News
Likewise, the three countries that took their place in the top flight all came up from the 13-24 range. And, just like in your favourite football league, the majority of the high-flyers stayed put at the top. But is it so surprising that the USA is the Man United of the SPAMMIERSHIP, “winning” as often as not, or that China and India are often found near the top? With more than a billion people each and a thirstily-increasing demand for internet access in both countries, where else would you expect to see China and India except in the Dirty Dozen?
Welcome, then, to the SophosLabs SPAMMIERSHIP League Table:
And with more than 300 million people and the lion’s share of the world’s internet connectivity, where else would you expect to see the USA than leading the pack outright? What, then, if we scale the scores up or down in proportion to each country’s population? Now things get interesting, because a rather different story emerges:

Half of the volume-based culprits are gone, and countries that would usually fly under the radar when measured on spamming volume alone – like Luxembourg and Singapore – suddenly burst onto the scene. Don’t be surprised. This doesn’t mean that usually law-abiding Singapore has turned into a seething swamp of spam-related cybercriminality. Remember that although the Dirty Dozen denotes the extent to which a country’s computers are used for delivering spam, it doesn’t tell us where the spammers themselves are located.
That’s because most spam is sent indirectly these days, especially if it is overtly malevolent, such as:
- Phishing emails. These try to lure you into entering passwords into mock-ups of a real site such as your bank or your webmail account.
- Malware links. These urge you to click links that put you directly in harm’s way by taking your browser to hacked websites.
- Malware deliveries. These use false pretences, such as fake invoices, to trick you into opening infected attachments.
- Identity theft. These invite you to reply with personally identifiable information, often by claiming to offer work from home opportunities.
- Investment scams. These talk up investment plans that are at best unregulated and at worst completely fraudulent.
- Advance fee fraud. These promise wealth or romance, but there are all sorts of fees, bribes and payments to hand over first.
If the crooks behind this sort of cybercrime were to use their own computers, they’d never be able to send the volume of spam they’d like. Also, using their own computers would lead law enforcement to their digital doorsteps. Instead, cybercriminals rely heavily on bots, also known as zombies: innocent users’ computers that are infected with malware that regularly calls home to download instructions on what to do next. Those instructions may say something such as “here is a boilerplate email message, and here is a list of email addresses – send a copy to everyone on it.” So, if your country is in the Dirty Dozen, it almost certainly has a much-higher-than-average number of unprotected computers that are actively infected with malware. And if a cybercriminal can secretly tell your computer to send spam to 1000 people you’ve never heard of – leaving you to argue with your ISP about why you shouldn’t be thrown offline for antisocial behaviour – then ask yourself this: “What else could he get up to on my account?” In short, the SPAMMIERSHIP League Tables are meant as a light-hearted way of reminding us all of one very serious aspect of computer security: namely that if you put yourself in harm’s way, you’ll probably end up harming lots of other people, too. In other words, getting serious about computer security is the easiest sort of altruism: by protecting yourself, you help to protect everyone else at the same time.
You can read the original article, here.
One of Negobot’s creators, Dr. Carlos Laorden, told the BBC that past chat bots have tended to be too predictable: “Their behaviour and interest in a conversation are flat, which is a problem when attempting to detect untrustworthy targets like paedophiles.” The most innovative aspect of Negobot may be a key differentiator that makes it appear more lifelike: namely, the incorporation of the advanced decision-making strategies used in game theory. In a paper about their creation, the researchers describe how they’ve taught the robot to consider a conversation itself as a game.
For example, the bot identifies the best strategies to achieve its goal in what its programmers have taught it to understand as a competitive game. Negobot’s goal is to collect the information that can help to determine if a subject involved in a conversation has paedophile tendencies, all the while maintaining a convincing, kid-like prattle, sprinkled with slang and misspellings, so the subject doesn’t get suspicious. Negobot keeps track of its conversations with all users, both for future references and to keep a record that could be sent to the authorities if, in fact, the subject is determined to be a paedophile.
The conversation starts out neutral. The bot gives off only brief, trivial information, including name, age, gender and hometown. If the subject wants to keep talking, the bot may talk about favorite films, music, drugs, or family issues, but it doesn’t get explicit until sex comes into the conversation. The bot provides more personal information at higher levels, and it doesn’t shy away from sexual content. The Negobot will try to string along conversationalists who want to leave, with tactics such as asking for help with family, bullying or other typical adolescent problems. If the subject is sick of the conversation and uses less polite language to try to leave, the bot acts like a victim – a youngster nobody pays attention to and who just wants affection from somebody. From there, if the subject has stopped talking to the bot, the bot tries to exchange sex for affection. Is this starting to sound uncomfortably like entrapment?
That’s exactly what gets some experts worried. John Carr, a UK government adviser on child protection, told the BBC that overburdened police could be aided by the technology, but the software could well cross the line and entice people to do things they otherwise might not: “Undercover operations are extremely resource-intensive and delicate things to do. It’s absolutely vital that you don’t cross a line into entrapment which will foil any potential prosecution.” The BBC reports that Negobot has been field-tested on Google chat and could be translated into other languages. Its researchers admit that Negobot has limitations – it doesn’t, for example, understand irony.
Still, it sounds like a promising start to address the alarming rate of child sexual abuse on the internet. Hopefully, the researchers will keep it reined in so as to avoid entrapment – a morally questionable road that could, as Carr pointed out, ruin the chances for prosecutorial success. What do you think? Are you comfortable with the premise, or do the chances of entrapment sour the concept for you?
You can read the original article, here.
She writes: “I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)“.
She hasn’t yet named names or put a price tag on the first recipient. In fact, there are already multiple researchers who’ll be receiving bounty payouts. MSRC plans to hook up those researchers who want to be publicly recognized for their contributions on an acknowledgement page on its bounty web site. “Stay tuned, as it will come soon“, Moussouris says.
What Microsoft can share at this point are these two key results:
- They’re getting more submissions, earlier. Microsoft has received more vulnerability reports in the first two weeks of its bounty programs than it typically would in an average month. It shows that the strategy for getting more vulnerability reports earlier in the release cycle is working, it says.
- They’re attracting new researchers. Researchers who’ve rarely, or even never, reported directly to Microsoft are now choosing to talk directly to the company. Microsoft interprets that as proof that its strategy to hear from people it usually doesn’t hear from is bearing fruit.
As Moussouris explains it, Microsoft was canny in how it chose to approach the vulnerability market. There’s the black market, where zero-day bugs fetch the highest prices. Then there’s the gray market, where bug-hunting mercenaries make a mint selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states. Microsoft didn’t go there. Instead, it focused on the white market: the place where buyers are after vulnerability information for defensive use, whether it’s vendors themselves (via bounty programs) or a broker who uses the vulnerabilities for their own protection services or threat reports. Moussouris says that three years ago, white-hat bug hunters were passing up cash on the white market and were instead mostly coming to Microsoft directly. That changed over the past few years. Microsoft has witnessed researchers increasingly holding bugs back to see what the going rate might reach on the various markets, typically after Microsoft has released code to manufacturing. The way Microsoft figures it, it’s identified a gap in the market that its new bounty program is filling: namely, in the pre-release, or beta, period.
Moussouris writes: “It’s not about offering the most money, but rather about putting attractive bounties out at times where there are few buyers (if any)… Trying to be the highest bidder is a checkers move, and we’re playing chess“.
There is data out there that bolsters Moussouris’ contention that strategically structured, well-timed bounty programs are a good investment. A study recently released by the University of California, Berkeley reports that paying bounties to independent security researchers is a better investment than hiring employees to do it. For example, Google’s paid out about $580,000 over three years for 501 Chrome bugs, and Firefox has paid out about $570,000 over the same period for 190 bugs. Compare that with just one full-time salaried security researcher digging through code, at, say, $100,000 per year, and the savings can be huge.
You can read the original article, here.
Some recent industry estimates report that as many as 96 percent of organizations now have employees who use both corporate-managed and personal mobile devices for work purposes, forcing IT to adopt new strategies to protect their data on those devices. Even though huge numbers of smartphones and tablets are lost every day, many users don’t enable even basic password protection.
Mobile malware and hacking is on the rise and many workers are still using unsecured personal mobile devices to access corporate data—a major concern for organizations trying to protect data while letting users work how they want.
Sophos Mobile Control provides the complete security that IT requires to confidently embrace employee device mobility. This latest version delivers Windows Phone 8 support alongside iPhone/iPad and Android, with self-enrollment and self-service capabilities for users, and allows IT to manage the complete device lifecycle as well as loss & theft scenarios.
Also included is an easy-to-use client app, which provides access to compliance status, messages and support information—allowing for comprehensive reporting and giving IT a holistic view of devices. Simpler administration is delivered by an updated menu, dashboard and various other workflow improvements. The SaaS version of Sophos Mobile Control 3.5 delivers better integration into corporate IT with a new remote Exchange ActiveSync (EAS) Proxy that enables organizations to block non-compliant devices from receiving email, and remote LDAP support that allows users to easily connect to Active Directory.
You can read the original article, here.
By offering this service, GlobalSign hopes to encourage the use of SSL in application development and the growth of security best-practices.
Through GlobalSign’s commitment to the open-source community, projects are eligible to receive one free Wildcard SSL Certificate valid for as long as the project meets minimum requirements. Open-source software projects that allow developers and the general public to freely access the source code have become very popular and are looked upon by many as leaders in the industry, representing an important segment of the technology community. Offering SSL Certificates will allow developers to improve the trust and security of their projects, which people around the world rely on. GlobalSign hopes this partnership can also make a difference by setting an example in how SSL is deployed today.
“We are delighted to show our commitment to the open-source community by offering free SSL Certificates to these projects,” said Ryan Hurst, chief technology officer, GMO GlobalSign, Inc. “We believe this effort will not only help the developers and users of open-source projects but also encourage the adoption of industry best-practices in the use of SSL.”
To qualify for a free Wildcard SSL Certificate from GlobalSign, the software project must use a license approved by the Open Source Initiative. GlobalSign will also require that projects maintain secure SSL configurations. Projects can quickly and easily evaluate their SSL strength by using the GlobalSign SSL Configuration Checker, which currently checks for over 30 common problems relating to configuration and provides recommendations on how to fix them, thus making it easy to achieve a secure configuration.
Those in the open-source software community who are interested in obtaining a free Wildcard SSL Certificate from GlobalSign may enroll for it by visiting https://www.globalsign.com/ssl/ssl-open-source/.
Click here to see the original article.
The new release delivers the first in the industry “IP Centrex for VPS providers“. With this technology, Web Hosting companies can deliver IP PBX services to any size business, all within the Virtualized cPanel management system.
IP Centrex has traditionally been a system for carriers and SIP Trunk solution providers due to the complexity and telecom requirements for setup and delivery of services. “IP Centrex Services” has become a vital part of the evolution to move complex IT services out of the IT closet, to a “centralized” location in the Cloud. VPS hosting providers can now provide valuable services with IP Centrex, in a simple to manage and easy to understand package that runs right inside the Virtualized environment, not requiring any dedicated servers or disruption.
The cPanel Adapter is a totally open source project, managed, maintained, and developed by a community of VPS hosting providers around the globe. The project is hosted at the Google Code site and VPS Hosting companies are encouraged to join and contribute to advance the technology for their own requirements and customer demands.

Features for the IP Centrex system included in the 3.0 release include:
- Setup of phone extensions
- Creation and management of Queues i.e. “support department” or “sales team”
- Certified for SNOM IP Phones with HD Voice
- Encryption for secure calls
- IPv6 support
- Pronto! HTML5 Webmail with WebRTC support for HD Voice calls
- Secure Instant Messaging and Chat rooms
- Email and Calendar services with Encryption features including Certificate Authority
- Pronto! “Native” Mobile Clients available in the Apple App store and Android Store
You can read the original article, here.
Sophos Complete MSP Security is the first MSP-focused solution to offer complete protection for networks, endpoints, and mobile devices from a single vendor.
Sophos Complete MSP Security makes offering IT security as a service easier and more profitable. MSPs can offer a full range of IT security services that provide instant credibility and proven protection, including centralized management that allows them to easily manage all of their customers’ locations at no extra charge.
With Sophos’ new self-provisioning MSP licensing, this program offers compelling usage-based pricing and pay-as-you-go monthly billing, and it requires no up-front commitments – a business model demanded by today’s MSPs that had gone unmet – until now.
You can read the original article, here.
Through the partnership, both parties aim to meet the increasing demand for SSL and other digital certificates requirements in the region through a range of dedicated enterprise solutions.
With over 55 percent growth in the SSL market during the last year (source: www.netcraft.com), the requirement for security in the Scandinavian region is at an all-time high. GlobalSign has been working with TrustZone for several years to encourage best practices for website security throughout this territory, issuing over 11,000 SSL Certificates through TrustZone, resulting in a significant acceleration in market growth of over 100 percent (source: www.netcraft.com). The partnership demonstrates both companies’ commitment in working together to enable customers to benefit from industry-leading SSL security solutions and in providing high levels of customer support, delivered directly by TrustZone at the local level.
The two organizations have joined forces to better serve the enterprise market in particular and are introducing GlobalSign’s leading Managed SSL and Enterprise PKI (ePKI) solutions to TrustZone’s customer base, enabling advanced on-demand management of a range of digital certificates. The scalability of both solutions gives large enterprises the ability to streamline workflows, whilst reducing the cost and time resources typically associated with digital certificate management and PKI deployments.
You can read the original article, here.
“On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments. The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser. It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate“.
The conclusions we reached, based on the announcement above, were:
- The network was breached.
- A code-signing key was stolen.
- Malware has been signed with it and circulated.
- At least one infected file was posted on an Opera server.
- That file may have been downloaded and installed by Opera itself.
- Cleanup and remediation has now been done at Opera.
That sounds a bit more like “Security breach not stopped.”
How else could a signed-and-infected file have been automatically downloaded by an already-installed instance of Opera? Anyway, wouldn’t Opera’s auto-update have failed or produced a warning due to the expired certificate? Until Opera has worked out the answer to these questions, Opera users probably want to assume the worst.
The good news is that the malware involved is widely detected by anti-virus tools, and the period of possible exposure via Opera itself was at most 36 minutes.
→ According to Opera, Sophos products block the offending file as Mal/Zbot-FG.
So, if you are an Opera for Windows user:
- Download a fresh copy of the latest version (since the buggy download appears to be a thing of the past).
- Make sure your anti-virus is up to date.
- If you can spare the time, do an on-demand (“scan now”) check of your computer.
- If we find out more detail about whether malware was distributed by existing Opera installations or not, we’ll let you know.
You can read the original article, here.
This is according to the abstract of a briefing to be given at the upcoming Black Hat USA conference. The attack, dubbed “Mactans“, succeeded in compromising latest generation devices with the latest version of iOS. It led to a persistent infection with software of the attacker’s choice, invisible to the phone’s user thanks to built-in concealment techniques used to hide some of Apple’s own apps.
The researchers, from the Georgia Institute of Technology, say they built their malicious charger in minimal time with little budget, using a credit card-sized BeagleBoard-embedded computer. I’ve always been a little worried when I’ve seen those free charging stations at airports, shopping malls and other public places. OK, so sometimes you just have to get at some power, but the whole idea of plugging my phone into something I have so little reason to trust just seems a little dirty, not to mention unsafe. Now, assuming this is more than the usual pre-conference hype, those fears look more than justified.
Worse, the small scale of this particular device means you wouldn’t even need a big pedestal-sized charging station. While not quite small enough to disguise as a normal Apple USB power converter as it stands, there are still ample opportunities to trick people into trusting a reasonably compact charging device.
With a little more effort and investment, it should be trivial to build a trojanized charger that is almost identical to standard kit. Then we’d really be in trouble. Imagine an eBay shop selling super cheap USB plugs, which could happily take over your phone and make it call premium-rate numbers or harvest passwords from your email or even bank accounts. Not such a bargain all of a sudden. It might be a good time to buy up all the USB chargers you’re going to need – I suspect prices for proven trustworthy hardware might well be going up fairly shortly.
You can read the original article, here.
As it is, Whitten explains, Facebook gives users the option of linking their mobile numbers with their accounts. Users then can receive updates via SMS and can also login using their phone number rather than their email address. Whitten found that when sending the letter F to Facebook’s SMS shortcode – which is 32665 in the UK – Facebook returned an 8-character verification code. After submitting the code into the activation box and fiddling with the profile_id form element, Facebook sent Whitten back a _user value that was different from the profile_id that Whitten modified.
Whitten says that trying the exploit might have led to having to reauthorize after submitting the request, but he could do that with his own password instead of trying to guess at his target’s password.

After that point, Facebook was sending an SMS confirmation. From there, Whitten said, an intruder could initiate a password reset request on his targeted user’s account and get the code back, again via SMS. After a reset code is sent via SMS, the account is hijacked, Whitten wrote: We enter this code into the form, choose a new password, and we’re done. The account is ours.

Facebook closed the security hole by no longer accepting the profile_id parameter from users. This could have been a valuable flaw were it to fall into the hands of attackers who might have used it to steal personal data or send out spam. As it is, one commenter on Whitten’s post who obviously didn’t understand the “it’s now fixed” part of the story made the bug’s value clear with his or her eagerness to figure out how to exploit it:
khalil0777: someone explain me how to exploit it i am realyy need it i wait your helps friends :/
:/ oh well, khalil0777, looks like you’re too late for that party.
I’d say better luck next time, but perhaps instead I’ll save my good wishes for Mr. Whitten.
May he enjoy his $20,000.
It was well-earned, and it’s a bargain for Facebook even were the reward to be doubled, considering the grief that could have been caused by such an easy exploit.
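The bug Whitten found is an authorization flaw of a very common kind: the server took the account to modify from a client-supplied parameter (profile_id) instead of from the authenticated session. The following is an added example written for this page, not Facebook's code, that models that flow in miniature: a shortcode handler that answers a texted "F" with an 8-character code, a vulnerable phone-linking handler that trusts profile_id, and the hardened version that ignores it, as Facebook's fix did. The account table, the PENDING_CODES store, the form field names and the `_user` response field are constructed to mirror the article's description and are assumptions.

```python
"""Added example: the authorization flaw behind the Facebook phone-linking bug,
modelled in miniature. Illustrative code for this page, not Facebook's code.
The account table, PENDING_CODES store, the form fields `code`/`profile_id` and
the `_user` response field are constructed from the article's description."""

import secrets
from typing import Dict, Optional

# Constructed sample accounts: 1001 is the attacker's own account, 2002 the victim's.
ACCOUNTS: Dict[int, Dict[str, Optional[str]]] = {
    1001: {"phone": None},
    2002: {"phone": None},
}

# Outstanding 8-character SMS codes: code -> phone number that texted "F".
PENDING_CODES: Dict[str, str] = {}


def sms_received(phone: str, body: str) -> Optional[str]:
    """Shortcode handler: texting the letter F returns an 8-character
    verification code bound to the sending phone number."""
    if body.strip().upper() != "F":
        return None
    code = secrets.token_hex(4)  # 4 bytes -> 8 hex characters
    PENDING_CODES[code] = phone
    return code


def link_phone_vulnerable(session_user_id: int, form: Dict[str, str]) -> Dict[str, object]:
    """Insecure direct object reference: the account to modify is taken from the
    client-supplied profile_id, so a valid code for the attacker's own phone can
    be attached to any account the form names."""
    phone = PENDING_CODES.pop(form.get("code", ""), None)
    if phone is None:
        return {"error": "invalid or expired code"}
    target_id = int(form["profile_id"])  # attacker-controlled value
    ACCOUNTS[target_id]["phone"] = phone
    return {"_user": target_id}


def link_phone_fixed(session_user_id: int, form: Dict[str, str]) -> Dict[str, object]:
    """Hardened handler: the only account that may change is the one the session
    is authenticated as; profile_id in the form is ignored entirely, matching
    Facebook's fix of no longer accepting that parameter."""
    phone = PENDING_CODES.pop(form.get("code", ""), None)
    if phone is None:
        return {"error": "invalid or expired code"}
    ACCOUNTS[session_user_id]["phone"] = phone
    return {"_user": session_user_id}


def run_flow(handler) -> Optional[int]:
    """Replay the article's flow against a handler and report which account
    ended up linked to the attacker's phone (None if no account was changed)."""
    for acct in ACCOUNTS.values():
        acct["phone"] = None
    attacker_id, victim_id, attacker_phone = 1001, 2002, "+44 7700 900123"  # constructed
    code = sms_received(attacker_phone, "F")
    handler(attacker_id, {"code": code, "profile_id": str(victim_id)})
    for user_id, acct in ACCOUNTS.items():
        if acct["phone"] == attacker_phone:
            return user_id
    return None


if __name__ == "__main__":
    print("vulnerable handler linked the phone to account:", run_flow(link_phone_vulnerable))
    print("fixed handler linked the phone to account:     ", run_flow(link_phone_fixed))
```

The detection angle for defenders reviewing similar code: any handler that writes to an account chosen by a request parameter, rather than by the session, needs an explicit check that the two match, and the simplest fix is usually to drop the parameter altogether, which is what the fixed handler does.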
Click here to see the original article.
The new line up consists of four rack-mount appliance models with larger internal disk capacities, faster processors, increased memory, and integrated solid state drives (SSDs) to shorten backup time and accelerate data recovery. The bundled WD Arkeia v10.1 software delivers new support for “seed and feed” technology to support hybrid cloud backups. This allows companies to move backups offsite via network replication rather than shipment of tapes.
The new fourth-generation appliances offer:
• Increased Backup and Recovery Speed: New features include integrated LTO5 tape drives, processor upgrades to a maximum of 2 hex-core Intel Xeon, integrated SSDs on select models, and memory up to 96 GB to allow for increased data backup and recovery speeds of both files and disk images. WD Arkeia’s patented Progressive Deduplication™ technology accelerates backups by compressing data at source computers before transfer over local area networks (LANs) or wide area networks (WANs).
• Higher Storage Capacity: Storage capacity doubles from the third generation, with raw capacity now ranging up to 48 TB, configured in RAID-6.
• Improved Ease-of-Use: Version 10.1 of WD Arkeia software, delivered with the new generation, includes an on-boarding wizard to streamline the appliance setup process.
• Storage Reliability: All new WD Arkeia appliances feature WD enterprise-class WD RE™ hard drives for maximum data integrity.
• Simplified Tape-free, Offsite Storage: Version 10.1 of WD Arkeia software extends support for hybrid cloud backup capabilities to the full line of WD Arkeia appliances. “Seed and feed” capabilities allow administrators to supplement network replication of backup sets offsite by using USB-connected hard drives to transfer initial and large backup sets and also to size WAN bandwidth for the replication of nightly incremental backups.
WD Arkeia fourth generation network backup appliances – models RA4300, RA4300T, RA5300, RA6300 – will be available in July 2013 through select DMR’s and WD-authorized value-added resellers (VARs) in the US, Canada, and Europe. Manufacturer’s Suggested Retail Price, including hardware and software, begins at $9,990 USD. WD Arkeia network backup appliances are covered by one year of unlimited access to technical support, one year of software updates, and a one-year limited hardware warranty.
Sophos received top marks in the latest report from AV-Comparatives, a leading international testing lab. The report, titled “Impact of Anti-Virus Software on System Performance,” evaluated twenty one of the world’s leading security products on a PC running under Windows 7.
The testing lab prepared a total of 545 infection scenarios, and Sophos’ antivirus offering tied for the highest score among the products reviewed. It also received an “Advanced +” award, based on the lab’s assessment of the overall results.
“We value the work of independent testing labs like AV-Comparatives, as they help vendors like Sophos to strengthen our offerings, while providing consumers and businesses great insight so that they can make better informed decisions,” said Mark Harris, vice president, engineering, Sophos. “This latest recognition validates the great work of our team, which is committed to developing complete security solutions to combat advanced threats.”
In related testing news, Virus Bulletin, another leading independent lab awarded Sophos with a VBSpam award for its comparative anti-spam testing. This marks the 20th time that Sophos has received this honor for its Sophos Email Appliance. Additionally, Sophos recently received a VB100 award for Sophos Endpoint Security and Control as part of Virus Bulletin’s comparative review on Windows XP Professional SP3.
Click here to see the original article.
There’s definitely an update coming next Tuesday, 18 June 2013, and you might as well get ready for it now if you haven’t already. The details of what will be fixed aren’t a matter of public record yet, so we can’t spell them out for you in detail. Nevertheless, Oracle has published a very brief pre-announcement to remind us of the importance of this month’s fixes. The good news is that lots of security vulnerabilities have been repaired – 40 in total, of which all but three are RCEs, or remote code execution holes.
That’s where untrusted content sent over the network might be able to trick Java into performing operations that really ought to be limited to already-installed, trusted code. In short, an RCE means that you could get infected by malware simply by looking around online, without explicitly downloading, authorising or even noticing the malware being installed.

There are two handy ways to reduce this RCE risk:
· Apply Oracle’s patches as soon as practicable. You can turn on fully-automatic updating if you like.
· Turn off Java in your browser, so that web-based Java applets can’t run at all.
Click here to see the original article.
The research evaluated thousands of website URLs of organizations that utilized the GlobalSign SSL Configuration Checker; many of these organizations were looking to assess the strength and quality of their SSL configurations. Statistics revealed that in the first quarter of 2013 over 6,000 sites used the tool to evaluate the effectiveness of their SSL, and 269 of those sites used the remediation guidance provided by GlobalSign to improve and, in some cases, strengthen the security of their sites within a matter of minutes.
Upon visiting GlobalSign’s SSL Configuration Checker, powered by Qualys SSL Labs, organizations enter their website addresses and instantly receive a letter grade for their configuration. The grading system has three steps. First, the site’s SSL certificate is examined to confirm that it is trusted and valid. If a server fails this step it is automatically given a zero. Next, the server configuration is tested in three categories:
1) protocol support,
2) key exchange support and
3) cipher support.
Finally, a score between 0 and 100 is assigned to the site. The grading scale is as follows:
• score ≥ 80 A
• 65 ≤ score ≤ 79 B
• 50 ≤ score ≤ 64 C
• 35 ≤ score ≤ 49 D
• 20 ≤ score ≤ 34 E
• score
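To make the three-step grading scheme concrete, here is an added example written for this page, not GlobalSign's or Qualys SSL Labs' code. It applies the page's letter thresholds to a constructed description of a server's TLS setup: an untrusted or invalid certificate scores zero outright, otherwise the three categories (protocol support, key exchange, cipher support) are scored and combined. The per-category scoring rules, the 30/30/40 category weights, and the mapping of scores below 20 to F (the scale above is cut off after E, though the text later refers to F grades) are my own assumptions, not the checker's real rules.

```python
"""Added example, not GlobalSign's or Qualys SSL Labs' code: a grader that
follows the three-step scheme and letter scale described on the page.
Assumed (not from the page): per-category scoring rules, the 30/30/40 weights,
and F for scores below 20."""

from typing import Dict, List, Tuple

# Letter scale from the page as (minimum score, letter); below 20 -> F (assumed).
GRADE_SCALE = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")]

# Assumed per-protocol scores. The weakest protocol the server still accepts
# sets the category score, so leaving SSLv2 enabled zeroes it.
PROTOCOL_SCORES = {"SSLv2": 0, "SSLv3": 80, "TLSv1.0": 90, "TLSv1.1": 95, "TLSv1.2": 100}

# Assumed category weights.
WEIGHTS = {"protocol": 0.30, "key_exchange": 0.30, "cipher": 0.40}


def letter_grade(score: int) -> str:
    """Map a 0-100 score to a letter using the page's thresholds."""
    for floor, letter in GRADE_SCALE:
        if score >= floor:
            return letter
    return "F"


def score_protocols(protocols: List[str]) -> int:
    """Category 1: weakest accepted protocol decides (assumed rule)."""
    if not protocols:
        return 0
    return min(PROTOCOL_SCORES.get(p, 0) for p in protocols)


def score_key_exchange(bits: int) -> int:
    """Category 2: assumed bands for the key-exchange key size in bits."""
    if bits >= 2048:
        return 100
    if bits >= 1024:
        return 80
    if bits >= 512:
        return 40
    return 20


def score_ciphers(cipher_bits: List[int]) -> int:
    """Category 3: weakest accepted symmetric cipher decides (assumed rule)."""
    if not cipher_bits:
        return 0
    weakest = min(cipher_bits)
    if weakest == 0:
        return 0
    if weakest < 128:
        return 20
    if weakest < 256:
        return 80
    return 100


def grade_site(cfg: Dict) -> Tuple[int, str]:
    """Step 1: untrusted/invalid certificate -> 0.  Step 2: score the three
    categories.  Step 3: weight into a 0-100 score and assign the letter."""
    if not (cfg.get("cert_trusted") and cfg.get("cert_valid")):
        return 0, letter_grade(0)
    categories = {
        "protocol": score_protocols(cfg.get("protocols", [])),
        "key_exchange": score_key_exchange(cfg.get("key_exchange_bits", 0)),
        "cipher": score_ciphers(cfg.get("cipher_bits", [])),
    }
    score = round(sum(WEIGHTS[name] * value for name, value in categories.items()))
    return score, letter_grade(score)


# Constructed sample configurations, not measurements of any real site.
SAMPLE_SITES = {
    "modern_only_tls12": {"cert_trusted": True, "cert_valid": True,
                          "protocols": ["TLSv1.2"], "key_exchange_bits": 2048,
                          "cipher_bits": [128, 256]},
    "sslv2_still_enabled": {"cert_trusted": True, "cert_valid": True,
                            "protocols": ["SSLv2", "SSLv3", "TLSv1.0"],
                            "key_exchange_bits": 2048, "cipher_bits": [128, 256]},
    "weak_keys_and_ciphers": {"cert_trusted": True, "cert_valid": True,
                              "protocols": ["TLSv1.0"], "key_exchange_bits": 1024,
                              "cipher_bits": [40, 128]},
    "untrusted_cert": {"cert_trusted": False, "cert_valid": True,
                       "protocols": ["TLSv1.2"], "key_exchange_bits": 2048,
                       "cipher_bits": [256]},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_SITES.items():
        score, letter = grade_site(cfg)
        print(f"{name:24s} score={score:3d} grade={letter}")
```

The sample named sslv2_still_enabled shows why a single obsolete protocol left on drops a site from an A to a C even when its certificate, keys and ciphers are fine, which is the kind of quick fix the page reports administrators making within minutes of seeing their grade.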
The research revealed that 50 percent of 269 websites that used the GlobalSign SSL Configuration Checker strengthened the effectiveness of their SSL configuration grades in 30 minutes or less. Fifteen percent improved from a B, C, D or F to an A grade in less than two hours.
Notable statistics for the 269 improved websites:
• 172 organizations improved their grade to an A overall – 63%
• 13 organizations improved their F grade to an A, B, or C – 42%
• 95 organizations improved their B grade to an A – 35%
“The improvement in website security is certainly encouraging for us to see, but this is the absolute tip of a very big, fast-moving and dangerous iceberg,” said Ryan Hurst, chief technology officer of GlobalSign. “Administrators can use the SSL Configuration Checker to greatly improve and remediate the security of poorly configured sites, but it is the awareness of this free and easy tool that we are trying to drive. Both small and large organizations with websites must adopt best practices, but first they have to identify the strengths and weaknesses of their sites’ SSL configuration.”
Alexa 100 Sites Evaluated:
In addition to the findings derived from inbound SSL Configuration Checker use, GlobalSign evaluated the SSL effectiveness of the Alexa Top 100 websites. The research revealed the following:
• Over half (51%) of the websites received an A.
• Twenty-five percent received a B and 5 percent scored a C.
These grades indicate that while just over half of the world’s top sites, and the enterprises behind them, have an effective configuration, there is ample room for improvement.
Overall SSL Configuration Checker Evaluation results of the Alexa Top 100:
a bogus message supposedly sent from Facebook Security.
According to Hoax-Slayer, the scam claims that Facebook is rolling out a new security feature to protect Page owners.
This supposed new security feature is dubbed the “Fan Page Verification Program”.
It does a nice job of flattery to entice victims into coughing up their Facebook login details, telling targets that Facebook has had ever so many stolen Pages lately and simply can’t think of what to do about it except, well, throw up its hands and Delete them all – yes, Delete those bad, bad Pages, with a capital “D”.
All the stolen Pages, that is, except yours, which, gosh, is so popular with its “High Quality Content”.
The message tells victims that they have to click a link and choose a 10-digit security code to complete the process.
Those who don’t comply by May 30, 2013, the message goes on to say, will see their Page suspended permanently.
Here’s an example of this scammy letter that Hoax Slayer posted on Friday:
Dear Facebook User,
You are receiving this message to notify you about the new security feature from Facebook called “Fan Page Verification Program”.
After many Fan Pages have been stolen lately leaving us no choice but Deleting them forever, we had to come up with an original solution about the Fan Page’s Security.
Luckily, your Fan Page, has a lot of likes and provides High Quality Content, which qualify it for this program.
To complete this process you must choose a 10-digit number (it can be any number) and that number will be assigned as your Security code”. This code will be the new passphrase for changing anything important for your Fan Page, like the Admin roles or other important settings.
Please be aware that this process it’s open only until 30.05.2013 and it’s mandatory to complete it. If you don’t, your Fan Page will be suspended permanently since it is not considered safe for the wide audience.
Please visit the link below to complete the process:
[Malicius Link]
Facebook Security
Anybody who falls for it and clicks on the link will be whisked away to a spot where they’re told to submit Facebook login details and the so-called 10-digit “Transferring Code”.
to hack a plane.
That includes potentially gaining information about an aircraft’s onboard computer, changing the intended destination, flashing interior lights, delivering spoofed malicious messages that affect the behavior of the plane, and, just maybe, if pilots don’t manage to turn off autopilot and/or have difficulty with manual flight operation, crashing the plane.
These are theoretical exploits demonstrated by Hugo Teso, a security consultant at n.runs AG in Germany, who gave a talk about his research at the Hack in the Box conference in Amsterdam on Wednesday.
Of course, Teso hasn’t tried any of this out on real planes, given that there aren’t many planes lying around waiting for people/plane/landscape annihilation, which would, at any rate, be illegal and amoral.
Rather, he conducted his research on aircraft hardware and software he acquired from various places.
That includes equipment from vendors offering simulation tools that use actual aircraft code and from eBay, where he found a flight management system (FMS) manufactured by Honeywell and a Teledyne Aircraft Communications Addressing and Reporting System (ACARS) aircraft management unit, according to Network World.
According to Help Net Security’s Zeljka Zorz and Berislav Kucan, Teso’s demonstration shed light on “the sorry state of security of aviation computer systems and communication protocols.”
Teso created these two tools to exploit vulnerabilities in new aircraft management and communication technologies:
• An exploit framework named SIMON, and
• An Android app named, appropriately enough, PlaneSploit, which delivers attack messages to the airplanes’ FMSes.
The two vulnerable technologies Teso exploited with these tools:
• Automatic Dependent Surveillance-Broadcast (ADS-B), a surveillance technology used for tracking aircraft that will be required on the majority of aircraft operating in US airspace by Jan. 1, 2020, and
• The Aircraft Communications Addressing and Reporting System (ACARS), a protocol for exchanging short, relatively simple messages between aircraft and ground stations via radio or satellite, which also automatically delivers information about each flight phase to air traffic controllers.
According to Help Net Security, Teso abused these “massively insecure” technologies, using the ADS-B to select targets.
He used ACARS to siphon data about the onboard computer and to exploit its weaknesses by delivering spoofed messages that tweak the plane’s behavior.
Drawing on the Flightradar24 flight tracker – a publicly available tool that shows air traffic in real time – Teso’s PlaneSploit Android app lets the user tap on any plane found within range. Outside a virtual testing environment, that range would be limited by the antenna in use, among other things.

The application has four functions: discovery, information gathering, exploitation and post exploitation.
According to Help Net Security, these are some of the functions Teso showed to the conference audience:
• Please go here: Allows the user to change the targeted plane’s course by tapping locations on the map.
• Define area: Set detailed filters related to the airplane, such as triggering an action when a plane is within an area of X kilometers or when it starts flying at a predefined altitude.
• Visit ground: Crash.
• Kiss off: Remove the plane from the system.
• Be puckish: Trigger flashing lights and buzzing alarms to alert the pilots that something is seriously wrong.
Teso has, thankfully and responsibly, refrained from disclosing details about the attack tools, given that the vulnerabilities have yet to be fixed.
In fact, he told his listeners that he has been pleasantly surprised by the receptivity he has met from the industry, with companies vowing to aid his research.
Given Teso’s belief in responsible disclosure, the industry can take steps to patch the security holes before someone with more malicious intent has an opportunity to exploit them.
From the sound of things, this researcher has garnered plenty of media attention but still values aircraft and passenger safety well over fame and glory.
information security to the status of the most crucial factor that should be taken into account in the adoption of new technologies in the IT environment. The conference aims to present IT professionals with the landscape of new threats and how those threats will be addressed effectively through the implementation of specific policies and the use of modern technology.
UTM Buyers Guide gives you everything you need to find the best protection that’s also the easiest to manage.
This guide will allow you to:
- Understand what a modern UTM can do for you
- Compare product features, and know what you need to keep your network secure.
- Ask the right questions of vendors as you consider your options
In the chart published by an independent research firm, which plots the Promise and Fulfillment Indices, you can see and compare how effective some of the most important companies in the computer industry are at marketing and at execution.
A vendor located in the upper-right quadrant of the chart has scored highly both on promise and on fulfilling that promise. By the same criteria, a company in the lower-left quadrant succeeds neither at the level of promise nor at the level of execution.
The Vendor Promise Index is designed to measure marketing effectiveness. It uses four of the fourteen customer evaluation points (Competitive Position, Technological Innovation, the Strategic Vision of the company’s management, and Brand/Reputation), those that relate to ideas and concepts conveyed to prospective customers worldwide before the actual product or service is delivered for use.
The Vendor Fulfillment Index is designed as a measure of execution effectiveness. Here too, four of the fourteen customer rating criteria are used (Performance/Price, Product Quality, Delivery as Promised, and Quality of Technical Support), those that relate to the physical product and service actually delivered and to the customer’s experience of using that product or service.
The size of each circle in the chart also reflects the relative weight of the scores a company received. The intersecting lines show the average score across all companies, including those not shown in the chart. As you can see, Sophos has achieved an excellent score both in marketing and in delivering on everything it promises to its customers.