

It coincided with the one year anniversary of Canadian teen Amanda Todd’s suicide. Todd’s story was highly publicized last year after it was discovered that she had previously posted a video on YouTube describing her torment and subsequent descent into depression.

What does this have to do with security? Well, it brings up another topic that is just as important – cyber bullying and online safety.

The proliferation of internet-connected devices has meant that everything we do in public, and sometimes in private, can potentially be recorded and later posted online, sometimes without our knowledge or consent.

Such was the case for Amanda, who was blackmailed and tormented online after an unknown man convinced her to expose herself, then posted the pictures online. She was then further bullied, harassed and humiliated online by some of her peers.

Unfortunately Amanda’s story isn’t the only one. Nova Scotia teen Rehtaeh Parsons, Californian Audrie Pott, and others have taken their own lives after episodes of online humiliation and cyber bullying.

Just as we may find it necessary to use web filtering technologies to shield our kids from the less savoury parts of the internet, we also need to take an active role in ensuring that they behave appropriately while online.

I have kids of my own, which means that I understand the latter is easier said than done. But my role as a security expert is not only to provide technologies that will make my children’s online activities more secure, but also to give them the tools to be both good online citizens and recognize harmful behaviour.

It also means teaching them that even though they may not be the target of cyber bullying, they can still actively try to prevent and/or report it.

Carol Todd, Amanda’s mother, has spent the last year building awareness about (among other things) cyber bullying and the impact of social media on teens’ lives. She is also encouraging others to get involved and join the fight against bullying in all its forms.

Following Amanda’s death, British Columbia Premier Christy Clark announced a provincial program dubbed ERASE aimed at addressing bullying and harmful behaviour in schools. The tech angle here is that it provides children and parents with an online resource for discussing and reporting cyber bullying.

This is also why the National Cyber Security Alliance’s ‘Stay Safe Online‘ campaign is so important. It provides a comprehensive set of resources for our personal online safety as well as resources for teaching others to be safer online.

Programs like these are invaluable and essential when we consider the increasing magnitude of our online presence.

The more awareness we can build around online safety, the better we equip the next generation of online citizens with the technological and social tools to be safer online and reduce the incidence of online bullying.

It’s important to remember that respect is both earned and learned. Let’s teach our kids to be safer and respect each other even when they’re not face-to-face.

If all else fails, remember Wheaton’s Law.

We owe Amanda, Rehtaeh, Audrie and countless others affected by cyber bullying at least that much.


Image of shared responsibility courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EOgDRml9qEA/

Nordstrom finds cash register skimmers planted in Florida store

Nordstrom, image courtesy of Shutterstock.

Six men may have been involved in the installation of cash register skimmers at a Nordstrom store in Florida, according to a report from Brian Krebs.

According to a police alert on October 5, the store was first visited by three men whose actions were captured by CCTV cameras. Two of the men, it is said, distracted sales staff while the third took photos of the outside of a register, then removed the back panel and took more pictures.

A few hours later another three-man team entered the store and, once again, two of them gained the attention of sales staff. During this time, the third man opened up the back of the register and installed a keylogging device.

The Aventura Police Department said that Nordstrom discovered a total of six devices attached to its registers. They were connected in series between the keyboard and the computer and likely had 4MB or more of on-board storage to record data.

Krebs highlights how cheap skimming devices are, with standard versions widely available for as little as $40. Such devices may be hard for untrained staff to spot, too: they look like a standard PS/2 keyboard connector, right down to being purple, the conventional colour for this type of pre-USB keyboard connector.

Krebs quotes a memo from the Aventura Police Department:

The connector was made to match the connections on the back of the register to include color match. Therefore, no one would have detected it unless there was a problem with the register.

Nordstrom spokesperson Kara Darrow said:

We did find some unauthorized devices on some of our cash registers. It’s not anything broader at this point.

As soon as we figured out this was happening, we had forensics experts looking at the situation, but it’s still very early in our investigation.

Keylogger hardware PS/2, image courtesy of WebOctopus.nl.

At this time it is unknown whether the men ever returned to the store to retrieve the keyloggers, and Nordstrom is unaware of any arrests having been made.

Krebs pointed out that, while the devices look like they are designed to log keystrokes from an attached keyboard, they could also be used to steal credit card information.

This is because many retailers use cash registers whose card readers connect through the computer’s keyboard port, or use readers that are themselves PS/2 based, so card data passes through the same connector as keystrokes.

The Aventura Police Department memo did note this possible next step and motive:

The subjects then return at a later date to recover the devices and create fake credit cards for fraud.

That, of course, supposes they need to return to the store at all: the same Google search that turns up the $40 standard skimmer also shows that it is surprisingly easy to source another model which comes with 2GB of storage and the ability to connect to a wireless network.

For just $139, the alleged credit card thieves could have parked nearby and acquired all the data they wanted over the airwaves.

Image of Nordstrom courtesy of Shutterstock and keylogger hardware PS/2 courtesy of WebOctopus.nl.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/js6yxCtBQIk/