What businesses can learn about cybersecurity from season one of Mr. Robot

Season one of last summer’s hit new TV show, Mr. Robot, was filled with interesting and, for the most part, accurately portrayed hacks. The hacks were carried out by the show’s main character Elliot and hacker group fsociety. Their goal throughout the season was to take down the multi-national conglomerate, E Corp.


Image via: USA Network @whoismrrobot

Although the hacks on the show were rather complex and to a certain extent elaborate, there are a few things SMBs can learn from them.

3 reasons to never use fingerprint locks on phones

Fingerprint locks (Touch ID on iPhones, for example) may be easy to use, but they are far from perfect. After reviewing the risks, you may want to go back to PINs and passwords.

We officially have a password problem. The average user in 2015 had at least 90 online accounts, according to Dashlane, maker of a popular password manager. In the UK the number was 118; in the US, a whopping 130. Even more troubling, we store far too many login details on our phones and tablets (I am certainly guilty of this), meaning anyone with access to our phones can also access our accounts.

Fingerprint locks—Touch ID for iPhone users—promised to be our salvation. They are easy to use and depend on characteristics unique to each of us. We are also always attached to our digits, so they cannot be stolen or forgotten. And dactylogram complexity supposedly makes our prints nearly impossible to crack.

The reality, however, is rather different. Of the various reasons to not use fingerprint locks, for me, three stand out:

#1 People can hack your fingerprints (and scanners)

We leave fingerprints behind everywhere we go: on doorknobs, on railings, on cups and glasses, on keypads, on screens, even in photographs. So there are plenty of places an attacker can harvest this supposedly uncrackable password.

The Chaos Computer Club demonstrated this as far back as 2008. To protest a German interior minister's push for biometric identity documents, the club lifted his fingerprint from a drinking glass and published it on a film that anyone could press onto a scanner. In 2013, days after the iPhone 5s launched, it used a latex copy of a print to unlock Touch ID, and in 2014 a club member recreated another minister's fingerprint from ordinary press photographs. Since then the approach has been repeated with Play-Doh and Elmer's glue, showing just how easy it is becoming to recreate physical prints.

Worse yet, fingerprints can also be attacked in software. At the 2015 Black Hat conference in Las Vegas, two researchers demonstrated several attacks on the fingerprint implementations of Android phones. They built an app that mimicked the phone's lock screen, so that a victim "unlocking" the phone was actually approving a financial transaction. They pre-loaded an attacker's fingerprint into the phone's template store, giving the attacker permanent access. They found handsets that stored the scanned fingerprint image as an unencrypted, world-readable file, from which the print could simply be copied. And they hooked the scanner itself, letting them grab a fingerprint image every time a finger was used.

#2 You can change a password, but not a fingerprint

This is so basic it is often overlooked. When my email account was hacked several years ago, I changed the password and the problem went away. But if someone steals my fingerprint, they have it for good. Think about what that means. Fingerprints are forever: once the bad guys have them, they can keep using them or sell them on to other bad guys. This is particularly disturbing when you consider how many government organizations collect fingerprints, and the growing number of private firms that use them for authentication.

#3 Police don’t need your permission to unlock a phone with biometrics

It is also important to remember that we are not always in control of our own hands. All someone has to do to unlock your phone is press your finger against the sensor.

This has already been allowed in the US, where a judge granted a search warrant letting police officers in Glendale, California, unlock a suspect's phone with the suspect's fingerprint. The reasoning is that a fingerprint is "physical evidence," akin to a physical key, which can be collected as evidence or demanded by court order. Fingerprints are also readily available because they are routinely collected as part of basic police and legal procedures. And because a fingerprint is physical rather than "testimony," it is not protected by the Fifth Amendment's clause against self-incrimination.

Not so passwords and PIN codes. Forcing a person to reveal something "in their mind" is testimonial, and compelling it is therefore prohibited. Large tech companies (including AVG) make a similar argument about corporate information. In its fight with the FBI, which ended in a largely unresolved standstill, over access to the phone used by one of the San Bernardino attackers, Apple argued that the FBI was trying to force Apple to speak, and to speak against its own interests, something that should not be allowed. The FBI dropped the case after paying a third party to break into the phone. While rent-a-hacker proved effective, it also proved rather expensive, and for the time being most cases are unlikely to warrant such an investment.

Still, it is within the realm of possibility that law enforcement agencies could force or coerce manufacturers to include back doors in devices for harvesting prints through fingerprint locks.

Final note on fingerprints and security

Of course I don't expect people to give up fingerprint locks. They are just too convenient. Right or wrong, however, the power of government to collect and store information on our digital selves is soaring. The FBI's Integrated Automated Fingerprint Identification System includes tens of millions of prints unrelated to criminal activity, collected from military personnel, government workers, and other innocents. And government files are not always secure: the 2015 data breach at the US Office of Personnel Management included 5.6 million fingerprints, meaning fingerprints have become one more thing that can be stolen and used to violate our privacy, in this case for a very long time.

Reselling Business and Home User Information

It is important to protect businesses against the threats that lurk online. The threats may seem innocent at first, but usually those are the ones that cause the most damage. Reselling your hard drive, for example, may seem like a simple task, but it could actually open the door for cybercriminals.

A recent investigation found that, of 200 hard drives bought on second-hand sites such as eBay and Craigslist, more than two-thirds still contained highly sensitive information from the previous owner, and a good number (11%) held private business data.

Among the gems the investigators were able to recover from the drives were Social Security numbers, CVs, corporate emails (9%), CRM records (1%) and spreadsheets with projected sales or inventories (5%). Imagine what an ill-intentioned hacker could do with that lot of private information.

Formatting: The Bare Minimum

The scariest part of it all is that most owners believed their hard drives had been wiped clean before they put them up for sale. More than a third of the devices (36%) showed signs that the owner had tried to clear them, either by emptying the Recycling Bin (which is really just another folder) or by pressing the delete key.


None of these deletion methods is effective at removing data from a hard drive. Deleting a file, or emptying the Recycling Bin, only removes the file system's pointer to it; the sectors that held the data stay on disk until something else happens to overwrite them, and with readily available recovery tools it is quite easy to get that data back. A quick format is not much better: it rewrites the file system's metadata and leaves the data sectors in place. Only overwriting every sector (with a wiping tool, or with a full format on recent versions of Windows, which writes zeros across the whole disk) actually destroys the information, and on an SSD even that is unreliable because wear levelling can leave copies in blocks the operating system cannot address, so the drive's built-in secure erase should be used instead. Nevertheless, there is only one way to be completely certain the hard drive's contents are gone: destroy it.

If you plan on recycling, reusing or reselling your machines, merely "attempting" to delete their contents is not an option. In the majority of the tested hard drives, the owners did not even take the first step toward security: only 10% had gone through any erasure process, such as formatting in several passes.
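The following added example (written for this page, not code from Panda Security or the investigation it describes) shows the point above on a toy disk image: a minimal file system in which, as on real disks, deleting a file and quick-formatting only touch the directory table, so a buyer who ignores that table and scans the raw sectors still finds the data; only overwriting every sector removes it. The "HR record" written to the image is constructed sample data, and the block layout, the `ToyDisk` class and the `carve` helper are this example's own simplifications, not any real file system's format.

```python
"""Why delete and quick format leave data on disk, and why overwriting removes it."""
import os
import re
import tempfile

BLOCK = 512      # bytes per block
NBLOCKS = 64     # image size: 32 KiB
DIR_BLOCK = 0    # block 0 holds the directory table


class ToyDisk:
    """Minimal file system: block 0 is a directory table of 'name:start:length'
    records, the remaining blocks hold file data. Deleting a file only removes
    its directory record, which is what rm or emptying the Recycle Bin does."""

    def __init__(self, path):
        self.path = path
        with open(path, "wb") as f:          # brand-new, all-zero disk image
            f.write(b"\0" * (BLOCK * NBLOCKS))
        self.next_free = 1                   # first data block

    def _read_dir(self):
        with open(self.path, "rb") as f:
            raw = f.read(BLOCK).rstrip(b"\0").decode()
        entries = {}
        for rec in filter(None, raw.split("\n")):
            name, start, length = rec.split(":")
            entries[name] = (int(start), int(length))
        return entries

    def _write_dir(self, entries):
        raw = "\n".join(f"{n}:{s}:{l}" for n, (s, l) in entries.items()).encode()
        with open(self.path, "r+b") as f:
            f.seek(DIR_BLOCK * BLOCK)
            f.write(raw.ljust(BLOCK, b"\0"))

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK)     # ceiling division
        if self.next_free + nblocks > NBLOCKS:
            raise OSError("disk full")
        with open(self.path, "r+b") as f:
            f.seek(self.next_free * BLOCK)
            f.write(data)
        entries = self._read_dir()
        entries[name] = (self.next_free, len(data))
        self._write_dir(entries)
        self.next_free += nblocks

    def list_files(self):
        return sorted(self._read_dir())

    def delete_file(self, name):
        entries = self._read_dir()
        del entries[name]
        self._write_dir(entries)             # data blocks are not touched

    def quick_format(self):
        self._write_dir({})                  # only the metadata block is cleared
        self.next_free = 1

    def secure_wipe(self):
        """Overwrite every block (single zero pass), then force it to disk."""
        with open(self.path, "r+b") as f:
            f.seek(0)
            for _ in range(NBLOCKS):
                f.write(b"\0" * BLOCK)
            f.flush()
            os.fsync(f.fileno())
        self.next_free = 1


def carve(path, pattern=rb"\d{3}-\d{2}-\d{4}"):
    """What a buyer with a hex editor or recovery tool does: ignore the directory
    table and scan the raw data blocks for recognisable records (here, US SSNs)."""
    with open(path, "rb") as f:
        f.seek(BLOCK)                        # skip the metadata block
        raw = f.read()
    return [m.decode() for m in re.findall(pattern, raw)]


def demo(workdir=None):
    """Run the delete / quick-format / wipe sequence and report what carving finds."""
    path = os.path.join(workdir or tempfile.mkdtemp(), "disk.img")
    disk = ToyDisk(path)
    # Constructed sample record for the demo; not a real person or SSN.
    disk.write_file("hr.csv", b"name,ssn\nJane Doe,123-45-6789\n")
    results = {}
    disk.delete_file("hr.csv")
    results["after_delete"] = carve(path)
    disk.quick_format()
    results["after_quick_format"] = carve(path)
    disk.secure_wipe()
    results["after_wipe"] = carve(path)
    results["visible_files"] = disk.list_files()   # empty the whole time after delete
    return results


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step:20} {found}")
```

Running it shows the SSN carved out of the raw blocks after both the delete and the quick format, and nothing after the overwrite. A single overwrite pass is enough for magnetic drives; for SSDs, as noted above, use the drive's own secure-erase command rather than host-side overwriting, since wear levelling can leave data in blocks the overwrite never reaches.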

The post Reselling Business and Home User Information appeared first on Panda Security Mediacenter.