Monthly Archives: February 2014

More Damage Uncovered in Las Vegas Sands casino website hack and defacement


A cyber breach of Las Vegas Sands that caused a six-day website outage appears to have done far more damage than the casino operator previously realized.

Hackers who took credit for the cyber-attack posted images online that suggested the intrusion was carried out by politically-motivated hackers, or hacktivists, angered by Las Vegas Sands CEO Sheldon Adelson’s close ties to Israel. The images also showed the hack compromised some employee data, including Social Security numbers and email addresses.

However, an 11-minute video posted on YouTube also appears to show the attack uncovered the passwords for administrator and slot systems and information from players at the Sands casino in Bethlehem, Pa., according to published reports. The video has since been removed from Google’s YouTube.

“We have now determined that the hackers reached at least some of the company’s internal drives in the U.S. containing some office productivity information made up largely of documents and spreadsheets,” a Las Vegas Sands spokesman said in an emailed statement. “We have seen the video and are continuing to investigate what, if any, customer or additional employee data may have been compromised as part of the hacking.”

In response to the hack, Sands Bethlehem offered all employees free credit monitoring and identity theft protection services.

The intrusion was first revealed last week, preventing guests from using the websites of certain casinos, including the Venetian and Palazzo casinos in Las Vegas and the company’s casinos in Singapore and Macau. Online access was not restored until Monday and the company’s e-mail system was restored last Friday.

Sands said it continues to believe that the company’s “core operating systems have not been impacted.”

It’s not clear who carried out the cyber-attack on Sands, but law enforcement agencies are investigating. The casino operator said it continues to work with state and federal officials as well as outside experts to “determine the identity of the hackers and the overall extent of the hacking.”

Images posted online last week included comments critical of Adelson, the casino giant’s billionaire CEO.

“Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime,” one message read, signed by the “Anti WMD Team.” The message also included a picture of Adelson hugging Israeli Prime Minister Benjamin Netanyahu.

The comments appeared to be in response to remarks made by Adelson last year suggesting a nuclear bomb should be dropped on the Iranian desert in order to facilitate negotiations over the country’s nuclear program.

The Sands breach follows a number of high-profile cyber infiltrations in recent months, including attacks on retailers Neiman Marcus and Target.

The Target breach compromised 40 million payment cards and has cost banks and credit unions more than $200 million, according to estimates from trade groups.

 

via: foxbusiness

 


How to keep your Millennials happy

Managing Gen Y employees requires flexibility and patience.

The much-anticipated wave of Millennials is upon us, with their addiction to social media, their attachment to consumer devices and their merging of work and personal lives.

In fact, Millennials or Generation Y make up more than a third of the U.S. workforce and are quickly moving into management ranks, according to a recent Ernst & Young study. So, what have we learned about managing Millennials, particularly when it comes to IT?

In a nutshell, Millennials are associated with the following work behaviors and mindsets:

  • A collaborative approach to work.
  • The expectation that their opinions count, despite existing hierarchy.
  • Use of consumer-oriented technologies in the workplace, such as apps, mobile devices, social networking.
  • Inclination to work anywhere/anytime rather than set, on-site work hours.
  • The desire to be involved with a mission that’s meaningful to them.

“They are more willing to challenge the norm and look for better ways to do things, but I have also seen some of them who seem to have a sense of entitlement,” says Samuel Satyana, mobile wallet platform architect in the North America region at Ericsson.

Tim Elkins, CIO at Prime Lending, agrees. “One story that comes to mind is when an entry-level employee who had been at the company less than three months found herself in a disagreement with a vice president in technology,” he says. “Instead of going to her manager for guidance and resolution, she confronted the vice president. Despite the obvious hierarchy, she felt she deserved to be heard and respected.”

“They are completely different from their Gen X peers,” agrees Michael Kirven, CEO and founder of IT recruiting firm Mondo, where 80% of employees are Millennials. “I’ve had to make myself more adaptable to attract and retain these folks.” Since they’ll be the majority of the workplace in 10 years, Kirven says, “You can either adapt now or later, but everyone will have to.”

Here are four ways that employers can adapt to the new world of Millennials.

1. Enable Collaboration

No.1 on Kirven’s Millennial to-do list was to eliminate private offices in response to the flat infrastructure and “open” environment preferred by the new generation. “They want to be able to shout out questions they might have and get immediate feedback,” Kirven says. “It’s not the standard protocol of e-mailing the boss and waiting for a response.”

To support their collaborative style of work, Mondo has also implemented Salesforce.com’s Chatter platform, as well as Google Chat, to enable communication across national offices. “Right now, I have 15 chat windows open,” Kirven says. “I can go all day and my phone won’t ring once. It’s a dinosaur sitting on my desk.”

Elkins is also considering new collaboration and chat platforms to support this Millennial preference. “We know that our customers, business partners, and employees are social and collaborate outside of work, and we’re working to figure out how to foster that collaborative nature in-house,” Elkins says. Internally, Prime Lending is using Chatter and Cisco’s Jabber for instant messaging. The company is also building a mobile app for its customers and partners to support better external collaboration and transparency, as well.

