One of our SophosLabs researchers, Anna Szalay, made an interesting discovery recently: a new type of Android malware that slips in through a security hole in the USB debugging feature that allows developers to modify their Android devices. Naked Security expert Paul “Duck” Ducklin reports that this malware can intercept your SMS text messages to steal bank transaction details.

Duck explains in his post that intercepting SMSes from your Android phone allows the attackers to steal information they can use to access, for example, your email accounts or bank accounts:

The crooks want to infect you with malware that knows how to intercept incoming SMSes and redirect their content elsewhere. You can see where this is going: mobile malware that reads your SMSes before you do can steal important data such as the two-factor authentication (2FA) codes sent by your email provider or your bank, giving cybercriminals a way into your account despite the extra layer of protection in place.

SophosLabs detects this SMS-stealing malware as Andr/FakeKRB-H. As Duck explains, this malware gets onto your Android in a multi-step process that starts with your device getting infected by a crafty piece of Windows malware that sneaks in through the USB connection between your Android and a PC. This “helper” malware is a downloader detected by SophosLabs as Troj/DwnlAPK-A.

If you connect your Android to a PC infected by Troj/DwnlAPK-A, the malware sneaks in under the guise of files that “appear to be regular, clean files that enable full USB-to-phone connectivity on Samsung and LG devices,” Duck writes.

Then, once the downloader is installed, it loads the Android malware onto your device in what appears to be an app disguised as a Google-imitating “Google App Store” (the real Google store is simply called “Play Store”).

This is a good reminder that the bad guys continue to develop inventive ways of compromising our security to get at our most valuable data. Read the article at Naked Security to learn more about this malware and how to block it with security settings on your Android.

You can read the original article here and here.

Likewise, the three countries that took their place in the top flight all came up from the 13-24 range. And, just like in your favourite football league, the majority of the high-flyers stayed put at the top. But is it so surprising that the USA is the Man United of the SPAMMIERSHIP, “winning” as often as not, or that China and India are often found near the top? With more than a billion people each and a thirstily-increasing demand for internet access in both countries, where else would you expect to see China and India except in the Dirty Dozen?

Welcome, then, to the SophosLabs SPAMMIERSHIP League Table:

And with more than 300 million people and the lion’s share of the world’s internet connectivity, where else would you expect to see the USA than leading the pack outright? What, then, if we scale the scores up or down in proportion to each country’s population? Now things get interesting, becase a rather different story emerges:

Half of the volume-based culprits are gone, and countries that would usually fly under the radar when measured on spamming volume alone – like Luxembourg and Singapore – suddenly burst onto the scene. Don’t be surprised. This doesn’t mean that usually law-abiding Singapore has turned into a seething swamp of spam-related cybercriminality. Remember that although the Dirty Dozen denotes the extent to which a country’s computers are used for delivering spam, it doesn’t tell us where the spammers themselves are located.

That’s because most spam is sent indirectly these days, especially if it is overtly malevolent, such as:

• Phishing emails. These try to lure you into entering passwords into mock-ups of a real site such as your bank or your webmail account.
• Malware links. These urge you to click links that put you directly in harm’s way by taking your browser to hacked websites.
• Malware deliveries. These use false pretences, such as fake invoices, to trick you into opening infected attachments.
• Identity theft. These invite you to reply with personally identifiable information, often by claiming to offer work from home opportunities.
• Investment scams. These talk up investment plans that are at best unregulated and at worst completely fraudulent.
• Advance fee fraud. These promise wealth or romance, but there are all sorts of fees, bribes and payments to hand over first.

If the crooks behind this sort of cybercrime were to use their own computers, they’d never be able to send the volume of spam they’d like. Also, using their own computers would lead law enforcement to their digital doorsteps. Instead, cybercriminals rely heavily on bots, also known zombies: innocent users’ computers that are infected with malware that regularly calls home to download instructions on what to do next. Those instructions may say something such as “here is a boilerplate email message, and here is a list of email addresses – send a copy to everyone on it.” So, if your country is in the Dirty Dozen, it almost certainly has a much-higher-than-average number of unprotected computers that are actively infected with malware. And if a cybercriminal can secretly tell your computer to send spam to 1000 people you’ve never heard of – leaving you to argue with your ISP why you shouldn’t be thrown off line for antisocial behaviour – then ask yourself this: “What else could he get up to on my account?” In short, the SPAMMIERSHIP League Tables are meant as a light-hearted way of reminding us all of one very serious aspect of computer security: namely that if you put yourself in harm’s way, you’ll probably end up harming lots of other people, too. In other words, getting serious about computer security is the easiest sort of altruism: by protecting yourself, you help to protect everyone else at the same time.

