Monthly Archives: March 2016

Men Place Card Skimmer on ATM Store Machine

Raw Video: Men Place Card Skimmer on ATM Store Machine!

Watch as three men distract the store clerk and place a card (reader) skimmer on the ATM Point-of-Sale…

It only takes a few seconds.

TeslaCrypt ransomware now impossible to crack, researchers say

Victims can either restore files from a backup or, if that’s not possible, pay up.

The latest version of the TeslaCrypt ransomware has tidied up a weakness in previous versions that in some cases allowed victims to recover their files without paying a ransom.

Cisco’s Talos research group found that TeslaCrypt 3.0.1 has improved its implementation of a cryptographic algorithm, making it impossible, for now, to decrypt files.

“We cannot say it loud and often enough, ransomware has become the black plague of the Internet,” wrote Andrea Allievi and Holger Unterbrink, both security researchers with Cisco, in a blog post on Wednesday. “The adversaries are modifying and improving it in every version.”

Weaknesses in earlier versions of TeslaCrypt allowed researchers to create tools, including TeslaCrack, Tesladecrypt and TeslaDecoder, for people to decrypt their files without paying a ransom.

That encryption weakness has now been closed.

“Unfortunately, so far we are not aware of any tool which can do the same for this variant of TeslaCrypt,” the Cisco researchers wrote.

Ransomware schemes have become one of the most common scams on the Internet. The malware encrypts a user’s files, then displays instructions for how victims can pay to obtain the decryption key.

Although ransomware has been around for more than a decade, the schemes have proliferated in the last couple of years, striking consumers and businesses.

Antivirus programs often miss ransomware, as its authors make minor tweaks to the code to avoid security scanning.

Backing up files is the best defense, but the FBI warned last month that cybercriminals are increasingly aiming “to infect whole networks with ransomware and use persistent access to locate and delete network backups,” according to the Security Ledger.

Via: computerworld

Apple Engineers say they may Quit if ordered to Unlock iPhone by FBI

The Apple vs. FBI battle over the mobile encryption case is taking more twists and turns with every passing day.

On one hand, the US Department of Justice (DOJ) is boldly warning Apple that it might compel the company to hand over the source code of its full iOS operating system along with the private electronic signature needed to run a modified iOS version on an iPhone, if Apple does not help the Federal Bureau of Investigation (FBI) unlock the iPhone 5C belonging to one of the San Bernardino terrorists.

And on the other hand, Apple CEO Tim Cook is clear on his part, saying that the FBI wants the company to effectively create the “software equivalent of cancer” that would likely open up all iPhones to malicious hackers.

Now, some Apple engineers who actually develop the iPhone encryption technology could refuse to help law enforcement break the security measures on the iPhone, even if Apple as a company decides to cooperate with the FBI.

Apple Employees to Quit their Jobs

Citing more than a half-dozen current and former Apple engineers, The New York Times report claims that the engineers may refuse the work or even “quit their jobs” if a court order compels them to create a backdoor for the very software they once worked to secure.

“Apple employees are already discussing what they will do if ordered to help law enforcement authorities,” reads the report. “Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created.”

Apple previously said that building a new backdoored version of iOS to satisfy the FBI’s demand would require up to a month of work and a team of 6-10 engineers, naturally Apple’s top software engineers.

However, Apple employees said they already have “a good idea who those employees would be.” They include:

  1. A former aerospace engineer who developed software for the iPhone, iPad and Apple TV.
  2. A senior quality-assurance engineer who is an expert “bug catcher” with experience in testing Apple products.
  3. An employee who specializes in security architecture for the operating systems powering Apple products including iPhone, Mac and Apple TV.

The FBI wants Apple’s assistance to help the authorities bypass security mechanisms on San Bernardino shooter Syed Farook’s iPhone 5C so that they can extract data from the phone.

Given that the San Bernardino case is currently working its way through the courts and that no one is prepared to stand down, the possibility that Apple might have to comply with the orders is probably years away.

Via: thehackernews

Clear desk and clear screen policy – What does ISO 27001 require?

Imagine this scene: an employee at his desk, in an open-plan office, is reviewing on his notebook some data to prepare a report about the last quarter financial results, or the pre-selling performance evaluation of the organization’s newest product. He receives a telephone call from his boss about a quick last-minute meeting, or simply goes on a break to drink coffee, and leaves his desk.

