5 million Gmail passwords leaked


Do you have a Gmail account? This may interest you! A Russian cybersecurity forum has published a file containing more than 5 million Gmail accounts.

According to several experts, more than 60% of the username and password combinations were valid. However, Google says that the information is “outdated”, that is, these accounts have been suspended or the users no longer access them.

In a statement, Google said that it has no evidence that its systems have been compromised, but explains that “whenever we become aware that accounts may have been compromised, we take steps to help those users secure their accounts.”

The file published mainly contains British, Spanish and Russian accounts. If you want to know whether your account is on the list of those affected, you can do so here.

Panda Security recommends you increase the security of your passwords and use two-step verification of your Gmail account.

More | How to increase the privacy of your Gmail account

The post 5 million Gmail passwords leaked appeared first on MediaCenter Panda Security.

Facebook tag – fears over “Faceprints” after genetic match

A young man who got an email from Facebook ‘identifying’ him via Facebook tag in a series of photographs which turned out to be his mother as a young woman, says that the “oddly compelling” incident “opens the door to larger and more difficult questions,” according to a report in The Verge.

Specifically, the incident raises questions over what else Facebook’s algorithms can do.

Clearly in this case, they made an error, Fred Benenson, a data scientist at KickStarter, says, but the inadvertent ‘tagging’ shows off that the algorithm currently in use on Facebook to ‘tag’ photos can, in theory at least, trace people’s families via genetic traits translated into their faces.

“What about the cases where this algorithm isn’t used for fun photo tagging?” Benenson said to The Verge via email.

Facebook tag: What can this technology do?

“What if another false positive leads to someone being implicated for something they didn’t do? Facebook is a publicly traded company that uses petabytes of our personal data as their business model — data that we offer to them, but at what cost?”

NEC’s Neoface biometric software is already being used by police forces in the U.S. and the UK to identify people from video footage, as reported by We Live Security.

Facebook’s photo tagging is currently only used within the site, and is an option the user can control. The site has refused to say how they might use this data in future.

Facebook’s faceprints are already controversial. When Facebook extended the reach of its ‘faceprints’ so it could identify people via profile photos, as well as those they were tagged in, the ‘feature’ was banned in Europe.

Controversial technology

Senator Al Franken said in a press release, “How many Faceprints does Facebook have?” “Presumably, this would lead to a significant expansion of Facebook’s faceprint database. It would also likely capture some of Facebook’s least active users—those who are visible in their public profile photo but are not tagged in any other photos. These people are often less active users who may not be aware of Facebook’s privacy changes. I urge Facebook to reconsider this change.”

Facebook has already extended the ‘reach’ of tagging, by allowing brands to reach into people’s news feeds by ‘tagging’ other brands or celebrities, according to Marketing Land, and thus reaching the news feeds of people who did not opt to follow them.

Benenson’s case shows off, The Verge says, the power of such algorithms to identify people by family affiliation, race, and even regardless of age: if someone has posted a picture on Facebook, the site will be able to identify them years later.

Facebook’s current face-matching algorithm is limited in scope, at least compared to an algorithm unveiled as part of one of the networking giant’s AI research projects.

Deepface was one of these – and can match two previously unseen photos of the same face with 97.25% accuracy – humans can do the same with around 97.5% accuracy, a difference which TechCrunch describes as “pretty much on par”.

Deepface: The alarming ‘next step’

It’s a huge leap forward in the technology, which some see as having potentially alarming implications for privacy.

Although Deepface is a research project, and unrelated to the technology used on the site, it “closes the vast majority of the performance gap” with human beings according to the Facebook researchers behind it (PDF research paper here), and can recognize people regardless of the orientation of their face, lighting conditions and image quality.

Publications such as Stuff magazine describe the technology as “creepy”, saying that were it implemented “in the wild” it should make site users “think twice” about posting images such as “selfies.”

Deepface uses deep learning to leap ahead of current technology – an area of AI which uses networks of simulated brain cells to ‘recognize’ patterns in large datasets, according to MIT’s Technology Review.

 

The post Facebook tag – fears over “Faceprints” after genetic match appeared first on We Live Security.

