Monday, September 30, 2013

Megaupload's Kim Dotcom gets back some of his seized property, and receives right to see evidence against him

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

The warrants that police used to raid the home of Kim Dotcom in a SWAT-style raid were too broad, a New Zealand judge ruled on Friday.

The High Court judge, Chief Justice Helen Winkelmann, wrote in her decision that the search and arrest warrants were written in such a way that police felt authorised to seize and take away "a wide category of items" without first figuring out whether the stuff was actually relevant to the charges against Dotcom.

She wrote:

"They continue to assert that they are so authorised. This has given rise to a miscarriage of justice."

Thus, Dotcom has won back the right to see all the evidence against him before - rather than after - his possible extradition to the US to answer charges of racketeering, money laundering, online piracy and copyright infringement.

If you're a bit lost in this ongoing saga, Paul Ducklin detailed where we were a few months ago.

Dotcom's extradition hearing, rescheduled twice, is now set for August.

The January 2012 raid of his New Zealand mansion was an over-the-top affair that included at least one helicopter, dogs, and heavily armed officers who apprehended Dotcom in his unlocked safe room.

(Check out this 3NEWS report on the raid [YouTube video], in which the newscaster notes that the raid was "slightly American," Glocks and semi-automatics and all. Not surprising, given that the Federal Bureau of Investigation [FBI] was behind it and that FBI agents were present at the raid.)

Besides computers and hard drives, police seized 18 luxury vehicles, including a 1959 pink Cadillac, giant-screen TVs and works of art.

In her Friday decision, Justice Winkelmann ruled that Dotcom be given clones of any seized items that contain only relevant material, prior to clones being provided to the US.

She also ruled that seized items that contain irrelevant data be returned. "Mixed content devices" - i.e., those containing both relevant and irrelevant data - should also be returned to Dotcom, she said, although police can retain clones.

Justice Winkelmann said that the removal of cloned data from New Zealand to the US was illegal. She ordered police to ask US authorities to destroy any materials that aren't relevant to Dotcom's alleged crimes.

New Zealand police are going to have to foot the bill for the review of what's relevant and what's not, while none of the seized items now in New Zealand will be allowed to leave the country.

Not to condone copyright infringement, by any means, but I must say that I like how the New Zealand court is handling this case.

I think the accused should have every right to examine the evidence police have against them, so as to mount a well-grounded defense.

Otherwise, you've got lopsided justice, which is no justice.

Besides, for the love of all things irrelevant, what does a pink Cadillac have to do with copyright infringement?

Follow @LisaVaas Follow @NakedSecurity

View the original article here

Sunday, September 29, 2013

Anatomy of a change - Google announces it will double its SSL key sizes


Google just announced that its HTTPS web pages will be ditching 1024-bit RSA keys in favour of 2048 bits.

"Pah," I hear you say. "I have one or two questions about that - three questions, in fact."

1. How is this newsworthy when many other web properties have already made the switch to 2048 bits? (Kim "Big Fella" Dotcom's mega.com.nz, for example.)
2. Why switch if 1024 bits is much bigger than the largest RSA key yet known to have been cracked, at 768 bits?
3. Why the fuss about 1024 bits anyway, if just 128 bits is considered more than enough for other encryption algorithms, such as AES?

Let's start at the end: why thousands of bits of RSA key but only hundreds for AES?

An n-bit symmetric key gives 2^n different possible keys to choose from; if we assume there is no algorithmic shortcut, we have to try all 2^n of them to be certain of cracking the key. For obvious reasons, this is called a brute force attack.

A cryptographic attack that requires an equivalent effort to brute-forcing n bits of symmetric cipher key is said to have a security strength of n.

According to the US National Institute of Standards and Technology (NIST), security strengths of 112 and above are considered OK until the end of 2030. Security strengths below 112 are already considered deprecated, a word that means "used with disapproval."

From the end of 2013, they'll move from "deprecated" to "disallowed", at least if you follow NIST's playbook. So, you have until the end of the year to get all your cryptosystems up to a security strength of 112 or more.

AES uses keys of 128, 192 or 256 bits in length, so AES implicitly meets this condition.

But RSA encryption is a public/private key cipher, meaning you have one key to lock and another key to unlock.

You make the locking key public, so that anyone can encrypt messages and send them to you; you keep the corresponding unlocking key private, rather obviously, so that only you can decrypt them.

Technically and algorithmically, a 128-bit RSA key isn't anything like a 128-bit AES key. It's actually a 128-bit number n that is constructed by multiplying together p and q, two randomly-chosen 64-bit prime numbers. To crack such a key requires you to factorise n back into p and q.

This sort of factorisation is computationally complex, but it doesn't take 2^128 tries to guarantee a result.

Straight off the bat, we know that the smaller of the two prime factors of n can be at most √n, and √(2^128) is 2^64. So that cuts the maximum number of tries to 2^64. And neither factor can be even, since then it wouldn't be a prime factor, which instantly halves the maximum number of tries to 2^63. Clearly, the cost of factoring an n-bit product of two primes is well below 2^n.

In fact, a 128-bit RSA key would be absurdly weak by modern standards. In practice, a 1024-bit RSA key is only considered equivalent to an 80-bit symmetric key, and thus has a security strength of 80.

So the fuss about 1024-bit RSA keys is that they too, like AES or similar keys below 112 bits, will become "disallowed" at the end of the year.

Now we come to the second question: why the jump from 1024 to 2048 bit keys?

In 2014, symmetric keys will need to go from a minimum of 80 bits to a minimum of 112 bits; in 2031, they'll go from 112 to 128 bits. Those are key-size increases of 40% and about 15% respectively.

But in 2014, RSA key sizes are required to grow by 100% (1024 to 2048 bits), and in 2031 by 50% (2048 to 3072 bits). Why the discrepancy in the scale-up?

The reason is that the complexity of a brute-force attack against a symmetric key grows exponentially with the number of key bits, so each additional key bit multiplies the strength by a constant factor of 2.

But each additional key bit in an RSA key multiplies the strength by an ever-decreasing amount, so you need a bigger jump in key size for the same increase in resilience to brute force attack.
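To put numbers on the two preceding paragraphs, here is an added example (not from the article) that estimates RSA security strength from the heuristic running time of the general number field sieve, the fastest known classical factoring method, and compares how symmetric and RSA key sizes must grow to reach the NIST strength levels. The asymptotic formula is used without its o(1) correction, so it lands a few bits above NIST's tabulated 80 / 112 / 128; the diminishing value of each extra RSA bit is the point.

```python
import math


def symmetric_strength(key_bits: int) -> float:
    """An n-bit symmetric key costs 2^n brute-force tries: strength is exactly n."""
    return float(key_bits)


def rsa_strength(modulus_bits: int) -> float:
    """Estimated security strength (symmetric-equivalent bits) of an RSA modulus.

    Uses the heuristic cost of the general number field sieve,
        L(n) = exp( (64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3) ),
    and returns log2 L(n). The o(1) term is omitted (an assumption of this
    example), so values run a few bits above NIST's 80 / 112 / 128 for
    1024 / 2048 / 3072-bit moduli.
    """
    ln_n = modulus_bits * math.log(2)  # ln(2^k) without materialising 2^k
    exponent = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)  # natural-log work -> bits


def marginal_bit_value(modulus_bits: int) -> float:
    """Strength gained by adding one bit to an RSA modulus of this size.

    For a symmetric key this is always exactly 1; for RSA it keeps shrinking.
    """
    return rsa_strength(modulus_bits + 1) - rsa_strength(modulus_bits)


def bits_for_strength(target: float, step: int = 64) -> int:
    """Smallest modulus size (a multiple of `step`) estimated to reach `target` bits."""
    k = step
    while rsa_strength(k) < target:
        k += step
    return k


def growth_percent(old: int, new: int) -> float:
    return 100.0 * (new - old) / old


def key_size_plan(strengths=(80, 112, 128)):
    """For each strength level: the symmetric and RSA sizes needed and the
    percentage growth from the previous level (the 40%/15% versus
    100%/50% comparison in the article, as this model estimates it)."""
    plan, prev_sym, prev_rsa = [], None, None
    for s in strengths:
        rsa_bits = bits_for_strength(s)
        plan.append({
            "strength": s,
            "symmetric_bits": s,
            "rsa_bits": rsa_bits,
            "symmetric_growth_pct": growth_percent(prev_sym, s) if prev_sym else 0.0,
            "rsa_growth_pct": growth_percent(prev_rsa, rsa_bits) if prev_rsa else 0.0,
        })
        prev_sym, prev_rsa = s, rsa_bits
    return plan


if __name__ == "__main__":
    for k in (1024, 2048, 3072):
        print(f"RSA-{k}: ~{rsa_strength(k):.1f} bits; "
              f"one extra modulus bit is worth {marginal_bit_value(k):.4f} bits")
    for row in key_size_plan():
        print(row)
```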

And finally, the first question: is this a big deal only because Google has announced it?

It shouldn't be a big deal for anyone to make an announcement like this. Indeed, it should be expected and unexceptional, as Google itself explains.

In theory, you should easily be able to change website certificates as a matter of routine, not least because they expire and need refreshing anyway. Everyone's software should automatically adapt.

But SSL certificates don't usually stand alone, or else anyone could mint a certificate that claimed to be from sophos.com, or microsoft.com, or anywhere they liked.

So SSL certificates are themselves generally signed by other people who vouch for you - firstly by one or more intermediaries (which might be security teams in your own company) and finally by a root certifier. This creates a so-called "chain of trust," topped out by a root certificate that is automatically trusted by software on your computer, such as your browser or the operating system itself.

The list of root certificates is often rather long - perhaps alarmingly long when you think about the power and authority it conveys.

Of course, root certificates themselves aren't immune from expiry, or from compromise, or from needing key-size updates. So software that uses its own list of trusted roots must provide a way to update that list, for changes necessitated both by routine (e.g. expiry) and emergency (e.g. a hack of the certificate authority's network).

Note that Google will be changing its root certificate size to 2048 bits as well, so that all the certificates in its chain of trust are 2048 bits.

So Google is warning all of us, in good time, in case any of us have software (or, more challengingly, firmware burned into devices like games consoles, phones, and printers) that rely on hard-wired lists of root certificates.

If you have software that relies inflexibly on hard-wired SSL trust lists, take this as a good time to change the way your code works.

As Google points out, firmly but fairly, in its FAQ:

The only way to do this correctly is to build software that understands that Roots can change, and can adapt to that.

Google does have some self-interest here, as it doesn't want potential customers being put off by certificate warnings as a result of this change. On the other hand, those certificate warnings shouldn't really happen, so Google is acting in the interest of the whole ecosystem by highlighting these issues.

The takeaways?

1. Build SSL certificate flexibility into your software.
2. Switch to 2048-bit RSA keys before the end of 2013.

For the greater good of all!

Follow @duckblog

Tags: AES, brute force, certificate, key bits, nist, private key, public key, RSA, security strength, SSL, symmetric key


Saturday, September 28, 2013

Sophos RED scoops "Protector Award" at this year's AusCERT conference


We try to avoid being too marketroidistic here on Naked Security.

After all, we're aware that you can work out which company's products we'd recommend just by looking at the URL of this article.

But when our technical colleagues get outside recognition for the excellence of the products they create, we can't help but mention it.

(Especially when said techies are stuck at the coalface, knee deep in code, while one of their colleagues gets to collect their award at a Gala Dinner event in a subtropical holiday resort.)

So we're proud to say that at this evening's 2013 Information Security awards at the AusCERT conference in Australia, Sophos scooped the Protector Award with Sophos RED.

RED, you ask, from a company with a blue logo?

Yes! RED stands for Remote Ethernet Device, and it's a brilliantly simple way of connecting up your branch office or remote workers:

The Sophos Remote Ethernet Device protects branch offices and provides secure remote access. Simply plug the device into your Internet router and centrally manage it from the Sophos UTM appliance at headquarters. Branch office traffic is forwarded to the Sophos UTM appliance for complete security.

The neat thing about the RED is that it can't be misconfigured when it arrives at the remote office.

You enter the unique device ID printed on your RED into your Sophos Network Security Gateway (or UTM for short) back at HQ, and a new configuration file is automatically created and stored with the Sophos provisioning service.

When the non-techie at the remote office plugs in the unit and turns it on for the first time, the RED and the cloud automatically do the rest.

You end up with an encrypted Virtual Private Network (VPN) connection that is equivalent to having your remote workers plugged into your wired network at head office.

Delivering a product of this sort that Just Works isn't a job for the faint hearted programmer.

The challenge of words like zero in computer science is that they are unambiguously absolute.

So when you promise a "zero configuration" experience, you really have to mean it: you can't have a single pop-up dialog, tick box, or [OK] button.

Even a washing machine typically needs some user-side configuration, no matter that it's just twiddling a dial and pressing a switch.

So, congratulations to our techie brothers and sisters for making "zero" mean zero!

By the way, if you're wondering why you might want to consider a full-blown VPN instead of just relying on remote workers to connect to key services over HTTPS, take a look at some of the comments on our recent Wireless Security Myths video.

HTTPS secures individual transactions, but it doesn't secure the DNS lookups of your remote users, and it doesn't shield the times or destinations of their connections.

That might not sound like a lot, but an attacker who controls your DNS can entirely own your network, and an attacker who knows the pattern of your communications can apply traffic analysis and learn more about your business than you might like.

Much worse, rather obviously, is that HTTPS works with co-operating secure websites only; it protects nothing else that leaves or enters your computer.

So...which company's product would I recommend for remote office connectivity?

Let me just say, "You can work it out just by looking at the URL of this article."

Follow @duckblog


Friday, September 27, 2013

Cyber security in US power system suffering from reactive, self-policed rules


North America’s electricity generation and distribution network is a vital piece of infrastructure, and is rightly considered a major potential target for attack from terrorists, activists or corporate snoops.

Its cyber defences seem to be inadequate though, with regulation mainly self-imposed and minimally enforced. Policy in the area also appears to focus on reacting to emerging threats, rather than setting up proactive barriers against potential problems.

A major report on the subject has been produced by the offices of two US Congressmen, Ed Markey (D-Mass.) and Henry A. Waxman (D-Calif.). They found that most power companies were under heavy cyber attack, but that few had done more than the minimum to implement protective processes.

A run-down of the report’s major findings can be found at The Register – there are plenty of juicy, scary stats based on responses to a survey sent to over 150 organisations.

The main point the study’s authors are trying to make is that there are many rules in place for how networks and systems should be protected, some mandatory and some optional, and not everyone’s applying all the mandatory steps yet, let alone the optional ones.

The rules are laid out by a non-profit body called NERC, the North American Electric Reliability Corporation. This is a cross-industry group focussed on keeping America’s lights on, generating standards and best practices for electricity generation and infrastructure. They’re overseen by FERC, the Federal Energy Regulatory Commission.

To create a new rule for the power companies to follow, a NERC committee (of which there seem to be many) will draft a guideline, which must then be approved by the membership – which is the power companies. If approved, the guideline is then passed to FERC for further approval before becoming an enforceable standard.

Obviously, this is a slow process, with any rule which is thought likely to cause difficulties to the people it’s supposed to be imposed upon likely to be vetoed, by those very same people.

The complexities of the system, and the highly distributed nature of the US power infrastructure, make it hard to monitor and enforce compliance, even when guidelines do become rules.

NERC produce some epic documents – their full run-down of standards makes for an eye-watering 1800-page read.

The (relatively) juicy bit concerning cyber security is section CIP-007, about a quarter of the way down.

Just keeping up with the latest tweaks and additions must be a tough task, let alone trying to apply or enforce them.

Even if the standard creation process can be sped up and made more enforceable, as the report’s authors are urgently suggesting, there’s another problem here.

The emphasis seems to be heavily on responding to threats – how did people respond to 9/11, what have people done in the wake of Stuxnet, what was their reaction to Aurora.

They need to be thinking much more proactively, predicting new attack vectors and implementing protection against new vulnerabilities before they are discovered, let alone put to use by the bad guys.

At least some people at NERC are thinking along the right lines, with another detailed report, released last year by their Cyber Attack Task Force, emphasising the importance of attack trees and other predictive approaches.

What seems to be needed here is a combination of the two vectors, with carefully considered generally defensive strategies combined with fast responses to new, unforeseen vulnerabilities. Sadly when government and big business intersect, pragmatism and speedy reactions are rarely in evidence.

Follow @virusbtn
Follow @NakedSecurity

Image of Power failure cartoon courtesy of Shutterstock.


Wednesday, September 25, 2013

Cybercrooks siphon $800,000 from US fuel distribution firm


Thieves drained $800,000 from a fuel distribution company in the US state of North Carolina earlier this month - a loss that the company thinks might have something to do with its bank having recently upgraded its security system.

According to security journalist Brian Krebs, the loss could have been a lot less if the bank or the targeted company - Mooresville, N.C. based J.T. Alexander & Son Inc. - had noticed the penetration earlier.

As it is, the attackers drained money for five days before a reporter notified either business of what was going on. Krebs didn't identify the reporter.

On the morning of May 1, the cyber thieves started carving out sub-$5,000 and sub-$10,000 chunks of cash from J.T. Alexander's bank, Peoples Bancorp of North Carolina Inc.

They then sent the money via automated clearing house (ACH) payment to about a dozen money mules who laundered the stolen funds.

On top of the funds stolen from the bank, the ACH payments themselves were deducted from J.T. Alexander's payroll account, Krebs writes.

David Alexander, J.T. Alexander & Son’s president, told Krebs that the loss was “pretty substantial” and “painful” for the small company, which employs a staff of only 15.

The company typically spends less than $30,000 on its total payroll every two weeks. In five days, the crooks managed to steal more than a year's worth of salaries.

While J.T. Alexander & Son may be able to get some financial relief for cyber fraud losses from its insurer - Employer’s Mutual Casualty Company (EMC) - it will be far less than what the company lost, according to what EMC adjuster Jim Mitchell told Krebs:

"They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost."

According to the victimized company, its bank upgraded its security system a mere month before the theft.

Prior to the upgrade, J.T. Alexander & Son's controller was required to enter a login ID, password, and a six-digit code to be read by an automated system at the bank. That automated system would then call the company.

Kristie Williams, who works in accounting and finance for J.T. Alexander, told Krebs that the security change - of which she wasn't aware - entailed transforming what was once a single-IP-controlled process into something a whole lot more promiscuous:

"... It used to be we could only access the bank’s site from my computer. … The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”

The bank didn't return Krebs's calls requesting comment.

At first blush, it looks like both the bank and the business might share the blame for the loss, but as Brian notes, it's the victim who tends to bear the liability.

Krebs includes a link to a set of online banking best practices for businesses that should help to protect businesses from being victimized in this manner.
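As an added example (not from the article or from Krebs's reporting), the routine below runs over constructed login and ACH events and alerts on the two signals in this story that either party could have caught: a login from outside the single known IP address, and a run of just-under-threshold payments to payees never paid before. The event format, IP addresses, thresholds and payee names are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): a normal session from the usual
# office address, then a session from elsewhere that fires off several
# just-under-threshold ACH payments to payees that have never been paid.
EVENTS = [
    {"ts": "2013-04-26T09:02:00", "user": "controller", "ip": "203.0.113.10", "type": "login"},
    {"ts": "2013-04-26T09:05:00", "user": "controller", "ip": "203.0.113.10", "type": "ach",
     "payee": "payroll-provider", "amount": 14_200.00},
    {"ts": "2013-05-01T07:41:00", "user": "controller", "ip": "198.51.100.77", "type": "login"},
    {"ts": "2013-05-01T07:44:00", "user": "controller", "ip": "198.51.100.77", "type": "ach",
     "payee": "payee-a", "amount": 4_870.00},
    {"ts": "2013-05-01T07:46:00", "user": "controller", "ip": "198.51.100.77", "type": "ach",
     "payee": "payee-b", "amount": 4_910.00},
    {"ts": "2013-05-01T07:49:00", "user": "controller", "ip": "198.51.100.77", "type": "ach",
     "payee": "payee-c", "amount": 9_750.00},
    {"ts": "2013-05-01T07:52:00", "user": "controller", "ip": "198.51.100.77", "type": "ach",
     "payee": "payee-d", "amount": 4_995.00},
]

# The pre-upgrade "only from my computer" rule, expressed as a per-user allowlist.
KNOWN_IPS = {"controller": {"203.0.113.10"}}
THRESHOLDS = (5_000.00, 10_000.00)  # the limits the payments were kept under (assumed)
MARGIN = 500.00                     # "just under" means within this much of a threshold
BURST_WINDOW = timedelta(minutes=30)
BURST_COUNT = 3                     # this many suspicious payments in the window = burst


def just_under_threshold(amount: float) -> bool:
    return any(t - MARGIN <= amount < t for t in THRESHOLDS)


def detect(events, known_ips=KNOWN_IPS):
    """Return (rule_name, event) alerts, processing events in time order."""
    alerts = []
    seen_payees = defaultdict(set)   # user -> payees paid so far
    recent = defaultdict(list)       # user -> timestamps of suspicious payments
    session_from_known_ip = {}       # user -> did the current session start from a known IP?

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])

        if ev["type"] == "login":
            ok = ev["ip"] in known_ips.get(user, set())
            session_from_known_ip[user] = ok
            if not ok:
                alerts.append(("login_from_unknown_ip", ev))

        elif ev["type"] == "ach":
            new_payee = ev["payee"] not in seen_payees[user]
            seen_payees[user].add(ev["payee"])
            suspicious = new_payee and just_under_threshold(ev["amount"])
            if not suspicious:
                continue
            if not session_from_known_ip.get(user, False):
                alerts.append(("structured_payment_new_payee_unknown_ip", ev))
            recent[user] = [t for t in recent[user] if ts - t <= BURST_WINDOW] + [ts]
            if len(recent[user]) == BURST_COUNT:
                alerts.append(("payment_burst", ev))

    return alerts


if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{ev['ts']} {rule:45} {ev['user']} {ev['ip']} {ev.get('amount', '')}")
```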

Last year, I attended a great talk at Source: Boston about cyber liability insurance, given by Jake Kouns, director of cyber security and technology risks underwriting at insurer Markel Corp.

I was lucky enough to get him in front of a camera so as to glean some tips on buying such policies. Here's a link to the video.

There's a lot to know about these insurance policies, but here's a good first lesson: a general liability policy won't cover your organization.

The costs can be devastating, as J.T. Alexander & Son is now experiencing.

Hopefully, your business won't suffer the same fate. But in case it does, be prepared.

Now is the time to learn about the ins and outs of insurance, not after your business gets drained and your insurer tells you that you really don't have much in the way of coverage.

Follow @LisaVaas
Follow @NakedSecurity


Tuesday, September 24, 2013

Only 36% of small firms apply security patches. No wonder cybercrooks are stealing their cash


Small businesses are under constant attack from malware, scams and online fraud.

They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.


This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia's slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.

The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they've taken to protect themselves.

Now, such studies are notoriously biased - asking people with a vested interest and minimal specialist knowledge what they think of complex technical issues will always give some off-the-wall results.

This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.

The report kicks off with a third-party figure of £18.9 billion lost to fraud by small-and-medium enterprises. This boils down to an average of just under £4000 per business in their study, although that covers all kinds of fraud. A previous analysis came up with a figure of £2900 for 'normal' fraud, hinting that the figure for online losses is over a quarter of the total.

On the plus side, 49% of businesses suffered no fraud losses at all, and only around 7% lost more than £5000. 10% reported incidents of card fraud, including 'card not present' problems associated with online trading. Such issues, along with the costs and complexity of PCI-DSS compliance, have apparently discouraged many businesses from operating online at all.

20% report 'virus' infections, with a further 8% spotting hacking or other 'electronic intrusion', and that's only those that knew about the issues - 73% claimed they had had no problems.

It would be interesting to see how the list of victims overlaps with those who regularly apply security patches to software (a mere 36%), and those who regularly update their anti-virus software (a much higher, but still rather depressing, 59%). 17% claimed they took no actions to counter cyber-attack, from a lengthy list of options.

The figures contrast rather oddly with another survey published just a month ago, produced by the Department for Business, Innovation and Skills (BIS), who also partnered with the FSB on this report. That survey does cover all types of data breach and all associated costs though, rather than just the direct costs of fraud.

A lot of businesses have gripes about the banks, how little they do to help and how much they cost. They also claim the police don't help much either.

Indeed, among the study's headline recommendations are a need to 'manage expectations around the police response to fraud and online crime by highlighting the benefits of reporting in terms of feeding into a wider intelligence picture' and 'Inform businesses what the police do not have the capacity to deal with so they can take preventative measures to help themselves more'.

This is basically admitting that if your business is robbed online, the police may provide you with a pat on the hand and a sympathetic "there, there", but that's about it - you should be dealing with this stuff on your own.

At least there is that encouragement to keep reporting issues so their levels can be monitored, which gives some hope that one day even the police will begin to sit up and take notice. The police's centralised, outsourced Action Fraud reporting system is referenced.

The FSB study also provides a good, clear 'ten top tips' to help business owners protect themselves.
It includes the basics of running up-to-date security software, applying patches and using at least reasonably strong passwords.

Here are the FSB's top ten tips:

1. Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
2. Carry out regular security updates on all software and devices
3. Implement a resilient password policy (min eight characters, change regularly)
4. Secure your wireless network
5. Implement clear and concise procedures for email, internet and mobile devices
6. Train staff in good security practices and consider employee background checks
7. Implement and test backup plans, information disposal and disaster recovery procedures
8. Carry out regular security risk assessments to identify important information and systems
9. Carry out regular security testing on the business website
10. Check provider credentials and contracts when using cloud services

This is a good start, but business owners clearly need a lot more help. In the UK at least, they may not be so at risk from the POS malware targeting their US cousins, but they face some serious issues.

Many of these problems are based on a simple lack of know-how and IT security illiteracy.

Sadly, even the best defenses can get breached, and there needs to be a stronger deterrent in the criminal system. With the internet involved, this means global action, which remains a rather distant dream.

Follow @VirusBTN
Follow @NakedSecurity

Image of small businesses and small business crushed by foot courtesy of Shutterstock.


Why Twitter's two-factor authentication isn't going to stop media organisations from being hacked


Twitter has announced the availability of two-factor authentication (2FA) for its service, meaning that users can opt in to something stronger than just a username and password to protect their accounts.


In a blog post, Twitter explains how the new security measure works.

If you decide to turn 2FA on for your Twitter account, every time you try to log into the site you will be prompted to enter a six-digit code that Twitter sends to your phone via SMS.

Here is a video Twitter released, demonstrating the feature:

So, the big question is this... is this going to help media organisations such as The Guardian, NPR, the Financial Times, and others who have found their Twitter accounts hijacked by the likes of the Syrian Electronic Army?

Sadly, I don't think it's going to help them at all.

Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.

2FA isn't going to help these companies, because they can't all access the same phone at the same time.

Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to "own" the phone - and share the six-digit code with journalists as they try to log in to share breaking news stories.


It's a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter's additional security at this time.

Of course, *another* solution would be to have an intermediary service, acting as a proxy, to which journalists could post their Twitter updates (using appropriate authentication) and then have *that* service feed the official Twitter account.

If you take that approach, just ensure that you have proper security systems in place for that proxy service - to keep out hackers and mischief-makers.

Corporations with "shared accounts" on Twitter would be wise to keep their defences updated, educate their staff on security and best practice, and learn the lessons of how Twitter accounts have been hacked in the past.

If you do enable Twitter two-factor authentication, whether you are Joe Public or a multinational corporation, realise that the technology isn't going to help if you have users who are easily phished.

Determined online criminals could use "man-in-the-middle" techniques to grab the six-digit passcode alongside your username and password.

So, even if you do turn on Twitter's 2FA, you still need to double-check that when you enter your username and password, or your six-digit code, you are *really* on Twitter's https website.


Otherwise, the crooks can just use all three items to log in as you...
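The "are you really on Twitter's https site" check above can be made mechanical for the links that arrive in emails and direct messages. The following is an added example and not code from the article or from Twitter; the set of genuine host names is this example's own assumption. It rejects the usual phishing shapes: plain http, a lookalike host that merely begins with twitter.com, a URL whose userinfo part is "twitter.com", and a non-ASCII homoglyph host.

```python
"""Check that a page asking for a Twitter password or 2FA code is really
Twitter over HTTPS.  Added example, not code from the article or from Twitter;
the allowed host names are an assumption of this example."""
from urllib.parse import urlsplit

GENUINE_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}  # assumed


def is_genuine_twitter_login(url: str) -> bool:
    """True only for https, an exact expected host, and no tricks in the URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""          # already lower-cased by urlsplit
    except ValueError:                       # malformed URL, e.g. a bad IPv6 bracket
        return False
    if parts.scheme.lower() != "https":
        return False        # plain http lets a man-in-the-middle read the six-digit code
    if parts.username is not None or parts.password is not None:
        return False        # "https://twitter.com@evil.example/" shows twitter.com first
    if not host.isascii():
        return False        # homoglyph hosts such as "twítter.com"
    return host in GENUINE_HOSTS   # rejects "twitter.com.evil.example" and friends


def triage(urls):
    """Split a batch of links (from an email, a DM, a proxy log) into genuine and suspect."""
    genuine = [u for u in urls if is_genuine_twitter_login(u)]
    suspect = [u for u in urls if not is_genuine_twitter_login(u)]
    return genuine, suspect


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    ok, bad = triage([
        "https://twitter.com/login",
        "http://twitter.com/login",
        "https://twitter.com.evil.example/login",
        "https://twitter.com@evil.example/login",
    ])
    print("genuine:", ok)
    print("suspect:", bad)
```

The host check is only half of the guarantee: the browser's certificate validation is what proves the https connection really terminates at Twitter. This check catches the lookalike-URL class of phishing before a user ever reaches the login page.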

In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today.

Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account - all with different levels of authority, all with different usernames and passwords.
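The intermediary service suggested earlier, and the per-user, per-role access just described, can be sketched as a small model. This is an added example and is not code from the article, Sophos or Twitter: nothing is sent to Twitter, `publish` is a stand-in callable representing the post to the shared account, and the role names ("publisher", "drafter") and the PBKDF2 work factor are this example's own choices. The point it shows is that each journalist gets a personal credential and an audit trail, a person can be revoked without touching the shared account's own password or phone, and only some roles can publish directly.

```python
"""Minimal model of an intermediary service that fronts one shared Twitter
account with individual credentials and roles for each journalist.

Added example; not code from the article, Sophos or Twitter.  `publish` is a
stand-in for posting to the shared account; roles and hashing parameters are
this example's own assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked user table does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    role: str          # "publisher" may post directly; "drafter" may only queue
    salt: bytes
    pw_hash: bytes


@dataclass
class SharedAccountProxy:
    publish: Callable[[str], None]                              # stand-in for the real post
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)      # token -> username
    queue: List[Tuple[str, str]] = field(default_factory=list)  # (author, text)
    audit: List[str] = field(default_factory=list)

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, role, salt, hash_password(password, salt))

    def remove_user(self, name: str) -> None:
        """Revoking one person never touches the shared account's own credentials."""
        self.users.pop(name, None)
        self.sessions = {t: u for t, u in self.sessions.items() if u != name}

    def login(self, name: str, password: str) -> Optional[str]:
        """Return a session token, or None.  Unknown users cost the same time as bad passwords."""
        user = self.users.get(name)
        if user is None:
            hash_password(password, bytes(16))       # equalise timing, then refuse
            self.audit.append(f"LOGIN-FAIL unknown user {name}")
            return None
        if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            self.audit.append(f"LOGIN-FAIL {name}")
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        self.audit.append(f"LOGIN {name}")
        return token

    def post(self, token: str, text: str) -> str:
        """'posted', 'queued' (awaiting a publisher) or 'denied' (no valid session)."""
        name = self.sessions.get(token)
        if name is None or name not in self.users:
            self.audit.append("POST-DENIED bad session")
            return "denied"
        if self.users[name].role == "publisher":
            self.publish(text)
            self.audit.append(f"POST {name}: {text}")
            return "posted"
        self.queue.append((name, text))
        self.audit.append(f"QUEUE {name}: {text}")
        return "queued"

    def release(self, token: str) -> int:
        """A publisher pushes everything drafters have queued; returns how many went out."""
        name = self.sessions.get(token)
        user = self.users.get(name) if name else None
        if user is None or user.role != "publisher":
            return 0
        sent = 0
        while self.queue:
            author, text = self.queue.pop(0)
            self.publish(text)
            self.audit.append(f"POST {name} (drafted by {author}): {text}")
            sent += 1
        return sent
```

In a real deployment the shared account's credentials and 2FA phone live only on the proxy host, which is exactly why the article's caveat applies: that host becomes the thing to harden, monitor and keep patched.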

Right now Twitter's 2FA is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the Syrian Electronic Army in the past.

Follow @gcluley

View the original article here

Sunday, September 22, 2013

Patching your business, Yahoo breach, Google Glass, DDoS-for-hire - 60 Sec Security [VIDEO]


Our 60 Second Security videos are back!

In the last series, we produced episodes every two weeks; this time, we're hoping to publish a weekly roundup that's quick, fun and useful.

There is a serious side to these videos: we want to give you punchy computer security anecdotes to use in your own "elevator advocacy."

You probably know the feeling.

You get in the lift, sorry, elevator, with someone who's just had a run-in with IT over a security principle that you think is obvious, but they think is tiresome.

"Who cares about Windows updates? Why do I have to change my password? What's the big deal about privacy? Who's going to hack little old me?"

60 Second Security helps you fire back friendly answers to all those questions, long before you get to Level 11.

Here you go: watch the latest security news in just 60 seconds.

In this episode:

(If you enjoyed this video, you'll find plenty more on the SophosLabs YouTube channel.)

http://twitter.com/duckblog

Tags: 60 Sec Security, 60 Second Security, 60 Seconds, 60SS, Congress, data breach, DDoS, FBI, Glass, Google, Japan, Patching, small biz, Small Business, yahoo



Vermont slaps patent troll with first-ever suit of its kind


Late last year, a patent troll had the gall to send thousands of letters to small businesses around the US, demanding payment of between $900 and $1,200 per worker for - get this - using scanners and then emailing scans.

According to Ars Technica's Joe Mullen, this "brazen patent-trolling scheme" was conducted by a company called MPHJ Technology Investments, along with "dozens of shell companies with six-letter names."

The state of Vermont has a problem with that. A big problem.

In a left-right double punch, the State Attorney General has filed a groundbreaking complaint [PDF] against the infamous scanner troll, while the state's governor on Wednesday signed bill H.299 [PDF], the nation's first-ever anti-patent trolling law.

It was bad enough that MPHJ was allegedly shaking down small businesses and thereby running afoul of the state's Consumer Protection Act.

To make matters worse, two of the businesses it allegedly picked on were nonprofits that assist developmentally-disabled people: Lincoln Street, a Springfield nonprofit that gives home care to developmentally-disabled Vermonters, and ARIS Solutions, a non-profit that helps the disabled and their caregivers with various fiscal and payroll services.

In a statement released on Wednesday, Vermont State AG William H. Sorrell quantified the blood-sucking and listed the ways that government is trying to stop the vampires:

Patent trolling is a national problem. A recent major study out of Boston University estimated the cost of patent trolling on the US economy at $29 billion in 2011 alone.

Representative Peter Welch recently co-sponsored the Saving High-Tech Innovators from Egregious Legal Disputes (“SHIELD”) Act of 2013 in Congress to address the problem and the Federal Trade Commission held a workshop to address patent trolling in December 2012.

Consumer protection complaint

Sorrell is alleging that the scanner troll neglected to conduct due diligence before sending the letters and made deceptive statements about its threats of suit and whether other companies had taken a license.

Indeed, the questionable - it might be more accurate to say laughable - legitimacy of MPHJ's patent is outlined here by Mike Lloyd, one of the management team at a patent-mapping software company.

As Lloyd demonstrates, patents relating to scanning and emailing documents are not only very plentiful; they also go far back in time before MPHJ got its grubby little paws on its own version - back to, for example, Xerox, which filed a similar patent in October 1993.

In an interview with Ars, Sorrell said that he's hoping that other states follow Vermont's lead:

All of a sudden, these nonprofits were getting threats... This caused consternation on behalf of a number of Vermont companies and caused them to incur expenses when they hired private legal counsel.

We're hopeful that other states will take action to protect their businesses and organizations. They've sent threatening letters all over the country.

We hope so too. Nice work, Vermont. Thank you for taking the lead on this.

Follow @LisaVaas
Follow @NakedSecurity

Image of patent troll courtesy of Shutterstock.



Saturday, September 21, 2013

NYPD detective charged with hiring email hackers to break into colleagues' personal accounts


New York City police have arrested a NYPD detective for hiring an email hacking service to pinch the login details for at least 43 personal email accounts and one cell phone belonging to at least 30 individuals.

Edwin Vargas, 42, of Bronxville, New York, is accused of having paid $4,050 via PayPal to an illicit hacking service between March 2011 and October 2012.

According to a statement from Preet Bharara, the US Attorney for the Southern District of New York, Federal Bureau of Investigations (FBI) agents arrested Vargas outside his home on Tuesday.

Officials said that 19 of Vargas' alleged targets are current NYPD officers, one is retired from the NYPD, and another is an administrative staff member of the NYPD.

Vargas allegedly used the login credentials to peek into at least one personal email account belonging to a current NYPD officer. He also allegedly accessed another victim's online cellular telephone account.

Law enforcement officials said that when they checked out the hard drive on Vargas' NYPD computer, they also found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looks like telephone numbers, home addresses, and vehicle information corresponding to those email addresses.

The list also contained what seem to be passwords for the email addresses.

Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers and then paid email hacking services to filch their logins.

The detective has been charged with one count of conspiracy to commit computer hacking and one count of computer hacking. Each count carries a maximum sentence of one year in prison.

US Attorney Bharara said in the statement that it's pretty darn bad when the cops themselves are the ones breaking the laws they're paid to enforce:

As alleged, Detective Edwin Vargas paid thousands of dollars for the ability to illegally invade the privacy of his fellow officers and others.

He is also alleged to have illegally obtained information about two officers from a federal database to which he had access based on his status as an NYPD detective.

When law enforcement officers break the laws they are sworn to uphold, they do a disservice to their fellow officers, to the Department, and to the public they serve, and it will not be tolerated.

FBI Assistant Director-in-Charge George Venizelos also said in the statement that gosh, you'd think you'd be able to trust your coworkers if your workplace is a police department:

As alleged, the defendant illegally acquired log-in information for the email accounts of dozens of people, including police department co-workers.

Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee.

Unlike the email accounts, the defendant didn't need to pay anyone to gain access to the NCIC database. But access is not authorization, and he had no authorization.

Let's assume that Naked Security readers won't fall for pitches from such email hacking services, such as this charmingly misspelled/garbled one:

If you want to know someone's email password than get it right now. How to hack? No, you don't have to do that, let our experts to hack your requested password in less than 48 hrs and you will be charged with $100

How do these services work?

Some of them, in their marketing materials, put up lists of techniques that include brute-force attack, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe), and/or social engineering techniques.

Unfortunately, if the allegations prove true, it sounds as though the NYPD not only harbored one bad apple; it also has plenty of staff who might well have fallen for one or more of the email hacking services' techniques.

As far as protecting ourselves from having our accounts breached, the tried and true advice holds: keep on top of patches; don't click on phishy links or open phishy email; make sure you're using a password management program to generate convoluted, hard-to-guess passwords; and/or read Graham Cluley's piece about cooking up your own.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

Better still, follow the advice I saw on a cartoon on Wednesday:

Sorry, your password must contain a capital letter, two numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin.

Bravo!

Follow @LisaVaas
Follow @NakedSecurity

Image of login screen courtesy of Shutterstock.



Friday, September 20, 2013

Inside the "PlugX" malware with SophosLabs - a fascinating journey into a malware factory...


Filed Under: Featured, Malware

Join SophosLabs Principal Researcher Gabor Szappanos (Szappi) as he takes you on a fascinating journey into the PlugX malware factory.

This is a malware family that keeps evolving as the criminals in charge of it churn out new variants.

Just like legitimate software, malware has major version upgrades and point releases.

In this paper, Szappi looks at the recently-released Version 6.0 of the PlugX malware framework.

You'll enjoy Szappi's paper because it's not so technical as to get bogged down in researcher-only jargon, yet not so high-level as to skip over the details that help you to understand how virus writers think.

Szappi writes clearly and logically, taking apart and explaining the numerous and deliberately-distinct phases in the malware's infection mechanism.

Splitting up malware means that each step does only a small piece of the overall work, in order to avoid looking suspicious on its own.

The aim is to reduce the chance of being flagged as dangerous by heuristic defences that expect more complex behaviour.

Szappi even uses some debugging features left behind in the malware to estimate the size of the programming project behind it, using a statistical technique first used in anger during the Second World War.

The Allies used it to convert observations from the field into reliable estimates of how many tanks the Nazis had at their disposal; now it's turned against the PlugX crew.

And Szappi describes how, and why, the malware carries around with it a pirated copy of a legitimate, digitally-signed application (this one is from Chinese social media outfit Tencent) to help it do its dirty work.

A fascinating paper, well worth reading: clearly written, interesting, and informative.

Download now

Follow @duckblog



Thursday, September 19, 2013

How to hack an electric car-charging station


Is there anything more annoying than infrastructure that turns on you?

For years we've been warned about the specter of hacker-induced nuclear power plant meltdowns, breached electric-grid control systems or Samsung TVs that let hackers watch you. We've even heard we could lose our data to juicejacking, when all we want is an emergency phone charge.

And the lack of security in SCADA systems? It's more like SCAD-DON'T.

The latest entrant into the scary-infrastructure category comes from a technology that feels like it should be a lot warmer and fuzzier: namely, electric car-charging stations.

In a video recorded at Hack In The Box 2013 Amsterdam and posted courtesy of Help Net Security, Ofer Shezaf, founder of OWASP Israel, talks about the lack of security in these charging stations, which often amount to little more than a computer sitting behind a key-lock panel on the street.

A computer that takes customers' financial and personal information, that is.

For three years, Shezaf, an application security expert, worked for a company that makes infrastructure for the car-charging stations.

The equipment in a charging station typically includes these components, he says:

- Main board;
- Communication equipment to connect with a central server and, often, with the internet;
- An RFID card reader that lets users identify themselves and begin charging their cars; and
- Electric components, such as a circuit breaker to protect from electrocution and a meter to measure the amount of electricity consumed.

Why do you need such a computer sitting on the street? Somebody has to pay for the electricity, Shezaf says, and controls are needed. You can't have everybody getting electricity at the same time, or the system will fry.

But once you put a computer on the street, information security comes into play, as does the potential for hacking.

Here are the ways Shezaf says attackers might hack into an electric car-charging station:

- Via physical access on the street equipment. The computers, typically Linux-based, are often protected with a panel opened with a simple key. Once an attacker opens the panel, he has access to the components, allowing analysis and reverse-engineering of hardware, CPU, and firmware. Also, attackers can connect via processor ports to enable real-time analysis while customers are charging their cars.

- Via communications. In many cases, Shezaf says, there's a large number of charging stations in a single parking lot, linked via serial connection, which he calls "very slow and very, very ancient, with very little security." This can enable hackers to tap in to intercept information about the identities of the customers who are charging their cars, plus their payment information. Another potential is for attackers to conduct a man-in-the-middle attack.

- Via RFID card. There's high pressure on manufacturers to buy the cheapest ones available. Such cheap RFID cards are known to include either no encryption or insufficient encryption protocols.

- Back doors that allow technicians to connect to charging stations and get immediate access. Maintainability is a key element of these large physical networks. It has to be cheap and easy for technicians to fix issues, Shezaf says. He found one example in an equipment manual online that describes how access to the charging station is gained through a physical key. Beyond that, there's no security whatsoever - not even a password requirement.

What can hackers do once they're in? Shezaf gave this list:

- Identity theft. Attackers can intercept information while people charge.

- Financial theft. Charging for free or charging on someone else's account.

- DoS. A hacker can, for example, take out an entire parking lot, making cars inoperable. Hackers could also potentially shut down an entire network, shutting down electric car traffic in an entire city or region.

How likely are these types of physical attacks? Not very, Shezaf says, given a few things.

First, they sound simple, but they're not:

"You need a subject matter expert. That limits the number of people who can do it."

For one thing, encryption is a key challenge of securing charging infrastructure. But encryption is "a tough subject," he says. There just aren't that many people who know how to break it.

We don't see charging stations getting hacked or, for that matter, planes falling out of the sky, but we do see virtual hacking galore.

The reason, Shezaf proposes, is that physical damage frightens us, from an evolutionary standpoint.

If you're out to make some easy money, hacking a bank online is physically safe. The same can't be said for physical attacks against, for example, smart cars or car-charging stations:

"While naturally criminals and nation states will use those techniques, a lot less people who are doing it for money will try to hack charging stations."

Hopefully, that all adds up to this particular hacking scenario being relevant, for the most part, to Hollywood scriptwriters.

Follow @LisaVaas
Follow @NakedSecurity

Images of electric car, charging station and caution tape courtesy of Shutterstock.



LulzSec members jailed over hacking

Members of a group of young British computer hackers who masterminded sophisticated cyber attacks on major global institutions from their bedrooms have been jailed.

Ryan Ackroyd, Jake Davis, Mustafa Al-Bassam and Ryan Cleary considered themselves to be "latter-day pirates" when they masterminded sophisticated cyber attacks on major global institutions including the CIA, Sony, the FBI and Nintendo.

They were "hacktivists" with the LulzSec collective behind attacks that stole sensitive personal data including emails, online passwords and credit card details belonging to millions of people. News International, the NHS and the UK's Serious Organised Crime Agency (Soca) were also victims of the group, who lived as far apart as London and the Shetland Islands and never met in person.

Sentencing them at Southwark Crown Court in London on Thursday, Judge Deborah Taylor said some of their taunting of their victims "makes chilling reading". What they considered a cyber game, she said, had in fact had real consequences. "You cared nothing for the privacy of others but did everything you could through your computer activities to hide your own identities while seeking publicity," she said.

Stolen information was posted unencrypted on their website and file-sharing sites like Pirate Bay in 2011, the court had previously heard. They also carried out distributed denial of service (DDoS) attacks, using linked networks of up to one million computers to overpower and crash websites.

Their activity collectively cost their targets millions of dollars and potentially left millions of people at risk from criminals. All had admitted offences under the Computer Misuse Act 1990.

Cleary, 21, of Wickford Essex, known as ViraL, pleaded guilty to six charges including hacking into US air force agency computers at the Pentagon. He was jailed for a total of two years and eight months.

Ex-soldier Ackroyd, 26, from Mexborough, South Yorkshire, was jailed for 30 months having previously pleaded guilty to one charge of carrying out an unauthorised act to impair the operation of a computer. The Iraq veteran used the online persona of a 16-year-old girl called Kayla.

Al-Bassam, 18, from Peckham, south London, used the alias tFlow. He was at school at the time and is currently sitting his A-levels, the court heard. He was given a sentence of 20 months suspended for two years, plus 300 hours of community work.

Davis, 20, from Lerwick, Shetland, used the alias Topiary and was LulzSec's main publicist. He was ordered to serve 24 months in a young offenders' unit. He and Al-Bassam had previously pleaded guilty to hacking and launching cyber attacks on a range of organisations, including the CIA and Soca.



Tuesday, September 17, 2013

Apple fixes 41 iTunes security flaws, some more than a year old


Apple has released iTunes 11.0.3 for OS X and Windows today.

This update fixes a certificate validation issue for both Mac and Windows. If this vulnerability were exploited, an attacker would be able to spoof an SSL certificate without a warning being presented, potentially allowing the attacker to execute arbitrary code.

They also fixed 40 other vulnerabilities in the Windows version of iTunes, which sounds really terrible (and might be), until you consider why.

iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs.

The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn't require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.

What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes. Let's take a look at the history of the oldest vulnerability fixed, CVE-2012-2824.

CVE-2012-2824 is a "use after free" vulnerability in the SVG parsing code in WebKit. It has a CVSS severity score of 10, is considered easy to remotely exploit and could result in remote code execution (RCE).

It was first reported on 27 April 2012 by miaubiz and was fixed in Google Chrome's implementation of WebKit on 26 June 2012, about 2 months from initially being reported.

Apple's first attempt at fixing this flaw was in iOS 6.0.1 and Safari 6.0.2 on 1 November 2012, approximately six months after being reported.

It is one of the vulnerabilities bundled into today's iTunes 11.0.3 update, more than one year after disclosure.

Another vulnerability of note fixed in today's Windows version of iTunes is CVE-2012-5112, or as it is better known the Pinkie Pie vulnerability from Google's Pwnium 2 contest at the Hack in the Box 2012 conference.

In combination with another flaw this bug won Pinkie Pie $60,000 USD and a Chromebook courtesy of Google.

While I do question the amount of time Apple needed to fix these bugs, that isn't the point of this post.

The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod.

The latest version of iTunes for Windows or OS X is always available at http://www.apple.com/itunes/download/.

Follow @chetwisniewski


Monday, September 16, 2013

Get ready for the next #sophospuzzle - coming soon to a T-shirt near you


It's almost time for the annual AusCERT conference in Queensland, Australia.

And for everyone who's asked, the answer is, "Yes! There's a #sophospuzzle."

And a Sophos AusSHIRT to go with it.

Over the past few years, the Sophos AusSHIRT Puzzle has become a something of an institution.

It's also one of the coolest and most sought-after giveaways of the show.

(What am I saying? It's the most sought-after giveaway!)

For those who won't be on Queensland's Gold Coast later this week, we'll also be publishing the puzzle for you to solve and enter online.

There are prizes, as usual: geeky toys at the show, and a bunch of T-shirts for those who solve it online.

In previous years, the puzzles typically had multiple stages, with the shirt decoding to a URL, and the URL taking you to the next level, and so on.

Many of you asked us to make the 2013 puzzle a little more self-contained, notably so that those who are attending the conference don't need to spend hours on their computers working their way through it.

Instead of three stages, this year we've given the puzzle three dimensions (OK, technically it's an isometric projection into two dimensions, but bear with us here), and just one stage.

So you can solve this puzzle straight from the shirt, using nothing but pencil, paper and intellect.

Of course, you can still throw some home-hacked scripts at the problem if you want: a little bit of brute force goes a long way, and you can leave your scripts running while you attend the conference parties.

We'll fill in the real letters in the squares of the Rubik's Cube when the puzzle proper starts. (No, the answer isn't "UTM". Well, not this answer, anyway.)

The real thing, complete with handy hints, will be published on Naked Security to coincide with the official opening of the conference, on the evening of Tuesday 21 May 2013, at 2013-05-21T18:00+10.

That's 6pm Queensland time, 4pm Singapore time, 10am in Berlin, 9am in the UK, 4am in New York and 1am in California.

It'll also be half past five in the morning in Newfoundland, and quarter to two in the afternoon in Kathmandu, for those of you who doubt the need to take fractional timezones into account when programming.
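The fractional-offset point above is easy to get wrong in code, so here is the launch instant converted to every zone the article lists, as an added example that is not code from the article. The UTC offsets are the ones in force on 21 May 2013 (summer time where applicable) and are fixed in the script as an assumption so it needs no time-zone database; the second function reproduces the whole-hour mistake the article warns against, so the two results can be compared.

```python
"""Convert the puzzle launch instant, 2013-05-21T18:00+10, into the zones the
article lists, including the two with fractional offsets.  Added example, not
code from the article.  Offsets are those in force on that date and are fixed
here as an assumption so that no tz database is required."""
from datetime import datetime, timedelta, timezone

LAUNCH = datetime.fromisoformat("2013-05-21T18:00:00+10:00")  # the article's instant

OFFSETS = {
    "Queensland":   timedelta(hours=10),
    "Singapore":    timedelta(hours=8),
    "Berlin":       timedelta(hours=2),                 # CEST
    "UK":           timedelta(hours=1),                 # BST
    "New York":     timedelta(hours=-4),                # EDT
    "California":   timedelta(hours=-7),                # PDT
    "Newfoundland": timedelta(hours=-2, minutes=-30),   # NDT, a half-hour zone
    "Kathmandu":    timedelta(hours=5, minutes=45),     # NPT, a quarter-hour zone
}


def local_times(instant: datetime = LAUNCH) -> dict:
    """Correct conversion: apply the full offset, minutes included."""
    return {name: instant.astimezone(timezone(off)).strftime("%H:%M")
            for name, off in OFFSETS.items()}


def whole_hour_mistake(instant: datetime = LAUNCH) -> dict:
    """The bug the article warns about: treating every offset as a whole number of hours."""
    out = {}
    for name, off in OFFSETS.items():
        hours = int(off.total_seconds() / 3600)   # truncates -2.5 to -2 and 5.75 to 5
        out[name] = instant.astimezone(timezone(timedelta(hours=hours))).strftime("%H:%M")
    return out


if __name__ == "__main__":
    good, bad = local_times(), whole_hour_mistake()
    for name in OFFSETS:
        note = "" if good[name] == bad[name] else f"   (whole-hour bug would say {bad[name]})"
        print(f"{name:13} {good[name]}{note}")
```

The correct conversion gives 05:30 for Newfoundland and 13:45 for Kathmandu, matching the article; the whole-hour version is silently 30 and 45 minutes out for just those two zones and correct everywhere else, which is exactly how this class of bug survives testing.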

Just so you know, the puzzle is a cryptogram, which means that the letters on the cube have been scrambled using an encryption algorithm.

It's a slightly wacky and unusual cipher, with both substitution and transposition, but the substitution always replaces each plaintext letter with the same encrypted letter.

So you shouldn't need a computer to solve it.

As usual, you'll be able to follow the puzzle on Twitter using the hashtag #sophospuzzle.

Sophos Australia will feed you hints on the @Sophos_ANZ Twitter feed, so follow the SophOz team for some extra help.

And I'll be keeping a watchful eye on proceedings via @duckblog.

Hope you can join us online, even if you won't be there to pick up a shirt!

Follow @Sophos_ANZ

Follow @duckblog



Saturday, September 14, 2013

Threats to Indian IT industry and two faces of hacking

New Delhi, May 18 (ANI): The recent data theft by hackers from two Indian companies processing prepaid cards for several overseas banks, which led to a global fraud of 45 million dollars, has made India's 100 billion dollar IT industry a primary target of spam, phishing and viruses. The security breach has reopened the debate on IT security norms followed by Indian firms and the role played by 'ethical' hackers.

A gang of cyber-criminals operating in 26 countries stole USD 45 million by hacking their way into a database in the second week of May 2013. Another recent incident was the Rs 2.4 crore heist by cyber criminals who hacked into the Mumbai-based current account of the RPG Group of companies.

There have been many instances of 'ethical' hackers going rogue, resulting in breaches of the cyber security of companies as well as individuals, causing financial loss and damage to reputation. The 45 million dollar heist, the News International phone hacking scandal, Indian hackers' retaliatory attacks against Brazilian or Bangladeshi counterparts, etc., leave the victims defaced and robbed.

Reportedly, a group of anonymous hackers from India hacked and defaced 37 Brazilian websites. The attacks were apparently in retaliation to the April 6 cyber attacks on Indian government websites supposedly by Brazil-based hackers. Although there is a nationalistic tinge to the whole scenario, it could prove disastrous if not monitored and channelised.

Lords of Dharmaraja is also alleged to have hacked and posted a threat by uploading the secret documents, memos, and source code of Symantec's product on Pastebin.

It is indeed tough to define something as diverse as hacking. Is it ethical for any computer expert to infiltrate another person's websites and email accounts? Yes, if it is a trusted 'hacker' who uses his ethics and software expertise to strengthen his employer's security apparatus against hackers with malicious intentions. Also, if done for the cause of national security. But if a computer wizard illegally gains access to someone's computer by pretending to be a bona fide entity to fulfil a personal agenda, then that is a cause for serious concern.

In India, according to Microsoft, 'ethical' hacking is synonymous with prominent names like Ankit Fadia, Sunny Vaghela, Pranav Mistry, Vivek Ramachandran, Koushik Dutta, Aseem Jakhar and a few more.

Ankit Fadia, a world-renowned 'ethical' Indian hacker, described the cyber security threat as a menace. "Identity theft of Indian IT firms is rather common. Hackers have the potential to damage the reputation of a bonafide IT firm by stealing their identity and engaging in unscrupulous activities under the corporate's garb that can have disastrous consequence and tarnish reputation. In fact, such misdemeanours could go unnoticed for years together if not detected and rectified in time," he said.

There are quite a few ethical hacking groups in India, like the Indian Cyber Army aka Indishell, Team NUTS, Team Gray Hat, Lords of Dharmaraja and the Indian Cyber Devils, that have reportedly been working to safeguard India's cyber space.

An ethical hacking group, on condition of anonymity, revealed that even while working on a national cause, they may masquerade as an information security company to register domains or create malware in order to protect themselves and get back at their arch-rivals - information security and anti-virus companies.

Imparting ethical hacking training is like treading on dangerous ground, as it raises questions such as: are these activities justified? Can there be a guarantee that these groups will refrain from crossing the line of their mandate? And is anyone safe in this scenario?

In India, there are a number of training institutes that train young people in the latest ethical hacking tools and techniques. Institutes like Techdefence, K-Secure CEH, IntelleSecure Network Solutions, Crezone and Kyrion are a few of them. However, the most popular certification is CEH (Certified Ethical Hacker) by an American organisation called EC Council, and the training material of almost every institute is shaped around its curriculum.

Ethical hacking ensures that the cyber security infrastructure of private organisations as well as government bodies is robust and secure. Although ethical hackers are fast becoming a tribe in India, it is critical to monitor them along with their training institutes. Trainers need to be conscious of what knowledge they impart when setting up the curriculum. Perhaps it would be prudent for the government to intervene in designing the curriculum and to set a minimum age of 18 for shouldering the responsibility of such potent knowledge. By Praful Kumar Singh (ANI)


View the original article here

China calls U.S. the "real hacking empire" after Pentagon report

BEIJING (Reuters) - China on Wednesday accused the United States of sowing discord between China and its neighbors after the Pentagon said Beijing is using espionage to fuel its military modernization, branding Washington the "real hacking empire".

The latest salvo came a day after China's foreign ministry dismissed as groundless a Pentagon report which, for the first time, accused China of trying to break into U.S. defense computer networks.

The Pentagon also cited progress in Beijing's effort to develop advanced-technology stealth aircraft and build an aircraft carrier fleet to project power further offshore.

The People's Liberation Army Daily called the report a "gross interference in China's internal affairs".

"Promoting the 'China military threat theory' can sow discord between China and other countries, especially its relationship with its neighboring countries, to contain China and profit from it," the newspaper said in a commentary that was carried on China's Defense Ministry's website.

The United States is "trumpeting China's military threat to promote its domestic interests groups and arms dealers", the newspaper said, adding that it expects "U.S. arms manufacturers are gearing up to start counting their money".

The remarks in the newspaper underscore the escalating mistrust between China and the United States over hacking, now a top point of contention between Washington and Beijing.

A U.S. computer security company, Mandiant, said in February a secretive Chinese military unit was likely behind a series of hacking attacks that targeted the United States and stole data from more than 100 companies.

That set off a war of words between Washington and Beijing.

China has said repeatedly that it does not condone hacking and is the victim of hacking attacks -- most of which it claims come from the United States.

"As we all know, the United States is the real 'hacking empire' and has an extensive espionage network," the People's Daily, a newspaper regarded as a mouthpiece of the Chinese Communist Party, said in a commentary.

The article -- which was published under the pen name "Zhong Sheng", meaning "Voice of China" -- said "in recent years, the United States has continued to strengthen its network tools for political subversion against other countries".

"Cyber weapons are more frightening than nuclear weapons," the People's Daily said. "To establish military hegemony on the Internet by repeatedly smearing other countries is a dangerous and wrong path to take and will ultimately end up in shooting themselves in the foot."

(Reporting by Sui-Lee Wee; Editing by Michael Perry)



Friday, September 13, 2013

Interview with 'We are Anonymous' author Parmy Olson [PODCAST]


I had the privilege of interviewing Forbes journalist and author Parmy Olson after the RSA Conference in San Francisco in February.

We sat down in the beautiful Yerba Buena Gardens to discuss her book "We are Anonymous" and her thoughts on the upcoming (at the time) sentencing of the LulzSec hackers.

We also discussed her recent visit to Mobile World Congress in Barcelona and her thoughts on Firefox OS.

It might seem a bit late to publish this podcast, but there was a press embargo in the UK at the time it was recorded and we decided to be respectful of that and wait to publish until the accused were convicted and sentenced.

You may notice some odd noises in the background -- a dog barking, a shopping cart and birds tweeting. I interviewed Parmy in the middle of the park, so you should consider any extraneous noises as ambiance.

(If this is your first time listening to a Sophos podcast they are ideal for your daily commute or for a spot of lunchtime listening. There's an archive of previous podcasts - you can also get our podcasts via RSS or iTunes.)

http://twitter.com/chetwisniewski

Tags: anonymous, Firefox OS, Forbes, interview, Jake Davis, LulzSec, Lust for Lulz, Parmy Olson, Podcast, Sabu, Topiary



Thursday, September 12, 2013

FT hacked. Syrian Electronic Army hijacks Financial Times blogs and Twitter accounts


The Syrian Electronic Army has struck again - this time adding the scalp of the prestigious Financial Times to its collection of hijacked accounts belonging to well-known media organisations.

Hackers from the Syrian Electronic Army appear to have stolen the usernames and passwords of FT staff with access to the newspaper's social media accounts, and posted unauthorised blog entries and tweets earlier today.

Here are some examples of the damage caused by the hackers:

FT blog

FT tweets

Of course, the hacking of such a prestigious target doesn't go unnoticed - and the FT's security team scrambled into action, warning readers about the issue and deleting offending messages as they were found.

FT hack statement

The Syrian Electronic Army isn't above rubbing salt into the wounds, clearly finding it amusing to publish the email address and password of at least one FT staff member who seemingly (we won't republish it here) chose a rather silly password.

SEA reveal FT password

In recent weeks Syrian Electronic Army hackers have successfully broken into online accounts belonging to the likes of The Guardian, the BBC, NPR, and CBS with apparent ease, prompting Twitter to take the unusual step of reaching out to news and media organisations to warn them about the current attacks and offer advice on defensive measures.

The problem is compounded by Twitter's current system, which insists that every Twitter account has only one username/password pair connected with it.

This is unlike the way Facebook pages work where individual users can be assigned different rights for managing and administering their firm's online presence. Combined with two factor authentication (known as Login Approvals on Facebook) this provides a higher level of security, and greater granularity about what users can do.

Twitter's approach inevitably leads media agencies, who are pressured to tweet breaking stories around the clock, to share Twitter passwords with many staff worldwide - and hold their breath that none of them get hacked or have their credentials phished.

It would be great if Twitter could introduce two factor authentication. It would be great if Twitter could introduce a way for firms to give different staffers separate logins for the same account.
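To make the difference between the two models concrete, here is an added example (not Sophos's code, and not how Twitter or Facebook actually implement their login systems) of the pattern the post asks for: one published handle with a separate password, a separate TOTP secret and a role for each staffer. The handle, staffer names, role names and action names are assumptions; the one-time codes follow RFC 4226/6238 and use that specification's published test secret so the result is reproducible.

```python
"""Per-staffer delegated access to one shared publishing account.

Constructed illustration of the pattern described above: each staffer has
their own password, TOTP secret and role, so a phished password alone is
not enough to log in, and one person can be revoked without rotating a
secret that everybody else also knows. Handle, names, roles and actions
are assumptions, not any platform's real API.
"""
import hashlib
import hmac
import os
import struct
import time

# Role ladder (assumed): a higher rank implies the rights of the lower ones.
ROLES = {"viewer": 0, "publisher": 1, "admin": 2}
ACTION_MIN_ROLE = {"read": "viewer", "post": "publisher", "manage_staff": "admin"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked record does not hand over the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SharedAccount:
    """One published identity (e.g. a newsroom handle) with many individual logins."""

    def __init__(self, handle: str):
        self.handle = handle
        self.staff = {}

    def add_staffer(self, username, password, role, totp_secret):
        salt = os.urandom(16)
        self.staff[username] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "role": role,
            "totp_secret": totp_secret,
            "active": True,
        }

    def revoke(self, username):
        # Only this person loses access; nobody else's credentials change.
        self.staff[username]["active"] = False

    def authenticate(self, username, password, code, now=None):
        """Both factors must pass; a stolen password on its own is rejected."""
        rec = self.staff.get(username)
        if rec is None or not rec["active"]:
            return False
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"]):
            return False
        now = int(time.time()) if now is None else now
        # Accept the current 30-second window and one either side for clock skew.
        return any(
            hmac.compare_digest(totp(rec["totp_secret"], now + 30 * skew), code)
            for skew in (-1, 0, 1)
        )

    def can(self, username, action):
        """Role check: a publisher may post but may not manage other staff."""
        rec = self.staff.get(username)
        if rec is None or not rec["active"]:
            return False
        return ROLES[rec["role"]] >= ROLES[ACTION_MIN_ROLE[action]]


def demo():
    """Walk through a normal login, a phished password, role limits and revocation."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, for a reproducible code
    acct = SharedAccount("@newsdesk")  # assumed handle
    acct.add_staffer("alice", "correct horse battery", "publisher", secret)
    t = 59  # RFC 6238 vector: time step 1, whose 6-digit code is 287082
    results = {
        "both_factors": acct.authenticate("alice", "correct horse battery", "287082", now=t),
        "password_only": acct.authenticate("alice", "correct horse battery", "000000", now=t),
        "wrong_password": acct.authenticate("alice", "hunter2", "287082", now=t),
        "can_post": acct.can("alice", "post"),
        "can_manage": acct.can("alice", "manage_staff"),
    }
    acct.revoke("alice")
    results["after_revoke"] = acct.authenticate("alice", "correct horse battery", "287082", now=t)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is the blast radius: when one staffer is phished, the attacker holds a password that is useless without that person's one-time code, and the account owner revokes that single login rather than rotating a password shared across a worldwide newsroom.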

And it would be great if media companies could train their staff to be suspicious of unsolicited emails, be wary of clicking on unknown links, and of unwittingly handing their passwords over to criminals.

The blame for the hackers' success, after all, shouldn't entirely fall on Twitter's doorstep. Ultimately it was a human, working for the media organisation, who made a mistake and was tricked into giving the keys to the castle to a bunch of hackers.

Follow @gcluley


Wednesday, September 11, 2013

Congress asks Google if and how it's protecting privacy with Glass


The US Congress on Thursday sent Google a letter [PDF] listing eight specific privacy areas concerning Glass that legislators would like to know quite a bit more about.

Congress members aren't the only ones.

Since the emergence of Glass - Google's uber-geeky, internet-enabled head gear that's worn like discreet, photo-snapping/video-grabbing eyeglasses - the technology has:

Congress - specifically, eight members of the privacy caucus - has thus risen from the swirl of speculation around Glass and asked Google to answer a specific list of questions.

Letter from Congress to Larry Page Google

Here they are, reiterated and unfolded (Congress packed multiple questions into one question in a few spots):

1. How will Glass not be like WiSpy? As in, how is Google going to prevent Glass from unintentionally collecting data about users or non-users without consent? As it is, Congress pointed out, the company was fined $7 million for its StreetView cars having sucked up information via unsecured wireless networks. How will Google avoid a similar mess with Glass?

2. How will Google proactively protect non-users who get ogled? Is Google building in product lifecycle guidelines? One such framework is Privacy by Design, which covers the embedding of privacy and data protection throughout a technology's lifecycle, from the early design stage to its deployment, use and ultimate disposal. Specifically, Congress wants to know what happens when a customer resells or otherwise disposes of Glass and whether Google has baked in capabilities to keep the original owner's personal information secure.

3. Will Glass use facial recognition? If so, how do users get that information? How do non-users opt out of this personal data collection? If they can't opt out, why is that?

4. Under what circumstances does Google refuse requests from Glass that invade the privacy of others? Congress here references Google's Privacy Policy, which states that it may reject requests that are:

"... unreasonably repetitive, require disproportionate technical effort, ... risk the privacy of others, or would be extremely impractical..."

5. Is Google tweaking its privacy policy to reflect the sensory and processing capabilities of Google Glass? If not, why not?

6. What device-specific information is Google collecting from Glass? Here, Congress is referencing Google's Privacy Policy as it pertains to collecting hardware models, operating system versions, unique device identifiers, and mobile network information, including phone numbers. Is Google collecting data about the user without the user's knowledge?

7. To what extent was privacy considered when approving the first app for Google Glass, rolled out by the New York Times? How is Google ensuring that privacy's a priority for the other app developers who've since followed suit?

8. Is Glass storing data on the device itself? If so, will it be protected, and if so, via what type of user authentication or other means?

Congress is looking for answers by Friday, June 14.

These are great questions, and Congress is to be lauded for asking them.

Some Congress members - well, one, at any rate - actually think highly enough of Google's past respect for privacy to take hope in Glass being rolled out with all due care.

Here's how Sen. Al Franken, a Democrat from Minnesota, put it to Ars Technica:

"In the past, Google has taken a principled position in making facial recognition an opt-in service for its social network, Google+... This gives me hope that this same kind of thoughtfulness will be applied to its roll-out of Glass. I’m looking forward to talking to Google more about its deployment of Glass and what it means for privacy."

Senator, let us hope that *your* hope is not misplaced.

Mine tends to be shredded whenever I contemplate Google's voluminous Privacy Rap Sheet.

Follow @LisaVaas
Follow @NakedSecurity

Image of "No Google Glass" courtesy of Stop the Cyborgs.



Tuesday, September 10, 2013

22 million user IDs may be in the hands of hackers, after Yahoo Japan security breach


The call has gone out to Yahoo Japan's 200 million users to change their passwords, after the company warned that it suspected hackers had managed to access a file containing 22 million user IDs.

Yahoo Japan says that it detected an attempt to gain unauthorised access to its administrative systems on Thursday at approximately 9pm local time.

Although the information taken from Yahoo Japan's servers is said not to contain passwords, or other personal identifying information required to hijack an account (such as the answers to secret questions), the site has decided that users should reset their passwords regardless.

In a press statement published on Yahoo Japan's website, the number one search engine in Japan stressed that it had not confirmed that the data had definitely leaked to the outside world, but that it deeply apologised for any inconvenience caused.

Yahoo Japan statement

Fingers crossed, only user IDs were exposed during the security breach and nothing more serious. But even user IDs should be private, and kept out of the hands of cybercriminals.

Potentially, online criminals now have a database of 22 million Yahoo Japan email addresses - and there are surely slimebags out there who would get a real kick out of spewing out a spam campaign, sending a phishing attack to Yahoo users, posing as a legitimate email from the company, or launching a targeted malware attack.

Hopefully Yahoo Japan will be investigating how the security breach occurred, and putting strong defences in place to prevent it - or anything worse - happening in future.

Follow @gcluley


Monday, September 9, 2013

LulzSec case in UK brings sentences for four men

Four members of the LulzSec hacking group were sentenced in court on Thursday after pleading guilty to various computer hacking-related charges.

(Credit: CNET)

Ryan Ackroyd, 26, Jake Davis, 20, and Mustafa al-Bassam, 18, were all sentenced together with Ryan Cleary, 21, over a two-day hearing at Southwark Crown Court, London.

Each member of the LulzSec hacktivist group admitted to various hacking charges, including taking down corporate and government websites between February and September 2011.

Presiding Judge Deborah Taylor sentenced Ackroyd to 30 months - serving half - and Davis 24 months in a young offenders institution, serving at least 12 months. Bassam received a suspended sentence of 20 months, and Cleary was ordered to serve half of a 32-month sentence.

Judge Taylor commented:

You sought to amuse yourselves and wreaked destruction and havoc. You cared nothing about the privacy of others, but kept your own identities hidden.

Former soldier Ackroyd, who had used the alias of a 16-year-old girl named "Kayla", admitted to hacking into a number of websites in 2011, including those of Sony, Nintendo, News Corp and the Arizona State Police. The 26-year-old sat across from his lawyer with a pensive, wide-eyed look, as he was branded the "most sophisticated" defendant, and responsible for researching vulnerabilities and exploits as well as executing hacks.

The prosecution said that Sony suffered US$20 million in damages, and revenue loss due to the security breach is "incalculable". An estimated 24.6 million customer accounts were compromised.

Davis and Bassam pleaded guilty to counts of conspiring to access and impair a computer without authorization, including launching attacks against the CIA and the UK's Serious Organised Crime Agency (SOCA).

Dressed in a sweatshirt and jeans, Ackroyd could not have been more of a contrast to Bassam, who was suited and booted with a serious but resigned look on his face. Davis, the last to arrive, chewed gum and appeared relatively unconcerned.

As the day wore on, however, the strain showed in the eyes of each member of the hacktivist group as they sat behind a glass wall and watched their fates being bargained for.

According to the prosecution, Davis was responsible for releasing press statements, controlling the LulzSec Twitter feed and defacing website pages.

Bassam was said to have controlled the group's website, published stolen information to sites including Pastebin and helped with stolen data distribution - including through the use of BitTorrent technology and mirror websites. In addition, the LulzSec member allegedly researched computer system vulnerabilities ripe for exploitation.

Cleary, otherwise known by his internet alias "Viral", pleaded guilty to the same hacking charges, in addition to counts of supplying articles with intent to impair computer systems and breaking into US Air Force systems. Cleary spent over five years building a sophisticated botnet - with a minimum of 100,000 computers at its disposal at any one time - which in turn was used for both Anonymous and LulzSec campaigns.

Aside from hacking charges, an additional indictment against Ryan Cleary was delayed due to a court miscommunication. After the seizure of Cleary's computer and subsequent recovery of deleted files, the hacker was charged with downloading and possessing indecent images of children following a second arrest on 4 October 2012.

Under the UK COPINE scale - a measure of the severity of images - the images in question were classified as child "erotica" and deliberate sexual posing. Forty-six images showed children aged between six and 18 months, whereas others included children aged between 10 and 15 years.

The defence team said that Cleary is not a "professional pervert" or sexually obsessed, but rather was obsessed with finding data and using his computer - a reason laid at the door of his client's Asperger's syndrome.

A lack of information in psychological reports and pre-hearing files meant that Cleary, who admitted to downloading the images, will not be sentenced this week.

A number of website intrusions were based on vulnerabilities found within the Internet Explorer browser, and websites with high traffic levels were targeted. The 21-year-old maintained that his botnet was only "rented out" 10 or so times for monetary gain - and raised only £2000 in total - whereas the prosecution stated that it did not believe this was truly the case.

In addition, Cleary's lawyers argued that although he gave botnet access to Anonymous, there is no evidence that he directed or controlled it - therefore, Cleary was guilty of supply rather than actual hacking.

Gideon Cammerman argued that using a botnet is "not brain surgery". Although the result was a sophisticated website take-down attack, the defence lawyer wanted the judge to keep in mind that in the case of the SOCA website, there was no evidence to suggest that the site was infiltrated - it was only taken offline for a short time.

Outside of the courtroom, Cammerman called the LulzSec hackers "a group of talented young boys who hacked particular things for particular reasons."

In contrast, prosecutor Sandip Patel accused the LulzSec members of launching "sophisticated, orchestrated attacks", which caused firms and individuals "millions of pounds' worth" of damage, coupled with the "dire, personal consequences" suffered by individual victims.

Cammerman said the hacktivists were "politically motivated and morally complicated", which made for a complex case. In this manner, both prosecution and defence agreed, as Patel stated in the hearing: "This is not about young, immature men behaving badly."

An indictment based on two counts of encouraging and assisting in an offence was "not in the public interest to pursue". However, as the US has also issued the same indictment, the prosecution had to confirm that currently there has been "no formal request for extradition". Davis' defence team said that "there is an appetite for this type of prosecution in the United States", and it is not a risk the 20-year-old should be exposed to.

As they were individually led away, Bassam looked relieved, whereas the members of the Anonymous splinter group had resigned expressions.

Cammerman said outside of the courtroom that some of the victims were "thoroughly deserving" of what happened to them.

LulzSec exploded onto the hacking scene in 2011, after targeting Sony Pictures Entertainment, which led to PlayStation network being taken down. LulzSec member Cody Kretsinger, 25, was arrested in relation to the initial cyber attack, and was prosecuted in a Los Angeles court last month.

Kretsinger, also known as "Recursion", admitted to one count each of conspiracy and unauthorised impairment of a protected computer as part of a plea bargain, and was ordered to spend one year behind bars and perform 1000 hours of community service.

LulzSec was politically motivated in the beginning; launching the first "cyberwar" in tandem with Anonymous in retaliation to officials' attempts to shut down WikiLeaks. Target choices then began to move away from purely the political, and the Church of Scientology, Westboro Baptist Church and banking systems found themselves under attack.

However, the "hacktivist" group was compromised when de facto former leader Hector Monsegur - otherwise known as "Sabu" - turned mole after his own arrest, and spent nine months passing information to US officials.

The hacker-turned-spy's information led to the arrests of alleged members of LulzSec and Anonymous in March 2012.

The ruling follows the arrest of the self-proclaimed "leader" of LulzSec in Australia. Matthew Flannery, 24, who allegedly used the name "Aush0k" in hacking activities, was charged with hacking into two computers after being apprehended in the coastal town of Point Clare. Flannery appeared briefly before a judge on Wednesday, 15 May, at Sydney Central local court, only to be told his case had been adjourned until 6 August, when it will be held at Woy Woy Local Court.

During the first day of the hearing, Ackroyd wanted closure. His lawyer, John Cooper, counselled that the issue probably wouldn't be over that day, to which the 26-year-old replied, "They won't be done with me for a long time."

No matter the age, the UK justice system is unlikely to be "done" with cybercriminals anytime soon.

