Prolexic Shares Best Practices for Protecting E-Commerce Sites Against Q4 DDoS Attacks

HOLLYWOOD, FL – (September 19, 2013) – Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, announced today that it has released a number of best practices that firms operating e-Commerce websites can implement to reduce the impact of cyber attacks.

In a new Executive Series white paper, “Safeguarding e-Commerce Revenues from DDoS Attacks in Q4,” Prolexic advises online retailers to be on high alert for DDoS attacks in Q4. Extended site downtime and the resulting inability to make sales and process online orders during the holiday shopping period, including Black Friday and Cyber Monday, can significantly jeopardize Q4 revenues for e-tailers.

Prolexic expects DDoS attacks against e-Commerce sites to increase in size and intensity this fourth quarter, based on previous attack events noted in the company’s “Q4 2012 Quarterly Global DDoS Attack Report.” In Q4 last year, the most active quarter of the year, Prolexic mitigated attacks that reached more than 50 Gbps directed against clients in e-Commerce, financial services and SaaS markets. The average attack duration was 32.2 hours, a crippling duration in e-Commerce.

“Past experience shows that online retailers must take seriously the increased threat of DDoS and other cyber-attacks during the holiday shopping season,” said Stuart Scholly, president of Prolexic. “Online shoppers have many options, and if they can’t readily conduct business with you, they will quickly turn to competitors instead. This white paper offers insight about the current DDoS threat landscape and provides a clear blueprint for building a stronger DDoS defense, so you can avoid downtime and support sales.”

This executive series white paper addresses the escalating cyber threats targeting e-Commerce sites and recommends best practices for protecting online retailers against loss of sales and revenue, damaged brand reputation, and reduced customer confidence due to DDoS. Prolexic also reveals key warning signs that a website could be targeted for a denial of service attack and concludes with best practice recommendations for making DDoS mitigation a part of a disaster recovery plan. The white paper is available to the public at www.prolexic.com/safeguarding.

The white paper also provides a link to PLXplanner, Prolexic’s free, online DDoS protection and planning tool. PLXplanner helps e-Commerce sites understand their vulnerabilities for a denial of service attack, as well as provides recommendations on how to strengthen their DDoS defense. PLXplanner is available at www.prolexic.com/plxplanner.

About Prolexic

Prolexic Technologies is the world’s largest, most trusted Distributed Denial of Service (DDoS) protection and mitigation service provider. Able to absorb the largest and most complex DDoS attacks ever launched, Prolexic protects and restores within minutes mission-critical Internet-facing infrastructures for global enterprises and government agencies. Ten of the world’s largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel, hospitality, gaming and other industries at risk for DDoS attacks rely on Prolexic for DDoS protection. Founded in 2003 as the world’s first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida, and has DDoS scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit prolexic.com, and follow us on LinkedIn, Facebook, Google+ and @Prolexic on Twitter.

Article source: http://www.darkreading.com/vulnerability/prolexic-shares-best-practices-for-prote/240161539

Ahoy, me hearties!

Check your almanacks, for today be International Talk Like a Pirate Day, arrr!

I know what you’re thinking.

Why does that matter? What’s the point? How could this ever be worth covering on Naked Security?

How do you talk like a pirate, anyway?

To answer those questions, I’ll consult the officially self-appointed ITLAPD website:

Why do we need an International Talk Like a Pirate Day?

Make no mistake. We do. But it’s a little hard to articulate why.

So, there is an official reason: not a very good reason, to be sure, and one supported by no explanation at all, but a reason nevertheless.

That’s enough on its own for some people, but there’s actually one genuine reason why you might want to join in, even if your first thought is that it’s an entirely silly concept. [It *is* silly. Ed.]

The reason is this: Talking Like a Pirate is surprisingly popular amongst computer techies. [Really? Are you sure? Ed.]

In other words, with almost no effort, you can probably cheer up the guys in your IT department with a single word, just by letting them know you know.

So, think of it as an extension of Sysadmin Day, when you do something, anything, to put smiles on the dials (that’s not Pirate talk, it’s just rather old-fashioned slang) of your IT staff.

After all, they’ve probably had a tough time of it lately, what with a veritable panoply of updates to deal with.

In the last week or so, they’ve had updates from Microsoft, Adobe, Oracle, and Apple; then updates to Microsoft’s updates; then an emergency “Fix it” for Internet Explorer; and, last night, the latest Firefox fixes.

Give it a try. It’s easy.

Just have a normal conversation, but remember these four alternative phrases, all beginning with A:

  • Instead of “hello,” say: Ahoy!
  • At the end of every statement, pause for a moment (imagine a comma), and then say: Arrr!
  • Instead of “yes,” say: Aye!
  • Instead of “goodbye,” say: Aye, aye!

Silly, indeed, but you might just cheer up the techies in the office, since they so often bear the brunt of everyone’s complaints about the inconvenience of computer security.

Whatever you do, just remember that there’s one Piratical phrase that you should avoid, no matter how humorously you might intend it.

IT staff, even those who Talk Like Pirates all the time, do not want to hear anyone saying, “Beatings will continue until morale improves.”

Not on 19 September, anyway.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-7pWgdF6ytk/

Defending against web-based malware: Spot the smoke, don’t wait for fire

Fire sprinklers and clearly marked escape routes are a great way to save lives in the event of fire. But smoke alarms save both life and property, and they do so at a much earlier stage.

It’s much the same with cyberattacks: malware rarely gets into your network without signs of smoke beforehand.

Learning to spot smoke, and react accordingly, is not only a smart way to protect your physical property, but a handy metaphor for keeping your network safe, too.

As with fire, there are many ways that malware and other threats can get a foothold in an organization.

That’s why bigger companies have IT staff, firewalls, security policies, anti-virus software, and more. But, even with strong defensive mechanisms, a threat only becomes a problem if it has an opportunity, and opportunity often boils down to a user decision.

Malware is designed to be devious: it searches for ways to circumvent a defensive perimeter. And users can be surprisingly good at finding ways around defensive processes, especially if they feel they get in the way of productivity.

Cybercriminals, of course, exploit this propensity with social engineering: actively persuading users to take shortcuts or to indulge in behaviors that get the attacker past the smoke alarms.

Training users to recognize suspicious on-screen behavior is the best security measure that any family or organization can take. It goes far in curtailing inadvertent participation. It goes beyond policies and mechanisms.

That’s because it doesn’t just prevent inadvertent participation, it recognizes a basic tenet of human nature: security policies and mechanisms are sometimes circumvented when faced with individual authority or sympathy.

Many cyberattacks begin when we do everyday things: check email, browse the web, click on a tempting news story, or agree to some sort of update. They are initiated by activity that should not have been approved.

With just a little training and occasional reinforcement, your users will recognize the seductive signs of phishing and malware knocking at the door, from the clumsy and prurient (Check out these hot babes), to the falsely authoritative (You need to update Adobe Flash).

Educated users who are knowledgeable of trends and wary of unexpected behavior become your first line of defense. They feel empowered. They are proud to participate in security and they play a more important role in suppressing threats than policies, procedures and technology.

It’s impossible to cover all of the sneaky ways in which malware circumvents suspicion and gains temporary trust – just enough that it can get in the door. But a few simple examples can give users a defensive edge.

So, show users the suspicious signs. Cultivate their antennae. Remind them of the most common hooks used in social engineering. These hooks play either on one of several deep-seated, natural desires such as health, wealth, sex and status, or (ironically) on a user’s desire to maintain and even to help improve security.

Here are some examples:

  • Trust this brief exception! (Threat poses as important maintenance.)
  • Check this out! (Inducement appears to be from a friend.)
  • Get more friends! (Appeals to sex, money or personal status.)
  • Limited time offer! (Urgency: act fast, or miss out on a bargain.)
  • Enjoy life more! (Who doesn’t want greatly enhanced anatomy?)

The interesting thing about these offers is that they create a seductive path between truth and desire. It’s easy to joke about offers for Viagra – after all, who gets lured into these things? – yet Viagra is one of the best selling drugs in the world. So, the key to persuading family or staff to mitigate threats is not to change human nature.

Instead, get them to recognize the risks and to understand that those risks are mitigated the most when they decide to initiate online activities themselves, rather than to be talked into an action by an invitation from a stranger.

Find your own way

Here are a few ways to make sure you are following your own path to an online web destination, rather than being (mis)guided by an outsider:

1. Enter important URLs directly, or use a bookmark.

If you have an account on a website, and you plan to log in, don’t be lazy and use a search engine to get you there: type the full URL into the address bar, or use a bookmark that you previously created. (Many browsers automatically initiate search queries from the address bar if you enter something that doesn’t look like a URL, so be sure to type thecompany.example, not just thecompany.)

Cybercriminals spend plenty of time and money trying to poison search engines so that their malicious sites supplant legitimate ones at or near the top of search results.

2. Look for the HTTPS padlock.

If you plan to do anything that involves logging in, or viewing or uploading information you wouldn’t want anyone in the world to know about, look for “https” (secure HTTP) in the address bar.

Don’t bother looking for assurances of security and privacy within the actual window, such as pictures of padlocks or mention of cryptographic key lengths. Simply saying something doesn’t make it true.

3. Don’t be influenced by words or images.

It’s common for friends to send links within an email and, personally, I don’t think that it is necessary for organizations to prohibit this sort of email use, or to block links in messages.

But there are some links that we should learn to shun instinctively.

Never use email links to web pages where you have an account, or to any site which requires login. With email, it is difficult to verify the original sender, or to be certain of the integrity of the path between sender and recipient.

Check, and check again

So, when you visit a website where you have an account, follow the advice given in (1) above. When the web page opens, look at the URL again, and follow the advice in (2).

Check that the page is secure (https), and that the domain name is exactly what you expect. Watch out for unfamiliar characters, or a variant of the domain name you are looking for, immediately before the first slash. (E.g. check you are going to bank.example/ and not something like bank.example.198.51.100.12/.)
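The two checks above (https, and the expected domain immediately before the first slash) can be applied mechanically. The following Python snippet is an added example, not code from the Naked Security article: it takes the URL shown in the address bar and the domain you intended to visit, and reports everything that does not match. The function name check_url, the sample URLs and the domain bank.example are constructed for the illustration; it also flags a bare IP address and non-ASCII characters in the host, which the article lists as warning signs.

```python
"""Check that a URL really points at the site you meant to visit (added example)."""
import ipaddress
from urllib.parse import urlsplit


def check_url(url: str, expected_domain: str) -> list:
    """Return a list of problems found; an empty list means the URL passes.

    expected_domain is the domain you intend to visit (constructed example:
    "bank.example"). A host equal to it, or ending in "." + it, is accepted;
    anything else before the first slash is reported.
    """
    problems = []
    parts = urlsplit(url)

    # Step (2) from the article: insist on https, not plain http or no scheme.
    if parts.scheme.lower() != "https":
        problems.append("scheme is %r, not https" % (parts.scheme or "missing"))

    # hostname is lower-cased with any port stripped off.
    host = parts.hostname or ""
    if not host:
        problems.append("no host name in URL")
        return problems

    # Unfamiliar (non-ASCII) characters in the host are a warning sign.
    if not host.isascii():
        problems.append("host %r contains non-ASCII characters" % host)

    # A bare IP address where a domain name is expected is also suspicious.
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address (%s), not a domain name" % host)
        return problems
    except ValueError:
        pass  # not an IP literal, carry on with the domain comparison

    # Step (1)/(3): the text immediately before the first slash must be the
    # expected domain or a subdomain of it, e.g. bank.example.198.51.100.12
    # is NOT accepted because it does not end in ".bank.example".
    expected = expected_domain.lower().rstrip(".")
    h = host.rstrip(".")
    if not (h == expected or h.endswith("." + expected)):
        problems.append("host %r is not %r or a subdomain of it" % (host, expected))

    return problems


if __name__ == "__main__":
    # Constructed sample URLs, as a user might see them in the address bar.
    for sample in (
        "https://bank.example/",
        "https://login.bank.example:443/account",
        "http://bank.example/",
        "https://bank.example.198.51.100.12/",
        "https://198.51.100.12/",
    ):
        print(sample, "->", check_url(sample, "bank.example") or "OK")
```

The subdomain rule is deliberately strict: the expected domain must be the suffix of the host, so a host that merely starts with the expected name is rejected.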

As with all security threats, alert users are the best prophylaxis against infection. If in doubt, leave it out!

Image of smoke alarm with smoke courtesy of Shutterstock.

Image of pointy click-me hands courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UXCJ161Y8dM/

‘Kissing couple’ Trojan sent to slurp fanbois’ data… Syrian Electronic Army fingered


A “low risk” Mac Trojan seemingly linked to the Syrian Electronic Army has surfaced on the web.

The Mac-specific Trojan comes disguised as a picture of a kissing couple. If opened, it creates a back door on compromised Apple computers.


“This appears to be a targeted attack, though the method of delivery is not yet known,” a blog post by Lysa Myers of Mac security specialists Intego explains. “So, while this has been affecting users in the wild, the overall threat level appears to be low.”

The Trojan is an application disguised as a picture file – the .app file-extension is not visible by default. Possible delivery mechanisms include as an attachment to emails or from a compromised website frequented by targets.

If installed, the Trojan opens a back door that phones home to a command-and-control server. This server is currently down.

However, during testing, Intego was able to connect to the C&C server, which collected system information before downloading an image file depicting the eagle-themed coat of arms of the Syrian Electronic Army, a notorious bunch of hacktivists loyal to Bashar Assad’s regime.

The SEA is best known for hijacking the Twitter feeds of Western media organisations using phishing to push propaganda messages, but it has also engaged in website defacement and DNS redirection-style attacks, such as a recent assault against the New York Times website.

Malware attacks, including spyware flung at the computers of human right activists, have long been a feature of the wider Syrian civil war but have not been a tactic favoured by the SEA, at least up till now.

The SEA has yet to comment on the attack one way or another. It would be naive to assume the malware is the work of the hacktivists simply because it includes a logo referring to the SEA and for this and other reasons the authorship of the malware remains unclear. ®

Bootnote

Asked directly whether the SEA had anything to do with creating the trojan, the group denied any involvement. A representative of the prolific hackers told El Reg:

“No, it’s not associated with us.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/19/mac_trojan/

So, Linus Torvalds: Did US spooks demand a backdoor in Linux? ‘Yes’


Linux supremo Linus Torvalds jokingly admitted US spooks approached him to put a backdoor into his open-source operating system.

During a question-and-answer session at the LinuxCon gathering in New Orleans this week, Torvalds and his fellow kernel programmers were asked by moderator Ric Wheeler whether America’s g-men leaned on the Finn to compromise Linux’s security, allowing spies to infiltrate computers.


Torvalds replied with a firm “no” while nodding his head to say yes, a response greeted with laughter from the audience. He quickly followed up by repeating “no” while shaking his head in the negative.

South Korean Red Hat developer Tejun Heo, sitting alongside the kernel boss, quipped: “Not that I can talk about.” A video of the Q&A session is below – the short exchange about US spooks starts at the 24-minute mark.

Rumours of backdoors and other forms of hidden access routes in Microsoft Windows, Linux and security protection products have circulated in infosec circles for years. Fresh revelations from NSA whistleblower Edward Snowden that US and UK intelligence have subverted key technologies have reopened the debate.

These blockbuster claims from Snowden suggest that the NSA can crack TLS/SSL-encrypted connections, the widespread crypto securing HTTPS websites and virtual private networks (VPNs). Spooks can compromise these supposedly secure communications by gaining access to the root certificates and encryption keys, exploiting backdoors in equipment and algorithms, or otherwise allowing the signals boys and girls to run man-in-the-middle attacks on encrypted traffic flowing through the world’s fibre optic cables.

The NSA’s highly classified Bullrun programme relies, at least in part, on collaboration with unnamed technology companies.

Firsthand evidence from a former engineer at Microsoft sheds light on how the feds theoretically go about asking for special favours: Peter Biddle, an ex-Microsoft programmer who worked extensively on BitLocker – the company’s full-disk encryption tool – claimed he was informally approached by g-men to add a backdoor to the product.

But he said he rebuffed the government agencies. The pressure on Biddle came primarily from FBI agents who said they needed a skeleton key, of sorts, to easily break the crypto on suspects’ computers in child-abuse investigations, allowing the locked-up data to be examined.

Meanwhile, Nico Sell, founder of the pro-privacy self-destructing-messages app Wickr, said he was informally approached by an FBI agent about placing a law-enforcement backdoor in his software.

It seems that developers are informally sounded out about the possibility of placing secret access for spooks in their technology before the discussion goes any further on the technical details and requirements. Once a programmer snubs the feds, the g-men back off, it’s believed.

In light of these revelations, worried netizens have become far more paranoid about the possibility of backdoors in the technology they use and this paranoia extends to both closed-source and open-source software.

Earlier this month Torvalds rejected a petition calling for his kernel to turf out an Intel processor instruction called RdRand, which is used in the generation of cryptographically secure random numbers. It was feared Chipzilla had deliberately weakened that operation under the influence of US spooks to produce cryptographically weak values, ones that can be predicted by intelligence agents to smash encryption.

The fiery Finn dismissed the petition as technically clueless.

El Reg reckons his response to a question about backdoors at LinuxCon was intended as a joke – but just because you’re not paranoid that doesn’t mean they aren’t out to get you, after all. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/19/linux_backdoor_intrigue/

It’s New And Shiny. Be Afraid. Be Very Afraid.

Change is hard for everyone. Many appreciate and depend on the routine of their daily cycle. They may complain about the monotony, but they do nothing to change it. And then there are security folks. Monotony is not in our vernacular. I suspect most would give their eyeteeth for some monotony.

Security folks face new challenges every day, most of which remain out of our control. We can’t control what new innovative attack owned our data center. We can’t control the rainmaker that clicks on the wrong thing two or three times a month. We have to accept our place in the system and clean up the mess. For the 2 years we stay in each job, anyway.

What we can control is how we react to everyone else’s fear. And nothing causes fear like new, cool technologies. Take Apple’s new Touch ID fingerprint reader. The mainstream technology product reviewers love it. It makes stronger authentication transparent to the consumer. We’ve always said that until security becomes transparent, it’ll never really be accepted. So this is a good thing, right?

For most folks it is. Yet there are those fear-mongers still operating among us that use unsubstantiated and likely baseless claims to question new technologies. We heard the same stuff a few years ago when the cloud came into vogue. Oh, the cloud is dangerous. They were happy to point out when big cloud providers had availability issues. Conveniently forgetting when your own data center was down due to a faulty firmware upgrade or a rogue backhoe.

And SaaS provided a bunch more fuel for these naysayers. What happens when the SaaS provider gets attacked? It’s like Groundhog Day. Blah fear blah fear blah. It’s the same stuff that was bandied about when every innovation appeared in the market over the past 100 years. They decried the steam engine and the cotton gin. The car was going to crowd the road for all of the horses.

There are folks that just can’t see the benefits of innovation, or choose not to see the benefits. So they hide behind fear of change. They find so-called experts to legitimize their point of view. But here’s the deal, they can’t get in the way of progress.

I was talking about Touch ID, right? How does this relate? Rich referenced a FUD-tastic article on Touch ID (FUD filled vacuum) in this week’s Incite. He made the point that in the absence of verifiable fact, folks will make stuff up to stir up fear of the new.

These folks are worried about the privacy impact to storing your fingerprint on the device. Well the device could be attacked and then attackers would have access to biometric information, right? It turns out they store the fingerprint data on a dedicated spot in a chip on the device, that doesn’t seem to be accessible. But as Rich says, Apple isn’t doing itself any favors by keeping such a tight lid on how Touch ID actually works. Nature abhors a vacuum and an information vacuum is still a vacuum. Without sufficient detail, so called “experts” will just make stuff up.

Now to be clear, I’m not being critical of folks asking tough questions about important security and privacy issues. Lord knows that we (as an industry) have a bad habit of not asking questions until it’s too late (Dropbox privacy anyone?). So the questions need to be asked. I guess when evaluating potential vulnerabilities and threats, we’d all be better off if there wasn’t a rush to judgement. That we’d cause an uprising, only when an uprising is called for.

Yet in the age of monetizing page views and breaking news, I’m probably being a little naive to think that anyone would actually wait for facts to emerge before hypothesizing about what may be. Or what may not be. So you are going to see the good, the bad, the baseless, and the wrong. The onus is on all of us to not react and wait for the facts to emerge. Then to take the appropriate actions based on those facts.

Now I better get back to my link baiting on the Securosis blog. We need to drive some page views…

Mike Rothman is President of Securosis and author of The Pragmatic CSO

Article source: http://www.darkreading.com/vulnerability/its-new-and-shiny-be-afraid-be-very-afra/240161507

Interim Report: Top Cyberthreats

ENISA today presented its list of top cyber threats, as a first “taste” of its interim Threat Landscape 2013 report. The study analyses 50 reports, and identifies an increase in threats to: infrastructure through targeted attacks; mobile devices; and social media identity thefts carried out by cyber-criminals over Cloud services.

Some key trends identified in the study are:

Cyber-criminals are increasingly using advanced methods to implement attack techniques (vectors) that are non-traceable and difficult to take down. Anonymisation technologies and peer-to-peer systems (so-called distributed technologies) play an important role in this. It is clear that mobile technology is increasingly exploited by cyber-criminals. Threats of all kinds that were encountered in the more traditional arena of IT will affect mobile devices and the services available on these platforms.

The wide spread of mobile devices leads to an amplification of abuse based on knowledge/attack methods targeting social media.

The availability of malware and cyber-hacking tools and services, together with digital currencies (e.g. Bitcoins) and anonymous payment services is opening up new avenues for cyber-fraud and criminal activity.

There is a real possibility of large impact events when attacks combining various threats are successfully launched.

As reported by ENISA in its report on major cyber attacks (2013/07/20), cyber-attack is the sixth most important cause of outages in telecommunication infrastructures, and it impacts upon a considerable number of users. Taking into account these incidents, and denial of service threat developments, we observe an increase in infrastructure threats in 2013.

The study identifies the following top threats with major impact since 2012.

Drive-by-exploits: browser-based attacks still remain the most reported threats, and Java remains the most exploited software for this kind of threat.

Code Injection: attacks are notably popular against web site Content Management Systems (CMSs). Due to their wide use, popular CMSs constitute a considerable attack surface that has drawn the attention of cyber-criminals. Cloud service provider networks are increasingly used to host tools for automated attacks.

Botnets, Denial of Services, Rogueware/Scareware, Targeted Attack, Identity Theft and Search Engine Poisoning are the other trending threats.

A full ENISA Threat Landscape 2013 report is due by the end of the year.

The Executive Director of ENISA, Professor Udo Helmbrecht commented: “This short, interim report informs security stakeholders as early as possible about developments in cyber threats, so that they are able to take countermeasures”.

Article source: http://www.darkreading.com/vulnerability/interim-report-top-cyberthreats/240161508

(ISC)2 Announces 2013 U.S. Government Information Security Leadership Award Finalists

Clearwater, FL., U.S.A., September 18, 2013 – (ISC)2 (“ISC-squared”), the world’s largest information security professional body and administrators of the CISSP, today announced the finalists for its 10th annual U.S. Government Information Security Leadership Awards (GISLA) program.

Sponsored by (ISC)2’s U.S. Government Advisory Board for Cyber Security (GABCS), the GISLA program was established in 2004 to spotlight federal information security leaders who are modeling excellence and achieving clear results as they help to build a more secure federal IT infrastructure and a highly qualified and ethical information security workforce. Awards are given to individuals or teams in five categories.

“The accomplishments of this year’s GISLA finalists demonstrate the exceptional skill and commitment to excellence that is required to stay one step ahead in this increasingly complex security environment,” said W. Hord Tipton, CISSP, executive director of (ISC)2 and former CIO of the U.S. Department of the Interior. “It is an honor to have witnessed the evolution of federal security leaders over the past decade and to see how the GISLAs are inspiring each recipient to further their commitment to this very important field.”

The 2013 GISLA finalists are as follows:

Category: Community Awareness

Team led by Chuck Mader, RIAM program manager (acting), U.S. Department of Homeland Security (DHS)/Immigration and Customs Enforcement

Initiative: ICE Social Engineer Training (ISET) at the DHS/Immigration and Customs Enforcement

Team led by Wendy Huskey, CISSP, Security+, FITSI-M, deputy information assurance program manager, HQ Army Materiel Command

Initiative: Task Force Cyber

Category: Federal Contractor

Team led by David Ratnaraj, PMP, program manager, Advanced Information Services Inc.

Initiative: Registration, Compliance, and Verification Legacy Systems Modernization

Darnell Washington, president/CEO, SecureXperts, Inc.

Initiative: Multi-Factor Authentication to Federated Secure Cloud Ecosystems

Category: Process/Policy Improvement

Team led by Roger Seeholzer, CISSP, Network+, A+, Security+, security architect, DHS Headquarters

Initiative: Digital Government Strategy Milestone 9, Promote the Safe and Secure Adoption of New Technologies

Michael Leking, CISM, CISSP, PMP, cyber security advisor, Region I, DHS

Initiative: Cyber Security Advisor Initiative

Category: Technology Improvement

Team led by James Steven, COTR, associate chief information officer, National Information Technology Center (NITC), OCIO, U.S. Department of Agriculture (USDA)

Initiative: USDA NITC Cloud Service Provider FedRAMP Certification

Team led by Lee Kelly, CISSP, acting director, TISS, U.S. Environmental Protection Agency (EPA)

Initiative: CSIRC Program

Category: Workforce Improvement

Major General Earl Matthews, CISSP, director, Cyberspace Operations, U.S. Air Force (USAF)

Initiative: USAF Cyberspace Workforce Development

Each year, a judging committee of senior information security experts from (ISC)2’s GABCS and industry reviews the nominees and recommends finalists based upon selection criteria and eligibility requirements. (ISC)2 officials and sponsors will announce and honor the 2013 GISLA recipients on October 29, 2013, at the Crystal Gateway Marriott in Arlington, Va. Hon. Phillip J. Bond, former under secretary for technology, U.S. Department of Commerce, is confirmed to deliver the keynote speech.

Article source: http://www.darkreading.com/government-vertical/isc2-announces-2013-us-government-inform/240161516

iovation Finds 30 Percent Of Transactions Conducted From Tor Are Fraudulent

PORTLAND, Ore. – September 17, 2013 – iovation, stopping Internet fraud and identifying good online customers with the world’s most comprehensive device reputation database, today announced 30.2 percent of transactions conducted from Tor (the onion router) in August were fraudulent. This compared with an overall fraud rate of 1% for all online transactions in August. The company also announced the general availability of a new capability for its flagship fraud-fighting Reputation Manager 360 service that enables online businesses to expose devices leveraging Tor for transactions.

Tor is a privacy protocol that is intended to help people to browse the Internet anonymously. It does so by redirecting web traffic along hard-to-follow routes and assigning web users a random IP address that can change at any time. This helps to mask users’ true geolocations and the IP addresses of their Internet-connected devices. According to Tor metrics, more than 1.5 million people use Tor every day as of early September 2013, up from 500,000 a day in early August 2013.

“Cybercriminals are always looking for ways to fly under the radar,” said Scott Waddell, Chief Technology Officer at iovation. “While Tor on its surface appears to be for the greater good, it is disproportionately used for fraudulent and abusive transactions. Of note, Tor use more than doubled in August, likely due to a massive botnet leveraging Tor for command and control communications.”

The fraud findings were produced by iovation by analyzing 240 million transactions conducted in August 2013 originating from the 1.5 billion devices it has in its device reputation database. Transactions utilizing Tor were identified by iovation by leveraging technology it developed to correlate transactions to IP addresses that are part of Tor.

The same technology iovation leveraged to measure Tor-related fraud will be generally available to iovation customers starting today. By identifying high-risk devices and transactions specifically using Tor, iovation customers gain an additional level of insight that can have significant uplift in the battle to reduce fraudulent activity.

This new feature is available free of charge for customers of iovation’s ReputationManager 360. The service leverages current and past device behavior intelligence to stop fraud. With this intelligence, iovation stops more than 200,000 fraud attempts daily, proactively identifying devices that are associated with abuse and stopping bad actors before they can strike.

About iovation

iovation protects online businesses and their end users against fraud and abuse through an industry-leading combination of advanced device identification, shared device reputation and real-time risk evaluation. More than 2,300 fraud managers around the globe leverage iovation’s database of Internet devices and the relationships between them to determine the level of risk associated with any type of online transaction. Retail, financial services, insurance, social network, gaming and other companies make real-time queries to iovation’s knowledge base of more than 1.5 billion devices from every country in the world. Clients also leverage iovation’s Fraud Force Community, an exclusive virtual crime-fighting network of the world’s foremost security experts, to share intelligence about cybercrime and prevention techniques. Every day, iovation stops more than 200,000 fraud attempts. For more information, visit www.iovation.com.

Article source: http://www.darkreading.com/attacks-breaches/iovation-finds-30-percent-of-transaction/240161509

Phone and tablet unlocking

US citizens are now one step closer to being able to do (more or less) what they want with their gadgets – at least as far as choosing a wireless carrier goes.

On Thursday, six months after the White House publicly endorsed a citizens’ petition to regain the right to unlock smartphones and tablets so that they can be used on whichever wireless network the owner wishes, the government set the ball rolling with a petition [PDF] to the Federal Communications Commission.

The petition, from the National Telecommunications and Information Administration (NTIA), asks the FCC to amend its rules so as to require carriers to unlock any wireless devices they sell, including smartphones and tablets.

The rationale is both to boost competition in the mobile industry and to give consumers a break.

It reads:


By giving consumers greater freedom to choose among alternative mobile service providers and use wireless devices that they lawfully acquire from others, the proposed rule would both increase competition in the mobile services market and enhance consumer welfare.

In March, the White House had thrown its weight behind some 114,000+ US citizens who signed a petition to make cell phone unlocking legal.

That citizens’ petition was a response to a Library of Congress ruling that took effect in January, which made it illegal for consumers to bypass the software restrictions that keep a phone tied to the wireless network it was originally sold for.

On February 21, two days before the deadline for gathering enough signatures to trigger the administration’s re-examination of an issue, 100,000 annoyed people had signed, demanding that the right be given back.

The NTIA had strongly supported keeping the now-expired exemption to the Digital Millennium Copyright Act (DMCA), whose anti-circumvention provisions otherwise outlaw carrier unlocking, and the White House agreed with it.

As it was, the DMCA, passed in 1998, was originally intended to fight piracy, but its ban on circumventing technical protection measures ended up also criminalizing phone unlocking.

Mind you, that didn’t really stop consumers from unlocking their phones.

From November 2006 up until October 2012, as Forbes’s Elise Ackerman notes, the uptick in smartphone adoption was met by repeated exemptions to the DMCA for unlocking.

That all stopped in 2013, after lobbyists for the carriers argued that unlocking threatened the way they offer wireless devices and services, and would undermine the system of subsidies that allows them to sell phones below list price and make up the difference by having consumers commit to a monthly service contract.

The NTIA, on the other hand, doesn’t think the sky will fall on the mobile industry if unlocking becomes legal again, and it seeks to require carriers to unlock devices at no extra charge.

The petition puts it this way:

As long as a consumer continues to adhere to any existing service agreement – or pays the specified fees or penalties for prematurely terminating that agreement – the unlocking rule’s benefit for consumers does not unduly burden the original providers.

Thanks, NTIA, for pushing forward this consumer rights issue. I, for one, agree with you: it’s hard to see how unlocking could be so pernicious, given that the mobile industry didn’t wither away all those years when it was legal.

What does this have to do with security? As with earlier discussions, unlocking is the sole focus, with no mention of jailbreaking or rooting that I can see.

In 2012, EFF actually asked for – and won – exemptions for jailbreaking or rooting mobile phones to run unapproved software. That didn’t extend to tablets, however.

A petition to make it legal to jailbreak or root tablets expired without meeting its signature threshold around the same time that citizens had petitioned to get their unlocking rights back.

Unlocking is a consumer issue that doesn’t touch the device’s security model. Jailbreaking, by contrast, disables the code-signing checks that keep unapproved software off the phone, and those are the same checks that keep malware off it, which is why some worms only work on jailbroken phones.

So, hurray for the progress of consumer rights in the realm of unlocking.

But don’t forget: once you push past the jail, things can get a little dicey.

Image of unlocked smartphone and smartphone threat courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q6hYadAwFog/