You can read the original article, here.

In the spirit of sharing our knowledge, we’d like to show you a pretty great infographic that explains in visual format how a web attack works. As you can see in the infographic below, a web attack happens in five stages, and this whole process takes less than a second. The web is the number one source of malware (a term that combines “malicious” and “software”), and the majority of these malware threats come from what is called a drive-by download.

5 Stages of a Web Attack

The term drive-by download describes how malware can infect your computer simply by visiting a website that is running malicious code (Stage 1: entry point).

Most of the time, these are legitimate websites that have been compromised to redirect you to another site controlled by the hackers (Stage 2: distribution).

Today’s cybercriminals use sophisticated malware packaged in an “exploit kit” that can find a vulnerability in your software among thousands of possibilities.

When your browser is redirected to the site hosting an exploit kit, it probes your operating system, web browser and other software (such as your PDF reader or video player) to find a security vulnerability that it can attack (Stage 3: exploit).

Remember — if you are not applying security updates to your operating system and software, you are unprotected against these exploits.

Once the exploit kit has identified a vulnerability, that is where Stage 4: infection begins. In the infection phase of an attack, the exploit kit downloads what is known as a “payload,” which is the malware that installs itself on your computer.

Finally, in Stage 5: execution, the malware does what it was designed to do, which is mainly to make money for its masters.

The malware known as Zbot can access your email or bank accounts. Another type of payload called ransomware can hold your files hostage until you pay to have them released.

This kind of attack happens all the time. But you don’t have to be a victim. Download our checklist of technology, tools and tactics for effective web protection to find out how you can protect your organization from malware attacks at every step of the way. You should also check out our free whitepaper explaining how malware works and offering tips to help you stop it: Five Stages of a Web Malware Attack. (Registration required). 

You can read the original article here.

Of course, it isn’t just film stars who have sensitive data on their Apple devices – employees will often have corporate data on their iPhones and iPads while home users may also have their personal pictures and videos stored on their iOS device.

With that in mind, here are 3 tips to help keep your photos and other data safe:

1. Use a strong password

This is an easy one – it’s important to make sure you use a strong, unique password for your iCloud account, especially as Apple hasn’t yet enabled two-step verification for iCloud. To do this, make the new password long (minimum 14 characters), avoid using real words and switch between UPPER, lower, d1g1t5 and //@ckies. If you have trouble remembering such a complex password, consider using a password manager.

And while we’re here, make sure you use unique passwords for every account on every website that you use. It’s important because if someone gains access to one of your accounts, they can only access that one – not every account you own.

2. Limit what you backup to iCloud

iCloud SettingsNow is a good time to check what exactly is being backed up to your own iCloud account. Go to Settings on your device and then select iCloud. Here you will see a list of all the apps on your device that are being backed up to the cloud. Each can be individually toggled on or off. You need to decide for yourself as to what you want to backup – for example, you may decide to not backup your Photos (especially if they’re a little risque), but keep backing up your Mail and Documents & Data.

It’s a case of weighing up the risk of losing or bricking your device, versus the risk of having your information stolen through the cloud. Of course, there’s always the option of…

3. Turn iCloud off and backup locally

If you feel that the risk of having your iCloud storage hacked outweighs the convenience of the service then you may wish to delete your account entirely. Doing so is very easy. Go to Settings on your iDevice and then select iCloud. Scroll all the way to the bottom of the screen and you will see the option to Delete Account. Of course, that means your device will no longer be backed up, so you’ll need an alternative means of backing up your data. Fortunately, you have that with Apple’s iTunes which offers a manual alternative.

To backup with iTunes:

1. Make sure your computer has the latest version of iTunes

2. Connect your iOS device to your computer

3. Choose File, then Devices and Back up.

If you decide to backup your devices this way, remember to continue backing up on a regular basis. 

You can read the original article, here.

The new line up consists of four rack-mount appliance models with larger internal disk capacities, faster processors, increased memory, and integrated solid state drives (SSDs) to shorten backup time and accelerate data recovery. The bundled WD Arkeia v10.1 software delivers new support for “seed and feed” technology to support hybrid cloud backups. This allows companies to move backups offsite via network replication rather than shipment of tapes.

