Oops, Secure Credit Card Chips Defeated →
Ars Technica's Megan Geuss reports the apparent defeat of security technologies associated with so-called 'secure chip-and-pin' credit cards. Today's Must Read.
Ars Technica's Megan Geuss reports the apparent defeat of security technologies associated with so-called 'secure chip-and-pin' credit cards. Today's Must Read.
Apparently, Google Inc.'s (NasdaqGS: GOOG) and Amazon.com Inc.'s (NasdaqGS: AMZN) App stores anti-fraud mitigation activities let a bad actor's apps through the guantlet... In this case, a hijack app, that apparently stole cycles from the devices it was installed on, to mine for BitCoin. Luckily the United States Federal Trade Commission and the Office of the New Jersey Attorney General stepped-up-to-the-plate, eh Sergey?
The FTC and the Office of the New Jersey Attorney General took action against two software app developers, Equiliv Investments and Ryan Ramminger, alleging their mobile app, called “Prized,” hijacked people’s phones to mine for virtual currencies. Users thought they could earn prizes by playing games and taking surveys through the app. But the FTC alleges the app had malware that sapped the phone’s computing power, made phones run slower, drained battery life, and used up data plans – all so the developers could secretly make money mining virtual currencies. - via the FTC
The Internet Crime Complaint Center (IC3) has published a warning focusing on Law Enforcement Officers (and other LEO personnel including family members). The warning explicitly states Law Enforcement Officers, personnel and public officials are at an increased risk of cyber related attacks, due to attacks committed by so-called Hactiviists; primarily focused at this time on the act of DOXING, see the etymology of Doxing here). The full text of IC3 Alert Number I-042115-PSA appears below:
Summary
Law enforcement personnel and public officials may be at an increased risk of cyber attacks. These attacks can be precipitated by someone scanning networks or opening infected emails containing malicious attachments or links. Hacking collectives are effective at leveraging open source, publicly available information identifying officers, their employers, and their families. With this in mind, officers and public officials should be aware of their online presence and exposure. For example, posting images wearing uniforms displaying name tags or listing their police department on social media sites can increase an officer's risk of being targeted or attacked.
Many legitimate online posts are linked directly to personal social media accounts. Law enforcement personnel and public officials need to maintain an enhanced awareness of the content they post and how it may reflect on themselves, their family, their employer or how it could be used against them in court or during online attacks.
Threat
The act of compiling and posting an individual's personal information without permission is known as doxing. The personal information gathered from social media and other Web sites could include home addresses, phone numbers, email addresses, passwords and any other information used to target an individual during a cyber attack. The information is then posted on information sharing Web sites with details suggesting why the individual should be targeted.
Recent activity suggests family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity. Targeted information may include personally identifiable information and public information and pictures from social media Web sites.
Another dangerous attack often used by criminals is known as “swatting.” This involves calling law enforcement authorities to report a hostage situation or other critical incident at the victim's residence, when there is no emergency situation.
Defense
While eliminating your exposure in the current digital age is nearly impossible, law enforcement and public officials can take steps to minimize their risk in the event they are targeted.
Turn on all privacy settings on social media sites and refrain from posting pictures showing your affiliation to law enforcement.
Be aware of your security settings on your home computers and wireless networks.
Limit your personal postings on media sites and carefully consider comments.
Restrict your driver license and vehicle registration information with the Department of Motor Vehicles.
Request real estate and personal property records be restricted from online searches with your specific county.
Routinely update hardware and software applications, including antivirus.
Pay close attention to all work and personal emails, especially those containing attachments or links to other Web sites. These suspicious or phishing emails may contain infected attachments or links.
Routinely conduct online searches of your name to identify what public information is already available.
Enable additional email security measures to include two factor authentication on your personal email accounts. This is a security feature offered by many email providers. The feature will cause a text message to be sent to your mobile device prior to accessing your email account.
Closely monitor your credit and banking activity for fraudulent activity.
