STE WILLIAMS

London schoolboy cuffed for BIGGEST DDOS ATTACK IN HISTORY


A British police investigation into the massive DDoS attack against internet watchdog Spamhaus has led to the arrest of a 16-year-old London schoolboy who, it is claimed, is part of an international gang of cyber-crooks.

“The suspect was found with his computer systems open and logged on to various virtual systems and forums,” says the police document shown to the London Evening Standard. “The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.”


The young miscreant was arrested in April at the same time as a 35-year-old Dutchman (thought to be Sven Kamphuis – the owner of hosting firm Cyberbunker) as part of an investigation into the Spamhaus attack by British police dubbed Operation Rashlike. The arrest was kept secret, and the boy has been released on bail pending a trial later in the year.

The police document states that the Spamhaus attack in March was the “largest DDoS attack ever seen,” and claims the performance of the London Internet Exchange was hard hit. The attack caused “worldwide disruption of the functionality” of the internet, it states.

Certainly the attack was a biggie. On March 18, Spamhaus and its networking partner CloudFlare started getting DDoSed at around 90Gbps. When that failed to take the site offline, the attackers went upstream to ISPs and internet exchanges in Amsterdam and London (even El Reg’s own Trevor Potts inadvertently took part), and by March 22 over 300Gbps was hitting the Spamhaus servers.

But despite the hype, the attack didn’t seriously interrupt the flow of internet data. The London Internet Exchange reported “minor amount of collateral congestion in a small portion of our network,” and Spamhaus’ services weren’t seriously disrupted.

“Only the website and our email server were affected,” Steve Linford, chief executive for Spamhaus, told El Reg. “All Spamhaus DNSBL [DNS Block List] services continued to run unaffected throughout the attack. In fact Spamhaus DNSBLs have never once been down since we started them in 2001.”

Spamhaus is more targeted than most because of the work it does. The organization compiles lists of ISPs, domains, and email servers that are known spammers so service providers can block off huge chunks of incoming emails offering fake Viagra tablets, dodgy dating, and malware.

In 2011 Spamhaus temporarily blacklisted Dutch hosting firm Cyberbunker, which allows customers to use its services for absolutely anything “except child porn and anything related to terrorism.” Cyberbunker denied responsibility and claimed Spamhaus was acting as an internet vigilante, although it appears Cyberbunker’s owner may have taken a more direct approach against the watchdog.

Quite how a 16-year-old schoolboy got mixed up in all this remains to be seen. Certainly shifting large amounts of cash through a teenager’s bank account isn’t the smartest move in the criminal playbook, but it wouldn’t be the first time such basic mistakes have led to arrests.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/27/london_schoolboy_arrested_for_biggest_ddos_attack_in_history/

Conflicting Challenges Put Top Execs Between A Rock And A Hard Place

CHICAGO, IL — (ISC)2 Security Congress 2013 — Top-level executives are increasingly faced with IT security decisions that force choices between conflicting goals or the lesser of two evils, according to a new study released this week.

The study, called “A View From the Top – The (ISC)2 Global Information Security Workforce Study CXO Report,” was conducted by Frost & Sullivan and Booz Allen Hamilton on behalf of (ISC)2; it offers a detailed look at the security attitudes of some 1,634 C-level executives from enterprises around the globe. The report indicates that top management increasingly is finding itself caught between choices and practices that are at odds with each other.

Among the study findings:

* Application vulnerabilities were the top-rated threat to the security of enterprise data (72 percent of executives rated it as a chief concern), yet many executives also reported that the demands of their organizations make it difficult to develop and implement secure application development processes.

* Similarly, 70 percent of executives rated mobile devices as a top threat to their organizations, but many reported that they had not successfully implemented mobile security policies and programs.

* The vast majority of security executives (77 percent in government and 63 percent in private industry) believe they have too few people on their IT security staffs, yet 61 percent cited business conditions as an obstacle preventing them from hiring more personnel.

* Despite the concerns they registered over a shortage of trained personnel, more security executives plan to increase their spending on technology in the next year (39 percent) than on staffing (35 percent).

“The environment is becoming increasingly turbulent,” said Julie Peeler, director of (ISC)2. “Executives are increasingly finding themselves moving back and forth between security-related tasks and administrative and managerial tasks. They’re moving from an environment of symmetric decision-making into an environment where the situation is more asymmetric.”

“The threat environment has evolved that has become more complex, but we need to be more efficient in our basic management of security,” said Tomasz Chowanski, a senior vice president and security line of business leader at Wells Fargo. “We need to understand which pebbles might be important to protecting the big rocks in our data defense strategy.”

Staffing is another paradox, according to William Stewart, senior vice president at Booz Allen Hamilton. “Enterprises need people with sophisticated skills, but because those skills are in short supply, it’s becoming harder and harder to maintain them internally,” he says. “I believe we are going to see companies relying more and more on managed security services to get that expertise.”

Like riding a cow, security decision making increasingly leaves executives in situations that are incongruous, experts said. For example, most executives said they were most concerned about new threats and damage to the brand, yet they spend a major portion of their time and budget on compliance projects that contribute very little to enterprise security.

“Instead of focusing on a single issue, executives are looking at all of them at the same time,” Peeler said. “They can’t afford to be focused in any one area.”


Article source: http://www.darkreading.com/compliance/conflicting-challenges-put-top-execs-bet/240161942

PCI Community Prepares For New Standards Release

LAS VEGAS, 26 September 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, announced the close and recap of its seventh Annual North American PCI Community Meeting. The forum provides PCI Participating Organizations and assessors the opportunity to come together and discuss the latest updates and challenges in payment card security.

In preparation for release of version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS) in November, this year’s meeting convened more than 1300 global payment security professionals from 25 countries who play an active role in PCI Standards development.

A key focus for the meeting was to drive understanding and discussion of the standards updates in the context of the current payment card security landscape. Attendees received draft versions of the standards in advance of the meeting, and the two-day agenda provided a variety of opportunities to engage on the planned updates with PCI SSC staff, payment brand representatives and colleagues.

Other key focus areas at the meeting included:

* EMV chip adoption in the U.S. and implications for payment card security

* Current PCI technology initiatives around mobile payment acceptance, Point-to-Point Encryption (P2PE) and tokenization

* PCI challenges and lessons learned from peers

* Updates from PCI Special Interest Groups (SIGs) on Third Party Security Assurance and Best Practices for Maintaining PCI DSS Compliance

* Leveraging PCI training to drive greater education and awareness

“PCI Standards provide a strong framework for card security, and as we look to the future, this community will have an important role in continuing to drive card data protection globally,” said Bob Russo, general manager, PCI Security Standards Council. “The record attendance at this event, the quality and caliber of the dialogue here this week and the standards that will be published in November all point to an active and engaged community that will together shape the future of payment card security.”

The meeting in Las Vegas is the first of three PCI Community Meetings this year. PCI Participating Organizations and assessors in Europe and Asia-Pacific will also have the opportunity to discuss PCI Standards updates and initiatives at the following events:

Europe, 29-31 October 2013

Nice Acropolis

Nice, France

To register: https://www.pcisecuritystandards.org/communitymeeting/2013/europe/register.html

Asia-Pacific, 20 November 2013

Shangri-La Hotel

Kuala Lumpur, Malaysia

To register: https://www.pcisecuritystandards.org/communitymeeting/2013/asiapacific/register.html

About the PCI Security Standards Council

The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 700 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.

Article source: http://www.darkreading.com/privacy/pci-community-prepares-for-new-standards/240161910

FireHost Announces The Payment Island Simplifies PCI Compliance and Boosts Security For Online Payments Processing Businesses

(Dallas – Sept. 25, 2013) — FireHost, the secure cloud hosting company, is further protecting payments processing cloud applications with its Payment Island solution. By decoupling credit card databases and transactional applications from monolithic IT environments, institutions responsible for storing, processing or transmitting credit card data can reduce their scope of compliance, provide better security, and achieve audits faster by reducing the risk profile associated with cardholder data. Presently, FireHost processes more than $20 billion dollars in transactions per year in its Payment Island on behalf of eCommerce and retail companies (merchants), payments processors, card issuers and other financial institutions.

Kurt Hagerman, director of information security for FireHost, said that by improving performance within the cloud environment, a Payment Island provides responsible organizations with a safe haven for regulated payment card data. This kind of advanced protection requires specialized tools and expertise, and navigating these cyber threats and the regulatory landscape should only be trusted to a secure, managed cloud IaaS. FireHost Payment Islands were created to mitigate its customers’ compliance burden by decoupling their regulated data from their own IT environments, thus reducing risk.

By isolating the payment engine through network segmentation, Payment Island essentially provides a data vault for businesses that process transactions in the cloud. By cross-connecting into a customer’s own infrastructure within a data center and storing data outside typical administrative permission controls, the service eliminates latency and scales to provide resources on demand.

Now, in version 3.0, the FireHost Payment Island is updated regularly to ensure alignment with current Payment Card Industry Data Security Standard (PCI DSS) standards, but that’s really just a starting point.

“This is a game changing, managed cloud compliance solution,” Hagerman said. “FireHost’s Payment Island provides customers a private cloud experience that protects transactional applications by removing regulated data from local or regular hosting facilities and storage and masking and cloaking it in the most sophisticated cloud infrastructure available. The Payment Island provides administrative controls by segregating data from the corporate active directory (AD) permissions, so that customers can more tightly lock down and protect the information from internal threats.”

This concept was covered in a Dec. 2012 Gartner Research Note, “Become PCI Compliant by Choosing the Right Hosting Service Provider.”

According to Tiny Haynes, research director for Gartner and author of the research note, “Any site that handles credit card information needs to put in place the correct, far-reaching security processes and infrastructure to be PCI DSS compliant.”

He also recommends isolating the payment engine from the rest of the hosted infrastructure via network segmentation to reduce the scope of the PCI DSS requirements, and to “choose service providers that have already certified their operations as being PCI compliant. This will help you save time and resources, since you are obligated to use only PCI-certified providers.”

Jed Danner, head of IT development at gotoBilling, agreed. The company, which has built its business model around offering a secure, compliant and easy payment platform, uses FireHost’s Payment Island to protect its customers’ personal and financial information in the cloud.

“FireHost understands PCI compliance unlike any other cloud services provider, and that makes a huge difference to our business,” Danner said. “The network design of FireHost’s Payment Island makes it easy for us to keep our clients secure and meeting compliance, which is mandatory for our success.”

The PCI DSS 3.0 standard is currently in its final phases of development. The final standard will be published in November and will then become effective Jan. 1, 2014. Although PCI DSS 3.0 becomes effective in January, compliance with 3.0 is not mandatory until January 2015.

About FireHost
FireHost offers the most secure, managed cloud IaaS available, protecting sensitive data and brand reputations of some of the largest companies in the world. With private cloud infrastructure built for security, compliance, performance and managed service, responsible businesses choose FireHost to reduce risk and improve the collection, storage and transmission of their most confidential data. FireHost’s secure, managed cloud IaaS is available in Dallas, Phoenix, London and Amsterdam, offering robust, geographically redundant business continuity options across all sites. Based in Dallas, FireHost is the chosen secure private cloud service provider for brands that won’t compromise on the security of their payment card, healthcare, and other regulated data.

Follow FireHost on:
http://www.firehost.com
http://www.twitter.com/firehost
http://www.linkedin.com/company/firehost-inc.
http://www.facebook.com/FireHost

Company Contact:

Cathi Lane
FireHost
[email protected]
+1.877.262.3473 x. 8133

Editorial Contact:

Sarah Hawley
Ubiquity Public Relations
[email protected]
+1.480.292.4640

UK Editorial Contact:

Mike Marquiss and Jonathan Mathias
Johnson King PR
[email protected]
+ 44 (0) 20 7401 7968

###

Article source: http://www.darkreading.com/government-vertical/firehost-announces-the-payment-island-si/240161944

Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches

External data breaches from groups like Anonymous and internal data leaks from insiders such as Edward Snowden have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?

Much of the questioning and confusion has to do with executives not understanding where their critical assets are and how they need to be protected. Their sense of security is skewed by the fact that they’ve passed their compliance requirements, causing them to think they are safe. For most companies, if they were truly targeted by a sophisticated and determined attacker, they would fail miserably.

Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. There are fewer devices exposed and even fewer ports open that could provide an avenue for attack.

That sounds great, right? So, why would these companies fail at protecting their critically important data and business systems?

The first problem area is not knowing where all the critical assets are located inside the network and protecting them appropriately. All too often, when I ask during a penetration test what the critical systems are, I get several different answers depending on the person answering the question. The CIO will have a different answer than the security team leader, and this will differ from the various business unit owners.

Then, once the testing begins, we find that there is little to no true network segmentation between the various organizational units, the servers, and general network devices. Most logical network separation is done because of physical separation between holding floors and geographic locations. It is not done from a security standpoint, and there are usually very few, if any, firewall rules between those networks.

In order to combat the problem, a risk assessment and a full inventory of all systems, including the types of data handled by each system, need to be completed. That information can then guide the proper network segmentation. Of course, it can’t be done completely without looking at the business processes and how users use and access the data. When the previous two processes are then combined, access control for users can be properly architected and implemented, which leads us to the next problem area.
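The inventory-then-segmentation step above can be turned into a repeatable check. The following is an added example, not code from the article or its author: it models a constructed asset inventory (names, zones, owners and data types are all made up), a constructed set of inter-zone firewall rules, and the default-allow posture the article describes, then reports every sensitive asset that is reachable from another zone only because no rule was ever written for that path.

```python
from dataclasses import dataclass

# All names, zones and rules below are constructed for this example.
SENSITIVE_DATA = {"cardholder", "pii", "phi"}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str          # network segment the asset lives in
    owner: str         # business unit answerable for it
    data: frozenset    # kinds of data it handles, e.g. {"cardholder"}


@dataclass(frozen=True)
class Rule:
    src: str     # source zone or "*"
    dst: str     # destination zone or "*"
    action: str  # "allow" or "deny"


INVENTORY = [
    Asset("card-db", "dc-east", "payments", frozenset({"cardholder"})),
    Asset("hr-share", "floor3", "hr", frozenset({"pii"})),
    Asset("wiki", "floor2", "it", frozenset()),
    Asset("jump01", "mgmt", "it", frozenset()),
]

# The only inter-zone rules that exist; everything else falls through to the default policy.
RULES = [
    Rule("mgmt", "dc-east", "allow"),
    Rule("floor2", "dc-east", "deny"),
]


def critical_assets(inventory):
    """Assets handling regulated or sensitive data, derived from the inventory rather than from opinion."""
    return sorted(a.name for a in inventory if a.data & SENSITIVE_DATA)


def match_rule(src_zone, dst_zone, rules):
    """First-match-wins lookup, the way a firewall evaluates its rule base."""
    for rule in rules:
        if rule.src in (src_zone, "*") and rule.dst in (dst_zone, "*"):
            return rule
    return None


def segmentation_gaps(inventory, rules, default="allow"):
    """Return (source_zone, asset_name) pairs where a sensitive asset is reachable from another
    zone only because no rule exists and the default policy lets the traffic through.
    Explicit allows are deliberate decisions and are not reported; explicit denies close the path."""
    zones = {a.zone for a in inventory}
    gaps = []
    for asset in inventory:
        if not asset.data & SENSITIVE_DATA:
            continue
        for src in sorted(zones - {asset.zone}):
            if match_rule(src, asset.zone, rules) is None and default == "allow":
                gaps.append((src, asset.name))
    return gaps


def proposed_denies(inventory, rules, default="allow"):
    """Zone-pair deny rules that would close every gap found above, as a starting point for review."""
    asset_zone = {a.name: a.zone for a in inventory}
    return sorted({(src, asset_zone[name]) for src, name in segmentation_gaps(inventory, rules, default)})


if __name__ == "__main__":
    print("critical assets:", critical_assets(INVENTORY))
    for src, name in segmentation_gaps(INVENTORY, RULES):
        print(f"gap: zone {src} can reach {name} with no rule (default allow)")
    print("proposed denies:", proposed_denies(INVENTORY, RULES))
```

Running it with `default="deny"` instead shows no gaps at all, which is the point: once the inventory says which assets matter, the question of whether a path between zones was decided or merely never considered becomes mechanical to answer.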

The second issue that plagues many enterprises is that they don’t have a solid concept of what the “principle of least privilege” and “need to know” mean. Users regularly have a great deal more access and privilege than necessary to complete their job — this goes for secretaries and systems administrators alike (e.g. Snowden, the snooping sysadmin). A company may take the proactive step of removing local administrator rights from users on their desktops, but not bother with the level of access in various internal applications and network file shares.

Properly designing those access controls can be difficult without already having the inventory and understanding of the business as mentioned above.

The third major area is security training and awareness for users. Having developed a security awareness program for a large university and worked with many different enterprise organizations, I’ve found the best way to get traction is to make it personal. Teach users easy and practical concepts that carry over between home and work. Many of the same protective behaviors they should be practicing at home can also help protect their corporate desktops and laptops.

The fourth issue, and one that is compounded by several of the others, is the presence of shared credentials and password reuse. Password reuse across local system accounts is one of the biggest problems we encounter during penetration tests. It allows us, and the bad guys, to easily move laterally within a company’s network once we compromise one system.

Or, once we compromise a user’s password, it is often the gateway to other systems and applications, because users commonly reuse passwords across multiple company systems. You think single sign-on sounds great? It’s even more useful to an attacker with a valid username and password, because they can now get into everything with that one set of credentials.
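Both of the reuse problems just described (one local account password imaged onto every host, and one user reusing a password across company applications) show up the same way in an audit: the same credential fingerprint on more than one system. The script below is an added example, not code from the article or its author. Its input is a constructed audit export in which the fingerprint stands in for an unsalted credential hash as a local-account audit tool would report it, so identical fingerprints mean identical passwords; every system and account name is made up.

```python
from collections import defaultdict

# Constructed audit export: one row per (system, account, credential fingerprint).
# The fingerprint stands in for an unsalted password hash as an audit tool would report it;
# two rows with the same fingerprint use the same password.
SAMPLE_CREDENTIAL_AUDIT = [
    ("ws-001", "Administrator", "fp-7a1"),
    ("ws-002", "Administrator", "fp-7a1"),
    ("ws-003", "Administrator", "fp-7a1"),   # one local admin password imaged onto every workstation
    ("srv-file01", "Administrator", "fp-c42"),
    ("srv-file01", "backup", "fp-9e0"),
    ("srv-db01", "backup", "fp-9e0"),        # service account sharing a password across servers
    ("srv-db01", "Administrator", "fp-d11"),
    ("vpn", "jsmith", "fp-55e"),
    ("timesheets", "jsmith", "fp-55e"),      # a user reusing one password across company applications
    ("wiki", "jsmith", "fp-0b3"),
]


def shared_credentials(rows, min_systems=2):
    """Group rows by credential fingerprint and report each credential that opens at least
    `min_systems` distinct systems. Results are ordered by exposure (most systems first)."""
    by_fingerprint = defaultdict(set)
    for system, account, fingerprint in rows:
        by_fingerprint[fingerprint].add((system, account))
    findings = []
    for fingerprint, entries in by_fingerprint.items():
        systems = sorted({system for system, _ in entries})
        if len(systems) >= min_systems:
            findings.append({
                "fingerprint": fingerprint,
                "systems": systems,
                "accounts": sorted({account for _, account in entries}),
            })
    return sorted(findings, key=lambda f: (-len(f["systems"]), f["fingerprint"]))


def blast_radius(rows):
    """Largest number of systems a single credential unlocks: the lateral-movement exposure
    one compromised password would create. 0 for an empty export, 1 if nothing is shared."""
    if not rows:
        return 0
    findings = shared_credentials(rows)
    return len(findings[0]["systems"]) if findings else 1


if __name__ == "__main__":
    for f in shared_credentials(SAMPLE_CREDENTIAL_AUDIT):
        print(f"{f['fingerprint']}: accounts {f['accounts']} share a password "
              f"on {len(f['systems'])} systems: {f['systems']}")
    print("blast radius of one compromised credential:", blast_radius(SAMPLE_CREDENTIAL_AUDIT))
```

The ordering matters in practice: the finding at the top of the list (the one credential that unlocks the most systems) is where unique per-host local passwords, or a password rotation for a shared service account, pay off first.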

User education and technical controls are needed to address both of these problems. The education piece needs to explain the problem and the impact to help instill a sense of responsibility and ownership. Being able to explain to a user exactly what could happen if their username and password were compromised, such as theft of corporate trade secrets that could result in their losing their job or the company going out of business, opens a few eyes.


Article source: http://www.darkreading.com/insider-threat/tech-insight-top-4-problem-areas-that-le/240161952

NQ Mobile Security Center Eradicates Three New Malware Strains Infecting Thousands In China

BEIJING and DALLAS, Sept. 27, 2013 /PRNewswire/ — NQ Mobile(TM) (NYSE: NQ) a leading global provider of mobile Internet services, announced that its security center has captured and inoculated against three new malware strains that affected thousands of Chinese mobile users.

The three quarantined malware threats used SMS messages to deliver their malicious payloads, demonstrating the growing need for protection beyond controlling the app store environment.

— Fake Bank (privacy.SmsServices.a): The most potentially dangerous of the three, Fake Bank masquerades as a banking application, only to steal users’ accounts and passwords, block or upload their text messages, send fraudulent messages, and block incoming calls.

— Group Scammer (privacy.Cckun.a): After users clicked a malicious link in an SMS message, the infected device could be remotely controlled to spread the infection through group messages. At the same time, a third-party application with the ability to send premium messages without the user’s consent could be installed on the device, leading to additional bill charges.

— Fee Server (payment.ZooTiger.a): This threat delivered multiple malicious payloads, uploading users’ private contact lists to the server, delivering unwanted advertising to users’ inboxes and connecting to fee-based services via SMS and WAP resulting in unexpected bill charges.

The early detection of these threats confined infection to fewer than 20,000 devices.

The newly discovered threats follow just days after the discovery of a.privacy.SmsManager.a (Privacy Leaker) and a.payment.Sexyapp.a (SMS Fraudster), which risked mobile users’ privacy and caused fraudulent bill charges.

NQ Mobile Security(TM) for Android is available for download at http://www.nq.com/mobilesecurity and on Google Play.

About NQ Mobile

NQ Mobile Inc. (NYSE: NQ) is a leading global provider of mobile Internet services. NQ Mobile is a mobile security pioneer with proven competency to acquire, engage, and monetize customers globally. NQ Mobile’s portfolio includes mobile security and mobile games as well as advertising for the consumer market and consulting, mobile platforms and mobility services for the enterprise market. As of June 30, 2013, NQ Mobile maintained a large, global user base of 372 million registered user accounts and 122 million monthly active user accounts through its consumer mobile security business, 87 million registered user accounts and 16 million monthly active user accounts through its mobile games and advertising business and over 1,250 enterprise customers. NQ Mobile maintains dual headquarters in Dallas, Texas, USA and Beijing, China. For more information on NQ Mobile, please visit http://www.nq.com/.

Article source: http://www.darkreading.com/applications/nq-mobile-security-center-eradicates-thr/240161943

Online dating scam costs lovelorn Canadian $500k

A Vancouver man has lost $500,000 (CAD) to online scammers after being pulled into a complex, long-term fake romance con by a man he met on a dating site.

The crooks behind the scam are thought to have been operating out of London, with one suspect believed to have been arrested by UK police. The money, which includes a chunk of retirement savings cashed in by the victim, is unlikely to be recovered though.

The man, referred to only by the pseudonym “Tony” in the report from Canada’s CBC News which investigated the story, met a man on a dating site and then moved their discussions over to Yahoo! Messenger, where “romance blossomed” over the next six weeks.

Having laid the groundwork, the scam then got into gear when Tony’s new love claimed he had been stranded in Malaysia with no access to cash to pay the necessary bribes. Tony was then persuaded to pony up multiple “loans” to help out, the total eventually mounting up to an epic half a million dollars.

Somewhat unusually, Tony finally cottoned on to the scam and decided to fight back, hiring investigators to look into his tormentors, who were tracked down to a company operating on the edge of London. Police in both Vancouver and London were brought in, and charges are thought to be imminent.

Tony apparently resorted to online dating as he found meeting potential partners in the real world difficult – a situation which seems to be ever more common, given the explosive rise in popularity of online romance sites, which have gone from social stigma to accepted norm over the last few years.

The human need for companionship has always been a standard weapon in the cybercrook’s arsenal, with emails offering the chance of companionship (or at least sex) a common sight for many years.

The rise of online dating has of course been spotted by the same cybercrooks, looking to exploit every weakness of the web-using world.

The detailed personal information people post to dating sites makes ideal fodder for identity theft and spear-phishing, while scamming contacts met on dating sites has become big business, with one rather unprepossessing gang recently jailed after netting over $1 million posing as military staff overseas.

The trick of being stuck in dubious foreign lands with difficult local authorities is also a standard tool, commonly used in the venerable 419 scam and in more personal cons, like the one where a contact tries to persuade you they’ve been robbed on holiday and need funds to get home – even big-name politicians have been targeted in this way.

Romance scams have become an industry of their own, netting huge amounts annually from unwary victims, although few are taken for quite as much as poor “Tony”.

So, to avoid being the next in a long line of dupes, keep on your toes.

Don’t go giving money to online contacts you don’t really know, even if they sound like Mr or Ms Perfect.

Don’t fall for the old “if you can stump up a few grand for plane tickets and a new wardrobe, I’ll be right over there to love you forever” line, any more than you would be taken in by the one that goes “we just need a few hundred to free up the few million we can get for you”.

Even if people you do know ask for money in odd circumstances, be wary and make sure you check it’s really your buddy who’s asking for cash to bribe those dodgy foreign officials.

Above all, try to keep your online activities controlled by your logical brain, rather than those baser urges. A sceptical mind is often the best defence.


Image of online dating warning sign and man and woman online courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_4-QDm87-ns/

Game apps under fire from consumer law makers

I’ve been a video games player for longer than I care to remember, having been initiated to the world of computers via Clive Sinclair’s awesome ZX81.

Back then, when the world (and the computer’s video output) were all in black and white, it was a cheaper hobby than it is today. If I wanted a new game I could go to the shop and get one for a week’s pocket money. If I hadn’t been good enough to earn any I could always show off my own BASIC programming skills and make an adventure or snake-type game.

Later, when my kids reached a certain age, computers had made way for consoles and games had become altogether far more expensive, though it goes without saying that the addition of colour, sound and network play does make for a far more compelling experience.

Thankfully, there are still a few other options for children to get their gaming fix though. The rise of smartphones and social sites has led to hundreds of developers creating games that are free or relatively cheap to play.

There is a danger with these browser games and phone apps though, as highlighted by the UK’s Office of Fair Trading (OFT), which recently concluded an April 2013 investigation into how such games complied with consumer protection law.

The OFT examined the commercial practices of 38 unnamed web and app-based games which it felt specifically targeted children. It said some of the concerns its investigation had uncovered included:

  • Misleading commercial practices, including failing to identify the practice’s commercial intent,
  • Exploiting children’s inexperience, vulnerability and credulity, including by aggressive commercial practices, and
  • Payments taken from account holders without their knowledge, express authorisation or informed consent.

As a result, the OFT has established eight principles, which will apply to both apps and internet browser video games.

These new guidelines include:

  • Detailing the initial cost of a game before consumers sign up or download it
  • Making clear any additional costs that would be unavoidable if the user wishes to continue playing
  • Requiring explicit consent to take a payment
  • Disclosing any in-game marketing, either from the developer or third parties
  • Clearly identifying how the gamer may cancel any agreements they may have entered into in respect of the game
  • Making it clear how and why any personal data is collected by the program
  • Providing clear contact details should the consumer wish to lodge a complaint

The Office of Fair Trading also made it clear that developers should realise that their games appeal to children and so any language they use should assume that the ‘average consumer’ is a minor. As such, developers are warned not to use practices that could exploit a child’s inexperience or to suggest that a decision not to spend money in-game could lead to a character or other player feeling let down in some way.

In some of the worst examples of the above, the OFT discovered that players were denied promised rewards if they didn’t spend money. In one case a child was told their virtual animal was “ill” but could be cured via an in-game payment.

OFT executive director Cavendish Elithorn said,

This is a new and innovative industry that has grown very rapidly in recent years, but it needs to ensure it is treating consumers fairly and that children are protected.

These principles provide a clear benchmark for how games makers should be operating. Once they are finalised, we will expect the industry to follow them, or risk enforcement action.

The OFT has given interested parties up until 21 November to respond to the guidelines and will then publish a final revision in February 2014 ahead of enforcement action commencing from April onwards.

Whether those behind such gaming apps will take heed of the guidelines immediately remains to be seen and I suspect there will be as much resistance as consumer protection laws allow.

With there now being thousands of free and cheap apps and games, many people are becoming reticent about paying for something they may play just once. Developers are aware of this and so they look to maximise their profits in any way they can, including putting pressure on kids to ask parents to fund in-game purchases.

Ultimately, I believe the best solution to the problem of in-game spending lies not with the OFT or games makers, but with parents who need to take the responsibility of both educating their children and monitoring their use of the multiple devices they now use to connect to the worldwide shark pool.

Image of child and father on phone courtesy of Shutterstock. Image of phone and game by Flickr user Sergey Galyonkin

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SFzGjN9ypKI/

Facebook finally wins $3 million payout in Power Ventures spam lawsuit

After a five-year on-and-off court battle, Facebook has won $3 million in damages from social networking integration firm Power Ventures, and its CEO Steve Vachani.

Power Ventures lured Facebook users into handing over access to their contact lists, then spammed everyone they knew with emails urging them to join their site, the now-defunct power.com, which aimed to merge content from users’ various social networks in one central system.

The mails they spammed out to over 60,000 targets had spoofed header details so they appeared to come from facebookmail.com, and claimed to come from “The Facebook Team”, in clear violation of openness requirements in the US CAN-SPAM act.

The case was initially brought in December of 2008, and has dragged on for some time. Some additional charges including copyright infringement claims brought by Facebook were dismissed in early 2011, but the spammers were found to have violated both the CAN-SPAM act and part of California’s Computer Fraud and Abuse Act (CFAA) at another stage of the case in February 2012.

Later the same year Vachani tried to dodge a fine by filing for bankruptcy, which put the case on hold. This claim fell through earlier this year; the case came live again and has finally been put to rest with Facebook the victor to the tune of $50 per spammed email.

The cash will be unlikely to strain Facebook’s coffers much, but the CFAA violation makes an interesting precedent. The defence lawyers argued that the California statute covers accessing computers without the proper authorization and causing “damage or loss”, terms which are defined specifically for the context. They claimed the defendant’s actions hadn’t caused damage or any significant loss.

Another section of the act, however, includes prohibition of merely obtaining information, with no requirement that the information is of value. Although lawyers will doubtless go on arguing the point, this could perhaps be used to cover just about any hacking case, as “obtaining information” could include simply catching sight of something you shouldn’t have access to, let alone copying or downloading any “tangible” data.

Of course, this is only a California law, but as so many internet firms are based or do business there the local laws have some serious weight. Full details of the case can be found in the court documents covering all the proceedings.

The case highlights the problem of the huge amounts of data that social networking sites hold on their members and the complexity of who can do what with that information. Facebook itself is frequently criticised for iffy privacy rules and making inappropriate use of user data.

A study released a few weeks ago found that social networks are rife with spamming and general nastiness, with Facebook one of the most badly hit.

The report from social media brand protection firm Nexgate claims that 5% of all social media apps are “spammy”, that Facebook and YouTube see 100 times as much spam as other social systems, and that Facebook is hit by 4 times the number of phishing attacks seen elsewhere.

Overall, 1 in every 200 messages sent over social networks contains spam, and, of those, 15% contain URLs linking to other spammy content, porn or malware, according to the study.

With all this spamming going on, there’s clearly a burden of effort on everyone involved to minimise the harm it does.

Users need to make sure they’re cautious with their accounts, not deliberately granting access to their details and contact lists to third-party firms like Power Ventures.

They also need to be wary of the messages being spammed out, ignoring too-good-to-be-true offers and avoiding handing over the cash or personal details that make spamming worthwhile.

Social networking firms need to ensure their rules are well-designed and firmly policed, covering their own use of information as well as how other firms may try to abuse it. They also need to make sure devious apps and scams can’t trick users into granting access to their information unintentionally.

Facebook has done well here, in showing that people can’t go around taking advantage of its members. It will need to go a good way further to prove to its users that it itself can be trusted though.
Image of fireworks courtesy of Shutterstock.com. Facebook logo courtesy of PromesaArtStudio / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/khXgn8AV_dI/

SIM card hacker: Bug is either ‘a backdoor, gross negligence, or both’


QuotW This was the week that Karsten Nohl, the security researcher who found a way to hack into SIM cards with a single text, told El Reg that he was upset that the mobile industry seemed so unconcerned about the vulnerabilities he had reported.

He told El Reg:
We thought our story was one of white-hat hacking preventing criminal activities, but as there is no crime, there is no investigation.

Nohl said he was dismayed by the mobile industry’s lukewarm response to his revelations – and revealed to us, for the first time, exactly how he did it.

In other news, all that slab-fondling appears to have left behind a generation of clumsy lovers unable to speak the language of love, we heard this week. As if we didn’t already know.

Education Secretary Michael Gove took the opportunity to tell Britain that sending nude pictures wasn’t the way to the heart of the opposite sex (although many men would probably disagree). So what advice did Mr Lover Lover pass on to us unromantic digital natives? Write love poems, obviously. He recommended courting couples take a look at an app called Love Book, a portable collection of romantic poetry created by his chum Allie Esiri.

Gove said:

It [the Love book app] will allow children to make sense of their own feelings in a way that is more graceful, expressive and beautiful [than sexting].

Technology does not have to mean expression becomes clumsier.

And who knew more about love than Steve Jobs, who strummed the pain of fanbois with his fingers for a whole lifetime? We heard that his house was going to become a shrine for Apple fans who can flock there to think about the legacy of the iGod. But not everyone wants to be like the almighty Steve, and Amazon CEO Jeff Bezos is one of them. When asked if he was the next Jobs, Bezos said:

I think we have our own approaches and vision. Nobody would ever be the next Steve Jobs. He was a unique guy, and, you know… that’s not how I think about it. But it’s often meant as a compliment and I certainly receive it that way.

Fanbois who are desperate to see Jobs up there in heaven were given the perfect opportunity this week, when Apple Maps began directing people onto the runway of an Alaskan airport. Melissa Osborn, chief of operations at Fairbanks International Airport, said:

We asked them to disable the map for Fairbanks until they could correct it, thinking it would be better to have nothing show up than to take the chance that one more person would do this.

Don’t worry, no fanbois were hurt in the making of this article. So far just two cars have made it onto the runway – and both escaped unharmed.

We also witnessed a murder of sorts this week, after finding out that boffins wanted to kill the “leap second” added onto the end of each year so that clocks accurately reflect the time it takes the Earth to rotate.

Sysadmins are the leap second’s most implacable enemies, due to the fact that they have to update their systems every time they see one. Here’s what Robert A Nelson, a delegate at the meeting between the International Telecommunications Union and the International Bureau of Weights and Measures, had to say:

If leap seconds are eliminated from UTC, there will be no perceptible impact on social activities and conventions, but there will be significant reduction in the risk to national and international infrastructure and significant cost reduction in their implementation.

Worried about how you’re going to afford that next fondleslab? You’re in luck, because pretty soon Tesco will release their own value tablet called Hudl. Tesco chief executive Phil Clarke said:

We feel the time is right for Tesco to help widen tablet ownership and bring the fun, convenience and excitement of tablets to even more customers.

Let’s hope they don’t sport the white-and-blue Tesco Value livery. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/27/quote_of_the_week/