STE WILLIAMS

App Helps Secure Mobile Devices, Reports Security Status To Processor

SALT LAKE CITY, Aug. 28, 2013 /PRNewswire/ — Acquirers and ISOs now have a simple way to check merchants’ mobile processing security: SecurityMetrics MobileScan, an app created for merchants to identify potential security threats and protect devices through scanning and remediation. Through a quick mobile vulnerability scan, the app inspects many issues known to cause mobile insecurity, such as a lack of password policies, Wi-Fi weaknesses, unauthorized peripherals, and known operating system vulnerabilities that may allow cybercriminals access to a merchant’s processing device.


SecurityMetrics MobileScan includes acquirer/ISO access to a Merchant Compliance Console that aggregates mobile device compliance results, tracks when vulnerability scans have run, and reports each merchant’s mobile device scan status.

The app was built on a foundation of Payment Card Industry (PCI) Data Security Standard (DSS) requirements in order to help mobile Point-of-Sale (mPOS) merchants follow PCI mobile payment acceptance security best practices.

“Though convenient, mobile processing increases liability for both merchants and processing parties,” said Wen Free, SecurityMetrics VP of Business Development.

“It’s only a matter of time before hackers target insecure mobile devices for profitable payment card data.”

SecurityMetrics MobileScan, powered by MokiMobility (mokimobility.com), is available today in both Android and iOS app stores. For more information on a MobileScan program for your merchants, or if you’re interested in referral program opportunities, please call 801-995-6860.

About SecurityMetrics (www.securitymetrics.com) SecurityMetrics protects electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security, and as an Approved Scanning Vendor and Qualified Security Assessor, has helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. Among other things, SecurityMetrics offers PCI audits, mobile device vulnerability scanning, penetration testing, and forensic analysis. Founded in October 2000, SecurityMetrics is a privately held company headquartered in Orem, Utah, USA.

Article source: http://www.darkreading.com/mobile/app-helps-secure-mobile-devices-reports/240160556

Small Business Authority’s Survey Shows Overwhelming Majority of Independent Business Owners Believe Their Website Is Secure

NEW YORK, Aug. 28, 2013 /PRNewswire/ — Newtek Business Services, NASDAQ: NEWT, The Small Business Authority, with a portfolio of over 100,000 business accounts, announced today the findings of its SB Authority Market Sentiment Survey, a monthly window into the concerns of independent business owners. Based on a poll of over 2,700 respondents, one of the key findings from the August survey is 86% of business owners feel that their current website is secure.

Additionally, of those polled, 41% believe their website is the prime revenue driver for their business.

The full August 2013 results showed the following:

Poll Question                                                  Poll Answer  2013 Percentage
Do you feel that your current website is secure?               Yes          86%
                                                               No           14%
Is your website the prime revenue driver for your business?    Yes          41%
                                                               No           59%

Barry Sloane, Chairman, President and CEO of The Small Business Authority commented, “We value the responses our clients give us regarding their needs, concerns and business sensitivities. We do believe that our independent business owners are not very concerned about cyber-security, even though they should be.

Ironically, they do value their internet presence as an extremely important aspect of their business but seem to have a casual attitude regarding the secure nature of their content and data.”

About Newtek Business Services, Inc.

Newtek Business Services, The Small Business Authority, provides the following products and services:

— Newtek Advantage(TM): Mobile real-time operating platform for business intelligence. The Newtek Advantage(TM) puts all critical business transactions in real-time. Access data on your smartphone, tablet, laptop or PC as it relates to eCommerce for credit/debit transactions, website statistics, payroll, insurance and business loans.

— Electronic Payment Processing: eCommerce, electronic solutions to accept non-cash payments, including credit and debit cards, check conversion, remote deposit capture, ACH processing, and electronic gift and loyalty card programs.

— Managed Technology Solutions (Cloud Computing): Full-service web host, which offers eCommerce solutions, shared and dedicated web hosting and related services including domain registration and online shopping cart tools.

— eCommerce: A suite of services that enable small businesses to get up and running on-line quickly and cost effectively, with integrated web design, payment processing and shopping cart services.

— Business Lending: Broad array of lending products including SBA 7(a) and SBA 504 loans through our lending subsidiary, Newtek Small Business Finance, Inc.

— Insurance Services: Commercial and personal lines of insurance, including health and employee benefits in all 50 states, working with over 40 insurance carriers.

— Web Services: Customized web design and development services.

— Data Backup, Storage and Retrieval: Fast, secure, off-site data backup, storage and retrieval designed to meet the specific regulatory and compliance needs of any business.

— Accounts Receivable Financing: Receivable purchasing and financing services.

— Payroll: Complete payroll management and processing services.

The Small Business Authority is a registered trade mark of Newtek Business Services, Inc., and neither is a part of or endorsed by the U.S. Small Business Administration.

Newtek Business Services, Inc., The Small Business Authority, is a direct distributor of a wide range of business services and financial products to the small- and medium-sized business market under the Newtek(TM) brand. Since 1999, Newtek has helped small- and medium-sized business owners realize their potential by providing them with the essential tools needed to manage and grow their businesses and to compete effectively in today’s marketplace. Newtek provides its services to over 100,000 business accounts and has positioned the Newtek(TM) brand as a one-stop-shop provider of such business services.

According to the U.S. Small Business Administration, there are over 27.5 million small businesses in the United States, which in total represent 99.7% of all employer firms.

Article source: http://www.darkreading.com/small-business-authoritys-survey-shows-o/240160557

StrikeForce Technologies Inc.’s GuardedID Keystroke Encryption Patent Granted

Edison, NJ (August 28th, 2013) – StrikeForce Technologies, Inc. (SFOR.OB), a company that specializes in Cyber Security for the prevention of Data Breaches, announced today that it has received an official Notice of Allowance from the United States Patent Office stating that their patent application “Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser” has been allowed and will issue as a patent.

“We are extremely excited about getting the patent for our GuardedID Anti-Keylogging Keystroke Encryption technology,” says Mark L. Kay, CEO of StrikeForce. “GuardedID is in a league of its own. It proactively encrypts each and every keystroke typed on a keyboard. One thing that all security experts can agree on is that the use of encryption is the best way to protect your data,” says Kay, “and until GuardedID, there wasn’t any way to encrypt data at the point of origin, when typed on a keyboard including our Cryptocolor user visualization feature.”

Prior to GuardedID, consumers and organizations relied on anti-virus software to keep them safe, but as the world has seen, anti-virus software is no match for today’s sophisticated hackers armed with zero-day threats. The growth in cybercrime is a staggering eye opener. In a CNBC article which was published on August 14th, 2013 titled, “The Threat from cybercrime? You ain’t see nothing yet,” it was cited that cybercrime is now estimated at a staggering $400 billion annual market and continually increasing. It was noted that a large portion of those annual losses were due to the lack of a real-time anti-keylogging solution.

“The timing of this patent couldn’t be more perfect for StrikeForce,” says Kay. “In addition to the almost six million people that have downloaded our keystroke encryption technology over the last several years, this patent enables us to expand on our current patent litigation strategy.”

About StrikeForce:

StrikeForce Technologies helps to prevent cyber security online. Its products help protect consumers and their families while banking and shopping online, and businesses in “real time” against data loss and breaches. StrikeForce Technologies, Inc. (SFOR.OB) is headquartered in Edison, N.J., and can be reached at www.strikeforcetech.com or by phone at (732) 661-9641 or toll-free at (866) 787-4542.

Article source: http://www.darkreading.com/authentication/strikeforce-technologies-incs-guardedid/240160565

Syrian Electronic Army Strikes Again In ‘Modern-Day Defacement’

The Syrian Electronic Army (SEA)’s hijacking late yesterday of the Internet domains of The New York Times, two Twitter services, and The Huffington Post’s UK site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the political hacktivist group’s modus operandi and mission were much more simple and straightforward.

It all started with a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which hosts The New York Times, Twitter, The Huffington Post, and other sites. But despite the SEA basically acquiring keys to the kingdom with potential access to Melbourne IT’s other high-profile domain customers, such as Google.com, Microsoft.com, Yahoo.com, Cisco.com, and Adobe.com, the hacktivists merely concentrated on controlling the domains of The New York Times, Twitter’s twimg.com image service and t.co URL-shortening service, and huffingtonpost.co.uk.

“There were tons of other domains [registered with Melbourne IT] that were a much better target. And they didn’t have a ‘lock’ in place — like mcafee.com, symantec.com, and cisco.com,” says HD Moore, chief research officer at Rapid7 and creator of Metasploit, who has been tracking the attacks. “They were really focused … The hack was really clunky, the redirects didn’t work for very long.”

What remains unclear is just what restrictions, if any, were in place for the compromised domain reseller to modify other domains under Melbourne IT’s purview, Moore says.

Moore says The New York Times’ email and other domains also were exposed in the attack, but it doesn’t appear the attackers went after them. “Any of the companies who did not have a lock in place would have been potentially vulnerable to unauthorized changes to their DNS servers, which, in turn, could allow incoming email to be stolen, which can also lead to rogue SSL certificates being created in their name via domain name validation,” he says.

A Cisco spokesperson says the company’s CSIRT team is working on locking down cisco.com with a registry lock.

Employing a so-called registry lock, a measure that Melbourne IT is now recommending for its high-profile customers, would have deflected the attack. A registry lock prevents any modification of the domain name or its contact information by the registrar, or by any other registrar, until the lock is lifted at the registry. Moore in his research found that twitter.com did, indeed, have such a lock in place, which saved the social network from massive disruption, but others did not.

In the past 16 hours, Moore found that the huffingtonpost.com, mapquest.com, patch.com, starbucks.com, techcrunch.com, tweetdeck.com, twimg.com, and vine.co domains, as well as others, all had applied the lock feature. Twitter’s t.co URL-shortening service that was hit by the attack has now been moved to a different registrar, he says.

There’s no evidence the SEA altered any of the exposed domains, he says, but it would have been possible with the access they gained in the hack. “Things could have been much worse,” Moore says.

Among the domains hosted by Melbourne IT that have not been locked down as of this posting are adobe.com, barnesandnoble.com, bbandt.com, cisco.com, ibm.com, mcafee.com, norton.com, prnewsire.com, symantec.com, tweetdeck.com, and vmware.com, according to Moore’s data.

“For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain registries including .com – some of the domain names targeted on the reseller account had these lock features active and were thus not affected,” Melbourne IT said in a statement to its customers that was included in a blog post by Matthew Prince, co-founder and CEO of CloudFlare, a Web infrastructure and security company. “The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne’s IT systems. The DNS records of several domain names on that reseller account were changed — including nytimes.com.”

Melbourne IT had not responded to requests for comment as of this posting. Several reports quote the registrar as confirming that the attack came from a spearphishing email sent to one of its resellers.

CloudFlare’s Prince also recommends using a registry lock on domains. “There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically. If you run a whois query against your domain, you can see if you have a registry lock in place if it includes three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited,” Prince said in his post.
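The following script is an added example, not code from the article, CloudFlare, Melbourne IT or Rapid7. It implements the check Prince describes: a registry lock is present when the WHOIS record carries all three server-side EPP status codes (serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited). Registrar-set client* codes are reported separately because a compromised registrar or reseller account, as in this attack, can clear them. The name server comparison goes a step beyond the article and answers Moore's advice to keep confirming that you still control your domains. The WHOIS texts are constructed samples, not real records, and `check_live_domain` assumes a `whois` command is installed.

```python
"""Check a WHOIS response for a registry lock and for name server drift.

Added example (not from the article). Sample WHOIS texts are constructed.
"""
import re
import subprocess

# The three server-side EPP codes that together indicate a registry lock.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})

# Constructed sample: a domain that has a registry lock.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE-LOCKED.COM
Name Server: NS2.EXAMPLE-LOCKED.COM
"""

# Constructed sample: only registrar-level (client*) codes, so no registry lock,
# and one name server that the owner never configured.
UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE-OPEN.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-OPEN.COM
Name Server: NS1.UNEXPECTED.EXAMPLE
"""

_STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
_NS_RE = re.compile(r"^\s*Name\s+Servers?:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """EPP status codes found in the response, e.g. {'serverUpdateProhibited', ...}."""
    return set(_STATUS_RE.findall(whois_text))


def parse_nameservers(whois_text):
    """Name servers found in the response, lower-cased for comparison."""
    return {ns.lower().rstrip(".") for ns in _NS_RE.findall(whois_text)}


def registry_lock_report(whois_text, expected_nameservers=None):
    """Summarise lock state and, optionally, name server drift for one record."""
    statuses = parse_statuses(whois_text)
    nameservers = parse_nameservers(whois_text)
    expected = {ns.lower().rstrip(".") for ns in (expected_nameservers or ())}
    missing_lock = REGISTRY_LOCK_STATUSES - statuses
    return {
        "locked": not missing_lock,
        "missing_lock_statuses": sorted(missing_lock),
        "client_only_statuses": sorted(s for s in statuses if s.lower().startswith("client")),
        "nameservers": sorted(nameservers),
        # Servers in WHOIS that you did not configure: the signal that the
        # domain has been pointed elsewhere, as happened to nytimes.com.
        "unexpected_nameservers": sorted(nameservers - expected) if expected else [],
        "missing_nameservers": sorted(expected - nameservers) if expected else [],
    }


def check_live_domain(domain, expected_nameservers=None):
    """Run the system `whois` client (assumed to be installed) and report on the output."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=True).stdout
    return registry_lock_report(out, expected_nameservers)


if __name__ == "__main__":
    for label, text in (("locked", LOCKED_WHOIS), ("unlocked", UNLOCKED_WHOIS)):
        print(label, registry_lock_report(text))
```

Run it on a schedule against your own domains with the name servers you expect, and alert on `locked` being false or on any entry in `unexpected_nameservers`; WHOIS output formats vary by registry, so the two regular expressions may need adjusting for TLDs other than .com.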

The trade-off of employing a registry lock is that it makes automatic renewal more complicated. “There is more administrative overhead,” says David Ulevitch, CEO at OpenDNS. “It can be super-effective, and it can also be a pain. The trade-off is flexibility … that’s the nature of security.”

Malware Mystery
Meanwhile, the malware component of the attack still has security researchers baffled. The New York Times’ URL was redirected to a malware-poisoned site, which was up and down during the attack.

The fact that the SEA incorporated a malware redirect is “significant,” says Andre DiMino, a security researcher with DeepEnd Research. “If their sole purpose was to deface and get their message out, yet they are still piggybacking malware redirection to monetize [their attack], that’s a significant development.”

DiMino says without knowing what the malware is or does, it’s difficult to determine what this twist to the attack means.

It’s not clear why the malware was involved, Rapid7’s Moore says. It could have been in place to set up a longer-term attack, he says, but given how short the malware site was up and running, it wouldn’t have made much of an impact.

“From 3 p.m. and on, the website only loaded once or twice,” Moore observed.

The one sure thing is that the end user continues to be the weakest link, and phishing remains the tried-and-true method of snaring victims. “You can have all the technical controls, patching, and pen test your networks to death. But just a simple email that looks really great allows access to the network,” DeepEnd Research’s DiMino says.

Know Your Registrar
The SEA’s attacks were a vivid reminder of the delicate trust relationship with a domain registrar, one that is often forgotten until it’s time to renew the domain registration. The way the attackers breached The New York Times and the others via Melbourne IT and gained control of its registry records is a supply chain wake-up call, experts say.

“It makes it all the more compelling for companies today — to understand and secure the digital linkages they’re making with their partners, suppliers, social networks, and content vendors, as in this particular case. The application layer remains an easy target that hackers exploit to retrieve the company’s most sensitive data, financial information, and records,” says Bala Venkat, chief marketing officer for Cenzic.

Rapid7’s Moore recommends keeping tabs on your domains and regularly confirming that you “still own them.”

[From the Washington Post and CNN to the Twitter feeds of the Associated Press and Reuters, hacktivists have news outlets — and their social-media presence — in their crosshairs. See How Hacktivists Have Targeted Major Media Outlets.]

The relatively good news was that the SEA, which supports Syrian president Bashar al-Assad, kept to its hacktivist roots. “They were brilliant and stupid at the same time,” OpenDNS’s Ulevitch says, noting how the redirected URLs struggled to remain online. A worst-case scenario would have been that they would have used their attack to embed a zero-day Flash exploit via Twitter and amassed a 10 million-host botnet, he says.

“It was high-profile, certainly — they got a lot of publicity for it,” Ulevitch says. “But there aren’t a lot of IT admins cleaning up today because 10 million computers were infected by a botnet.”

“This was more of a modern-day defacement than a real intrusion,” Rapid7’s Moore says.

Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.

Article source: http://www.darkreading.com/attacks-breaches/syrian-electronic-army-strikes-again-in/240160551

Struggling With Attack Detection And Analysis

Enterprises are increasingly finding it harder to detect attacks in a timely fashion or quickly determine the scope of attacks when they are discovered. A new survey out this week shows that while the majority of organizations seem confident in their ability to quickly analyze and respond to security alerts, many have a hard time finding attacks in real-time or even being sure they’ve experienced an attack.

Conducted among 250 decision-makers worldwide, the Bit9 survey showed that 62 percent of organizations analyze and respond to security alerts. However, more than a fifth of organizations reported their ability to protect endpoints and servers from emerging threats that have no signature to be deficient or non-existent. Nearly the same number of organizations reported the same deficiency in their ability to determine in real-time how many systems are infected by a file discovered to be malicious.

Furthermore, 55 percent of organizations reported that they either couldn’t discover zero-day attacks or only could find them by accident during routine maintenance or if a user contacts help desk due to abnormal system behavior.

[Are you missing the downsides of big data security analysis? See 3 Inconvenient Truths About Big Data In Security Analysis.]

Perhaps most telling of all, though, is that a full 13 percent of decision makers reported that they didn’t know whether they’d experienced an attack in the past year.

“That was a big surprise. I would expect that number to be a single digit and a low single digit at that,” says Nick Levay, CSO of Bit9. “A lot of organizations don’t necessarily do a good job of keeping track of metrics related to security events. I have a feeling that inadequate tracking of some of that stuff results in senior decision makers not necessarily having an accurate view of what kinds of security events are occurring in the network.”

It’s a trend corroborated by many experts operating within the security space, who explain that organizations are not able to keep up with advanced attacks due to poor visibility across isolated systems.

“Many companies have infected machines and don’t even know it, highlighting the advanced nature of certain malware,” says Vann Abernethy, senior product manager at NSFOCUS. “Some very advanced malware variants can move laterally within an organization to avoid detection, then go dormant for a long time, communicate back to its command and control using encryption, or turn off common anti-virus and anti-malware.”

Abernethy explains that organizations need to be able to augment existing security defenses with better forensics, so that security teams are looking closely at system behavior through “daily forensic inspection and data analysis.”

Most organizations today don’t focus enough on that kind of analysis, instead overly relying on alerting and prevention tools, says Jason Mical, vice president of cyber security for AccessData.

“These products only catch what you tell them to look for,” he says. “At this point, organizations need to increase their visibility into what’s happening in their enterprises and focus on eliminating those cyber security blind spots.”

In order to do that, more security organizations have to streamline their cybersecurity infrastructure, Mical says.

This means finding ways to better enable real-time collaboration across different infosec teams and potentially considering ways to consolidate disparate analysis tools into a platform-based technology approach.

“Right now, most organizations still have disparate teams, each using several disparate tools. They have to correlate all the critical data manually,” he says. “It causes dangerous delays in validating suspected threats or responding to known threats.”


Article source: http://www.darkreading.com/attacks-breaches/struggling-with-attack-detection-and-ana/240160568

Rumored iOS Fingerprint Sensor Would Boost Mobile Security

Movies tend to paint fingerprint sensors as high-security devices used only to protect military installations–devices whose security, however, can easily be circumvented by the crafty protagonist.

With the hyperactive Apple rumor mill predicting a fingerprint sensor in a future iPhone, the biometric technology could finally get the boost it needs to become widely adopted. The sensors, if delivered with Apple’s typical panache, would likely raise the overall security of smartphones by making a common level of protection widely available, says Chace Hatcher, CEO of Diamond Fortress Technologies, a Birmingham, Ala., startup focusing on allowing the rear-facing camera to act as a fingerprint sensor.

“If Apple releases a fingerprint sensor, it will give a boost to the whole concept of the mobile wallet and having good security on the phone,” he says.

Biometric security in general, and fingerprint sensors in particular, have had a hard time cracking the consumer code. While such technologies promise easier authentication with greater security than typical passwords, a variety of problems have plagued implementations. While promising convenience, false negatives–where the user’s biometric is not recognized–have been common. In addition, security issues with such a key authentication technology can cause problems: Last year, security firm Elcomsoft found that the widely-used UPEK fingerprint sensors stored users’ passwords in poorly obfuscated plain text in the Windows registry, essentially breaking the Windows security model.

Yet, Apple’s purchase of biometric technology firm AuthenTec in 2012 may mean that change is coming. Late last year, Apple was granted patents on using biometric technology on the iPhone in a two-step unlock process similar to the current method that allows users to unlock their phones via a personal identification number, or PIN.

[A new security startup is building an authentication model with what it describes as a “human” approach that doesn’t use biometrics, passwords or passcodes. See Startup To Offer ‘Human’ Authentication.]

While Apple’s patent filings show that the iPhone could work with any biometric–fingerprint and facial recognition are shown–fingerprints tend to be the most reliable, says Jamie Cowper, senior director of business development for authentication provider Nok Nok Labs.

“Fingerprint sensors–they are better today than voice and face,” Cowper says. “They are harder to spoof. It is always possible on a one-to-one basis, but not at scale.”

Securely implemented biometric authentication would only use the biometric–whether a fingerprint, a facial image or a voice recording–to unlock credentials in a local vault on the device that would then be used for authentication. No biometric data–or data derived from a biometric, such as a hash–would be communicated over the Internet. In many ways, the model is similar to a password vault, such as LastPass or 1Password, where a single strong password protects access to many other strong passwords.

Yet, the real test will be how easy the technology is to use. Any technology that does not improve the user experience will fail, says Troy Vennon, director of the Mobile Threat Center at Juniper Networks.

“If you put a technology in front of the access to the device, in front of people’s ability to complete their work, it better work, or they are going to go around it,” Vennon says.

Six out of every ten people do not have a PIN on their phone because it makes the device slower to use, according to Frost & Sullivan, a research firm. Yet, if e-commerce providers and banks begin recommending that users enable their fingerprint sensors, the technology could take off, the analyst firm stated earlier this month.

Meanwhile, passwords–and the reliance on users to choose good passwords–continue to pose serious security issues for both online providers and the users themselves. While a fingerprint sensor will not protect a smartphone from the most common threats–being lost or stolen–it will better secure online transactions than using a common 4-digit PIN code.

“In the end, I think it is a foregone conclusion that fingerprint biometrics will replace passwords and PINs,” Diamond Fortress’s Hatcher says. “I think biometrics is going to make those mechanisms go the way of the dodo.”


Article source: http://www.darkreading.com/mobile/rumored-ios-fingerprint-sensor-would-boo/240160570

Four Tips For Spotting The Kelihos Botnet Infection

Despite concerted attempts to bring it down, the Kelihos botnet is alive and well and infecting devices all over the Web, according to a new report. The good news is that it’s not too hard to spot.

In a blog posted Tuesday, Zscaler researcher Chris Mannon offers an analysis of the latest iterations of Kelihos, and four tipoffs that indicate its infection.

“Firstly, the use of P2P [peer to peer] style communication via SMTP [Simple Mail Transfer Protocol] raised an eyebrow,” Mannon says.

“Secondly, we observed the overt way the botnet installs several packet capturing utilities and services,” the blog states. “This is done so that the infection can monitor ports 21, 25, and 110 for username and password information.”

Third, the botnet attempts to categorize its new victim by using legitimate services to gather intelligence, Mannon says. In one instance, “the malicious file actually queried the victim’s IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos,” the blog says. “These services primarily exist to notify users of abuse seen on the site or IP address. Kelihos is using it to determine if the new victim is already seen as malicious or not.

“A final point to make about this threat is that it makes no attempt to hide exactly how loud it is regarding network activity,” Mannon says. “We noted a spike in TCP traffic across a distinct 563 IP addresses in the span of two minutes. Network administrators should take extra care in monitoring users with anomalous levels of traffic. A single node giving off so much traffic to different services in such a small window” could indicate that an end user is infected, he writes.
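The script below is an added example, not code from Zscaler or the article. It turns two of Mannon's tipoffs into detection logic over flow records: a single node reaching an anomalous number of distinct addresses within a two-minute window (the article's 563-address spike), and peer-to-peer chatter over SMTP (TCP 25) from a host that is not a known mail server. The flow records are constructed sample data, and the two thresholds are assumptions to tune against your own baseline of normal fan-out.

```python
"""Flag hosts with anomalous outbound fan-out in flow logs.

Added example (not from the Zscaler blog). Flow records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # the article's two-minute observation window
FANOUT_THRESHOLD = 50           # distinct destinations per source in WINDOW (assumed)
SMTP_PEER_THRESHOLD = 10        # distinct port-25 peers for a non-mail host (assumed)


def build_sample_flows():
    """Constructed flow records: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    base = datetime(2013, 8, 27, 15, 0, 0)
    flows = []
    # Benign workstation: eight web destinations spread over about nine minutes.
    for i in range(8):
        ts = (base + timedelta(seconds=70 * i)).isoformat()
        flows.append(f"{ts} 10.0.0.5 203.0.113.{i + 1} 443")
    # Infected node: 80 distinct peers in 80 seconds, a quarter of them on port 25.
    for i in range(80):
        ts = (base + timedelta(seconds=i)).isoformat()
        port = 25 if i % 4 == 0 else 80
        flows.append(f"{ts} 10.0.0.23 198.51.100.{i + 1} {port}")
    return flows


def parse_flow(line):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_fanout(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Peak count of distinct destinations any source reached inside `window`,
    returned only for sources at or above `threshold`."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f[0])
    recent = defaultdict(deque)                    # src -> (ts, dst) inside window
    live = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits inside window
    peak = defaultdict(int)
    for ts, src, dst, _port in flows:
        queue, counts = recent[src], live[src]
        queue.append((ts, dst))
        counts[dst] += 1
        # Slide the window: drop flows older than `window` relative to this one.
        while queue and ts - queue[0][0] > window:
            _old_ts, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        peak[src] = max(peak[src], len(counts))
    return {src: n for src, n in peak.items() if n >= threshold}


def detect_smtp_peers(lines, threshold=SMTP_PEER_THRESHOLD, mail_servers=frozenset()):
    """Sources (other than known mail servers) talking to many distinct port-25 peers."""
    peers = defaultdict(set)
    for _ts, src, dst, port in (parse_flow(line) for line in lines):
        if port == 25 and src not in mail_servers:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("fan-out alerts:", detect_fanout(sample))
    print("SMTP peer alerts:", detect_smtp_peers(sample))
```

Feed `detect_fanout` and `detect_smtp_peers` with records exported from your flow collector in the same four-field shape; pass your legitimate relays in `mail_servers` so that outbound mail from the real MTA does not trip the SMTP check.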


Article source: http://www.darkreading.com/vulnerability/four-tips-for-spotting-the-kelihos-botne/240160583

Pinterest And StumbleUpon patch critical flaws that could have exposed over 100 million users’ email addresses

Pinterest and StumbleUpon have patched critical vulnerabilities in their services that could have enabled an attacker to discover users’ email addresses.

The flaws, discovered by security researcher Dan Melamed, were quite simple to exploit and could have been employed to build a huge list of email addresses which would have been extremely valuable to someone looking to profit from the service. As Melamed put it:

With Pinterest surpassing over 70 million users and given the amount of high profile figures and brands that are using the site, such a flaw could have spelled disaster in the hands of a blackhat. A hacker could have setup a bot to retrieve all of the email addresses from a list of users for spam or malicious purposes.

Melamed discovered that changing a small part of a specific URL to a user’s ID or username would allow him to return a page that displayed their email address.

He gave an example URL on his blog which demonstrated how it would return the email address for the user ‘pinterest’:

[Image: example URL demonstrating the Pinterest flaw]

This flaw works with any user on Pinterest. It works with either a username or a user id. And it works with any access token. A solution to this problem, is to check the owner of the access token against the user whose information is being requested.
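The following is an added example, not Pinterest's or StumbleUpon's code. It models the flaw as Melamed describes it, a profile endpoint that accepts any valid access token and returns the email address of whichever user is named in the request, by numeric id or by username, beside the fix he proposes, comparing the token's owner with the requested user. The user and token tables are constructed in-memory stand-ins for the real service.

```python
"""Vulnerable versus hardened profile lookup (missing ownership check).

Added example (not the service's code). User and token tables are constructed.
"""

# Constructed user table (the real service would query a database).
USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com"},
    2: {"id": 2, "username": "bob", "email": "bob@example.com"},
}

# Constructed access tokens: token -> id of the user it was issued to.
TOKENS = {
    "tok-alice-123": 1,
    "tok-bob-456": 2,
}


class AuthError(Exception):
    """Raised when a request must be refused (invalid token or not the owner)."""


def _authenticate(token):
    """Return the owner id for a valid token, else raise."""
    try:
        return TOKENS[token]
    except KeyError:
        raise AuthError("invalid access token") from None


def _resolve_user(identifier):
    """Look a user up by numeric id ('1') or by username ('alice'); None if absent."""
    identifier = str(identifier)
    if identifier.isdigit():
        return USERS.get(int(identifier))
    return next((u for u in USERS.values() if u["username"] == identifier), None)


def get_email_vulnerable(token, identifier):
    """The flawed pattern: the token proves that *someone* is logged in, nothing more,
    so any caller can read any user's private field."""
    _authenticate(token)
    user = _resolve_user(identifier)
    if user is None:
        raise AuthError("not found")
    return user["email"]


def get_email_fixed(token, identifier):
    """The fix: private fields are released only to the user the token belongs to.
    A missing user and a foreign user get the same refusal, so the endpoint
    cannot be used to confirm which identifiers exist."""
    owner_id = _authenticate(token)
    user = _resolve_user(identifier)
    if user is None or user["id"] != owner_id:
        raise AuthError("not found")
    return user["email"]


def attempt(handler, token, identifier):
    """Exercise a handler and report ('ok', email) or ('denied', reason)."""
    try:
        return ("ok", handler(token, identifier))
    except AuthError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    for handler in (get_email_vulnerable, get_email_fixed):
        print(handler.__name__, attempt(handler, "tok-bob-456", "alice"))
```

The authorization decision lives in the handler that serves the data, not in the token check: a valid token only establishes who the caller is, and every lookup of a private field must still compare that identity with the record being requested.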

He also posted a video as a proof of concept:

Melamed shared his discovery with the Pinterest security team who he said responded quickly to protect users’ privacy.

Pinterest also recognised him in its Heroes of Pinterest list and gave him permission to share his findings with the security community.

The security researcher had an altogether different experience with StumbleUpon, a site that caters to some 30 million users. He discovered a similar flaw that allowed him to view the name, age, gender, location and email address of any of its users but was unable to gain permission to reveal the exploit.

An email from Barry Conway, StumbleUpon Community Advocate said,

“As far as I understand it, the team deployed a fix for the specific issue which you so kindly reported to us, and they were – as you might imagine – conducting a code review to make sure that nothing similar had been released into the wild.

“We do understand that you’d like to publish, and in that respect we hope that you appreciate that we are not in a position to actively ‘give you permission’ to do so, nor officially support this move. I imagine we’re not alone in preferring to take a ‘no comment’ stance on the subject of security (and other aspects of how our system works!)”

While it is good to see that StumbleUpon have patched the flaw that was identified, I’m still somewhat disappointed by its “no comment” stance. Dan Melamed has done StumbleUpon a great service and I believe the site could have benefited from being more receptive to the security community in this instance.

As Melamed himself said, “Combining both the Pinterest and StumbleUpon flaw would have allowed a hacker to collect over 100 million email addresses.”

I, for one, am glad that a security researcher was the first person to discover this and that he shared the details in a responsible manner.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ydJxKRariuI/

SSCC 115 – XP "as a giant 0-day", choosing and remembering passwords, and next

News, opinion, advice and research: Chet and Duck (Chester Wisniewski and Paul Ducklin) bring you their unique and entertaining combination of all four in their regular quarter-hour programme.

By the way, you can keep up with all our podcasts via RSS or iTunes, and catch up on previous Chet Chats by browsing our podcast archive.

Listen to this episode (27 August 2013, duration 16’06”, size 9.7MB): Sophos Security Chet Chat #115 (MP3)


Don’t forget: for a regular Chet Chat fix, follow us via RSS or on iTunes.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PYSFVshqoU0/

Syrian Electronic Army brings down Twitter and The New York Times through domain name provider hack

Slightly more than a week after the Syrian Electronic Army (SEA) redirected readers of Time, CNN and The Washington Post through its hack of Outbrain, the group continued its online assault of Western media companies by taking down social media giant Twitter and “newspaper of record” The New York Times.

The methods are unknown, but some basic detective work suggests they are continuing their previous work of using phishing to compromise trusted third parties of major brands, rather than attacking the targets directly.

Both The New York Times and Twitter purchase their internet domain names from a company called Melbourne IT Ltd, which does business as Internet Names Worldwide.

This appears to be the source of the trouble.

The first signs of trouble for The New York Times appeared at about 2013-08-27T12:00-4 (noon on the US East Coast).

The name server records for Internet Names Worldwide were redirected to M.SEA.SY, MOD.SEA.SY and SEA.SY, servers under the control of the Syrian Electronic Army.


This did not impact most internet users immediately, however, as DNS records for high traffic sites are commonly cached for extended periods of time – in the case of the Times, just short of 23 hours.
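A defender watching for exactly this kind of change needs two things from a delegation check: whether the name servers a resolver returns are still the ones the registrant expects, and, from the TTL, how long already-cached answers will keep being served. The script below is an added example written for this article, not code from Sophos, Melbourne IT or the sites involved. It parses dig-style NS answer lines (the answer shown is constructed; the SEA host names come from the article, the TTL is chosen to match the roughly 23-hour cache lifetime the article mentions) and compares them with an assumed expected set.

```python
"""
Added example (not from the article): flag a hijacked delegation by comparing
returned NS records against the expected set, and estimate how long stale
answers survive in resolver caches from the TTL.
"""
from datetime import datetime, timedelta, timezone

# Expected name servers for the zone being watched. This set is an assumption;
# a real deployment would load it from the registrar account or change control.
EXPECTED_NS = {"ns1.example-registrar.net.", "ns2.example-registrar.net."}

# Constructed answer section in the layout `dig NS example.com` prints:
# owner, TTL, class, type, rdata. The SEA host names are those named in the
# article; the 82800-second TTL (23 hours) is constructed.
CONSTRUCTED_ANSWER = """\
;; ANSWER SECTION:
example.com.        82800   IN  NS  m.sea.sy.
example.com.        82800   IN  NS  mod.sea.sy.
example.com.        82800   IN  NS  sea.sy.
"""

# Constructed observation time used by sample_check().
SAMPLE_OBSERVED_AT = datetime(2013, 8, 27, 16, 0, tzinfo=timezone.utc)


def parse_ns_answer(text):
    """Parse dig-style NS answer lines into (ttl, nameserver) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "NS":
            continue
        records.append((int(fields[1]), fields[4].lower()))
    return records


def unexpected_nameservers(records, expected=EXPECTED_NS):
    """Sorted list of NS names that are not part of the expected delegation."""
    allowed = {e.lower() for e in expected}
    return sorted({ns for _, ns in records if ns not in allowed})


def cache_expiry(records, observed_at):
    """Latest moment a resolver that cached these records would still serve them."""
    if not records:
        return observed_at
    return observed_at + timedelta(seconds=max(ttl for ttl, _ in records))


def check_delegation(text, observed_at, expected=EXPECTED_NS):
    """Summarise one observation: hijacked?, which rogue NS, stale until when."""
    records = parse_ns_answer(text)
    rogue = unexpected_nameservers(records, expected)
    return {
        "hijacked": bool(rogue),
        "rogue_ns": rogue,
        "stale_until": cache_expiry(records, observed_at),
    }


def sample_check():
    """Run the check against the constructed answer at the constructed time."""
    return check_delegation(CONSTRUCTED_ANSWER, SAMPLE_OBSERVED_AT)


if __name__ == "__main__":
    result = sample_check()
    print("hijacked:", result["hijacked"])
    print("rogue name servers:", ", ".join(result["rogue_ns"]))
    print("cached answers may persist until:", result["stale_until"].isoformat())
```

The `stale_until` value is the part worth acting on: even after the registrar restores the correct records, resolvers that cached the rogue delegation keep handing it out until that TTL runs down, which is the delay the article describes for the Times.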

If we dig a little deeper, we see the IP address of the new name server, 141.105.64.37, which is owned by an ISP in Moscow, Russia.


This ISP hosts both the SEA’s website as well as other controversial sites like Qatar Leaks.

Just a short while later Twitter started experiencing the same issues. Twitter’s records at Internet Names Worldwide were altered in a similar way to those at The Times.

It looks as though the hack was meant merely to divert visitors to the SEA’s own site, but (in a fit of almost-amusing irony) produced enough redirected traffic that the SEA effectively DoSed itself, and the site went down.

These incidents demonstrate a sad truth: Security is hard.

Media organizations are well aware of the previous antics of the Syrian Electronic Army and have worked hard to raise their game.

Employees at these companies have been trained to watch out for phishing attacks and be more suspicious of requests for information.

While these reactions are appropriate, they are not enough. You are only as strong as your weakest link, which in this case appears to be an external internet service provider.

Understanding all of the bits and pieces your organization relies on to do its work is only the first step in assessing your “hackability”.

I hear from many IT professionals at conferences, seminars and customer engagements that their management wants to know that they are “secure”. The answer they want is an answer you really shouldn’t give.

You can reduce your risk, though.

These incidents can help raise awareness among your employees about phishing attacks and demonstrate the real risks of being tricked.

Use it as a reminder to everyone about proper authentication practices at your organization.

You should also work with your service providers to find out what they are doing to protect your organization against attacks on their infrastructure.

Note: As of 2013-08-27T23:25Z, Twitter’s Indian domain name (twitter.co.in) is still under the control of the Syrian Electronic Army. It is advisable to use twitter.com until Twitter regains control.

Image of a house-lock courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GeyGcZqSiqc/