Salesforce software – millions of users at risk of Dyre malware

A strain of malware which previously targeted banks has turned its attention to users of the popular Customer Relationship Management (CRM) software Salesforce, used by 100,000 organizations and millions of subscribers, according to SC Magazine’s report.

Dyre, detected by ESET software as Win32/Battdil.A, is believed to be an entirely new strain of malware, and has in the past targeted users of large banks, siphoning data from machines to steal logins, with additional features allowing it to bypass some two-factor authentication systems.

Salesforce software posted a warning on its site this month saying, “Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”

Dyre has previously targeted Bank of America and Citigroup customers, as well as a number of British banks such as NatWest. It is thought to be delivered as a “service” to criminal customers: on sale to the highest bidder.

Salesforce software: Under threat from hi-tech malware

The Register says of the remote-access Trojan (RAT), “Once it’s installed on a Windows PC, usually via a phishing attack, the software nasty then looks out for data sent from web browsers – even SSL-encrypted data – and siphons it off to its masters.”

It’s unclear why Salesforce software users are being targeted. SC Magazine speculates that the switch may be due to a specific order from a “customer”.

The magazine points out that while the company does not publish specific customer numbers of its Salesforce software, it’s estimated that 160,000 organizations and around five million subscribers use the cloud software.

Dyre: New strain of malware on sale to highest bidder

Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to, but sufficiently distinct from, the Zeus malware. The news that it is targeting Salesforce software users is an entirely new “use” for the malware.

Dyre was initially designed to target certain banks in particular – Bank of America, CitiGroup, NatWest, RBS and Ulsterbank. It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.

The phishing campaign first used to spread the malware worked by asking users to download a zip file that claimed to contain invoices or federal tax information. Dropbox quickly removed the links from its system, but the hackers switched to Cubby, a similar service, to continue their campaign.

The post Salesforce software – millions of users at risk of Dyre malware appeared first on We Live Security.

Google Releases Security Update for Chrome

Original release date: September 10, 2014

Google has released Chrome 37.0.2062.120 for Windows, Mac and Linux. This update addresses multiple vulnerabilities, one of which could potentially allow an attacker to cause a denial of service.

US-CERT encourages users and administrators to review the Google Chrome release blog and apply the necessary updates.



Five million Gmail credentials posted online

[Updated to clarify that the Gmail account passwords exposed were not necessarily those for your Gmail account.]

According to reports that started to appear on Reddit and other forums on September 9, some five million account credentials were published that have a Gmail address as the user name. For example, if you subscribed to a newsletter on the finegardenz.com site using [email protected] as your user name and the password thumbsup, then it is possible this may have been made public. How? Possibly finegardenz.com was hacked at some point in the past.

The site where the data was published referred to itself as Bitcoin Security and the language of the site that published the email addresses with matching passwords is Russian.

Some people who reviewed the data said that in most cases, the passwords were five years old and did not allow access to their accounts. However, apparently some were still current and reports of attempts to use the credentials have been seen. The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.

A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site — Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.

The Russian site CNews was the first to publish a story about the credentials and connected them to other recent leaks such as the one affecting Yandex, a popular search engine in Russia. Later TheDailyDot published a screenshot of leaked credentials belonging to Spanish, English and Russian speakers.

Representatives from Google and Yandex issued assurances that their systems had not been compromised, but as mentioned above, the keys had been stolen by phishing campaigns and unauthorized access to user accounts (in other words, not leaked by the system for which the credentials were created, but by users of those systems).

Obviously, Gmail account credentials themselves are of great value, given that they provide access to so many Google services, such as Google+ and Google Maps. Access to those two services alone could potentially reveal your home address and allow a stranger to see who your friends are. The lesson here is that if you use a Gmail address as a user name at some site or online service, you should NOT use your Gmail password with that. Remember: different passwords for different sites/services.

For safety’s sake, I just went and changed my Gmail password and I suggest you consider doing the same, even though it is a real pain. I already have two-factor authentication enabled on my Google account and recommend you do this for Google and other accounts that support it. Here is a handy list for some popular services that offer 2FA:

If you want to implement two-factor authentication for access to your website, there are a number of options available, including ESA, which you can learn about here.

