STE WILLIAMS

Verio And StopTheHacker Team To Offer SMBs Free Website Security Reports

CENTENNIAL, Colo., Sept. 25, 2013 /PRNewswire/ — Verio Inc., the leading provider of online business solutions to SMBs worldwide, and StopTheHacker, one of the world’s fastest growing website security companies, today announced that the two companies will be offering a free website security report to their SMB customers. To support the campaign and educate SMBs on the importance of website security, Verio will host a free webinar on October 9, 2013 on the topic of website security. To register for the webinar visit:

www.verio.com/website-security/webinar.

With 85% of all malware attacks coming from the web and an estimated 30,000+ websites infected with malware every day, it is critical for organizations of all sizes and more importantly SMBs with limited infrastructure and resources to protect and monitor their Web vulnerability and online reputation. Based on the proliferation of malware and its impact on an SMB’s online reputation, Verio is offering Website security reports, valued at $50 each, through its partnership with StopTheHacker.

“At Verio, we give security the utmost priority. Our main goals are to protect our customers’ data and to keep their sites up and running,” said Fred White, vice president of Marketing and Product Management. “However, most businesses do not realize they have a responsibility for the security of their own sites, as well. Through our relationship with StopTheHacker, we’re working to make securing their sites as easy as possible.”

With the free website security report offer, Verio aims to increase website security awareness among small businesses, and encourage customers to protect their sites by signing up for security services starting at as little as $10 per month.

“We are very excited to partner with Verio as they understand the importance of website security. We see that 90% of all the malware in the world is being distributed by legitimate small business websites,” said Ridley Ruth, vice president of Sales, StopTheHacker. “This valuable, free website security report will further serve to educate Verio’s customers to this growing problem while presenting products that will help protect them from becoming one of the over 9,500 websites that Google blacklists every day.”

To learn more about Website security and online reputation, tune into the Verio Webinar on October 9, 2013 at 1:00 p.m. EDT. To register for the Webinar visit:

www.verio.com/website-security/webinar.

Get Your Free Report

To receive your free StopTheHacker website security report, please visit www.verio.com/securityoffer. Limit one report per customer.

About Verio Inc. (www.verio.com)

Verio is the leading provider of innovative online business solutions to SMBs worldwide. Verio’s solutions provide cloud, web hosting, managed services, application hosting and SaaS that enable SMBs to drive online success. Verio is a subsidiary of NTT Communications and supports its operations with NTT’s highly reliable and scalable Global Tier-1 IP Network. Through this network, Verio provides partners and customers with access to business solutions in more than 120 datacenters worldwide. For more information, join us on Twitter @Verio, Facebook Verio or www.verio.com.

About StopTheHacker

Based in San Francisco, California, StopTheHacker is one of the tech industry’s most respected leaders: a provider of SaaS services focused on web malware, website security and reputation protection. StopTheHacker’s artificial intelligence and machine learning based technology is supported by the National Science Foundation and has won multiple awards since 2009.

StopTheHacker has become widely recognized globally, protecting website owners ranging from large multi-nationals to web hosting companies and small business owners, all who are vulnerable to malicious hacker attacks.

Article source: http://www.darkreading.com/applications/verio-and-stopthehacker-team-to-offer-sm/240161826

Data-stealing botnets found in major data brokers’ servers

A “small but very potent” botnet run by an identity theft service has tentacles reaching into computers at some of the country’s largest consumer and business data aggregators, security journalist Brian Krebs has revealed following a seven-month investigation.

The service, which sells the Social Security numbers, birth records, credit and background reports of millions of US residents, has for the past two years run at ssndob[dot]ms (Krebs calls it simply SSNDOB, and I’ll follow suit).

SSNDOB markets itself on underground cybercrime forums as “a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident”, Krebs writes, charging from 50 cents to $2.50 per record and from $5 to $15 for credit and background checks.

The transactions are carried out mostly via largely unregulated and anonymous virtual currencies, including Bitcoin and WebMoney.

The source of SSNDOB’s data remained a mystery until earlier this summer, when the service was attacked and its database raided.

The alleged attackers – teenage hackers apparently associated with the hacktivist group UGNazi – pilfered personal information for celebrities including Beyonce, Kanye West, Jay-Z, First Lady Michelle Obama, CIA Director John Brennan, and then-FBI Director Robert Mueller.

They then exposed the data on exposed.su.

Exposed.su – which has apparently been taken down – is a Soviet Union domain that lists SSNs, birthdays, phone numbers, and current and previous addresses for dozens of top celebrities, Krebs says.

KrebsOnSecurity.com obtained and reviewed the database that the hackers stole from SSNDOB.

Analysis of the networks, network activity and credentials used by SSNDOB administrators eventually revealed that they were running a botnet – i.e., a network of hacked computers that they could remotely control to carry out their dirty work.

Two of the hacked servers belonged to LexisNexis, which maintains a massive database of legal and public records-related information.

LexisNexis confirmed to Krebs that the two systems listed in an interface for the botnet – both public-facing LexisNexis servers – had been compromised, while the botnet’s dashboard indicates that the infection was planted as far back as 10 April 2013.

Two more compromised servers were located inside the networks of Dun & Bradstreet, a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management, Krebs writes.

The botnet administration panel shows the Dun & Bradstreet machines as having been infected at least as far back as 27 March 2013.

A fifth server on the botnet was located at internet addresses assigned to Kroll Background America, a company that provides employment background, drug and health screening, Krebs reports.

The company has since been taken over by HireRight, a background-checking firm managed by Altegrity, a holding company that owns both the Kroll and HireRight properties.

The Kroll/HireRight machine’s takeover extends back to at least June 2013.

LexisNexis confirmed to Krebs that its servers did in fact appear to have been compromised starting in April but that the company didn’t find any evidence that “customer or consumer data were reached or retrieved” from the breached systems. It’s still investigating the breach.

For its part, Dun & Bradstreet said that it’s investigating, but it gave no further details. Altegrity declined to confirm or deny the apparent breaches.

The FBI confirmed to Krebs that it’s “aware of and investigating this case” but declined to comment further except to say that the investigation is ongoing.

Beyond PII

Beyond the potential loss of personally identifiable information (PII) that can be used to perpetrate identity theft, something far more valuable is at stake, fraud experts told Krebs.

Namely, the breached firms have control of massive amounts of data about consumers’ and businesses’ habits and practices – a collection of data known in the industry as knowledge-based authentication (KBA) that’s used to determine how likely it is that a given credit application is valid or fraudulent, mostly based on how accurately an applicant answers a set of questions about their financial and consumer history, Krebs writes.

Avivah Litan, a fraud analyst with Gartner, told Krebs that KBA has become “the gold standard of authentication” among nearly all credit-granting institutions:

Let’s say you’re trying to move money via online bank transfer, or apply for a new line of credit… There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, “What was your previous address?” or “Which company services your mortgage?”

They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.

Litan says that Dun & Bradstreet does more or less the same thing for businesses.

Paradoxically and problematically, the people who fail to answer some of the questions are likely legitimate customers who simply don’t remember the answers, Litan said, whereas the criminals are the ones breezing through, since they have the data right at hand.

She told Krebs this story, heard from a fellow fraud analyst who had the chance to eavesdrop when a mortgage lender was asking KBA questions of a credit applicant who was later determined to have been a crook:

The woman on the phone was asking the applicant, “Hey, what is the amount of your last mortgage payment?”, and you could hear the guy on the other line saying hold on a minute… and you could hear him clicking through page after page for the right questions.

In fact, Litan told Krebs, the death knell is likely tolling for KBA.

That’s probably a good thing, given that she and others have been saying for years that the major KBA providers have been compromised.

The problem, she says, is that we just don’t have any good alternatives that are easy to implement. We lack a sufficient software alternative.

Nor are there biometric identifiers ready to be rolled out for use by the entire US population at this point, and perhaps there never will be.

As always, Krebs’ report is thorough and fascinating, so please do give it a read. He offers tons more detail on the investigation, including, for example, the finding that the identity theft service has served more than 1.02 million unique Social Security numbers to customers and nearly 3.1 million date of birth records since its inception in early 2012.

What he doesn’t offer, of course, is an alternative to the KBA on which these data brokers rely.

That’s a problem that needs time and serious work to figure out, Litan has written.

In the meantime, she says, service providers must be made aware that they can’t count on “the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.”

One stark example of this that received much media attention was that of Mat Honan, the journalist whose Twitter account went berserk and whose devices were wiped after a fraudster called up Apple support and tricked them into handing over control to his iCloud account in August 2012.

How do you defend against such knowledge-dependent attacks?

It’s hard, as Paul Ducklin notes in his writing about Honan.

KBA attacks seem to be harder still, given the wealth of information to be stolen from data brokers.

Entrepreneurs, there’s a big, fat, potentially very profitable business opportunity waiting for you.

Oh, and while Cybersecurity Awareness Month in the US doesn’t start until next week, there’s no reason to delay getting rid of potential zombies (bot infections) on your own computer.

Remember that while this botnet is particularly valuable to the crooks because the infected computers are inside networks with juicy content, any zombified computer is a usable and useful tool for cybercriminals.

Be part of the solution, not part of the problem!

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as Troj/Delf-FPW.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iuIggGLcNWM/

"Mailbox" app on iPads and iPhones runs JavaScript from emails

Italian computer scientist Michele Spagnuolo recently wrote about what he considered a security issue in Dropbox’s popular iPhone and iPad email app Mailbox.

His report is extremely simple to describe: the Mailbox app runs any JavaScript that appears in the content of an HTML email.

And that’s the long and short of it.

Spagnuolo has street cred as a security researcher, including a recent Google reward of $3113.7 (he won the larger sum of $5000 the month before that, though it doesn’t sound so cool), but not everyone seems happy about his “vulnerability.”

Over on self-styled alpha geek technology website Ars Technica, Spagnuolo has had a bit of a hammering from some commenters.

They’re saying, “So what?”

Almost every web page, like almost every email, is in HTML, and web sites are packed with JavaScript – in fact, JavaScript was developed to jazz up HTML, and the modern web simply wouldn’t work without it.

We know there are risks, notably that JavaScript makes it easy for cybercrooks to hide malicious content in web pages so that it springs into play only at the last possible moment.

→ Malicious JavaScript is often heavily obfuscated (deeply and cunningly disguised) so that while it is in transit across the internet, it looks like shredded cabbage. When loaded into, and executed by, your browser, it unscrambles itself to produce or download more malevolent content. This often includes additional scripts, which may themselves be heavily obfuscated, and so on.

But no-one is reporting JavaScript as a vulnerability to the browser makers.

Sure, some of us like and use tools like NoScript that heavily regulate the execution of JavaScript while we browse, but we’re not seriously suggesting that JavaScript be banned outright from all web pages.

Imagine if you banned JavaScript. No Facebook! No Outlook.com! No interactive doodles on Google! No YouTube!

Therefore, the naysayers are confronting Spagnuolo with remarks along the lines of, “Sensationalist claptrap. This is not a vulnerability. This is Web 2.0. Nothing to see here. Move on.”

The fact is, however, that few, if any, modern email clients execute JavaScript in email, at least not by default.

Even webmail sites, which rely utterly on JavaScript in their own web pages, suppress JavaScript inside the emails they display for you.

And, do you know what?

Spagnuolo is right, and so is that almost-unanimous majority of email software: JavaScript in email shouldn’t be executed, and that’s that.

So now the question is, “Why?”

Why should we consider JavaScript unexceptional in web pages, but dangerous in the body of an email?

I was interested to know what various experts and educators thought, so I set about looking and asking around.

Here’s colleague and fellow Naked Security writer Mark Stockley on the issue:

I think context is everything. Email is reading something on your computer whereas using the web is more like reading something on somebody else’s computer. They’re functionally no different but I think the underlying mental models are very different. The difference between the mental model and reality is a gap into which security problems can sprout.

Stephen Chapman, advisor and educator, writing on About.com:

With web pages it is the person browsing the web who decides which web pages that they visit… With emails it is the sender who has the most control over what emails are sent and the recipient has less control. Because emails that we don’t want can get through our spam filter we want the emails that we do see to be made as harmless as we can.

And an anonymous commenter on Quora.com, replying to someone who had asked that very same “Why?”:

I think it’s simply that people don’t want more interactive emails. Most person-to-person email is text-based: other than maybe some HTML formatting, people send email to each other via written paragraphs, maybe with a picture attachment or two… Since email is pushed onto the user, it makes sense that the content being pushed is as unintrusive as possible.

There are other important reasons, too.

Perhaps the most significant is what browsers call the same origin policy.

This basically says that scripts are limited to reading data from, and sending data to, the same source as the page they’re running in.

By this restriction, for example, scripts on your favourite social networking site can’t see or use the session cookies set by your webmail client; data uploaded via a page on a technical support site can’t inadvertently be sent somewhere else; and so forth.

But how would you decide the “same origin” for an email you’d received?

How would you usefully limit the behaviour of JavaScript inside an email body, short of limiting it completely by not executing it at all?

For webmail, the same origin policy is even trickier: if you allowed JavaScript in email, cybercriminals would be able to inherit the origin of your webmail domain in scripts they sent in from anywhere, which would be a security disaster.

Dropbox, to whom the Mailbox.app belongs, seems to agree, albeit not unreservedly: this morning, the company announced that it would strip out JavaScript before delivering emails to mobile devices.

[T]oday we implemented a process that strips javascript from messages before delivering them to mobile devices.

That’s one security measure, of course, but it’s nowhere near as good as adapting your app so it refuses to execute JavaScript altogether, even if it does get through your scrubbing filters.

→ This reasoning, defence in depth, is why running an email spam filter to strip malicious attachments isn’t a substitute for endpoint anti-virus, but a complement to it. To be fair: Dropbox may be planning a two-pronged fix, but updating an app on the App Store is not an instantaneous process.

Sadly, when Spagnuolo went to validate Dropbox’s claims, he found that although JavaScript is supposed to be scrubbed, the filters could easily be bypassed.

And, since the Mailbox app still runs JavaScript if it doesn’t get filtered out, we’re back to Step One.
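The point about scrubbing versus refusing to execute can be made concrete. The following is an added example, not code from Dropbox, Mailbox or Spagnuolo: a deny-list filter that deletes `<script>` elements is set beside an allow-list sanitizer that rebuilds the message from a short list of permitted tags and attributes, so anything it does not know about never reaches the renderer. The sample email is constructed for the demonstration; `runMe()` stands in for any script.

```python
"""Deny-list script stripping versus allow-list sanitising of HTML email.

Added example (not Mailbox's code). The email below is constructed.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample: the script lives in a <script> element, in an event
# handler attribute, and in a javascript: URL. The last link is legitimate.
SAMPLE_EMAIL = (
    '<p>Hi, your <b>invoice</b> is attached.</p>'
    '<script>runMe()</script>'
    '<p onmouseover="runMe()">Hover here</p>'
    '<a href="javascript:runMe()">Click</a>'
    '<a href="https://example.com/pay">Pay</a>'
)

# --- Approach 1: deny-list. Delete <script>...</script> and nothing else. ---
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def strip_script_tags(message: str) -> str:
    """Removes the script elements it recognises; leaves every other construct."""
    return SCRIPT_RE.sub("", message)


# --- Approach 2: allow-list. Keep only known-presentational pieces. ---
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}                 # no event handlers anywhere
ALLOWED_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}          # their text is not prose


class AllowListSanitizer(HTMLParser):
    """Re-emits the input from permitted tags, attributes and escaped text only."""

    def __init__(self) -> None:
        super().__init__()            # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip_depth = 0           # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                    # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue              # unknown attribute: never emitted
            if name == "href" and not value.strip().lower().startswith(ALLOWED_URL_SCHEMES):
                continue              # unknown URL scheme: link text stays, href goes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def sanitize_allow_list(message: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(message)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("deny-list :", strip_script_tags(SAMPLE_EMAIL))
    print("allow-list:", sanitize_allow_list(SAMPLE_EMAIL))
```

The deny-list output still carries the `onmouseover` handler and the `javascript:` link, which a client that executes JavaScript will happily run; the allow-list output contains nothing the renderer was not explicitly permitted to see.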

By the way, my opinion is that I don’t want JavaScript to run at all in my email client, so I agree with Mr Spagnuolo.

What do you think? Is this a vulnerability of sorts? Or a fuss about nothing?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q7_IGM8nZ_4/

22 Hours: Average Time It Takes Malware Distributors To Exploit News Events

Berlin, September 26, 2013 – Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact, the Research Team of Eleven, leading German e-mail security provider, now sees instances of criminals inventing “breaking news” that appears to relate to high-profile current events.

The Eleven Research Team continually analyzes malicious campaigns that exploit breaking news using the CNN name and other prominent news outlets to lure email recipients to malicious sites. The average time between an actual news event and its exploitation hovered around 22 hours during the last three months.

On Friday, September 6, malware distributors invented fake news designed to take advantage of public interest in the possibility of a U.S. airstrike against Syria. The emails used the subject line, “The United States Began Bombing,” and were crafted to appear as a legitimate CNN news alert. It is an example of the cybercriminal community harnessing the interest and anxiousness about current events to increase the success of their malicious campaigns.

Prior to the Syria-related example, the average start time for a virus attack was already decreasing. In March 2013, when the new Pope was elected, the first malware and phishing attacks began after 55 hours. In April 2013, after the Boston Marathon bombing, it took 27 hours to see the first related attacks exploiting interest in the event. Further examples include the newborn royal baby and news about the NSA whistleblower Edward Snowden. But examples such as the recent Syria-related campaign in September show that spammers are not waiting around – they are becoming even “faster” than the events themselves.

Each month, the research team of Eleven, leading German e-mail security provider, presents the “Number of the Month” – a number representing and illustrating a current issue or trend in Internet security.

Eleven on Twitter: http://www.twitter.com/elevensecurity

Eleven – Integrated Message Security

Leading German e-mail security provider Eleven is a pioneer in the field of managed e-mail security and offers products and services for protecting e-mail infrastructures for companies, ISPs, and public institutions. The company, founded in 2001 and headquartered in Berlin, specializes in cloud-based managed e-mail security. In addition, Eleven also offers in-house software and white-label solutions as well as SDKs for OEM partners.

Eleven examines and filters over one billion e-mails every day. Globally, Eleven solutions protect over 45,000 companies. Eleven customers include Internet service providers such as 1&1, T-Online, Freenet, and O2 as well as renowned corporations and organizations such as Air Berlin, BMW, the Federal Association of German Banks, DATEV, the Free University Berlin, Porsche, RTL Television, SAP, and ThyssenKrupp. Eleven is part of the globally active Internet security provider Commtouch (NASDAQ: CTCH). For more information, visit our website at: http://www.eleven.de.

Article source: http://www.darkreading.com/vulnerability/22-hours-average-time-it-takes-malware-d/240161855

Facebook wants to auto-fill your credit card details – would you trust it? [POLL]

On Monday night, a very hush-hush Facebook tiptoed into testing an “Autofill with Facebook” feature – autofill your credit card information, that is – that it will begin rolling out to some users this week, according to The Verge.

According to sources familiar with the company’s plans, the new payments product will allow online shoppers to make purchases on mobile apps using their Facebook login, AllThingsD reports.

Wait, you say – Facebook has my credit card information? Where did it get it from? The NSA?

No, no, no, Facebook doesn’t have your credit card details. As far as I know. Yet. Unless you’ve already given it to them, that is, to buy e-sheep or whatever on FarmVille or some such Facebook app, you crazy e-farming nut, you.

If you have given Facebook your credit card information, you’ll be able to buy things on partnering e-commerce mobile apps without having to enter your billing information – instead, you’ll be able to use your Facebook account to fill it in for you.

Facebook told The Verge that Facebook Login will not be required for Autofill to pop up, but that users will need to be logged into the Facebook app on their device and have their card already on file with the network in order to see it.

AllThingsD says that Facebook has been testing the payment feature with “a handful” of retail partners. Only a small group of users now have the feature enabled and can only use the new “Autofill with Facebook” through apps from two pilot partners: clothing retailer Jack Threads and photo printer Mosaic.

Facebook will reportedly scale up the service as it continues testing and as it signs on more retail partners.

Is Facebook looking to replace PayPal or to compete with its payment services brethren – Google Wallet, Amazon, ProPay, Square, or startups such as Braintree, Stripe and Klarna?

Sucharita Mulpuru, a retail analyst at Forrester Research, told AllThingsD that it sure sounds that way.

Facebook might be playing coy, but for what it’s worth, it told AllThingsD that no, no, that’s crazy, given how tight its relationship is with PayPal. For now, it’s focused on simplifying checkout, with a setup that will still allow partnering commerce companies to work with whatever payment processor they like.

After all, as all the payment services providers well know, entering payment information on our dinky little devices is a bit of a pain.

As its name suggests, the feature appears to simply fill information into existing forms, rather than completely taking over the process of checkout.

But would anyone actually trust Facebook with their financial information?

No, Mulpuru told AllThingsD:

Nobody trusts social networks with their financial information, and they are certainly not going to trust Facebook. … Maybe they have a few million people that have bought something on things like FarmVille, but that does not a network make.

A commenter on the Verge story, Tuan X, pointed out that it’s not appropriate to freak out, given that the PayPal-ish, Google Wallet-esque service is opt-in:

Well the plus with all of these services is that everything is an option! Sometimes people get out of hand thinking Facebook or whomever is trying to steal their life identity when they, 91.3% of the time, don’t have any info that they haven’t given them themselves.

Thank you for the reminder, Tuan X, but I’m instead opting for full, adrenalin-overdose, skin-tingling freakout on this one.

If this stays opt-in, then fine. Go forth, Facebook, and feast upon the valuable in$ight you and your advertisers will undoubtedly glean from the types of products and services your users buy off of Facebook.

But Facebook has never shown much taste for opt-in. We see that repeatedly.

The most recent example is a proposed privacy policy change that would rubber-stamp the use of teenagers’ names, images and personal information to endorse products in advertisements, with Facebook declaring that it’s going to deem teens’ presence on Facebook as meaning that their parents or legal guardians have agreed that commercial use of their tots is all fine and dandy.

Will Facebook someday require us to hand over credit card information to get or maintain our accounts?

It sounds far-fetched. Maybe that’s a paranoid idea.

Maybe the only thing we have to look forward to, at least in the near future, is the prospect of Facebook handling part of the mobile payment process.

What could possibly go wrong?

Please share your rants, screams of terror and maniacal laughter in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WJkz1SENEKI/

Siri offers the latest backdoor into your iPhone – just ask nicely!

We really didn’t want to write another Apple iOS 7 story.

With two lockscreen holes and a fingerprint sensor that can be fooled with woodglue, we thought we’d given diehard iPhone fans a horse that was already dangerously high enough for them not to get down from. [I think you have mixed more than a metaphor there, Ed.]

For example, we chose not to cover the fact that the New York Police Department were handing out flyers over the weekend advising residents of the Big Apple to take Even Bigger Apple’s advice, and to upgrade to iOS 7 as soon as possible for security reasons.

We weren’t entirely sure that we agreed with New York’s Finest there, not least because we’d already gone so far as to suggest that you might want to consider sticking at iOS 6.1.3 until the lockscreen holes were fixed.

But we didn’t want to enter a public wrangle with a concept we agree with strongly in principle.

Cybersecurity is important to and for everybody, not only for privacy reasons, but also as an aspect of crime prevention, so it is great to see beat cops trying to get people interested in it.

However, as you’ve no doubt noticed, this is another Apple iOS 7 story, and it’s yet another tale of woe at the lockscreen.

All about Siri

With Naked Security readers saying to us, “Ha! Did you hear about Siri?”, we could hardly let this one go.

We’ve written before about Siri, Apple’s voice control system.

Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

The company also retained both your audio data and transcripts of what you said “for a period of time” so that Apple could “generally improve” its products and services.

IBM famously banned Siri precisely because it didn’t want unspecified transcripts of employees’ musings lying around at Apple, and with all the recent fuss about internet surveillance, that may have been a prescient move.

Secondly, we covered Siri because of lockscreen problems, where locking crooks out of the keyboard and the touch interface didn’t stop them asking your phone to bypass its own security.

Seems like déjà vu all over again.

There’s a video going around, for example, from a company called Cenzic, apparently showing Siri blocking a Facebook post with a feminine-sounding equivalent of HAL’s infamous “I’m sorry, Dave, I’m afraid I can’t do that” from 2001: A Space Odyssey.

But immediately afterwards, following some modest Home button “hacking” (a feat that seems to be no more complex than holding the Home button down for a while), Siri complies politely and quickly with an almost identical request.

And a Naked Security commentator suggests:

Industry reaction has been interesting, with one publication actually using the words “access is limited,” as though there were little cause for concern, before confirming that the “limitations” apparently don’t prevent you sending email, or posting to the user’s social networks.

Oh, and you can call anywhere, just as you can with the “emergency call” hole.

What to do?

There’s a workaround: disallow Siri from the lockscreen, by heading to Settings|General|Passcode Lock and turning off Allow access when locked for Siri. (Why, oh why, is that not the default?)

You could go one step further, of course, and follow IBM’s lead by turning off Siri altogether.

There are some things that HAL’s smooth-sounding stepsister just doesn’t need to hear.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZJhxkLdfs5g/

Using heartbeats as passwords to secure medical devices

It is time to start thinking of our hearts as random number generators. That’s so they can serve as passwords to secure medical devices that are vulnerable to hacking, researchers at Rice University have proposed.

In their paper on the authentication technique – called Heart-to-Heart (H2H) – the researchers note that the use of implantable medical devices (IMDs) is growing in the US: for example, each year, over 100,000 patients receive implantable cardioverter defibrillators that detect dangerous heart rhythms and administer electric shocks to restore normal activity.

Other IMDs – a category that includes devices either partially or fully implanted into patients’ bodies – include pacemakers, neurostimulators, and insulin or other drug pumps.

The researchers at the US university in Houston, Texas, say that H2H addresses a fundamental tension between two critical requirements for IMDs:

  • Emergency responders have to be able to swiftly reprogram or extract data from the devices, lest treatment delays prove fatal to patients as they hunt for keys or passwords, and
  • The devices’ wireless access must be protected from hackers who might harm patients or expose their medical data.

The researchers – Rice electrical and computer engineer Farinaz Koushanfar, graduate student Masoud Rostami, and collaborator Ari Juels, former chief scientist at RSA Laboratories – describe H2H as implementing a “touch-to-access” control policy.

H2H involves a medical instrument that the researchers generically call a programmer. This is allowed to wirelessly access a patient’s medical device only when it has direct contact with a patient’s body.

A medical technician uses the programmer to pick up a waveform generated by the patient’s beating heart – i.e., an electrocardiogram (ECG) signature.

The external device – that is, the programmer – compares the ECG details with the internal medical device. Only if the signals collected by both at the same time match up is access granted.

Rostami told Softpedia’s Eduard Kovacs that, in essence, given a heartbeat’s variability, the heart can function as something of a random number generator:

The signal from your heartbeat is different every second, so the password is different each time. You can’t use it even a minute later.

Hacking of medical devices is, at this point, demonstrably feasible.

The US government in October 2012 told the US Food and Drug Administration (FDA) to finally start taking medical device security seriously, whether we’re talking about intentional hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

In June 2013, the FDA complied, calling on medical device manufacturers and health care facilities to start addressing medical devices’ vulnerability to cyberattack.

Koushanfar and Rostami will present the system in November at the Conference on Computer and Communications Security in Berlin.

Before we see H2H debut, it will need to obtain FDA approval. After that, it’s up to medical device manufacturers to adopt the technology.

It’s a fascinating approach to authentication.

My insulin pump and I look forward to seeing whether it wins approval and achieves adoption in the medical device industry.

After that, who knows?

Perhaps our beating hearts will someday be a viable alternative to the easily guessable, completely hackable security questions that are now used to supposedly verify that we are, indeed, who we say we are.

Image of heartbeat courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/j77VoqF9kV4/

Recycled Yahoo email addresses still receiving messages for previous owners – passwords included

Yahoo announced in June 2013 that it was going to recycle inactive email addresses by giving them to other users who wanted them.

Addresses and Yahoo IDs that had been inactive for at least a year would be reset, in the hope of allowing someone with an awkward address, such as johnsmith4737, the opportunity to grab something far more desirable, like plain johnsmith.

About a month ago the company began to inform successful users of their new email addresses, and set up a $1.99 watchlist for those who wanted to monitor up to five IDs and receive notification if they became available.

Security experts and other critics raised concerns about Yahoo’s plan at the time.

Yahoo, however, was keen to downplay security concerns, saying:

To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.

Unfortunately, however, some new owners of recycled accounts have nevertheless received messages of a sensitive nature.

InformationWeek, for example, has reported the cases of three users who received messages intended for the previous owners of their accounts.

At the outset, they received spam, but soon afterwards started to receive messages that contained PII – that’s “Personally Identifiable Information”, grist to the mill of identity thieves.

Tom Jenkins, an IT security professional, said he had received emails that contained account details and much more:

I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.

Other users of recycled accounts were sent emails about recent purchases, court information, and even funeral information.

Dylan Casey, senior director of Consumer Platforms at Yahoo, played down the extent of the problem, saying that:

We take the security and privacy of our users very seriously. We have heard from a very small number of users who have received emails through other third parties which were intended for the previous account holder.

Casey also added that Yahoo is continuing to encourage companies to implement its Require-Recipient-Valid-Since (RRVS) email header system in order to minimise such occurrences in the future.

Yahoo’s hope is that more companies will add the RRVS header to password reset and other sensitive emails so that Yahoo can check the age of the email account before delivering the message to the account holder.

If the account ages don’t match the email would be bounced back to the sender who would then be expected to make contact via other channels.
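The receiver-side check described above, as an added example that is not Yahoo’s code: a minimal RRVS evaluator. It assumes the header form standardised in RFC 7293 (address, semicolon, RFC 5322 date) and uses a constructed in-memory table of “current owner since” dates in place of a real user database; ignoring a malformed header is this example’s policy choice, not a rule from the page.

```python
"""Receiver-side evaluation of a Require-Recipient-Valid-Since (RRVS) header.

Constructed example. Header layout follows RFC 7293:
    Require-Recipient-Valid-Since: user@example.com; Fri, 15 Mar 2013 10:00:00 +0000
The sender asserts it last confirmed the address belonged to its user at that
date; the receiver compares it with the date the *current* owner took over.
"""
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed stand-in for the provider's database: when the current owner
# took possession of each mailbox. A recycled address carries the recycle date.
ACCOUNT_OWNED_SINCE = {
    "johnsmith@example.com": parsedate_to_datetime("Sun, 15 Sep 2013 00:00:00 +0000"),  # recycled
    "alice@example.com": parsedate_to_datetime("Mon, 01 Feb 2010 00:00:00 +0000"),      # never recycled
}


def parse_rrvs(header_value):
    """Return (address, confirmed_at) from an RRVS header value, or None if malformed."""
    if ";" not in header_value:
        return None
    addr, _, date_part = header_value.partition(";")
    try:
        when = parsedate_to_datetime(date_part.strip())
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # treat a date without zone as UTC so comparisons work
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def rrvs_decision(recipient, header_value):
    """Return ('deliver' | 'bounce', reason) for a message carrying an RRVS header.

    Bounce when the mailbox changed hands *after* the sender last confirmed it:
    that is exactly the recycled-address case, where a password reset would
    otherwise land with a stranger.
    """
    parsed = parse_rrvs(header_value)
    if parsed is None:
        return "deliver", "malformed RRVS header, ignored"  # example policy: treat as absent
    addr, confirmed_at = parsed
    if addr != recipient.lower():
        return "deliver", "RRVS header names a different address"
    owned_since = ACCOUNT_OWNED_SINCE.get(recipient.lower())
    if owned_since is None:
        return "bounce", "unknown mailbox"
    if owned_since > confirmed_at:
        return "bounce", "mailbox changed owner after sender's confirmation date"
    return "deliver", "current owner predates sender's confirmation"
```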

For now, I recommend logging into your Yahoo account every six months or so in order to ensure that you retain control over it.

This could be especially important if you signed up to claim your own name or your company’s name, or if you use the account as a backup address for password resets.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KmY4XT1KEN8/

Data-stealing botnets found in major public record holders’ servers

A “small but very potent” botnet run by an identity theft service has tentacles reaching into computers at some of the country’s largest consumer and business data aggregators, security journalist Brian Krebs has revealed following a seven-month investigation.

The service, which sells the Social Security numbers, birth records, credit and background reports of millions of US residents, has for the past two years run at ssndob[dot]ms (Krebs calls it simply SSNDOB, and I’ll follow suit).

SSNDOB markets itself on underground cybercrime forums as “a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident”, Krebs writes, charging from 50 cents to $2.50 per record and from $5 to $15 for credit and background checks.

The transactions are carried out mostly via largely unregulated and anonymous virtual currencies, including Bitcoin and WebMoney.

The source of SSNDOB’s data remained a mystery until earlier this summer, when the service was attacked and its database raided.

The alleged attackers – teenage hackers apparently associated with the hacktivist group UGNazi – pilfered personal information for celebrities including Beyonce, Kanye West, Jay-Z, First Lady Michelle Obama, CIA Director John Brennan, and then-FBI Director Robert Mueller.

They then exposed the data on exposed.su.

Exposed.su – which has apparently been taken down – is a Soviet Union domain that lists SSNs, birthdays, phone numbers, and current and previous addresses for dozens of top celebrities, Krebs says.

KrebsOnSecurity.com obtained and reviewed the database that the hackers stole from SSNDOB.

Analysis of the networks, network activity and credentials used by SSNDOB administrators eventually revealed that they were running a botnet – i.e., a network of hacked computers that they could remotely control to carry out their dirty work.

Two of the hacked servers belonged to LexisNexis, which maintains a massive database of legal and public records-related information.

LexisNexis confirmed to Krebs that the two systems listed in an interface for the botnet – both public-facing LexisNexis servers – had been compromised, while the botnet’s dashboard indicates that the infection was planted as far back as 10 April 2013.

Two more compromised servers were located inside the networks of Dun & Bradstreet, a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management, Krebs writes.

The botnet administration panel shows the Dun & Bradstreet machines as having been infected at least as far back as 27 March 2013.

A fifth server on the botnet was located at internet addresses assigned to Kroll Background America, a company that provides employment background, drug and health screening, Krebs reports.

The company has since been taken over by HireRight, a background-checking firm managed by Altegrity, a holding company that owns both the Kroll and HireRight properties.

The Kroll/HireRight machine’s takeover extends back to at least June 2013.

LexisNexis confirmed to Krebs that its servers did in fact appear to have been compromised starting in April but that the company didn’t find any evidence that “customer or consumer data were reached or retrieved” from the breached systems. It’s still investigating the breach.

For its part, Dun & Bradstreet said that it’s investigating, but it gave no further details. Altegrity declined to confirm or deny the apparent breaches.

The FBI confirmed to Krebs that it’s “aware of and investigating this case” but declined to comment further except to say that the investigation is ongoing.

Beyond PII

Beyond the potential loss of personally identifiable information (PII) that can be used to perpetrate identity theft, something far more valuable is at stake, fraud experts told Krebs.

Namely, the breached firms have control of massive amounts of data about consumers’ and businesses’ habits and practices – a collection of data known in the industry as knowledge-based authentication (KBA) that’s used to determine how likely it is that a given credit application is valid or fraudulent, mostly based on how accurately an applicant answers a set of questions about their financial and consumer history, Krebs writes.

Avivah Litan, a fraud analyst with Gartner, told Krebs that KBA has become “the gold standard of authentication” among nearly all credit-granting institutions:

Let’s say you’re trying to move money via online bank transfer, or apply for a new line of credit… There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, “What was your previous address?” or “Which company services your mortgage?”

They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.

Litan says that Dun & Bradstreet does more or less the same thing for businesses.

Paradoxically and problematically, Litan said, the people who fail to answer some of the questions are likely those who simply don’t remember the answers, whereas the criminals breeze through, since they have the data right at hand.

She told Krebs this story, heard from a fellow fraud analyst who had the chance to eavesdrop when a mortgage lender was asking KBA questions of a credit applicant who was later determined to have been a crook:

The woman on the phone was asking the applicant, “Hey, what is the amount of your last mortgage payment?”, and you could hear the guy on the other line saying hold on a minute… and you could hear him clicking through page after page for the right questions.

In fact, Litan told Krebs, the death knell is likely tolling for KBA.

That’s probably a good thing, given that she and others have been saying for years that the major KBA providers have been compromised.

The problem, she says, is that we just don’t have any good alternatives that are easy to implement. We lack a sufficient software alternative.

Nor are there biometric identifiers ready to be rolled out for use by the entire US population at this point, and perhaps there never will be.

As always, Krebs’ report is thorough and fascinating, so please do give it a read. He offers tons more detail on the investigation, including, for example, the finding that the identity theft service has served more than 1.02 million unique Social Security numbers to customers and nearly 3.1 million date of birth records since its inception in early 2012.

What he doesn’t offer, of course, is an alternative to the KBA on which these data brokers rely.

That’s a problem that needs time and serious work to figure out, Litan has written.

In the meantime, she says, service providers must be made aware that they can’t count on “the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.”

One stark example of this that received much media attention was that of Mat Honan, the journalist whose Twitter account went berserk and whose devices were wiped after a fraudster called up Apple support in August 2012 and tricked them into handing over control of his iCloud account.

How do you defend against such knowledge-dependent attacks?

It’s hard, as Paul Ducklin notes in his writing about Honan.

KBA attacks seem to be harder still, given the wealth of information to be stolen from data brokers.

Entrepreneurs, there’s a big, fat, potentially very profitable business opportunity waiting for you.

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as Troj/Delf-FPW.

Image of Social Security theft, credit history and fingerprint security courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xBdiNe-5Vyk/

Icefog hit-and-run hackers uncovered in Asia


Kaspersky Lab has uncovered a new APT campaign aimed at pilfering secrets from governments and from supply-chain, industrial, military, media and technology companies in Japan and South Korea.

Icefog features many of the key attributes of targeted attacks, including the spear phishing email lure to gain a foothold in the victim’s network; the use of malware which exploits known vulnerabilities; and the nabbing of email credentials and system passwords to move laterally inside the organisation.

However, where Icefog differs is that attacks are more laser focused and shorter lived than typical APTs, according to Kaspersky Lab.

The vendor had the following in its report:

Perhaps one of the most important aspects of the Icefog C&Cs is the “hit and run” nature. The attackers would set up a C&C, create a malware sample that uses it, attack the victim, infect it, and communicate with the victim machine before moving on. The shared hosting would expire in a month or two and the C&C disappears.

The nature of the attacks was also very focused – in many cases, the attackers already knew what they were looking for. The filenames were quickly identified, archived, transferred to the C&C and then the victim was abandoned.

In addition, the Icefog backdoor set – created for both Windows and Mac – is directly controlled by the attackers and its latest version is “operated by the attackers to perform actions directly on the victim’s live systems”, rather than automatically lifting data, the report added.

After sinkholing 13 of the domains used, Kaspersky said it saw connections coming from victims in a range of countries including the US, Canada, Australia and UK, but most originated in Asia.

Based on the more reliable analysis of the C&C servers used in the targeted attacks, spear phishing examples and other data collected during our research, we believe that the primary targets of the Icefog operations were in South Korea and Japan.

In total, Kaspersky spotted more than 3,600 unique infected IPs and several hundred victims.

The Icefog gang apparently tried to hit defence contractors Lig Nex1 and Selectron; shipbuilding firms such as DSME Tech and Hanjin Heavy Industries; telecom operators such as Korea Telecom; and media companies including Fuji TV and the Japan-China Economic Association.

Kaspersky declined to say which of those attacks was successful but it did reveal that the Icefog gang was responsible for a 2011 online attack on members of the Japanese Diet, which was thought at the time to come from China.

Although some messages and code comments in the malware used were in Chinese, Kaspersky declined to publicly blame state-sponsored actors from the Middle Kingdom, and claimed the gang was also based in Japan and South Korea. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/