
Friday, November 30, 2012

Suspected Android SMS malware author arrested in France

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

French police have arrested a 20-year-old man in Northern France, in connection with an attack that infected thousands of Android smartphones with money-making malware.

According to the authorities, the man worked out of his parents' basement in the city of Amiens, creating fake apps that pretended to be legitimate applications. The man's apps are said to have sent SMS text messages without the user's approval, allowing him to earn mobile payments.

According to a BBC News report, prosecutors claim the man stole money from 17,000 victims, earning him approximately 500,000 Euros (£405,000) since 2011.

In addition, usernames and passwords were said to have been stolen by the Android malware from the users of gaming and gambling websites.

Police say that the man admitted his guilt after he was arrested, but reportedly claimed that he was not motivated by greed but by his love for computer technology.

The problem of Android SMS malware is not a new one, and SophosLabs frequently encounters rogue applications which surreptitiously send expensive text messages from victims' smartphones.

In the past, cybercriminals have disguised their Android apps to trick people into believing they were installing versions of popular apps such as Angry Birds and Instagram and Skype.

Earlier this year, French police arrested two men in connection with the Foncy Trojan horse that sent expensive SMS messages from infected Android smartphones.

If you want to better protect your Android device, try out Sophos's free anti-virus and privacy app.

Follow @gcluley

View the original article here

Thursday, November 29, 2012

42% of lost mobiles have no security in place to protect data, says report


If the UK is any indication, we're letting our precious mobile devices drop from our bags and pockets, scattering our unprotected data throughout the land at an alarming rate.

Surveying 1,008 UK consumers between the ages of 16 and 64, Sophos found that 42 percent of devices that were lost or left in insecure locations had no active security measures to protect data.

More findings from the survey, which was part of a wider awareness campaign regarding mobile device security:

- 20% of lost devices had access to work email, potentially exposing confidential corporate information.
- 20% contained sensitive personal information such as national insurance numbers, addresses and dates of birth.
- Over 10% contained payment information such as credit card numbers and PINs.
- 35% had access to social networking accounts via apps or web browser-stored cookies.

Sophos's James Lyne notes that the lack of awareness around data security among the general public is inevitably going to lead to BYOD-induced holes poked into corporate security:

"Indeed, the research already shows that corporate email - on lost and potentially unsecured devices - opens up a potential security hole in the infrastructure. This lack of precaution and awareness risks putting businesses in the firing line when it comes to complying with data privacy legislation and protecting sensitive information."

The survey also produced some interesting findings regarding how likely we are to lose devices depending on our gender, age, and whether or not we live in London, where people evidently seem to drop gadgets like hot potatoes.

In a nutshell, if you're a young, male Londoner, you've practically got an allergy to cell phones, tablets and the like. The findings:

- 38% of men had lost devices. But don't feel bad, o ye multi-chromosomed ones. You tend to secure yours better, given that...
- 66% of men had security measures in place.
- 33% of women, on the other hand, had lost a device, but only...
- 49% of women claimed to have had security in place.
- 50% of Londoners had lost a device, compared with...
- 36% throughout the nation. But again, don't feel too bad about that, given that Londoners are more inclined to security, with...
- 66% of Londoners having secured their devices, compared with only...
- 58% of UK citizens overall who claim to have secured their gadgets.

Dropped phone, courtesy of Shutterstock

The survey also found that young people do not get along particularly well with gadget retention, but they're smarter than their elders when it comes to securing the mobile devices they lose.

The findings:

- People between the ages of 16 and 24 were over four times more likely to lose an electronic device compared to those aged between 55-64.
- 59 percent of the older age group had no security precautions, compared to...
- 45 percent of 16- to 24-year-olds who didn't secure their toys.

That's all well and good. It shows that younger people are learning lessons about how to protect their data.

But, Lyne pointed out, the numbers still show a sizable chunk of people who haven't learned the lesson:

"Those with protection are still too low and as we begin to rely on and invest more in our electronic devices, there needs to be a shift across the board in the attitude and education surrounding mobile, laptop and tablet security."

Other survey findings:

- 36 percent of those surveyed had lost an electronic device in public at some stage.
- Of those who had lost an electronic device, 78 percent had lost a mobile phone, laptop or tablet.
- 58 percent of those surveyed were never able to recover the lost device.
- One-fifth got the device back within 24 hours, but...
- The return rate dropped significantly after 24 hours.

These findings point to a lot of data getting lost, and that points to a huge potential for security holes, as Lyne said.

Education of the masses is key, but businesses also have to get their BYOD policies in order, he said:

"Businesses … should ensure their traditional IT security educational policies extend to laptops and mobile devices. Otherwise they are spending significant amounts of time and money securing data in one part of their infrastructure only to allow the same information to walk out of their building on an unsecured employee device."

Sophos has tips for businesses on how to secure devices and offers this free mobile security toolkit.

On an individual level, the loss of a device promises the forfeiture of personal data (such as photos and contact information).

It also often carries the risk of personally identifiable information that can lead to thieves plundering bank accounts and credit card accounts and/or hijacking social media accounts, not to mention the cost of the device itself.

Follow @LisaVaas
Follow @NakedSecurity

Worried man, dropped phone and passcode on phone images courtesy of Shutterstock



Wednesday, November 28, 2012

"Im getting paid!" - Websites hosted on WordPress hacked due to users' poor password security


Millions of blogs hosted on WordPress.com can breathe a sigh of relief - although a hacker did manage to break into thousands of sites and publish a make-money-fast advert, it wasn't because of any vulnerability on the WordPress.com site itself.

Instead, it seems users had simply been careless with their password security.

The alert was initially raised by The Hacker News (THN) and Sucuri, after some blog owners received messages from WordPress.com telling them that their passwords had been reset.

One affected WordPress.com user told THN that he had discovered hackers had published a page containing a money-making advertisement (pictured below).

Hacked page on a WordPress.com website

A Google search for

site:wordpress.com "Im getting paid!"

finds evidence of thousands of sites that suddenly found they had unwittingly published "Im getting paid!" webpages.

Compromised accounts

Although some theorised that the hacker may have exploited a vulnerability on WordPress.com (which would be a very serious problem as the WordPress.com infrastructure is used by many of the world's most popular blogs and news sites), the truth seems to be rather more pedestrian.

Barry Abrahamson from Automattic (the company which runs WordPress.com) told Naked Security that there was no compromise of the WordPress.com servers, and that rather than a vulnerability, the most likely cause of the problem was "people sharing the same password across multiple services."

According to the firm, it spotted the problem quickly, notified affected users and reset passwords.

It's good news that the sites hosted on WordPress.com weren't hacked due to a vulnerability. After all, many blogs choose to host on WordPress.com in order to avoid the headache of managing their own security and updates on self-hosted WordPress installations.

So, remember folks - please use different passwords for different websites. If you use the same password in multiple places, it only requires your password to be stolen in one place for it to have an unpleasant impact on your other online activities.

Follow @gcluley


Flashing on the Queen's highway can reveal your identity - a cautionary tale


How cautious are you about identity theft?

Do you worry about the pounds and hope that the pennies will look after themselves?

Ironically, there's not a lot we can do about some of the big stuff, at least after we've submitted our information for processing - things like passport applications, for example, or tax returns.

On the other hand, even though it's fairly easy to look after the "pennies" of our personally identifiable information (PII), some of us don't seem to bother.

We probably assume that individual snippets of PII aren't likely to yield much.

But that's a big assumption. Building up an identity profile piece-by-piece from information that's already published even has a name: OSINT, or open source intelligence.

Just as open source software is built from code that's out there for the finding, so open source intelligence is compiled from information that's already out there, waiting to be found and stitched together by anyone willing to look.

Cops love OSINT. It's comparatively easy to collect. It avoids any of the contentious (and dangerous) aspects of intelligence gathering, such as surveillance and undercover work. And, best of all in today's cash-strapped times, it's free.

If you want to know just how far you can get using OSINT, take a look at this fascinating SophosLabs report:
The Koobface malware gang - exposed!

Sadly, of course, what's good for the goose is good for the gander.

Cybercrooks can buy and sell information accumulated from all over, combining legally-acquired PII pennies with ill-gotten PII pounds until they have the level of detail they want for identity-related crime.

So here's an amusing example of what not to do: don't flash your corporate ID badge while you're commuting to work.

The photo below was taken by a Naked Security fan in our very own neck of the woods, North Sydney, just round the corner from the office:

See the badge? Even at average mobile phone quality, snapped by a passenger who couldn't get any closer and didn't have a zoom lens, we were able to make out a fair bit of detail.

We've obliterated the significant details, but you can see the New South Wales Government logo bottom left (an instantly-recognisable red Waratah flower with the letters NSW underneath), and the name of the badge-holder and his department.

We figured out his work address from the name of the department where he works, which has an office well-placed for the lane he's riding in and the turn he's probably about to make.

But we couldn't quite read his last name. We got close, but we ended up with two choices for each of the first three letters, leaving us to guess (name changed, of course) amongst:

Sam Phonera - Sam Phinera - Sam Peonera - Sam Peinera
Sam Chonera - Sam Chinera - Sam Ceonera - Sam Ceinera

With only eight to choose from, we're already close enough for mischief, but thanks to NSW Roads and Maritime Services, we were able to work out the exact name on the badge.

As we remarked in a tongue-in-cheek piece a week or two back, Roads and Maritime operate a website to let you customise your number plates.

If you want a new letter and number combination, you just type it in to see if it's available. But if you want to restyle your existing plates in funkier colours, you have to type in your last name as well, presumably as some sort of confirmation that they're really your plates. (By experimenting, you will find that only the first three characters of the name have to be correct.)

With just eight possibilities, it didn't take us long to mount a brute force attack. Sam Chinera, we know where you work, what bike you drive, your route to work, the time you start, and what you look like.

OK. There's no major cause for alarm here. As Steve Jobs once famously said, "Not that big of a deal."

But it is the sort of data a social engineer or identity thief can abuse. Sam: you really didn't need to reveal your badge like you did. Put the badge in your pocket or your top-box.

There's a simple rule you should follow at all times when it comes to PII: if in doubt, don't give it out.

Follow @duckblog

PS. Sam, I know I'm giving you a load of unsolicited advice today. But here's some more: I'd give serious consideration to some decent protective clothing. If you prang in work shoes and suit pants, it usually doesn't end too well. And those gloves leave a fair bit to be desired. Just saying.



Monday, November 26, 2012

Warning: Here are three emails you don't want to see in your inbox


Here are three emails you don't want to see in your inbox today.

Malicious email

Malicious email

Malicious email

Although the emails may claim to have been sent by the likes of LinkedIn, YouTube and Google, the truth is that the headers are forged, and the emails have been specially crafted to look like legitimate communications from online firms.

Clicking on the links could send your computer to Canadian pharmacy-like spam sites offering to sell you Viagra, or even webpages hosting malicious payloads.

Always be careful about clicking on links in unsolicited emails. Hover over links with your mouse to tell where they're really going before clicking, and keep your anti-virus and anti-spam protection updated.

If you're careless you could be falling into the spammers' trap, and putting your finances and data in danger.

(Oh, and we've just seen emails claiming to come from Amazon too).

http://twitter.com/gcluley


Sunday, November 25, 2012

HSBC recovers from DDoS attack, after internet banking services disrupted


HSBC has successfully recovered from a distributed denial-of-service (DDoS) attack which saw a number of its websites brought down, making it impossible for customers to use internet banking services.

The international bank stressed that no customer data was impacted by the attack in a statement posted on its website:

On 18 October 2012 HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world.

This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.

We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running.

We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts.

We apologise for any inconvenience caused to our customers throughout the world.

According to an update posted on its website, HSBC restored all of its websites globally to full accessibility as of 3:00am UK time.

DDoS attacks, which are illegal, occur when a criminal commands a number of computers to bombard a website with unwanted traffic.

In many cases, the computers used in an attack will have been hijacked by hackers using malware, and will be taking part in the assault without the knowledge of their owners. In other cases, people will willingly participate in a DDoS attack.

A co-ordinated deluge of web traffic can effectively clog up a website, preventing legitimate visitors from reaching the site, and bring it to its knees.

You can picture a distributed denial-of-service attack as being something like 15 fat men trying to get through a revolving door at the same time. Nothing moves.

Of course, denial-of-service attacks are no laughing matter.

Some DDoS attacks have been perpetrated for political or hacktivist reasons, while others have tried to blackmail money out of large companies.

Don't allow your computer to be caught up in a denial-of-service attack. Now would be a good time to ensure that you have good defences in place to prevent your personal computer from being recruited for someone else's online fight.

Follow @gcluley


Hackers pwn the sun - Exploit code released for software used to manage solar energy plants


Black hat hackers can now take over photovoltaic solar arrays and harness their combined energy to create vaporizing solar death beams.

Well, that may be an exaggeration, but only a slight one.

The US Department of Homeland Security is warning about vulnerabilities in a common SCADA (supervisory control and data acquisition) package that is used to remotely monitor and manage solar energy-generating power plants.

The DHS’s ICS-CERT issued an advisory on Wednesday that exploit code was circulating on the internet for security holes affecting the Italian vendor Sinapsi’s eSolar Light Photovoltaic System Monitor.

The eSolar Light Photovoltaic System Monitor is a SCADA product that allows solar power stations to simultaneously monitor different components of photovoltaic arrays, such as photovoltaic inverters, energy meters, gauges and so on.

According to information released by the researchers Robert Paleari and Ivan Speziale, the Sinapsi eSolar product contains a number of critical security vulnerabilities that make the devices easily exploitable by remote attackers, who could gain administrative privileges and run arbitrary commands and code on vulnerable eSolar devices.

Those security holes include a slew of SQL injection vulnerabilities in webpages included with the device firmware. Among other things, the researchers found they could exploit SQL injection holes in the web based management interface to access the underlying MySQL database, gaining access to usernames and passwords for the device.

Passwords, the researchers noted, were stored in plaintext.

And, in a pattern that has become distressingly common in the SCADA world, the researchers discovered hard coded administrative accounts for the Sinapsi devices.

The login.php page would accept a small number (two or three) of universal passwords that would grant access to the device regardless of what user login they were paired with.
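As an added illustration (not Sinapsi's code, which is not public), the following Python sketch puts the three defects the researchers describe side by side with a hardened login: string-built SQL, plaintext password storage, and a universal password accepted regardless of username. An in-memory SQLite table stands in for the device's MySQL database, and the universal password values are constructed placeholders.

```python
import hashlib
import hmac
import os
import sqlite3


def pbkdf2(password, salt):
    """Salted, iterated hash for password storage (what the device should have stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed in-memory database: a legacy table with plaintext passwords
    (mirroring what the researchers found) and a hardened table with salted hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_legacy (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO users_legacy VALUES ('admin', 'plaintext-secret')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", salt, pbkdf2("plaintext-secret", salt)))
    db.commit()
    return db


# Constructed placeholders standing in for the hard-coded universal passwords
# described in the advisory; the real values are not on the page.
UNIVERSAL_PASSWORDS = {"vendor-backdoor-1", "vendor-backdoor-2"}


def login_legacy(db, username, password):
    """Weak login in the style the researchers describe: any universal password
    wins regardless of username, and the query is built by string formatting, so a
    quote character in the input rewrites the WHERE clause."""
    if password in UNIVERSAL_PASSWORDS:
        return True
    query = ("SELECT COUNT(*) FROM users_legacy WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return db.execute(query).fetchone()[0] > 0


def login_hardened(db, username, password):
    """Parameterised lookup, salted hash comparison, no universal credentials."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        # Hash anyway so response time does not reveal whether the user exists.
        pbkdf2(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(pbkdf2(password, salt), stored)
```

The legacy routine accepts the placeholder universal password and a textbook quote-injection for any account; the hardened routine accepts only the real credential.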

ICS-CERT said in its advisory that the vulnerabilities, if successfully exploited, could allow attackers to remotely connect to the management server, "executing remote code, possibly affecting the availability and integrity of the device."

The researchers disclosed the holes to Sinapsi in August, 2012 and released details of their findings on October 9, after failing to get a response, they said.

The impact of the security holes could be widespread. The Sinapsi eSolar management product is bundled with photovoltaic SCADA products from other vendors, as well. They include the Enerpoint eSolar Light, Astrid Green Power Guardian and Schneider Electric Ezylog Photovoltaic Management Server, according to ICS-CERT.

Follow @paulfroberts
Follow @NakedSecurity

Solar panel and sunlight images courtesy of Shutterstock



Saturday, November 24, 2012

Monday review: the hot 24 stories of the week


Tags: chrome, games, Huawei, IT, kiosk, Mitt Romney, piracy, scada, threat response, virus removal, warcraft, WoW, ZTE



Friday, November 23, 2012

Is Google about to start scanning your Android for malware?


Do you still think that there's no need for an anti-virus on your Android smartphone? Soon you might not have any choice.

Judging by a report on the Android Police website, a new edition of the Google Play app (Android's equivalent to the iOS App Store) has put in place the foundations for some kind of anti-virus functionality.

Looking at the code seen inside the app, it appears that Google could soon have the capability to perform anti-malware scans on your smartphone. Our own examination has confirmed the existence of strings in the app's code such as:

"Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security."

"Installing this app may harm your device"

"Installation has been blocked"

"To protect you, Google has blocked the installation of this app."

There are also some interesting-looking graphics (well, not that interesting.. but you can probably imagine how they might be used):

Anti-malware graphics

Our examination of the new code in Google Play suggests that the company is building an API framework for virus-scanning in the future, and that the functionality will not be available until at least API level 17 (which will be supported in the version of the Android operating system after Android 4.1, Jelly Bean).

It seems this functionality would also make use of the Google Safe Browsing API.

Google attempts to keep malware out of its official Google Play Marketplace (with varying levels of success), but that doesn't stop users from installing Trojans from unofficial sources.

In the past we've seen fake versions of Instagram, Angry Birds and many more popular Android apps distributed via non-official channels with the intention of infecting Android phones and tablets.

My advice would be for Android users to protect their devices against malware. The problem is becoming too serious to ignore. Sophos has a free anti-virus for Android which you can download (naturally enough) from the Google Play store.

http://twitter.com/gcluley

Hat-tip: Android Police



Wednesday, November 21, 2012

Nude photos of Justin Bieber a ruse: bellybutton tells the tale! Think before you click


Don't click on that photo of Justin Bieber!

It's not him, fans say.

Sure, there's the trademark bird tattoo on the left hip, but the nipples are all wrong.

A photo distributed on the internet shows a headless naked male body engaged in what might perhaps be a sexual act with himself.

It was allegedly leaked when a thief made off with the singer's laptop and camera after a show in Washington.

The gadgets contain "a lot of personal footage," the star tweeted within hours of the theft:

There's just so much wrong with this picture, and I'm not talking about Justin Bieber's pink parts.

The first bit of wrongness has to do with anybody who'd actually risk their cyber security by clicking on an alleged celebrity photo.

The land of Twitter has plenty of skeptical Twitizens, but so too does it have far too many drooling fans eager to click on JB's charms.

Take Breanna, for example:

Hopefully, young fans like Breanna have wise friends who can educate them regarding malware, which loves to hitch a ride onto PCs using come-ons like nude celebrity pictures.

Earlier this week, Microsoft released its most recent Security Intelligence Report, which showed that photos, movies, software and other media are increasingly infested with Trojans and other attack vectors.

Anybody who goes out searching for nude photos of celebrities is just asking to be taken advantage of.

There's a long history of malware authors making the most of splashy celebrity-related headlines, whether it's the death of Michael Jackson or Amy Winehouse, Rihanna sex videos or a purported video of the killing of Osama Bin Laden.

Beyond the danger of clicking on what could be malware-laced photos, what in the world is Bieber doing storing personal footage on a laptop that hasn't been properly encrypted and secured with a strong password?

Sophos's Graham Cluley made this YouTube video a while back to explain how to choose a hard-to-crack but easy-to-remember password, but if you're tackling the task of security education for Beliebers, you might want to cut right to the part where he addresses password management software programs like 1Password, KeePass and LastPass, any of which will lift the task of remembering all their different passwords.

And with that accomplished, we will leave Bieber's fans to the task of bellybutton analysis.

But do point out to them that, as the Huffington Post shows, the star's belly button is clearly an outie.

Follow @LisaVaas


Monday, November 19, 2012

US court says reading other people's online email is OK, privacy be damned

(B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.

Justices Kaye G. Hearn and John W. Kittredge wrote that because the man, respondent Lee Jennings, had no other copies of his Yahoo email, they couldn't possibly constitute a backup as outlined in clause B.

The two judges wrote:

"We decline to hold that retaining an opened e-mail constitutes storing it for backup protection under the Act."

"The ordinary meaning of the word 'backup' is 'one that serves as a substitute or support.' Thus, Congress's use of 'backup' necessarily presupposes the existence of another copy to which this e-mail would serve as a substitute or support. We see no reason to deviate from the plain, everyday meaning of the word 'backup,' and conclude that as the single copy of the communication, Jennings' e-mails could not have been stored for backup protection."

For her part, Chief Justice Jean Hoefer Toal, with Justice Donald Beatty concurring, said that Jennings' emails stopped being a 'backup' once the recipient opened them:

"In my view, electronic storage refers only to temporary storage, made in the course of transmission, by an ECS provider, and to backups of such intermediate communications. Under this interpretation, if an e-mail has been received by a recipient's service provider but has not yet been opened by the recipient, it is in electronic storage."

The case came about after Jennings' wife, Gail, found a card for flowers for Jennings' paramour in his car. When Gail confronted him, he confessed he had fallen in love with another woman.

Jennings refused to identify his lover but admitted they had been corresponding via email for some time.

Gail confided in her daughter-in-law, Holly Broome, who had previously worked for Jennings and knew he had a personal Yahoo account.

Broome hacked into his account by correctly guessing answers to his security questions. She read the emails between the two lovers, printed out copies and handed them over to Gail's lawyer and to a private investigator Gail had hired.

Woman at desk, courtesy of Shutterstock

Earlier court rulings found that the emails at issue were in "electronic storage", thus protected under the SCA. Wednesday's ruling reversed that decision, agreeing with Broome's earlier contention that the court had misunderstood the definition of "electronic storage" under the Act and incorrectly concluded the e-mails had been stored for the purpose of backup protection.

The case, as well as our expectations that email won't be hoovered up like so many dust bunnies, turns on an acrobatically convoluted definition of the term "backup".

Previous court decisions have held that opened email that's kept in your online inbox, be it in Yahoo, Gmail or whatever other web service you use, is kept there for backup.

But in this case, Jennings v. Jennings, the judges dived into Merriam-Webster's dictionary for a definition of the word.

Regardless of what that dictionary says, it seems darn clear to me that if people aren't deleting their email, they obviously want to store it for possible future reference.

Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University, holds the same opinion, as he told Ars Technica:

"All of the discussions regarding backups, temporary copies, and the read/unread distinction seem to have very little to do with the way that most people perceive their use of e-mail."

Hartzog said that a "politically palatable" update to the SCA hasn't yet been achieved.

At any rate, there's still hope for Jennings, he told Ars, given that Broome could still be found liable under the Computer Fraud and Abuse Act.

Turning to a dictionary for a definition of a word such as "backup" is a time-honored way to supposedly win an argument, as the court did in this case.

But this pedantic tactic of treating a dictionary as sacred gospel ignores the fact that dictionaries morph, sag and lag behind current usage. After all, if they were in fact sacred documents, there would be no need for more than one dictionary.

I refer you here to David Foster Wallace's brilliant 2001 review of Oxford University Press's then-recent release of Bryan A. Garner's A Dictionary of Modern American Usage, in which Foster Wallace illustrates the point:

Did you know that probing the seamy underbelly of U.S. lexicography reveals ideological strife and controversy and intrigue and nastiness and fervor on a nearly hanging-chad scale? For instance, did you know that some modern dictionaries are notoriously liberal and others notoriously conservative, and that certain conservative dictionaries were actually conceived and designed as corrective responses to the "corruption" and "permissiveness" of certain liberal dictionaries? That the oligarchic device of having a special "Distinguished Usage Panel ... of outstanding professional speakers and writers" is an attempted compromise between the forces of egalitarianism and traditionalism in English, but that most linguistic liberals dismiss the Usage Panel as mere sham-populism? Did you know that U.S. lexicography even had a seamy underbelly?

If the court wants to determine the meaning of the word "backup" as it pertains to actual usage, by real, live, breathing, email-using humans, as opposed to deriving meaning from an arbitrary dictionary definition, I'd suggest that judges survey real, live, breathing humans, many of whom, I predict, would deliver the unsurprising news that they don't delete their cloud messages because they're storing them for backup purposes - backup meaning, in this case, "I don't want to delete this yet."

Not that we should trust the cloud to protect our precious documents, mind you.

One incident that made this clear was when US feds told Megaupload users to choose between paying for the forensic expertise to dig out their seized files, or suing Megaupload or its server farm to get them.

No, we shouldn't trust the cloud. But in default of doing anything to further protect our content - namely, backing it up - we do.

And lo, I come across this piece on Lifehacker about Dashlane Courier's new service for sending private, encrypted notes that self-destruct after being read.

Could that be a solution? Are such emails truly deleted forever, beyond the reach of the courts?

If you're familiar with this type of service, please share your thoughts below.

Until and unless the courts apply the Computer Fraud and Abuse Act or other privacy-protecting measures in cases such as this one, it would be nice to have an alternative email solution, for when we really, really don't want email to be read by lawyers and judges.

Follow @LisaVaas
Follow @NakedSecurity

Lisa Vaas has written about technology - specifically, security, databases, technology careers, resume writing and the applicant tracking systems that eat and/or spit out resumes - since 1995. Her stories have appeared in venues including the print and/or online versions of eWEEK, PC Magazine, Computerworld, CIO, IT Expert Voice, HP's Input/Output, and TheLadders. Read more from Lisa on her website at www.lisavaas.com.

Public-access kiosk SNAFU gives public access to intimate personal information


Two years ago, I reported from the Kiwicon security conference in New Zealand about the insecurity of many internet kiosks.

(The 2012 Kiwicon event starts in just over a month - if you can get to Wellington, I recommend it.)

Sadly, New Zealand is in the "insecure kiosk" news again, for all the wrong reasons.

Kiwi journalist Keith Ng wrote over the weekend about his experiences with kiosk computers at Work and Income New Zealand (WINZ). That's where you go for financial assistance and employment services throughout New Zealand.

Ng's experience was as dramatic as it was unexpected. (Actually, it wasn't entirely unexpected, as someone had told him they thought the kiosks were insecure. But the scale of the insecurity was alarming.)

The idea of kiosks in public service offices might seem strange. After all, if you've gone to the trouble of visiting the office in the first place, surely you're already beyond the sort of assistance you could obtain online?

Not at all. Kiosks in government offices are a great idea - especially for departments which aim to assist those who are least likely to have internet access themselves at home, for example because they have lost their jobs, are on income support, or are simply intimidated by the many risks and complexities of running their own computers - notably the risks of being hacked and losing personal information to cybercrooks.

What you don't expect is for public-access self-service kiosks in government departments to be directly connected to the internal, operational networks of the department itself.

What Ng found at WINZ was that things hadn't been done that way.

One of the functions of the kiosk computers is to let job seekers look for work online, and to send out their CVs. So the kiosk gave Ng access to Microsoft Office.

And right from the File Open dialog, he found he could browse his way around the network of WINZ's parent department - the Ministry of Social Development (MSD).

Ouch. He was able to see logfiles and documents containing a raft of super-personal stuff. This included logs listing documents naming people being investigated for fraud; invoices naming contractors; invoices for medical services detailing patients and their medical complaints; a list of debtors being chased by a commercial debt collection agency; and more.

In short, an identity crook's dream.

The "more" that Ng was allegedly able to access was worse, apparently even including the names and addresses of safe houses, and of children living in them.

The good news is that Ng let the Privacy Commission and the Ministry for Social Development know before publishing, and the MSD will be taking the kiosks offline until the situation is sorted out.

The bad news is, of course, that this sort of thing should never be allowed to happen. Ng didn't even have to hack. He just clicked his way through a standard, ubiquitous, known-by-everyone-by-design File Open dialog - a dialog that's supposed to make it quick and easy for you to navigate wherever you're allowed to go on the network.

What to do?

If you are running kiosks, you need to assume the worst.

Assume that each user can escape from the sandbox you provide and access anything else on the same network as the kiosk. Also assume that each user can set booby traps which, if left intact, could harm the privacy of the next user.

You need to ensure the following:

* Kiosks shouldn't be on your internal network. In fact, your kiosks should give no more access to your internal network than your website does to users who are physically outside your premises. Kiosks are public-access terminals so, from a network perspective, they are external.

* Kiosks should be reimaged or reverted back to a known-clean state after each user. This ensures that user X can't set a booby trap for user X+1, and that user X+1 can't accidentally see left-over data from user X.

* Your internal network shouldn't allow anyone to access anything. Careful access control lists, with "deny-by-default", should be used to compartmentalise information to prevent unwanted leakage or disclosure, whether deliberate or accidental and whether internal or external.

* Computer logfiles should be considered personally identifiable information (PII). Metadata such as file and directory names often accurately identify the information contained inside each file itself.

* All files containing PII should be encrypted. Even if an unauthorised user is able to identify and copy (or steal) them, they should end up as just so much shredded cabbage.

Let's hope that WINZ knocks this problem on the head quickly and is able to restore kiosk service, this time safely and on a safe network.

For the rest of us, let's take this as a handy warning that it's always a good time to carry out a security review.

Security - as any textbook, operational framework or methodological study will tell you - is a journey, not a destination.

Follow @duckblog

Sunday, November 18, 2012

Fake Tesco/Asda voucher scammers on Facebook hit with large fines


Two firms have been fined a total of £450,000 (approximately US $720,000) for running a series of scams on Facebook.

The scams, which claimed to offer free vouchers and supermarket gift cards for the likes of Tesco and Asda, resulted in members of the public signing-up for expensive premium-rate phone services.

Australian firm mBill Pty and Amazecell Limited, based in Israel, were judged by PhonepayPlus - the regulatory body for all premium rate phone-paid services in the United Kingdom - to have run deliberately misleading promotions on Facebook.


The problem got so bad that Tesco warned its customers not to click on the offending links.


In two separate cases, mBill and Amazecell used affiliates to promote their premium rate competitions, exploiting social networking users' trust in what their online friends had "liked" and "shared", and spreading rapidly.

The promotions - which took place in 2011 - included the lure of vouchers worth up to £250 for major retailers, including Tesco and Asda, with messages posted on Facebook users' walls. The messages were either shared on walls without the users' explicit permission, or users were told they were required to 'share' the promotion in order to have a chance of receiving a voucher.


According to PhonepayPlus:

"After clicking on the promotion consumers were misled into participating in premium rate competitions. Consumers believed that these were stages towards receiving the promoted offer and did not realise that by entering their phone number they would be charged."

"In the Amazecell case, consumers were charged £5 per question sent to their phone. Consumers were subsequently charged for further questions regardless of whether or not they answered them. Over 89,000 consumers entered the service only once but were sent a second question for which they were charged."

It's pretty despicable, in my opinion, to dupe people into believing they have a chance of winning a pre-release iPhone 4S for testing, grocery vouchers, theme park tickets or a new iPad or Dell laptop, only to sign them up for expensive £5-a-go SMS messages.

PhonepayPlus' Tribunal found that the companies had breached the Code of Practice by misleading consumers and not providing clear pricing information. Amazecell Ltd was fined £300,000 and mBill Pty Ltd was fined £150,000. Both have been ordered to refund any consumers who request a refund.

Aside from the Tesco and ASDA Facebook scams, Sophos has also warned of Facebook scams involving other retailers - including Argos, Pizza Hut, Costco, JB Hifi, Apple iTunes, Amazon, Tim Hortons and Starbucks.


Sadly Facebook is rife with scams such as this, duping users into making expensive mistakes and unwittingly tricking their friends to also sign up.

Make sure that you keep informed about the latest scams spreading fast across Facebook and attacks elsewhere on the internet. Join the Sophos page on Facebook, where over 190,000 people regularly share information on threats and discuss the latest security news.

Follow @gcluley


Saturday, November 17, 2012

LulzSec hacker pleads guilty to Sony Pictures attack, faces prison sentence


Raynaldo Rivera, from Tempe, Arizona, has admitted hacking into computer systems belonging to Sony Pictures, and stealing the personal information and passwords of thousands of innocent internet users.

The attack, which took place in May last year, was part of a concerted attack against Sony websites by LulzSec and Anonymous hackers during 2011.

Rivera, who was arrested by the FBI in August, admitted his guilt in the form of a plea agreement filed with Los Angeles Federal Court.

Rivera - who used online nicknames including "neuron", "royal", and "wildicv" - admitted launching an SQL injection attack against the Sony Pictures website, extracting confidential and personal user information - such as the names, birth dates, addresses, emails, phone numbers and passwords of people who had entered Sony contests.

The stolen information was subsequently published online by the LulzSec hacking gang, compounding the risk to innocent users.

The hack is said to have cost Sony more than $605,000 in losses.

In an attempt to hide his true identity during the attack, Rivera used the HideMyAss anonymising proxy service to disguise his IP address as he probed the Sony Pictures' website for vulnerabilities.

However, Rivera had not been careful enough in disguising his tracks - and HideMyAss co-operated with the authorities when a court order was received by the anonymising proxy service.

Others considering committing crimes on the net might be wise to stop believing that using an anonymising proxy service will necessarily keep them out of the clutches of the law.

Under the plea agreement, Rivera will pay restitution to his victims. He also faces a maximum five year prison sentence, and a fine of at least $250,000.

Follow @gcluley

Man with clapperboard image from Shutterstock.


New updated Virus Removal Tool from Sophos now available


As promised, Sophos has just released an updated version of its free Sophos Virus Removal Tool (Version 2.2).

This Windows tool, which is designed to work alongside your existing anti-virus installation, removes viruses, spyware, rootkits and fake anti-virus.

At the launch of the first version of the software earlier this year in April, Naked Security readers kindly provided feedback for the tool's developers.

The top three issues readers highlighted were:

* Speed up scanning time

* Improve malware clean-up

* Incorporate auto-update capabilities

The good news is that this release addresses all these points. It also boasts improved scan status information, including a progress bar for scanning and for cleanup; and the option to run the tool in safe mode as well as run on computers using proxy settings.

Sophos Virus Removal Tool is completely free and requires no registration.

Visit sophos.com to learn more. Or click here to download immediately.

(Oh, and for you Mac users out there, you can download the wonderfully free Sophos Anti-Virus for Mac home edition.)

http://twitter.com/caroletheriault

http://twitter.com/nakedsecurity

Tags: anti-malware, Anti-virus, disinfect, disinfection, Fake antivirus, free, Malware, remove viruses, rootkits, Sophos Virus Removal Tool, SVRT, Virus, viruses


Malware attack strikes, posing as Skype password change notification


If Skype users didn't have enough to worry about this week security-wise (with a worm spreading across the system), there's now another threat to warn about.

Emails have been spammed out by cybercriminals, posing as messages from Skype, claiming that you have changed your password on the service.

Here's an example of one such email:

If you look carefully, you may spot that the spammers made a clumsy spelling mistake:

Password successfully changed
Your new Skype password has been set.

You can now view your attached call history and inscturtions how to change your account settings.
If the changes described above are accurate, no further action is needed. If anything doesn't look right, follow the link below to make changes: Restore password
Talk soon,
The people at Skype

Perhaps surprisingly, the links really do point to the genuine Skype website at skype.com.

However, a file (Skype_Password_insctructions.zip) is attached to the email, and if you make the mistake of unzipping and executing its contents (Skype_Password_inscructions.pdf.exe) you run the risk of infecting your Windows computer.

The malware, which is detected by Sophos products as Troj/Backdr-HN, opens a backdoor onto your computer, giving remote hackers access to your system.

The danger is, of course, that users worried by the recent worm will be frightened that their Skype password has been changed without their consent, and open the attachment - and thus infect their PC.

As always, be on the lookout for unsolicited suspicious emails and always be wary of opening attachments which arrive out of the blue. In this case, the file is using the well-known "double extension trick" to dupe the unwary into believing that they might be clicking on a PDF rather than executable code.
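The "double extension trick" described above is easy to flag mechanically at a mail gateway or in an attachment sandbox. The check below is an added example, not code from the original article or from Sophos: it classifies an attachment name as a double-extension lure, as a bare executable, or as harmless, and when the attachment is a ZIP (as in this campaign) it inspects the member names inside it. The extension lists, the constructed sample archive and all function names are my own assumptions; the sample ZIP contains only a text file with the lure's file name, not a program.

```python
import io
import zipfile

# Extensions Windows treats as directly executable (a representative set, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "jse", "wsf", "hta", "msi"}

# Extensions used as the "decoy" part of a double-extension name (also a representative set).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "jpeg", "png", "gif", "html"}


def classify_attachment(filename):
    """Return 'double_extension', 'executable' or 'ok' for a single file name.

    Segments are stripped so that padding such as 'photo.jpg   .scr' (spaces used
    to push the real extension out of view in a narrow column) is still caught.
    """
    segments = [s.strip() for s in filename.lower().split(".")]
    if len(segments) < 2 or not segments[-1]:
        return "ok"
    if segments[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(segments) >= 3 and segments[-2] in DECOY_EXTS:
        return "double_extension"
    return "executable"


def scan_attachment(filename, data):
    """Classify an attachment and, when it is a ZIP archive, every member inside it.

    Returns a list of (name, verdict) pairs so the caller can log or quarantine
    on any verdict other than 'ok'. A ZIP that cannot be parsed is reported as
    'corrupt_archive' rather than silently passed.
    """
    findings = [(filename, classify_attachment(filename))]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    findings.append((member, classify_attachment(member)))
        except zipfile.BadZipFile:
            findings.append((filename, "corrupt_archive"))
    return findings


def should_quarantine(findings):
    """True when any finding is something other than 'ok'."""
    return any(verdict != "ok" for _, verdict in findings)


def build_sample_zip():
    """Constructed sample: a ZIP holding a plain text file whose name mimics the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Skype_Password_inscructions.pdf.exe", "constructed sample, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    findings = scan_attachment("Skype_Password_insctructions.zip", sample)
    for name, verdict in findings:
        print(f"{verdict:17} {name}")
    print("quarantine:", should_quarantine(findings))
```

The outer ZIP name is itself harmless, which is exactly why a check that stops at the attachment's own extension misses this campaign; the verdict that matters comes from the member name inside the archive.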

Follow @gcluley

Thanks to SophosLabs researcher Julie Yeates for her assistance with this article.

Lock image from Shutterstock.


Thursday, November 15, 2012

Facebook scans private messages to inflate the "Like" counter on websites


Facebook has confirmed that it's scanning private Facebook messages to boost "Like" counters on third party websites.

Killswitch.me, described by The Next Web as a "Polish startup", on Thursday posted a since-deleted YouTube video on Hacker News that showed that sending a link to a website via a private Facebook message increased that website's Facebook Like counter by two likes.

And then by another two. And then another, and another, causing the Likes to steadily balloon.

In fact, one poster on Hacker News testified that people could pump it up by 1,800 Likes per hour.

The video, removed from YouTube, can still be viewed on Vimeo (possibly not safe for work).

When TNW's Emil Protalinski checked with Facebook, company spokespeople confirmed that they had discovered a bug affecting Like counts.

But the bug didn't relate to the actual private-message peeping.

Rather, the bug concerned inflating page counts by two Likes instead of one, as a spokesperson told TNW:

We did recently find a bug with our social plugins where at times the count for the Share or Like goes up by two, and we are working on [a] fix to solve the issue now. To be clear, this only affects social plugins off of Facebook and is not related to Facebook Page likes. This bug does not impact the user experience with messages or what appears on their timelines.

The fact that this function is baked into Facebook code, as opposed to being a potential fluke of privacy transgression, is confirmed, as Protalinski noted, on the Facebook Developers page, which states that a website's number of Likes is the sum of:

* The number of likes of this URL

* The number of shares of this URL (this includes copy/pasting a link back to Facebook)

* The number of likes and comments on stories on Facebook about this URL

* The number of inbox messages containing this URL as an attachment.


Facebook's scanning of private messages isn't new.

The power of the social media mammoth's data mining technology when applied to private messages came to light in March, when Facebook was credited with quashing potential child molestation between a 13-year-old girl and a man in his 30s who were having a private Facebook conversation about sex.

As Facebook described it at the time, its data mining technology scans postings and chats for criminal activity, analyzing relationships to find suspicious conversations between unlikely pairings: i.e., between people of widely varying ages who only have loose and/or newly formed relationships.

Email providers such as Gmail also have a long-standing practice of reviewing messages to weed out spam and to target ads.

Those are reasonable uses of data mining technology, but it's disconcerting to find what might be yet more intrusive forays into allegedly private messages.

Thus, it's a bit of a relief to learn that Facebook later clarified the privacy issue, saying that "absolutely no private information" is exposed in the private-message-derived Like inflation:

Absolutely no private information has been exposed and Facebook is not automatically Liking any Facebook Pages on a user's behalf.

Many websites that use Facebook’s 'Like', 'Recommend', or 'Share' buttons also carry a counter next to them. This counter reflects the number of times people have clicked those buttons and also the number of times people have shared that page's link on Facebook. When the count is increased via shares over private messages, no user information is exchanged, and privacy settings of content are unaffected. Links shared through messages do not affect the Like count on Facebook Pages.

At any rate, the integrity of the Facebook Like counter has been in question for a while.

It came up again last week, when well-Liked pages began to sag as Facebook swept out bogus Likes gained via malware, compromised accounts, duped users or purchased bulk Likes.

Unfortunately, the fact that Facebook registers URLs shared in private messages means that we're now all potentially contributors of unintended likes.

It means that sharing a link that outrages, disgusts or appalls the sender will result in that website's Facebook Like counter going up.

Researching hate groups? Discussing corporate malfeasance?

Be prepared to add to your subjects' Facebook counter glow, whether you want to or not, if you send URLs via private Facebook conversations.

If you're on Facebook, and want to learn more about security and privacy issues on the social network, consider joining the Naked Security Facebook page.

Follow @LisaVaas
Follow @NakedSecurity

Private stamp, courtesy of Shutterstock


Wednesday, November 14, 2012

US investigators will call for ban on Huawei, ZTE over spying concerns


The US House of Representatives Intelligence Committee will issue a report Monday that recommends that Chinese firms Huawei and ZTE should be barred from the US market because their products could be used to undermine domestic cyber security, according to a draft copy of the report obtained by Naked Security.

In a damning indictment of both companies, the House Intelligence Committee report accuses Huawei and ZTE executives of hindering its investigation of their business practices and hiding information.

Huawei may even be guilty of violating US trade laws, according to the report, which recommends that the US Government use its authority under the Committee on Foreign Investments in the United States (CFIUS) to block acquisitions or mergers involving Huawei or ZTE.

In addition, the US Government and intelligence agencies should block any use of technology from the two firms. US businesses, the report recommends, should consider the "long term security risks" associated with doing business with either ZTE or Huawei, the report advises.

The report caps off a year-long official inquiry into the firms, which have been expanding their business in the United States, while maintaining close ties to the Chinese Communist Party and People’s Liberation Army at home.

The Committee sought to establish whether there was any factual claim to charges that the two firms posed a security risk to the USA by understanding how the companies functioned and their formal or informal ties to the Chinese government and Chinese Communist Party.

The investigation also looked into reported violations of US companies’ copyright and intellectual property rights.

Huawei, based in the city of Shenzhen in Guangdong province, China, is the world's largest maker of telecommunications equipment and employs 140,000 people world-wide.

The company is a chief competitor to US-based firms like Cisco Systems, which has seen Huawei eat into its market share, especially in developing markets.

The two companies sparred over charges of copyright infringement and what Cisco alleges was the illegal use of Cisco code.

ZTE Corp., also based in Shenzhen, is the world’s fifth largest telecommunications equipment maker, and a major manufacturer of mobile phones, mobile telecommunications equipment and software.

The company found itself in hot water with United States regulators and business partners after Reuters reported that ZTE had helped funnel software and hardware from US firms including Oracle, Microsoft and Cisco Systems to the government of Iran in 2010 for use building what was described as a $130m, nation-wide surveillance system.

That act violated an American embargo on technology sales to the government of Iran and put ZTE’s US partners in hot water.

Ahead of the House Intelligence Committee report, one of those partners, Cisco Systems, said it was breaking ties with ZTE, Reuters reported.

As part of the investigation, Committee members reviewed “open source” information and conducted interviews with company and government officials and held an open hearing with senior officials from both Huawei and ZTE.

Does networking gear from Chinese firms Huawei and ZTE come with secret back doors accessible to the People's Liberation Army?

The report’s authors admit that they found no “smoking gun” on that issue and lacked the technical expertise to pursue it seriously, anyway.

However, the Committee’s report notes that “companies around the United States” have experienced “odd or alerting incidents using Huawei or ZTE equipment.” The report also alluded to classified intelligence, not included in the public release, that is more damning.

That and the companies’ intransigence in the face of questions from the House Committee were enough to prompt the Committee to assume the worst about Huawei and ZTE’s practices – and recommend that American companies and government agencies do the same.

The United States government isn’t the first to ban equipment from the two telecom giants.

In May, 2010, India banned telecommunications firms there from importing Chinese networking equipment over fears that they were riddled with information-stealing spyware.

More recently, the federal government in Australia banned Huawei from participating in multi-billion dollar deals to supply equipment for a national broadband network, also over fears that the equipment could be used to aid cyber attacks by China’s government.

Follow @paulfroberts
Follow @NakedSecurity

China poster, Circuit board and red circuit board images from Shutterstock.


Tuesday, November 13, 2012

Monday review: the hot 21 stories of the week


Filed Under: Android, Facebook, Fake anti-virus, Internet Explorer, Law & order, Malware, Mobile, Phishing, Security threats, Social networks, Spam, Twitter, Vulnerability

Tags: Android, Apple discount cards, Bing, Blackhat, bsd, bugbear, China, defibrillators, Facebook, ftc, hacking, Insulin Pumps, Japan, keccak, Microsoft, nitol, scareware, SEO Poisoning, TinKode, Twitter, White House, wifi


Monday, November 12, 2012

Ransomware encrypts files claiming SOPA piracy charges


The latest iteration of ransomware claims to be from the "Stop Online Piracy Automatic Protection System".

SOPA warning from Reveton ransomware

SOPA, you might recall, was a controversial US law that was widely opposed by internet users earlier this year. It never became law.

The ransom screen goes on to tell you that your computer is on a "S.O.P.A. IP Black List" because it was used to download copyright infringing materials, child pornography or illegal software.

The malware encrypts all of your data files and holds them hostage, offering to decrypt them if you pay a fee to the criminals.

As we saw before they are asking for $200 in fines that can be paid by MoneyPak. Green Dot MoneyPak is a cash equivalent prepaid card available at many popular US retailers.

MoneyPak warning

Fraud using MoneyPak has become enough of a problem that the company has posted a prominent warning to victims urging them not to send payments to any company not on MoneyPak's approved list.

For some reason Americans and Canadians get a discount as they are requesting 200 Euros for victims outside North America.

The usual 72 hour warning is present, letting you know that if you don't pay up within 3 days they will delete all of your precious data.

One thing I hadn't seen before is a decryption test service. If you are willing to mail off one of your encrypted documents with your unique ID number the criminals will decrypt it for you to demonstrate they do in fact possess the keys.

If you end up infected by this, I would strongly urge you not to give in to the criminals' demands. The best course of action is to restore from a backup onto a clean system and be sure to apply all patches and security precautions.

As the number of ransomware cases continues to increase we are seeing new social engineering techniques being used to convince victims to pay up or lose everything.

My colleague Paul Ducklin has written about ransomware families like the FBI-spoofing Reveton before, even producing a video demonstrating how ransomware works.


http://twitter.com/chetwisniewski


TinKode sentenced after hacking Oracle, NASA and others to expose weak security


The infamous hacker known as TinKode has been sentenced by a Romanian court, according to media reports.

Cernaianu Manole Razvan was arrested in January 2012, after a series of high profile hacks of government and military websites, exposing their poor security and often publishing passwords and screenshots as evidence.

Past victims have included websites belonging to the British Royal Navy, MySQL.com (which ironically fell foul of a SQL injection attack) and NASA servers.

Royal Navy website

To the relief of many, TinKode appeared to be inspired more by the desire to embarrass organisations into improving web security - rather than making money.

In an interview with Network World in 2011, TinKode compared his activities to a free security audit:

Until now, no. I don't do bad things. I only find and make public the info. Afterwards I send an email to them to fix the holes. It's like a security audit, but for free.

Nevertheless, his actions were illegal and led to his arrest by Romanian authorities earlier this year. Last month a Romanian court ordered Razvan to pay 93,000 Euros (approximately $120,000) to cover the costs suffered by his breached victims, and gave him a two year suspended prison sentence.

That's a lesson that others would be wise to learn from if engaged in similar activities.

Free TinKode petition

An online petition, started by TinKode's sympathisers, failed to receive significant support (a hoped-for 5,000 signatures had reached only 187 at the time of writing). It remains to be seen whether those sympathisers will help the young Romanian pay his substantial fine.

It's no excuse for TinKode's criminal hacks, but if the websites had been properly secured in the first place they would have never found themselves embarrassed by the Romanian hacker.

If you haven't already done so, check out our free technical paper about "Securing websites", which discusses common ways web servers are attacked and the various ways that they can be protected.

Follow @gcluley


Saturday, November 10, 2012

Beware the Bad Piggies: Fake games hit 82k Chrome users with adware


Malware authors are expert at spotting opportunities and market conditions that will aid them in distributing their wares. We saw that again last week, when security firms began warning that supposedly "free" versions of the Angry Birds spin-off "Bad Piggies" for Google's Chrome browser are, in fact, fakes that harvest data and install adware.

Researchers at the firm Barracuda Networks wrote that spammers and other online scam artists have jumped on excitement about the Angry Birds sequel with phony Bad Piggies offerings that install adware and harvest data from users' web sessions.

Bad Piggies, from the Finnish mobile application developer Rovio, is a spin-off of the mega-popular Angry Birds franchise that flips the perspective of that game: putting players in the position of the pigs, rather than the vengeful birds.

The game was released on September 27th and quickly became the top download from Apple’s iOS App Store.

The game runs on iOS, Android, Windows and Apple Mac. There isn’t a version (yet) for Google’s Chrome platform, creating an ideal opportunity for spammers and rogue application developers.

A search of Google’s Chrome Store on Sunday revealed five Chrome applications that posed as versions of Rovio’s Bad Piggies, while other games mention “Bad Piggies” along with “Angry Birds.” None are official versions of the Rovio game.

Unauthorised Bad Piggies in the Chrome App store

The two top offerings, both named “Bad Piggies,” are packaged to look like the official Rovio game, though neither is a playable version of Bad Piggies.

The first, from the web site gametc.net, received 1.5 stars out of five and was downloaded 8,543 times, according to the Chrome Web store. It collected 143 reviews, all negative and many warning of links to adware laden web sites.

The second, from the publisher Pabeda, was downloaded 1,958 times and is an inferior, cloned version of Angry Birds; it collected 29 reviews ranging from cautionary to hostile.

Researcher Jason Ding said that Barracuda found many of the phony Chrome applications ask for wide ranging permissions to collect data from any user web sessions. Others installed a plugin that monitored what websites the user visited and then superimposed ads on those sites, including yahoo.com, ebay.com, Disney.go.com and msn.com, in addition to the official chrome.angrybirds.com website.

Ding said that, as of October 2nd, 82,593 Chrome users installed some version of the ad-injected Chrome applications.

This isn’t the first time that Google’s Chrome Store has been used to distribute information stealing adware.

In May, 2011, Naked Security wrote about a similar scam involving a playable version of Super Mario that also harvested data from your browsing history and Web sites you visit.

Super Mario World

Google’s hands-off policy for its Chrome Store and Google Play app store has aroused the ire of security experts before.

Writing for Barracuda, Ding said that Google should provide more security on the Chrome Web store to protect its users. In the meantime, Chrome users should beware of applications that request permissions far in excess of what they reasonably need to run.
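The rogue Bad Piggies apps give themselves away in their manifests: a self-contained game has no reason to ask for every website or for the tabs and webRequest APIs. As an added example (not code from Sophos, Barracuda or Rovio), here is a small Python audit of a Chrome extension manifest.json that flags all-sites host patterns and data-exposing APIs. The permission lists, the severity thresholds and the two sample manifests are assumptions constructed for illustration, not a Chrome Web Store rule.

```python
import json

# Host patterns that grant access to every website. This set is an assumption
# made for this example; Chrome's own match-pattern syntax is broader.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that expose browsing data a casual game has no need for
# (assumed threshold list for this example).
SENSITIVE_PERMISSIONS = {
    "tabs": "read the URL and title of every open tab",
    "webRequest": "observe network requests to any permitted host",
    "webRequestBlocking": "modify or block network requests",
    "webNavigation": "track navigation events across sites",
    "history": "read the full browsing history",
    "cookies": "read cookies, including session tokens",
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def audit_manifest(manifest_json):
    """Return (severity, item, reason) findings for permissions that exceed what a
    self-contained game plausibly needs. Handles both the manifest v2 layout (host
    patterns inside "permissions") and v3 ("host_permissions")."""
    manifest = json.loads(manifest_json)
    findings = []
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in declared:
        if perm in BROAD_HOST_PATTERNS:
            findings.append(("high", perm, "host pattern matches every website"))
        elif perm in SENSITIVE_PERMISSIONS:
            findings.append(("medium", perm, SENSITIVE_PERMISSIONS[perm]))
    # A content script injected into every page can read and rewrite the DOM,
    # which is all that is needed to superimpose ads on sites the user visits.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOST_PATTERNS:
                findings.append(("high", "content_scripts:" + pattern, "script injected into every page"))
    return findings


def risk_level(findings):
    """Coarse triage: the highest severity among the findings, or 'low' if none."""
    level = "low"
    for severity, _, _ in findings:
        if SEVERITY_RANK[severity] > SEVERITY_RANK[level]:
            level = severity
    return level


# Constructed sample manifests for this example (not taken from any real extension).
ROGUE_GAME_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Bad Piggies",  # borrows the real game's name; nothing else is genuine
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "webRequest", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

PLAIN_GAME_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Some Puzzle Game",
    "version": "1.0",
    "permissions": ["storage"],
    "app": {"launch": {"local_path": "index.html"}},
})

if __name__ == "__main__":
    for label, manifest in (("rogue", ROGUE_GAME_MANIFEST), ("plain", PLAIN_GAME_MANIFEST)):
        findings = audit_manifest(manifest)
        print("%s: risk %s" % (label, risk_level(findings)))
        for severity, item, reason in findings:
            print("  [%s] %s: %s" % (severity, item, reason))
```

Run against the constructed rogue manifest the audit reports four findings and a "high" risk level, while the plain game manifest (storage only) produces none. The same check applies to any unpacked extension: read its manifest.json before installing, and treat all-sites host access combined with tabs or webRequest as a reason to walk away.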

Sophos researchers have confirmed that the rogue Bad Piggies applications ask for permission to snoop upon an alarming amount of web data, and have blocked access to the affected websites.

Follow @paulfroberts