The new fourth-generation appliances offer:

•    Increased Backup and Recovery Speed: New features include integrated LTO5 tape drives, processor upgrades to a maximum of 2 hex-core Intel Xeon, integrated SSDs on select models, and memory up to 96 GB to allow for increased data backup and recovery speeds of both files and disk images. WD Arkeia’s patented Progressive Deduplication™ technology accelerates backups by compressing data at source computers before transfer over local area networks (LANs) or wide area networks (WANs).
•    Higher Storage Capacity: Storage capacity doubles from the third generation, with raw capacity now ranging up to 48 TB, configured in RAID-6.
•    Improved Ease-of-Use: Version 10.1 of WD Arkeia software, delivered with the new generation, includes an on-boarding wizard to streamline the appliance setup process.
•    Storage Reliability: All new WD Arkeia appliances feature WD enterprise-class WD RE™ hard drives for maximum data integrity.
•    Simplified Tape-free, Offsite Storage: Version 10.1 of WD Arkeia software extends support for hybrid cloud backup capabilities to the full line of WD Arkeia appliances. “Seed and feed” capabilities allow administrators to supplement network replication of backup sets offsite by using USB-connected hard drives to transfer initial and large backup sets and also to size WAN bandwidth for the replication of nightly incremental backups.  

WD Arkeia fourth generation network backup appliances – models RA4300, RA4300T, RA5300, RA6300 – will be available in July 2013 through select DMR’s and WD-authorized value-added resellers (VARs) in the US, Canada, and Europe.  Manufacturer’s Suggested Retail Price, including hardware and software, begins at $9,990 USD.  WD Arkeia network backup appliances are covered by one year of unlimited access to technical support, one year of software updates, and a one-year limited hardware warranty.

The authentication system, based on a new material for the home button and a metal sensor ring around it, has been the subject of numerous rumours and leaked photos and specs already. Speculation about Apple’s interest in fingerprints goes back at least as far as 2009, resurfaces each time a new version of the iPhone is launched, and has grown steadily ever since Apple’s pricey acquisiton of fingerprint tech firm AuthenTec last summer. Today’s confirmation at the iPhone 5s/5c launch ceremony makes it all official at last. According to Apple’s promotional material, the sensor:
“uses advanced capacative touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin. It then intelligently analyses this information with a remarkable degree of detail and precision“.

As well as unlocking the phone, the sensor will be able to approve purchases at the Apple store. Fingerprint authentication has been a common sight in laptops for some time, with major vendors including Dell, Lenovo and Toshiba pushing their own built-in variations, usually available as an option alongside more traditional login methods. There are also a range of other implementations available, including many smartphone apps and external readers supported by the Windows Biometric Framework and some leading password managers.

Fingerprints thus probably rank a little above facial recognition as the most widely-deployed biometric authentication technique at the moment. In the past, however, they have proven rather unreliable, plagued with security worries, although suspected flaws are not always proven. Nevertheless, many fingerprint scanners seem to be open to spoofing. Fingerprints are not secret: we leave copies of them wherever we go, even if we’re trying hard not to, as cop show afficionados will be well aware. Once someone devious has got hold of a copy, purely visual sensors can be fooled by photographs, while more sophisticated techniques which measure textures, temperatures and even pulses are still open to cheating using flesh-like materials, or even gelatin snacks. Just how hard it will be to defeat Apple’s recognition system remains to be seen, but as crypto guru Bruce Schneier has pointed out, there’s a big danger in using fingerprints to access online services: the temptation to store the fingerprint info in a central database. Unlike passwords, of course, if your fingerprint data is lifted from a hacked database, you can’t simply change it, short of getting mediaeval on your hands with acid, sandpaper or some other hardened-gangster technique.

So, as expected, Apple has opted to keep all information local to the iPhone – indeed, it is apparently kept in a “secure enclave” on the new A7 chip and can only be accessed by the print sensor itself. Expect this storage area and the connections to it to become the subject of frenzied investigations by hackers of all persuasions. Of course, Apple is not alone in looking into fingerprints, with arch-rivals Samsung also rumoured to be making moves in that direction. (Samsung was a major customer of AuthenTec before it was acquired.) In the long term, how similar their approaches are may be a significant issue for all of us, whatever our smartphone affiliation and whether or not we worry much about privacy, and not just thanks to the inevitable legal rumpus. There are two basic approaches to security: either the way things work is kept proprietary and secret, as far as possible, or it’s made open for general consumption, and more importantly for verification. A cross-vertical group, the FIDO Alliance, was set up earlier this year to develop open specifications for biometric authentication standards, with members including Google, PayPal, hardware makers like Lenovo and LG, and a raft of biometrics and authentication specialists. Beleaguered phonemaker BlackBerry is the latest big-name inductee. The alliance’s aim, to create a universal approach to implementing biometrics in combination with existing passwords and two-factor dongles, is a noble goal. Sadly, given Apple’s history of playing well with others, it’s pretty likely that, as with their connector cables and DRM systems, their fingerprint setup will remain aloof from any attempts to build a truly universal consensus.

