Friday 12 July 2013

Old-school security? Kremlin orders $15,000-worth of electric typewriters

A Kremlin security agency has ordered $15,000-worth of electric typewriters – sparking international gossip about a return to “old school” security measures.
The order, for 48,654,000 roubles-worth of electric typewriters for the Russian Federal Guard Service (FSO), was interpreted by some as a response to current concerns over computer security.
“After scandals surrounding the distribution of secret documents by WikiLeaks, Edward Snowden, and reports about Dmitri Medvedev being listened in on during his visit to the G20 summit in London, it has been decided to expand the practice of creating paper documents,” an unnamed source told Russia’s Izvestia newspaper.
“Many documents are still not created in electronic format. This practice continues inside the defense ministry, the emergency situations ministry and the security services,” the source said.
Russia Today said that the move was not evidence of heightened security; rather, the Russian government had always used such measures to keep data safe, and the new order was simply to replace existing equipment.
“It’s not something unusual – the time came to change them. Everyone has these typewriters – the Emergencies Ministry, Ministry of Defense, every special service has them,” an FSO officer told Russia Today.
“They are still used to prepare documents, which we do not envisage having an electronic form,” a source told Russia’s Itar-Tass news agency, describing it as, “Normal practice to ensure security of information.”

Guccifer Leaks Sexy Emails of Former US DIA deputy director

Guccifer, the unidentified hacker who has hit a string of high-profile targets, has leaked emails of Roy Apseloff, former vice deputy director for information management and deputy chief information officer at the US Defense Intelligence Agency (DIA).

Guccifer sent pictures and files to gawker.com. In one of the emails, the former DIA deputy CIO admits that they “are very involved in the WikiLeaks stuff.”
Assuming Guccifer hooked Apseloff the same way he hooked the rest of his victims, the DIA honcho took some easy bait—likely a phishing email that gathered his passwords by pretending to be a friend or a technology company. One hopes that the DIA future-proofing plan he was coming up with is a little more sophisticated than his own personal security techniques.

New Spam Campaign Exploits Pinterest

Security researchers have discovered a new spam campaign using the Pinterest brand to spread malware via a Blackhole Exploit Kit.
The messages look like legitimate emails from Pinterest, informing users that their passwords have been reset and urging them to click on the included link to see their new ones.
This may fool some users into thinking the message is legitimate, since most know that companies direct users to their websites rather than asking for or showing personal details in emails.
However anyone who clicks on the link is sent through a dizzying series of website redirects which ends with the download of TROJ_PIDIEF.USR, a trojan horse that calls to a remote server and downloads another piece of malware called BKDR_KRIDEX.KA.
A member of the Cridex family, it allows a hacker to remotely access an infected PC and take total control over it. This allows them to steal personal info and sensitive documents, use the PC’s internet connection and email accounts to pump out spam and call to a remote server to download more malware, block any anti-virus programs, and more.
Cridex in particular monitors the computer for visits to online banking sites and steals the logon credentials typed in. This data is then used by the hacker to clean out the account, go on a spending spree, or sell on the black market to other hackers.
It’s imperative your employees are continuously educated on how to spot and protect themselves from phishing attacks and malicious spam. Both can seriously compromise your network and the data it holds, costing you your customers’ trust and possibly a great deal of time and money.
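A minimal mail-filter heuristic for the lure described above, added here as an example rather than code from the original report: it parses a constructed Pinterest-style “password reset” message (not a real campaign sample), checks for the reset wording, and flags links whose real target leaves the impersonated brand’s domain or disagrees with the URL shown to the reader. The brand-to-domain table, the lure patterns and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message from the campaign: a Pinterest-branded
# "your password has been reset" lure whose link leaves the Pinterest domain.
SAMPLE_EMAIL = """\
From: Pinterest <no-reply@pinterest.com>
To: user@example.org
Subject: Your Pinterest password has been reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password has been reset. Click the link to see your new password:</p>
<p><a href="http://redirect-one.example/track?id=42">https://pinterest.com/reset</a></p>
</body></html>
"""

# Brands and the registrable domains their genuine mail links to (assumed list).
BRAND_DOMAINS = {"pinterest": {"pinterest.com"}}
# Wording typical of the reset lure described in the report (assumed patterns).
LURE_PATTERNS = [r"password has been reset", r"see your new password"]

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude eTLD+1: the last two labels (enough for .com-style domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse(raw_message):
    """Flag a message that combines a brand claim, the reset lure and off-brand links."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    header_text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    claimed = next((b for b in BRAND_DOMAINS if b in header_text), None)
    parser = LinkExtractor()
    parser.feed(body)
    visible = re.sub(r"<[^>]+>", " ", body) + " " + msg.get("Subject", "")
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, visible, re.I)]
    off_brand = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None
        if claimed and registrable_domain(host) not in BRAND_DOMAINS[claimed]:
            off_brand.append(href)   # link target leaves the claimed brand's domain
        elif shown and registrable_domain(shown) != registrable_domain(host):
            off_brand.append(href)   # displayed URL disagrees with the real target
    return {"brand": claimed, "lure_hits": lure_hits, "off_brand_links": off_brand,
            "suspicious": bool(claimed and lure_hits and off_brand)}

if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

The same link check flags a benign-looking message once its only link is redirected off-brand, which is the property the redirect chain in the campaign relies on.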

Afghan Cyber Army Hacked Pakistan Ministry of Defence

Afghan Cyber Army briefly breached and defaced six Pakistani government websites.
The targeted websites include mod.gov.pk (Ministry of Defence), mpnr.gov.pk (Ministry of Petroleum and Natural Resources), ntb.gov.pk (National Training Bureau), ead.gov.pk (Economic Affairs Division), cabinet.gov.pk (Cabinet Division) and interior.gov.pk (Ministry of Interior).
Mirror links were posted on the official Facebook page of the Afghan Cyber Army.
The hackers posted a message on the websites that read: “We do not fear anyone or anything. We are united Alhamdullilah. we fight together, we stand together, we die together. You can just kill innocent people, women and children. But there is no future for you... We are coming with huge speed. Corruption will be under control. Afghans will have money and power.
Then there will be no one to save you and remember: WE ARE AFGHANS, we don’t forget we don’t forgive. We will revenge our brother’s blood today or tomorrow, we or our children.”
Later, the affected web pages were removed and the websites appeared to be working properly.

Cyberinfocts Ethical Hackers Forum


This forum is a place where people who are interested in IT Security come together and discuss the latest threats and how they can tackle them. The interactive Professional Forum is designed for professionals working in Information Security and related fields to come and share ideas and experience.
The sessions are practical, based on the latest tools and approaches.
The Next Forum Details
Date: 13th July 2013
Time: 10 am Prompt
Venue: No 2 Allen Avenue Buffallo Plaza Ikeja Lagos

Topics
Hacking Exposed by Adebayo Mofehintoluwa
Bluetooth Hacking by Chidi Obum
Working with Wireshark by Chidi Obum
IT Compliance -- PCI DSS (Credit Card) by Adebayo Mofehintoluwa


Registration Fee: 500
To reserve your seat please call 07037288651 or visit http://cyberinfocts-security.eventbrite.com

Sony gives up £250,000 fine appeal after PlayStation hacks

Sony has given up its appeal over a fine of £250,000 from the Information Commissioner’s Office (ICO), having originally vowed to fight the case. The firm said it had done so to avoid revealing information on its security procedures, rather than because it now agrees with the fine.

The ICO handed the fine to the firm at the start of the year after a hack in 2011 on its PlayStation Network left millions of customers' details exposed, including their addresses, email addresses, dates of birth and account passwords. The ICO said customers' payment card details were also at risk.
The ICO's deputy commissioner David Smith said Sony, as a leading technology company, should have been better prepared. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe," he said when announcing the fine.
However, Sony said at the time it would appeal as the breach that exposed the data was the result of a "focused and determined criminal attack".
But, writing on Twitter, the ICO said Sony had now dropped its case on the appeal.
Sony said that it was giving up the appeal because it was wary of revealing the additional information on its security procedures that the process would have required, rather than because of any change of heart.
"After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits," a spokesperson said.
The ICO said it was pleased the firm had dropped the case: "We welcome Sony Computer Entertainment Europe Limited’s decision not to appeal our penalty notice following a serious breach of the Data Protection Act."
The news comes on the same day that the ICO handed out a substantial penalty to the NHS Surrey Trust of £200,000 for passing computers to a data destruction company that ended up selling the devices at auction still containing the sensitive records of 3,000 individuals.

NHS Surrey hit by £200,000 fine after patient data found on computers sold at auction

NHS Surrey has been hit with a £200,000 fine by the Information Commissioner’s Office (ICO) after 3,000 patient records were found on a computer sold at auction, in one of the worst cases of data handling in the health sector seen to date.
The computer was being sold by a ‘data destruction’ company that the Trust had given the device to for wiping and selling. However, when it was bought by a member of the public the data was still on the device.

The data related to confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2,000 children.

Once the issue came to light NHS Surrey worked to reclaim 39 other computers sold by the data destruction provider, which worked free on the basis it could keep components to resell once the devices were wiped. Ten computers were recovered, three of which were found to contain sensitive data. 

After investigating the incident the ICO said it found numerous issues with the Trust’s data-handling processes. It had no contract in place with the data destruction company that explained its requirements under law and it failed to monitor or observe the data destruction process. The Trust also mislaid records on the devices that had been sent for wiping and could not confirm how many computers had been sent for processing.

Stephen Eckersley, ICO head of enforcement, said the breach was “truly shocking” and that those processing sensitive data should know better.

“NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online,” he said.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”

The Department of Health (DoH) confirmed the fine had been received and was exploring its options.
“We take the loss of personal data very seriously. At the time NHS Surrey contacted patients involved to make them aware of the data breach. This case is currently the subject of legal proceedings.”
In June a basic fax blunder cost Staffordshire NHS Trust £55,000 while the record fine from the ICO – of £325,000 – was handed to NHS Brighton last year.

PRISM: Microsoft denies giving NSA blanket access to Outlook and Skype

Microsoft has rejected claims that it co-operated deeply with the US government, including by circumventing encryption in its Outlook.com email and giving access to its SkyDrive cloud storage service and Skype.
Documents leaked to the Guardian by NSA whistle blower Edward Snowden allege "blanket access" was given to US security services by Microsoft, and that Microsoft worked with agents to "understand" an Outlook feature that allows users to create alias email addresses.
The material seen by the Guardian also claims that the NSA had managed to achieve improved monitoring of Skype, which is owned by Microsoft, tripling the amount of video calls they were able to tap.
Agents were also allegedly given "easier access" to SkyDrive, which currently has more than 250 million users worldwide.
A statement issued by Microsoft denied it had provided blanket access to its products for NSA surveillance teams, and reiterated that it only responds to valid requests. "We have clear principles, which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues," the statement said.
It went on to ask for more transparency over surveillance access, so the firm could detail its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues."
These latest revelations match claims made at the start of the PRISM scandal in June, in which it was alleged that tech companies worldwide were giving – voluntarily or otherwise – the NSA "backdoor" access to user data.

Turkish Hacker Cyber Attacks On Serbian Gov Websites To Mark Srebrenica Massacre


A cyber attack was carried out by the Turkish hacker group "Ayyildiz" (Crescent-star) on the websites of some Serbian institutions to mark the 18th anniversary of the Srebrenica massacre.
The Ayyildiz group hacked the websites of some Serbian civil and governmental institutions to draw attention to the Srebrenica massacre, the worst atrocity in Europe since the end of World War II, where more than eight thousand Bosniak men were murdered by Serbian forces.
The Turkish hackers placed a banner titled "The world will never forget the Serbian massacre", which popped up with the Turkish Janissary march, alongside a photo from the commemoration ceremony in Srebrenica, an Ataturk portrait and a Turkish flag.
The hacker group released a statement on social media and said the cyber attack was carried out in support of their "Bosniak brothers" massacred in 1995.
July 11, 1995 marked the slaying of more than 8,000 Bosniak (Bosnian Muslim) boys and men, perpetrated by Bosnian Serb forces in Srebrenica, a town in eastern Bosnia-Herzegovina. In addition to the killings, more than 20,000 civilians were expelled from the area—a process known as ethnic cleansing.
The genocide, as the worst episode of mass murder within Europe since World War II, helped galvanize the West to press for a cease-fire that ended three years of warfare on Bosnian territory. However, it left deep emotional scars on survivors and enduring obstacles to political reconciliation between Bosnia-Herzegovina and Serbia.

Time for united EU to be global security player

Henry Kissinger once requested the dialing code for Europe. As a global security partner, the EU must answer the phone as one when the foreign policy challenges of the 21st century come calling, argues Swedish Foreign Minister Carl Bildt alongside his Italian, Polish and Spanish counterparts.
The European Union is step by step setting up new structures to deal with the foreign policy challenges of the 21st century. We have created a new European External Action Service (EEAS) to serve the overall EU interest abroad, effectively underpinning our role as a global player. We have sent additional national diplomats to reinforced EU delegations.
Later this year, a review of the EEAS led by Catherine Ashton will hopefully allow us to upgrade these new structures to a 2.0 version in time for the new crew entering the institutions after the 2014 European Parliament election.
The famous question posed by Henry Kissinger, the former US national security adviser and secretary of state, about the dialling code for Europe has, by now, by and large, been answered. Not that there is necessarily only one connection from the EEAS switchboard in Brussels, but at least the telephone number for Europe is in place.
The critical question is no longer how to reach us, but instead what Europe should say when the phone rings. Or, to put it another way, if we now have the hardware of institutions in place, we need to focus on the software of policies that makes the entire thing operate in a clear and credible way.
When we foreign ministers meet in the EU's foreign affairs council every month, it is usually the issues of the day that dominate the agenda. Foreign policy is, as the late British prime minister Harold Macmillan once put it, "events, dear boy, events".
But what Europe needs to deal with the challenges of today and tomorrow is a strategic framework to help it navigate a more complex world.
The ongoing economic crisis and the ever accelerating process of globalization pose an unprecedented dual challenge for Europe. In global competition with other economies, ideas and models of society, the countries of Europe will uphold their values and pursue their interests successfully only if we stand united.
The European Security Strategy from 2003 was a good document, which has provided EU external action with actionable guidelines. But it was a document still focused mainly on traditional foreign policy, not the broader competencies and capabilities envisaged in the Lisbon treaty. Since its adoption, the world has entered a period of profound transformations.
The time has come to engage in a new strategic discussion, taking into account the immense changes in Europe and the rest of the world during the last decade. And in a world moving towards hyper-connectivity in the entire realm between outer space and cyber-space, and with age-old sectarian tensions resurfacing, we need to think broader and afresh. The EU must take decisive steps to strengthen its act on the world stage.
What we need now is a more comprehensive and integrated approach to all components of the EU's global profile, doing away with the artificial distinction between internal and external security.
To name just a few themes among many possible ones, we badly need a common strategic approach to issues concerning energy security, climate negotiations, the management of migration flows and cyber issues.
This is why Poland, Italy, Spain and Sweden asked national think-tanks to come up with elements for a European Global Strategy. These four think-tanks went on to build a network of 24 associated institutes, conducted seminars and conferences, and stimulated discussion all over Europe.
Their report, which was recently presented in Brussels, is a contribution to the strategic debate within the EU. At the same time, it is not the final answer. Bringing together all strands of European Union external action into one strategic framework is no easy task, especially as we are not always used to thinking about external opportunities and challenges in European terms.
The debate, which is useful in and of itself, should continue. New ideas and concepts should be presented and discussed. We therefore welcome the idea of a conference, organized towards the end of this year under the auspices of Lithuania's presidency of the Council of Ministers. This conference will bring together the proponents for strengthening Europe's global role in the world.
The work on EU hardware is important. But it should go hand in hand with efforts to update the software of the European Global Strategy, so that as we emerge hopefully from the doldrums of the aftershocks of the 2008 financial crisis, we will have a Europe better fitting the global century that we have already entered.

Facebook Graph Search: How to keep your data private

Facebook’s Graph Search is quietly rolling out to U.S. users this week – a powerful new tool which can reveal information people might have forgotten they ever “shared”. Now is a good time to review your profile and ensure that anything you want to stay private is kept safe from prying eyes.
The search tool – built using Microsoft’s Bing – allows detailed searches using people’s names, and can find posts, images and information that are hidden from Timeline.
Crucially, some of Facebook’s existing privacy tools are focused on Timeline – the profile page for each user – and do not affect posts’ visibility to Graph Search. One hacker has already shown off how the function can be used to create a “phone directory” of Facebook users.
Other information – such as “Likes”, and tagged posts that don’t appear on your own Timeline – are now far more easily accessible to people you may not know. Below are some tips on how to ensure your private data stays safe.
Check your Activity Log for tagged posts
Photos and posts where you have been “tagged” are the key privacy concern with Graph Search – these can now be found near-instantly using a search of your name. Previously, “hiding” these posts on your Profile was enough – but those posts and images may now be searchable, dependent on your privacy settings, and (more worryingly) those of your friends. Visit Facebook’s Activity Log (on your profile) and manually review photos that might be visible to others, setting those to “Friends” or “Only Me”.
Which privacy menu should you visit?
Confusingly, some of the options in Facebook’s main “Privacy” menu do little to hide posts from Graph Search – they are focused on Timeline. Instead, adjust settings for photos on Activity Log (found on your profile page). You will have to do this manually. Graph Search will not show any photos or posts that are set to be private – i.e. ones that can be seen by “Only Me” or “Friends” – so choose these to be safe.
Switch off “Friends of Friends” now
If any of your content is set to be viewable by “Friends of Friends”, it will be seen by people you do not know. Ensure private information, posts and photographs are set to “Friends Only” or “Only Me”, otherwise it may pop up in Graph Search.
Timeline is not your friend
Your Timeline is not a reliable indicator of what someone can find using Graph Search. Posts you have hidden may well be visible. The only tool which works to keep information private is Activity Log, which requires you to adjust privacy settings manually for each post. It’s worth doing; otherwise, site users can simply search your name and “Photographs” to see every post that you are tagged in, regardless of whether it is on your Timeline or not.
“Likes” can come back and bite you
People can also search for “Likes” on Graph Search – using terms such as “People who live in New York and like coffee.” Visit your Activity Log and make sure you haven’t “Liked” any companies, products or sites you wouldn’t want the world to know about.
Profiles are now much more public
Information that people share on Profile pages – such as their home town – can be searched via Graph Search. This includes information that could be used by cybercriminals to steal identities. Avoid showing up in location searches by policing your Profile – and being wary of location-based apps.

“Cyber-mercenaries” pose serious new threat, British government warns

Governments around the world are recruiting “cyber-mercenaries” – groups of skilled professionals who target institutions such as banks and energy companies, British politicians have warned.
The Intelligence and Security Committee, which consults with intelligence agencies such as MI5 and MI6, said in its report that, “The threat from cyber attacks is at its highest level ever – and is expected to rise further still with the identification of new actors and more evidence of serious hostile cyber activity.”
The report describes groups of “skilled cyber professionals, undertaking attacks on diverse targets such as financial institutions and energy companies. These groups pose a threat in their own right, but it is the combination of their capability and the objectives of their state backers which makes them of particular concern.”
The Committee also said that professional service firms, such as lawyers and accountants, were increasingly being targeted by cybercriminals.
Britain’s Foreign Secretary William Hague described the trend as “worrying” in an FT report, saying that such firms could offer, “a route into a defence company, a high-tech manufacturer. A lot of their data are sitting with their lawyers or their accountants and if they are soft targets, well, then it becomes quite easy to get that data a different way.”
The group’s report said that government agencies were working to convince private companies that they faced a serious threat – and that the financial damage caused by such attacks worked as an “incentive to improve their defences.”
The former Director General of the Security Service was quoted as saying, “One of them… concluded that they had lost at least £800 million as a result of cyber attacks, and that’s quite a lot of money, even for a major company. But it’s very helpful, because otherwise you are just saying, ‘Well, some information has gone. So what?’”