Monthly Archives: June 2016

New malware targets Office 365 users

A new “zero-day” malware has been discovered in Australia that affects all of Microsoft’s Office 365 products including Word, Excel, PowerPoint and Outlook.

The malware was discovered by the cyber security company Check Point and came in the form of an invoice sent by email. The attack is designed to catch unsuspecting victims according to security analyst Raymond Schippers who said: “The email sent to Office 365 users via Outlook gives the appearance of an invoice in the form of an Office document. When they go to open it, a message will appear telling people the document was created with a previous version of the software, so they will need to click something to enable the content.”

If a user does click on the message, it will run ransomware that locks all of their files; to unlock them, they will have to make a payment of a few hundred Australian dollars. However, Schippers strongly recommends against complying and advises anyone who has opened the email to close the document and delete it. Afterwards, it will be necessary to restore the computer from a backup if available, or to reinstall the OS entirely, in order to completely remove the ransomware from the system.

This latest malware could be particularly devastating due to how it is designed to trick everyday users into opening a document that appears to be legitimate. Attachments sent from unknown email addresses should always be viewed with caution and should rarely be opened.

Consistently backing up one’s system is an absolute necessity to prevent the productivity loss that could occur from a malware infection.

via: itproportal

Hard Rock Hotel Notifies Customers of Payment Card Breach

Hard Rock Hotel & Casino in Las Vegas is notifying customers of a data breach that may have compromised their payment card details.

In a statement posted on Monday, the luxury resort explains it detected the incident following an investigation into fraudulent activity involving some payment cards used at Hard Rock Hotel & Casino Las Vegas:

“On May 13, 2016, the investigation identified signs of unauthorized access to the resort’s payment card environment. Further investigation revealed the presence of card scraping malware that was designed to target payment card data as the data was routed through the resort’s payment card system.”

The malware is believed to have compromised customers’ payment card data, including their cardholder name, card number, expiration date, and internal verification code.

The resort says that those who used their payment card in certain restaurants and retail stores at the Hard Rock Hotel & Casino Las Vegas between October 27, 2015 and March 21, 2016, could be affected.

The hotel is currently working with law enforcement to support their investigation, payment card networks to notify banks of the breach, and a security firm to improve its digital security going forward.

This is the second time the hotel has experienced a payment card breach in a little over a year, which along with similar incidents at Trump Hotels and Hyatt Hotels points to the fact that attackers are increasingly targeting the hospitality industry.

Zach Forsyth, director of technology innovation at security firm Comodo, clarifies that point:

“Hospitality organizations are ideal targets for the cybercriminal today because they handle highly valuable personal and financial information – the proverbial goldmine for the cyberthief. Large, well-known chains are even more susceptible targets due to the sheer volume of data that they store and share. Unfortunately, many of these companies have antiquated IT security technology in place, which is an easy workaround for the hackers. It’s a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left.”

The Hard Rock Hotel & Casino is urging customers to watch out for suspicious transactions on their payment card records and other statements.

Customers who detect any signs of identity theft should contact the Federal Trade Commission or the Attorney General in their state.

Via: tripwire

IRS hacked again – say goodbye to that PIN system!

In the wake of automated attacks speeding up, the US tax overlords – the Internal Revenue Service (IRS) – has likewise sped up plans to deep-six its repeatedly hacked PIN system.

The IRS on Thursday announced that it’s removed its electronic filing PIN tool (e-File PIN), formerly available on IRS.gov or by toll-free phone call, following “additional questionable activity.”

Additional, as in, on top of 800 identity thefts that had already caused the IRS to suspend the PIN system in March 2016 (though it told taxpayers who already had an IP PIN at the time to continue to file their tax returns as they normally would).

The e-File PIN, also known as the Identity Protection (IP) PIN, is a supposedly special, strong form of two-factor authentication (2FA) meant to protect taxpayers from ID fraud: a six-digit number that, oddly enough, the US tax authority only sent to taxpayers who’d already been victimized.

