Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.
Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.
Already using Google+? Find us on Google+ for the latest security news.
Facebook quietly introduced new functionality onto its site last week that could have some worried about their online privacy.
The social network is rolling out the ability to see if and when someone has seen a post on a Facebook group.
For now you can still snoop on the profiles and pictures of your ex-partners (their privacy settings permitting) to keep a track - without them knowing - of how miserable their life has become since they split up with you.
But if you are in the same Facebook group (perhaps related to a school, club or joint interest), you can see both whether someone has seen a particular post and at what time they saw it.
So, although you can configure Facebook to not tell your online friends when you are online (effectively hiding from their instant messaging chats, and maintaining a pretence that you have a social life rather than being plugged into the internet constantly) they can still keep some track on what you are up to, and when, on Facebook.
I don't want to come across as a complete privacy zealot here. I can understand that there are justifiable explanations of why knowing if someone has read a group announcement could be very useful... but is there anyone else who agrees that Facebook just became a little less private?
Similar functionality already exists in the Facebook Messenger app, telling you if and when your contacts have read a message.
One wonders if this is a slippery slope, and whether Facebook will consider introducing the (desired by many, and dreaded by the privacy conscious and anonymous snoopers) ability to tell who has been checking out your Facebook profile?
When TechCrunch asked Facebook if the "Seen by" functionality would be ported over to the news feed, the site said it was "not going to discuss what we might (or might not) do in the future."
Hmm.
In the meantime, I've been unable to find any way to prevent Facebook from sharing whether I have read a group post, or from telling Messenger users that I have seen their message. I would, at least, have liked the option.
Once again, Facebook has become a little less private.
If you want to learn more about privacy and security threats on the social network and elsewhere on the internet, join the Naked Security from Sophos Facebook page.
A Russian hacker calling himself ZonD80 has stirred a whirlwind of controversy by creating a website you can use to make fraudulent in-app purchases on your iPad or your iPhone.
An in-app purchase is a way for developers to make money beyond merely charging for their apps, and it's a popular - and user-friendly - way of offering chargeable content.
If you've come up with a complex game, for example, you don't need to charge full whack up front and hope that people will be willing to buy it before they've had a chance to see if they like it.
You can sell the game itself for a modest fee, or give it away for free, and then sell new levels and extensions from inside the game itself.
ZonD80 has cheekily named his site the in-appstore. His scheme exploits a cryptographic weakness in the protocol used by Apple for processing in-app payments.
The in-appstore tricks an app into conducting what it thinks is a purchase from Apple, but is, in fact, a transaction with ZonD80's site. The bogus App Store then returns a bogus "purchase receipt" that the app accepts as genuine.
The good news - at least for law-abiding, bootleg-copy-eschewing users - is that you can't stumble into lawless transactions on the in-appstore by mistake.
You need to reconfigure your iDevice so that it avoids the real App Store, and so that it trusts the imposter site. This involves:
- loading and trusting a fake CA (certificate authority) SSL certificate,
- loading a fake SSL certificate signed by the fake trusted authority,
- changing your DNS settings so you'll be redirected to the fake App Store.
(You read that last bit correctly: for this to work, you need to undertake voluntarily the sort of device reconfiguration that the DNS Changer malware wreaked surreptitiously to bring you under criminal control.)
Once you've made your crooked purchase, you reverse the changes so your iDevice performs normally once again.
We've written and spoken before about the importance to iOS developers of validating Apple's so-called App Store Receipts.
Early reports on ZonD80's exploit suggested that strict receipt checking - in particular, validating receipts with your own server, not just with Apple's - would give programmers a sure-fire way to protect their in-app purchases.
But although self-checking your app's receipts seems to protect your revenue for now, further digging suggests that it isn't a permanent fix.
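As an added illustration of the server-side receipt check described above (not Apple's code, and nothing from ZonD80's site or this article), here is the shape of the validation a developer's own server would perform. It assumes the app forwards the receipt to your server, which submits it to Apple over a connection the handset cannot redirect, and that the verification response is a dict with the field names used below ('status', 'receipt.bid', 'receipt.product_id', 'receipt.transaction_id', 'receipt.purchase_date_ms'); those names, the bundle and product ids, and the responses themselves are constructed for the example.

```python
"""Added example: server-side checks on an App Store receipt verification
response. Not Apple's code or the article's; the response dicts are constructed
and their field names ('status', 'receipt.bid', 'receipt.product_id',
'receipt.transaction_id', 'receipt.purchase_date_ms') are assumptions."""

EXPECTED_BUNDLE_ID = "com.example.mygame"            # hypothetical bundle id
KNOWN_PRODUCTS = {"com.example.mygame.level_pack_1"}  # hypothetical IAP ids
MAX_FUTURE_SKEW_MS = 5 * 60 * 1000                    # tolerate 5 min clock skew


class TransactionLedger:
    """Transaction ids already credited. A genuine receipt presented twice is
    still fraud, so every credited id is remembered."""

    def __init__(self):
        self._credited = set()

    def already_credited(self, transaction_id):
        return transaction_id in self._credited

    def credit(self, transaction_id):
        self._credited.add(transaction_id)


def validate_receipt(response, requested_product, ledger, now_ms):
    """Decide whether to unlock `requested_product` for this receipt.

    `response` is what YOUR server got back from Apple. Because the server,
    not the device, talks to Apple, a user who has pointed their iDevice at a
    fake App Store (fake CA, fake cert, altered DNS) cannot substitute the
    answer. Returns (ok, reason)."""
    if response.get("status") != 0:
        return False, "verification status %r" % response.get("status")
    receipt = response.get("receipt") or {}

    # A genuine receipt for someone else's app (or for a cheaper product in
    # your own app) must not unlock content here.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "receipt issued for a different app"
    product = receipt.get("product_id")
    if product not in KNOWN_PRODUCTS or product != requested_product:
        return False, "product id does not match the purchase being claimed"

    transaction_id = receipt.get("transaction_id")
    if not transaction_id:
        return False, "missing transaction id"
    if ledger.already_credited(transaction_id):
        return False, "transaction already credited (replay)"

    purchase_ms = receipt.get("purchase_date_ms")
    if not isinstance(purchase_ms, int) or purchase_ms > now_ms + MAX_FUTURE_SKEW_MS:
        return False, "implausible purchase timestamp"

    ledger.credit(transaction_id)
    return True, "ok"


# Constructed verification responses for the example run.
GENUINE = {"status": 0, "receipt": {"bid": "com.example.mygame",
           "product_id": "com.example.mygame.level_pack_1",
           "transaction_id": "1000000012345678",
           "purchase_date_ms": 1341900000000}}
OTHER_APP = {"status": 0, "receipt": dict(GENUINE["receipt"], bid="com.example.other",
             transaction_id="1000000087654321")}
NOW_MS = 1341900600000  # constructed "current time", 10 min after the purchase


def demo():
    """Run three scenarios against a fresh ledger; returns (ok, reason) per run."""
    ledger = TransactionLedger()
    product = "com.example.mygame.level_pack_1"
    return [validate_receipt(GENUINE, product, ledger, NOW_MS),    # credited
            validate_receipt(GENUINE, product, ledger, NOW_MS),    # replay
            validate_receipt(OTHER_APP, product, ledger, NOW_MS)]  # wrong app


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK    " if ok else "REJECT", reason)
```

The bundle-id and product-id comparisons are the part most often skipped: a receipt that Apple confirms as genuine is still worthless to you if it was issued for another app or another product, and the replay ledger stops one real purchase from being cashed in repeatedly.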
ZonD80 has even published a helpful diagram implying that a future enhancement to the in-appstore will let you defraud even those developers who operate their own validation servers.
This is a pretty big blow to Apple - especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.
Indeed, although the fruity company is normally silent on security matters until it has actually published a fix, it has already commented publicly on this issue. As Apple-centric news site The Loop reports:
"The security of the App Store is incredibly important to us and the developer community," Apple representative Natalie Harrison, told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."
That may not be much of a response, but - as John Milton famously and poetically observed on going blind - they also serve who only stand and wait.
When it comes to actually fixing the problem, however, it looks as though Apple will need a better cryptographic protocol, and as though developers will need to adapt their applications accordingly. If that's the case, let's hope that App Store approval for any needed code updates will be quick and easy to obtain.
By the way, reports suggest that tens of thousands of dishonest "purchases" have already been made through the in-appstore.
May I suggest that you control any urge you might have to join in?
(Especially if your excuse is of the they-can-afford-it-why-should-I-make-them-even-richer sort. If you really are that strongly opposed to commercial content, you should avoid it altogether and actively support those who offer their stuff for free instead.)
The Seattle Times has reported on the final nail in the coffin of a Pacific North West hacking trio, with the third and final member of the group being sentenced by the court.
The three men, Joshuah Allen Witt, 35, John Earl Griffin, 36, and Brad Eugene Lowe, 39, have all now been given stiff prison terms. Lowe picked up the lightest sentence, with six-and-a-half years, whilst Witt and Griffin were sent down for nearly eight years each.
They attacked companies both externally - by wardriving and looking for poorly-protected corporate WiFi connections - and internally - by breaking in and installing keyloggers on company computers. (It's much easier to infect a PC if you do it deliberately!)
There are two lessons to be learned here.
The first lesson is to make sure you get your WiFi security right - at work and at home. We've written up some simple guidelines before to help you do the right thing.
To summarise, here are three things which do not provide WiFi security. Two of them provide a touch of safety against inadvertent connections, but none of these protect you against wardrivers:
WEP encryption. The security system in WEP (Wired Equivalent Privacy) is flawed and can easily and automatically be cracked. A wardriver will bypass WEP in 60 seconds - and that includes the time taken to park outside your office and boot up his laptop. Use WPA instead.
MAC address filtering. MAC (Media Access Control) addresses aren't secret. WiFi networks broadcast the MAC addresses of all currently-connected devices, so a wardriver already has a list of addresses he can use.
SSID hiding. The SSID (Service Set Identifier) is your network name. Hiding it merely means your network doesn't openly advertise itself for use. But it isn't a secret - the SSID appears in other network traffic anyway, so the wardriver knows what it is.
The second lesson is to be doubly vigilant after a physical break-in. Don't just look for what's missing, but what might have been left behind.
(That's the same sort of lesson as we should all learn from the recent DNS Changer excitement.)
Cybercrooks who have physical access to your network can install malware on your computers, connect hardware keylogging devices to your keyboards, and even stash rogue wireless access points behind the furniture.
Just what the crooks were after in this case is clear: money.
They're said to have netted $3 million, raiding company bank accounts and even, it seems, modifying database records to steal directly from the payroll.
The crooks will now have years to regret their actions. Sadly, so too will the companies whose finances were plundered.
The images of imprisoned hands, the little red "X for Noooo!", and the stylised WiFi antenna on the main page are courtesy of Shutterstock.
It used to be easy. Everyone had a desktop on a fixed IP range and your perimeter firewall had half a dozen carefully-managed holes. A simple ACL of "ALLOW 10.0.0.0/8", or equivalent, was a fairly robust access control.
A decade or two later and it’s a very different picture. Clients move around non-stop and expect constant access when they are on the road. The tenuous link between a user and a "trusted IP" has been completely severed.
The perimeter, traditionally demarcated by a corporate firewall, probably doesn’t even encompass half the servers you care about. Given their fuzzy, soft and shifting edges, the cloud analogy is particularly apt.
Even the traditional model incurs serious risk. If your organisation still only has desktops, always sitting behind a network firewall, you're still vulnerable to attack. Unfortunately, attackers long ago started focusing on the few holes that they know you have to allow, web and email particularly.
Web and mail filters are crucial, of course, but defence in depth is required. All it takes is a single successful drive-by download or malicious mail attachment and an attacker has full control over a machine inside your perimeter. Your network firewall, focused on blocking attacks from the outside world, won't offer much help.
Those in charge of security in large organisations have been fretting about this for years, but the trend is accelerating and all organisations need to take a strategic approach to combatting the risks.
The first step is to stop trusting your client devices. All of them. This can be quite liberating as it’s a great opportunity to focus on what is really important to your organisation and ensure security resource is focused appropriately.
Adopting an untrusted approach doesn’t mean you shouldn’t try to protect your clients. It just means considering what to do if the protection fails.
Damage-control is an important first consideration. If a client has full access to all your servers, and those servers are not well-hardened, then any potential problem is going to spread rapidly.
Defending your servers means isolating them from your clients. The perimeter firewall is no longer enough. Minimising the attack surface between your clients and servers limits the risk of a server compromise via an insecure management port, for example. Likewise, if all your clients access applications through a web interface, exposing the database server directly creates more unnecessary exposure.
Server-side endpoint security is also crucial. Simply isolating them from the internet is not sufficient – they should be able to withstand attacks from the inside. The good news is that it can actually be easier than client-side endpoint security.
Servers tend to perform a less diverse range of tasks, so it's easier to define and lock down behaviour. They're rarely used for web browsing, for example, and they're not subject to frequent software installation, which can cause problems with heuristic anti-virus detections. Chances are you'll also have more success tuning an IDS.
Internal controls and segmentation generally buy you time and, as a consequence, visibility is an important consideration. Spotting malicious activity before it compromises valuable resources will allow you to operationally react to problems.
Returning to previous examples: how easily would you spot a server attempting to access an external website? Would your firewall spot and log a client port scanning your network for open database ports? Log and security event management tools to make sense of all the data can really help.
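The two questions above are answerable from the firewall's own logs, provided denies are logged as well as allows. The following added example (not the article's code or any vendor's product) runs three checks over a handful of constructed log lines: a server initiating a connection to the internet, a client reaching a server on anything other than the published application port, and one client touching many ports on one host. The subnet ranges, the log format and the log lines are all assumptions made for the illustration.

```python
"""Added example: spotting segmentation violations in firewall logs.
Not the article's or any vendor's code; the segment ranges, log format and
log lines are constructed for this illustration."""
import ipaddress
from collections import Counter, defaultdict

CLIENTS = ipaddress.ip_network("10.1.0.0/16")    # assumed client subnet
SERVERS = ipaddress.ip_network("10.2.0.0/16")    # assumed server subnet
CLIENT_TO_SERVER_PORTS = {443}                    # clients only use the web tier
SCAN_THRESHOLD = 5                                # distinct ports on one host

# Constructed log lines: "<timestamp> <ALLOW|DENY> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
2012-07-10T09:12:03 ALLOW 10.1.3.7:51234 -> 10.2.1.10:443
2012-07-10T09:12:05 DENY 10.1.3.7:51235 -> 10.2.5.10:3306
2012-07-10T09:13:40 ALLOW 10.2.1.10:44022 -> 203.0.113.5:80
2012-07-10T09:15:01 DENY 10.1.9.2:40001 -> 10.2.5.10:1433
2012-07-10T09:15:01 DENY 10.1.9.2:40002 -> 10.2.5.10:3306
2012-07-10T09:15:02 DENY 10.1.9.2:40003 -> 10.2.5.10:5432
2012-07-10T09:15:02 DENY 10.1.9.2:40004 -> 10.2.5.10:1521
2012-07-10T09:15:03 DENY 10.1.9.2:40005 -> 10.2.5.10:27017
""".splitlines()


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, action, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}


def is_internal(ip):
    return ip in CLIENTS or ip in SERVERS


def analyse(lines):
    """Return a list of (finding, src, dst, detail) tuples."""
    findings = []
    ports_per_pair = defaultdict(set)
    for rec in map(parse_line, lines):
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # A server should not be initiating connections to the internet.
        if src in SERVERS and not is_internal(dst):
            findings.append(("server-egress", str(src), str(dst), dport))
        # Clients may only talk to servers on the published application port.
        if src in CLIENTS and dst in SERVERS and dport not in CLIENT_TO_SERVER_PORTS:
            findings.append(("client-to-server-port", str(src), str(dst), dport))
        if src in CLIENTS:
            ports_per_pair[(src, dst)].add(dport)
    # Many distinct ports from one client to one host looks like a scan,
    # whether or not the firewall let the packets through.
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(("port-scan", str(src), str(dst), len(ports)))
    return findings


def summarise(lines):
    """Count findings by type, e.g. {'server-egress': 1, ...}."""
    return dict(Counter(f[0] for f in analyse(lines)))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On the sample log this reports one server-egress event, six client-to-server-port violations (one stray database connection plus the five probes) and one port scan. The scan check deliberately counts denied connections too: a firewall that blocks the probes but never logs them gives you no visibility at all.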
Authentication and authorisation also need to be taken into consideration. "Coming from a known IP address" or "on the corporate LAN" is still a useful authentication factor but should certainly not be relied upon. Although challenging to achieve, a nuanced approach to trusting authentication claims is required.
Device type is one factor to consider. Separate VPNs and wireless networks for managed and unmanaged devices will allow you to tailor application access based on device trust. VPNs, proxies and applications themselves can do something similar for user authentication. Requiring an additional certificate or token when accessing sensitive applications, data or functionality is a sensible strategy.
Shifting from a binary in-or-out trust model requires some fundamental network architecture changes. It's a strategy, not a task, but it's a necessary one which could really help enable your users. If you know your critical assets have good, multi-layered protections, safely allowing access to them from a diverse range of devices and locations becomes much easier.
Many Facebook users were assaulted by the following message earlier today, seemingly shared by their online friends:
[SHOCK] At 17, she did THIS in public high school, EVERY day! Outrageous? [LINK]
Is it normal to let her do that? In PUBLIC and such!
The image of a young woman's bottom in tight-fitting jeans might or might not (depending on your taste) entice you into clicking further - and if you did succumb you would have found your browser taken to a third-party webpage which pretends it is about to show you a video.
However, the "play" button on the video hides a secret "Like" button, which means that you share the link even further across your social network by clickjacking - helping the scammers spread their link virally.
The purpose of scams such as these is typically to lead you to online surveys (which earn the scammers affiliate commission) or to trick you into handing over personal information such as your cellphone number, which will then be subscribed to a premium rate service.
One day the scammers will be using links purporting to be videos of giant snakes eating zookeepers, the next it might be a sex video of an Asian film star.
The disguises may change, but the trick is the same. Keeping your wits about you is your first defence.
You should always be careful about what you click on on Facebook - as you could be carelessly sharing a scammer's link with your online friends.
If you're a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 190,000 people regularly discuss the latest attacks.
The plot of the Android malware story thickens. SophosLabs has discovered the latest way to monetize mobile malware, using it as a spam botnet.
Historically mobile malware has made money from capturing SMS messages used for online banking authentication and sending premium-rate SMS messages to collect the subscription fees.
The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and DKIM signatures.
The first samples we analyzed were text only, but some other samples also contain images. An example pharmacy spam reads:
Incredible National Rx Store Now offering medications for Weight Loss, Diabetics, Pain Reduction!!! Reduced Prescription's Viagra+Cialis Super Active, Alprazolam, Vicodin etc... Pick Up You're Meds for 75% Off Today
Sent from Yahoo! Mail on Android
Some of the image spams not only have a graphic, but an animated one!
You can imagine the cellular phone bill you might receive if your phone is being used to download and spam out thousands of these messages.
Even if you thought you were going to buy some counterfeit Viagra from criminals because you are too embarrassed to see your physician, it is still a classic bait and switch. The URL leads to a knock-off "herbal Viagra" that performs miracles with no side effects.
It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.
The widespread nature of source devices is unusual as most Android malware is not downloaded from Google Play, but localized "off market" download sites.
Android users should exercise caution when downloading applications for their devices and definitely avoid downloading pirated programs from unofficial sources. Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems.
Considering the risks, why not give Sophos Mobile Security for Android a try? It's free and also allows you to track your device if it is lost or stolen. You can find it on Google Play.
Update: It is important to note that we do not have the malware, so it is not confirmed that it originates from Android devices. For more information read our follow up with all of the details.
Special thanks to Savio Lau at SophosLabs Vancouver for spotting this spam and performing the research necessary for this post.
In this post I want to highlight one of the script injections we have been tracking for the past month or so, which is being used to redirect web traffic to exploit sites (running the Blackhole exploit kit). Two factors make this particular script injection worthy of discussion, namely:
- large scale attacks. Many legitimate sites have been hit in these attacks.
- JavaScript generates a random string which is used within the target domain name.
We first saw this redirect script at the start of June. Sophos products block infected pages as Mal/Iframe-AF, and since early June the prevalence of this threat has risen to the top of our web threat stats (accounting for 30-50% of all web threat detections).
The injected script is obfuscated, as we expect nowadays, and will typically be seen appended to legitimate JavaScript libraries within sites. An excellent write-up here suggests that a vulnerability in Plesk (server admin software) was used to gain access to sites and add the malicious code.
Deobfuscating the malicious JavaScript is trivial and lets us see the true payload, an iframe redirect. However, this attack is made slightly more interesting by the use of a simple date-based algorithm to generate a random string that is used in the target domain name.
The script generates a random string based on the current date, changing the string every 12 hours. It is a pretty simplistic approach.
This is not the first time we have seen this tactic in malicious JavaScript redirects - Sinowal did something similar back in 2009. Of course, once they have their hands on the code, it is easy for the good guys to generate all the possible domain names and get them blacklisted. Sinowal responded to this by including unpredictable data in its algorithm - using content pulled from a live Twitter feed.
No such elegance here I am afraid. The best we have seen are some later variants of the code which prepend a string for a "random" colour.
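The reason a purely date-driven string is weak is that a defender can run the same algorithm forward. The following added example is not the Runforestrun script's algorithm (the article does not reproduce it, and it is not Sophos's code); it is a constructed stand-in with the one property the text describes, a string that changes every 12 hours, plus the colour-prefix variant mentioned above. It shows how the full set of strings for any period can be enumerated in advance so the matching hostnames can be blacklisted. The epoch, the linear congruential generator and the colour list are assumptions.

```python
"""Added example: a toy date-seeded string generator and the defender's
enumeration of it. NOT the Runforestrun script's algorithm (the article does
not reproduce it); a constructed stand-in with the same property, a string
that rotates every 12 hours, so the blocklisting idea can be shown."""
from datetime import datetime, timedelta
import string

EPOCH = datetime(2012, 1, 1)                 # constructed reference point
BUCKET_SECONDS = 12 * 60 * 60                # the string rotates every 12 hours
LABEL_LEN = 8
COLOURS = ["red", "green", "blue", "black"]  # constructed prefixes for the colour variant


def bucket(dt):
    """Index of the 12-hour window containing dt (two per calendar day)."""
    return int((dt - EPOCH).total_seconds() // BUCKET_SECONDS)


def label_for(dt, colour_prefix=False):
    """Deterministic lowercase label for the window containing dt.
    Only the window index feeds the generator, so every request made within
    the same 12 hours produces the same label."""
    seed = bucket(dt)
    x = seed
    chars = []
    for _ in range(LABEL_LEN):
        x = (1103515245 * x + 12345) % 2**31        # plain LCG, seeded by window
        chars.append(string.ascii_lowercase[(x >> 16) % 26])
    label = "".join(chars)
    if colour_prefix:
        label = COLOURS[seed % len(COLOURS)] + label
    return label


def enumerate_labels(start, days, colour_prefix=False):
    """Every label the generator will produce from `start` for `days` days.
    Because nothing but the date feeds the algorithm, a defender can produce
    this list ahead of time and blocklist the corresponding hostnames."""
    windows = [start + timedelta(seconds=i * BUCKET_SECONDS) for i in range(days * 2)]
    return [(when, label_for(when, colour_prefix)) for when in windows]


if __name__ == "__main__":
    for when, label in enumerate_labels(datetime(2012, 6, 10), 3):
        print(when.isoformat(), label)
```

Start the enumeration at midnight so the generated windows line up with the generator's own 12-hour boundaries. The colour prefix adds nothing a defender cannot also precompute, which is the point the paragraph above makes about the later variants; Sinowal's trick of mixing in live Twitter content is what breaks this kind of pre-generation.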
The iframe that the script adds to the page is intended to point the browser to a TDS server the attackers control. One of the strings used in some of the iframe URLs is responsible for the 'Runforestrun' nickname that has been attached to this attack. *
Later variants of the script use different strings, and they have started to use dynamic DNS services for the referenced target sites (a favourite trick we have seen Blackhole use aggressively).
The traffic will be bounced (via an HTTP 302) from the TDS to the exploit site (normally via a second TDS). To date the exploit site has typically been running Blackhole, where the usual array of Java, Flash and PDF exploits is used in order to infect the user.
The final payload users are infected with varies - we have seen these payloads ranging from backdoor Trojans and Zbot to ransomware.
Aside from the Mal/Iframe-AF detection of the initial script redirect, Sophos products block the rest of the components involved in the driveby download chain as follows:
- blacklisting of the TDS servers
- blacklisting of the exploit sites
- detection of the landing page and the PDF, Java and Flash components used by Blackhole
The final word on this should probably be some advice for site admins whose sites have been hit by this attack. As noted in the excellent blog I linked above, it is believed that a Plesk vulnerability was used to gain access to sites. So admins should ensure they update Plesk, and change ALL associated passwords.
* This is a reference to the "Run Forrest, Run!" line from the film Forrest Gump (spelling has never been the focus of malware authors).
Black hole in space image, courtesy of Shutterstock.
When our friends at Kaspersky reported yesterday that they had found a malicious app in both the Android and iOS app stores, it was hardly a surprise that it made the headlines.
Although there have been plenty of reports of Android malware, attacks targeted towards iPhone and iPad users are much much rarer.
Indeed, the most significant incidents we have seen of iOS attacks (the Ikee and Duh worms) only affected poorly-secured jailbroken iPhones.
Clearly Apple's "rigorous" screening of apps before they're allowed in the App Store wasn't quite rigorous enough in the case of the "Find and Call" app, as it was able to slip through the net.
It's good to hear that Apple has now removed the app, so it is no longer available.
But I'm not sure I 100% agree with Kaspersky that it is malware.
It would probably be more accurate to say that the "Find and Call" app is "spammy" - as it leaks data all over the place in plain text via http (which means, of course, that the data could be intercepted and sniffed by someone wanting to snoop on you).
Once the contact details are uploaded from the affected smartphone there is some server-side code that sends each contact an SMS message with a link to the download location of the app.
In this way the app promotes itself to all of your contacts.
That's pretty ugly behaviour, as the user is given no prior warning or explanation.
My guess is that the developers realised the value of collecting a lot of data (and they're in good company, after all. Let's not forget that data is Google's and Facebook's highest valued resource) and they thought of a perfect way to collect it.
And it's not as though "Find and Call" is a new company - its website has been around for some time.
Perhaps they imagined that their data-collection technique was acceptable and legitimate. In some ways, the "Find and Call" app feels similar to the spammers who don't believe that sending spam is a bad thing as it's "just direct marketing after all".
Indeed, maybe the app's developers share some similar opinions to the likes of Mark Zuckerberg, and believe that users don't really care that much about privacy.
When I analysed the app's code I found a number of clues which made me think that this wasn't the typical smartphone malware:
1. The apps have been created both for iPhone and Android phones, with identical names. If this was a truly malicious app, why use the same name? As soon as one rogue app is discovered on one store, folks are bound to spot its cousin in the other.
2. The apps are not skeleton apps; they actually contain quite a lot of functionality (which makes them somewhat more complicated to analyse). If the apps were purely intended for malicious purposes, there would seem little point creating the additional functionality. This wasn't a quick "snatch and grab".
3. Websites with the domain findandcall.com have been set up and, although they appear a bit spammy, they are not malicious.
Nevertheless, the headlines mean that every anti-virus product will want to reassure customers that these apps are being properly detected - regardless of arguments as to whether they are truly malware or not.
Sophos has accordingly added detection of the Android variant as Andr/FndNCll-A and the iOS version as iPh/FndNCll-A.
Apple and Google have removed the "Find and Call" application from their respective app stores. Obviously it would have been even better if the app's lax respect for users' privacy had been spotted in the first place, and the apps had never been allowed into those online stores.
Small businesses might think they are little enough to escape cybercrooks' attention, but they're increasingly wrong.
Case in point: thieves in May took a mere few hours to vacuum $1.2 million out of the bank account of a mannequin maker and importer, according to the Wall Street Journal.
The cybercrooks used online transactions to fraudulently transfer the money from the bank account of Lifestyle Forms & Displays Inc., a 100-employee company in Brooklyn, NY.
The mannequin maker's problems started when the head of finance couldn't get a routine online payment to a foreign vendor to go through.
Repeated attempts to log into the company's banking site with a secure ID token password only resulted in error messages.
The bank said it wasn't a problem on its end. The three-person IT team at Lifestyle Forms & Displays suspected a virus, even though the anti-virus software was up to date.
By the next morning, after IT had cleaned up the computers, they discovered that the thieves had wired the $1.2 million through nine transactions of about $150,000 each to three major U.S. banks and one Chinese bank, the WSJ reports.
CEO Lloyd Keilson tried to claw that money back.
He was partly successful: within five days, the company's bank, New York-based Signature Bank, managed to recover nearly $800,000 from two recipients of the stolen funds: Wells Fargo and J.P. Morgan Chase.
Keilson didn't have such luck with Bank of America and Agricultural Bank of China, the latter of which the WSJ couldn't even manage to reach for comment.
So Keilson set out to make a nuisance of himself: a productive strategy, it turns out.
He pulled the strings of his network. That got him in touch with the secretary to the CEO of one of the US banks.
Using such tactics, he regained a total of about $1.04 million of the stolen money within 15 days of the robbery.
Keilson told the WSJ that he's now trying to figure out if his company's bank is legally responsible for making up the balance of the funds, which are now unaccounted for.
Signature Bank has denied that the security vulnerability was on its part, however.
If the bank is truly without blame, Mr Keilson can likely kiss those funds goodbye, barring the FBI and/or New York Police's success in tracking them down.
George Tubin, a senior security strategist for Trusteer Inc., a provider of cybercrime prevention technology, told the WSJ that courts don't often hold banks liable in cybercrime cases that involve security breaches of their customers' computers:
It comes down to what type of security a bank has in place to detect fraud and what the small business did for the hackers to be able to access its accounts. … As long as the bank provides commercially reasonable security, then the bank's not liable.
The WSJ reports that the theft is indicative of a growing trend wherein criminals are increasingly targeting small businesses.
That trend can be seen in figures from Verizon Communications, which found that about 72% of 855 data breaches analyzed in its 2012 Data Breach Investigations Report [PDF] were at companies with 100 or fewer employees, up from 63% of 761 data breaches analyzed in 2010.
Since the theft, Keilson has instituted a few important safeguards to protect Lifestyle Forms & Displays: 1) no more outbound bank transactions without verbal clearance from an authorized company executive, and 2) a $1 million insurance policy that costs $13,000 a year and will cover losses from cyber fraud.
Good moves. Not many businesses, small or large, have realized what a good deal cybercrime damage insurance currently is.
At the SOURCE:Boston security conference in the spring, Jake Kouns, director of cyber security and technology risks underwriting for Markel Corporation, noted that most companies assume their general liability or professional liability insurance will cover them in the case of cyber attack.
They, most likely, don't.
Sony, for one, found that out following its huge PlayStation Network breach.
Sony's insurer, Zurich American Insurance Co., contested any obligation to cover costs related to lawsuits filed over the breach, arguing that its policy only covered claims for bodily injury, property damage, or personal and advertising injury.
So, is $13,000 a lot for an insurance policy?
Think of the potential costs of a data breach:
Lawsuits, including fines and penalties
Transmission of malicious code to other networks
Loss of the use of your network
Cost to notify affected individuals
Credit monitoring for customers
Identity restoration services
Security consultants
Legal notices
Restoration of system and data
Extra expenses to remain functional, including new hardware and/or services
Payment of extortion demands
Lost time, lost monies, lost business
Liability from defamatory content maliciously posted on your site, intensified by the search potential of the internet
That list is just for starters.
Is $13,000/year a lot to cover such costs?
Mr Keilson evidently thinks not. Perhaps other small businesses - and large ones too, for that matter - should follow his lead.
Follow @LisaVaas
Cyber criminal photo and cartoon courtesy of Shutterstock.
Lloyd Keilson image: Sarah E. Needleman/The Wall Street Journal.
A widespread malware attack has been spammed out, posing as incriminating photos of the recipient which could get them in trouble with their partner.
The emails, which have the subject line "You pig!", are designed to infect Windows users and carry a malware attachment posing as a digital photograph.
Subject: You pig!
Message body: You should be stoping ignoring me or i will send this photos to your spouse!!!
Attached file: DCIM.zip
The emails can claim to come from a variety of different places, including LinkedIn, UPS and Hotmail.
Although the malware-laden emails are poorly spelt, it wouldn't be a surprise at all to hear that many people were tricked by the aggressive tone into opening the attachment. Unfortunately, the contents of the ZIP file are designed to infect Windows computers with a Trojan horse.
The subject line "You pig!" is certainly enough to make many people stop in their tracks, and wonder what has just arrived in their inbox.
It strikes me that even those who rightly suspect the email is spam, might be bemused enough (considering the main ingredient of what Hormel Foods nearly called flappertanknibbles) to open the messages and explore further.
Sophos detects the malware inside the ZIP files as Troj/Agent-WXL and the ZIP files themselves as Troj/BredoZp-KP. If you are a user of a product from other vendors check that your software is up-to-date and intercepting the malware.
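A mail gateway does not have to recognise this particular Trojan by name to stop the campaign: an archive that claims to hold photos but contains a Windows executable is reason enough to block. The script below is an added example, not Sophos code or a Sophos detection. It builds a constructed lookalike of the "You pig!" message (the sender address, ZIP members and their contents are made up for the demonstration), then inspects every ZIP attachment for members with an executable extension, double extensions included, or with a PE/DOS "MZ" header hiding under a photo-like name.

```python
"""Triage a mail message for executables hidden inside an attached ZIP.

Added example, not Sophos code. The message built by build_sample_message()
is constructed for the demonstration: the sender address, ZIP member names
and their bytes are not from a real capture.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from typing import List, Tuple

# Extensions Windows will execute directly; a double extension such as
# "IMG_0001.jpg.exe" still ends in one of these.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MZ = b"MZ"  # DOS/PE executable signature


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every risky member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(EXEC_EXTS):
                findings.append((name, "executable extension"))
                continue
            # Read only the first two bytes: a "photo" that starts with MZ
            # is an executable whatever its name says.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ:
                findings.append((name, "PE header under non-executable name"))
    return findings


def triage_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Walk every ZIP attachment and return (attachment, member, reason)."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        try:
            for member, reason in suspicious_members(payload):
                results.append((filename, member, reason))
        except zipfile.BadZipFile:
            results.append((filename, "", "not a valid ZIP archive"))
    return results


def build_sample_message() -> bytes:
    """Constructed lookalike of the campaign's mail (sample data, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake photo that is really a PE file: MZ header followed by filler.
        zf.writestr("DCIM/IMG_0001.jpg", MZ + b"\x90\x00" * 16)
        # Double-extension executable.
        zf.writestr("DCIM/IMG_0002.jpg.exe", MZ + b"\x00" * 16)
        # Harmless file with a genuine JPEG header.
        zf.writestr("DCIM/IMG_0003.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    msg = EmailMessage()
    msg["Subject"] = "You pig!"
    msg["From"] = "noreply@example.com"   # assumed sender, not from the campaign
    msg["To"] = "victim@example.org"
    msg.set_content("You should be stoping ignoring me or i will send this photos to your spouse!!!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DCIM.zip")
    return bytes(msg)


if __name__ == "__main__":
    for hit in triage_message(build_sample_message()):
        print("BLOCK:", hit)
```

Checking the first bytes of each member rather than trusting the name is the part that matters: the extension check alone is beaten by a member called IMG_0001.jpg that the user is later talked into renaming, and the header check alone misses script files. Running the block flags the two bad members and leaves the real JPEG alone.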
Do you use your Facebook account to log onto places like LinkedIn and Yelp from your phone?
If so, get ready to start seeing ads in your mobile device's Facebook News Feed that will be targeted based on your mobile app usage.
Here's how it will work, according to the Wall Street Journal: if you like to play Zynga Inc.'s "Words with Friends," your mobile News Feed will soon target you with ads for yet more Zynga games.
If the WSJ's sources are correct about all this, the new ads will represent a boundary-breaking move for an ad-delivery company, given that none has thus far tracked consumers on the basis of mobile app usage.
The ads will be enabled by the Facebook Connect feature, which lets users easily log in to third-party sites, applications, mobile devices and gaming systems with their Facebook identities.
Sources familiar with Facebook's plans told the WSJ that the company is launching a new type of mobile advertising that will target consumers based on what apps they use, "pushing the limits of how companies track what people do on their phones."
But wait, there's more.
The unnamed sources told the WSJ that beyond tracking consumers' use of mobile apps, Facebook is also pondering whether to track what people do on those apps.
That move would be an even bigger game-changer. As it now stands, mobile-ad networks only target consumers based on what ads a person clicks on from his or her mobile browser.
Both Apple and Google track their users' mobile apps, but neither company tracks what people do in those apps.
One of the WSJ's sources said that Facebook will charge advertisers every time an app is installed on a user's smartphone.
That's a highly profitable prospect, the WSJ noted, for obvious reasons - i.e., a heck of a lot more consumers download apps than click on ads:
Facebook can charge significantly more for an app installation than it can for the traditional cost of every one thousand people who have viewed an ad.
Privacy advocates would far prefer that Facebook let users log in with Facebook Connect and then have a way to opt out of the new mobile ad targeting.
The WSJ quoted Justin Brookman, director of the Center for Democracy and Technology's project on consumer privacy, who noted that consumers just aren't used to having ad companies peering over their shoulders every time they use a mobile app:
"Once you're signed in, are you really expecting that Facebook is going to be watching you while you're on there?"
Of course, with the post-IPO Facebook now under the gun to monetize features such as Facebook Connect, it's hard to imagine that the company won't track what people do in their mobile apps.
What would that look like? The possibilities are limited only by our activities while using mobile apps.
Searching for experts in a given field - say, infosec! - in LinkedIn, for example, would open up whole new worlds of targeted advertising.
One of the WSJ's sources said the new ads might be announced on July 16, unless privacy concerns convince the company to hold off on mentioning it until Chief Operating Officer Sheryl Sandberg conducts the company's first earnings call with analysts on July 26.
The new ads would then launch on July 30, the source said.
What do you think of Facebook's plans to target adverts in this way? Let us know by leaving a comment below.
On Monday, July 9, the much-talked-about DNS Changer 'internet blackout' will take place.
Hundreds of thousands of computer users could potentially be affected, if they don't take action now.
We've made a video to cut through the hype and help you avoid problems come Monday morning.
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
The DNS Changer Working Group (DCWG), a cross-industry team of experts, has created a number of websites which offer to tell you automatically if your computer might have been affected by the DNS Changer malware. You can access that list here.
Please note that it is still strongly recommended that you scan your computer with an up-to-date anti-virus product, and although one of the DCWG-endorsed tests may give you peace of mind, there is nothing better than checking your DNS settings for yourself.
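Checking your DNS settings yourself means comparing each configured resolver against the rogue ranges. The script below is an added example, not DCWG, FBI or Sophos code: it encodes the six address ranges the FBI and DCWG published for the Rove Digital rogue resolvers (confirm them against the DCWG list before relying on this), pulls resolver addresses out of resolv.conf, scutil --dns or ipconfig /all text, and reports which ones fall inside a rogue range. The resolv.conf and ipconfig text it runs over is constructed for the demonstration.

```python
"""Check a machine's resolver settings against the DNSChanger rogue ranges.

Added example; not DCWG, FBI or Sophos code. The six ranges are the ones
the FBI and DCWG published for the Rove Digital rogue resolvers; confirm
them against the DCWG list before relying on this. The resolv.conf and
ipconfig text below is constructed for the demonstration.
"""
import ipaddress
import re
from typing import List, Tuple

ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
KEYWORDS = ("nameserver", "dns server")   # resolv.conf / scutil --dns, ipconfig /all


def extract_resolvers(text: str) -> List[ipaddress.IPv4Address]:
    """Pull every configured resolver IP out of resolver-config or ipconfig output."""
    found: List[ipaddress.IPv4Address] = []
    in_dns_block = False
    for line in text.splitlines():
        lower = line.lower()
        if any(k in lower for k in KEYWORDS):
            in_dns_block = True
            ips = IPV4_RE.findall(line)
        elif in_dns_block and IPV4_RE.fullmatch(line.strip()):
            # ipconfig lists additional DNS servers on bare continuation lines
            ips = [line.strip()]
        else:
            in_dns_block = False
            continue
        for ip in ips:
            try:
                addr = ipaddress.IPv4Address(ip)
            except ipaddress.AddressValueError:
                continue          # e.g. "999.1.1.1" looks like an IP but is not one
            if addr not in found:
                found.append(addr)
    return found


def check_resolvers(text: str) -> List[Tuple[str, bool]]:
    """Return (resolver, is_rogue) for each resolver found, in config order."""
    return [(str(a), any(a in net for net in ROGUE_RANGES))
            for a in extract_resolvers(text)]


def is_infected(text: str) -> bool:
    return any(rogue for _, rogue in check_resolvers(text))


# Constructed sample inputs (documentation addresses plus one address from each
# of two rogue ranges); not taken from a real machine.
CLEAN_RESOLV_CONF = """# constructed /etc/resolv.conf
nameserver 192.0.2.53
nameserver 198.51.100.53
"""
INFECTED_RESOLV_CONF = """nameserver 85.255.112.36
nameserver 192.0.2.53
"""
INFECTED_IPCONFIG = """   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 93.188.160.10
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_RESOLV_CONF),
                          ("infected resolv.conf", INFECTED_RESOLV_CONF),
                          ("infected ipconfig", INFECTED_IPCONFIG)):
        print(label, check_resolvers(sample), "INFECTED" if is_infected(sample) else "ok")
```

On a real machine, feed the function the output of cat /etc/resolv.conf, scutil --dns or ipconfig /all. Remember that a rogue entry can also live on the home router rather than the PC, so check the router's DNS settings too, and that a clean result here says nothing about whether the malware itself is still present, which is why the anti-virus scan is still recommended.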
Further reading: Internet doomsday on July 9th? Don't panic! Take action
There was a lot of reaction to the post I made yesterday about spam that appeared to originate from a mobile botnet of Android devices. I realize I didn't make it clear that we do not have a malware sample that does this, simply evidence that strongly suggests it is happening.
Many, including Google, have suggested the messages are forged. We see no evidence of this. The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures.
The Yahoo! headers note the origin of the messages as "Web API" which could indicate either the normal Yahoo! webmail interface or, as we believe, the Android API interface referenced in the mail headers.
The Message-IDs are all valid for the Yahoo! mailers sending them as well. It would not be possible to spoof this information externally.
While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!'s API or web interfaces.
So one of two things is happening here. We either have a new PC botnet that is exploiting Yahoo!'s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages.
One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of originating IPs on cellular networks.
More interesting was to compare the geographic distribution to traditional botnets that use Yahoo! webmail via the regular interface.
Of the "Android variant" of this spam 43% originated from Russia and Ukraine, and 25% from 4 Latin American countries.
The traditional Yahoo! spam? <1% from Russia and Ukraine, 48% from 5 Asian countries and 32% from 4 Latin American countries.
If this was a traditional spam bot operator you wouldn't expect to see such a dramatic skew from the normal distribution.
One strike against the theory is that the accounts used to send the spam appear to be randomly generated, not like the messages are being sent using victim Yahoo! accounts.
The other strike is the total absence of malware using the Yahoo! Android API for either platform. Until we find a sample targeting Windows, Mac or mobile phones, it will remain a mystery.
I'm sure the mystery will be solved, but we don't know the answer right now.
I agree with Terry Zink at Microsoft that the evidence suggests it is Android malware and there isn't a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers.
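The reasoning above rests on which headers can be trusted: the Received line written by your own MTA, and the DKIM verdict it recorded, are genuine; the provider's submission hop (the "from [IP] by ... via HTTP" line Yahoo! adds) is worth reading only once the handoff really came from the provider's servers with a passing signature; everything below that is forgeable. The script below is an added example, not Sophos or SophosLabs code, that applies exactly that ordering to a constructed message. The trap MTA name (trap.example.net), hostnames, IPs, header layouts and the X-Mailer value are assumptions made for the demonstration, not values from the article, and the DKIM verification itself is assumed to have been done by the MTA and recorded in an Authentication-Results header.

```python
"""Attribute a spam sample to its real submission path from its headers.

Added example, not Sophos code. Only the Received line written by our own
MTA and the Authentication-Results it added are taken as fact; the
provider's own submission hop is read only once those check out. Hostnames,
IPs, the trap MTA name (trap.example.net), header formats and the X-Mailer
value are constructed for this demonstration.
"""
import email
import re
from typing import Dict, List, Optional

TRAP_MTA = "trap.example.net"                      # assumed: our spam trap's MTA
PROVIDER_DOMAIN = "yahoo.com"                      # provider the mail claims to come from
PROVIDER_HOST_RE = re.compile(r"\.yahoo\.com$", re.I)

# "from <host> (<helo> [<ip>]) by <mta>": the usual SMTP relay hop (assumed format)
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\([^)]*?\[(?P<ip>[\d.]+)\][^)]*\))?\s+by\s+(?P<by>\S+)")
# "from [<ip>] by <webhost> via HTTP": webmail/API submission hop (assumed format)
WEB_HOP_RE = re.compile(
    r"from\s+\[(?P<ip>[\d.]+)\]\s+by\s+(?P<by>\S+)\s+via\s+(?P<via>[A-Za-z]+)")
AUTHRES_RE = re.compile(r"dkim=(?P<result>\w+)(?:.*?header\.d=(?P<d>[\w.-]+))?")


def attribute(raw: str) -> Dict[str, Optional[str]]:
    """Return what can be trusted about the message's origin, and why."""
    msg = email.message_from_string(raw)
    chain: List[str] = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    out: Dict[str, Optional[str]] = dict.fromkeys(
        ("handoff_host", "handoff_ip", "dkim", "dkim_domain",
         "origin_ip", "channel", "x_mailer", "verdict"))

    # 1. The only Received line we know is genuine is the one our MTA wrote.
    provider_hop = ""
    for i, hop in enumerate(chain):
        m = HOP_RE.search(hop)
        if m and m.group("by").lower().startswith(TRAP_MTA):
            out["handoff_host"], out["handoff_ip"] = m.group("host"), m.group("ip")
            provider_hop = chain[i + 1] if i + 1 < len(chain) else ""
            break

    # 2. DKIM verdict as recorded by our MTA (it did the DNS lookup and signature check).
    for ar in msg.get_all("Authentication-Results", []):
        if ar.strip().lower().startswith(TRAP_MTA):
            m = AUTHRES_RE.search(ar)
            if m:
                out["dkim"], out["dkim_domain"] = m.group("result").lower(), m.group("d")

    handed_off_by_provider = (
        out["handoff_host"] is not None
        and PROVIDER_HOST_RE.search(out["handoff_host"]) is not None
        and out["dkim"] == "pass"
        and (out["dkim_domain"] or "").lower() == PROVIDER_DOMAIN)

    # 3. Only now is the provider's own submission hop worth reading.
    m = WEB_HOP_RE.search(provider_hop)
    if handed_off_by_provider and m:
        out["origin_ip"], out["channel"] = m.group("ip"), m.group("via").upper()
        out["x_mailer"] = msg.get("X-Mailer")
        out["verdict"] = "submitted through the provider; origin IP and client are attributable"
    elif handed_off_by_provider:
        out["verdict"] = "delivered by the provider, but no submission hop to attribute"
    else:
        out["verdict"] = "handoff or DKIM does not match the provider; lower headers are untrusted"
    return out


# Constructed samples: one genuine provider delivery, one forgery that merely
# pastes a provider-looking hop below an unrelated relay.
GENUINE_SAMPLE = """Received: from nm12.bullet.mail.ne1.yahoo.com (nm12.bullet.mail.ne1.yahoo.com [203.0.113.10])
    by trap.example.net (Postfix) with ESMTP id 1A2B3C4D
    for <trap@example.net>; Tue, 3 Jul 2012 10:00:00 +0000
Authentication-Results: trap.example.net; dkim=pass header.d=yahoo.com
Received: from [198.51.100.77] by web120704.mail.ne1.yahoo.com via HTTP;
    Tue, 3 Jul 2012 09:59:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1024; h=From:Subject; b=constructed
X-Mailer: YahooMobile/Android (constructed value)
From: random7731@yahoo.com
Subject: constructed sample

body
"""
FORGED_SAMPLE = """Received: from mail.example.org (mail.example.org [192.0.2.55])
    by trap.example.net (Postfix) with ESMTP id 9Z8Y7X6W
    for <trap@example.net>; Tue, 3 Jul 2012 11:00:00 +0000
Authentication-Results: trap.example.net; dkim=none
Received: from [198.51.100.88] by web120704.mail.ne1.yahoo.com via HTTP;
    Tue, 3 Jul 2012 10:59:58 +0000
X-Mailer: YahooMobile/Android (constructed value)
From: random7731@yahoo.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(label, attribute(sample))
```

The forged sample carries the same Yahoo!-looking "via HTTP" hop and X-Mailer as the genuine one, but because the host that connected to our MTA is not a provider server and there is no passing DKIM result, the script refuses to attribute an origin IP from it. That is the distinction the post relies on: the geographic skew was computed from hops that sat behind a genuine provider handoff, not from whatever the lower headers claimed.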
As local media reported, hundreds of thousands of people gathered at San Diego Bay on July 4th to see what should have been one of America's biggest Independence Day firework spectacles.
But a computer malfunction meant that the planned 17-minute fireworks display was condensed into a 15-second firestorm.
Confused spectators waited for what they believed was going to be the rest of the show, but were told that the event was cancelled and sent home disappointed.
There are numerous videos of the "Big Bay Boom" event on YouTube, but this is my favourite because of one audience member's reaction at the end of the clip.
Some of the media reports have claimed that a virus was responsible for the thousands of fireworks on four barges being fired at the same time.
Was a computer virus really to blame for the firework farce? I doubt it.
It sounds more like a bug in the code which co-ordinated the firework display, or a mistake in the system's configuration, that caused the pyrotechnics to all explode at once.
But it's so much easier to blame a malware author's code for a computer problem, and brush off some of the responsibility for a screw-up. It's also a lazy explanation for journalists who don't want to trouble readers with more plausible explanations.
So it doesn't surprise me that a virus is being fingered as the culprit for how the "Big Bay Boom" became a Big Bay Bust.
Anti-virus veteran Mikko Hypponen made an interesting remark on Twitter yesterday:
"iPhone is 5 years old today. After 5 years, not a single serious malware case. It's not just luck; we need to congratulate Apple on this."
I'm not so sure I can agree.
Of course, there were the Ikee and Duh worms back in 2009, although one could dismiss them as not "serious" malware cases because they only infected iPhones that had been jailbroken without following the critical step of changing the default root password.
Speaking of jailbreaking, this brings up an interesting point about iOS device security.
Virtually every version of iOS has been quickly jailbroken (that is, modified to allow installation of apps and hacks not authorized by Apple or the mobile carrier).
Jailbreaking is accomplished by exploiting security vulnerabilities in iOS. The same exploits used to jailbreak (an arguably legitimate hack) could just as easily be used to infect an iOS device with malware.
And what happens if you get malware on your iPhone, iPad, or iPod touch? You wouldn't necessarily know it. Not all malware has big, flashy alerts like FakeAlert malware. Some is quiet and surreptitious like Flame.
And what's worse, you wouldn't be able to detect or remove iOS malware easily because Apple doesn't allow full-featured, real-time scanning anti-virus software in the iOS App Store.
Meanwhile, you can get free anti-virus software for Android from Sophos and other vendors.
In spite of the existence of Android anti-virus software, when you compare Android with iOS, there's certainly a big difference in terms of device security.
Android app stores (including Google's own) have a history of letting in malware apps, while Apple's more restrictive App Store policies and more careful application vetting tend to keep iOS users safer.
So perhaps Hypponen is right that we should be congratulating Apple, but not for the lack of iOS malware. Rather, Apple should be commended for keeping the App Store relatively safe.
I say "relatively safe" because security researcher Charlie Miller has previously figured out how to break the App Store anti-malware model using a flaw in the iOS code signing enforcement mechanism, and there have been reports of developers working around other App Store restrictions with clever tricks; see the Security Now! episode 330 transcript and search for "vetting."
And just earlier this month, a clearly bogus app purporting to be Microsoft Word 2012 was mistakenly approved by Apple, and appeared in the iOS App Store.
Apple still has a long way to go in making the iOS platform more secure, for example not making users wait months for security patches.
It took Apple four months after the release of iOS 5.0.1 for the next security update to become available, iOS 5.1, which patched a whopping 81 vulnerabilities. That's too long. I realize that 5.1 added a lot of features, but Apple could have easily patched the 81 vulnerabilities in a security-only update and called it "iOS 5.0.2" while working on adding new features to 5.1, but they didn't do that.
Meanwhile, the jailbreaking community are masters at exploiting undisclosed vulnerabilities, and ready to exploit them whenever Apple releases a new version of iOS. If these hobbyists can collect and take advantage of vulnerabilities, just imagine what others (a government perhaps?) could do.
And this isn't fantasy, defense contractors are already openly hiring for people with experience of exploiting vulnerabilities on mobile devices.
The history of jailbreaking iPhones and iPads has provided plenty of evidence that smartphone users are being made to wait too long to get security updates for their devices.
So yes; good job, Apple. But you can do a lot better.
The new version of Mac OS X, Mountain Lion, is just around the corner and contains a feature which should go down well with security-minded end users.
AppleInsider reports that one of the new features included in OS X 10.8 Mountain Lion is automatic security updates.
That means that you will be able to configure any Macs you have that are running Mountain Lion to automatically check Apple's update servers on a daily basis (or when the computer is restarted) to see if a security update is available, and apply it without user interaction.
Of course, most days it is unlikely that Apple will have released a security update - but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X.
At its recent WWDC event, Apple revealed that its newest range of laptops are coming with a "Power Nap" feature, allowing security updates to be downloaded while the rest of the computer is in sleep mode.
This, together with no longer requiring the user to approve each security patch before it is installed, should ensure that more Macs are kept up to date.
Anything which makes that attack window smaller has to be good news for Mac users. So, well done Apple.
Also interesting is Apple's claim that Mountain Lion will use a more secure connection to its update servers. Earlier this month it was revealed that the Flame malware had used a "man-in-the-middle" attack against the Windows Update system.
Of course, in business environments the concept of automatic, silent updates to the Mac operating system may be less popular. Often organisations prefer to test a security update before rolling it out across a large number of computers, in case there are bugs or conflicts.
Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their internet bandwidth.
Presumably Apple will provide mechanisms for businesses to handle these issues when OS X ships next month.
Today is the 145th anniversary of the founding of the Dominion of Canada and this week our American readers will be celebrating Independence Day for the 236th time. I am a citizen of both nations and am quite proud of what each of them has accomplished.
As with any event that impacts a large number of people, cybercriminals are always on the prowl, so we thought it might be helpful to post some tips for staying safe online during these summer holidays.
Keep an old Apple PowerBook handy (note: *must* be pre-Intel and pre-OS X, so check that those ageing batteries can still hold charge!) in case you find an enormous alien spaceship hovering overhead on the Fourth.
Be wary of posting photos and videos of your "perfectly legal in the state where I purchased them" fireworks. The internet is a public place and no matter how much you drink, the internet never forgets.
There are now officially fewer than six months' worth of online shopping days until Christmas! Watch out for festive season scams, such as warnings about how many online shopping days there are until Christmas, which tend to start popping up about now.
When buying Canada Day vacation weekend specials online, NEVER confuse the Sydneys (Nova Scotia and New South Wales) or the Torontos (New South Wales and Ontario). The differences can be enormously costly in both time and money. And if you do make a blunder, DON'T FORGET YOUR PASSPORT.
The vast majority of the world's workforce aren't American and won't have a clue why 04 July should enjoy any special significance from a computer security company. Therefore reading about it anyway will make them feel right at home, because it will remind them of the Stuxnet virus, which passed away on 24 June 2012.
When looking for something to kindle that fire to start the BBQ for your picnic, consider shredding sensitive documents and using the resulting confetti for tinder. Fills your belly while protecting your privacy.
When you get advice to be extra careful because of a public holiday, or your monarch's diamond jubilee, or both, apply the advice on that day only, on the assumption that the crooks are unashamedly waiting for you to do something silly on holidays.
When you get advice to be extra careful because of a public holiday, or your monarch's diamond jubilee, or both, apply the advice on every day except the one suggested, on the assumption that the crooks will be trickily double-crossing you with the whole holiday thing.
Lastly, if you have difficulty differentiating between Americans and Canadians when they visit your country, check out this video for some tips (or watch William Shatner's take on it).
Happy 4th of July/Independence Day/Canada Day/Dominion Day/Nice Summer Weekend and until next time... Stay secure.
Follow @chetwisniewski
Special thanks to Paul Ducklin for helping formulate many of the tips.