Passwords should be changed regularly. It is recommended to use a password phrase of 15 characters or more. Example of a password phrase: Thisisthemonthofseptember,2014.
Be aware of pretext or suspicious phone calls or emails from people phishing for information or pretending to know you. Social engineering is a skill often used to trick you into divulging confidential information and continues to be an extremely effective method for criminals.
Advise family members to turn on security settings on ALL social media accounts. Family member associations are public information and family members can become online targets of opportunity.
via TrendMicros' TrendLabs Threat Response Engineer Anthony Joe Melgarejo, cryptographic extortion enabled ransomware appears to be enlarging it's genre attack footprint based on first quarter 2015 statistics. Read the bad news here.
News, via Ars Technica's inimitable Dan Goodin, detailing the FireEye discovery of remnant iOS application FREAK HTTPS vulnerabilities, regardless of host device patching.
'Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.' - via Ars Technica's Dan Goodin
via Pete Herzog at ISECOM; for more information, visit HackerHighschool.
In a typically fascinating post, over at TrendLabs, written by Lambert Sun, Brooks Hong (Mobile Threat Analysts) and Feike Hacquebord (Senior Threat Researcher), we learn of a recently discovered iOS espionage tool. Ladies and Gentlemen, Girls and Boys, behold, the money quote:
"We found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_ XAGENT.B). After analysis, we concluded that both are applications related to SEDNIT. The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is live." - via TrendMicro's TrendLabs blog authors Lambert Sun, Brooks Hong and Feike Hacquebord.
Ah, news outlets are reporting evidence release by the United States Department of Justice's Federal Bureau of Investigation; in this case detailing DPRK complicit activity in the now infamous SONY hack...
Information is Beautiful has created a diagrammatical tour de force, carving the litany of questionable security competence within the compromised companies, onto like-minded information security architects, engineers and researchers.
Read it and weep my friends...
Marc Rogers' take on the SONY [NYSE: SNE] incursions, with a step-by-step rebuttal of the ostensible involvement of the Government of North Korea. Mr. Roger's argument - bolstered by the opinions of other, highly respected security professionals - is hardly surprising, yet satisfying in it's diametric view of the Federal Bureau of Investigation's examination of the matter...
The United States Federal Bureau of Investigation has just issued an update to the Bureaus' ongoing investigation into the SONY [NYSE: SNE] breach, and the miscreants that committed the crime. The gist: North Korea has been implicated in the crime.
Outstanding screed, penned by Nicholas White, writing at The Kernel, details the apparent Gentrification of Cybercrime. Who'd A Thought... An electronic Thomas Crown, eh wot?
{with apologies to the Blandings...}
Brian Krebs illustrates a proliferation of legal businesses with nefarious polar-opposites as the lead-in to the main topic of that day's posting: An online service that will thoroughly deplete a targeted competitor's advertising budgets. While interesting in-and-of-itself, the topical post contains a sub-plot of existential interest. Curious? Read On.
The fascinating content of Mr. Krebs well-researched and concise post is not the miscreant service he describes in superb detail, but the notion of business/anti-business constructs [a la Matter/Antimatter, if you will...].
With the application of scrutiny (whether cursory or in-depth), researchers can locate exact, crime-laden copies of nearly every legit business or activity existing in the under-belly of our beloved Interweb. This behavior exactly matches the physical world, as the nature of the two opposing antagonists will expand to fill any empty space, vis-à-vis the concept of horror vacui.
via Michael Riley, writing at Bloomberg Businessweek, comes the sordid tale, with film-noir-like building-blocks, of miscreant Russian nationals targeting the NASDAQ stock exchange, the kicker? They succeeded...
Word, of the resurrection of the Gameover Zeus Botnet has made the news... Yes, notwithstanding the original take-down, the botnet under the bot herders' command and control facility has arisen, as plagues always do.
Evidence of extortion racketeering bubbles up through the flotsam of crime targeting tech sector entities , worldwide. Bad tidings, yet hardly surprising.