Friday 28 June 2013

FTC cracks down on firms for 'work from home' online scams


FTC Logo
The US Federal Trade Commission (FTC) has agreed to setttle a case against a group of individuals and businesses charged with running a massive marketing scam targeting home workers.
The FTC said that it had a agreed to a series of settlements against the group which had been charged with using deceptive marketing practices to collect money from users looking to start their own web businesses.
The settlement will bar the individuals from continuing with their practices and will also collect a series of fines, though many of the penalties were suspended due to an inability to pay.
According to the complain, first brough forward in May of last year, the scam advertised the opportunity for users to work from home with their own marketing and advertsiing sights. The scam promised users large cash returns by generating referrals and sales commissions from major retailers.
Instead, users were pushed to first invest hundreds of dollars for startup fees and were then solicited a series of advertising packages costing as much as $20,000 with the promise of alrge cash returns which were never generated.
In addition to the ban ending the 'work at home' scheme, the FTC has placed an order barring the group from violating telemarketing regulations and collecting or profiting from the personal data of users under threat of further penalty.
The FTC said that the order was part of aalrger effort to crack down on scams preying on users in financial hardship. With unemployment still high in many areas, users seeking steady employment can often finds themselves more vulnerable to online scams and 'get rich quick' schemes.

Hackers use Opera to sneak spyware onto thousands of Windows machines

opera-browser-logo
Hackers have infected thousands of Windows machines with spyware using a stolen Opera digital signing certificate.
Opera's Sigbjørn VikSigbjorn confirmed the web browser company had lost at least one digital signing certificate during a recent network breach, warning the crooks are using it to mount a defence-dodging spyware campaign on Windows users.
"The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser," wrote VikSigbjorn.
"It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate."
VikSigbjorn called for Opera users to update to the latest browser to avoid falling victim to the attack. "Users are strongly urged to update to the latest version of Opera as soon as it is available, keep all computer software up to date, and to use a reputable antivirus product on their computer," wrote VikSigbjorn.
Trend Micro security researcher Alvin Bacani reiterated VikSigbjorn's sentiment, warning the TSPY_FAREIT.ACU malware used in the attack has several advanced spying powers. "Once executed, TSPY_FAREIT.ACU steals crucial information from certain FTP clients or file managers including usernames, passwords and server names. Aside from FTP clients, TSPY_FAREIT.ACU gathers more information from internet browsers," wrote Trend's Bacani.
"The data is typically login credentials for social networking, banking and ecommerce websites. Using the information, the people behind the malware can get hold of your various online accounts or even initiate unauthorised transactions. They can also profit from the stolen data by selling it to the underground market."
The malware is one of many to use legitimate certificates to bypass traditional defence systems. Last year the tactic was used by the infamous Flame malware, which used a spoofed Microsoft update certificate to bypass its victims' defences.

Facebook shells out $20,000 to bug bounty hero for spotting account hijacking flaw

facebook use drops 9 per cent
Facebook has fixed a critical flaw leaving users open to attack by hackers, shelling out a massive $20,000 to the bug bounty hunter that spotted the exploit.
The bug was originally discovered by UK-based security researcher and bug hunter Jack Whitten. It relates to the way Facebook manages updates to mobile devices via SMS, he explained.

"Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address. The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," Whitten noted.
Whitten said that the flaw could potentially be used by criminals to hijack control of unwary users' Facebook accounts. "The thing is, profile_id is set to your account (obviously), but changing it to your target's doesn't trigger an error. To exploit this bug, we first send the letter F to 32665, which is Facebook's SMS shortcode in the UK. We receive an eight-character verification code back. We enter this code into the activation box, and modify the profile_id element inside the fbMobileConfirmationForm form," he wrote.
"Now we can initate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we're done. The account is ours."
A Facebook spokesman confirmed to V3 it has since fixed the flaw, changing it so its systems no longer accept the profile_id parameter listed in Whitten's exploit from the user. The spokesman went on to thank Whitten for his help uncovering the exploit, listing it as a key victory in Facebook's ongoing bug bounty programme. "Facebook's White Hat programme is designed to catch and eradicate bugs before they cause problems. Once again, the system worked and we thank Jack for his contribution," the Facebook spokesman said.
He added the flaw could never have been automatically exploited, meaning its impact, even if targeted by hackers, would be limited. Despite the comment, other bug hunters have attacked Facebook, claiming Whitten has been drastically under-rewarded. Commentator Mohammad Husain wrote on his blog: "This is worth more than $20,000", while fellow blogger Shadôw Hawk added, "This issue is worthy [of a] million dollars".
Bug bounties are an increasingly common tactic used by tech companies to spot flaws in their systems, with big name firms like Google having established programmes. Most recently, security aggregator PacketStorm launched its own bug bounty programme, offering bug hunters as much as $7,000 for uncovering working exploits.