2. Facilitate the free flow of ideas

Beyond peer collaboration, Millennials also expect to freely share their ideas with higher-ups in the organization, Kirven says. And while not all of these opinions are worthwhile, he says, he has adjusted his own workstyle to ensure he is available to hear them out. “If I listen to eight bad ideas, I’ll get two good ones out of 10, and it might also increase retention,” he says. “When I’m in any of our offices, I plan on doing basically no work in the traditional sense. They don’t have traditional barriers — they just storm in, but it’s OK; I’ve had to adapt.”

One area where Kirven encourages ideas and opinions from Millennial workers is employee benefits. Mondo set up a cross-functional committee to brainstorm benefits they would like to see implemented and then pitch these ideas to the executive staff. One of the committee’s most successful ideas was for Mondo to help pay down employees’ student debt (or for an MBA degree) after one year of tenure.

“The group felt empowered, and the innovation happened from within, which is where it should happen,” Kirven says. “If I can keep someone an extra two years because we’re helping to chip away at their student debt, that sounds great to me,” he adds.

Even while giving Millennial employees lots of airtime, Kirven also has to manage their expectations for moving quickly up the organizational hierarchy. “They have a tendency to want a lot in a really fast timeframe in terms of promotions and more responsibility, and they get impatient if it’s not given to them,” Kirven says. “So part of our job is to govern that by trying to slow them down just a touch and let them know a bigger title and team doesn’t mean you’re more successful and that there’s plenty of time for all that.”

3. Accept the blending of work and life

At Prime Lending, Elkins has noticed the Millennial tendency to operate from an “anytime/anywhere” standpoint. “They’re checking e-mails constantly, regardless of location,” he says. “Work is part of their life and is not necessarily separate.”

This means it’s just as natural for a Millennial employee to conduct personal business at work as it is for her to work at any time of day or night at home. “I could send anybody in the company an e-mail at 11:30 p.m. on a Sunday night, and I’ll get a response in a minute,” Kirven says. “It has nothing to do with the fact that I’m CEO – it’s just their culture.”

The workplace at Mondo has increasingly incorporated elements of private life into the office, Kirven says, including in-office yoga classes and end-of-day beer breaks. “They might take the class from 6:00 to 7:00 p.m. and then jump back on their computers and work from 7:00 to 9:00,” he says. “It’s just one life to them, with personal and business rolled into both, and you can’t draw rigid boundaries,” he says. “I remember the first time I saw someone wearing earbuds while they were working, and I asked, ‘How can you concentrate?’ But now, every single one of them does it.”

At the same time, managers need to apply a filter, Kirven says, such as, “No, you can’t take a 2.5-hour nap in the middle of the day while you’re getting your feet massaged.” And at the company’s 15-minute daily stand-up morning meeting, no one is allowed to bring a phone. “It captures everybody’s attention, but it’s no longer than 15 minutes, so no one starts to drift off,” Kirven says.

4. Recalibrate retention expectations

Even after making workplace changes that suit the Millennial style, businesses still can’t be assured they’ll stick around for very long. According to the U.S. Bureau of Labor Statistics, the tenure of employees aged 20 to 34 is just 2.3 years, compared with the average tenure of all U.S. workers, which is 4.6 years. To Kirven, that’s just something he takes in stride.

“If I can get three to four years of highly productive, positive work from them, great, and when they get tired of working here, I’ll introduce them to people,” he says.  His logic is that if they enjoyed working at Mondo, they’ll function as ambassadors wherever they go. Kirven is even considering developing an “alumni hall of fame” that celebrates where ex-employees work after leaving Mondo.
“It’s counter-intuitive to the traditional ‘turn off their computer access, show them the door and send them a stern legal letter,'” he says. “But you can’t do that anymore – you need to assume they’ll move on.”

Making changes that are attractive to Millennials can be as easy as considering the ideas that employees generate, Kirven says, and responding with small but frequent tweaks to the current culture. “We like to make changes every quarter because we want an evolving blend of cool stuff that makes Mondo an attractive place to work,” Kirven says. “It just takes listening to what they want and moving the needle toward them.”

Even very traditional companies can take heart, he says. “They don’t care necessarily if you’re Google, Facebook, Mondo, a publishing house or an ad firm,” he says. “What they care is that the company is changing and growing, trying new things and not stagnant. They don’t want to work at a place that will do the exact same thing in two or three years. They want to see you’re trying new stuff and on the cutting edge of whatever vertical you’re in.”

 

Via: networkworld

Corporate Hackers Target Weak Link: the Supply Chain

Hackers gained access to Target’s computer systems through the stolen credentials of a heating and refrigeration contractor. Even as companies spend millions to bolster the security of their networks, the access that necessary outside vendors are given doesn’t get nearly enough attention, several information security professionals say.

The cyber thieves who hit Target Corp. took advantage of a widespread and often overlooked weakness in corporate information security : third-party computer connections that can create a virtual back door to customer information.

Digital links with suppliers, contractors or consultants are essential to run a complex business in the Internet age. Yet, even as companies spend millions to bolster the security of their networks, the access vendors are given doesn’t get nearly enough attention, several information security professionals say.