This situation is more common than you can imagine, and may represent a great information risk, because without proper measures, all the information and assets left at the desk by the employee can be accessed, seen, or taken by an unauthorized person. And, if there is an information system left logged on, anyone who has access to the desk can perform activities in the name of the absent employee.

For cases like these, an organization should be prepared to explain to employees and other people handling its information and assets how to proceed properly about information and other material kept in the workspace. ISO 27001, a popular information security framework, and ISO 27002, a detailed code of practice, can provide good orientation, by means of the security control 11.2.9 – Clear desk and clear screen policy. Let’s take a closer look at it.

What is the clear desk and clear screen policy all about?

The clear desk and clear screen policy refers to practices related to ensuring that sensitive information, both in digital and physical format, and assets (e.g., notebooks, cellphones, tablets, etc.) are not left unprotected at personal and public workspaces when they are not in use, or when someone leaves his workstation, either for a short time or at the end of the day.

Since information and assets at a workspace are in one of their most vulnerable places (subject to disclosure or unauthorized use, as previously commented), the adoption of a clear desk and clear screen policy is one of the top strategies to utilize when trying to reduce the risk of security breaches. And, fortunately, most of the practices are low-tech and easy to implement, such as:

Use of locked areas: lockable drawers, archive cabinets, safes, and file rooms should be available to store information media (e.g., paper documents, USB flash drives, memory cards, etc.) or easily transportable devices (e.g., cellphones, tablets, and notebooks) when not required, or when there is no one to take care of them. Beyond the protection against unauthorized access, this measure can also protect information and assets against disasters such as a fire, earthquake, flood, or explosion.

Protection of devices and information systems: computers and similar devices should be positioned so that people passing by have no chance to look at their screens, and configured to use time-activated screen savers and password protection to minimize the chance that someone takes advantage of unattended equipment. Additionally, information systems should be logged off when not in use. At the end of the day the devices should be shut down, especially those that are network-connected (the less time a device is on, the less time there is for someone to try to access it).

Restriction on use of copy and printing technology: the use of printers, photocopiers, scanners, and cameras, for example, should be controlled, by reducing their quantity (the fewer units available, the fewer potential data leak points) or by the use of code functions that allow only authorized persons to have access to material sent to them. And, any information sent to printers should be retrieved as soon as practicable.

Adoption of a paperless culture: documents should not be printed unnecessarily, and sticky notes should not be left on monitors or under keyboards. Remember, even little pieces of information may be sufficient for wrongdoers to discover aspects of your life, or of the organization’s processes, that can help them to compromise information.

Disposal of information remaining in meeting rooms: all information on white boards should be erased and all pieces of papers used during a meeting should be subject to proper disposal (e.g., by using a shredder).

How to implement a clear desk and clear screen policy

According to ISO 27001, control 11.2.9, the main orientation is to adopt a Clear Desk and Clear Screen Policy considering:

  • the level of information (e.g., sensitive or confidential) that would require secure handling
  • legal and contractual requirements that demand information protection
  • identified organizational risks
  • cultural aspects
  • measures that should be adopted to secure desks, devices, and media (as seen in the previous section)

Besides that, an organization also should consider periodic training and awareness events to communicate to the employees and other people involved the aspects of the policy. Good examples are posters, email alerts, newsletters, etc.

And, finally, there should be periodic evaluations about the employees’ compliance with the policy practices (let’s say, two times a year).

Do not be a victim of prying eyes and unauthorized access

A lack of care with a workspace can lead to compromised personal or organizational information. Passwords, financial data, and sensitive emails can be disclosed, impacting privacy or a competitive edge. A lost document containing information about a contract/proposal due date can cause a tender to be lost and a decrease in the expected revenue.

Whether due to accidents, human error, or malicious actions, these negative results can be avoided by the adoption of accessible low-tech measures related to a clear desk and clear screen policy. So, do not wait for these situations to occur before taking action. In this case, the solution’s cost would hardly be an excuse to not act preventively.

Via: advisera

Apple Hires Former Amazon Exec George Stathakopoulos as VP of Corporate Information Security

Fortune reports that George Stathakopoulos, formerly Vice President of Information Security and Corporate IT at Amazon, has joined Apple in the newly created role of Vice President of Corporate Information Security.

Stathakopoulos will report to Chief Financial Officer Luca Maestri and “will be responsible for protecting corporate assets, such as the computers used to design products and develop software, as well as data about customers,” according to Fortune.

