
“Sad new!!!!!!!!!!!!!!!!!! Please Help”

The subject line is very irresistible. And the email came from a friend of mine whom I only hear from every 10 months or so, whenever she is in town. So imagine my concern when I saw the following message:

Am so sorry that i didn’t inform you about my trip. I’m writing this with tears in my eyes. I came down here to Odessa Ukraine for a short vacation unfortunately i was mugged at the park of the hotel where i stayed. all cash, credit card and cell were stolen off me but luckily for me i still have my passports with me.

I ‘ve been to the embassy and the Police here but they’re not helping issues at all and my flight leaves in less than hours from now but having problems settling the hotel bills. the hotel manager won’t let us leave until i settle the bills, I’m freaked out at the moment.

I could hear my friend’s voice in the body of the email. She is also a world traveler with a deep interest in Central and Eastern Europe, and is definitely one to pop over to Odessa for a long weekend to see the famed Potemkin Steps or visit the city as part of a larger trek around the Black Sea. The poor punctuation and strange spacing confused me. Then again, she was panicked and under intense time pressure.

In other words, I was hooked. So I replied.

The email long tail finds the weak minds

Using various communications channels to finagle money or information from someone has a long and varied history. Many of the scams rely on the promise of easy returns. The Nigerian Prince is a case in point. The scam is similar to the 19th Century Spanish Prisoner scenario, but has usually relied mainly on mail, faxes, and email as part of a multistage setup that targets people with enough money to supposedly help smuggle millions of dollars out of an African country, often Nigeria (hence the name). Those that take the bait and pay the (fake) transfer fees are promised exponential returns on their investments that never emerge. There are scores of variations on the scam. For instance, a long-lost relative leaves a person a pile of money; to get the inheritance, the person needs to pay all the legal fees. But in general, most of these scams rely on greed to hook interest.

By contrast, “stranded friend” phishing attacks take advantage of a reader’s good will. We all want to help people we know and like. I certainly do. In my case, the conmen had used malware (probably a Trojan) to hack my friend’s email account and access her contacts. The message I received was addressed to around two dozen people. It’s unclear whether the hackers created their shortlist of targets using the communications history between my friend and her contacts or their geographic locations, but it seems likely given that other scams employ similar tactics. For example, hacked mailing lists from charitable organizations allow bad guys to set up fake charities and target the people most likely to donate based on past activity.

And email is cheap and easy. By stealing or buying stolen databases, scammers can obtain access to hundreds of thousands of addresses. With a bit of segmentation, they put the odds in their favor that someone will bite on their hooks.

Failed the friendship version of the Turing Test

In my case, my fake friend replied that I should wire several thousand dollars to a Western Union in Odessa. Before agreeing, I asked her to name a mutual acquaintance who had once joined us for dinner. Of course she could not. So I then called my friend’s fixed line (in another country) and left a voicemail alerting her that her email account may have been compromised.

Now I like to believe I’m smart enough to not fall for such scams. But criminals have access to the same analytics as governments and major corporations. They’ve also been practicing their trade for decades (sometimes centuries), so they have tremendous insight into how best to influence even the strongest of minds. To stay sharp, there are several things you can do:

  1. Know what phishing is. Awareness is a huge step towards prevention. Knowing that the scammers are out there and masquerading as trusted contacts goes a long way to spotting them.
  2. Know what they’re after. Any email requests (or social media for that matter) asking for money should be immediately suspect. So too requests asking for personal data or account names and passwords.
  3. Watch for the signs. In addition to requests for money or hints that money may be needed, watch for poor spelling, bad grammar, and other oddities of speech. Check the email address itself – it may look like the supposed sender’s, but check for missing characters or additional characters added in. Pretty much all banks and most government and commercial organizations never ask for personal information, login information, or money via email; so if this information is part of the request, be very suspicious.
  4. Never click, copy, paste, or forward. For any email even remotely suspicious, do not click on anything, do not copy text and paste it into another email or document, and do not forward. To document the email (for alerting your friend or a company), the best approach is to take a screen shot.
  5. Don’t reply. Yes, I did, even though I saw the signs. But your reply tells the conmen that you pay attention to and open such emails. The bad guys will note this, and quite possibly save your email for another, more tempting scam later on.

The steps above may not be foolproof. But they can help ensure the adoption of a security mindset.

Your money or your data!

The scene unfolds like a cyber thriller. You fire up your PC and a message appears saying your files have been encrypted. Your screen looks like it’s from the FBI. Sometimes it identifies itself as malware. Sometimes it’s a plain-text message. When you click around in your PC (assuming you still can), you find that your photos and text files are indeed unavailable.

The screen also asks for money. To get the key to decrypt your files, you must pay, usually in some form of untraceable currency, such as bitcoin. In most cases, there’s a firm deadline by which payment must be made. If you miss it, the fees shoot up. At some point, your files are permanently encrypted.

Welcome to the world of ransomware.

While this form of malware can slip into devices in any number of ways, phishing is probably the most common vehicle. Basically, bad guys send innocent-looking emails that ask recipients to click on a link or download an attachment. (Phishing is also used to ask for money directly.) A tiny piece of software infects the machine and goes about encrypting files before demanding cash. Sometimes the message pops up automatically. Sometimes there’s a time delay or a switch that lets hackers turn it on when it’s convenient for them.

And sometimes attacks are big and bold. Two assaults on major hospitals in the US, for instance, used multipronged ransomware infiltration to shut down key networks and records. But experts largely agree that most attacks are on individuals. Mass emailing allows criminals to take advantage of long-tail effects and the fact that many people would rather just pay a few hundred (or thousand) dollars to have their data – which many consider their life – returned to them rather than fight back through various law enforcement channels.

Data hostage taking is on the rise

Given the efficacy of ransomware, the number of attacks is set to grow. In its annual Threat Landscape report, published in January 2016, the European Union Agency for Network and Information Security (ENISA) characterizes 2015 as “the year of ransomware”. According to the study, the number of reported incidents nearly doubled in 2015 compared to 2014, with aggressive phishing campaigns a hallmark of many attacks. Targets tended to be in North America and Western Europe, as residents are perceived to have the money to pay.

ENISA also notes that 2015 was a year of innovation in ransomware development and deployment. The number of new ransomware types quadrupled in the first half of the year alone. Criminals have set up service centers, allowing the non-technical to buy crimeware-as-a-service, further expanding the reach of ransomware. And stealthier delivery methods are still being developed.

Do I know you? Did I ask for this?

Phishing is still the most common delivery method. Which is convenient, in a way, as there are some practical steps you can take to avoid getting scammed. Probably the most important is to maintain an online “stranger danger” mindset. If an email looks even the slightest bit suspicious, don’t open it. If it’s from someone you don’t know, don’t open it. If it says you’ve won the lottery, are being watched by some security agency, asks about an order (you did not make), or promises rewards in some other way, don’t open it. (Similar phishing attacks also appear on Facebook.)

For emails you’ve opened, if they include links or attachments you weren’t expecting or didn’t ask for, don’t click or download. If you feel that you must do either, reply to the sender (if you know them), and ask if they did indeed send you something. If you do not know the sender – delete the email.

And of course, you should build a fortress around your device. This is where AVG can help. We provide antivirus, link scanners, attachment and download checkers, enhanced firewalls, spam blockers, and file encryption to help keep your photos, videos, files, contacts, and devices safer. If you haven’t done so already, give us a try on your PC or Android phone.

Top Facebook scams you need to know about

Have you seen the “Most Used Words” quiz on Facebook? Chances are you probably have – because it shockingly accumulated close to 20 million shares in just a few days. It also gained access to the personal data of over 16 million users.

With this kind of virality, it’s little wonder a 2016 report from Cisco found that Facebook scams are the most common online attack method used by cybercriminals. With 1.6 billion users, the social media site serves as a cost-effective way of spreading scams on a large scale quickly and relatively easily.

To help you stay ahead of the bad guys, we’ve assembled a list of the top types of (often overlapping) scams to look out for on Facebook:

Sensational news stories

These have clickbait headlines to tempt you into clicking without first verifying the news. The problem is that they can lead to websites with viruses, ransomware, and other forms of malicious content and advertising. But the good news is that Facebook has made a lot of progress in preventing these kinds of posts from appearing in your News Feed.

Hidden content

An extension of clickbait headlines are sites that require you to enter details before certain content will be “revealed”. For instance, before a juicy celebrity video shows or the answer to a self-assessment quiz displays, you must enter an email address or agree to terms and conditions. This is simply a sneaky way for scammers to capture your information.

Like farming

This occurs when a page is set up by scammers with the purpose of artificially accumulating likes. This is so they can use the large number of likes to distribute additional scams or sell the page on the black market for profit (pages like these are highly valuable to unethical marketers). So think twice when you see one of those adorable cat memes – the source could be a scammer who’s hoping it’ll go viral for their benefit.

Quizzes that promise a prize or gift voucher

If something sounds too good to be true, it usually is. These kinds of quizzes are designed to phish for your personal details or have you fill in surveys that the scammers get paid for you to complete! You definitely won’t win a free business class air ticket or $100 grocery voucher.

Dodgy apps

Some third-party Facebook applications require you to grant unnecessary permissions, including access to your name, profile picture, list of friends, history of posts, and the devices you use. The terms and conditions you accept could even enable a scammer to sell your data or post directly to your timeline. “See who’s viewing your profile” is a classic example of an app created specifically for this (while LinkedIn provides such functionality, Facebook currently doesn’t).

Questionable private messages

These are likely to include social engineering schemes, such as offers to work from home. They may even claim you’ve “won” a lottery; then ask for a small advanced fee so you can claim your prize. Hint: your prize will never be delivered!

So what can you do to protect yourself?

Take note of the Facebook scams we’ve mentioned above, and always:

  • Be vigilant when it comes to entering any form of personal information online
  • Don’t share clickbaiting stories, memes, or videos
  • Install apps only from trusted developers that don’t ask for a stack of unnecessary permissions
  • Watch for strange posts and pages from friends – avoid clicking on them and then let your friend know that it’s likely a scam
  • Don’t respond to messages from people you don’t know, especially when they include offers that sound too good to be true

We Want to Embrace the IoT But Can We Trust It?

We are in the midst of a rapid technology evolution. We’re only four months into 2016 and already we’ve seen two major industry shows dominated by the Internet of Things (IoT).

In January, at CES, the connected home stole the spotlight – highlights included a Family Hub fridge, a Wi-Fi water leak detector and an AR-equipped robot vacuum.

The trend continued at MWC where a smart air conditioner, 4G-enabled security camera, and smart shoes were on display. If these two major events are any indication, the horizon shows a hyper-connected future. But what are the trust issues at hand?

AVG collaborated with the organization, MEF, on its global survey to take a look at consumers’ concerns around the future of IoT. According to the MEF survey findings, people are enthusiastic about a connected future – when asked about their concerns around IoT, only 1 in 10 said there would be no tangible benefits. Yet, as the network of IoT devices grows, so too do consumers’ concerns about what this increased connectivity and data sharing means for security.

As a security company, it is our responsibility to recognize and unpack such concerns so we can use that insight to address fears and vanquish threats down the road.

The MEF study, which surveyed over 5,000 mobile users in eight markets, examined consumer perceptions about the future of a connected world. The findings are significant, and indicate tremendous worry about a world of inter-connectivity:

  • 60% said they worry about a world of connected things.
  • Privacy (62%) and security (54%) are seen as the biggest threats worldwide.
  • One third of respondents in all 8 countries don’t want to share personal information but know they must if they want to use an app (up to 41% from 33% in 2015).
  • Home security raises the most concern among connected devices and applications.

MEF’s research shows a consistent decline in consumer trust, which continues to dip as the war on privacy wages on, leaving consumers to decide what data tradeoffs are worthwhile.

If we, as an industry, don’t address these trust issues, consumers may disengage since they will no longer be willing to sacrifice their privacy for greater connectivity. Considering that 62% of consumers already name privacy as their top concern when it comes to the IoT, that tipping point is likely to arrive sooner than we expect.

In order to respond to consumer concerns and stop the erosion of trust, the industry has to act. And when we do, it is vital that we don’t let our desire to get products to this burgeoning market quickly trump the need for responsible and secure design. Security cannot become an afterthought as we innovate toward connectivity.

If we care about our consumers and about the potential and longevity of IoT, we need to make ‘security by design’ a fundamental approach, regardless of device.

Go home SSLv2, you’re DROWNing

The SSLv2 protocol had its 21st birthday last month, but it’s no cause to celebrate with an alcoholic beverage, since the protocol was already deprecated when it turned 18.

Announced today is an attack called DROWN that takes advantage of systems still using SSLv2.

Many cryptographic libraries already disable SSLv2 by default, and updates from the OpenSSL project and Red Hat today catch up.

What is DROWN?

CVE-2016-0800, also known as DROWN, stands for Decrypting RSA using Obsolete and Weakened eNcryption and is a Man-in-the-Middle (MITM) attack against servers running TLS for secure communications.

This means that if an attacker can intercept and modify network traffic between a client and the host, the attacker could impersonate the server on what is expected to be a secure connection. The attacker could then potentially eavesdrop or modify important information as it is transferred between the server and client.

Other Man-in-the-Middle attacks have included POODLE and FREAK. The famous OpenSSL Heartbleed issue from April 2014 did not need a Man-in-the-Middle and was therefore a much more severe risk.

How does it work?

The DROWN issue is technically complicated, and the ability to attack using it depends on a number of factors described in more detail in the researchers’ whitepaper. In short, the attack uses a weakness in the SSLv2 protocol as an oracle in order to help break the encryption on other TLS services that share the same RSA key. The issue is actually quite tricky to exploit by itself, but it is made easier on servers that are not up to date with OpenSSL security updates released about a year earlier. The researchers call this “Special DROWN”, as it could allow a real-time Man-in-the-Middle attack.

Red Hat has a vulnerability article in the Customer Portal which explains the technical attack and the dependencies in more detail.

How is Red Hat affected?

OpenSSL is affected by this issue. In Red Hat Enterprise Linux, the cryptographic libraries GnuTLS and NSS are not affected by this issue as they intentionally do not enable SSLv2.

Customers who are running services that have the SSLv2 protocol enabled could be affected by this issue.

Red Hat has rated this issue as having Important security severity. A successful attack would need to be able to leverage a number of conditions and require an attacker to be a Man-in-the-Middle.

Red Hat advises that SSLv2 is a protocol that should no longer be considered safe and should not be used in a modern environment. Red Hat updates for OpenSSL can be found here: https://access.redhat.com/security/cve/cve-2016-0800. The updates cause the SSLv2 protocol to be disabled by default.

Our OpenSSL updates also include several other lower priority security fixes which are each described in the Errata. Your organization should review those issues as well when assessing risk.

If you are a Red Hat Insights customer, a test has been added to identify servers affected by this issue.

What do you need to do?

If you are unsure of any details surrounding this issue in your environment, you should apply the update and restart services as appropriate. For detailed technical information please see the Red Hat vulnerability article.
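As an added check for confirming the result on servers you administer (example code written for this post, not Red Hat’s or OpenSSL’s own tooling): the script below sends a raw SSLv2 ClientHello and reports whether the server answers with an SSLv2 ServerHello, so it works even where the local OpenSSL build no longer supports `s_client -ssl2`. The host and port are supplied by the caller; the cipher specs offered are those listed in the SSL 2.0 specification.

```python
"""Probe whether a server still accepts SSLv2 (the protocol DROWN relies on)."""
import os
import socket
import struct

SSLV2_VERSION = b"\x00\x02"
# Cipher specs from the SSL 2.0 spec (3 bytes each).
CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

def build_client_hello(challenge=None):
    """Return one SSLv2 record carrying a ClientHello (message type 1)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(CIPHER_SPECS)
    # Version, then lengths of cipher specs, session id (none) and challenge.
    body = (b"\x01" + SSLV2_VERSION
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # Two-byte record header: high bit set, 15-bit body length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body

def record_length(data):
    """Body length from a 2-byte SSLv2 header, or None if it is not one."""
    return ((data[0] & 0x7F) << 8) | data[1] if len(data) >= 2 and data[0] & 0x80 else None

def parse_server_hello(data):
    """Cipher specs from an SSLv2 ServerHello (type 4); None for anything else."""
    length = record_length(data)
    body = data[2:2 + length] if length else b""
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != SSLV2_VERSION:
        return None
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [specs[i:i + 3] for i in range(0, len(specs), 3)]

def probe(host, port=443, timeout=5.0):
    """Send the ClientHello; return accepted specs, or None if SSLv2 is off."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # connection closed: SSLv2 rejected
                    break
                reply += chunk
                length = record_length(reply)  # None also for a TLS alert
                if len(reply) >= 2 and (length is None or len(reply) >= 2 + length):
                    break
        except socket.timeout:
            pass
    return parse_server_hello(reply)
```

A non-empty list from `probe()` means the server negotiated SSLv2 and still needs the update; `None` (a closed connection or a TLS alert) means SSLv2 is refused.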

Security protocols don’t turn 21 every day, so let’s turn off SSLv2, raise a glass, and DROWN one’s sorrows. Cheers!