
Thursday, January 31, 2013

Carly Rae Jepsen nude photos hacker suspect arrested

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Back in July, word reached Naked Security that nude photos of pop starlet Carly Rae Jepsen had allegedly been stolen from her personal computer, sparking an investigation by police.

According to media reports, a 25-year-old man is said to have now turned himself in to Vancouver police in relation to the theft.

Christopher David Long has been charged with fraudulently obtaining telecommunications services, unauthorized use of computer, mischief to data, identity fraud, and possession of stolen property.

It is alleged that Long was attempting to sell images of the "Call Me Maybe" singer to various websites.

Which, if true, reminds me rather of the case of Christopher Chaney who hacked into the email accounts of various female stars, including Mila Kunis, Christina Aguilera and Scarlett Johansson.

Clearly everyone - celebrity or not - should ensure that they use strong, hard-to-crack passwords and defend their computers with up-to-date security software.

But if you still worry that you could potentially fall victim to a hacker stealing naked pictures of yourself, here is my further advice. (I originally offered it to Mila Kunis, but it actually works for anyone who is worried that hackers may steal their nude photographs):

Cut-out-and-keep reminder

Long has been released from custody and is due to appear in court on January 4th 2013.

Follow @gcluley

Carly Rae Jepsen image from Shutterstock.



Wednesday, January 30, 2013

Securing a tablet for web browsing in six easy steps


Internet on the go has finally become a reality with today’s mobile technology. Whether you’re checking email at the coffee shop or taking a quick conference call at the beach, tablets make it easy to stay entertained and productive virtually anywhere life takes you.

Beware though. Taking your tablet online can make you vulnerable to an assortment of internet dangers, including identity theft and hackers. This is especially true if you’re taking advantage of a public hotspot rather than your home network. Follow these simple steps to ensure safe and secure browsing no matter where you are.

1. Use 3G rather than free WiFi

Wireless hotspots are often unsecured, leaving your information within sniffing reach of anyone in range of the network. Even encrypted WiFi connections can make your data accessible to the other guests around you. A 3G or 4G data plan is the best option for security, but not all mobile services are unlimited. The next few tips will minimize your risks when you do connect through a public network.

2. Use a VPN

Virtual private networks (VPN) are available through many mobile service providers. Featuring multiple layers of encryption, a VPN offers a secure way to surf the web without compromising your sensitive data. A VPN may also include additional features, such as remote desktop access to safely and conveniently access and transfer files between your home and work networks.

3. Be selective with your browsing

If you are not using a VPN, it's important to use caution when you're surfing the web using a WiFi hotspot. Websites with https addresses (rather than just http) are encrypted for better security. Make sure your email server uses this encryption throughout your session to keep snooping eyes out of your inbox. Save sensitive activities like banking or shopping for home if you can.

4. Keep your device secure

Hopefully, everyone understands the importance of protecting your tablet from physical thieves. You should have a strong PIN code or passphrase to prevent unauthorised access, and follow Naked Security's advice on how to protect your phone or tablet from thieves.

But be aware of the other ways criminals could access your data or your tablet's resources.

Whether you’re connecting over a 3G network or a public hotspot, a good security app can prevent many headaches. These apps are similar to computer security software and can help protect your device from malware, as well as other online mishaps.

Sophos provides a free tool for securing Android devices from malware and other threats.

Unfortunately, Apple doesn't allow fully-featured anti-virus programs in its App Store - but the good news is that iOS hasn't suffered so far from anything like the malware problem that has troubled Android devices.

VPN services can provide secure surfing for laptops and tablets.

5. Download from trusted sources

Even when you’re browsing over a secure network, certain types of websites can pose threats to the security of your tablet. Some sites may attempt to download files to your device that could collect information or damage your existing files. Downloading apps from third-party sources can put your device at risk as well. Stick to trusted app stores such as the iOS App Store, Google Play and the Amazon App Store.

Historically, the official marketplaces have suffered less from malicious apps than the third-party unofficial stores.

6. Keep your OS and apps up-to-date

Keeping your tablet and its software up to date is the best way to protect yourself as well as your device. System upgrades are particularly important because many of these updates contain vital security fixes. Running a previous version of the operating system can open your device up to even more dangers, especially hackers. Be sure to keep your apps up to date as well. Many have access to a great deal of information.

Tablets make it much simpler to stay connected in today’s busy world, but leaving your device open to security threats is a big mistake. Be sure to follow the advice above before you take your tablet online.

Follow @CharliRadke
Follow @NakedSecurity



Tuesday, January 29, 2013

Windows passwords: "Dead in Six Hours" - paper from Oslo password hacking conference


Filed Under: Featured, Windows

OK, so Dead in Six Hours isn't quite what the paper is called. I made that up.

It's actually called Exacerbating Global Warming. (It is. Really.)

In the paper, researcher Jeremi Gosney describes a pet project of his.

He's lashed together 25 AMD Radeon Graphics Processing Units (GPUs) into a specialised computing cluster.

It will cost you about $20,000 to build one, and you'll need twenty rack units of space in a server room. (That's just under a rack-metre.)

You'll also need an industrial-style power supply delivering 7kW, which is where the paper's title comes from, plus some half-decent air conditioning.

In return for your investment, claims Gosney, you'll be able to brute-force all regular eight-character Windows passwords from their NTLM hashes in about six hours.

That's about four times faster than Gosney's previous top-end hashbusting machine, which needed 24 hours - an entire day! - to do the same job.

Why so fast? And why Windows passwords?

The reason is that NTLM relies on one of the easiest-to-crack hashing systems still in widespread use: a straight, unsalted, uniterated MD4 hash of your password. (The raw password is presented in little-endian UCS-2 format, with 16 bits per character, not as an ASCII string.)

If you have a UNIX-flavour command prompt and some common utilities handy, you can convert any ASCII password to its NTLM hash like this:

$ echo -n "password" | iconv -f ASCII -t UCS-2LE \
  | openssl dgst -md4
(stdin)= 8846f7eaee8fb117ad06bdd830b7586c

Note that, with no salt, everyone who chooses "password" as a password will end up with the same hash, so you can use a pre-computed database of common hashes.

But with Gosney's cracker, you might as well not bother pre-calculating anything: you can churn through nearly 400,000,000,000 MD4 hashes per second and save yourself the space you'd need to store the lookup table.

Big deal, you say. Microsoft no longer recommends NTLM anyway, and Active Directory logins don't use it.

But perhaps consumers and small businesses should be worried? After all, if you have an ad hoc network of Windows computers, without Active Directory or a Windows domain, you're still wedded to NTLM.

In fact, any local accounts on a Windows PC have NTLM hashes stored locally in the Security Accounts Manager (SAM) database. Grab the hashes, and you can attack them offline.

Big deal, you say. If hackers can leech your SAM database, they've already got Administrator rights, so they don't need your password.

But if they do get and crack your password hashes, they may be able to get back in later at their leisure, even if you close the security hole they used to grab your SAM data. And they'll have the plaintext of your password, which could cost you if you have used it anywhere else.

So here are two lessons we can learn from this:

Eight characters just isn't long enough for a password these days.

- Choose long and complex passwords, or use a password management tool to help you. That way, you keep ahead of the bulk cracking tools. If eight characters gives 98-to-the-power-8 choices, adding just three more randomly-chosen characters multiplies that by a further 98-to-the-3, or close to 1,000,000-fold.

You probably have other passwords even more easily crackable than your Windows one.

Some websites or online services may even keep plaintext, or unhashed, copies of your password. Cracking time for those is zero.

- Don't use the same password for multiple accounts. That way, you don't lose the keys to the whole castle if any of your individual passwords is compromised.

Oh, and if you're looking for the briefest of technical challenges over the holiday season, why not satisfy yourself how risky simple passwords are by having a go at the hashes in the Windows 8 screen shot above?

Estimated time to crack once you're ready to go, even without a GPU: well under a second.

Here they are, cuttable-and-pastable for your cracking pleasure:

Administrator:500::F773C5DB7DDEBEFA4B0DAE7EE8C50AEA:::
duck:1001::BECEDB42EC3C5C7F965255338BE4453C:::

Enjoy.

Follow @duckblog



Monday, January 28, 2013

NASA hacker Gary McKinnon will not face charges in the UK


Gary McKinnon, the British hacker who broke into US government computers hunting for evidence of UFOs and fought a long fight against extradition, has been told that he will now *not* face prosecution in the UK.

Keir Starmer, the Director of Public Prosecutions, announced the decision, three months after Home Secretary Theresa May told the House of Commons that McKinnon would not be extradited.

The decision, which is unlikely to go down well with the US authorities, appears to end the controversial 10-year-long saga of Gary McKinnon's fight.

The 46-year-old hacker, who has been diagnosed as having Asperger's Syndrome, has had an impressive support group campaigning for him, with figures such as Sting, London Mayor Boris Johnson, former Beirut hostage Terry Waite, Pink Floyd's David Gilmour, and Julie Christie amongst those who backed his fight against extradition.

And it's not just celebrities. In 2009, a Sophos poll of 550 IT professionals found that 71% believed that McKinnon should not be extradited to the USA.

What do you think of Gary McKinnon escaping charges in both the United States and UK? Is it the right decision? Leave a comment below.

Here are some of the past stories we have written about this fascinating case:

Follow @gcluley


Suspected gang behind the $850 million Butterfly botnet arrested


The FBI has announced that 10 individuals have been arrested, suspected of involvement in infecting 11 million computers with spyware that led to an alleged $850 million in losses.

The FBI is said to have worked in co-ordination with law enforcement agencies around the world on the investigation.

The suspected gang were arrested in Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States, as international computer crime cops linked the individuals with the Yahos malware.

According to the FBI, the Yahos malware threat compromised 11 million PCs worldwide, forming the Butterfly botnet, and stole computer users' credit card details, as well as bank account information, and other personal data that could lead to identity theft.

Typically, computers became infected through the oldest trick in the book - duping unsuspecting users into running an executable program that installed the malware. The malware then spread further via popular instant messaging services and social networks such as Facebook and MySpace.

The FBI has publicly thanked the security team at Facebook for providing assistance with the investigation, providing data that helped identify the perpetrators and - importantly - those who had been affected by the malware.

The authorities certainly should be applauded for investigating those alleged to be behind the Yahos malware and Butterfly botnet. Computer crime cases like this can often be complicated, and cover multiple jurisdictions and time zones.

Once again, it's a good reminder to all of us who use computers that we should not be dissuaded from reporting a malware attack simply because "the bad guys are probably based in a country far far away".

It would be a crying shame if the authorities were able to determine who they believed was responsible for malware or a botnet, but were unable to dig up any victims. Thankfully, with the help of Facebook, that hasn't happened on this occasion.

(By the way, don't confuse the Yahos/Butterfly botnet with the Mariposa botnet. It's an easy mistake to make as "Mariposa" is Spanish for "butterfly").

Follow @gcluley

Evil butterfly image from Shutterstock.



Saturday, January 26, 2013

Samsung Smart TV security hole allows hackers to watch you, change channels or plug in malware


Did your Samsung Smart TV just switch channel?

Don't blame the dog for stepping on the remote control - there's a remote possibility it could be hackers who've hijacked your smart TV.

Researchers with Malta-based security consultancy and bug seller ReVuln have found a vulnerability in an unspecified model of a Samsung LED 3D TV that they exploited to get root access to the TV and any attached USB drives.

In a video titled "The TV is Watching You", ReVuln shows a Samsung TV screen with which the researchers systematically fiddle.

Here's what the researchers found they could access:

- TV settings and channel lists
- SecureStorage accounts
- Widgets and their configurations
- History of USB movies
- ID
- Firmware
- Whole partitions
- USB drives attached to the TV

By exploiting the vulnerability, ReVuln also found that they could retrieve the drive image, mount it locally, and check for sensitive documents or material that should remain private, such as usernames, passwords, financial documents, or any other type of material typically kept on USB drives.

If the victim uses a remote controller, ReVuln also found that they could get its configuration and thereby control the TV remotely.

Samsung Smart Hub

ReVuln also found they could install malware remotely to gain complete root access to the TV, co-founder Luigi Auriemma told IDG News Service:

"If the attacker has full control of the TV...then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to 'watch' the victim."

The vulnerability extends beyond one specific model tested in the firm's lab, he said:

"The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln."

ReVuln is a recent entrant into the market for buying and selling bug and vulnerability information and mostly focuses on vulnerabilities in SCADA and ICS software that run utilities, industrial systems and the like.

Auriemma has played around with TVs before. In April, he stumbled on a vulnerability in all current versions of Samsung TVs and Blu-Ray systems that would allow an attacker to gain remote access.

At the time, he said that the vulnerabilities could be found in all Samsung devices with support for remote controllers.

One hopes that the researchers have acted responsibly and informed Samsung of the vulnerabilities in their consumer devices, and that an over-the-internet firmware update to plug the security holes will be forthcoming.

Follow @LisaVaas
Follow @NakedSecurity



Friday, January 25, 2013

How to report a computer crime: Fake anti-virus


Do you know how to report a computer crime? Or even who you would report it to?

So far, we have looked at phishing and SQL injection attacks, trolling, unauthorised email account access and malware in our series of articles on how to report a computer crime. In this article, we'll look at fake anti-virus.

We'll look at what offences are committed in different countries when a crime like this happens, how you should report the crime, and what evidence you can preserve that might help in the subsequent investigation.

Take this scenario:

Peter is browsing the internet at home using his PC and lands on an adult content web portal. He sees a hyperlink offering to download an X-rated movie. Peter downloads the file.

Peter has the option “Hide extensions for known file types” selected in the folder option of his user account settings, so he is not aware of the fact that the file he has downloaded is in fact an executable file and not the AVI file it is masquerading as.

Peter runs the file and nothing appears to happen. He attempts to access Windows Task Manager but he finds he is unable to. After about two minutes, the icons on Peter's desktop disappear and he is presented with a scrolling window that appears to be scanning the contents of his hard drive. Once the scan has finished, Peter is told that his computer is infected with over twenty pieces of malware.

This, of course, isn't the case; Peter is infected with Trojan/FakeAV-GCK which he had downloaded from the web portal.

Peter has an anti-virus application installed, but received no alert at the time of the download because the fake anti-virus malware was a new variant.

Peter telephones the customer support number displayed by the fake anti-virus application and reads out his credit card number to pay for the 'license fee' of 85 pounds. He is given a 'license key' and enters it into the fake anti-virus which then completes its quarantine and cleaning cycles and declares that Peter’s PC is clear of malware. Of course, the real malware is still on his computer.

A day later, the malware is detected by Peter's anti-virus software following a signature update.

The fake anti-virus operation, including the call centre processing the fraudulent payments, is part of the activity of an online criminal group. The cybercriminals' intention is to infect as many computers as possible in order to generate money by tricking their victims into believing they were infected with multiple instances of malware.

In this scenario, two primary offences have taken place which can be broken down like this:

Firstly, the cybercriminals performed an unauthorised modification in relation to a computer.

It is unauthorised because they did not have permission to install the malware on Peter’s computer. He believed he was running a movie file and had he known the full circumstances he would not have consented to the cybercriminal’s action.

The cybercriminals knew that this activity was unauthorised. They intended to impair his computer by preventing access to the Task Manager, and then falsely reporting the PC was infected.

Secondly, the cybercriminals committed a fraud by false representation.

Peter has been tricked into believing his computer is riddled with malware. As a result of that deception, he made a payment unwittingly to the cybercriminals in the belief it would resolve the malware infections.

We've focused on the UK, USA, Canada and Australia, but each country has its own legislation, though the relevant statute often exists to accommodate the same offences in each country.

UK

In the UK, most computer crime falls under offences covered by one of three pieces of law:

Other associated crimes could include Conspiracy or Money Laundering offences, but victims of computer crime are more often than not affected by at least one of the three acts listed above.

In this case, the cybercriminals commit two offences. The first, Unauthorised Acts with Intent to Impair, contrary to Section 3 of the Computer Misuse Act 1990, is committed when an offender modifies a computer with intent to impair the functionality of that computer.

The second, Fraud by False Representation, contrary to Section 2 of the Fraud Act 2006, is committed when Peter is tricked into believing his computer is infected.

In this instance, false representation is made both with and without human intervention. The call centre operator takes part in the deception and the malware falsely indicates that the computer is infected. The false representation may be express or implied.

USA

In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers.

This is what the cybercriminals contravened when they disseminated the malware.

Canada

The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:

- Unauthorised Use of Computer
- Possession of Device to Obtain Computer
- Mischief in Relation to Data
- Identity Theft and Identity Fraud

In this case, both Section 342.1 Canadian Criminal Code (CCC) - Unauthorised Use of a Computer - and Section 430(1.1) CCC - Mischief in Relation to Data (damaging data) - were contravened.

Australia

Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.

The primary legislation for computer offences is the Summary Offences Act, 1953 (SOA) and the Criminal Law Consolidation Act, 1935 (CLCA).

In this scenario offences falling within Section 86 CLCA were committed.

UK

In the UK, when a crime has taken place it should be reported to the police, so Peter should immediately report it at the local police station.

A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU), which provides the UK's investigative response to the most serious incidents of cybercrime. The PCeU requests that routine reports of computer crime offences are not made directly to them.

There is also an alternative reporting body for internet-enabled crime: Action Fraud.

Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.

USA

The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).

Two Federal LEAs have a remit to investigate some computer crimes:

- The Federal Bureau of Investigation (FBI)
- The United States Secret Service (USSS)

In this case the crime should be reported at the FBI Local Office, or US Secret Service or Internet Crime Complaint Centre.

Canada

The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes, but they also have policing responsibility for a number of the Canadian provinces and all 3 territories, as well as some local police services in towns and cities.

A computer crime victim, like Peter, should report the incident to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.

Australia

Peter should report the crime to the Australian State or Territory Police.

Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.

Peter may want to consider preserving the fake anti-virus alert by taking a screenshot of the PC. If the malware is preventing Peter from doing this, he could take a photograph of the screen. Peter should also write down the telephone number he dialled to make the payment.

Any subsequent genuine anti-virus alerts should also be recorded.

Important: Peter should also immediately inform his bank of the fraudulent activity. The bank may recommend he changes his bank card as he has passed its details over to criminals.

Peter should also ask his bank to preserve all account information relating to the fraudulent transaction, and tell them that the matter has been reported to the authorities.

Finally, Peter should keep all of his own personal bank correspondence connected to the incident.

Peter should run a malware removal tool to identify and clean up the infection. (Sophos has a free Virus Removal Tool which does just this.)

As the effects of different kinds of malware vary considerably, Peter should also talk to his anti-virus vendor for advice on any other remediation he should perform which is particular to the kind of malware he has.

In future, Peter should always exercise caution when running programs downloaded from the internet, verifying by comparing checksums if they are available.

He should make sure his anti-virus signatures are kept up to date, and that his operating system and applications are patched.

Peter should also modify the folder options on his computer to display file suffixes. Malware authors often take advantage of the fact that hidden file extensions can cloak the true nature of the file displayed. Below are two screen shots of genuine fake anti-virus - one shows the file with its extension hidden and the other shows the file with the extension displayed, revealing the file is in fact an executable.

Hidden and unhidden file extensions

To make sure file extensions aren't hidden, Peter will need to make a change to his Folder Options. How you do this varies by system, but in general the “Hide extensions for known file types” box should be unchecked.
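As an added illustration of the hidden-extension trick in Peter's scenario and of the checksum advice above (example code, not part of the original article), the following Python shows what a name like movie.avi.exe looks like with "Hide extensions for known file types" on versus off, flags downloads whose real extension is an executable type while the displayed name looks like media, and verifies a download against a published SHA-256. The extension sets approximate Windows' known types and the filenames are constructed.

```python
import hashlib
import hmac
import os

# Assumed subset of extensions Windows treats as program files, plus common media/document types.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
MEDIA_EXTENSIONS = {".avi", ".mp4", ".mkv", ".mov", ".wmv", ".jpg", ".pdf", ".doc"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | MEDIA_EXTENSIONS


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what Explorer shows: with the option on, a known final extension is dropped,
    so 'movie.avi.exe' is listed as 'movie.avi'."""
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return filename


def assess_download(filename: str) -> dict:
    """Report the true extension and whether the displayed name masquerades as a media file."""
    true_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "file": filename,
        "displayed": shown,
        "true_ext": true_ext,
        "is_executable": true_ext in EXECUTABLE_EXTENSIONS,
        "masquerading": true_ext in EXECUTABLE_EXTENSIONS and shown_ext in MEDIA_EXTENSIONS,
    }


def masquerading_files(filenames):
    """The subset of names a user with hidden extensions would mistake for media."""
    return [f for f in filenames if assess_download(f)["masquerading"]]


def verify_checksum(data: bytes, published_sha256: str) -> bool:
    """Compare a download against the checksum its source publishes (constant-time compare)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


# Constructed filenames of the kind in Peter's scenario.
SAMPLE_DOWNLOADS = ["hot_movie.avi.exe", "holiday.avi", "setup.exe", "invoice.pdf.scr"]

if __name__ == "__main__":
    for name in SAMPLE_DOWNLOADS:
        r = assess_download(name)
        print(f"{r['displayed']:<18} really {r['true_ext'] or '(none)':6} masquerading={r['masquerading']}")
    blob = b"constructed file contents"
    print(verify_checksum(blob, hashlib.sha256(blob).hexdigest()))
```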

You can do this in XP like this:

Hide extension in XP

Or Windows 7 like this:

Hide extension in Windows 7

In general, it's important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.

If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will not be a true reflection of the number of crimes taking place.

The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.

We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.

All of the scenarios are made up and the characters depicted bear no resemblance to any person.

Naked Security gratefully acknowledges the assistance of the following organisations in preparation of this series of articles:

UK Police Central e-Crime Unit
Action Fraud
United States Federal Bureau of Investigation
United States Secret Service
Royal Canadian Mounted Police
South Australia Police

Follow @NakedSecurity

Police officer, computer, warning sign and fake stamp images courtesy of Shutterstock.



Thursday, January 24, 2013

Complaint from Better Business Bureau really contains malware attack


Better Business BureauThe Better Business Bureau (BBB) is well known in North America for championing consumer rights, so if you run a company in the United States or Canada and receive a complaint from the organisation chances are that you will want to take it seriously.

Which is precisely what the cybercriminals behind the latest malware attack being spammed around the world are banking on.

Email messages have been sent to addresses around the world, posing as a communication from the BBB.

Here's a typical example (shown as a screenshot in the original article):

Here is the full text of the message:

Owner/Manager

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer's concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by December 11, 2012. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada. This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,

The Better Business Bureau Complaint Department

You can probably understand that some firms (who don't employ security-savvy staff like yourself) might be tempted to open the attached file.

Sophos security products detect the attached malware as Troj/Agent-ZGD - a Trojan horse designed to take remote control of your Windows computer, and allow a remote hacker to gain access and steal information or install more malware onto your PC.

If you use a security product from a different vendor, you should check that your systems are properly protected from this attack.

We've seen similar malware attacks in the past which pose as messages from the Better Business Bureau. If you receive one either now, or in the future, please exercise caution.

Follow @gcluley


Australian Defence Force Academy in stinkingly bad password breach


The Australian Defence Force Academy (ADFA) is the latest high-profile organisation to become embroiled in a data breach.

Students at the Academy apply both to the Defence Force and to the University of New South Wales (UNSW), which runs the academic side of ADFA's operations in Canberra.

It turns out that a hacker calling himself Darwinare breached the UNSW's servers about a month ago and sucked down a heap of SQL database records, including those of ADFA students.

He then uploaded the data to an anonymous dump site, where interested members of the public can acquire it at will.

Fast-forward four weeks to today, and the breach is starting to attract attention, no doubt because of the connection of UNSW Canberra with the Defence Force Academy.

Darwinare brag-art

It's certainly a bad look for both the University and the Academy.

It's not the end of the world, fortunately. No juicy Defence secrets such as troop movements, aircraft plans, coastal patrol schedules, or weapons purchases have been revealed.

And UNSW did the right thing, candidly explaining the breach to those affected the day after it was reported. The breach included student ID, full name, email address and date of birth; similar data about staff was dumped, too.

Nevertheless, it shouldn't have happened, and there can be no excuses.

Worst of all, the data dump reveals that UNSW was storing usernames and passwords for at least one of its computer systems in plaintext.

To be fair, these passwords were meant just for initial login, and were therefore expected to have a short life. But passwords should never be weak or guessable, or, for that matter, stored in plaintext. And the algorithm for generating the passwords in the dump is like a timewarp back into the 1970s.

They are all just seven or eight lower-case letters long. Many are repeated. All are meant to be pronounceable - surely an unnecessary step for a password that is intended to be typed in once and then changed - which leads to a conspicuous lack of randomness. Only a small set of digraphs (two-letter pairs) is used.

That produces some comic results. One percent of the passwords, for example, end in -poo, making them rather sadly self-descriptive.

Make sure this doesn't happen to you.

Harden your web services! Bring your password handling into the 1990s, if not actually the twenty-first century! Do it today!
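To make the advice concrete, here is an added example (not code from UNSW, ADFA or Naked Security) in Python. The first function measures, on a constructed sample list written in the style the article describes, the symptoms it calls out: repeats, a single character class, a narrow length range and a small digraph vocabulary. The rest shows what "1990s or later" password handling looks like: initial passwords drawn uniformly from a full alphabet, and storage as a salted PBKDF2 record rather than plaintext. The iteration count and alphabet are assumptions, not values from the article.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed sample in the style the article describes (short, lower-case,
# pronounceable, repeated). These are NOT entries from the real dump.
SAMPLE_DUMP = ["bakomel", "lanamite", "bakomel", "tokeline", "miteloba", "ropatane"]

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, chosen uniformly at random
ITERATIONS = 200_000                               # PBKDF2 work factor (assumed value)


def audit_password_list(passwords):
    """Count the weaknesses the article calls out: repeats, one character class,
    a narrow length range and a small digraph vocabulary."""
    digraphs = set()
    for p in passwords:
        digraphs.update(p[i:i + 2] for i in range(len(p) - 1))
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "lower_case_only": sum(p.isalpha() and p.islower() for p in passwords),
        "lengths": sorted({len(p) for p in passwords}),
        "distinct_digraphs": len(digraphs),
        "possible_digraphs": 26 * 26,
    }


def password_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(len(alphabet))


def generate_initial_password(length=12):
    """Random initial password: no digraph table, no pronounceability, full alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def store_password(password, salt=None):
    """What goes in the database: algorithm, work factor, per-user salt and the
    derived key, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), key.hex())


def verify_password(record, candidate):
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(key.hex(), key_hex)
```

Running audit_password_list(SAMPLE_DUMP) shows the shape of the problem: six passwords, only five distinct, all lower-case, lengths 7 and 8, and 26 digraphs out of a possible 676. For comparison, password_bits(8, string.ascii_lowercase) is about 37.6 bits even if the letters were chosen uniformly, which the pronounceable generator does not do; a 12-character password over the 62-symbol alphabet is about 71 bits.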

Thanks for listening.

Follow @duckblog

Do you run a web server at home, perhaps for friends and family, or even just for fun? How well protected are you?

Why not try our free Sophos UTM Home Edition?

You get a web application firewall, web and email filtering, IPS, VPN and more for up to 50 IP addresses.

Turn that spare PC into a full-on network security appliance!



Tuesday, January 22, 2013

But did she STEAL the iPhone? App takes photo of woman trying to unlock it


A woman who tried to unlock a stolen iPhone unwittingly took her own photo. An app on the phone then automatically sent the photo to the owner, who called the police.

The app, identified by some media outlets as iGotYa, can only be installed on jailbroken iPhones.

iGotYa takes a picture of anyone who tries to unlock the phone, maps their location and then sends the information to the owner in an email.

That's exactly what happened in this particular case, Sussex Police said, with an iPhone that had been stolen from the Coalition nightclub in Brighton, East Sussex, earlier this month.

Police have released the picture of the woman who might have stolen the phone.

iPhone capture, courtesy of Sussex Police

The Huffington Post quoted PC Gavin Crute, of Sussex Police, as saying that they're eager to talk to the woman or anyone who might recognise her:

"We know where and when the photo was taken, and it appears to be in a vehicle with quite a large sunroof."

"We don't know that the woman is the person who stole the camera, but she obviously has had some connection with it in the meantime, and I'd like to speak to her about it."

Of course, not everyone wants to jailbreak their iPhones.

Fortunately, there are other ways to protect either an iPhone or an Android, as Naked Security outlines here.

Switching on a smartphone's GPS tracking function can help, and you can do that with either Apple's Find my iPhone app or, for Androids, Sophos's free Mobile Security app.

The cost of the phone is only one thing to worry about when it comes to losing a pricey smartphone, of course. Loss of data is another thing entirely.

Which is another reason to use one of these or similar applications: either Find my iPhone or Sophos Mobile Security will remotely wipe data in case of theft or loss.

Many such applications include additional features such as protection from malware.

An enterprise edition of Sophos's free app, called Sophos Mobile Control, also allows you to:

• Enforce your security policies to ensure compliance.

• Turn on the built-in security features of iOS (iPhone/iPad), Android, BlackBerry and Windows Mobile devices, including password protection or any iOS encryption.

• Ensure that only registered devices that meet your policies - i.e., not rooted (Android) or jailbroken (iOS) - have full access to corporate data, and that the users of non-compliant devices are blocked or face other consequences until the situation is rectified.

• Help locate, lock or wipe lost devices, from the admin web console or the self-service portal.

• Have an immediate overview of your company's device status from the security dashboard.

• Prove your corporate compliance with easy inventory and reporting tools.

You do need an app like iGotYa to take an automatic snapshot of people trying to unlock your device, though.

Whichever route you pick - free app, paid app that lets you snap photos of people trying to unlock your phone, or enterprise app with more features - is better than leaving that precious gadget stark naked, unprotected and untrackable.

In the meantime, if you recognise the woman in the photo, Sussex Police ask that you call it in. In England, dial your local police on their non-emergency number: 101.

Follow @LisaVaas



Monday, January 21, 2013

SSCC 100 - John McAfee, OS X malware, Swiss intel, NASA laptops and Romanian carders


Filed Under: Featured, Podcast

Chester finally brings up his century with Chet Chat Episode 100 - the Benjamin Franklin edition!

(For readers not familiar with US history and culture, Benjamin Franklin was not only one of America's Founding Fathers, but also a tireless scientist, engineer and inventor. His likeness appears on the US $100 banknote, which is where the "century" connection comes in.)

Chet's guest in the 100th Chet Chat is Paul Ducklin.

The pair discuss a range of recent security issues:

• John McAfee and geolocation data - advice for non-fugitives.

• Website with Dalai Lama connection hit with Mac malware - making sense of the risk to OS X.

• Swiss intelligence agency in huge data theft - terabytes worth!

• NASA loses yet another laptop - find out what they're doing to prevent (yet another) repeat.

• Romanian carders hack 500,000 Australian credit cards - but law enforcement strikes back.

(07 December 2012, duration 15:37 minutes, size 11.3 MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 100. And why not take a look at the back-catalogue of Sophos Podcasts in our archive? We have loads of interesting stuff for your listening pleasure.

http://twitter.com/duckblog

Tags: carding, chet chat, Dalai Lama, John McAfee, macfee, NASA, ncb, OS X, Podcast, Romania, sscc



Sunday, January 20, 2013

SHA-1 brute-force attack trimmed by 21% - paper from Oslo password hacking conference


Two months ago, we wrote about the conclusion of the NIST Cryptographic Hash Algorithm Competition.

The winner was Keccak - now officially dubbed SHA-3.

Despite the formal ratification of this new standard, NIST's earlier hashes remain commonly used. Indeed, we can expect to see SHA-1 and SHA-2 in the wild for years - possibly even for decades.

SHA-1, in particular, is still widely encountered in password hashing.

Password hashing is where you use a cryptographic hash function in some part of your password archival system to create a one-way function.

A one-way function is a process that's easy to compute in one direction, but complex - or, better yet, computationally infeasible - to work out in reverse.

So, if you store one-way password hashes instead of the actual passwords, attackers who steal your database can't directly recover those passwords. They have to try password after password themselves, until they get lucky.

Note: Using a one-way function to store passwords is not a replacement for keeping your password database secure. It's additional security that offers a touch of defence-in-depth, just in case your server does get broken into.

Because one-way functions can't be computed in reverse, cracking cryptographically-hashed passwords is inevitably a brute-force affair. It means computing a one-way function over and over again.

As a result, password cracking experts put a lot of effort into improving the performance of widely-used password hashing algorithms, notably including SHA-1.

In June 2012, for example, researchers magnum and JimF (Jim Fougeron) contributed code to the password cracker John the Ripper that boosted raw SHA-1 password hashing speeds by 80%.

And, for the same release, Tavis Ormandy came up with an optimised implementation offering a 115% performance improvement, albeit limited to passwords under 15 characters.

Note: Password crackers are easily abused. You probably want to control their use inside your organisation. But they have a legitimate defensive purpose: to find poor password hygiene on your own network before the bad guys do.

Now, Jens Steube, author of the password cracking tools in the hashcat family, has added to the optimisations against SHA-1 when cracking passwords.

Steube described his work in a paper at the recent Passwords^12 conference in Oslo, Norway.

Passwords^12 conference press release

Steube's password cracking improvements reduce by 21% the number of computer instructions needed to compute a SHA-1 hash. This may allow previous optimisations - such as the ones described above - to be tweaked yet further for additional speed.

Steube noticed that SHA-1's "inner loop" can be usefully slimmed down if you are repeatedly computing hashes from input data in which only the first input word (32 bits, or four bytes) changes each time.

For a password attack, this can easily be arranged.

Greatly oversimplified, the SHA-1 algorithm consumes its input in blocks of sixteen 32-bit words (512 bits, or 64 bytes), mixing each block into a cumulative hash of five 32-bit words (160 bits, or 20 bytes).

for block in blocks() do
   for i = 17 to 80 do
      -- each step here extends the original 16-word input
      -- block to 80 words by adding one word made by mixing
      -- together four of the previous sixteen words.
      block[i] = minimixtogether(block,i)
   end
   for i = 1 to 80 do
      -- each step here mixes one of the words from the 80-word
      -- "extended block" into the five-word hash accumulator
      hash = giantmixtogether(block,i)
   end
end

The giantmixtogether() function that scrambles the extended input into the hash uses a range of different operations, including NOT, AND, OR, XOR, ADD and ROL (rotate left).

But the minimixtogether() function used to condition the input data uses only XOR and ROL. Because of its relative simplicity, Steube found a way to skip the minimixtogether() loop, and to calculate the "expanded" input values block[17] to block[80] directly inside the giantmixtogether() loop.

Steube's method still needs some precalculation, but multiple separate hash evaluations can share this precalculated data if only the first word (i.e. the first four characters) of the input has changed.

If you were hashing a randomly-selected series of files, for example, this would do you no good.

But when conducting a brute force attack against passwords, it's a simple matter to put your input into a suitable sequence so that the first four characters change most rapidly, followed by the rest of the password. (Just imagine a car odometer with the digits reversed.)

If you can do this, then implementing Steube's tweaks will make your code run 25% faster. Just like that.
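Here is the idea worked through in Python, as an added example that is not Steube's or hashcat's code. Because minimixtogether() uses only XOR and ROL, every one of the 80 schedule words is a linear combination of rotations of the sixteen input words. So, with the input words numbered 0 to 15 as in the specification rather than 1 to 16 as in the pseudocode above, each W[t] can be written as (XOR of rol(W[0], r) for some set of rotation amounts r) XOR (a value that depends only on W[1..15]). The code computes that split once per suffix, then rebuilds the schedule for each new W[0] without running the expansion loop, and checks the result against hashlib for candidates ordered so that the first four characters change fastest. It is written for clarity, not speed (real crackers fold this algebra into hand-tuned arithmetic), and it handles only single-block messages of up to 55 bytes, which is all a password attack needs.

```python
import hashlib
import struct
from itertools import product

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rol(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def pad_single_block(msg):
    # One 64-byte block holds a message of at most 55 bytes plus 0x80, zeros and the bit length.
    if len(msg) > 55:
        raise ValueError("single-block demo only")
    padded = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return list(struct.unpack(">16I", padded))


def expand_schedule(w16):
    # The "minimixtogether" loop: 16 input words become 80 using only XOR and ROL.
    w = list(w16)
    for t in range(16, 80):
        w.append(rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def compress(w80):
    # The "giantmixtogether" loop: 80 rounds over the five-word state, one block only.
    a, b, c, d, e = IV
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rol(a, 5) + (f & MASK) + e + k + w80[t]) & MASK
        a, b, c, d, e = tmp, a, rol(b, 30), c, d
    return struct.pack(">5I", *[(x + y) & MASK for x, y in zip(IV, (a, b, c, d, e))])


def sha1_single_block(msg):
    return compress(expand_schedule(pad_single_block(msg)))


def split_schedule(w1_to_15):
    # XOR and ROL are linear, so W[t] = (XOR of rol(W[0], r) for r in masks[t]) ^ consts[t],
    # where consts[t] depends only on W[1..15]. Both parts are computed once per suffix.
    masks = [1] + [0] * 15            # bit r set: rol(W[0], r) is XORed into W[t]
    consts = [0] + list(w1_to_15)     # the W[1..15]-only part of W[t]
    for t in range(16, 80):
        masks.append(rol(masks[t - 3] ^ masks[t - 8] ^ masks[t - 14] ^ masks[t - 16], 1))
        consts.append(rol(consts[t - 3] ^ consts[t - 8] ^ consts[t - 14] ^ consts[t - 16], 1))
    return masks, consts


def schedule_from_split(w0, masks, consts):
    # Rebuild the 80-word schedule for a new W[0] without rerunning the expansion loop.
    out = []
    for m, c in zip(masks, consts):
        acc, r = c, 0
        while m:
            if m & 1:
                acc ^= rol(w0, r)
            m >>= 1
            r += 1
        out.append(acc)
    return out


def hash_with_shared_suffix(heads, suffix):
    # Every candidate is head (4 bytes) + suffix, so W[1..15] are identical: precompute once.
    masks, consts = split_schedule(pad_single_block(heads[0] + suffix)[1:])
    out = {}
    for head in heads:
        w0 = struct.unpack(">I", head)[0]
        out[head + suffix] = compress(schedule_from_split(w0, masks, consts)).hex()
    return out


def verify_against_hashlib(alphabet, length):
    # Reversed-odometer ordering: the first four characters change fastest, the tail slowest.
    heads = [bytes(h) for h in product(alphabet, repeat=4)]
    for tail in product(alphabet, repeat=length - 4):
        for cand, digest in hash_with_shared_suffix(heads, bytes(tail)).items():
            if digest != hashlib.sha1(cand).hexdigest():
                return False
    return True
```

verify_against_hashlib(b"ab", 6) hashes 64 candidates through the split schedule and confirms every digest against hashlib. Inspecting split_schedule shows why the saving is real: W[16], for instance, depends on W[0] only through a single rotation (masks[16] is 2, meaning rol(W[0], 1)), so once consts[16] is known that word costs one ROL and one XOR per candidate instead of three XORs and a ROL over four earlier words.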

And there you have it: yet another reminder that security is an arms race.

Follow @duckblog



Friday, January 18, 2013

US Secret Service probed after sensitive files left on Metro train


A contractor working for the US Secret Service walked onto a Washington, DC Metro train carrying two tapes full of extremely sensitive data. He got off at his stop carrying neither.

A few years later, the US Secret Service is under investigation for what's being described as the "immense breach".

Washington DC metro train. Image from Shutterstock

The tapes contained personal information about all agency employees, contacts and overseas informants, according to Fox News, which interviewed multiple law enforcement and congressional sources for the story.

The extremely sensitive personal data included Social Security Numbers, home addresses, information about family members, phone numbers, dates of birth, medical information, bank account numbers, employment information, driver's license numbers, passport numbers, and biometric information - all of which were secured only with "very basic encryption", according to Fox News, which quoted a Secret Service source with knowledge of the incident:

"It was very basic encryption. Let's just say it wouldn't take a genius to crack it."

This contradicts the Secret Service's account.

Secret Service spokesman Ed Donovan told Fox News that the data was secured by "multiple layers of security":

"In February of 2008, a contract employee whose function was to maintain, secure and transport this type of information lost two 'back-up' tapes on the DC Metro while transporting them to an off-site facility. These back-up tapes were not marked or identified in any way and were protected by multiple layers of security. They could not be accessed without the proper equipment, applications and encoding."

The Department of Homeland Security Office of Inspector General (DHS-OIG) is investigating the incident.

It's only one of 13 ongoing investigations into the Secret Service, dubbed "Culture of Secret Service" and launched at the behest of the Senate Homeland Committee following the Cartagena, Colombia prostitution scandal in April.

The DHS-OIG report on the agency's culture is expected in the spring.

The tapes were lost on the Red Line of the Metro in 2008 by a reportedly young, low-ranking employee of a private contracting company hired to transport them from headquarters to a secure vault in Olney, Md., where, Fox says, government agencies store contingency plans, documents and other backup material.

The employee volunteered to drop off the tapes because he lived near the vault, but he got off at the Glenmont, Md., Metro stop without the tapes.

Sources told Fox News that Secret Service failed to follow strict DHS protocols for reporting and responding to privacy incidents involving personally identifying information (PII).

Secret Service officials contacted Metro Transit Police and asked them to keep an eye out for the tapes but filed no police report. Neither did they inform law enforcement or affected staff of the severity of the breach, the sources said - basically, they just whitewashed the incident.

One source told Fox that it's typical for the agency:

"They just covered it up so they wouldn't get in trouble, so they wouldn't be scrutinized for such a huge breach of security... That's why OIG opened up a case on this matter—and the other ones they've opened up are similar in that they show efforts on the part of Secret Service leadership to whitewash security breaches."

At the time of the prostitution scandal, President Obama praised the Secret Service overall, saying that the conduct of "a couple of knuckleheads" shouldn't detract from the agency's good work.

The prospect of losing a backup tape (or two) isn't going away as long as humans are frail, error-prone humans.

Does it reflect a more pervasively weak approach to security?

Let's withhold judgment until the report comes out.

But if the report confirms the allegations of weak encryption on the tapes, failing to follow DHS protocol in properly reporting breaches, and failing to inform the many staff members whose PII was lost, then for shame, Secret Service, for shame.

Follow @LisaVaas

Washington DC metro train image from Shutterstock.



What computer security threats can we expect to see in 2013?


Earlier this week, Sophos released the latest edition of its Security Threat Report, summing up the biggest threats seen during 2012, along with five trends that are likely to factor into IT security in the coming year.

Regarding the malware rides we experienced in 2012 and the thrills we can expect in 2013, there will be cross-over, for sure: Blackhole was huge in 2012, and it's not going away, barring the law nailing the person/s running it, the report notes.

Between October 2011 and March 2012, out of all threats detected by SophosLabs, nearly 30% either came from Blackhole directly or were redirects to Blackhole kits from compromised legitimate sites, as Naked Security's coverage of Blackhole exploits attests.

This adroit exploit kit rapidly mutates to thwart security efforts against it, while its software-as-a-service business model is, as the report notes, something for business school grads to drool over.

The professionalization of crimeware such as Blackhole marks a major shift as we head into the new year.

SophosLabs is seeing the ready availability of professionalized, commercialized testing platforms - some that offer money-back guarantees - as laying the foundation for future attacks that give criminals long-term, high-impact access to businesses' data.

This professionalized, consistent poking at businesses' defences will likely turn our attention to layered security and detection across the entire threat lifecycle in the coming year, the report says, as opposed to just focusing on the point of initial entry.

Here are five more trends that SophosLabs anticipates will shape the IT security landscape next year:

Basic web server mistakes. SQL injection attacks increased in 2012, with large volumes of user names and passwords getting hacked out of web servers and databases. Targets have been both big and small enterprises, motivated by both political and financial ends.

Some of the big ones:

• In May, the website for Wurm Online, a massively multiplayer online game, was shuttered due to an SQL injection while the site was being updated.

• In July, criminals stole 450,000 logins, stored in plain text by Yahoo Voices, using a "union-based SQL injection technique".

Owned and exposed

Given the uptick in these credential-based extractions, the report says, "IT professionals will need to pay equal attention to protecting both their computers as well as their web server environment."
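The "basic web server mistake" behind these incidents is worth seeing in code. The following is an added example, not code from the report or from any of the sites named above: a search query built by string concatenation, the union-based payload that turns it into a credential dump, and the parameterised version that treats the same input as data. It runs against an in-memory SQLite database filled with constructed rows; the table and column names are assumptions for the demo.

```python
import sqlite3


def build_db():
    """In-memory database with constructed sample rows (not data from any breach)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        INSERT INTO products (name, price) VALUES ('widget', '9.99'), ('gadget', '19.99');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password)
            VALUES ('alice', 'plaintext-1'), ('bob', 'plaintext-2');
    """)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the user-controlled term becomes part of the SQL text."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, term):
    """Bound parameter: the term is data, never SQL, whatever characters it contains."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# Union-based payload: closes the string literal, appends a SELECT with the same
# column count from another table, and comments out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users--"


def demo():
    """Returns (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = build_db()
    leaked = search_vulnerable(conn, UNION_PAYLOAD)
    safe = search_parameterised(conn, UNION_PAYLOAD)
    conn.close()
    return leaked, safe
```

demo() returns every username and password from the users table for the concatenated query, and an empty list for the parameterised one, because the engine looks for a product literally named "' UNION SELECT ...". The attacker never needed to know the database password: the web application's own connection did the reading, which is why the report treats the web server environment as part of the asset to protect.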

More "irreversible" malware. Ransomware, which encrypts data and holds it for ransom, increased in 2012, and SophosLabs expects to see more in 2013.

The most recent high profile example was in November, when Hacked Go Daddy sites were infecting users.

Unfortunately, the damage can be impossible to repair, the report says:

"The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible, to reverse the damage."

In 2013, SophosLabs expects to see more such attacks, which should focus IT professionals' attention on behavioral protection mechanisms, as well as system hardening and backup/restore procedures.

Attack toolkits with premium features. Cybercriminals are investing big in toolkits like the Blackhole exploit kit. That investment has resulted in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces, and self-protection mechanisms.

In 2013, look for continued evolution as such kits pick up premium features that appear to make it a snap to access ever-more comprehensive, high-quality, malicious code.

Better exploit mitigation. On the plus side, as vulnerabilities increased in 2012 they've become harder to exploit, as operating systems modernized and hardened.

Threat report

The report also credits ready availability of Data Execution Protection (DEP), address space layout randomization (ASLR), sandboxing, more restricted mobile platforms and new trusted boot mechanisms (among others) for making it tougher to exploit the growing number of vulnerabilities.

Cause for celebration? Well, the report says, we'll probably see crooks just shift over to social engineering to get what they want, from wherever they can get it:

"While we're not expecting exploits to simply disappear, we could see this decrease in vulnerability exploits offset by a sharp rise in social engineering attacks across a wide array of platforms."

Integration, privacy and security challenges. Mobile devices and applications like social media became more integrated in 2012.

Combine that new coziness with new integrated technologies, such as near field communication (NFC) as well as increasingly clever uses of GPS to pinpoint us in real life, and what you get are new chances for cybercriminals to prey on our security and/or privacy.

It's true for mobile devices, of course, but it doesn't disappear for computing in general, the report says.

In 2013, watch for new attacks built on top of such technologies.

This is just a taste of what's in the report. Download the full Sophos Security Threat Report - it's free, and no registration is required - to learn more.

Beyond that, you can hear more about what 2013 will bring if you sign up for a web seminar about the report that will be held on Tuesday December 11th 2012, at 2pm ET / 11am PT.

SophosLabs expert Richard Wang will be at the web seminar, describing what the coming year might bring, as well as taking a look back over the last year and how attackers extended their reach to new platforms like cloud services and mobile devices, adopted malware toolkits to build smarter attacks, and targeted badly configured websites.

Follow @LisaVaas

GPS and Assembler code images from Shutterstock.



Wednesday, January 16, 2013

You receive the electronic reservation? Malware attack poses as hotel booking email


Bogus hotel reservation emails have been spammed out widely, which claim to come from Booking.com but in reality carry malware designed to infect Windows computers.

Even if recipients haven't booked a hotel room they might be tempted to open the dangerous attachments, in fear that their credit card has been charged.

Here's what a typical malicious email looks like:

Malicious hotel booking email

The emails are not entirely convincing, as they use a subject line in somewhat broken English:

Subject: you receive the electronic reservation [random number]
From: "Booking.com"
Attached file: Your electronic reservation ID[random].zip

Here's another example, which claims that you have booked a vacation at the Mandarin Oriental hotel in London's Hyde Park:

Malicious hotel booking email

As you can see, the cybercriminals behind the campaign have attempted to make their attack harder to block by varying subject lines, attached filenames and the vacation details included in the body of the email.

For instance, a wide variety of hotel names are used in the bogus reservation emails. Here are just a handful of the names used:

• Four Seasons Hotel
• Mandarin Oriental Hyde Park
• Shangri-La Hotel
• Hotel Imperial
• Mara Safari Club
• The Sanctuary At Kiawah Island
• Il San Pietro di Positano
• Four Seasons Resort Maui at Wailea
• Grand Hotel Timeo
• Hotel Ritz-Carlton

If you do receive one of these emails, delete it from your inbox. The one thing you shouldn't do is open the ZIP file and attempt to access the file contained within, as it is designed to infect your Windows computer.

Sophos security products detect the attack as both spam and malware (identifying the attachment proactively as Mal/DrodZp-A).

Of course, this is far from the first time that malware authors have distributed their attack posing as a hotel booking, and it's unlikely to be the last. The reason they use disguises like this is that the social engineering works so well at tricking people into clicking on the dangerous attachment or a malicious link.

It's time to wise up, and tell your friends not to fall for such traps.

You should always be suspicious of email attachments that are sent to you out of the blue. Make sure that your anti-virus product is updated, that you have the latest security patches, and tell your friends to think twice before opening unknown attachments.

Stay safe folks.

Follow @gcluley


Tuesday, January 15, 2013

Facebook hacks its workers into Hacktober smithereens


It was October! The month when slimy worms slither through Facebook! On those cold, dark days when grisly green hands tend to smash through monitors, hungrily grasping at click-happy employees!

At least, that's what one of Facebook's posters implied to its employees last month.

This, Facebook told Mashable, was the second year that the company celebrated its annual Hacktober: a month-long event wherein its engineers brewed up simulations of security threats that they then unleashed on staff computers.

After setting the traps, they sat back and waited to see which employees would fall for them, and which would be good-security doobies and report the fishiness, thereby netting themselves some Facebook-emblazoned swag.

Those who ratted out the engineering crew's phishing scam or other security threats - which were sprinkled throughout the site or sent to company email addresses - got themselves a Facebook-branded shirt, bandana or sticker.

Those damnable souls who were lured into clicking on the booby-traps got sent to hell, aka "further training".

Terror works well in the corporate culture, Ryan McGeehan, a director on Facebook’s security team, told Mashable:

"Webinars don’t exactly fit in well here, so we wanted to do something unique in line with our hacking culture to teach employees about cybersecurity... We took the theme of October, fear and pranks and created something that is both fun and educational."

He said it was also part of a larger effort to celebrate National Cyber Security Awareness month.

Threats were targeted at groups based on what they might realistically come across in the course of doing their jobs. Afterward, the hack was revealed, along with an explanation of how to prevent such exploits outside of the safety of the simulated environment.

Mashable provided one example of a worm hiding as a fake Facebook news story to demonstrate the speed in which spam spreads across the social network.

The worm was a huge success, McGeehan said, both in terms of employee responsiveness and as a way to test and refine the tools and policy systems Facebook uses for reporting suspicious activity:

"We launched a worm to simulate some of the spam campaigns we see on Facebook and other sites, and this was our grand finale. Within minutes, we were overwhelmed with reports from employees, and it was a wild success."

Jenn Lesser, an operations manager on Facebook’s security team who worked with the internal events and design on the project, said that the company faces the same security lethargy that most businesses deal with: namely, staff don't care until there's a problem.

But by then, it's too late.

There are good lessons here regarding proactive security training - as in, security training that comes alive, vs. the typical quick quiz that fails to engage people on a long-term basis.

Pen-testing your own peeps a la Facebook is a great idea, and you don't necessarily have to throw any software development resources at it.

Kevin Young, who's on Adobe's Information Security Team and has done a good deal of security training with both Utah Valley University College of Technology and Computing students as well as nontechnical people at Risk Management conferences, told me about some of his demos that make security concepts easy to grasp:

Weak passwords: Young sets up his laptop running the John the Ripper password cracker in a command window. He minimises the PowerPoint presentation so the audience can see the password-cracking window on the side. As he works through the slides, he lets the cracked passwords pop up and scroll off the screen. They get the idea pretty quickly, he says.

Social engineering: Young brings an empty Cisco box to a class and pretends to struggle at the door. A student will almost always open it for him, without checking his credentials.

Identity theft: Young shows people spoofcard.com, which allows users to call people while displaying a fake name.

Silly password tricks: Young shows photos of keyboard undersides displaying supposedly unbreakable passwords.

Take photos: Young takes them for a walk around an organisation and discreetly takes a few photographs. He shows them any unattended doorways, for example.

If you've got other ways to terrorise your employees into cybersecurity awareness, please share them in the comments section below.

And please, no links to that Facebook meme-of-the-day Brazilian stunt with the fake elevator and the little demon child who popped out of a panel and scared people to the brink of cardiac arrest.

That was just plain creepy.

If you're on Facebook, consider joining our Facebook page, where you can keep up-to-date on the latest privacy and security issues, and learn about the rogue applications, scams and malware attacks threatening Facebook users.

Follow @LisaVaas
Follow @NakedSecurity

Hacktober poster, courtesy of Mashable

Facebook grim reaper, courtesy of Shutterstock



Monday, January 14, 2013

Technical paper: Journey inside the Blackhole exploit kit


One of the most common questions we receive at SophosLabs is "How are users most likely to get infected with malware?"

As regular readers will be aware, the answer is through the web. More specifically, computers are most likely to be infected through compromised legitimate websites redirecting user traffic to malicious websites that are hosting some exploit kit.

The most active of these exploit kits in recent times is one known as Blackhole.

Properly understanding how the Blackhole exploit kit works and why it has become the most popular of the various exploit kits available is important in order to provide the best protection to our customers.

Previous research focused on early versions of the Blackhole exploit kit, and the tricks used by the attackers in evading detection.

More recently, SophosLabs expert Gabor Szappanos has been delving deeper into the internal workings of the Blackhole exploit kit, to get a more thorough understanding of how it works.

Gabor's technical paper, entitled "Inside a Black hole", is now available, and I would encourage all readers to download it and learn more about the Blackhole exploit kit.

http://twitter.com/SophosLabs

Plug hole image from Shutterstock.



Facebook Photo Sync: Nine things you should know


Facebook has introduced a new feature for iPhone, iPad and Android users which means you can automatically sync any photos you take on your mobile device with your Facebook account.

This removes the nuisance of having to manually choose which photos to upload.

Here are nine things you should know about Facebook Photo Syncing:

You have to opt-in to Facebook Photo Sync. Facebook hasn't turned it on by default. Chances are that your first knowledge of it will be when you access Facebook on your iOS or Android device, and are encouraged to "Get started".


It's good that Facebook has decided to make users consciously opt in to this service. There would have been a loud outcry if they hadn't.

If you enable the feature, your last 20 photographs, and every subsequent photo you take, will be automatically uploaded in the background to a private Facebook album. So you may want to check what photos you have already taken first.

The photos that you have synced from your phone are not visible to any other Facebook users. When you view your synced photos, you can then choose to share them on your Facebook timeline or send them as a message to a friend.

If you're worried that Facebook Photo Sync will eat into your data plan, you can tell Facebook to only sync when you are on Wi-Fi rather than via your cellular network.


(Note that Facebook says it will sync photos at a smaller size - approximately 100KB - when you use a 3G or 4G network.)

Facebook says it won't sync your photos when battery levels are "low".

Automatic uploading of every photo you take means every photo you take. Yes, including the ones you took for that guy you're flirting with, or the one you snapped of that part of your body you can't quite see properly with a mirror.


Furthermore, if someone takes a photograph of you without your permission it will be automatically uploaded to Facebook - you may demand that they delete the photo off their phone, but will it also have been removed from their private Facebook album?

Every photograph synced from your phone will be able to be mined for information by Facebook.

Photos taken on mobile devices can include metadata such as the location where the photo was taken - and this could be used to determine where you are, and help Facebook display localised advertising.

Furthermore, Facebook could integrate its facial recognition technology with Photo Sync, analyse your photos to see whose faces it recognises and automatically tag their names.

Over time a comprehensive database of where you have been, and who with, is built up.

You are no longer in charge of what photos you upload to Facebook. In the past, you could decide what images you uploaded to the social network, and which pictures it could analyse for its own purposes.

Now, all photos - good and bad - will be available to Facebook. That doesn't mean anyone apart from you and Facebook's servers will be able to see them, but there's clearly a reduction in your level of control.

You can disable Facebook Photo Sync by following these instructions.
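The location-metadata point above is something you can check on your own photos before any automatic sync carries them off the device. The following Python script is an added example, not code from the original article and not anything Facebook's apps do: it walks the JPEG marker segments, parses the Exif TIFF structure just far enough to reach the GPS sub-IFD, reports the latitude and longitude if they are present, and can strip the Exif segment entirely. The JPEG it parses is constructed inline (a fabricated location, 51.5 N / 0.13 W, not a real photo), so the script runs offline with no image library.

```python
"""Find and remove GPS location metadata (Exif) in a JPEG before it leaves the device."""
import struct

# Exif/TIFF constants (from the TIFF 6.0 and Exif 2.x specifications)
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element


def _segments(jpeg):
    """Yield (marker, start, end) for every marker segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                 # SOS: entropy-coded image data follows
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, end):
    """Return {tag: (type, count, raw 4-byte value/offset)} for the IFD at offset."""
    if offset + 2 > len(tiff):
        return {}
    count = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(tiff):
            break
        tag, typ, n = struct.unpack(end + "HHI", tiff[pos:pos + 8])
        entries[tag] = (typ, n, tiff[pos + 8:pos + 12])
    return entries


def _value(tiff, end, entry):
    """Decode an IFD entry; values wider than 4 bytes live at the offset in the entry."""
    typ, n, raw = entry
    size = TYPE_SIZES.get(typ, 1) * n
    if size <= 4:
        data = raw[:size]
    else:
        off = struct.unpack(end + "I", raw)[0]
        data = tiff[off:off + size]
    if typ == 2:                           # ASCII, NUL-terminated
        return data.rstrip(b"\0").decode("ascii", "replace")
    if typ == 4:                           # LONG
        return struct.unpack(end + "I" * n, data)
    if typ == 5:                           # RATIONAL: pairs of unsigned numerator/denominator
        nums = struct.unpack(end + "II" * n, data)
        return [nums[2 * i] / nums[2 * i + 1] for i in range(n)]
    return data


def _dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds list plus N/S/E/W reference -> signed decimal degrees."""
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def find_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries Exif GPS data, else None."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, _value(tiff, endian, ifd0[TAG_GPS_IFD])[0], endian)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        lat = _dms_to_decimal(_value(tiff, endian, gps[GPS_LAT]),
                              _value(tiff, endian, gps.get(GPS_LAT_REF, (2, 1, b"N\0\0\0"))))
        lon = _dms_to_decimal(_value(tiff, endian, gps[GPS_LON]),
                              _value(tiff, endian, gps.get(GPS_LON_REF, (2, 1, b"E\0\0\0"))))
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed; pixels are untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                      # scan data and EOI follow unchanged
    return bytes(out)


def build_sample_jpeg():
    """Constructed test input: minimal JPEG with JFIF APP0, an Exif APP1 holding a GPS
    IFD at a fabricated 51.5 N / 0.13 W, and a stub scan. Not a real photo."""
    e = "<"                                # little-endian TIFF ("II")
    gps_off = 8 + 2 + 12 + 4               # header + IFD0 (one entry) -> 26
    lat_off = gps_off + 2 + 4 * 12 + 4     # after the four GPS entries -> 80
    lon_off = lat_off + 24                 # three RATIONALs later -> 104
    ifd0 = (struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_off)
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"
           + struct.pack(e + "HHII", GPS_LAT, 5, 3, lat_off)
           + struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
           + struct.pack(e + "HHII", GPS_LON, 5, 3, lon_off)
           + struct.pack(e + "I", 0))
    rationals = struct.pack(e + "6I", 51, 1, 30, 1, 0, 1) + struct.pack(e + "6I", 0, 1, 7, 1, 48, 1)
    tiff = b"II*\0" + struct.pack(e + "I", 8) + ifd0 + gps + rationals
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1_body = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9"
    return b"\xff\xd8" + app0 + app1 + scan


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS before stripping:", find_gps(photo))
    print("GPS after stripping: ", find_gps(strip_exif(photo)))
```

`strip_exif` removes the whole Exif segment rather than only the GPS entries, which is the simpler and safer choice here: camera make, timestamps and thumbnail previews (which can contain an uncropped copy of the picture) go with it, and the JPEG still decodes because the scan data is untouched. A real phone gallery would be checked by reading each file's bytes through `find_gps` before the sync is allowed to run.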

You can learn more about Facebook's new Photo Sync feature by visiting its official help pages.

If you are on Facebook and want to keep yourself informed about the latest news from the world of internet security and privacy, join the Sophos Facebook page where more than 200,000 people regularly discuss these issues and best practice.

Follow @gcluley

Facebook icon image from Shutterstock.



Sunday, January 13, 2013

Sophos staff win Movember contest while raising money for prostate cancer research


Peter Gale from Team Mophos

For the unfamiliar, Movember (the month formerly known as November) is a moustache-growing charity event, held each November, that raises funds and awareness for men's health.

The Mo Bros and Mo Sistas of Sophos Vancouver formed a team this year, Team Mophos, on the international Movember website to see how much money we could collectively raise as an office.

How'd we do? Well, 25 individuals participated from the Vancouver office alone, raising more than $6000 Canadian for charity (It's not too late! Click Team Mophos above to contribute).

In major cities, Movember also coordinates some celebrations and contests at the end of the month and Vancouver was no exception.

Onur Komili from Team Mophos

There are all kinds of different contests and awards for the best and most creative mustachioed faces.

Peter Gale, Product Development Manager, and Onur Komili, Sr. Web Threat Researcher in SophosLabs, decided to enter the best costume contest as the legendary 1990s wrestling team The Legion of Doom.

Considerable effort was put into the outfits and makeup to create just the right amount of menace, respect and of course an opportunity to show off the stache.

Team Mophos Legion of Doom

I am proud to announce they were selected by the Mo Bros and Mo Sistas at the Vancouver Gala Parté as best Team Mo Bro, and Onur won the award for Man of Movember.

Congratulations, guys. Aside from the fun we all had we were able to raise a tidy sum of money for a good cause.

Follow @chetwisniewski