“It’s that last part that may be particularly interesting in light of Apple’s ongoing fight with the FBI to maintain the integrity of iOS devices,” notes Mac Observer. “The FBI has gotten a court order forcing Apple to create a new operating system — dubbed GovtOS by Apple — that bypasses security protections in iOS. Apple is fighting the order, and both parties will take part in an evidentiary hearing on Tuesday, March 22nd.”

Stathakopoulos reportedly started his new job last week, but Apple has not announced the hire and declined Fortune’s request for comment.

Prior to the 6 years he spent at Amazon, Stathakopoulos was GM of Product Security at Microsoft.

Via: csoonline

How to make $100,000? Just Hack Google Chromebook.

Yes, you could earn $100,000 if you have the hacking skills and love to play with electronics and gadgets.

Google has doubled its top bug bounty for hackers who can crack its Chromebook or Chromebox machine over the Web.

So if you want to get a big fat check from Google, you must have the ability to hack a Chromebook remotely, that means your exploit must be delivered via a Web page.

How to Earn $100,000 from Google

The Chrome security team announced Monday that the top prize for hacking a Chromebook remotely has now been increased from $50,000 to $100,000 after nobody managed to successfully hack its Chromebook laptops last year.

The top bug bounty will be payable to the first person who executes a ‘persistent compromise’ of the Chromebook while the machine is in Guest Mode.

In other words, the hacker must be able to compromise the Chromebook when the machine is in a locked-down state meant to ensure its users’ privacy.

Moreover, the hack must still work even when the system is reset.

“Last year we introduced $50,000 rewards for the persistent compromise of a Chromebook in guest mode,” the Google Security Blog reads.
“Since we introduced the $50,000 reward, we have not had a successful submission. Great research deserves great awards, so we’re putting up a standing [6-figure] sum, available all year round with no quotas and no maximum reward pool.”

Bug bounties have become an essential part of information security and have been offered by major Silicon Valley companies to hackers and security researchers who discover vulnerabilities in their products or services.

Last year, Google paid out more than $2,000,000 in bug bounties overall to hackers and researchers who found bugs across its services – including $12,000 to Sanmay Ved, an Amazon employee, who managed to buy Google’s domain.

So Keep Hunting, Keep Earning!

Via: thehackernews

Microsoft rejoins the browser wars with fledgling Edge extensions

New Windows 10 Insider beta, build 14291, shows small improvements with Edge’s newfound ability to run Chrome-like extensions.

The latest beta of Windows 10, build 14291, brings two worthwhile new Edge features — extensions and pinnable tabs — as well as a greatly improved Map app, a Japanese one-handed kana touch keyboard, and minor changes to the UI for Alarms & Clock.

If you use the Map app, the latest changes will compensate for the disappearance of Here. But for most people, the key change with build 14291 is Edge’s newfound ability to run Chrome-like extensions. Users have been expecting that capability since last November (some of us were hoping to get it last July), and now it’s here. But the implementation is underwhelming at best.

Users who were expecting a Chrome- or Firefox-like experience will be disappointed. Someday you’ll be able to pick up Edge extensions in the Windows Store, but for the time being you will have to download them from a developer website and sideload them. The instructions are confusing because the screenshots don’t match the product, and it isn’t clear when to switch from dealing with the download to wrestling with Edge’s Ellipsis icon. (Tip: The Run command is at the bottom, with the downloader; the More command is in the upper-right corner of Edge.)

The new Edge ships with three extensions: a page translator, a mouse gesture overlay, and a port of the Reddit Enhancement Suite (RES makes it easier to absorb even more of Reddit at a glance). Each extension works in unique ways.

Microsoft’s Mouse Gesture extension adds right-click navigation to Edge: right-click and swipe down to move the page down, right-click and swipe left to go to the previous page, and many more. You can put a Mouse Gesture icon on your address bar: After sideloading the extension, click on the Ellipsis icon, then Extensions, pick Mouse Gestures, then slide “Show button next to the address bar” to On. Once the button is on the address bar, you can click it and customize the actions taken with any specific gesture.

Once the Microsoft Translator extension is installed, the icon appears next to the address bar whenever you venture to a non-English site. Click on the Translator icon and the whole page is translated. In my experiments with the Thai language, I was pleasantly surprised to find that the Microsoft Translator translation is considerably better than the Bing translator in side-by-side comparisons.