PRISM: David Davis says UK laws to protect citizens from surveillance are ‘completely useless'

The Houses of Parliament in London
The processes in place to protect UK citizens from surveillance by spy agencies such as GCHQ have been branded ‘completely useless' by former shadow home secretary and MP David Davis.
Speaking in the House of Commons at a session on the PRISM and Tempora revelations of the past few weeks, Davis said that it was clear from the level of data claimed to have been gathered by GCHQ that UK citizens had little protection from data-gathering technologies.
"The supervision procedures are completely useless - not just weak, but completely useless," he said at the committee event, attended by V3. "What Tempora has done is raise a red flag that we have to rethink, from scratch, all the oversight arrangements we have."
Davis said he, like everyone else, was only learning about these issues as they are being brought to light by whistleblowers, and said it was unclear why exactly the UK spy agencies were willing to hand so much data to the US. He laid out two main possibilities.
The first, he said, was as a ‘big chip' replacement for the intel the UK used to be able to provide to the US authorities from areas like Hong Kong and Cyprus, areas where the UK's influence has now waned.
The second, he said, was simply to provide information to the US in return for data from across the pond. This would be a "loophole" by which the UK could gather data on its citizens without directly doing so.
Looking to the future, Davis said one silver lining of the uproar from the revelations about PRISM and Tempora is that the Communications Data Bill, the so-called Snoopers' Charter, is unlikely to see the light of day for at least a year, despite calls for its return in the aftermath of the murder of soldier Lee Rigby in Woolwich.
"In the last five days a number of people [other MPs] who were huge sceptics about all this sort of thing have said to me, ‘maybe you are right', so we've probably seen it off for a year or so," he said. "After Woolwich there were calls that perhaps we need it [the Communications Data Bill] but MI5 themselves have admitted it would have made no difference, and it would probably cause more incidents as they'd be wasting time in databases rather than tracking people."

The role of organisational factors in insider cyber activity

Cyber insider is someone who (knowingly or unknowingly) misuses legitimate access to commit a malicious act or damage their employer.
It is widely recognised that the threat to enterprises from insider activities is increasing and that significant costs are being incurred.
Insider act takes place where is often an exploitable weakness with the employer’s own protective security or management practices which enables the insider to act.
The following organisational practices were identified as key enablers to an insider act:

  • Poor management practices
A general lack of management supervision or oversight of employees meant that many of the behaviours,
problems and activities of the insider were noticed but went unaddressed.
Management failure to address individual issues within the workplace (such as poor relationships with
colleagues, absenteeism or anti-social behaviours) often appears to have resulted in the behaviours
becoming more frequent or extreme.
Management failure to manage and resolve workplace issues (such as boredom or lack of work, overwork,
lack of resources or specific grievances) appears to have contributed to the level of employee disaffection.
  • Poor usage of auditing functions
Some organisations had not made regular and systematic use of their own IT or financial auditing functions to be in a position to quickly spot irregularities or unusual behaviours.
This enabled insiders to act in the first place and for some to continue acting without detection for longer than necessary.
  • Lack of protective security controls
Some organisations had not implemented simple systems for controlling how employees could introduce or remove organisational data electronically, and manipulate organisational information remotely even after their employment had been terminated.
Basic ‘need to know’ principles were not rigorously applied, allowing some insiders to acquire knowledge they did not actually need for their job and then use it to commit an insider act.
Lack of segregation of duties was particularly in evidence in process corruption cases, where one individual would be in a position to manipulate systems or data without needing approval or endorsement from a second employee.
  • Poor security culture
The case studies often revealed that a poor security culture existed in areas where insider acts took place, with a general lack of adherence to security policies and practices by employees, and with management being either unaware of these malpractices or failing to deal with them effectively.
Examples of the most common occurrences were the sharing of security passwords amongst employees, not locking computer terminals and allowing others to use logged-on terminals, sensitive materials being left on desks, security containers being left unlocked and pass access to secure areas not being enforced.
  • Lack of adequate role-based personnel security risk assessment prior to employment
In some insider cases organisations had placed individuals in positions without considering their suitability for the role and potential complications that might arise. For example, there were cases where employees had been placed in roles likely to make them more vulnerable to compromise due to their nationality,family connections or ideological sympathies.
There were also cases where the insider simply did not have the skills, experience or aptitude for the role,and without careful management, the employee was easily manipulated by a malicious third party or simply unwittingly committed an insider act.
  • Poor pre-employment screening
In a small number of process corruption cases it was evident that the appropriate level of preemployment screening had not been undertaken; most notably failures to identify that the individual had a history of fraudulent behaviour (such as credit card or benefit fraud) prior to recruitment.
  • Poor communication between business areas
The study has shown that if an organisation does not communicate and share information about threats and risks, but keeps the information in organisational silos, then its ability to mitigate and manage insider activity is severely reduced.
The study found cases where counter-productive workplace behaviour was known in one part of the organisation but had not been shared with others, resulting in delays to the organisation taking mitigating action to reduce the risk.
To fully understand the level of risk an employee poses, an organisation should be able to access information held by Human Resources concerning performance and welfare issues, information held by IT about access to electronic data, and Security for physical breaches of security policies. If information is retained by just one area of the business the organisation may misjudge the risk that it is carrying.
  • Lack of awareness of people risk at a senior level and inadequate governance
A lack of awareness of people risk at a senior level can lead to organisations missing the attention and resources necessary to address the insider threat. There needs to be a single, senior, accountable owner of people risk to whom all managers with a responsibility for people risk report.
Inadequate corporate governance and unclear policies in managing people risk and strengthening compliance can also make it more difficult to prevent and detect insider activity.

Threat Assessment: Italian organised crime

Italian organised crime is known all over the world, to the point that the term ‘Mafia’ is now understood across the globe as referring to the organised criminal underworld. Literature on the subject is abundant, ranging from history, sociology and criminology to fiction and plain entertainment. The distinctive character, looks, habits, idiosyncrasies and jargon of the Mafiosi have been described, analysed, explained and imitated. Apparently, everybody is familiar with Italian organised crime.
Nevertheless, a document analysing the overall scope of Italian organised crime at an international level from the law enforcement (LE) perspective, and the threat it poses in the EU and beyond, does not exist. This document is intended to fill that important information gap.
This is a public report intended for a wide audience, based on a more detailed strategic assessment prepared for law enforcement purposes.
The extreme difficulty in collecting information of the required quality confirmed the particular nature of Italian OC, which tends to operate ‘under the radar’ whenever it acts outside its territory.