Even if a two-culture system prevails, widespread deployment in mass-market handhelds may well be a gamechanger for the adoption of biometric authentication. Touch ID and its inevitable followers could be a major part of all our futures.

You can read the original article, here.

What’s a CSR?

If you have ordered an SSL Certificate before, you were most likely asked to provide a CSR. The CSR is used to deliver the public key that your server will use to identify itself. Generating a CSR can be a hurdle for non-technical staff that aren’t always familiar with the command lines that need to be created and today still remains a time-consuming process even for more experienced users.

CSR Creation Made Easy

Our new CSR creation tool makes it easy to generate the CSR for your server by simply inputting your certificate information (e.g. domain name, organization details, etc.) in the fields provided. The tool will automatically generate the command lines required to create the CSR on your webserver, so you don’t need to write them yourself.

The CSR tool provides command lines for most popular webservers, including OpenSSL, Exchange 2007, IIS and F5 Big-IP.

Bonus Features: Advice on Best Practices

To ensure your SSL Certificates are compliant with the latest security best practices, the CSR tool automatically defaults to the most secure algorithm (RSA) and only offers key length options in line with the latest CA/B Forum guidelines (2048 bit minimum).
Use The Tool

The CSR tool is available in multiple languages at https://csrhelp.globalsign.com and includes support information and FAQs for additional help with the CSR generation process. Secure you website today with SSL the easy way.

You can read the original article here.

The email reads:

    Hello,
    A Secure Document was sent to you by your financial institute using Google Docs.
    Follow the link below to visit Google Docs webpage to view your Document
    Follow Here. The Document is said to be important.
    Regards.
    Happy Emailing,
    The Gmail Team

Phishing emails aren’t exactly rare, but this one caught my eye. In addition to being a somewhat plausible lure, it is an equal opportunity exploit. If you click the link you are presented with a phishing page hosted in Thailand. The page not only asks for your Google credentials, it also suggests it will accept Yahoo!, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.

Of course, filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire.  You might think, “So what? My Gmail isn’t full of secrets that will destroy my nation/life/career.” You would likely be wrong, because your email is the key to unlocking much of your online identity. Forget your banking password? No worries, they will email you a password reset link. Does your company utilize cloud services? Your email account is likely key to accessing these systems. Phishing is an amazingly successful technique. Just ask the Syrian Electronic Army, who with little technical talent have been able to compromise some of the most powerful media organizations in the world. As an IT administrator, these are opportunities to educate your staff on the risks.

This might not be the most convincing of the phishes that are out there, but it is a useful tool to educate your staff. Many organizations are using Google and other cloud service providers to provide critical IT services. At first glance this could be very believable. What do I do to avoid being a victim? I create shortcuts in my browser for all sensitive services. If I need to access my email, bank or other online service, I don’t click the link; I click the favourite.

You can read the original article, here.

Imagine a system that can alert you when it starts to rain, not only warning to get out your umbrella, but also putting more trains on the Metro to cope with the extra passengers, monitoring the cafes to ensure there is sufficient coffee, or alerting when a vending machine needs restocking. A tool that gives you a sharp overview of vast and complex infrastructure, combined with the intelligence to review and comprehend what is happening – well, that’s not merely SIEM. That’s LogPoint.

SIEM – or Security Information and Event Management. Quite a mouthful. So what does it mean?
Metaphorically speaking, SIEM is the Information Technology version of Closed Circuit Television (CCTV). In short: a surveillance system of all data within an entire IT landscape in order to catch intrusions, provide insight into operations and report on functioning.

The First CCTV
Originally developed in the 1930’s to monitor rocket launches, CCTV began to be used to remotely monitor people and equipment in the 1970’s. A very basic instrument at the time, it could not record, replay, keep or store images.
Unless you were watching it live, the event would be missed.