Those PINs were for victimized taxpayers to include on future tax returns as an extra layer of security, since cybercrooks had already stolen their taxpayer IDs – i.e., their Social Security Numbers (SSNs).

The idea was that without a valid IP PIN, you couldn’t log in, even if you were a crook armed with somebody’s SSN.

“Great!” we said, as did the vast majority of readers. “Why can’t everybody get one?”

The problem with the PIN retrieval system, presumably, was that it used the same knowledge-based authentication that led to last year’s breach of the agency’s Get Transcript service: a service that allowed taxpayers to retrieve details of their past tax returns.

Applicants had to answer four questions about themselves to get a number, along the lines of “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?”

But scammers can dig out, guess, or buy personal data like that online. That can enable them to get the PIN, with which they then try to file a bogus return.

Even before last year’s Get Transcript breach, a report by the Government Accountability Office pointed out the weaknesses in the PIN retrieval system.

But for whatever reason, the IRS left it in place.

And along with that status quo came an increase, over recent years, in automated attacks from crooks who’ve gone out of their way to get access to innocent users’ online tax submission accounts.

In February, we got wind of the thieves having struck again. This time, they used a list of known SSNs to repeatedly try to access the IRS’s Get My Electronic Filing PIN portal.

At the time, the crooks were after the PINs corresponding to 464,000 previously stolen SSNs and other taxpayer data. The IRS blocked that automated bot, but not before it had successfully grabbed 100,000 PINs.

The Get Transcript tool only reveals the PIN. It doesn’t reveal taxpayer data.

In the statement put out on Thursday, the IRS said that the criminals stole the SSNs somewhere else, and not from the agency. In addition to the SSNs, the crooks also used taxpayers’ names, addresses, filing status, and dates of birth to access the e-File PIN.

After this history of repeated attacks, why didn’t the IRS throw in the towel on the IP PIN after that February attack?

It says that it couldn’t: links to the tool are woven into “almost all” of the commercial tax software products that consumers use to file their tax returns. The IRS said it did, however, add “additional defenses,” including extra scrutiny for returns with e-File PINs.

But recently, the automated attacks sped up. The increasing frequency of attacks only affected “a small number of e-File PINs,” the IRS said. Those attacks were spotted thanks to additional defenses put in place earlier this year, along with backend protections.

The IRS didn’t give details on the beefed-up security measures, but we already know that the procedures running invisibly in the background include looking for improper/repetitive use of IP numbers, for example, along with other measures the IRS outlined last June.

The IRS said that it had already been working with the industry as it mulled pulling the plug on the e-File PIN system later this year.

Scratch that “maybe later this year” timetable. Batten the hatches and arm the torpedoes: it’s happening now.

From the announcement:

The IRS decided to remove the e-File PIN program as a safety measure.

Via: sophos

PunkeyPOS might have already stolen millions of payment card numbers

Experts are continuing to monitor the PunkeyPOS malware in the wild; the threat might have already stolen millions of payment card numbers.

Security experts from PandaLabs spotted a new strain of the PoS malware dubbed PunkeyPOS, which seems to be used by multiple criminal crews in the wild and could likely be part of a malware-as-a-service model.

Experts have classified it as the successor of the NewPOSthings malware family; it is a RAM scraper designed to scan an infected host to steal payment card data.

PunkeyPOS was already active in 2015, when experts from Trustwave discovered the threat while investigating incidents that occurred at a number of organizations.

They noticed that the malicious code implements reconnaissance and hacking abilities, including a keylogger module used to steal user data.


PunkeyPOS traffic is encrypted with the AES algorithm, and the malware is able to infect machines running all current Windows OSs. According to the experts, since its first appearance the threat has already infected many organizations around the US and might have stolen millions of payment card numbers.

The popular investigator Brian Krebs confirmed that the PunkeyPOS variant has already stolen data for over 1.2 million unique payment cards since early April 2016.