Hackers gained access to Target’s computer systems through the stolen credentials of a heating and refrigeration contractor. Once inside, the thieves were able to move around and ultimately stole payment card data card or personal information of up to 110 million Target customers.

Given that the typical Fortune 1000 company likely has thousands of active suppliers, hackers have plenty of ways to infiltrate, said Jeff Hall, a security consultant in the Twin Cities for Overland, Kan.-based Fish Net Security.

“I’ve hacked companies through their elevator contractors,” Hall said.

Most companies don’t view third party vendors as a major security threat , said David Kennedy, founder of the security firm TrustedSec. in Strongsville, Ohio. Vendor management, as he describes it, is “extremely loose.”

Security pros consider the supply chain a critical security risk — ranking with the classic employee insider attack and the traditional hack, where an outsider ferrets a hole in a company’s firewall.

“In the modern world, business-to-business connections are the weakest link,” said Brian Isle, founder of the Minneapolis-based cyber security firm Adventium Labs. “The first thing an attacker will do is look at who you do business with.”

One Door Opens Many

Once a skilled hacker gains entry into a company’s network, they frequently can move around even if there’s segmentation such as firewalls with rules that restrict network traffic , said TrustedSec’s Kennedy. “The rest of it is basically wide open,” he said.

Investigations into Target’s hack, one of the largest recorded data breaches in U.S. history, continue. It’s not yet clear how cyberthieves stole the network access credentials from Fazio Mechanical Services Inc., a heating and refrigeration company in Sharpsburg, Penn., first identified by investigative security blogger Brian Krebs at KrebsonSecurity as the point of entry.

It’s also unclear how they moved from vendor access to the point of sale systems in Target’s stores. That’s where malware was discovered that allowed hackers to collect unencrypted card data.

Isle, Kennedy and others encourage clients to run penetration tests, sometimes called Red Teaming, in which expert crews stage hack attacks to sleuth out vendor vulnerabilities to fix so the bad guys can’t get in.

Until now, however, corporate information security efforts have focused more on the insider attack and the traditional outsider hacker, said Greg Brown, chief technology officer of Cloud and Internet of Things at McAfee, a leading computer security company based in Santa Clara, Calif. They generally haven’t been applied to the chain of third parties companies do business with, he said.

Fazio President Ross Fazio issued a statement last Thursday saying his company, too, was a “victim of a sophisticated cyberattack operation.”

“Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” Fazio said.

Citing the ongoing investigations, Target would not discuss its protocol for granting computer access to vendors or what firewalls it built to keep consumers’ credit card and personal data secure .

Target Chief Financial Officer John Mulligan testified in Congressional hearings last week that Target has invested “hundreds of millions of dollars” over the past several years in information security, including segmentation, malware detection, intrusion detection and prevention, and data loss prevention.

Not Enough

Still, it wasn’t enough.

Point of sale systems are particularly vulnerable, TrustedSec’s Kennedy said, because companies typically don’t want to make changes to them, such as adding security enhancements. After all, taking systems down for any length of time can directly affect sales.

“These POS networks are usually Swiss cheese,” Kennedy said. “They’re just terrible.”

McAfee’s Brown said he doesn’t think the industry’s safe-practice guidelines, called the Payment Card Industry Data Security Standards and referred to as PCI, do much to address the data vulnerabilities in a company’s supply chain.

“It doesn’t explicitly call out third-party relationships like we’re talking about,” Brown said.

Bob Russo, general manager of the PCI Security Standards Council, said the guidelines require merchants to use what’s called “two-factor authentication” for all third parties using remote network access to a company’s network, if the access could lead to the area where cardholder data exists. Such login verification requires two out of three things, he said: something you have (such as a smart card), something you know (a password) or something you are (fingerprint or eye scan, for instance.)

Vendors Need Watching

The PCI standards don’t specifically address all vendor connections or require formal vendor risk assessments, Russo said in a written response to questions, but vendor connections should be part of the annual risk assessment companies are required to conduct.

PCI standards don’t require card encryption at the point of sale, which means there’s a millisecond after a swipe when information is out in the open, unencrypted.

“The key message here is to understand the security controls your vendors and business partners have in place when allowing them access to your network,” said Chad Boeckmann, CEO of Secure Digital Solutions in Minneapolis. “I know many big companies conduct those exercises, but sometimes those exercises aren’t conducted frequently enough or they’re not conducted thoroughly enough.”

Cybercrime cost $113 billion in 2013 and exposed 435 million people to information theft, Frank Rosch of the computer security software firm Symantec told the Senate Judiciary Committee in a hearing last week. Targeted attacks on computer systems such as Target’s are expanding, he added.

Isle, at Adventium Labs, says a breach was probably inevitable given the Secret Service’s description of the criminals as relentless, well-organized and sophisticated.

“With unlimited people, time and money, they will get in,” said Isle. “Target may or may not have screwed up, but the people who came at them were good.”

 

 

Via: enterprise-security-today

Worm called The Moon infects Linksys routers

A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor’s E-Series product line.

Researchers from SANS Institute’s Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and were scanning other IP (Internet Protocol) address ranges on ports 80 and 8080. On Thursday the ISC researchers reported that they managed to capture the malware responsible for the scanning activity in one of their honeypots — systems intentionally left exposed to be attacked.