I hope this information helps. I also hope we see some arrests of the criminals who keep exposing other people’s private information: doing so is illegal in most countries and a total jerk move wherever you live. (I recently wrote about the need to pressure governments to act against cyber criminals.)

Big hat tip to Sabrina Pagnotta of ESET LATAM office for her early reporting and research on this news.

 

The post Five million Gmail credentials posted online appeared first on We Live Security.

MH17 plane crash victims exploited by cold-hearted scammers

When Malaysia Airlines Flight 17 (MH17) was shot down in Ukrainian airspace in July of this year, the world was understandably shocked.

The news of a civilian passenger flight from Amsterdam to Kuala Lumpur being possibly downed by a surface-to-air missile was horrifying enough, but coming just months after the loss of another Malaysian Airlines flight (MH370) in mysterious circumstances made the headlines seem even harder to believe.

As we have previously documented on We Live Security, the earlier lost aircraft has been the subject of various scams including a fraudulent message that spread on Facebook claiming it had been found, a fake video of the supposed rescue of its passengers, as well as claims that hackers had stolen secret classified documents held by Malaysian government officials.

Now, it appears, the cold-hearted scammers are exploiting the tragic events that befell MH17 over Ukraine too.

MH17 email scam

Part of the spammed out message reads as follows:

I am a German Solicitor resident in Germany. I was the personal Attorney to Mr.Foo Ming Lee, a national of Malaysia who used to work with a contruction company here in Germany.

Mr.Foo Ming Lee 52 years old made a fixed deposit of funds valued at Nineteen Million Euros with a Bank here in Europe and unfortunately lost his life in the Malaysia Airlines Flight MH 17 from Amsterdam to Kuala Lumpur that was shot down by pro-Russian separatists on 17 July 2014, killing all 283 passengers and 15 crew on board as you can see on the following link: http://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17

To the best of my knowledge as his personal attorney, Mr.Foo Ming Lee has no living beneficiary or next of kin therefore, I want you to reply me immediately after reading this email so that, I can prepare the necessary legal documents and present you to the bank as the only surviving relative to Mr.Foo Ming Lee and instruct the bank to wire the deposit funds Nineteen Million Euros into your provided account.

Yes, it’s “yet another 419 scam”.

Also commonly known as “Letters from Nigeria” or “Advanced Fee Fraud”, the scams typically involve the promise of a vast fortune – but sooner or later (once you have begun to be sucked in and lost all wariness) you will be told that you need to advance an amount of money for logistical reasons, or share sensitive information such as your passport or banking details.

You might not fall for a scam like this, but unfortunately there are plenty of vulnerable people out there who do. And it only requires one person to fall for the scam for it to be worthwhile to the fraudsters, who have typically spammed it out to thousands.

But what makes this scam particularly sick is that it uses the name of a genuine victim of the MH17 tragedy.

As media reports confirm, Foo Ming Lee, who lived in Geneva and was a sales and marketing chief for a Japanese tobacco company, was indeed a passenger on MH17 and was amongst the 43 Malaysians who perished in the downing of MH17 over Ukraine.

It’s clear that whoever is behind this scam has scooped up the name of a victim from media reports, and exploited it in an attempt to defraud the unwary.

After all, anyone who was dubious about the unsolicited message might Google some of the details in an attempt to check whether any elements of it are true.

Yes, the plane crash happened on the date the scam claims, and Mr Foo Ming Lee was amongst the victims.

What is not true, however, is the claim that he had no next of kin. Another news report confirms that his widow, son and daughter laid his ashes to rest at Nirwana Memorial Park on August 24th.

If scammers had any conscience, they wouldn’t compound the misery of those who have been left bereaved and heartbroken by using the names of victims and details of horrendous accidents and tragedies in their money-making plots.

But the sad truth is that the scammers and fraudsters don’t have any conscience, and are prepared to do anything if it might net them a rich reward.

Hat-tip: Thanks to ESET researcher Pierre-Marc Bureau for bringing this scam to my attention.

The post MH17 plane crash victims exploited by cold-hearted scammers appeared first on We Live Security.