“Only about half of the 1.2 million stolen accounts appear to have been taken from compromised CiCi’s locations. The majority of the other Internet addresses that appear in the bot logs could not be traced back to specific establishments. Others seem to be tied to individual businesses, including a cinema in Wallingford, Ct., a pizza establishment in Chicago (the famous Lou Malnatis), a hotel in Pennsylvania, and a restaurant at a Holiday Inn hotel in Washington, D.C.” wrote Krebs.

According to PandaLabs, roughly 200 PoS terminals were infected by this variant of PunkeyPOS, with most of the victims in the US; other cases were observed in Europe, S. Korea and Australia.

“PunkeyPOS runs seamlessly in all Windows operating systems. The cyber-criminal’s plan is to install the malware in POS terminals in order to steal sensitive information such as account numbers, magnetic strip contents (tracks) from bank cards, etc.” reported an analysis published by PandaLabs. 

The malware experts discovered the C&C address through reverse engineering or analyzing malicious traffic. PandaLabs shared a screenshot of the home page of the PunkeyPOS control panel.


The admin panel appears easy to use and allows attackers to monitor the infections and update the threat agent.


The experts believe that the malware was spread anonymously through the internet, for example through phishing campaigns.

“Taking into account how easy it is to sell this information on the black market, and how convenient it is to compromise these PoS terminals anonymously through the internet, we are certain that cyber-criminals will be increasingly drawn to these terminals,” concluded PandaLabs.

Via: securityaffairs

Netflix finally gets picture-in-picture support on iPad

It’s taken quite some time, but Netflix has finally released a version of its application for iOS that takes advantage of the picture-in-picture feature introduced last year with the debut of iOS 9. Available on select iPads, this option lets you continue watching a video on Netflix after closing the app using the Home button or by switching to a different application.

When you do, the video you’re viewing will shrink to a thumbnail. You can also drag this picture-in-picture video around your screen, or resize the viewing window with a pinch gesture.

This way, you can continue to use other apps on your iPad, while still enjoying your Netflix program. You can respond to an email, text a friend, browse Facebook, or do anything else you want to do. And if you want to return to a full-screen view, you just have to tap the video again.

To take advantage of this option, you’ll need to be running iOS version 9.3.2 or higher, and you’ll need to have a supported iPad – either an iPad Pro, iPad Air or later, or an iPad mini 2 or later. (We understand that the feature isn’t currently functional on the iOS 10 developer beta build, however.)

Support for this functionality has been long overdue.

Apple this week just announced its newest version of iOS – iOS 10, which is now in testing. Picture-in-picture mode, meanwhile, was unveiled as part of Apple’s iOS 9 release a year ago. iOS 9 itself debuted to the public last fall. A number of apps have already implemented this alternative viewing option, including Netflix’s rival Hulu, BBC’s iPlayer, WatchESPN, and others. Apple’s FaceTime also supports it. (YouTube, unfortunately, has held out despite implementing other multi-tasking options.)

For those apps that choose to implement multi-tasking features, the results so far have been positive. For example, MLB reported earlier this year that since its rollout of multi-tasking functionality, including also Split View and Slide Over modes, its user base spent 20 percent more minutes per day, on average, watching live video in its app compared with the previous year. Video viewing in total also increased 86 percent to 162 minutes from the prior year, it said.

The impact of adding picture-in-picture mode to Netflix will likely follow a similar course when it comes to video viewing on iPad.

The feature is live now in the updated application on iTunes.

Via: techcrunch

Apple Maps will remember where you parked your car

Apple has yet to confirm rumors it’s building a car but it is aiming to make drivers’ lives a little easier thanks to a new feature coming to Apple Maps in iOS 10 which will help people remember where they parked their car.

The forthcoming parking reminder, spotted by an AppleInsider reader, will automatically drop a pin to locate the car’s stationary location when a journey terminates somewhere other than the user’s home address.

A parked car icon will apparently also show in Apple Maps, along with an option to get directions to the car and an estimated time to get there. There’s also an edit option to tweak the accuracy of the pin drop if needed.


The Apple Maps parking reminder will be treading on the territory of the myriad existing parking reminder/car locator apps already in the App Store, as is often the case with new Apple features.