The attacks seems to be the result of a worm — a self-replicating program — that compromises Linksys routers and then uses those routers to scan for other vulnerable devices.

“At this point, we are aware of a worm that is spreading among various models of Linksys routers,” said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. “We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.”

The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie “The Moon,” begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses. HNAP — the Home Network Administration Protocol — was developed by Cisco and allows identification, configuration and management of networking devices.

The worm sends the HNAP request in order to identify the router’s model and firmware version. If it determines that a device is vulnerable, it sends another request to a particular CGI script that allows the execution of local commands on the device.

SANS has not disclosed the name of the CGI script because it contains an authentication bypass vulnerability. “The request does not require authentication,” Ullrich said. “The worm sends random ‘admin’ credentials but they are not checked by the script.”

The worm exploits this vulnerability to download and execute a binary file in ELF (Executable and Linkable) format compiled for the MIPS platform. When executed on a new router, this binary begins scanning for new devices to infect. It also opens an HTTP server on a random low-numbered port and uses it to serve a copy of itself to the newly identified targets.

The binary contains a hardcoded list of over 670 IP address ranges that it scans, Ullrich said. “All appear to be linked to cable or DSL modem ISPs in various countries.”

It’s not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely.

Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.

Ullrich outlined several mitigation strategies in comments to his blog post. First of all, routers that are not configured for remote administration are not directly exposed to this attack. If a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk, Ullrich said. Changing the port of the interface to something other than 80 or 8080, will also prevent this particular attack, he said.

 

Via: csoonline

Toyota recalling nearly 2 million Priuses due to software glitch

The software issues could cause a loss of power in the popular hybrid vehicles.

Toyota is recalling nearly 1.9 million Prius hybrid vehicles around the world in order to fix a software glitch that could damage transistors and cause a loss of power.

Some 700,000 of the Priuses are in the U.S., according to a news release. Another 997,000 are in Japan, 130,000 in Europe and the remainder in other places around the world, according to media reports. Toyota didn’t immediately respond to a request for confirmation of those details on Wednesday.

Toyota plans to tweak software in the Priuses for the motor/generator ECU (engine control unit) and the hybrid control ECU. The current settings “could result in higher thermal stress in certain transistors, potentially causing them to become damaged,” Toyota said. “If this happens, various warning lights will illuminate and the vehicle can enter a failsafe mode. In rare circumstances, the hybrid system might shut down while the vehicle is being driven, resulting in the loss of power and the vehicle coming to a stop.”

Toyota is also recalling about 260,000 2012 RAV4 compact sport utility vehicles, 2012-2013 Tacoma trucks and 2012-2013 Lexus RX 350 SUVs in the U.S., the company said Wednesday.

Toyota will apply an update to skid control ECU software on cars in this recall to fix an “electronic circuit condition” that could cause the vehicles stability control, anti-lock braking systems and traction control function to shut down intermittently, Toyota said. However, in the event of such a failure the standard brakes will still work, according to the company.

No accidents or injuries have been reported in connection with the software problems, Toyota said. The software update will be applied free of charge at local dealers.

 

Via: itworld

Honey, I Lost the Kids! — 6 Tips for Knowing Where Everyone Is with F-Secure Lokki


When was the last time you were late for a date? Or you were not exactly sure where your kids where roaming? Or you were waiting for your friend to show up. This happens weekly and sometimes daily to me; probably to you too. I bet some of you are reading this blog on your phone or iPad — we are carrying these wonderful gadgets with us, they certainly help to make us reachable, sometimes even 24/7, but that doesn’t mean that we’d be in the right place at the right time.

In August last year they launched a free mobile app called Lokki that helps you to know where the people in your life are going. If you know the world of Harry Potter, think about the Marauder’s Map, you see the map and places, and everyone moving on the map. Sounds cool — and a bit creepy. Since we at F-Secure take your privacy seriously, we added a simple button to Lokki so that you can hide your location from others, anytime you want. Kind of like the Marauder’s Map with Invisibility Cloak built-in. How cool is that?

So, how does it work and why should you try it?

1. Lokki is free

You can install Lokki to your phone or tablet, sign up with your email address and start sharing your location with your friends or family members as soon as they have Lokki in their phones. Lokki is a free app and you don’t need to subscribe to any kind of a plan. If you for some reason decide that you don’t want to continue using Lokki, just uninstall the app and it’s gone. No strings attached.

2. iPhone, iPad, Android, Windows Phone — anything goes

There’s some nifty location apps for the iPhone and some time ago Google ramped down their legendary Latitude for Android devices. However, in real life you don’t really select your friends or family members based on the phones they use. Your friend has a glossy iPhone, your spouse has an Android and your kids may have colorful Nokia Lumias running the Windows Phone OS. That’s why we made the Lokki app available for all of these major smartphone platforms. The phone camps do not matter any more, Lokki works across the board. You can get Lokki from the Apple App Store, Google Play and Windows Phone Store.

