Category Archives: Antivirus Vendors

Antivirus Vendors

Microsoft Office 365 service module offers MSPs the best of both worlds

Life for a managed services provider (MSP) is seldom straightforward. Support staff in the service center have long had to juggle between screens as they log in and out of numerous applications from different vendors in the course of their day-to-day remote management operations. Over the years advances in technology have created ever more diverse technical environments for them to manage. Nowadays it’s commonplace for customers to have a mix of traditional on-premise IT along with mobile devices and the latest cloud-based applications. The number of management screens just keeps on multiplying – all the while pushing up the time and costs of administration.

The Microsoft® Office 365™ cloud-based collaboration, communications and productivity software platform is a good example.  Its combination of Exchange e-mail, SharePoint online, Lync VoIP and conferencing online, web hosting via SharePoint and the Office Web Apps has proved extremely popular with businesses of all sizes. Indeed Microsoft’s own executives have described it as the fastest growing business in its history. Little surprise, then, that it has also gained a strong channel following with more than 60 percent of top MSPs seeking to wrap their services around one of the market’s current best sellers.

Yet managing this along with a multitude of other applications is no picnic.  Our MSP partners have been telling us that they would like a more convenient way to administer hybrid physical and online environments so that they can add value for customers with the Office 365 cloud platform.  In view of the large numbers of MSPs using Office 365, developing a solution to help our customers support and obtain recurring revenue streams from supporting Office 365 with ease and simplicity has been a priority.

The Microsoft Office 365 service module for AVG Managed Workplace®, just released, goes some way towards addressing this issue. It allows our channel partners to provide management services such as user password resets and mailbox policies – which Microsoft typically will not do – via a single screen through AVG Managed Workplace. In fact the module allows MSPs to remotely perform five of the most popular management tasks. Apart from the two already mentioned, you can also set license expiration alerts, receive service-down notifications and manage users without using Windows PowerShell®. Other administrative tasks can be accessed without any additional logins.

Allowing administrators to view all the essential information they need about cloud-based and on-premise applications together within the same screen in this way gives IT services providers the best of both worlds. In so doing it neatly solves the problem of multiple logins for partners and helps them to run their operations more efficiently.

Our simplification of Office 365 management for services providers is a clear demonstration of our commitment to our channel partners. We will continue to add modules to AVG Managed Workplace that allow IT service providers to reap productivity benefits and deliver long-term value to their customers.

In summary, the Office 365 service module represents a first step in developing easy ways to manage cloud data within AVG Managed Workplace – something that appears destined to become commonplace as more everyday objects and devices are IP-connected to form the Internet of Things. It also further enhances the wide range of productivity benefits already available to MSPs who use AVG Managed Workplace to remotely manage the IT of their entire customer-base through the same, single pane of glass.

Week in Security: Game over in Korea, cellphone snoops and phishy Bitcoins

Gamers and cellphone users were targeted by criminal groups around the world in our security news this week – with results varying from slightly eerie surveillance towers, to a gigantic data breach in which 220 million records were traded. The former were struck with a series of irritating service outages caused by a hacktivist group, plus a data breach of enormous proportions, which swept up half of South Korea’s population in a scam designed to steal virtual money and goods.

Cellphone users were left looking over their shoulders as a security news report highlighted the sale and use of tools which could track a user with high accuracy from town to town and even to other countries – and these tools are being bought not only by oppressive regimes, but by gangs.

Even more disconcerting was the discovery of at least 17 ‘fake’ cellphone towers which hacked into nearby handsets to either eavesdrop, or install spyware. The fake towers, discovered, oddly enough, by a company which markets handsets immune to such attacks, were found throughout America – with one, puzzlingly, in a casino….

Meanwhile, POS malware continues to multiply, and a new phishing attack highlighted how social engineering can strike anyone…

Security news: Half of South Korea breached

By anyone’s standards, it was a massive data breach – involving 27 million people, half the population, and 220 million private records changing hands. It also highlighted just how much South Korea loves playing games, as it hit adults and children alike – the breach targeted registration pages and passwords for six online gaming sites, with the aim of selling game currency and virtual goods.

The breach affected 70% of the population between the ages of 15 and 65, according to Forbes.

The sixteen hackers who were jailed had used 220 million items of personally identifying information, with the goal of breaking into online game accounts. A 24-year-old man, surname Kim, bought these records from a Chinese hacker he met in another online game in 2011, according to the Korea JoonGang Daily.

Kim and his associates are thought to have used a hacking tool known as an “extractor” to log in to accounts and steal virtual currency and items to sell – earning in the process 400 million won ($390,919).

1,000 U.S. firms infected with credit-card-stealing POS malware

An official warning issued this week highlighted the rise and rise of malware targeting point-of-sale systems in retail outlets, with the goal of stealing credit card details – with Secret Service operatives warning that one particular strain had infected a vast number of American firms.

The United States Computer Emergency Readiness Team issued a statement saying that the “Backoff” malware was rife in U.S. businesses, taking over administrator accounts and removing customer data from several hundreds of companies. Their information was based on Secret Service estimates, after conversations with POS software vendors in America.

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

Cellphone users targeted by cyber-snoops

Cellphone users, you may be being watched – by a surveillance industry which one privacy group claims is worth $5 million a year. This week saw an in-depth report into the export of equipment which can track the movements of anyone carrying a cellphone – from town to town and even into other countries.

It also saw the discovery of “fake” cellphone towers known as “interceptors” in active use on U.S. soil, according to Popular Science. The technology is known, but expensive, and it’s unclear who is operating the towers, or why.

High-end surveillance technologies which penetrate networks to track users are freely on sale not only to oppressive regimes, but also to criminal gangs, according to a report by the Washington Post.

Third-party surveillance apps are, of course, widely available which allow suspicious spouses and more nefarious individuals to track the owner of a phone by surreptitiously installing and hiding such an app. Such ‘domestic spyware’ is often involved in domestic violence cases.

The gear used by oppressive regimes is of a higher level altogether. “Surveillance systems are secretly collecting these records to map people’s travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology,” the Washington Post reports.

“The capabilities of surveillance technology have grown hugely in the past decade – in the hands of a repressive regime, this equipment eradicates free speech, quashes dissent and places dissidents at the mercy of ruling powers as effectively as guns and bombs, if not more so,” Privacy International says in its report.

Game Over, man! PSN taken down, other networks under attack

A new hacktivist gang disrupted and brought down several gaming services this week, including Sony’s PSN network, and the Twitch gamer-TV service, which returned only after presenters Tweeted photographs of themselves with the group’s name written on their foreheads.

Most of the attacks were basic denial-of-service attacks, and no information was lost during Sony’s network outage. The FBI took an interest when a reported bomb threat by the same group caused the diversion of a flight carrying a Sony executive, according to Reuters report.

Sony summed up in a blog post, “The networks were taken offline due to a distributed denial of service attack. We have seen no evidence of any intrusion to the network and no evidence of any unauthorized access to users’ personal information.”

It is as yet unclear what the group’s motivation is – with DDoS attacks also aimed at popular PC titles such as Blizzard’s Battle.net, Riot’s League of Legends and Grinding Gear Games’ Path of Exile.

Bitcoin phishing a cryptic success with non-users

How hot is Bitcoin right now? So hot that even non-Bitcoin users are tempted to click on phishing links referring to Bitcoin wallet sites (which they don’t use). The relative success of the attacks shows how social engineering can take many forms – and that clicking on links in ANY unsolicited email is a bad idea.

Previous Bitcoin wallet phishing campaigns usually targeted known lists of Bitcoin users. The new waves of phishing emails were targeted at corporations, rather than those with an interest in cryptocurrency. The tactic has proved a success for the criminals behind it – with nearly 2.7% of victims clicking on the malicious link embedded in the two waves of 12,000 emails.

Proofpoint, which monitored the attack, said that the high success rate proved how much the hype behind the Bitcoin wallet had caught the imagination of the general population. “Unregulated and designed for anonymity, Bitcoin represents an attractive, $6.8 billion target to cyber criminals,” Proofpoint said.

The Register’s John Leyden reported, “This high click-through rate is a concern because crooks could easily switch from Bitcoin scams to targeting curious users with DDoS malware, remote access Trojans, corporate credential phish, or other threats.”

Some things, of course, don’t change: the emails took the form of a classic “account warning” phishing email, just using a Bitcoin site instead of a bank.

The post Week in Security: Game over in Korea, cellphone snoops and phishy Bitcoins appeared first on We Live Security.

Internet privacy: Seven rules to keep secrets safe

Internet privacy is something consumers are increasingly aware of, but which is near-impossible to achieve. You are never truly invisible on the internet – just witness how quickly the Blackphone, made by encryption legends Silent Circle met its match at DEF CON.

But while the free internet relies on “watching you” to sell ads, and others watch you just because they like it, there are a few steps sensible internet users should take for those moments when a little internet privacy IS required.

Most are the basics of internet privacy – password hygiene – and good security practice on social networks.

But when it comes to things you might want to keep private – business conversations that would be of interest to a rival, hobbies such as motorcycling that might be of interest to an insurer, a few basic steps can help.

If you ARE James Bond, no security tip in the world will stop your enemies watching you – that’s their job. For most of us – from college students to small businesses to people afraid of one particular watcher, such as domestic violence survivors – some basic steps will help you stay private.

Tinfoil hats are not required. Nor is switching to a “private” browser such as Tor – although privacy-conscious users may find it surprisingly fast these days.

Rule one: Use the internet privacy tools provided by ‘the watchers’

There are good reasons to revisit the internet privacy menus on your Facebook account – and it’s highly unwise to post anything to the network that is in any way sensitive. Facebook  is not content with the trove of data provided by its own users – it deals with third-party “data broker” companies, who provide the company with encrypted lists of email addresses (for instance, of users who have bought a vacuum cleaner), which Facebook then matches against its own encrypted list. This means the company may ‘know’ more than you think it does. The only defense is to be cautious with data both inside and outside Facebook.

There are other good reasons behind people’s distrust of Facebook, and to ensure your account is locked up as much as possible. This year, the social site added hidden tracking in its ubiquitous ‘Like’ button to track users outside of Facebook pages. The new tracking method actually ignores users’ Do Not Track preference settings (the browser setting where users can choose “ask websites to not track me”). Staying logged out as much as possible is a good idea to increase your internet privacy.

Google is a major player in collecting data – every Google service from YouTube to Search collects information on signed-in users, and collates it to refer to one user profile. This is used to tailor Google ‘adwords’ – the text adverts that appear around searches and above Gmail’s Inbox – to the user. Google, however, is very open about how it all works, and you can opt out of almost everything, even if you’re a heavy user. If you do so, the only service you’ll really be unable to use is the excellent Google Now on Android, which relies heavily on search history and location history. It poses its own privacy risks, of course, if anyone looks over your shoulder…

Google itself offers a clear explanation of how its data collection works – and provides a dashboard of tools web users may wish to use to prevent themselves being tracked. For Google, personalized adverts are a service, and one you can choose not to use. Facebook’s approach is more opaque. Facebook said that it would also ignore “do not track” signals sent by browsers – a measure put in place to offer users choice on privacy – because “currently there is no industry consensus.”

Rule two: Don’t tell the internet your age, or if you went to college

Sharing information too openly online is a bad idea – leaving you open to spear phishing attacks. But data also falls into the hands of companies which trade in it – billions of data points at once, sold to advertisers and other companies. Most of these are perfectly normal companies. Some are not. The Federal Trade Commission is investigating ‘data brokers’. The industry is thus far largely unregulated, and brokers will offer anything from anonymous data gleaned from browsing, to a mix of data, some publicly available, some from website cookies and other tracking tools. You are significantly more likely to be identifiable from your data if you share things publicly – even the fact you own a dog, or your address, or if you geolocate pictures. Take control of this data. Don’t share when you don’t have to.

[Image: Consumers are increasingly concerned about privacy, a Silent Circle poll found]

Social networks are a prime example, but “overfilling” a profile on a blog or corporate site can also reveal details. If there’s ever a box about sharing data with other companies, make sure you tick (or don’t tick) it so your data isn’t shared. Whatever happens to it, it isn’t going away. Some, not all, data brokers categorise customers in a way which may impact future eligibility for financial products – categorising them as uneducated, or putting them in a category of older people, for instance. This is information you should not share publicly, as it may impact your financial future.

Rule Three: Don’t trust ‘Do Not Track’ – Incognito or Private mode are better

Many companies ignore a browser’s request not to be tracked – including high profile firms such as Facebook. The only fix is to use Incognito or Private browsing, and not log in to Facebook as you browse.

You will still be followed by trackers (cookies and scripts embedded in most websites) as you browse, but the profile that’s built up applies to a user who disappears when the session ends. You are still, of course, not truly ‘private’ – your IP address can still be traced as having visited a particular website, but it helps. Setting your browser to delete cookies on closing also helps in this regard – but it’s not a silver bullet.

Rule Four: Don’t use Facebook log-ins on apps

Don’t imagine smartphones are any different from PCs – you will be tracked on your browser, just as you are on PC, and there are other security concerns, too. But one step is easy to take. Many apps allow users to log in using their Facebook details, which spares users the time of filling in a form.

However, this allows the social network to use information from the app, and apply this to its advertising profile to target adverts. Any information in the app becomes available to Facebook. If you’re worried about how much Facebook ‘knows’ about you, use email to log in instead.

Rule Five: Turn to Tails if you really need to be private

If you are determined not to be watched, Tails is a high-end internet privacy tool – although it should be noted that it is not “spy proof”. It boots from a DVD or USB stick, and forces internet traffic through the anonymizing service Tor (all non-Tor connections are rejected). Tor is of course not immune from spying – but it’s as secure as it gets, most of the time.

When you’ve finished, Tails deletes all data from the session (it’s stored in RAM rather than in computer storage). It can be used on any computer, and leaves no trace once the session ends. You are, of course, still vulnerable to some techniques – for instance, electronic listening devices could pick up your keystrokes.

Rule Six: If you’re doing business, use a VPN, and encrypt everything you can

If you are using the internet for sensitive business reasons, use VPN software. Either provided by your company, or if you’re a small business or freelancer, use your own VPN client. Likewise, ensure you encrypt as much as you can – from emails to data stored on your PC. ESET researcher Stephen Cobb argues that encryption is now essential for business – and with the rate of data breaches seen over the past few months it’s hard to argue. Malware researcher Lysa Myers says, “The best way to protect your data from prying eyes is to make more of it unreadable to outside parties. And the best way to do this is to encrypt as much as you can both data that is saved on your hard disk, and data that you send out of your machine, via email, web or other methods.”

Rule Seven: You are never invisible online

No matter how paranoid you are, how security-conscious you are, there is always a way round your snoop-proof techniques. Unscrupulous and greedy people will find it. If you want something to stay private, don’t do it online, or on the phone. Do it in the real world. As more consumers use internet privacy tools, new unknown techniques appear to bypass them. ‘Canvas fingerprinting’ is a new technique, invisible to users, which became widespread among companies selling data to advertisers before the media were even aware of it. Requiring PCs to render a fragment of text, it bypasses “do not track” instructions to create a fingerprint which “shatters” current privacy tools, Princeton researchers say. One provider which uses the ‘fingerprinting’ technique, touted as a replacement for cookies for advertisers keen to track users across the web, uses its scripts in thousands of sites – and reaches 97.2% of the internet population in America, according to Comscore.

The post Internet privacy: Seven rules to keep secrets safe appeared first on We Live Security.

Malware still generated at a rate of 160,000 new samples a day in Q2 2014

  • The second quarter of 2014 has seen the creation of 15 million new strains of malware
  • Trojans are still the most common type of malware, though they are losing ground thanks to the rise of PUPs (Potentially Unwanted Programs)
  • Smartphones, both Android and iOS, are still under attack
  • The global infection rate during this period was 36.87%, a significant increase on previous quarters, thanks in part to the increase in PUPs


Panda Security, The Cloud Security Company, has announced the latest findings of the PandaLabs quarterly report for Q2 2014. The main conclusions of the study include the fact that malware is still being created at the record levels reached in the previous quarter: 15 million new samples were generated, at an average rate of 160,000 every day.

While Trojans are still the most common type of malware, accounting for 58.20% of new malware, this figure is significantly lower than the previous quarter (71.85%). This is not so much due to a drop in number of new Trojans, but more to a substantial increase in PUPs (Potentially Unwanted Programs) during this period.

Attacks on mobile devices have continued to gather momentum over this quarter, though this time they have also targeted the Apple iOS in addition to Android. In the case of the latter, the most notable cases have involved fake antivirus apps and ransomware.

There have also been many notable cases of hacking targeting major companies across different sectors, such as eBay, Spotify or Domino’s Pizza, as well as more attacks by the Syrian Electronic Army (SEA). A security flaw – dubbed Heartbleed – in the OpenSSL library used for encrypting communications made the headlines around the world in April. At the same time, Microsoft ceased to offer support for Windows XP, with serious security implications for users of this OS.

PUPs on the rise

While Trojans are still the most prevalent type of malware (58.20% of new threats), they are losing ground thanks to the rise of PUPs (Potentially Unwanted Programs). In fact, in recent months there has been a notable increase in software bundlers, which install PUPs, without the user’s consent, along with the programs that the user really wants to install.

Trojans are followed a long way behind in the ranking by worms (19.68%), adware/spyware (0.39%) and viruses (0.38%).

Trojans the cause of most infections

Trojans, once again, have accounted for more infections (62.8%) than any other type of malware, although this figure is lower than the previous quarter (79.90%). PUPs are in second place with 24.77% of infections, underlining how these techniques are now being used massively. A long way behind came adware/spyware (7.09%), viruses (2.68%) and worms (2.66%).

Infections by country

The global infection rate during the second quarter of 2014 was 36.87%, a significant rise on recent periods, thanks largely to the proliferation of PUPs. Country by country, China once again had the most infections, with a rate of 51.05%, followed by Peru (44.34%) and Turkey (44.12%).

It’s clear from this ranking that the regions with the highest levels of infections are Asia and Latin America. Spain also has an infection rate above the global average with 37.67%.

On the other hand, Europe is the area with the lowest infection rate, with nine countries ranked among the least infected countries. Sweden (22.13%), Norway (22.26%) and Germany (22.88%) had the lowest rates while Japan, with an infection rate of 24.21%, was the only non-European country in the top ten of this ranking.


The full report is available here.

The post Malware still generated at a rate of 160,000 new samples a day in Q2 2014 appeared first on MediaCenter Panda Security.

Bad news for SMBs: Target’s “Backoff” malware attack hits 1,000 more businesses


avast! Endpoint Protection can protect your network

U.S. merchants advised to protect themselves against same PoS hack that hit Target and Neiman Marcus last year.

More than 1,000 U.S. businesses have had their systems infected by Backoff, a point-of-sale (PoS) malware that was linked to the remote-access attacks against Target, Michaels, and P.F. Chang’s last year and more recently, UPS and Dairy Queen. In the Target breach alone, 40 million credit and debit cards were stolen, along with 70 million records which included the name, address, email address, and phone number of Target shoppers.

The way these breaches occur is laid out in BACKOFF: New Point of Sale Malware, a new U.S. Department of Homeland Security (DHS) report. Investigations reveal that cybercrooks use readily available tools to identify businesses that use remote desktop applications which allow a user to connect to a computer from a remote location. The Target breach began with stolen login credentials from the air-conditioning repairman.

Once the business is identified, the hackers use brute force to break into the login feature of the remote desktop solution. After gaining access to administrator or privileged access accounts, the cybercrooks are then able to deploy the PoS malware and steal consumer payment data. If that’s not enough, most versions of Backoff have keylogging functionality and can also upload discovered data, update the malware, download/execute further malware, and uninstall the malware.

General steps SMBs and consumers can take to protect themselves

  • You should use a proper security solution, like avast! Endpoint Protection, to protect your network from hacking tools, malicious modules, and from hackers using exploits as a gateway to insert malware into your network.
  • Regularly monitor your bank and credit card statements to make sure all the transactions are legitimate.
  • Change default and staff passwords controlling access to key payment systems and applications. Our blog post, Do you hate updating your passwords whenever there’s a new hack?, has some tips.
  • Monitor your credit report for any changes. You’re entitled to one free report per year from each of the three reporting agencies.

Specific tips to protect your business and customers

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts.
  • Limit the number of users and workstations who can log in using Remote Desktop.
  • Use firewalls to restrict access to remote desktop listening ports.
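The intrusion chain described earlier (brute-forced Remote Desktop logins leading to a privileged account and then the PoS malware drop) and the account-lockout control in the list above can both be checked against the Windows Security log. The following Python is an added example and not code from Avast, DHS or the report it cites: it runs a sliding-window brute-force detector and a "success after a burst of failures" detector over a constructed event export, then replays the same stream through a lockout policy to count how many attempts the recommended setting would have refused. The pipe-separated line format, account names and IP addresses are made up for the example; event IDs 4625/4624 and logon type 10 are the real Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs (real values): 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive, i.e. a Remote Desktop session.
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed sample export (hypothetical format), one event per line:
# timestamp|event_id|account|source_ip|logon_type
SAMPLE_LOG = """\
2014-08-22T02:14:05|4625|posadmin|203.0.113.7|10
2014-08-22T02:14:06|4625|posadmin|203.0.113.7|10
2014-08-22T02:14:07|4625|posadmin|203.0.113.7|10
2014-08-22T02:14:08|4625|posadmin|203.0.113.7|10
2014-08-22T02:14:09|4625|posadmin|203.0.113.7|10
2014-08-22T02:14:10|4625|posadmin|203.0.113.7|10
2014-08-22T02:14:11|4624|posadmin|203.0.113.7|10
2014-08-22T09:01:00|4625|jsmith|192.168.10.15|10
2014-08-22T09:01:40|4624|jsmith|192.168.10.15|10
"""


def parse_events(text):
    """Parse the constructed export into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ip, ltype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "account": account, "source_ip": ip, "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, source_ip) pairs with >= threshold failed RDP logons inside a sliding window.
    Returns {(account, source_ip): peak failure count seen within one window}."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["event_id"] != FAILED_LOGON or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (e["account"], e["source_ip"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag a successful RDP logon that follows a burst of failures from the same source:
    the 'brute force, then privileged access' step of the intrusion chain."""
    failures = defaultdict(deque)
    hits = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (e["account"], e["source_ip"])
        q = failures[key]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event_id"] == FAILED_LOGON:
            q.append(e["ts"])
        elif e["event_id"] == SUCCESS_LOGON and len(q) >= min_failures:
            hits.append((e["account"], e["source_ip"], len(q), e["ts"]))
            q.clear()
    return hits


class LockoutPolicy:
    """Account lockout with a failure threshold, an observation window and a lockout duration,
    the three settings the advisory tells you to configure."""

    def __init__(self, threshold=5, observation=timedelta(minutes=15), duration=timedelta(minutes=30)):
        self.threshold, self.observation, self.duration = threshold, observation, duration
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def is_locked(self, account, now):
        return account in self.locked_until and now < self.locked_until[account]

    def record_failure(self, account, now):
        """Register a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.observation:
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[account] = now + self.duration
            q.clear()
            return True
        return False


def simulate_lockout(events, policy):
    """Replay RDP attempts through the policy; return the attempts that would have been refused."""
    refused = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if policy.is_locked(e["account"], e["ts"]):
            refused.append((e["account"], e["ts"]))
        elif e["event_id"] == FAILED_LOGON:
            policy.record_failure(e["account"], e["ts"])
    return refused


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute force:", detect_rdp_brute_force(evs))
    print("success after failures:", detect_success_after_failures(evs))
    print("refused by lockout:", simulate_lockout(evs, LockoutPolicy()))
```

In the sample stream the lockout policy refuses the sixth failed attempt and, more importantly, the successful logon that follows it, which is the point of the control: the attacker's correct guess arrives after the account has already been locked. The single failure from jsmith followed by a success is ordinary user behaviour and raises nothing.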

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network.
  • Segregate payment processing networks from other networks.

Cash Register and PoS Security

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.

See more mitigation and prevention strategies from DHS.

Learn more about PoS attacks against small and medium-sized business in our blog, Should small and medium-sized businesses be worried about PoS attacks?

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.

Anyone want to know my Social Security Number?

Let me tell you about yet another brain-dead Facebook meme* about ‘your [something or other] name’ games. These games are the sort of round-robin post that tell you how to generate your very own witness protection name, your soap character name, and similar richly meaningful concepts.

It’s Only Rock and Roll

Apparently the rock star name meme has been around since at least 2007, but I somehow managed to miss it for most of that time. Clearly I should consider dedicating what is left of my twilight years to Facebook so that I don’t miss anything.

Perhaps this one has something to do with the way rock stars, footballers, and movie stars, worried that alternatively pampering and neglecting their offspring might not be the optimum parenting methodology, give them ludicrous names like Leafmould Cheesecake. Or I suppose it might be a way of generating a name that will get you mistaken for a celebrity and ensure that you get into nightclubs and pay a larger than normal deposit on hotel rooms. Anyway, most of the examples I’ve seen (thank you so much, Google, for brightening my life yet again) are generated by combining the name of your first pet and something like your current car, your first car, or the street where you live. (I apologize if I’ve increased the danger that some future reader will be christened Tiddley Widdley 2CV.)

Security content coming up. (Finally.)

It may not have escaped your notice that those elements are very similar to those secret questions that banks and such want us to use to supplement those passwords that they take such good care of. Sometimes. (Here’s a list of other name ‘games’, several of which have a disquieting tendency to be based on ‘secret question’ data.)

I started looking into this social phenomenon when I recently came across a variation on the rock star meme: this one offers us the following way to find our own rock star names. Ready, steady, type:

  1. Your mother’s maiden name
  2. Your first pet’s name
  3. The model of your first car
  4. Your High School mascot
  5. Your favourite uncle
  6. The last four digits of your Social Security Number (SSN)

Several of my friends in the security business found this meme extremely amusing. As you probably will too, knowing that this is a parody – or an extreme example – of the kind of ‘secret questions’ that financial providers and others are fond of passing off as additional security. In fact, the first three are common – even stereotypical – secret questions proposed by real service providers. 4 and 5, maybe not so much. But SSNs are commonly used in the US as authentication, so there’s certainly possible value there for someone trying to harvest useful information about you.

Still, surely no-one could fail to recognize the danger there? Well, some people who commented clearly thought it would be worth putting it out there to see who (or how many) fell for it, if only out of curiosity. No ethical qualms there, then.

Friendship and Fiendship

I’ve talked before (for Virus Bulletin) about the potential of the Facebook meme for collecting data that could be used for malicious purposes. One datum addressed there was your date of birth (mildly obfuscated, but if I could find out how it worked, so could any bad guy who could use a search engine). Another was the instance cited by Graham Cluley of the Royal Wedding in 2011, inviting Facebook users to generate their ‘royal wedding guest name’ by combining an aristocratic title, one of their grandparent’s names, and the name of their first pet ‘double-barrelled’ with the name of the street they grew up on. I can assure you that if I absent-mindedly sign this article as Lord Melvin Sundance-Acacia, I won’t be giving any sensitive data away. After 25 years in security, I’m not naïve enough to think that everyone who’s a friend on social media – or a reader of my blogs – is to be trusted with personal data. I don’t think there are many burglars or identity thieves in my immediate circle of acquaintance, but friends of friends of friends are another matter. In any case, I’m pretty sure that some of my friends aren’t as paranoid with their – or my – posts and data as I am. Furthermore, I’m no fan of the way that various social networks try to insist on my giving them far more personal information than they really need to know.

Not, of course, that I’m advocating a general policy of dishonesty in social networking profiles, but as I commented in that article and elsewhere, these are organizations that regard subscribers not as customers but as sources of commoditized data. Big names in the social media are constant targets for hacking, and don’t always take the care over securing sensitive data that you might expect. In fact, they often have an agenda that is at heart anti-privacy, since our data is exactly what matters to the retail organizations and service providers who are their real customers. Meanwhile, we subscribers are all too willing to give away exactly the sort of material targeted in a data aggregation (or data inference) attack: each item may look harmless on its own, but an aggregation of such items gives an attacker all he needs to indulge in a little identity theft.

Social Insecurity

But let’s talk about SSNs. Is giving away just part of your SSN really dangerous? In a paper published in 2009 by Alessandro Acquisti and Ralph Gross in the Proceedings of the National Academy of Sciences of the United States of America, it was claimed (as I summarized here) that there is:

a correlation between an SSN and the birthdate of its “owner” that makes it feasible to infer the SSN, given knowledge of that birthdate and … public access to the Social Security Administration’s Death Master File … to determine SSN allocation patterns based on the zip code of their birthplace and the date of issue.

So how secure is your Social Security Number? Well, here are a couple of issues:

  • Some legitimate organizations that are convenient to subscribe to may require it even though they are not, strictly speaking, “entitled” to it.
  • The difference between legitimate and illicit organizations (or their web pages, URLs and so on) is not always as pronounced as you might think – otherwise, we wouldn’t have to worry about phishing.

A Social Security Number (like a National Insurance Number in the United Kingdom) is an identifier, not an authenticator, because it isn’t secret: many people know (or at least could gain access to) your SSN. The problem arises whenever an organization providing some kind of service to you insists on using it as an authenticator rather than as an identifier. Even if a criminal doesn’t have direct access to an SSN, he may be able to guess it from information aggregated from other sources.

The Social Security Administration has stated in the past (apparently in the hope of making it easier to spot a fake) that the nine digits of a Social Security Number are grouped as follows.

  • The first three digits represent the Area Number
  • The next two digits represent the Group Number
  • The four digits at the end are called the Serial Number

And, of course, it’s exactly those four final digits that are under discussion. According to an article in the LA Times from 2009, Acquisti and Gross were able “to identify all nine digits for 8.5% of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.” The Social Security Administration stated at that time that it was moving over to a randomized SSN allocation system, which took effect on 25 June 2011. Unfortunately, that does nothing for the many people whose SSN was already allocated, under the old predictable scheme, by the time the change was introduced.

Hopefully, most sites that ask for SSN info won’t allow unlimited guesses. Even more hopefully, few people will fall for a blatant, exaggerated data harvesting/phishing attempt resembling the meme described above.
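To make the inference argument concrete, here is an added worked example; it is not code from the original article or from Acquisti and Gross. It runs a much simplified version of their idea over a synthetic, made-up “Death Master File”: birth state and date pin down the area and group numbers from neighbouring records, which leaves only the serial number to guess, and a victim who “harmlessly” posts the last four digits supplies exactly that. The records, state-to-area mapping, and dates are all constructed for the demo (the 9xx area numbers were never issued, so no real SSN can appear); the 25 June 2011 randomization cut-off is real.

```python
"""Why 'just the last four digits' of an SSN is not harmless.

Acquisti and Gross (PNAS, 2009) showed that, for SSNs issued before the SSA
randomized assignment on 25 June 2011, the first five digits (area + group)
could be inferred from birth state and date by learning the allocation
pattern from the public Death Master File (DMF).  This script runs a much
simplified version of that idea on a SYNTHETIC DMF: every record below is
constructed for the demo, and the 9xx area numbers were never issued by the
SSA, so no real SSN can appear here.  Dates are ISO strings, which compare
in calendar order with plain string comparison.
"""

RANDOMIZATION_START = "2011-06-25"   # SSNs assigned after this have no area/group pattern

# Constructed DMF extract: (ssn, birth_date, birth_state).  The pattern mimics
# the pre-2011 scheme: area tied to the state, group advancing over time,
# serial numbers handed out in sequence within a group.
SYNTHETIC_DMF = [
    ("987-65-0104", "1989-03-02", "VT"),
    ("987-65-0111", "1989-03-05", "VT"),
    ("987-65-0120", "1989-03-09", "VT"),
    ("987-65-0133", "1989-03-14", "VT"),
    ("987-65-0147", "1989-03-20", "VT"),
    ("987-67-0012", "1989-06-01", "VT"),   # group rolled over from 65 to 67
    ("951-12-2950", "1989-03-05", "CA"),
    ("951-12-3300", "1989-03-07", "CA"),   # a populous state: many serials per day
    ("951-12-3900", "1989-03-09", "CA"),
]


def parse_ssn(ssn):
    """Split 'AAA-GG-SSSS' into (area, group, serial) integers."""
    area, group, serial = ssn.split("-")
    return int(area), int(group), int(serial)


def infer_prefix(dmf, state, birth_date):
    """Candidate (area, group) prefixes and serial windows for a target born in
    `state` on `birth_date`, taken from the nearest same-state DMF records on
    either side.  Returns None when no inference is possible."""
    if birth_date >= RANDOMIZATION_START:
        return None                      # randomized SSNs: nothing to exploit
    same_state = sorted((r for r in dmf if r[2] == state), key=lambda r: r[1])
    earlier = [r for r in same_state if r[1] <= birth_date]
    later = [r for r in same_state if r[1] >= birth_date]
    if not earlier or not later:
        return None                      # target is outside the data we hold
    a1, g1, s1 = parse_ssn(earlier[-1][0])
    a2, g2, s2 = parse_ssn(later[0][0])
    if (a1, g1) == (a2, g2):
        return {(a1, g1): (s1, s2)}
    # The group advanced between the neighbours: the target's serial is either
    # near the end of the old group or near the start of the new one.
    return {(a1, g1): (s1, 9999), (a2, g2): (1, s2)}


def search_space(dmf, state, birth_date):
    """Number of full SSNs an attacker would have to try knowing only birth
    state and date (the paper's 'attempts to identify all nine digits')."""
    windows = infer_prefix(dmf, state, birth_date)
    if windows is None:
        return None
    return sum(hi - lo + 1 for lo, hi in windows.values())


def candidates_with_last_four(dmf, state, birth_date, last_four):
    """Full SSNs consistent with the inferred prefix AND a leaked serial number
    (the 'last four' the meme asks for).  Assumes the DMF neighbours bracket
    the target tightly enough that the serial falls inside a window."""
    windows = infer_prefix(dmf, state, birth_date) or {}
    serial = int(last_four)
    return [f"{area:03d}-{group:02d}-{serial:04d}"
            for (area, group), (lo, hi) in windows.items() if lo <= serial <= hi]


if __name__ == "__main__":
    for state, born in (("VT", "1989-03-11"), ("VT", "1989-04-15"), ("CA", "1989-03-08")):
        print(state, born, "search space without the last four:",
              search_space(SYNTHETIC_DMF, state, born))
    # The same Vermont target once the victim has posted the last four digits:
    print(candidates_with_last_four(SYNTHETIC_DMF, "VT", "1989-04-15", "0005"))
```

On this toy data the small-state target born between two close neighbours has a search space of 14; the one born across a group rollover has nearly 10,000; the large-state target sits at 601. In every case the leaked last four digits collapse the candidate list to a single SSN, which is the whole point of the meme. Real DMF data is noisier than this and the paper's numbers are correspondingly lower, but the shape of the attack is the same.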

The Sum of the Parts

But how about a story recently passed on by one of my colleagues in the security industry? He related how one of his friends received what appears to have been an automated phone call claiming that his or her debit card had been locked for fraud. Such calls are actually quite common, as in the cases described here, where the recording asks for the target to press 1 and then to ‘unlock’ their card by inputting sensitive financial information including the card number and the PIN associated with it in chip and PIN transactions. This isn’t a new threat, of course. A post at Scamcallfighters indicates that characteristically:

The automated system will ask the victim to key-in, card number, name, date of birth and even the security code! And at the end of it, it will declare that your card is reactivated!

In this case, however, the first thing requested was to input a full 9-digit SSN. Fortunately, the intended victim in this instance knew better than to actually give that information. I suspect, however, that a less greedy scammer might get quite a good hit rate in the right context.

By ‘less greedy’ I don’t just mean not asking for so many data items that even the most naïve end user might start to get suspicious, but also being prepared to do some data aggregation. After all, a victim who just volunteered 2-3 potentially useful data items is probably more likely than average to volunteer further items the second time round. And while a partial SSN requires more effort to build into a full SSN, the trade-off is that a victim is less likely to be scared off by a request for too much information.

After all, we’re conditioned to think that when a bank or other agency asks us to identify ourselves by giving part of an identifier or authenticator – “the 1st, 3rd and 4th character of your special word” or “the last four digits of your credit card number”, they already have the whole identifier/authenticator. Of course, this isn’t necessarily true at all. A scammer might even camouflage a harvesting probe by ‘sacrificing’ a data item that can’t be fully established so as to establish a context of trust in which the victim will:

  • Not take the trouble to check that the call is genuine by ending the call and calling back to a known-genuine number.
  • Go on to supply data items that can be used to implement some form of fraud.

However, in this case, a partial SSN might actually be enough to establish yet another useful (in terms of identity theft) data item.

Sadly, this use of automation for fraudulent purposes is another case where well-meaning (but not necessarily well-implemented) attempts by banks to reduce the impact of fraud have been perverted by criminals into an attack.

Technology versus Education

In the security industry, there’s a longstanding debate between those who advocate more user education and those who say that if education was going to fix the cybercrime problem it would have worked by now. (Randy Abrams and I discussed that debate at some length back in 2008: People Patching: Is User Education Of Any Use At All?)

This particular threat exemplifies that conflict/tension: the efficiency of a technical solution – automated detection of fraudulent (or at least unusual) transactions – is compromised because card users are not well enough informed to distinguish between legitimate and fraudulent phone calls.

David Harley
ESET Senior Research Fellow

* Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. (Merriam-Webster)

The post Anyone want to know my Social Security Number? appeared first on We Live Security.

Android security mystery – ‘fake’ cellphone towers found in U.S.

[There have been many comments to this story from people who are assuming that these ‘towers’ are physical installations. There’s no reason to assume this is the case: it’s far likelier that they are mobile installations of the kind used not only by law enforcement and government agencies, but also by scammers and other criminals. (David Harley)]

Seventeen mysterious cellphone ‘towers’ have been found in America which behave like ordinary towers, can only be identified by a heavily customized handset built for Android security, and have a much more malicious purpose, according to Popular Science.

The fake ‘towers’ are computers which wirelessly attack cellphones via the “baseband” chips that handle their communication with the network; they can eavesdrop and even install spyware, ESD claims. They are a known technology – the surprise is that they are in active use.

The towers were found by users of the CryptoPhone 500, one of several ultra-secure handsets that have come to market in the last couple of years, after an executive noticed his handset was “leaking” data regularly.

Its American manufacturer boasts that the handset has a “hardened” version of Android which removes 468 vulnerabilities from the OS.

Android Security: Towers throughout the US

Despite its secure OS, Les Goldsmith of the handset’s US manufacturer ESD found that his personal Android security handset’s firewall showed signs of attack “80 to 90” times per hour.

The leaks were traced to the mysterious towers. Despite having some of the functions of normal cellphone towers, Goldsmith says their function is rather different. He describes them as “interceptors” and says that various models can eavesdrop and even push spyware to devices. Normal cellphones cannot detect them – only specialized hardware such as ESD’s Android security handsets.

Who created the towers and maintains them is unknown, Goldsmith says.

Origin of towers ‘unknown’

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.” [Editor’s note: Goldsmith has asked us to stress that the tower was actually in the vicinity of the casino, not within the casino itself.]

Their presence can only be detected by specialized devices, such as the custom Android security OS used by Cryptophone, which includes various security features – including “baseband attack detection.”

The handset, based on a Samsung Galaxy SIII, is described as running a “Hardened Android operating system” with extra security. “Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures”, claims the site.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith.  “Whose interceptor is it?  Who are they, that’s listening to calls around military bases?  The point is: we don’t really know whose they are.”

Baseband attacks are considered extremely difficult – the details of the chips are closely guarded. “Interceptors” are costly devices – and hacking baseband chips is thought to be technically advanced beyond the reach of “ordinary” hackers, ESD says. The devices vary in form, and are sold to government agencies and others, but are computers with specialized software that impersonates a legitimate base station and is designed to defeat the encryption of cellphone networks (on GSM, for instance, by instructing the handset to use weak or no ciphering). The towers target the “baseband” operating system of cellphones – a separate real-time OS running on the phone’s modem processor, which sits “between” the application OS (iOS or Android, for instance) and the cellular network.

Goldsmith says that the devices cost “less than $100,000” and does not mention what level or type of device his team has detected. Most are still out of reach of average hackers, although freely advertised. One model is the VME Dominator, which is described as, “a real time GSM A5.1 cell phone interceptor. It cannot be detected. It allows interception of voice and text. It also allows voice manipulation, up or down channel blocking, text intercept and modification, calling & sending text on behalf of the user, and directional finding of a user during random monitoring of calls.”

What has come as a surprise is how many “interceptors” are in active use in the U.S., and that their purpose remains mysterious.
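The article says the CryptoPhone’s “baseband firewall” detects interceptor activity but not how. As an added illustration (not ESD’s code, and not taken from the original post), the script below applies the kind of heuristics published open-source IMSI-catcher detectors rely on to a constructed log of cell observations: an unknown cell in a familiar area, a cell advertising no neighbours, ciphering switched off, and a sudden downgrade from 3G to 2G on an unusually strong signal. The log format, the baseline of known cells, and the -60 dBm threshold are all assumptions made for the demo.

```python
"""Flagging a suspicious base station from a handset's cell observations.

NOT ESD's code.  Four widely published IMSI-catcher heuristics applied to a
CONSTRUCTED observation log; a cell is reported when several fire at once:
  1. the (LAC, cell ID) pair was never seen before in this area
  2. the cell advertises no neighbour cells (a standalone interceptor)
  3. ciphering is switched off (GSM A5/0)
  4. the handset was pushed from 3G/LTE down to 2G by an unusually strong cell
The log format, baseline and signal threshold are all assumptions.
"""
from collections import defaultdict

# Constructed baseline: (lac, cid) pairs this handset has seen before.
KNOWN_CELLS = {(4021, 88213), (4021, 88214), (4021, 88221)}

# Constructed observation log: one measurement per line, key=value fields.
SAMPLE_LOG = """\
2014-09-02T10:00:01 lac=4021 cid=88213 rat=3G rssi=-87 cipher=UEA1 neighbours=3
2014-09-02T10:00:31 lac=4021 cid=88214 rat=3G rssi=-91 cipher=UEA1 neighbours=4
2014-09-02T10:01:02 lac=4021 cid=60001 rat=2G rssi=-51 cipher=A5/0 neighbours=0
2014-09-02T10:01:33 lac=4021 cid=60001 rat=2G rssi=-50 cipher=A5/0 neighbours=0
2014-09-02T10:02:04 lac=4021 cid=88221 rat=3G rssi=-89 cipher=UEA1 neighbours=3
"""

STRONG_SIGNAL_DBM = -60   # assumption: an interceptor wins reselection by out-powering real cells
NO_CIPHER = {"A5/0", "none"}


def parse_line(line):
    """'ts k=v k=v ...' -> dict; numeric values (including negative dBm) become ints."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for kv in fields:
        key, value = kv.split("=", 1)
        rec[key] = int(value) if value.lstrip("-").isdigit() else value
    return rec


def score(records, known=KNOWN_CELLS):
    """Map each (lac, cid) to the set of heuristics it triggered."""
    reasons = defaultdict(set)
    prev_rat = None
    for r in records:
        cell = (r["lac"], r["cid"])
        if cell not in known:
            reasons[cell].add("cell not in baseline")
        if r["neighbours"] == 0:
            reasons[cell].add("no neighbour list")
        if r["cipher"] in NO_CIPHER:
            reasons[cell].add("ciphering disabled")
        if prev_rat in ("3G", "LTE") and r["rat"] == "2G" and r["rssi"] > STRONG_SIGNAL_DBM:
            reasons[cell].add("downgrade to 2G on strong signal")
        prev_rat = r["rat"]
    return dict(reasons)


def suspects(log_text, known=KNOWN_CELLS, threshold=2):
    """Cells that triggered at least `threshold` heuristics.  A single hit is
    normal life (a new cell on a road trip, a rural 2G-only network); several
    at once on the same cell is what is worth alerting on."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {cell: sorted(hits) for cell, hits in score(records, known).items()
            if len(hits) >= threshold}


if __name__ == "__main__":
    for cell, hits in suspects(SAMPLE_LOG).items():
        print("suspect cell", cell, "->", ", ".join(hits))
```

Two caveats a practitioner will want. First, none of these indicators is available to an ordinary app on a stock phone: they come from the baseband, which is why a detector needs either a modified handset or a modem that exposes its engineering mode. Second, each heuristic on its own has benign explanations, so counts like the “seventeen towers” in the article depend entirely on how the detector combines them; a detector that alerts on a single hit will see interceptors on every road trip.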

The post Android security mystery – ‘fake’ cellphone towers found in U.S. appeared first on We Live Security.

WhatsApp. Beware of cyber-crooks and scams!


This week, WhatsApp has announced that it now has 600 million active users.

The news was released by Jan Koum, the CEO and co-founder of WhatsApp, through his Twitter page. Koum made it very clear that this figure refers to the number of active, not registered, users, which means that WhatsApp’s user growth may actually be larger.


The term ‘active users’ refers to the number of users who have used the app at least once in the last month.

WhatsApp security

Despite the doubts raised a few months ago when Facebook bought WhatsApp, it seems that the messaging app continues to be as popular as ever. The figure of 600 million users affirms WhatsApp as the world’s most widely used instant-messaging application, well ahead of rivals like Line or Telegram.

But this success has also placed it in the crosshairs of cyber-criminals who, over the last few months, have come up with countless ways to exploit the app as a means to attack users.

Want to know how? Discover the most dangerous WhatsApp scams and beware of malicious messages!

The post WhatsApp. Beware of cyber-crooks and scams! appeared first on MediaCenter Panda Security.

Google dorks – FBI warning about dangerous ‘new’ search tool

The FBI has issued a warning to police and other emergency response personnel about a lethal new tool which ‘malicious actors’ have been using to deadly effect against American government institutions – Google dorks.

The warning, reported by Ars Technica, refers specifically to ‘Google dorks’  or “Google dorking” – ie the use of specialized search syntax,  using terms such as “filetype:sql”.

‘Google dorks’ refers to search syntax which allows users to search within a specific website (using the site: operator), within URLs (inurl:) or for specific file types (filetype:), and can thus be used to find exposed databases and documents. Such search terms are widely known, and legal – the warning alerts units who may not be aware of the technique to secure databases properly.

Google dorks: Weapon of the ‘malicious’?

“In October 2013, unidentified attackers used Google dorks to find websites running vulnerable versions of a proprietary internet message board software product, according to security researchers,” the FBI warning says.

“After searching for vulnerable software identifiers, the attackers compromised 35,000 websites and were able to create new administrator accounts. ”

“For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.”

The warning refers to several online resources commonly used to automate “Google dork” queries – and offers advice on the scope of such search syntax.

Shock as web users employ ‘search’

The warning also offers a useful link to the Google Hacking Database (GHDB), a public catalogue of dork queries maintained by Exploit-DB, not by Google. Webmasters can run its queries, scoped to their own domain with site:, to check whether sensitive files are “visible” to Google dorks, then remove or protect them if they wish.

Ars Technica points out that the warning refers to “malicious cyber actors” and refers to a notorious case in which reporters were accused of “hacking” a website by using freely available information and an automated tool, GNU Wget.

However, as Ars explains, the warning is not really meant to highlight a “new” technique, i.e Google dorks, but to warn webmasters to make their websites more secure.

“This warning from the DHS and the FBI was mostly intended to give law enforcement and other organizations a sense of urgency to take a hard look at their own websites’ security,” Ars comments. “Local police departments have increasingly become the target of “hacktivists.” Recent examples include attacks on the Albuquerque Police Department’s network in March following the shooting of a homeless man and attacks on St. Louis County police networks in response to the recent events in Ferguson, Missouri.”

The warning says, “Ensure sensitive websites are not indexed in search engines. Google USPER provides webmaster tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index.”
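The warning’s remedy is to keep sensitive material out of the index. The script below is an added example, not the FBI’s, Ars Technica’s or ESET’s code: it turns a handful of dork patterns (including the “filetype:xls intext:username” example quoted in the warning) into site:-scoped queries for a self-audit, and then checks offline how a given path would fare under a robots.txt, using Google’s documented longest-match rule, and whether a noindex header would keep it out of results. The robots.txt, the response headers and the domain example.com are constructed placeholders.

```python
"""Self-audit helper for 'Google dork' exposure (added example, not the FBI's code).

Part 1: scope well-known dork patterns to your own domain so you can run them
yourself.  Part 2: an offline robots.txt matcher using Google's rule that the
longest matching path wins (Allow wins a tie), plus an exposure classifier
that shows why 'Disallow' and 'noindex' are not the same control.
The robots.txt, headers and domain below are CONSTRUCTED for the demo.
"""
import re

DORK_PATTERNS = [
    "filetype:sql",                    # database dumps
    "filetype:xls intext:username",    # the example quoted in the FBI warning
    "filetype:log",                    # application logs
    'intitle:"index of" backup',       # open directory listings
    "inurl:admin",                     # admin interfaces
]

SAMPLE_ROBOTS = """\
# constructed robots.txt for the hypothetical example.com
User-agent: *
Disallow: /backup/
Disallow: /*.sql$
Allow: /backup/public/
Disallow: /admin
"""


def self_audit_queries(domain):
    """Dork queries restricted to one domain, e.g. 'site:example.com filetype:sql'."""
    return [f"site:{domain} {pattern}" for pattern in DORK_PATTERNS]


def parse_robots(text):
    """Return (directive, path) rules from the 'User-agent: *' group only."""
    rules, in_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_group = value == "*"
        elif in_group and field in ("allow", "disallow") and value:
            rules.append((field, value))
    return rules


def _pattern_to_regex(path_pattern):
    """robots.txt paths support a '*' wildcard and a trailing '$' end anchor."""
    anchored = path_pattern.endswith("$")
    core = path_pattern[:-1] if anchored else path_pattern
    regex = "^" + ".*".join(re.escape(part) for part in core.split("*"))
    return regex + ("$" if anchored else "")


def robots_allows(rules, path):
    """Longest matching rule wins; on a tie Allow beats Disallow (Google's rule).
    No matching rule means the path is crawlable."""
    best = None   # (pattern length, is_allow)
    for directive, pattern in rules:
        if re.match(_pattern_to_regex(pattern), path):
            candidate = (len(pattern), directive == "allow")
            if best is None or candidate > best:
                best = candidate
    return True if best is None else best[1]


def exposure(rules, path, response_headers):
    """Classify how a URL can surface in search results.
    'crawlable, indexable' : dorks will find its content; remove or authenticate it
    'noindex'              : crawled but kept out of results (works only because it IS crawlable)
    'disallowed'           : content not crawled, but the URL can still be listed from
                             inbound links, and the Disallow line tells attackers where to look"""
    if not robots_allows(rules, path):
        return "disallowed"
    if "noindex" in response_headers.get("X-Robots-Tag", "").lower():
        return "noindex"
    return "crawlable, indexable"


if __name__ == "__main__":
    for query in self_audit_queries("example.com"):
        print(query)
    rules = parse_robots(SAMPLE_ROBOTS)
    for path in ("/backup/db.sql", "/backup/public/dump.sql", "/admin/login", "/reports/users.xls"):
        print(path, "->", exposure(rules, path, {}))
```

Note the quirk the matcher exposes: /backup/public/dump.sql is allowed even though /*.sql$ is disallowed, because the longer Allow rule wins. More importantly, robots.txt is advisory. A crawler that ignores it, and any attacker who simply reads it, gets a list of the paths you consider sensitive; the removal tools the warning points to only clear Google’s copy. The durable fix for a spreadsheet of usernames is to put it behind authentication or take it off the web root altogether.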

The post Google dorks – FBI warning about dangerous ‘new’ search tool appeared first on We Live Security.

Hackers reveal their secrets on Twitch, the gamers’ streaming platform


Twitch was set up in 2011 as a video streaming platform yet, unlike YouTube, it is mostly videos of games and playthroughs that are broadcast on the channel. Another distinguishing feature is that Twitch doesn’t use any copyright system to establish payments: it operates with voluntary donations to those who provide content and share their experiences with other Internet users.

With a view to complementing its offer with such content, Amazon has invested an incredible US$970 million (735 million euros) in purchasing the company. Google and Yahoo had also bid to take over the company, though in the end it was the online store that managed to take this highly-coveted asset.

This fierce competition over Twitch is not without motive. The channel already had 3.2 million active users in its first month of existence. It now has over 50 million users, each of whom spends an average of 106 minutes watching its content.

The website, founded by the American Justin Kan (also responsible for Justin.tv), was initially set up to broadcast conventional content. However, another of the site’s founders, Emmett Shear, who had a passion for computer games, decided to change focus and go for another type of content.

The platform allows users to take part in the broadcasts and form a community, one of the keys to success on the Web, especially when it comes to online gaming: the channel’s now famous ‘eSports’, are real competitions between gaming professionals.


Given its content, it’s hardly surprising that it’s mainly young people who visit the channel. Over half the users are under 25, although the average age of those taking part in competitions is somewhat higher, around 40 years old. However, all of them are keen Internet users.

So far, so good. But what happens when those who broadcast their online adventures are not just gamers, but also hackers?

George Hotz and Ricky Zhou, two renowned hackers, have started broadcasting their solutions to different challenges, in sessions which can last up to five hours. The first of these was largely aimed at overcoming certain levels of Vortex, a wargame designed for hackers. The challenges are solved live on screen by writing and running code.


In the second challenge, dubbed ‘The Great CVE Race‘ (CVE stands for Common Vulnerabilities and Exposures), the participants tried to exploit a security hole in the Firefox browser. The CVE list is maintained by MITRE, a US not-for-profit corporation, and assigns a standard identifier to each publicly disclosed vulnerability in a wide range of software products.

After selecting the security flaw, the hackers design an exploit: code or a technique that triggers the software error so that the program crashes, misbehaves or, in the worst case, runs instructions chosen by the attacker and gives them access to the system. The payload delivered that way can range from a computer virus to a set of instructions that makes the program run in a way its developers never intended.

Client-side exploits target vulnerabilities in applications that run on the user’s own machine, on any operating system, such as a web browser. The exploit is embedded in content the program has to open, such as a web page, a document or an email attachment.

When the user opens that crafted content and no security control (such as an antivirus) blocks it, the attacker can access the user’s information. This is exactly what Hotz and Zhou demonstrate in their videos: how to create an exploit for Firefox.


If hackers were to follow their instructions, they would learn how to take control of the program or change some aspects of one version of Firefox without the developer’s consent.

Although Twitch doesn’t monitor content and gives free rein to those who broadcast videos, the creation of such tools can even be illegal, as they don’t have the administrator’s authorization and they interfere with the activity of third parties. The platform may have to think about keeping a closer eye on what is published on the site.

The post Hackers reveal their secrets on Twitch, the gamers’ streaming platform appeared first on MediaCenter Panda Security.