During its WWDC developer conference keynote earlier this week Apple announced some big changes coming to Maps in iOS 10, including that the app will be opened up to third party developers to allow certain tasks to be performed right from the map, such as booking a restaurant table or hailing a ride via the likes of Uber.

Apple Pay will also be supported within Maps and users will be able to search for a range of services along a particular route. Maps will also be smarter, pulling data from a user’s calendar to automatically suggest a route to the next meeting, for example, as well as pushing nearby suggestions, such as restaurants. So knowing where your parked car is will just be another string to its bow.

Via: techcrunch

Carbonite Resets Users’ Passwords After Password Reuse Attacks

Online backup service Carbonite is requiring all users to change their passwords after it observed password reuse attacks targeting their accounts.

On Tuesday, the company announced the password reset in a statement posted to its website:

“As part of our ongoing security monitoring, we recently became aware of unauthorized attempts to access a number of Carbonite accounts. This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts. Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.”

Carbonite does not specifically mention any companies that might have been attacked, though it is likely referring to the data breaches at LinkedIn, Tumblr, and several others that compromised hundreds of millions of users’ login credentials.

While some users have changed their passwords for those accounts affected by the breaches, many of which occurred several years ago, others have not. Still others have reused their compromised credentials across multiple web accounts, allowing attackers to test the same set of credentials across multiple services.

Those password reuse attacks have already motivated a number of other companies, including GitHub, GoToMyPC, and TeamViewer, to reset their users’ passwords.

Carbonite is urging all users to be on the lookout for an email sent from carbonite@cloud.carbonite.com that leads them to a page where they can reset their passwords.

A list of instructions on how users can complete the password reset process can be found here.

But the online backup service is taking it one step further.

“In addition to our existing monitoring practices, we will be rolling out additional security measures to protect your account, including increased security review and two-factor authentication [which we strongly encourage all customers to use].”

Two-factor authentication will help protect users with an additional layer of security in the event of password reuse attacks.

For tips on how to create a strong password to protect your Carbonite account or other web profiles, please click here.

Via: tripwire

The countries most vulnerable to cyber-attacks: Mapped


50 countries ranked by Rapid7’s National Exposure Index

Rapid7 has identified and ranked the 50 countries most vulnerable to hacking, based on the prevalence of insecure networks and internet channels around the world.

Rapid7 found that Belgium was the most susceptible country based on a “National Exposure Index” of unsafe or potentially vulnerable internet services. The UK was ranked 23rd most exposed, the US 14th and Australia 4th.

Rapid7’s Project Sonar software scans millions of internet channels for vulnerabilities such as unencrypted, plain text services, and by comparing this to more secure ones, can determine the chances of coming across an at-risk channel.

Channels that are not encrypted are not necessarily passing sensitive data, but many are likely to be, so their prevalence at a national level is a good indicator of how secure the internet is in each country. By identifying vulnerabilities at the IP address level, the researchers were able to identify what country they are in.

Rapid7 warned that the world’s biggest economies would face “dire consequences” if the current state of affairs continued, as the rise of the internet of things creates billions of new connections.

The vulnerabilities measured by Project Sonar included out-of-date email encryption and server ports that expose databases directly to the internet rather than being locked. In Belgium’s case, 31 per cent of systems or devices had at least 30 ports exposed. Unencrypted ports mean people snooping on a network can possibly gain access to private information.

“In the days when the internet was a shared resource among a very few academic and military institutions, exposing databases and connecting directly to them across the internet made some sense,” the report’s authors said. “However, even in a case where encryption and strong authentication is possible, exposing a database directly to the 3.5 billion human internet population is no longer a sensible act.

“These results all speak to a fundamental failure in modern internet engineering. Despite calls from the Internet Architecture Board, the Internet Engineering Task Force, and virtually every security company and security advocacy organization on Earth, compulsory encryption is not a default, standard feature in internet protocol design.”