Log Files
IT Systems create log files for every activity, be it purely informational, or failures, or even successes. Log Files can also trace who performed the activity, when was it done, etc. However, log files are stored locally on each system, and unless someone can review each and every system, it is almost impossible to find everything. Just like the first CCTV, unless you are watching these logs in real time, the event will be missed.

CCTV Evolves
CCTV evolved throughout the 80’s and 90’s, gaining the ability to record and replay videos of people and activity – and this could then be used for investigation and criminal prosecution within the courts. Slowly, CCTV cameras began to appear everywhere. Today, there are 207,431 CCTV cameras covering a large percentage of the city of London – a similar story for most European cities.

Log Management
This is the basis for the Log Management software from which SIEM has evolved – software that enables log collection from an entire infrastructure, storing them centrally, and time-stamping them for analysis. This offers better insight into how “the crime” happened and took place, who was involved, and how can it be prevented in the future. But this still isn’t SIEM as we know it today.

Modern CCTV
CCTV has developed at an amazing speed since the turn of the century. Not only can it now record and store data from hundreds of thousands of cameras, it can also recognize auto registrations and even faces – enabling real-time alerts that can:
• Be sent to emergency operators.
• Dispatch police – e.g., when specific people enters a city or area where they have been banned.
• Track and alert suspicious behavior and movements, such as with crowd control, loitering in street theft hot spots, or troublemakers entering a bar.

SIEM
Like the modern CCTV, LogPoint is the most advanced form of SIEM – capable of monitoring millions of log files every second, from every device in an infrastructure, detecting log patterns as they evolve.
LogPoint can:
• Regularly report on general activities.
• Identify bottlenecks and monitor the health of your IT infrastructure.
• Replay events to identify when, what and who was involved – providing evidence in criminal prosecution.
• Reveal how to prevent incidents from happening again.
• Alert administrators to security threats and system failures – before they even happen.

LogPoint, is the best SIEM, ever.

One of Negobot’s creators, Dr. Carlos Laorden, told the BBC that past chat bots have tended to be too predictable: “Their behaviour and interest in a conversation are flat, which is a problem when attempting to detect untrustworthy targets like paedophiles.” The most innovative aspect of Negobot may be a key differentiator that makes it appear more lifelike: namely, the incorporation of the advanced decision-making strategies used in game theory. In a paper about their creation, the researchers describe how they’ve taught the robot to consider a conversation itself as a game.

For example, the bot identifies the best strategies to achieve its goal in what its programmers have taught it to understand as a competitive game. Negobot’s goal is to collect the information that can help to determine if a subject involved in a conversation has paedophile tendencies, all the while maintaining a convincing, kid-like prattle, sprinkled with slang and misspellings, so the subject doesn’t get suspicious. Negobot keeps track of its conversations with all users, both for future references and to keep a record that could be sent to the authorities if, in fact, the subject is determined to be a paedophile.

The conversation starts out neutral. The bot gives off only brief, trivial information, including name, age, gender and hometown. If the subject wants to keep talking, the bot may talk about favorite films, music, drugs, or family issues, but it doesn’t get explicit until sex comes into the conversation. The bot provides more personal information at higher levels, and it doesn’t shy away from sexual content. The Negobot will try to string along conversationalists who want to leave, with tactics such as asking for help with family, bullying or other typical adolescent problems. If the subject is sick of the conversation and uses less polite language to try to leave, the bot acts like a victim – a youngster nobody pays attention to and who just wants affection from somebody. Robot. Image courtesy of Shutterstock.From there, if the subject has stopped talking to the bot, the bot tries to exchange sex for affection. Is this starting to sound uncomfortably like entrapment?

That’s exactly what gets some experts worried. John Carr, a UK government adviser on child protection, told the BBC that overburdened police could be aided by the technology, but the software could well cross the line and entice people to do things they otherwise might not: “Undercover operations are extremely resource-intensive and delicate things to do. It’s absolutely vital that you don’t cross a line into entrapment which will foil any potential prosecution.” The BBC reports that Negobot has been field-tested on Google chat and could be translated into other languages. Its researchers admit that Negobot has limitations – it doesn’t, for example, understand irony.

Still, it sounds like a promising start to address the alarming rate of child sexual abuse on the internet. Hopefully, the researchers will keep it reined in so as to avoid entrapment – a morally questionable road that could, as Carr pointed out, ruin the chances for prosecutorial success. What do you think? Are you comfortable with the premise, or does the chances of entrapment sour the concept for you?

You can read the original article, here.