The RES extension automatically kicks in RES whenever you go to the Reddit website. I can’t find a way to change that behavior, short of uninstalling the extension. I didn’t see any difference between the new RES in Edge and the old RES in Chrome, although Microsoft lists four known bugs in the downloaded readme file. This is the only extension of the three that was developed by a team outside Microsoft.

Via: infoworld

LastPass Brings 2FA to Everything

LastPass makes two-factor authentication easier, Apple Watch saves heart attack victim, Instagram jumbles up your feed, YouTube was originally an online dating site, and Siri helps the Cookie Monster bake cookies.

LastPass Takes 2FA Mainstream


LastPass, which is already responsible for one of the best and most popular password managers on the market, has released a new app called LastPass Authenticator. As its name suggests, this app is all about two-factor authentication (2FA), which adds an extra layer of security beyond the humble password.

LastPass Authenticator is a standalone app which makes it easy to add 2FA to a multitude of different accounts. Two-factor authentication is usually achieved through a code being sent to your smartphone, and LastPass Authenticator offers that alongside automatically generated passcodes and automated push notifications.

While this is meant primarily for LastPass users, it can also be turned on for any service or app that supports Google Authenticator or TOTP-based two-factor authentication, which includes Facebook, Microsoft, and, of course, Google. LastPass Authenticator is available for free on Android and on iOS.

Via: makeuseof

ProtonMail Announces Open Registration After Leaving Beta

ProtonMail, a Switzerland-based encrypted email service, has announced that it will be leaving beta and that it is now accepting open registrations for the first time in two years.

A group of scientists who met at CERN and MIT first created the email service back in May 2014. Since then, the company has raised $500K in crowd-funding, a record when it comes to software technology, and it has received $2 million in financing from a number of different entities including the government of Switzerland.

ProtonMail features end-to-end encryption, which makes it difficult for governments and other prying eyes to gain access to user messages. ProtonMail co-founder Dr. Andy Yen feels it is this feature that makes the email service an integral component in the fight for email users’ security and privacy.

“Strong encryption and privacy are a social and economic necessity, not only does this technology protect activists and dissidents, it is also key to securing the world’s digital infrastructure,” says Yen in a press release on the company’s blog. “This is why all things considered, strong encryption is absolutely necessary for the greater good.”

Three days after ProtonMail first launched, it instituted a waiting list after it began receiving requests for 10,000 new usernames a day.

Even so, the reputation of the service has continued to grow, with the email service even being featured on the American television show Mr. Robot.

This reputation attracted the attention of bad actors in the fall of 2015 when ProtonMail experienced two sustained distributed denial-of-service (DDoS) attacks.

Though the email service was forced to go temporarily offline, Alex Rosier, Head of Communications at ProtonMail, explains that the DDoS campaigns only made the company stronger.

“With the support of our user community which raised over $50,000 in 3 days, we were able to successfully defeat the DDoS attack against us, which was one of the largest in Europe, even impacting the Internet in distant places like Moscow,” Rosier notes in an email to The State of Security. “The DDoS attacks did not manage to do permanent damage to ProtonMail, and we have learned from the experience to greatly strengthen our infrastructure.”


Via: tripwire

American Express Warns Customers of Third-Party Breach

American Express is notifying some customers that their card member information may have been compromised, including names, account numbers and expiration dates.

The global payments and travel company, also known as Amex, reportedly filed a notice to customers with the Office of the Attorney General in California on March 10, 2016.

Signed by American Express Chief Privacy Officer (CPO) Stefanie Ash, the notice explained that the corporation became aware that a certain third-party service provider, which engages with numerous merchants, experienced unauthorized access to its systems.

“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” said Ash.

The company noted it is “vigilantly monitoring” customer accounts for fraud, and told customers they would not be held liable for fraudulent charges, should they occur.

The notice stated customers could receive more than one letter regarding the incident if more than one of their American Express Card accounts were affected.

Cardholders are also advised to carefully review their account statements and sign up to receive instant notifications of potential suspicious activity.

Amex did not disclose details on the number of records compromised or the third party involved.

“Especially in today’s environment, we understand that your security is paramount,” said Ash.

“We are strongly committed to protecting the privacy and security of your information and regret any concern this may have caused you. As always, thank you for your trust in us, and for your continued Card Membership,” read the notice.

Via: tripwire