New Breed of Banking Malware Hijacks Text Messages

Out of band authentication  communicating with a customer outside of his mobile banking app to verify his identity or a specific transaction  is a generally respected means of deflecting mobile banking fraud.
But RSA's Anti-Fraud Command Center on Monday found and reported on a Trojan called Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS. This doesn't mean out-of-band authentication via text messaging is useless, but it can be compromised using a dated, unsophisticated piece of malware.
In the first step of this type of cyberattack, the online banking customer's computer is infected with a banking Trojan. This typically happens in one of two ways. In one, the customer receives an email with an attachment that he feels compelled to open — it might be from an online merchant from whom he has recently purchased a product, for instance. When he opens the attachment, he realizes the order is bogus. He may or may not realize his computer is infected.
The second way the Trojan enters the customer's computer is through a link to a familiar website in a social media post or an instant message. "When you get there, it looks like nothing is wrong, but you've just had a drive-by download," says Limor S. Kessem, cybercrime and online fraud communications specialist at RSA.
Kessem sees social media increasingly being used in such attacks. "Criminals are like, everybody is there, let's go there, too  whatever's popular," she says. Banking Trojans will steal Facebook credentials to infect the user's computer or the machines of other people on that user's contact list. "It's a very social trend," Kessem says.
When the customer logs into his online banking account from the infected machine, the Trojan will pop up a screen created via web injection. One created by the Bugat Trojan will tell the victim he needs to install security for his phone to protect his mobile banking transactions. It will ask him for his phone number and the type of mobile platform he uses (Android, iOS, BlackBerry, etc.) The customer is then provided with a link to download the security application on a third-party site.
"If you have an iPhone, that's not going to happen," Kessem points out. "Apple won't let you download apps from somewhere else. The way Apple does things has managed to keep it pretty malware-free in that sense."
The Android operating system discourages, but does not completely block, the downloading of third-party apps. The default setting on an Android phone prevents the installation of apps from unknown sources (any source other than the Google Play store). With that setting adjusted, the user can install apps from any location. When the user allows the downloading of apps from unknown sources, he receives a message warning him that his phone and personal data are more vulnerable to attack.
Android users who allow the installation of third-party applications and who click on the mischievous link are sent to the cybercriminals’ site and install the fake security application on their phone.
The app asks for permission to use SMS messaging, the customer will authorize it, and an SMS forwarder starts running in the background on that person's phone.
The next step for the attacker is to match the victim's mobile device with his computer. He'll present the victim with a code on his phone screen and ask him to type it into his the computer screen to pair the two devices.
Now, when the bank sends an SMS code to the victim's infected phone, the attacker grabs it. The cyberthieves are careful to not steal all text messages. "That would be too suspicious and too much data," says Kessem. "'I love you honey, I'm coming home,' is not necessary for the attacker, they just want things with a number." If a bank tends to use 12-digit codes, the malware will use an if-then script to pick out only SMS messages that contain those. The customer never knows what he missed.
The attacker receiving the SMS message then attempts to complete a transaction, impersonating the victim.
The Bugat Trojan is private malware developed by Russian-speaking developers for a closed gang, Kessem says. It's been in operation since 2010, but the nature of the attacks it's used for has changed and the SMS component is new.
"They used to go after business accounts and big money," she says. Recently, the operators built an SMS forwarder for it to target mobile banking.
"We're impressed by how they built it," she says. "They have this whole infrastructure that pulls the forwarders for each of the banks they target. They're very organized and very professional, they've made this special webinject to look very real and very colorful. It specifically matches the bank's total messaging."
One thing banks can do to prevent falling for this fraud is to educate their customers, Kessem says. They should tell customers to never download anything to do with their bank account from a third-party site. If they have any doubt about a link or application, they should call their bank.
To thwart the SMS-forwarder aspect of these attacks, Kessem recommends contracting anti-Trojan services like RSA's. "We disable the communication points of Trojans, make sure the whole clientele doesn't get infected or transmit their data to the attackers," she says. "Instead of going on the end point device, which is almost impossible, we disable all the information streaming to the botmaster. Without the Trojan itself, the SMS forwarder won't be that useful anymore."
Banks can also step up their fraud analytics and risk analytics, to challenge more of those transactions that look fishy or strange, even where they use out-of-band authentication using SMS messages. They could block such transactions or require a phone call to the customer.