3. We take your privacy and security seriously

F-Secure is a security software house so we take your privacy and security very seriously. First of all, Lokki complies with the European privacy laws. You can read our privacy policy here. You need to give permission to your kids before they can use Lokki. In the U.S. Lokki complies with the Children’s Online Privacy Protection Act so children younger than 13 years cannot use Lokki in the U.S. By the way, have you ever checked what the age limits are in some of the wildly popular instant messaging or social media apps your kids may be using?

Being a security software house does not mean we make apps for the Big Brothers. You give the permission to others to see your location. Your location in Lokki is visible only to these people, not to the whole world. Lokki is respectfully liberal so you can anytime switch off your location sharing. Also your kids can do that. If you find this to be inconvenient, please do have a discussion about that topic with your family members. It’s good to talk with them anyway!

Lokki does not store or share your location history. We only store your most recent location. Your data is securely stored in our Lokki servers that are physically located in the European Union.

Oh, and by the way, you will not see ads in Lokki and we are not sharing your usage data with any third parties. We also built Lokki so that you cannot share your exact location to Facebook or other social media sites. We were thinking kids here. If you absolutely want to share your location with the whole world, we are sure you can find ways to do that.

4. See dots on a map, or see people and places

We talked to a number of people when developing the initial ideas for Lokki and one of the themes we heard was that quite a many people said they don’t want to see dots on a map, either because they don’t know how to read a map or because their friends are travelling all over the world, and a world map doesn’t really make sense. Therefore, we built Lokki so that you can choose to see either the people dots on a map, or you can create your favorite places in Lokki, and when your friends or family are in these places, Lokki will show that to you. You can choose if you prefer the Map or the Places view or you can jump between these two. It’s your choice.

5. No more lost phones

Hands up who has never lost his or her phone! With Lokki you can easily locate a missing phone or iPad. Even if the battery has died, Lokki will still show you the last known location of the device.

6. It’s all about battery consumption

We’ve used quite a many location sharing apps over the last year or two. Some of them are pretty cool but eventually useless because they are real battery hogs. Our first versions of Lokki were reporting the phones’ location every 5 to 20 minutes to our secure server but we found that to lead to too high battery consumption so in the new 3.0 version of Lokki we redesigned the location reporting. Now Lokki reports the phones’ location when someone in your Lokki circle is asking. You can see your own current and accurate location on your own Lokki screen whenever you have Lokki up and running, but when the Lokki app is not on your phone display, it does not report its location to our servers unless someone else in your Lokki is requesting the location. If the Lokki server notices that you have not been reporting your location in one hour, it’s often because you may have switched off and on your phone, and in the iPhone or Android applications may not automatically start after the phone wakes up, so then we are sending a location wake-up query to Lokki in your phone but we don’t do this more often than once per hour. It does not make much sense to drain the battery to communicate with the GPS satellites if nobody is interested.

 

Via: safeandsavvy

Online love scams flourish around Valentine’s Day

Online dating and romance sites are obviously popular and because of that, regardless of the millions of admonitions to watch out for con artists, they are also a growing favorite of heartless scammers.

Online dating and romance sites are obviously popular and because of that, regardless of the millions of admonitions to watch out for con artists, they are also a growing favorite of heartless scammers.

The FBI notes that these callous criminals — who also troll social media sites and chat rooms in search of romantic victims — usually claim to be Americans traveling or working abroad. In reality, they often live overseas. Their most common targets are women over 40, who are divorced, widowed, and/or disabled, but every age group and demographic is at risk, the agency stated. The FBI said that as of 2012 the average financial loss from these romance schemes is between $15,000 and $20,000. That number is nearly double what it was a decade ago.

The Federal Trade Commission this week wrote: We hear these stories all the time, and they tend to go a little like this: “I met this really nice woman on [fill in the name of the dating site]. Her membership was about to expire, so we switched to email. She’s from the US, but she’s working in [fill in the name of another country]. We connected right away, and we’re planning to meet. But things are a little tight for her right now because of [fill in reason for no money]. So I wired her the money for the ticket….”

You might think that scenario sounds a little too pedestrian perhaps, but the FBI and FTC say it happens all the time. The scammers in fact count on it.

The FTC says scammers create fake profiles to build online relationships, and eventually convince people to send money in the name of love. Some even make wedding plans before disappearing with the money.

So what to do? The FBI and FTC issued these watch items that they say should make you run away if you hear from you prospective date:

  • An immediate request to leave the site. Many online dating sites have protections in place to help protect you from scammers.
  • Love at first sight. Most of us are hopeful people, but wow love based on a profile and a couple of emails? A Hmm. Sure, explore that, but watch out.
  • Any request for money. ANY request. For any reason: plane tickets, visas, a child’s (mother’s, whoever’s) hospital bill, expenses until their ship comes in…. That is a sure sign of a scam. Block and delete them and move along.
  • Any mention of wiring money. If you wire money, it’s gone. Buh-bye. You’ll never see it again.
  • Sends you a photograph of himself or herself that looks like something from a glamour magazine.
  • Claims to be from the U.S. and is traveling or working overseas.
  • Makes plans to visit you but is then unable to do so because of a tragic event.

