Tuesday 29 October 2013

Artificial intelligence firm claims to have “cracked” CAPTCHAs

An American artificial intelligence company claims to have “cracked” CAPTCHAs – the standard word tests used to tell humans and computers apart online. A program designed by Vicarious is shown “breaking” CAPTCHA text in a video released by the company.
The system, known as Vicarious AI, achieves a success rate of up to 90% against standard CAPTCHAs used by Google, Yahoo and PayPal, its creators claim – using machine learning, rather than massive amounts of computing power.
“This renders text-based CAPTCHAs no longer effective as a Turing test,” the company said in a statement. The security implications of the discovery are less clear. Speaking to the BBC, computer scientist Luis von Ahn, part of the team which developed CAPTCHA, said that it was difficult to verify the results, and that if Vicarious’s claims are true, sites may simply need to increase the distortion used in CAPTCHA images.
“Recent AI systems like IBM’s Watson and deep neural networks rely on brute force: connecting massive computing power to massive datasets,” said Vicarious co-founder D. Scott Phoenix.
“This is the first time this distinctively human act of perception has been achieved, and it uses relatively minuscule amounts of data and computing power. The Vicarious algorithms achieve a level of effectiveness and efficiency much closer to actual human brains.”
“Understanding how the brain creates intelligence is the ultimate scientific challenge. Vicarious has a long-term strategy for developing human-level artificial intelligence, and it starts with building a brain-like vision system. Modern CAPTCHAs provide a snapshot of the challenges of visual perception, and solving those in a general way required us to understand how the brain does it,” said Vicarious co-founder Dr. Dileep George.
Vicarious says that this is just the first public demonstration of its “learning” Recursive Cortical Network (RCN) technology – and says that in future, it may be used in robotics, medical image analysis, image and video search. The company admits, though, that this is “many years” away.
“We should be careful not to underestimate the significance of Vicarious crossing this milestone,” said Facebook co-founder and board member Dustin Moskovitz. “This is an exciting time for artificial intelligence research, and they are at the forefront of building the first truly intelligent machines.”

Rogue’s gallery? New app aims to “out” cybercriminals who prey on online daters

A new app, Truly.am, aims to put a stop to a fast-growing area of online fraud – online dating scams – by forcing cybercriminals to prove they are who they say they are.
Truly.am was shown off at the TechCrunch Europe Hackathon and aims to provide a safety net for daters who are unsure of online “suitors”.
Daters simply load a picture of their online “lover” into the app; the app then emails the suitor and performs a biometric check via webcam, and the result is emailed to both parties. According to the FBI, dating scams are a fast-growing area of online fraud, with individual scams lasting for “months”. Cybercriminals also use dating sites to distribute malware.
An earlier We Live Security report on a Nigerian “scam factory” uncovered by security expert Brian Krebs found that malicious software such as keyloggers was often delivered via online dating sites, disguised as a “picture” of the victim’s beloved.
“Here is how it works: somebody you don’t know sends you a picture,” TechCrunch said, in an interview with the makers of the app. “You then go to Truly.am, upload this picture and enter the person’s email address. That person then gets an email and has to verify his or her identity by using their webcam to take a series of images to train the recognition algorithm.”
“Once those images are uploaded to the Truly.am servers, the facial-recognition service takes over and checks them against the original image. Once the results come back, Truly.am tells the user if the image matched and the requester, of course, also gets an email with the results.”
The creators told TechCrunch that the same approach may have other applications, and they aim to work on a version for professional networking sites such as LinkedIn.
Dating scams are one of the fastest-growing areas of fraud online, with a 27% rise year-on-year in countries such as the UK. The FBI issued a warning this February, saying that cybercriminals were targeting online daters with scams that can last “months”.
“Their most common targets are women over 40, who are divorced, widowed, and/or disabled, but every age group and demographic is at risk,” the FBI said. “Here’s how the scam usually works. You’re contacted online by someone who appears interested in you. He or she may have a profile you can read or a picture that is emailed to you.”
“For weeks, even months, you may chat back and forth with one another, forming a connection. You may even be sent flowers or other gifts. But ultimately, it’s going to happen – your new-found “friend” is going to ask you for money.”
Criminals start a romance online, then attempt to fool victims into handing over money – sometimes targeting dozens of victims at once, in romances that can last for weeks or months. Another variation of the scam sees criminals collecting messages and photographs, then threatening to post them publicly unless they are paid.

Survey says 77% of Americans reject NSA mass electronic surveillance

Thousands of Americans joined the Stop Watching Us protest in Washington, D.C. this past weekend. The event garnered a lot of media attention and delivered 575,000 signatures on a petition demanding that the U.S. Congress reveal “the full extent of the NSA’s spying programs”. But do most Americans oppose the kind of mass electronic surveillance revealed by “the Snowden papers”? The answer is a resounding yes, according to a recent survey commissioned by ESET.
77% of American adults surveyed disagreed with the following statement: “It is okay for my government secretly to monitor all of our communications.”
While one third said they simply disagreed, an impressive 44% said they strongly disagreed.
The phrase “monitor all of our communications” is rather broad, and we were particularly interested in how the Snowden/NSA revelations might affect online activity, so we got more specific and asked if people agreed with this statement: “It is okay for my government to secretly capture data about everyone’s online activities.” A solid 76% were not okay with that.
ESET commissioned this survey at the end of last month, just in time for Andrew Lee’s keynote at Virus Bulletin 2013 in Berlin. As the CEO of ESET North America, Andrew wanted to draw attention to the issues that the Snowden/NSA revelations have raised for the information security industry, without relying solely on subjective perceptions. For example, while everyone in the security business seems to have been following the Snowden story very closely since it first broke in June, what about the general population? Had most people heard about Snowden and revelations of NSA mass surveillance via the Internet? For 86% of the initial survey audience the answer was Yes.

The Terrorism Factor

What about the intelligence community’s efforts to paint the Snowden revelations as damaging to national security? This storyline has been pushed for several months, so have the public bought it? We found opinion on this was split, with a significant number still making up their minds. When asked if the leaks had produced a negative impact on the government’s ability to prevent terrorism 43% disagreed, whereas 40% agreed and a sizable 17% said they didn’t know.
Another government theme, the idea that surveillance is important in the anti-terrorism effort, does have broad support: 65% of respondents agreed that government surveillance helps prevent serious acts of terrorism. However, given some of the other responses, I don’t think that support should be taken as a blanket endorsement of all forms of surveillance.

The Us v. Them Factor

As with every survey, there is never enough time to ask all the questions one would like, so it was not possible to discover whether some types of surveillance are more acceptable than others. What was clear is that surveillance of foreigners is a lot more acceptable to Americans than spying on Americans. By a margin of 57% to 34% people agreed that “it is okay for my government to secretly capture data about the online activities of foreign nationals such as people from Iran or China.” (9% did not weigh in.)
Another interesting finding speaks to a phenomenon many of us have observed in conversations about the NSA revelations: the idea that those who have done nothing wrong have nothing to fear from large-scale state intelligence gathering. I tend to think this belief is held by persons who a. feel that they have done nothing that could be construed as “wrong” and b. have not watched the movie Brazil. (That’s Brazil, the 1985 film by Terry Gilliam, in which an actual bug in a computer system leads anti-terrorist forces to render and interrogate the innocent Mr. Buttle instead of suspect Tuttle; and not Brazil the country whose leader was spied upon by the NSA, the land wherein resides the reporter who broke the Snowden story: Glenn Greenwald.)
Here’s what we found: 52% of respondents said they agreed that “if you have done nothing wrong then you have nothing to fear from government surveillance.” The percentage who disagreed was 44% with 4% undecided.

The Economic Factor

ESET was certainly not the first to wonder what impact the NSA revelations would have on the Internet economy, which in turn plays a large role in the world economy.
For example, the allegations that some American companies were cooperating, with varying levels of reluctance, with some of the NSA’s mass surveillance efforts quickly elicited estimates of how much cloud hosting business could be lost. (See ZDNet: U.S. cloud industry stands to lose $35 billion amid PRISM fallout.)
As a company that sells software designed to make the Internet safer for people, ESET wondered whether people were modifying their behavior in light of the Snowden/NSA revelations.
What we found could be troubling for some industries. We put the question like this: based on what you have learned about government surveillance, do you agree with these statements:
  • I have done less banking online: Yes 19%
  • I have done less shopping online: Yes 14%
  • I am less inclined to use email: Yes 19%
I’m inclined to think that those numbers are bad news for the digital economy, where many business models are predicated on growing levels of activity and engagement over time, not the static levels or slowdowns those answers represent. In this survey we did not get granular enough to ask if the news of mass surveillance had deterred people from specific actions, like opening a new online account or going paperless with their statements or billing. But I can’t see banks or credit card companies cheering the news that roughly one in five adult Internet users are now doing less online banking, thanks to the actions of the federal government.
If you have thoughts on this topic or want to share any changes you’ve made to your online activity in light of the coverage of mass surveillance, please leave a comment. There will be more survey stats, and further thoughts on the commercial impact of the Snowden/NSA revelations, in a follow-up blog post later this week.

US Reigning Spampions

Prepare yourself for the results of the latest Spampionship. SophosLabs conducted a study calculating the "Dirty Dozen" spam-sending countries.
How Do Spammers Get Into My Device?
United States, Belarus, and India take the top three spots on the "Dirty Dozen" list of countries that send the most spam, consistent with what SophosLabs has seen this past year. Countries on this list aren't necessarily home to spammers, but they are home to spam senders. Spam senders and spammers are two different things.
Spammers usually don't send their own spam in bulk, because doing so makes them easy to identify and block. Of ten million unwanted emails a spammer tries to send from one place, perhaps a million get out before recipients or data centers start resisting; at that point the spammer is cut off from the servers and the remaining emails go nowhere.
Not surprisingly, spammers have gotten smarter in orchestrating their campaigns. Spam is circulated through a botnet, or robot network: a group of compromised "zombie" computers, unknown to their owners, that take instructions from servers the crooks control. The criminals push a list of addresses to every bot in the network and order the botnet to start the campaign. Spreading the sending across thousands of machines lets them push out far more email, in a much less obvious pattern, than a single source ever could.
Some users may consciously participate in spamming activity, but most spam senders have no idea they're involved. There's an important lesson to be learned here: inaction in the face of spam threats only helps spammers make money. To be part of the solution to this problem, you have to clean up the spambot malware on your own computer first.
And The Winner Is…
The US has consistently topped the charts for the Spampionship. Italy and China are also within the top five "Dirty Dozen." The study argues that countries with the highest rankings have large populations, so you'd expect to see them at the top.
SophosLabs also released a per capita comparison of spam-sending countries against the United States. It divided each country's spam total by its population and then divided every country's spam-per-person value by the figure for America. Several smaller countries end up in the spotlight in the per capita chart. For instance, the average computer in Belarus is eleven times more likely to send spam than one in the US, and one in Uruguay almost five times more likely.
What to Do in the Face of Spam
Go ahead and chuckle at the Spampionship—I certainly did. However, the takeaway is a serious one. It's crucial to protect your information from cybercriminals and keep your data from being stolen. Invest in and regularly update antivirus software, such as our Editors' Choices Bitdefender Antivirus Plus (2014) or Norton AntiVirus (2014). Secure your home Wi-Fi with WPA2 (or at minimum WPA) rather than WEP or no encryption at all. Use a password manager, such as LastPass 2.0 or Dashlane 2.0, to generate and store a strong, unique password for every website. Don't be lazy about security; perpetrators will take any chance they get to steal your data.

Facebook Users Fall Victim to Social Empires Cheat Scam

Facebook games have amassed huge audiences with their broad, social appeal. However, among these expanding user bases are some more casual players who aren't necessarily the world's most tech-savvy people. Case in point: 135,000 players of the popular Facebook strategy game Social Empires have recently been scammed through a fake cheat, according to Bitdefender's Hot for Security blog.
Finding the Marks
Like many Facebook games, Social Empires, from Spanish developer Social Point, has an economy that works by making its more than six million monthly users wait or pay real money for the resources needed to proceed. The purposefully frustrating yet addictive mechanic controls the pace of play and keeps players locked into the system. Knowing this, the scam entices players by offering maxed-out food, gold, wood, stone and cash reserves. All they have to do is Like the page and spread it by sharing it on other Facebook walls. It sounds like a steal, but the real theft is happening to the user.
After ensnaring someone new in its trap, the fraud's Blogspot domain then promotes itself through the victim's Facebook page. Meanwhile, the victim is redirected through an endless Hell of surveys, fake downloads, real malware downloads, horoscopes, palm readings, and imitation virus scans including fake versions of Bitdefender itself. Bianca Stanescu of Bitdefender notes that the fraud tellingly uses a three-year-old, woefully out of date version of their logo.
All of these sites then assault the user with constant questions trying to wring as much personal information out of them as they can. According to Stanescu, the fraudsters can read a computer's IP address to present pages in the appropriate language, and "they also try to lure people with what the scammers apparently believe are the victims' national interests."
The Killing Fields
Some may immediately recognize this cheat as the naked and easily avoidable attempt at identity theft that it is. However, when dealing with an audience as huge and popular as Facebook, there are enough vulnerable people unaware of the threat of thieves to make the scam worthwhile for the perpetrators. Security researchers like Andrew Conway of Cloudmark have explained how social networking services like Facebook, Twitter, Skype, and text messaging present virtually infinite amounts of targets for even the most obvious hackers, spammers and scammers.
It's not just on social media, though. Recently many Grand Theft Auto fans, another massive pool of potential victims, fell for a scam offering a leaked PC version of the franchise's latest and greatest installment, GTA V. No such product has been announced (the game is currently available only for consoles), but fans expecting 18 GB of the open-world crime simulator on their computers were instead fed 18 GB of malware, courtesy of actual criminals.
So the security lesson here for gaming fans of all kinds is that if a cheat or download on the internet looks too good to be true it probably is. Just stick with the Konami code. That'll always be safe.

Researchers Isolate Blackhole Exploit Kit Symptoms, Pinpoint Infected Twitter Accounts

Blackhole Study Cluster Graph
If you wanted to research how a program could distinguish malicious email messages from ordinary mail, you'd want to analyze millions of real-world samples, bad and good. However, unless you have a friend at the NSA you'd have a hard time getting those samples. Twitter, on the other hand, is a broadcast medium. Virtually every tweet is visible to anyone who's interested. Professor Jeanna Matthews and Ph.D. student Joshua White at Clarkson University leveraged this fact to discover a reliable identifier for tweets generated by the Blackhole Exploit Kit. Their presentation was recognized as the best paper at the 8th International Conference on Malicious and Unwanted Software (Malware 2013 for short).
Anybody with an urge to send spam, create an army of bots, or steal personal information can get started by purchasing the Blackhole Exploit Kit. Matthews reported that one estimate suggests the BEK was involved in more than half of all malware infections in 2012. Another report ties the BEK to 29 percent of all malicious URLs. Despite the recent arrest of Blackhole's alleged author, the kit remains a significant problem, and one of its many ways of spreading involves taking over Twitter accounts. The hijacked accounts send tweets containing links that, if clicked, claim the next victim.
Below the Line
Matthews and White collected multiple terabytes of data from Twitter over the course of 2012. She estimates that their data set contains 50 to 80 percent of all tweets during that time. What they got was much more than 140 characters per tweet: each tweet's JSON payload carries a wealth of metadata about the sender, the tweet itself, and its connections with other accounts.
They started with a simple fact: some BEK-generated tweets include specific phrases like "It's you on photo?" or more provocative phrases like "You were nude at party) cool photo)." By mining the huge dataset for these known phrases, they identified infected accounts. This in turn let them turn up new phrases and other markers of BEK-generated tweets.
The paper itself is scholarly and complete, but the end result is quite simple. They developed a relatively simple metric that, when applied to the output of a given Twitter account, could reliably separate infected accounts from clean ones. If the account scores above a certain line, the account is fine; below the line, it's infected.
Who Infected Whom?
With this clear method for distinguishing infected accounts in place, they went on to analyze the contagion process. Suppose account B, which is clean, follows account A, which is infected. If account B becomes infected shortly after a BEK post by account A, chances are very good that account A was the source. The researchers modeled these relationships in a cluster graph that very clearly showed a small number of accounts causing huge numbers of infections. These are accounts set up by a Blackhole Exploit Kit owner specifically for the purpose of spreading infection.
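The two steps the article describes, as an added example that is not the Clarkson researchers' code: known lure phrases flag kit-generated tweets, a per-account score separates infected from clean accounts, and follower edges plus timing attribute each infection to a likely source. Only the two phrases come from the article; the tweets, the follow graph, the scoring rule, the 0.75 line and the 30-minute window are constructed assumptions for illustration.

```python
"""Flagging Blackhole-kit-style tweet spam and tracing who infected whom.

Added example for this article, not the researchers' code. The scoring
rule, the threshold, the window and every tweet below are assumptions.
"""
import re
from collections import Counter, defaultdict

# The two lure phrases quoted in the article; matching is case-insensitive.
KNOWN_BEK_PHRASES = ("it's you on photo?", "you were nude at party) cool photo)")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample: (tweet_id, account, minute, text). Not real Twitter data.
TWEETS = [
    (1, "seed_acct", 0, "It's you on photo? http://bit.ly/xx1"),
    (2, "seed_acct", 10, "You were nude at party) cool photo) http://bit.ly/xx2"),
    (3, "seed_acct", 20, "It's you on photo? http://bit.ly/xx3"),
    (4, "alice", 1, "coffee then gym"),
    (5, "alice", 5, "It's you on photo? http://bit.ly/xx4"),
    (6, "alice", 6, "You were nude at party) cool photo) http://bit.ly/xx5"),
    (7, "bob", 2, "new phone who dis"),
    (8, "bob", 12, "It's you on photo? http://bit.ly/xx6"),
    (9, "carol", 3, "lunch?"),
    (10, "carol", 8, "It's you on photo? http://bit.ly/xx7"),
    (11, "dave", 4, "reading the malware 2013 program"),
    (12, "dave", 9, "great talk on twitter spam"),
    (13, "dave", 15, "it's you on photo? nah just quoting the spam, no link"),
    (14, "erin", 100, "It's you on photo? http://bit.ly/xx8"),
    (15, "erin", 101, "anyone else getting weird DMs"),
]
# Constructed follow graph: follower -> set of accounts it follows.
FOLLOWS = {
    "alice": {"seed_acct"}, "bob": {"seed_acct"}, "carol": {"alice", "dave"},
    "dave": {"seed_acct", "alice"}, "erin": {"seed_acct"},
}
CLEAN_LINE = 0.75   # assumed threshold: scores below it mean "infected"
WINDOW = 30         # assumed minutes within which a prior post is credited


def is_bek_tweet(text):
    """Known lure phrase plus a link: the kit needs both to claim a victim."""
    lowered = text.lower()
    return bool(URL_RE.search(text)) and any(p in lowered for p in KNOWN_BEK_PHRASES)


def score_accounts(tweets):
    """Cleanliness score in [0, 1] per account: share of its tweets that are
    NOT kit-generated. Assumed simplification of the paper's metric. A real
    user with one hijacked tweet among many genuine ones scores high, so this
    errs toward missing infections rather than flagging chatty humans."""
    total, flagged = Counter(), Counter()
    for _, acct, _, text in tweets:
        total[acct] += 1
        flagged[acct] += is_bek_tweet(text)
    return {a: 1 - flagged[a] / total[a] for a in total}


def infected_accounts(tweets, line=CLEAN_LINE):
    return {a for a, s in score_accounts(tweets).items() if s < line}


def infer_sources(tweets, follows, window=WINDOW):
    """For each infected account B, credit the infected account A that B
    follows whose kit tweet most recently preceded B's first kit tweet,
    within `window` minutes. Returns {B: A or None}."""
    infected = infected_accounts(tweets)
    bek_times = defaultdict(list)
    for _, acct, minute, text in tweets:
        if acct in infected and is_bek_tweet(text):
            bek_times[acct].append(minute)
    sources = {}
    for b in infected:
        first_b = min(bek_times[b])
        best, best_t = None, None
        for a in follows.get(b, ()):
            if a not in infected:
                continue
            prior = [t for t in bek_times[a] if t < first_b and first_b - t <= window]
            if prior and (best_t is None or max(prior) > best_t):
                best, best_t = a, max(prior)
        sources[b] = best
    return sources


def cluster_sizes(sources):
    """Infections attributed to each source. Accounts credited with many
    victims but with no source of their own are the seed-account pattern."""
    return Counter(a for a in sources.values() if a is not None)


if __name__ == "__main__":
    srcs = infer_sources(TWEETS, FOLLOWS)
    for victim, src in sorted(srcs.items()):
        print(f"{victim:<10} infected via {src}")
    print("cluster sizes:", dict(cluster_sizes(srcs)))
```

On the sample data, dave stays clean (he quotes the phrase but never posts a link), seed_acct is credited with two infections and has no source of its own, and erin's infection is left unattributed because her only follow posted outside the window; that unattributed case is the signal that either the window or the phrase list is incomplete.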
Matthews noted that at this point they had the capability to notify users whose accounts are infected, but they felt this could be seen as too invasive. She's working on getting together with Twitter to see what can be done.
Modern data mining and big-data analysis techniques allow researchers to find patterns and relationships that would have been simply impossible to reach just a few years ago. Not every quest for knowledge pays off, but this one did, in spades. I sincerely hope Professor Matthews manages to get Twitter interested in a practical application of this research.

UK man arrested for hacking US military and government networks

Hacker
The UK’s new National Crime Agency (NCA) has arrested a man on suspicion of hacking into the networks of the US army, military and government.
The 28-year-old man was arrested in Suffolk under the Computer Misuse Act (CMA) and has now been released on bail until February 2014. The NCA said he was suspected of "network intrusion offences" against the US army, US military and the US government.
Andy Archibald, head of the NCA's National Cyber Crime Unit (NCCU), said the arrest underlined the lengths the NCA would go to in order to track down those intent on causing cyber harm.
"This arrest is the culmination of close joint working by the NCA, Police Scotland and our international partners," he said.
"Cyber-criminals should be aware that no matter where in the world you commit cyber crime, even from remote places, you can and will be identified and held accountable for your actions. The NCA has well developed law enforcement alliances globally and we will pursue and deal robustly with cyber-criminals."
The arrest is another notable incident for the NCA in its brief time in existence, as part of a more determined and focused effort to tackle cyber crime and its effects within the UK. It has already boasted of securing a five-year sentence for a phishing criminal.
Last week the NCA announced it would be hiring 400 cyber crime fighters in an effort to boost the UK's defence capabilities, including the possible use of former convicted hackers to ensure it has the necessary skills for the digital age.

Understanding the Threats in Cyberspace

The primary difficulty of cyber security isn't technology -- it's policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace's many security challenges, so it's important to understand them all before any one of them can be solved.
The list of bad actors in cyberspace is long, and spans a wide range of motives and capabilities. At the extreme end there's cyberwar: destructive actions by governments during a war. When government policymakers like David Omand think of cyber-attacks, that's what comes to mind. Cyberwar is conducted by capable and well-funded groups and involves military operations against both military and civilian targets. Along much the same lines are non-nation state actors who conduct terrorist operations. Although less capable and well-funded, they are often talked about in the same breath as true cyberwar.
Much more common are the domestic and international criminals who run the gamut from lone individuals to organized crime. They can be very capable and well-funded and will continue to inflict significant economic damage.
Threats from peacetime governments have been seen increasingly in the news. The US worries about Chinese espionage against Western targets, and we're also seeing US surveillance of pretty much everyone in the world, including Americans inside the US. The National Security Agency (NSA) is probably the most capable and well-funded espionage organization in the world, and we're still learning about the full extent of its sometimes illegal operations.
Hacktivists are a different threat. Their actions range from Internet-age acts of civil disobedience to the inflicting of actual damage. This is hard to generalize about because the individuals and groups in this category vary so much in skill, funding and motivation. Hackers falling under the "Anonymous" aegis -- it really isn't correct to call them a group -- come under this category, as does WikiLeaks. Most of these attackers are outside the organization, although whistleblowing -- the civil disobedience of the information age -- generally involves insiders like Edward Snowden.
This list of potential network attackers isn't exhaustive. Depending on who you are and what your organization does, you might be also concerned with espionage cyber-attacks by the media, rival corporations or even the corporations we entrust with our data.
The issue here, and why it affects policy, is that protecting against these various threats can lead to contradictory requirements. In the US, the NSA's post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organization. The NSA's need to protect its own information systems from outside attack opened it up to attacks from within. Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying? European countries may condemn the US for spying on its own citizens, but do they do the same thing?
All these questions are especially difficult because military and security organizations along with corporations tend to hype particular threats. For example, cyberwar and cyberterrorism are greatly overblown as threats -- because they result in massive government programs with huge budgets and power -- while cybercrime is largely downplayed.
We need greater transparency, oversight and accountability on both the government and corporate sides before we can move forward. With the secrecy that surrounds cyber-attack and cyberdefense it's hard to be optimistic.

Steam Gaming portal: Open redirect vulnerability could hit COD: Ghosts fanatics

There are just a couple of hours remaining before the new Call of Duty game, “Ghosts”, goes on sale on the Steam game portal, but something lurking in the dark could be used by malicious users to scam people on Steam.
It is an open-redirect vulnerability, reported to Steam by Claes Spett. An open redirect lets an attacker craft a link that genuinely points at a Steam domain but bounces whoever clicks it to a site of the attacker's choosing, so the trusted domain lends credibility to a phishing page; that is why it should be treated as a vulnerability of high importance. A malicious website at the end of such a redirect could, for example, sell fake COD: Ghosts accounts.
Vulnerability link
[redacted]
Claes Spett took the responsibility of reporting this to Steam, but as far as we can see Steam did nothing about it. Since Steam did not take Claes Spett seriously, we are going to send them a URL they have to take seriously (the link to this article =) ).
Steam Vulnerability: Open redirect
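To make the bug class concrete, here is an added example (not Steam's code, and not the reported endpoint) of the "return to this page after login" pattern behind most open redirects, with the unchecked version beside a hardened one. The allow-listed hostnames and the `return_url` parameter name are assumptions for illustration; the bypass shapes it rejects (scheme-relative `//host`, backslash tricks, `user@host` confusion, lookalike suffix domains, `javascript:`) are the standard ones a pentester tries.

```python
"""Open redirect: unchecked "return_url" beside a hardened version.

Added example for this article; not Steam's code. Hostnames and the
parameter name are assumptions.
"""
from urllib.parse import urlsplit

# Assumed allowlist for illustration only.
TRUSTED_HOSTS = frozenset({"store.steampowered.com", "steamcommunity.com"})
SAFE_FALLBACK = "/"


def vulnerable_redirect_target(return_url: str) -> str:
    """The bug class: the parameter is echoed into the Location header
    unchecked, so https://<trusted>/login?return_url=https://evil.example/
    lands the victim on the attacker's site via a link on the trusted domain."""
    return return_url


def safe_redirect_target(return_url: str,
                         allowed_hosts=TRUSTED_HOSTS,
                         fallback: str = SAFE_FALLBACK) -> str:
    """Return return_url only if it is a same-origin path or an http(s) URL
    on an allow-listed host; anything else gets the fallback."""
    if not return_url:
        return fallback
    # Control characters and whitespace never belong in a legitimate target;
    # they are where header-injection and parser-desync tricks live.
    if any(ch <= " " or ch == "\x7f" for ch in return_url):
        return fallback
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.example" is
    # really "//evil.example". Normalise before inspecting.
    candidate = return_url.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return fallback          # javascript:, data:, vbscript:, ...
        try:
            host = parts.hostname    # lower-cased; userinfo and port stripped
            _ = parts.port           # raises ValueError on a malformed port
        except ValueError:
            return fallback
        # Exact match only: "store.steampowered.com.evil.example" and
        # "store.steampowered.com@evil.example" both resolve to other hosts.
        if host is None or host not in allowed_hosts:
            return fallback
        return candidate

    if parts.netloc:
        return fallback              # scheme-relative "//evil.example/"
    # Same-origin path: exactly one leading slash.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return fallback


if __name__ == "__main__":
    for probe in ("/account/store", "//evil.example/", "/\\evil.example",
                  "https://store.steampowered.com@evil.example/",
                  "https://store.steampowered.com.evil.example/",
                  "javascript:alert(1)", "https:evil.example"):
        print(f"{probe!r:48} -> {safe_redirect_target(probe)!r}")
```

The allowlist is the point: a "does it contain our domain" substring check, or a blocklist of known bad hosts, is exactly what the bypass shapes above defeat. Returning a fixed fallback instead of an error also avoids leaking which probes were recognised.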

Syrian Electronic Army hacked President Obama website and social media

Syrian Electronic Army Targeted President Obama’s website, Twitter and Facebook accounts and email account linked to his non-profit activities.

Once again the Syrian Electronic Army, the pro-Assad hacking group, claims to have hacked President Barack Obama’s website and his Twitter and Facebook accounts, and to have broken into email accounts linked to Organizing For Action, a non-profit offshoot of Obama For America. The following image, posted by the SEA, is offered as proof of the compromise of the campaign email account.
obama emails hacked
The attack began overnight, when the Syrian Electronic Army redirected visitors to donate.barackobama.com to the hacktivist group’s own website (sea.sy/indexs/), which displayed an eloquent message:

Hacked by SEA
At the time of writing, donate.barackobama.com had been restored and no longer redirects users to the Syrian Electronic Army’s website.
As I have noted before, the Syrian Electronic Army is a structured and dangerous hacking group loyal to Syrian President Bashar al-Assad that has conducted numerous high-profile attacks against media agencies, government organizations and private companies; its most recent campaign hit many Qatari websites.
The SEA’s stated mission is to defend the Syrian president against his enemies, in particular against what it describes as disinformation campaigns promoted by Western governments.
That was just the beginning: the Syrian Electronic Army also took over another donation page on the site and posted fake tweets and updates from Obama’s Facebook page and Twitter account.
“All the links that the Barack Obama account tweeted and posted on Facebook were redirected to a video showing the truth about Syria,” the group told Mashable.
obama twitter hacked
obama facebook account hacked
At the time of writing, the links posted on the President’s social media accounts had not been fixed.
The group published a message to its followers on Twitter, motivating the attack with the following statement:
“Obama doesn’t have any ethical issues with spying on the world, so we took it upon ourself to return the favor. #SEA”
SEA tweet 1
SEA tweet 2
Although the incident has had no serious repercussions, it is worth stressing that similar incidents could cause real damage: recall the effect on the stock market earlier this year when the SEA hijacked the Twitter account of the Associated Press.
How were these attackers able to take over official presidential accounts so easily? In my opinion this is very serious. This time they hit a website; next time it could be the SCADA systems of a piece of critical infrastructure. Do not underestimate the incident.