Lisa Vaas( nakedsecurity - July 21, 2014 )
How’s this for irony? A pair of fraudsters phished bank account details out of over 150 Apple users by sending them hairy-scary messages about their accounts having been compromised. Naturally, those accounts weren’t compromised before the messages came, but they sure were compromised in short order after the crooks coerced people into sending account details to a bogus website. London’s Metropolitan Police said in a release that the duo sent emails claiming to be from Apple. The emails directed victims to update details for the purportedly compromised accounts by clicking on a link to a bogus website. When the unsuspecting victims complied, sending data that included bank details, an email was sent directly to the defendants. They used the details to siphon off money. Then, they turned around and used that money to buy tickets for more foreign national criminals - in effect, importing people to commit crime in the UK.
Dan Goodin( Ars Technica - July 18, 2014 )
In 2010, elite hackers, most likely from Russia, used at least two zero-day vulnerabilities to penetrate the computer network operated by Nasdaq Stock Market, a hack that allowed them to roam unmolested for months and plant destructive malware designed to cause disruptions, according to a media report published Thursday. The intrusion initially caught the attention of officials inside the National Security Agency, the Central Intelligence Agency, and departments of Defense, Treasury, and Homeland Security for two reasons, Bloomberg Businessweek journalist Michael Riley reported in an article headlined How Russian Hackers Stole the Nasdaq. One, it appeared to be the work of hackers sponsored by Russia or another powerful nation-state. Two, far from the typical espionage campaigns that merely siphon out secret data, the malware involved in the attack contained what early on appeared to be a digital bomb that could cause serious damage.
Jef Cozza( NewsFactor - July 18, 2014 )
NTP attacks provide hackers with the ability to generate high-volume DDoS traffic to target Web sites or public-facing devices in order to disrupt services. In an NTP attack, bot computers are enlisted to send a request for the correct time from an NTP server, but the return address is spoofed with the targeted Web server’s address. The number of distributed denial-of-service (DDoS) attacks set a record in the first half of 2014, according to a report by Arbor Networks. The number of attacks over 20 GB/sec doubled compared with the same period in 2013. Although the first quarter saw the most concentrated burst of large volumetric attacks in history, things calmed down somewhat in the second quarter. The largest reported attack in the second quarter was 154.69 GB/sec, down 52 percent from Q1. That was a Network Time Protocol (NTP) reflection attack targeting a destination in Spain, Arbor Networks said.
Talbot Boggs( Brandonsun - July 16, 2014 )
Identity theft is a very real and present danger. In the past 12 months some seven million Canadians became victims of identity theft with an average direct cost per victim of US$372.00, according to internet/computer security company Norton. Identity theft is the result of an unconsented or unknown use of an individual’s personal information. It often occurs in conjunction with crimes such as fraud, forgery, or theft. Likely targets for an identity thief can include a Social Insurance Number (SIN), driver’s licence number, credit cards, debit cards, cheques, phone cards, passwords, and PIN numbers. In general, identity thieves look for the opportunity to make a transaction and obtain cash, merchandise, or services before their identity can be found or the true information owner can be notified. Although it may sound simple, the main way of combatting identity theft is to use caution when making any purchase or when otherwise safeguarding your personal information.
Lamont Wood( Computerworld - July 16, 2014 )
Getting employees to take security seriously when security is not their job is an old challenge that now has a new answer: Gamification. That’s right; game-like elements are used to enhance security awareness and modify users’ behaviors. The results are tightly connected to the real world. “Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email,” reports Patrick Heim, chief trust officer at Salesforce.com, describing the results after 18 months of an ongoing security awareness gamification effort, based on positive recognition rather than negative reinforcement, at that firm of 13,000. Building awareness of physical security was also part of the effort. A campaign to test “tailgating” (an unauthorized person following an authorized person through a secured door) drew 300 volunteers, who were rewarded if they got through a door and took something.
Andrea Peterson( Washington Post - July 16, 2014 )
Tech giant Google announced a new team of security researchers aimed at making the web a safer place by discovering “zero day” vulnerabilities Tuesday. But if you’re not a security researcher, you might be asking what exactly zero day vulnerabilities are. Don’t worry, we’re here to help.
What is a zero day vulnerability? Essentially, it’s an unknown bug in a computer application. Software companies are pretty much constantly working to find and fix problems in their programs, but coding can be a messy business and mistakes often slip through. When a company finds a problem, they release a patch for it
Steve Ragan( Network World - July 15, 2014 )
E-ZPass Group, a toll collection program consisting of 25 agencies in 15 states, has issued a warning to customers concerning a phishing scam that is posing as a collection notice. In a notice to customers, E-ZPass stated that the messages being reported are not authorized communications, even if a person’s account is behind on payments. If that happens to be the case, payment notices are invoiced and sent to the customer directly via the United States Postal Service. “We advise you not to open or respond to such a message should you receive one,” the E-ZPass warning stated. The emails are coming from compromised WordPress installations, and have been sent in batches since July 8. The messages use the E-ZPass brand’s colors (a bold purple that is present on all toll signs in the states where the service is used), and contain a subject related to driving on toll roads. More than likely, the E-ZPass warning notes, the message is an attempt to steal sensitive information, including usernames, passwords, and financial data. However, Gary Warner, Chief Technologist and Co-Founder of Malcovery, tested the phishing emails and discovered that the links were pointing to malware that will connect the infected host to the ASProx botnet. Based on information he has received, the infected systems are primarily being used for advertising click-fraud.