The FBI noted a recent dating extortion scam, where victims usually met someone on an online dating site and then were asked to move the conversation to a particular social networking site, where the talk often turned intimate. Victims were later sent a link to a website where those conversations were posted, along with photos, their phone numbers, and claims that they were “cheaters.” In order to have that information removed, victims were told they could make a $99 payment — but there is no indication that the other side of the bargain was upheld.

According to the FBI’s Internet Crime Complaint Center (IC3), scammers use poetry, flowers, and other gifts to reel in victims, the entire time declaring their “undying love.” These criminals also use stories of severe life circumstances, tragedies, deaths in the family, injuries to themselves, or other hardships to keep their victims concerned and involved in their schemes. Scammers also ask victims to send money to help overcome a financial situation they claim to be experiencing. These are all lies intended to take money from unsuspecting victims, the IC3 says.

A study from 2011 said perhaps as many as 200,000 people had been victims of online romance scams and the same study says over 1 million people personally know someone who has been scammed by one of these heartless fraudsters.

The online research was conducted by the UK’s University of Leicester found that 52% of people surveyed online had heard of the online romance scam when it was explained to them and that one in every 50 online adults know someone personally who had fallen victim to it. The results confirm the law enforcement belief that this type of crime is often not reported by those affected, in many cases due to embarrassment at having been duped, or through a continuing hope that there will eventually be a genuine romance, the study found.

The romance scam is particularly cruel in that perpetrators spend long periods of time grooming their victims, working out their vulnerabilities and when the time is right to ask for money. “It is our view that the trauma caused by this scam is worse than any other, because of the ‘double hit’ experienced by the victims – loss of monies and a ‘romantic relationship’. It may well be that the shame and upset experienced by the victims deters them from reporting the crime. We thus believe new methods of reporting the crime are needed,” said the authors of the study.

According to the UK’s Serious Organized Crime Agency (SOCA) romance fraud is organized crime, usually operating from outside the UK. Criminal groups make initial contact with potential victims through online dating sites and social networking sites, and will try to move the ‘relationship’ away from monitored online space before defrauding people of what can amount to large sums of money, the researchers said. In some cases, even when victims cannot, or will not, send money, scammers involve them instead in money laundering by asking them to accept money into their bank accounts.

IC3 complainants most often report Nigeria, Ghana, England, and Canada as the location of the many scammers.

 

Via: csoonline

6 failures that led to Target hack

The storyline that a single point of failure allowed a sophisticated attacker to steal millions of card numbers from Target just doesn’t hold up.

A recent edition of the Computerworld Security Daily Newsletter contained no fewer than four articles discussing the data breach at Target, which was first disclosed way back in December. What exactly happened to Target remains a matter of great interest.

What’s being said about the hack is that it was enabled by a single point of failure. The blame is pinned on unstoppable malware on the point-of-sale (POS) systems or, alternatively, on a compromise of an HVAC contractor’s credentials. Either way, Target wants you to believe that the chain was exactly what its name implies: the target of a highly sophisticated attacker.

But the truth is that systematic failures, and not a single point of failure, led to the Target hack. No single vulnerability was exploited. There were vulnerabilities throughout Target’s security architecture that led to the theft of 110 million payment card numbers, along with the personally identifiable information of most of the affected cardholders.

Let’s assume that Target’s assertion is correct and that its network was compromised because its HVAC vendor was hacked. If that indeed led to the theft of millions of card numbers, then it suggests that Target’s network was not properly segregated to allow the HVAC vendor to have access only to required systems. So that was the first failure.

Once the attackers were on the network, they clearly had to perform reconnaissance for an extensive period of time to find systems that would enable the distribution of their malware. That suggests that Target had inadequate or perhaps even no intrusion detection deployed that could identify extensive probing of the network, especially critical network segments where the POS systems reside. That was the second failure.

It appears that the intruders were able to get the malware on the POS systems via Target’s own software distribution system, through worm-like methods of distribution, or by some combination of both. The attackers are thought to have tested the malicious software in a limited distribution, as a proof of concept, prior to wide-scale distribution. Either method should have been detected. Worm-like activity should have been picked up by network monitors. And if the attackers exploited Target’s internal software distribution system, then Target should have had practices in place to verify any additions to the standard software being pushed out. Failure No. 3.

Most POS systems enable whitelisting, which lets only approved software run on the system. Malware introduced to a POS system with whitelisting enabled would be rendered inoperable, even if it hadn’t been picked up by antivirus software. So not enabling whitelisting was the fourth failure.

The criminals had to exfiltrate the information they had garnered out of Target’s network. That incredibly involved process would require the hacking of multiple systems to both store and forward captured information. Target should have had software and processes in place to look for unusual network traffic. Likewise, the hacking of all of the systems used to exfiltrate the data should have been uncovered. Failures five and six.

These are not the only likely points of failures, but they are the most obvious ones.

Retailers targeted in attacks such as the one that hit Target like to claim that they were the victims of sophisticated attackers, with the implication that the attack was somehow unstoppable. But there was nothing particularly sophisticated about the Target attack. The attackers appeared to be persistent and disciplined more than technologically advanced. That is exactly how most attacks are perpetrated.