Cyber Jihadists battle governments from south Algeria to Nigeria

In Nouakchott, a dusty city wedged between the Atlantic ocean and western dunes of the Sahara, a young hip-hop fan coordinates a diverse group of hackers targeting websites worldwide in the name of Islam.
Logging on to his computer, he greets his Facebook followers with a "good morning all" in English before posting links to 746 websites they have hacked in the last 48 hours along with his digital calling card: a half-skull, half-cyborg Guy Fawkes mask.
He calls himself Mauritania Attacker, after the remote Islamic republic in west Africa from which he leads a youthful group scattered across the Maghreb, southeast Asia and the West.
As jihadists battle regional governments from the deserts of southern Algeria to the scrubland of north Nigeria, Mauritania Attacker says the hacking collective which he founded, AnonGhost, is fighting for Islam using peaceful means.
"We're not extremists," he said, via a Facebook account which a cyber security expert identified as his. "AnonGhost is a team that hacks for a cause. We defend the dignity of Muslims."
During a series of conversations via Facebook, the 23-year-old spoke of his love of house music and hip hop, and the aims of his collective, whose targets have included U.S. and British small businesses and the oil industry.
He represents a new generation of Western-style Islamists who promote religious conservatism and traditional values, and oppose those they see as backing Zionism and Western hegemony.
In April, AnonGhost launched a cyber attack dubbed OpIsrael that disrupted access to several Israeli government websites, attracting the attention of security experts worldwide.
"AnonGhost is considered one of the most active groups of hacktivists of the first quarter of 2013," said Pierluigi Paganini, security analyst and editor of Cyber Defense magazine.
An online archive of hacked Web sites, Hack DB, lists more than 10,400 domains AnonGhost defaced in the past seven months.
Mauritania, a poor desert nation straddling the Arab Maghreb and black sub-Saharan Africa, is an unlikely hacker base. It has 3.5 million inhabitants spread across an area the size of France and Germany, and only 3 percent of them have Internet access.
Much of the population lives in the capital Nouakchott, which has boomed from a town of less than 10,000 people 40 years ago to a sprawling, ramshackle city of a million inhabitants. In its suburbs, tin and cinderblock shanties battle the Sahara's encroaching dunes and desert nomads stop to water their camels.
In the past six months experts have noted an increase in hacking activity from Mauritania and neighbouring countries. In part, that reflects Mauritania Attacker's role in connecting pockets of hackers, said Carl Herberger, vice president of security solutions at Radware.
"This one figure, Mauritania Attacker, is kind a figure who brings many of these groups together," Herberger told Reuters.
MODERN TECHNOLOGY, ANCIENT MISSION
Mauritania Attacker says his activities are split between cyber cafes and his home, punctuated by the five daily Muslim prayers.
Well-educated, he speaks French and Arabic among other languages and updates his social media accounts regularly with details of the latest defacements and email hacks. He would not say how he made a living.
His cyber threats are often accented with smiley faces and programmer slang, and he posts links to dancefloor hits and amusing Youtube videos. But his message is a centuries-old Islamist call for return to religious purity.
"Today Islam is divisive and corrupt," he said in an online exchange. "We have abandoned the Koran."
Mauritanian Attacker aims to promote "correct Islam" by striking at servers hosted by countries they see as hostile to sharia law. "There is no Islam without sharia," he said.
Mauritania is renowned for its strict Islamic law. The sale of alcohol is forbidden and it is one of only a handful of states where homosexuality and atheism are punished by death.
The quality of Mauritania's religious scholars and koranic schools, or madrassas, attract students from around the world. Mauritanians have risen to prominent positions in regional jihadist groups, including al Qaeda's north African branch AQIM.
As hackers from the region organise into groups, the Maghreb is emerging as a haven for hacktivism as it lacks the laws and means to prosecute cyber criminals, Herberger said.
"There's a great degree of anonymity and there's a great degree of implied impunity," he said.
Security sources in Nouakchott said they were not aware of the activities of Mauritania Attacker.
He says he supports Islamists in Mauritania but opposes his government's support for the West, which sees the country as one of its main allies in its fight against al Qaeda in the region.
With tech-savy young Muslims in the Maghreb chafing under repressive regimes, analysts anticipate a rise in hacktivism.
Hacking is a way for young people to express religious and political views without being censored, says Aaron Zelin, fellow at the Washington Institute.
"These societies are relatively closed in terms of people's ability to openly discuss topics that are taboo," he said.
For disillusioned youth in countries like Mauritania, where General Mohamed Ould Abdel Aziz seized power in a 2008 coup before winning elections the next year, hacking has become "a way of expressing their distaste with status quo," Zelin said.
JURY OUT ON GROUP'S REACH
AnonGhost's global reach is its greatest weapon, but it has yet to stage a major attack on a Western economic target.
Most of AnonGhost's campaigns have simply defaced Web sites, ranging from kosher dieting sites to American weapon aficionado blogs, with messages about Islam and anti-Zionism.
It has attacked servers, often hosting small business websites, located in the United States, Brazil, France, Israel and Germany among others.
Mauritania Attacker and the AnonGhost crew say these countries have "betrayed Muslims" by supporting Israel and by participating in the wars in Afghanistan and Iraq.
"We are the new generation of Muslims and we are not stupid," read a message posted on the Web site of a party supply business in Italy. "We represent Islam. We fight together. We stand together. We die together."
The team has also leaked email credentials, some belonging to government workers from the United States and elsewhere.
As part of a June 20 operation against the oil industry, carried out alongside the international hacking network Anonymous, Mauritania Attacker released what he said were the email addresses and passwords for employees of Total.
A spokesperson for the French oil major did not immediately respond to requests for comment.
One security expert said AnonGhost's attacks exploited "well-known vulnerabilities in configurations of servers" in target countries rather than going after high-profile companies.
Carl Herberger, vice president of security solutions at Radware, remains unconvinced AnonGhost has the technical skills to wage full-scale cyber terrorism by harming operational capabilities of companies or government agencies.
"The jury is still out," he said, but cautioned against underestimating the emerging group. "You're never quite sure what they're going to do on the offensive, so they have to be right only once and you have to be right always."