The most vulnerable countries

  1. Belgium
  2. Tajikistan
  3. Samoa
  4. Australia
  5. China
  6. Hong Kong
  7. Dominican Republic
  8. Afghanistan
  9. South Africa
  10. Ethiopia
  11. Kenya
  12. Gabon
  13. France
  14. United States
  15. Mozambique
  16. Japan
  17. Qatar
  18. Yemen
  19. Russia
  20. Argentina
  21. Maldives
  22. Azerbaijan
  23. United Kingdom
  24. Turkmenistan
  25. Algeria
  26. South Korea
  27. Peru
  28. Nigeria
  29. Turkey
  30. Hungary
  31. Malaysia
  32. Congo
  33. Taiwan
  34. Czech Republic
  35. Bahamas
  36. Latvia
  37. Ukraine
  38. Slovenia
  39. Austria
  40. Croatia
  41. Denmark
  42. Luxembourg
  43. Israel
  44. Macedonia
  45. Pakistan
  46. Cyprus
  47. Germany
  48. Switzerland
  49. Singapore
  50. Vietnam

Via: telegraph

What happens to those free Windows 10 upgrades after July 29, 2016?

We’re nearing the end of Microsoft’s unprecedented free upgrade offer for Windows 10. The offer officially expires July 29, 2016, on the one-year anniversary of the operating system’s initial release. But what happens then?

Microsoft’s ambitious plan to get Windows 10 running on a billion devices within the next few years depends to a large extent on the success of its free upgrade offer.

When the company first announced the terms of that offer in May 2015, it literally included an asterisk and fine print. Those terms have changed slightly over the intervening months, but one element has remained constant: The offer is good for one year after the availability of Windows 10.

Here’s the actual wording of the offer, as it appears today:

Get the best Windows experience. Ever.

Ready for Windows 10? Qualified Windows 7 or Windows 8.1 devices can upgrade for free. Offer ends July 29, 2016.

The text that appears in the fine print at the bottom of that page has changed slightly over the past year. Here’s how it now reads (emphasis added):


[Image: The fine print on the Windows 10 upgrade offer, as of June 2016.]

Here’s the tl;dr (Too long; didn’t read) version if you don’t want to keep reading:

1. The free upgrade offer ends on July 29 and will not be extended.

2. Any upgrades completed before that date will be valid for as long as the device lasts.

3. There is a possibility that Microsoft will introduce some new upgrade offers after July 29, but don’t count on it.

In fact, Microsoft’s real goal with this upgrade offer isn’t just to get its installed Windows 10 base to a billion. The long-term goal is to help close the books on Windows 7 in an orderly fashion before its extended support commitment ends on January 14, 2020.

Some of those Windows 7 PCs will simply be retired, of course. But what about those that are only a few years old and have more than four years of usable life ahead of them? For Microsoft executives, the prospect that hundreds of millions of PCs will still be running Windows 7 on New Year’s Day 2020 has to bring back unpleasant flashbacks of Windows XP’s messy end.

After nearly a year, Microsoft says a total of 300 million devices are running Windows 10. Many of those, perhaps one-third or more, represent new PCs. Another big chunk represents newer devices originally sold with Windows 8 or 8.1. Windows 10 has succeeded in cutting the share of devices running those versions nearly in half over the past year, and the share of PCs running Windows 8.1 should be in the low single digits by the end of 2017.

But what about Windows 7? As measured by the U.S. Government’s Digital Analytics Program, the percentage of Windows PCs running that version has dropped significantly in the past year, going from 71.1 percent in the first quarter of 2015, before the release of Windows 10, to less than 60 percent at the end of May 2016.

That’s still a lot of Windows 7 PCs, and there’s not much evidence that even the carrot of a free upgrade will be enough to move more than another few percent as the deadline approaches.

Which explains why the offer won’t be extended. In early May 2016, the company made it official. If you want to upgrade a PC from Windows 7 or Windows 8.1 after July 29, you’ll have to pay for the privilege.

There’s plenty of precedent for this, based on past behavior. For Windows 7 and 8, Microsoft offered significant introductory discounts and then ended them on schedule after a few months, with no extensions.