I have no reason to believe that Target’s technical employees are anything but well intentioned. But not ensuring that a high-level risk and architecture assessment was in place that could look for exactly those points of failure was in itself a failure. I’m not talking about a penetration test, but a thorough assessment of the overall network architecture to look for security vulnerabilities and the best places to install detection tools.

For example, Target should have reviewed the access architecture to verify that vendors were segregated and monitored. Given widely publicized breaches at other retailers, Target should have looked for covert channels with network monitoring tools. And it certainly should have assured the integrity of the POS systems, looking at best practices such as whitelisting software and verifying the applications that are pushed out to those systems.

A company like Target, with billions in revenue, can certainly allocate the appropriate resources to stop an attacker, sophisticated or otherwise. In fact, companies with considerably less in revenue should do the same, since an attack of this nature puts that revenue at risk. But don’t tell us how you are at the mercy of sophisticated attackers when you haven’t covered the basics. Target’s attackers exploited predictable vulnerabilities. They were tenacious and formidable, but they weren’t unstoppable. These attacks should have been detected and prevented.

 

Via: itworld

Comcast, Time Warner Cable reach $45B deal

Comcast and Time Warner Cable confirmed Thursday that they will enter into a $45.2 billion deal to combine the nation’s two largest cable companies, a mammoth proposal that will trigger close scrutiny from federal regulators.

Swooping in to top a competing bid by Charter Communications, Comcast will pay 2.875 of its shares to TWC shareholders. The companies’ respective board of directors have approved the all-stock agreement, which will see all of TWC’s 284.9 million shares acquired at a value of about $158.82 per share. Current TWC shareholders will own about 23% of Comcast’s common stock.

ANY LEGAL ROADBLOCKS? Probably not, antitrust experts say

“The combination of Time Warner Cable and Comcast creates an exciting opportunity for our company, for our customers, and for our shareholders,” said Comcast Chairman and CEO Brian Roberts, in a statement. “In addition to creating a world-class company, this is a compelling financial and strategic transaction for our shareholders.”

BEHIND THE SCENES: How the media deal came together

LOOKING AHEAD: Comcast CEO has vision beyond cable and broadband

CUSTOMER SERVICE: Cable TV customers can’t get no satisfaction

Comcast shares were down approximately 3.2% at $53.47 shortly after markets opened Thursday. Shares of time Warner Cable were up more than 7% at $144.96.

The transaction will generate about $1.5 billion in “operating efficiencies” that will add to Comcast’s cash flow per share. With the shares exchanged, the merger will be tax free to TWC shareholders, the companies noted. The companies expect to close the deal by the end of 2014.

Consolidation in the cable industry has been anticipated in recent years, as pay-TV operators face challenges from content suppliers seeking higher fees and consumers emboldened by new video options online. TWC has had numerous customer service and operational issues that have hampered its reputation, exacerbated last year by its high-profile fight with and decision to drop CBS over retransmission fees.

On Thursday, Comcast sought to frame the deal as one in which customers will benefit from improved technology, enhanced resources and better execution. The combined company plans to bring “a superior customer experience within the highly competitive and dynamic marketplace in which we operate,” Roberts said.

In most U.S. markets, consumers have an option of one cable service provider and/or satellite operators, Dish Network and DirecTV. Comcast and TWC’s service markets generally don’t overlap. But the combined company would serve nearly one-third of the U.S. pay-TV households and have enhanced leverage against cable networks, TV stations and independent content creators that want to be included in its lineup of offerings.

To assuage antitrust regulators, Comcast said it’ll acquire TWC’s 11 million cable TV subscribers but “divest systems serving” about 3 million. It’ll result in Comcast adding about 8 million subscribers in the deal, bringing its subscriber total to about 30 million, it said.

TWC, whose markets include New York City, Southern California, Texas and the Carolinas, has about 15 million total customers, including those with video, data, business services, advertising clients and others that it supports through a partnership with BrightHouse Networks.

“A company of that size would arguably have de facto control of what content could and couldn’t exist in the U.S.,” wrote Craig Moffett, an industry analyst at Moffett Nathanson Research, in a report last year in anticipation of the two companies’ merger. “A programmer that failed to get a distribution deal with Comcast arguably wouldn’t be economically viable.”

Comcast, which owns about 20% of the U.S. pay-TV market, is already the nation’s largest Internet and cable TV provider, but it also owns NBCUniversal, a movie studio and several cable channels.

Critics of the merger were quick to voice their opposition. “It is simply dangerous for a large proportion of our nation’s critical communications infrastructure to be in the hands of just one provider,” said John Bergmayer, senior staff attorney at Public Knowledge, a consumer technology advocacy organization. “If Comcast takes over Time Warner Cable, it would yield unprecedented gatekeeper power in several important markets. An enlarged Comcast would be the bully in the schoolyard.”

In addition to their own “TV Everywhere” platforms, Comcast and Time Warner Cable each have millions of broadband Internet customers, too. The new company might even have the power to sway new technologies developed in networking because of its size, Bergmayer says.

Comcast-TWC could also steer subscribers to their own content, and perhaps away from streaming services such as Netflix. Or it could simply demand more money from Netflix and other services — a concern of many consumer advocates after a federal court struck down the Federal Communications Commission’s open Internet rules last month.