US spy device 'tested on NZ public'

A high-tech United States surveillance tool which sweeps up all communications without a warrant was sent to New Zealand for testing on the public, according to an espionage expert.
The tool was called ThinThread and it worked by automatically intercepting phone, email and internet information.
ThinThread was highly valued by those who created it because it could handle massive amounts of intercepted information. It then used snippets of data to automatically build a detailed picture of targets, their contacts and their habits for the spy organisation using it.
Those organisations were likely to include the Government Communications Security Bureau (GCSB) after Washington, DC-based author Tim Shorrock revealed ThinThread was sent to New Zealand for testing in 2000-2001.
Mr Shorrock, who has written on intelligence issues for 35 years, said the revolutionary ThinThread surveillance tool was sent to New Zealand by the US National Security Agency. The GCSB is the US agency's intelligence partner - currently under pressure for potentially illegal wide-spread spying on the public.
The claim ThinThread was sent to New Zealand has brought fresh calls for the bureau to explain what it does.
A spokesman said the bureau was currently reviewing how much it did tell the public - but it would not be making comment on the ThinThread test. He said the intelligence agency "won't confirm or deny" the claim because it was an "operational" matter.
A spokeswoman for Prime Minister John Key also refused to comment saying it was an operational matter.
The claim emerged in an article by Mr Shorrock which ran in a magazine last month and featured whistleblower William Binney - a former high-ranking NSA official who designed ThinThread.
Mr Shorrock said the "ThinThread prototype" was installed at two NSA listening posts in late 2000 and at Fort Meade where the NSA is based.
"In addition, several allied foreign intelligence agencies were given the program to conduct lawful surveillance in their own corners of the world. Those recipients included Canada, Germany, Britain, Australia and New Zealand."
The "lawful" aspect was due to the software's ability to mask the identities of those whose information was being intercepted - a technical work around of the legal barrier which prohibits New Zealand and the US from spying on its own citizens.
Mr Shorrock said ThinThread operated in three phases. It began by intercepting call, email and internet traffic on a network and automatically assessing it for interest. The scale of the traffic was such that it narrowed down targets of interest by focusing on patterns of information rather than the content of the information.
Secondly, ThinThread automatically anonymised the collected data so the identities stayed hidden "until there was sufficient evidence to obtain a warrant".
The magic was in the back end of the system which used the raw data "to create graphs showing relationships and patterns that could tell analysts which targets they should look at and which calls should be listened to" using "metadata" - the same type of "information about information" which featured in about 60 of the 88 potentially illegal spying cases identified in the GCSB review.
The Greens and Labour both said it showed the need for an inquiry into the GCSB - an investigation which both have repeatedly demanded. Greens' co-leader Russel Norman said the Prime Minister and GCSB needed to explain to the public whether it was spied on by ThinThread.
"It reinforces why there is a different set of rules for the GCSB - they are integrated into this global spy network," he said.