Financially, this decision is unlikely to have much of an impact. Retail upgrades have historically represented a microscopic share of Microsoft’s revenue (see the chart in this article), and most customers who might have been willing to pay for an upgrade will have taken advantage of the free offer by the time the Anniversary Update rolls around.

Asking existing Windows 7 users to pay $99 or more after they’ve spent a year avoiding the free upgrade seems like a surefire way to guarantee that they never upgrade. That significantly increases the risk of an XP-style mess come 2020.

On the other hand, the free upgrade offer never really applied to large businesses that run Windows Enterprise editions. For those customers who also have purchased Software Assurance for those volume licenses, the Windows 10 upgrade offer is, if not free, at least already paid for. The decision of whether and when to upgrade is driven by business needs, not by the cost of an upgrade license.

In the new “Windows as a Service” model, Microsoft says it plans to deliver two or three new releases each year. The Anniversary Update is the first release in the Redstone update series, and it’s scheduled to arrive at more or less the same time that the original upgrade offer ends. Another Redstone feature update is scheduled to arrive in the first half of 2017.

In the last few weeks before July 29, Microsoft will no doubt brag a bit about the success of the upgrade offer so far and encourage holdouts to upgrade. (Remember, the point of the deadline is to add urgency.)

And, of course, the end of this upgrade offer doesn’t eliminate the possibility of a new offer. If not free, then perhaps a discounted in-place upgrade. But an extension of the current offer is not going to happen.

One important date to watch is October 31, 2016. That’s when OEM sales of new PCs with Windows 7 Professional officially end. That means more than three years in which the population of Windows 7 PCs will presumably shrink as old PCs die and are replaced by newer models running Windows 10 (or aren’t replaced at all).

Anyone who has taken Microsoft up on its free Windows 10 upgrade offer before the expiration date has a “digital entitlement” tied to that hardware. That upgrade doesn’t expire.

A few logistical questions remain unanswered. For example, you can currently use a product key for Windows 7, 8, or 8.1 to activate the corresponding edition of Windows 10. Come July 30, Microsoft’s activation servers should stop accepting those keys. But we won’t know until that day comes.

As of that anniversary, Microsoft also says it plans to begin uninstalling its controversial Get Windows 10 software. But there are no plans to remove the Windows 10 download page, which is useful for anyone who needs the Windows 10 bits to do a recovery or a clean install on a machine that already has a Windows 10 license. But will the Upgrade Now button still work without requiring payment upfront?

It would be nice if Microsoft would publish details about how this transition will work, but after watching the company’s communications over the past year, I’m not betting on that.

Via: zdnet

YouTube’s new Director tools allow small businesses to create video ads on their phones

YouTube is launching a new suite of products for advertisers under the umbrella name of YouTube Director. Collectively, these products are supposed to make it easier for businesses (particularly the smaller ones that don’t have their own production capabilities and aren’t going to hire an ad agency) to shoot and edit video ads that can run on YouTube.

One of the new products is a YouTube Director mobile app, which offers the ability to create a video ad directly from your phone. It’s supposed to be usable even if you don’t have any editing experience. For example, YouTube says Woody Lovell Jr., owner of The Barber Shop Club in Los Angeles, used the app to shoot and edit the video below:

Mr. Lovell Jr. shot and edited a video ad by himself, uploaded it to YouTube, and worked with an AdWords expert to run a campaign. As a result, Woody’s business saw an increase in potential customers being able to remember and recognize his ad: his video drove a 73% increase in ad recall among target customers on YouTube, and a 56% lift in brand awareness.

If businesses don’t want to make the ads themselves, YouTube has created a program where it sends professionals to do the shooting and editing, at no extra cost to the business — they just have to spend at least $150 on YouTube ads. (This “onsite” service is currently available in Atlanta, Boston, Chicago, Los Angeles, San Francisco and Washington D.C.)

Or, if they’re trying to promote an app, businesses can just provide the logo, screenshots and other assets, and YouTube will automatically use them to create a video ad.

Via: techcrunch