And the combined company will have more clout in making deals for programming from the HBOs and Showtimes of the world. That could, in turn, cause retransmission fees for competitors to go up. “Basically, the deal will give Comcast unprecedented power in the media world,” says Phil Swann, president of TVPredictions.com. “It will be able to dictate terms to both consumers and companies.”

After the deal closes, the combined company’s cable operations, to be led by current Comcast executive Neil Smit, will extend some current Comcast products to TWC customers in key markets, including its cloud-based set-top box and 50,000 video on demand TV titles.

 

Via: usatoday

Windows XP isn’t the only software getting the knife in 8 weeks

Microsoft will also end support for Office 2003 and Exchange 2003.

Microsoft will call it quits not only on Windows XP in less than two months, but will also pull the plug on Office 2003 the same day.

After April 8, Office 2003, which debuted on Oct. 21, 2003, will no longer receive security updates, no matter which flavor of Windows it’s running on.

Although Microsoft has made noise about ditching Windows XP, it has spoken infrequently about Office 2003’s deadline. One of the few places on its website where it has talked about the latter’s end-of-life, or EOL, is here.

“We’re seeing the same kind of pockets as with XP,” said Wes Miller, an analyst with Directions on Microsoft, of Office 2003 users in business. “A lot of people were on holding patterns with XP and didn’t upgrade from Office 2003 to Office 2007.”

Michael Silver of Gartner agreed. “There’s a correlation between the success of Windows and the success of the Office that came out around it,” he said. “Because of Vista, because of the timing, because of the costs, a lot of organizations skipped Office 2007.”

When companies began migrating from XP to Windows 7 — a process that continues even as the former’s retirement deadline looms — they also migrated from Office 2003 to Office 2010, even though a newer version of the latter has been available for more than a year.

“You might say the same [about a correlation] about Windows 8 and Office 2013,” Silver said, adding that uptake for Office 2013 has been slow in enterprises. “It’s because so many organizations are still in the midst of their Windows 7 migration [that they’ve ignored Office 2103]. They didn’t want to change that Windows 7-Office 2010 plan, and decided to continue that.”

But Silver pegged the prevalence of Office 2003 as more than the pockets Miller portrayed. “It’s probably in the 30% to 40% range,” Silver said.

Office 2003’s successor, Office 2007, was bypassed for another reason: Some customers detested its new “Ribbon”-style interface, which was championed by Julie Larson-Green, then with the Office engineering group but subsequently an important executive in the Windows 7 and Windows 8 teams. She is now head of the company’s Devices and Studios, responsible for the Surface line of hardware.

The Ribbon-ized Office 2007, and its follow-ups, Office 2010 and Office 2013, have continued to earn scorn from some long-time users. But the initial criticism about the user interface (UI) change died down much more quickly than that aimed at Windows Vista, which launched around the same time as Office 2007, or the UI complaints aimed now at Windows 8.

With the end of public support, Microsoft will no longer provide security patches for Office 2003. And Microsoft has been aggressively patching Office 2003: In 2013, it released 10 security bulletins for the edition. It has shipped one so far this year.

“But folks don’t worry as much about support for Office as they do for an operating system,” said Silver. “There’s definitely a risk in running Office 2003 [after patches stop] but you can do a lot of things to reduce the risk significantly, such as turning macros off by default.”

The lack of security updates will present special problems to consumers and small business customers running Windows XP and Vista, as the newest editions of the suite, Office 2013 and Office 365, run only on Windows 7 or Windows 8/8.1.

(Large organizations with enterprise and Software Assurance agreements can upgrade from Office 2003 — if they are still running the 11-year-old suite — to any newer Office edition.)

Microsoft no longer sells Office 2007 or 2010, the latest versions that run on XP and Vista, either direct or to distributors, but online retailers still have the latter in stock. Newegg, for example, sells Office 2010 for between $100 and $480, depending on the SKU (stock keeping unit) and whether installation media is included.

Other alternatives include the free Apache OpenOffice and LibreOffice, both of which run on XP and Vista.

Miller pointed out that Office 2003 and Windows XP were not the only pieces of Microsoft’s portfolio to roll into retirement on April 8.

“It’s not just Office 2003, it’s not just the front end but it’s also the back end. Exchange [Server] 2003 also leaves support that day,” Miller said.

As happened to Windows XP and Office 2003, users hung on to Exchange Server 2003, skipping the next edition, Exchange Server 2007. Most enterprises migrated to Windows 7, Office 2010 and Exchange Server 2010 around the same time.

“We’re seeing more Exchange holdouts because [the software] was often installed on Windows Server 2003,” said Miller, referring to the server-side software that leaves support mid-July 2015. “This could end up being a big thing this year and next, because it’s a bigger transition. Some customers are still running Windows Server 2003 on 32-bit hardware, but since that version, it’s been all 64-bit. So they may not have the hardware.”

For Miller, the migration-from-Server 2003 story will be one to watch carefully.

Coincidentally, Microsoft will also stop serving patches to Office for Mac 2011 Service Pack 2 (SP2) on April 8, and require all users of the OS X edition to run Service Pack 3 to receive and install security updates.

 

Via: itworld