Wednesday 7 May 2014

No credit card required – Swedish shops let you pay in blood

At 15 payment machines dotted around the Swedish city of Lund, people can buy items without needing a card – or a phone equipped with a “Near Field” chip. All that’s required are the correct veins.
Engineering graduate Frederik Leifland says, “I got the idea when I was in line at the supermarket and I saw how complex a process paying is. It takes a lot of time so I thought there must be an easier and quicker way to pay and that was the start of Quixter.”
In a new interview with science website Humans Invent, Leifland explains how he hopes that his start-up may lead to payments without any authentication device. The pattern of veins in a human hand is unique – Leifland’s system uses infrared scans to identify the unique pattern in a finger.
BioMetrics sales site FindBiometrics says that the technology is new, and currently used in high security institutions, saying, “Vein recognition is a fairly recent technological advance in the field of biometrics. It is used in hospitals, law enforcement, military facilities and other applications that require very high levels of security.”
TechCrunch points out that vein recognition technology is already used to secure high-value banking transactions in countries such as Japan, but only as a secondary “layer” of security where other methods of authentication are also used.
Leifland claims that his company, Quixter, is not the only start-up researching the technology – but is the first to market with it. He aims to create a payment system which requires neither physical money, nor phones, nor mobile devices.
There are currently around 1,600 testers of the system, Tech Times reports.
Leifland says that in a retail environment, transactions can be completed in around five seconds.
“When you go to pay in the supermarket you enter the last four digits of your phone number and then you hold your hand above the sensor. The transaction takes less than 5 seconds,” he says.
Leifland says the reason for entering the last four digits of your phone number is done in order to make you look at the terminal and confirm you are paying the correct amount.
Biometric payment systems are a hot topic at the moment, with Samsung’s Galaxy S5 shipping with a PayPal system, and other start-ups are investigating systems using iris scans and other biometric techniques.
A poll of 10,000 iPhone and Android users by network giant Ericsson found that consumer appetite for biometrics was high – and Ericsson predicted that fingerprints would “just be the start.”
“Consumers would rather get rid of passwords completely, and for this reason are showing interest in biometric alternatives,” a spokesman said.
Stephen Cobb, Senior Security Researcher with ESET, says we may be on the verge of widespread deployment of biometrics. Cobb says, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance.” He adds, “I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words devices such as the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”

Scam Alert: Your Facebook Accounts will be Permanently Disabled

We have seen large numbers of Facebook posts that promise something but turn out to be a scam. Facebook users still believe such posts and blindly follow the instructions, so cyber criminals keep coming up with new themes to trick users.
Over the past few days, I have been receiving Facebook notifications informing me that one of my friends mentioned me in a comment. I had a look at the post; it is none other than a Facebook scam.
The scam post says “to all facebook users Your Facebook Accounts will Permanent Disable. you must register your account to avoid permanent disabled . How to register? Go to our pinned post. and follow instructions carefully!”
It asks you to copy and paste some code into the console of your browser. By blindly following the scammers’ instructions, users allow the scammers to perform various actions (‘like’, ‘share’, ‘tag friends’ and more) on their behalf.
Earlier this year,  we learned that scammers were tricking users by promising them that following the instructions will help them to hack their friends’ accounts.

Creepy Voice from Baby Monitor Yells at baby

It was the middle of the night and Adam Schreck’s 10-month-old daughter was asleep in her room. Adam had a baby monitor that was also equipped with a camera. Suddenly, a creepy voice came from the baby monitor.
The voice said “Wake up baby.. Wake up baby” and then a long ‘aaaaahhhhh’. Once Adam entered the baby’s room, the camera turned towards Adam and shouted at him.
No, I’m not telling you scary stories, and I’m not talking about the scary baby monitor scene from the movie ‘Insidious’. It’s a real incident that occurred in Cincinnati, Ohio.
Someone hacked into Adam’s baby monitor and began shouting at his daughter. The camera that was hacked is manufactured by Foscam, according to a Fox19 report.
The hacker may have exploited some kind of vulnerability in the firmware used by the Internet-connected baby monitor, or somehow managed to find the password to access the device.
This is not the first case of hackers taking control of a baby monitor; a similar incident occurred in Houston last year.
To protect yourself, make sure your baby monitor runs up-to-date firmware and change its default user name and password.

Cybercriminals abusing Microsoft Azure for phishing attacks

Cyber criminals usually host fake web pages on hacked websites or free web hosting; more recently they have abused Google Docs. These fake pages (phishing pages) trick unsuspecting users into handing over their personal and financial information.
Now the cyber criminals have started to abuse Microsoft’s Azure cloud platform to host their fake websites.
Creating an account on Azure is very easy, and a 30-day trial is offered. Once account creation is done, you can easily create your web pages from the main dashboard.
However, the registration process is not easy for criminals, because it requires a valid phone number and credit card details.
Malwarebytes researchers say the attackers may have stolen the usernames and passwords of legitimate users who were already registered.
Netcraft has identified several phishing pages targeting users of Paypal, Apple, Visa, American express, Cielo hosted on Azure.
PhishTank records:
http://www.phishtank.com/phish_detail.php?phish_id=2428419
http://www.phishtank.com/phish_detail.php?phish_id=2391951
http://www.phishtank.com/phish_detail.php?phish_id=2342647
http://www.phishtank.com/phish_detail.php?phish_id=2174737
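The pattern above (brand-impersonation pages stood up under a cloud provider’s shared hosting domain) can be triaged with a simple hostname heuristic. The following is an added example, not Netcraft’s or PhishTank’s code; the suffix list, the brand list, the legitimate-domain list and the sample URLs are assumptions constructed for this illustration (azurewebsites.net is Azure’s web app hosting suffix; cloudapp.net is included only as an assumed second entry).

```python
"""Heuristic triage of URLs for brand names hosted under shared cloud hosting suffixes.

Added illustration only. Lists below are assumptions for the example, not a
maintained feed; substring matching on brand names is a heuristic and will need
allow-listing in practice (e.g. "visa" inside "advisable").
"""
from urllib.parse import urlparse

# Shared hosting suffixes: any tenant can pick a label under these parents.
SHARED_HOSTING_SUFFIXES = ("azurewebsites.net", "cloudapp.net")

# Brands named in the Netcraft findings (lower-case tokens to look for).
BRANDS = ("paypal", "apple", "visa", "americanexpress", "amex", "cielo")

# Assumed legitimate domains; hosts under these are never flagged.
LEGIT_DOMAINS = {"paypal.com", "apple.com", "visa.com",
                 "americanexpress.com", "cielo.com.br"}

# Constructed sample URLs (no real phishing hosts).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal-secure-verify.azurewebsites.net/login",
    "https://myportfolio.azurewebsites.net/",
    "https://update-account.azurewebsites.net/apple/id/verify",
    "http://news.example.org/visa-rules",
]


def hosting_suffix(host):
    """Return the shared hosting suffix the host sits under, or None."""
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def brand_mentions(text):
    """All brand tokens found as substrings of text (case-insensitive)."""
    text = text.lower()
    return [b for b in BRANDS if b in text]


def assess(url):
    """Classify one URL. Returns (verdict, list of brand hits)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("invalid", [])
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return ("legit-domain", [])
    suffix = hosting_suffix(host)
    if suffix is None:
        # Not shared hosting: report brand words but leave the verdict neutral.
        return ("unknown-host", brand_mentions(host + parts.path))
    # Tenant label(s) chosen by whoever created the site, e.g. "paypal-secure-verify".
    tenant = host[: -len(suffix) - 1] if host != suffix else ""
    hits = brand_mentions(tenant) + ["path:" + b for b in brand_mentions(parts.path)]
    return ("shared-hosting-brand" if hits else "shared-hosting", hits)


def triage(urls):
    """Return only the URLs worth a human look: brand names on shared hosting."""
    flagged = []
    for url in urls:
        verdict, hits = assess(url)
        if verdict == "shared-hosting-brand":
            flagged.append((url, hits))
    return flagged


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS):
        print(f"FLAG {url}  hits={hits}")
```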

Syrian Electronic Army hacks 4 Wall Street Journal twitter accounts

The Wall Street Journal was caught in the crossfire between the Syrian Electronic Army and Ira Winkler, the CEO of security firm Secure Mentem.
The Syrian Electronic Army (SEA) hijacked four Twitter accounts belonging to the WSJ: @WSJD, WSJ Europe (@WSJPEurope), WSJ Africa (@WSJAfrica) and WSJ Vintage (@WSJVintage).
SEA posted the message “@Irawinkler is a cockroach” with a picture of Ira Winkler’s head on the body of a cockroach.
The attack was carried out in response to a RSA Conference presentation in which Winkler talked about the hacking methods of the SEA and made fun of them.
In his presentation, Winkler also commented that “these people are like cockroaches of the Internet”.
This is not the first attack carried out by SEA in response to this presentation.  Last month, the group also defaced the RSA Conference website and said “If there is a cockroach in the internet, it would be definitely you ”
The Wall Street Journal appears to have recovered the hijacked Twitter accounts, posting on Twitter: “We have secured our compromised Twitter accounts and they are now functioning normally.”

Twitter bot or real, live person? Site picks out fakes instantly

‘Spambots’ are a fact of life on Twitter – fake accounts built to spread everything from infected links to misinformation. Until now, users have had to rely on their instincts, but a tool – “Bot or Not” – helps to uncover fake accounts instantly.
The tool, available free online, instantly offers a verdict on several telling features of accounts – and scores 9.5 out of a possible 10 on a scale of statistical accuracy, the researchers say in their paper.
Bot or Not can be used freely here. It requires a Twitter login, but reports a large range of statistics about an account in graphic form near-instantly – giving away whether it’s human, or a piece of software.
Developed by computer scientists at Indiana University, Bot or Not offers graphs and charts of a Twitter account’s friendship network, the content they have posted, and how people have reacted to it. Bot or Not analyzes more than 1,000 features of a Twitter account’s actions, including their full friendship network, to offer a way to spot fakes, according to Network World.
The research is part of a broader Indiana University research project, called Truthy, designed to analyze how large networks of fake accounts or ‘bots’ can be used to spread political misinformation. The project’s current focus is tweets about politics, social movements and news.
Fake Twitter followers – and fake news – can also be used to spread malware, or to direct users to spammy pages. When a hacker group briefly seized control of E! News’ Twitter account, a Tweet claiming Justin Bieber was gay was retweeted 1,200 times. A fake news story posted on an AP News account, describing a bomb attack on the White House, wiped 143 points off the Dow Jones. Reports on the damage done by these attacks can be found on We Live Security here.
Bot or Not analyzes the sentiment of Tweets, their timing, and linguistic cues to work out if accounts are real or fake – and whether “news” spreading from these accounts is real, or malicious misinformation.
“We have applied a statistical learning framework to analyze Twitter data, but the ‘secret sauce’ is in the set of more than one thousand predictive features able to discriminate between human users and social bots, based on content and timing of their tweets, and the structure of their networks,” said Alessandro Flammini, an associate professor of informatics and principal investigator on the project.
“The demo that we’ve made available illustrates some of these features and how they contribute to the overall ‘bot or not’ score of a Twitter account.”
By training the software with accounts known to be bots, BotOrNot is scoring 0.95 on a standard statistical measurement, with 1.0 being perfect accuracy.
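The content, timing and network features quoted above can be illustrated with a small scorer over constructed timelines. This is an added example, not the Indiana University tool’s code or its feature set; the two sample accounts, the thresholds and the weights are assumptions chosen for the illustration.

```python
"""Toy social-bot feature scoring over constructed Twitter-style timelines.

Added illustration of the feature families the article describes (timing
regularity, repeated content, link density, friend/follower ratio). Weights and
thresholds are assumptions for this example, not values from Bot or Not.
"""
import re
from statistics import mean, pstdev

URL_RE = re.compile(r"https?://\S+")

# Constructed sample accounts. Each tweet is (unix_timestamp, text).
ACCOUNTS = {
    "human_alice": {
        "followers": 310, "friends": 280,
        "tweets": [
            (1399420000, "Coffee then bug triage. Monday."),
            (1399434211, "Anyone else seeing flaky CI today?"),
            (1399471005, "Finally fixed it, it was a DNS issue of course"),
            (1399520987, "Great talk on threat modeling at the meetup tonight"),
            (1399583342, "Weekend plans: none. Perfect."),
        ],
    },
    "bot_promo42": {
        "followers": 12, "friends": 2004,
        "tweets": [
            (1399420000, "Get 5000 followers now http://ex.invalid/a1"),
            (1399421800, "Get 5000 followers now http://ex.invalid/a2"),
            (1399423600, "Get 5000 followers now http://ex.invalid/a3"),
            (1399425400, "Get 5000 followers now http://ex.invalid/a4"),
            (1399427200, "Get 5000 followers now http://ex.invalid/a5"),
        ],
    },
}


def timing_regularity(timestamps):
    """Coefficient of variation of inter-tweet gaps; ~0 means clockwork posting."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def content_features(texts):
    """Share of tweets carrying a link, and share that are duplicates once links are stripped."""
    stripped = [URL_RE.sub("", t).strip().lower() for t in texts]
    link_share = sum(1 for t in texts if URL_RE.search(t)) / len(texts)
    dup_share = 1 - len(set(stripped)) / len(stripped)
    return link_share, dup_share


def bot_score(account):
    """Combine the features into a 0..1 score (weights are assumptions for this example)."""
    timestamps = sorted(ts for ts, _ in account["tweets"])
    texts = [text for _, text in account["tweets"]]
    cv = timing_regularity(timestamps)
    link_share, dup_share = content_features(texts)
    ratio = account["friends"] / max(account["followers"], 1)
    score = 0.0
    if cv is not None and cv < 0.2:   # near-constant posting cadence
        score += 0.35
    score += 0.25 * dup_share          # repeated content
    score += 0.20 * link_share         # link-heavy timeline
    if ratio > 10:                     # follows many, followed by few
        score += 0.20
    return round(min(score, 1.0), 2)


def classify(account, threshold=0.5):
    return "bot" if bot_score(account) >= threshold else "human"


if __name__ == "__main__":
    for name, account in ACCOUNTS.items():
        print(f"{name}: score={bot_score(account)} -> {classify(account)}")
```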
“Part of the motivation of our research is that we don’t really know how bad the problem is in quantitative terms,” said Fil Menczer, the informatics and computer science professor. “Are there thousands of social bots? Millions? We know there are lots of bots out there, and many are totally benign. But we also found examples of nasty bots used to mislead, exploit and manipulate discourse with rumors, spam, malware, misinformation, political astroturf and slander.”
Flammini and Menczer said it’s their belief that these kinds of social bots could be dangerous for democracy, cause panic during an emergency, affect the stock market, facilitate cybercrime and hinder advancement of public policy. The goal is to support human efforts to counter misinformation with truthful information.
Menczer has been interviewed by The New York Times on the use of social bots to sway elections – by cyclically posting the same fake news story until it “goes viral”.
Previous attempts to find “fake” Twitter followers have used less complex tools – analyzing accounts by low numbers of followers and Tweets – but the number out there is enormous, according to Yahoo News.
Millions of accounts on the network are thought to be fakes – ‘silent’ accounts who rarely if ever Tweet, often created to ‘bulk out’ the following of celebrities, companies, or site users.
The business of selling such fake Twitter followers is now worth between $44 million and $400 million a year.
The figure comes from analysis by two Italian security researchers, Andrea Stroppa and Carlo De Micheli, who spent months investigating the ‘grey market’ where Twitter followers are sold – and found dozens of firms selling followers, and even selling ‘retweets’ to make people appear interesting.
Agencies based in London and abroad will deliver thousands of such ‘followers’ for less than $20 – and boast that their client lists include celebrities, politicians and musicians.

One of the Anonymous Hacker could Face 440 Years in Jail, charged with Cyberstalking


It seems life is getting hard for global hackers of the ‘Anonymous’ group, which called for an attack on Israeli cyberspace on April 7th this year. Two alleged members of the group from Cambodia were arrested last week. Last year the FBI claimed that it had dismantled the leaders of ‘Anonymous’, according to a story filed by the Huffington Post. On Tuesday, federal investigators announced that an alleged member of the group, Fidel Salinas, has received a second superseding indictment from a federal grand jury, which adds 18 counts of cyberstalking and attempted computer hacking charges.
The 27-year-old Salinas is from Donna, Texas, and faces 44 charges of cyber assault in total, each punishable by a maximum of 10 years, which could put him behind bars for 440 years. Last October, he was found guilty of violating the Computer Fraud and Abuse Act for trying to hack the computer system of Hidalgo County.
“Court documents allege that between the late night and early morning of January 4-5, 2012, Salinas made more than 14,000 hacking attempts to the administration management page of the Hidalgo County website server, resulting in true administrators temporarily not being able to access it. The county allegedly incurred a loss of more than $10,000 in responding to the attack.”
Salinas is also accused of cyberstalking a woman at least 18 times, according to the statement issued by the U.S. Attorney’s Office for the Southern District of Texas.
“According to the allegations, between December 23-29, 2011, Salinas had the intent to harass and intimidate a female victim. Allegedly, he repeatedly e-mailed her, attempted to gain unauthorized access to her website, made submissions through a contact form on that site, and tried to open user accounts without her consent.”
“The indictment lists his alleged attempts to stalk her and hack into her website. According to the indictment, he repeatedly did so late at night and early in the morning, with his stalking attempts or messages sometimes occurring less than one minute apart from each other. He allegedly did so as part of a conspiracy or agreement with at least one other person, according to the charges.”
He also tried to hack the computer systems of La Joya Independent School District and a local newspaper, The Monitor of McAllen. The document states that he is a member of the hacking group ‘Anonymous’, which is just a chat room according to Salinas’ attorney.
“Salinas allegedly participated in an online chat room for the Operation Anti-Security faction of Anonymous and attempted to enter the IRC Operations server for Anonymous. According to the charges, after his alleged attempt to hack his way into the Hidalgo County web server, he posted a profanity-laced rant on his Facebook page that ended with a quote used by Anonymous members: “We do not forgive, we do not forget, divide by zero we fall, expect us.””

18-Year-Old boy arrested for hacking school systems to change his and four other students’ grades

An 18-year-old student from Miami University has been found to have changed his and four other students’ grades; he was able to change the grades after successfully breaching the school’s computer systems.
The boy, named Jose Bautista, was arrested on Thursday last week by the Miami School Board Police, after the student reportedly gave a written confession to the principal.
Mayan Dehry, a student at Bautista’s school, says: “It’s not fair to the people that really try. Like, I know a lot of kids are in AP classes, and they try really hard to get the grades that they get. I don’t know, if you’re just going to be lazy and then change your grades, that’s not what learning is about.”
On the other hand, fellow student Brett Curtis says: “We have almost 3,000 kids here who come to school every single day, who work hard for every single grade that they earn.”
Bautista faces four counts of offenses against intellectual property, public records exemption, and four counts of offenses against computer users; all counts are felonies.
“He is a hard-working student and a good kid. I’m sorry that it happened, but I know that these are super smart kids here and young people are young people. I don’t know that child and I’m sorry that he did that,” his aunt and grandfather told media.
The day after his arrest, he was released on a $20,000 bond. According to the court ruling, he will be on house arrest and will be required to wear a GPS monitor.

Majority of UK firms unprepared for DDoS attacks, study finds

New research released by Neustar suggests that the majority of UK businesses are unprepared to cope with the threat of DDoS attacks.
Distributed Denial of Service (DDoS) attacks are a common method for cyberattackers to disrupt online businesses. A DDoS attack uses compromised computer systems to attack a single target, sending traffic from multiple points of origin in a flood that often overwhelms a system, causing it to deny legitimate traffic access to services.
According to research released by Neustar, a third of UK businesses estimate losses of £240,000 per day when hit with DDoS attacks. After surveying 331 companies in the United Kingdom across numerous industries including financial services, technology, and the public sector, the analytics provider says larger DDoS attacks are becoming more frequent with a 200 percent increase in attacks affecting bandwidth between 1-20Gbps, in addition to a significant increase in attacks on bandwidth with a magnitude of 100Gbps or more.
Neustar's report, "United Kingdom DDoS Attacks & Impact Report. 2014: The Danger Deepens," also states that DDoS attacks are a "growing threat to organisations with potentially calamitous consequences for companies" without proper protection. Not only can DDoS attacks have an immediate impact on sales and business revenue, they can have long-lasting detrimental effects on brand value, customer trust, and public reputation.
Key findings from the survey include:
  • DDoS attacks often disrupt multiple business units, with public-facing areas like call centres, customer service, and marketing absorbing over 40 percent of DDoS-attack related costs.
  • Over 35 percent more UK companies were hit by DDoS attacks in 2013 compared with 2012.
  • In 2013, there was an increased number of longer attacks, with 28 percent lasting up to two days or more.
  • Once attacked, there is an estimated 69 percent chance of a repeat attack. While 31 percent of these companies were DDoS-attacked once, over 48 percent were targeted two to 10 times.
  • In 2013, attacks requiring over six people to mitigate rose to 39 percent compared to 25 percent in 2012, a 56 percent increase.
In addition, Neustar's research highlights an increase in a trend dubbed "smokescreening." These types of DDoS attacks are used by cybercriminals in order to divert IT department attention while malware and viruses are inserted within a business network, with the overall aim of stealing valuable data or funds.
Rodney Joffe, Senior Vice President and Technology Fellow at Neustar commented:
Organisations must remain constantly vigilant and abreast of the latest threats. As an example, Neustar’s UltraDNS network suffered an attack just last week peaking at over 250Gbps — a massive attack by industry standards. Even with proper mitigations in place, the attack caused an upstream ripple. It is a constantly changing threat landscape.
In February, Web performance company CloudFlare reported the mitigation of a DDoS attack on a French website which reached a record-setting attack of at least 325Gbps, and a potential reach of 400Gbps.

Heartbleed, Open Source and Open Sores – Dwayne Melancon (Tripwire)


Now that things are settling down after Heartbleed, I think about some of the conversations I’ve had about OpenSSL and open source software over the past couple of weeks. There is a persistent misconception that open source is automatically trustworthy because it is open and more transparent than proprietary (aka closed source) software.
This is clearly a case of necessary, but not sufficient.  Yes, it is true that there is plenty of opportunity (and maybe even motive) for people to review open source software, but that doesn’t mean anyone expends the effort to do so.
This flaw was sitting there out in the open, yet went unnoticed for a couple of years.  The issue is that programmers are human and can sometimes make mistakes that go unnoticed.  This is not just an open source problem, by the way: Apple’s code recently had a major security flaw in their OS software (the infamous “goto fail” bug).  This bug was present in Apple’s shipping code in spite of a rigorous testing process and a large QA budget.

Trust, But Verify

These two issues underscore an old mantra, often applied to security: Trust, but verify.  What does that mean to us? Here are a few of the things I took away from these incidents:
  • Trust is not a control, and hope is not a strategy.  If the “stuff” you’re securing is important to you or your organization, don’t rely on someone else’s statement that it is secure.  You may be able to build enough confidence by studying their test plans and procedures, and scrutinizing their test results.  If that doesn’t satisfy you, spend time testing it for yourself and ensure that you’ve validated that the code or component you’re using is secure against the most common or most concerning threats you expect to face.
  • Design with resilience in mind.  Assume that any component can fail or suddenly become inadequate or insufficient. Build your security in a way that you can swap out components without superhuman effort, and understand the dependencies between components.
  • Show your work, and leverage others.  Document your assumptions, your test processes, etc. and share it with others in your team.  This increases the odds that someone will notice things you’d miss if you did everything yourself.
It’s also important to remember not to get so caught up in the minutiae that you miss something big.  Which leads me to…

Zoom Out

When you’re too close to something, it can be easy to lose perspective or miss flaws in the big picture. Beyond the principles above, I also encourage security teams to zoom out and look at the overall system of security — not just the individual components.
If you zoom out so you can consider not only the components, but the interactions between them and the overall flow of information through your system, you can often discover flaws in assumptions, data flow, handoffs between functions, and other issues that can come back and bite you later.
The need to consider the overall system of security is another manifestation of “Trust, but verify.”  Some of the recent, high-profile breaches were at least partially attributable to organizations that didn’t appropriately identify weaknesses at a macro scale, or who didn’t properly safeguard handoffs from one process, team, application, etc. to another.
What have you learned?  What have I missed?  Please share – we can all get better by sharing what we’ve discovered.

ANZ Bank coughs up as Broome biz fleeced in man-in-the-middle diddle

Fraudsters have nicked $50,000 from a Broome Real Estate business after breaking into the agency's ANZ Bank account and altering payment details.
The cons pulled off a man-in-the-middle attack to gain access to the company's account and change the Pay Anyone bank details associated with a client.
Hutchinson Real Estate general manager Mandy Reed told The Register tech teams were unaware how the fleecing was pulled off.
"They said it was a man-in-the-middle attack but no one can tell us anything else about it," Reed said.
"[Attackers] changed the Pay Anyone bank account details of one of our clients so that the name was normal but the account numbers were different."
The cash was then paid into what appeared to be the client account.
She was unsure if malware such as Citadel, the underground's tool of choice for raiding Oz bank accounts, was installed on a staffer's machine or if an employee fell for a phishing email.
Tech teams were upgrading security measures at the agency but together with police did not know further information about the March attack.
The agency was reimbursed $50,000 by ANZ about 10 days after the attack took place.
In January, Aussie property manager Bob Walters had $50,000 moved out of his account via BPAY by an unknown identity thief.
The crim ported his mobile phone number by exploiting weak identity checks in place at Australian telcos, but was unsuccessful in a bid to ferry $145,000 out of Walters' bank account.
Perhaps the most absurd case of Perth real estate rorts occurred in 2010 when audacious hackers sold a man's house using his stolen identity credentials.
Scammers were thought to have stolen Roger Mildenhall's email credentials and title deed documents before contacting his property manager by phone, fax and email and eventually selling his house for half a million dollars.