Monthly Archives: December 2016

Can a Hacker Guess Your Password in Only 100 Attempts?

Making sure that our employees use complex and diverse passwords, both in and out of the workplace, is of vital importance. Not least because large amounts of confidential data can be put at risk by flimsy credentials: ones that are obvious or reused across services.


To demonstrate the need for protection that is strong yet still lets people manage many distinct passwords, a group of researchers has created software capable of guessing passwords in only a small number of attempts. Specifically, given a little of the victim’s personal information, the tool can hit upon the correct password while testing fewer than a hundred possibilities.


It’s called TarGuess and was created by researchers at the Universities of Beijing and Fujian in China and the University of Lancaster in the UK. According to their study, an attacker with sufficient personal information (username, a pet’s name, family members, date of birth, or the destination of the victim’s most recent vacation) has a one in five chance of guessing the victim’s password in fewer than a hundred attempts.


All they’ve done with TarGuess is to automate the process with a tool that scours social networks for personal information that could later be used in its attempts.


Using this tool, the researchers successfully guessed 20% of the study participants’ passwords with only one hundred attempts. More strikingly, the success rate rises with the number of guesses: with a thousand attempts TarGuess recovers 25% of passwords, and with a million the success rate can climb to 50%.


Moving beyond the controversial data breaches of platforms such as Yahoo or Dropbox, the main conclusion that this study draws is that many users’ passwords are not robust enough to withstand this kind of attack. And as if that wasn’t enough, these breaches have brought to light another risk: TarGuess reportedly detected that many of these credentials are used in other services, or at best have many similarities (constituting what they call “sister passwords”).


This investigation demonstrates once again the necessity of controlling what kind of information is published on social networks. An employee that ‘shares’ every moment of their life may be inadvertently helping a cyber attacker to learn their password, putting corporate data at risk.


via:  pandasecurity

Critical PHPMailer Flaw leaves Millions of Websites Vulnerable to Remote Exploit

A critical vulnerability has been discovered in PHPMailer, one of the most popular open source PHP libraries for sending email, used by more than 9 million users worldwide.
Millions of PHP websites and popular open source web applications, including WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla, ship with the PHPMailer library to send email to their users by a variety of methods, including SMTP.


Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

“To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class,” Golunski writes in the advisory published today.

Golunski responsibly reported the vulnerability to the developers, who have patched the vulnerability in their new release, PHPMailer 5.2.18.

All versions of PHPMailer before the critical release of PHPMailer 5.2.18 are affected, so web administrators and developers are strongly recommended to update to the patched release.


Since The Hacker News is the first outlet to report the vulnerability following Golunski’s advisory, and millions of websites remain unpatched, the researcher has withheld further technical details about the flaw for now.

However, Golunski has promised to release more technical details about the vulnerability in coming days, including a proof-of-concept exploit code and video demonstration that will show the attack in action.

We will update this article with additional information on the PHPMailer vulnerability, exploit code and video demonstration, once the researcher makes it public.

Update: Exploit Code for PHPMailer RCE Released


Golunski has released Proof-of-Concept (PoC) exploit code for PHPMailer remote code execution vulnerability.

“A successful exploitation could let remote attackers gain access to the target server in the context of the web server account which could lead to a full compromise of the web application,” Golunski said.

You can find exploit code here.


via:  thehackernews

Chipped Cards Can Help Stem Fraud, But Don’t Stop It Entirely

By now you probably have received a small gift from your bank or credit-card company or both: a card with a visible little chip embedded in the plastic. This is the year we’ve welcomed them into our financial lives, but have they solved every problem? Not quite, and not for travelers.


Previously, we swiped cards that had only a magnetic stripe. Those cards were an easier target for thieves, who could steal and duplicate sensitive financial information. Several large merchants suffered enormous problems.


Chipped cards, also known as EMV (for Europay, Mastercard, Visa), are standard in many countries and were designed to address credit-card fraud. A code that’s unique to the transaction changes each time, reported in its FAQs about the cards.


That’s important, because credit-card fraud in 2015 totaled more than $21 billion worldwide, about $8 billion of that in the U.S., according to the Nilson Report, which covers payment systems.


Enter the EMV. It isn’t swiped like the old striped cards; it’s dipped, which usually means inserting the card in the “reader” for about 15 seconds until a grating beep bids you remove it. The “liability shift” — that is, making merchants who don’t accept chipped cards responsible for fraud, not the credit-card company — took place Oct. 1 in the U.S.


When we say “liability,” you should understand that it’s not yours. “Consumers are never liable for fraud,” said Sean McQuay, a credit and banking expert with a financial advice website. “That’s the really good news.”

But McQuay noted that EMVs don’t completely solve fraud issues, and that’s important for travelers to know.


There are, he said, three kinds of fraud:

— Duplication fraud. With magnetic stripe cards, thieves copied the information, but the chip makes that less likely.

NerdWallet reported that such fraud dropped by nearly two-thirds when Britain introduced chipped cards more than a decade ago.


— Stolen card. Chipped cards from most U.S. issuers generally don’t solve that problem. Abroad, cards are often used with a personal identification number. In the U.S., a signature is required; a PIN is less common. Of course, a PIN can be stolen by a thief crafty enough to look over your shoulder (then he or she would have to grab your card), but a signature is fairly easy to fake.


— Online fraud. “EMV has nothing to do with that,” McQuay said. And that may be the biggest issue for travelers, who accounted for more than half a trillion dollars in online travel-related purchases in 2015. If you’re a traveler who pays for hotels or airline tickets online, be especially careful.


In Britain, fraud for what’s called “card not present” transactions increased 120% from 2004 to 2014, NerdWallet reported, adding, “It’s likely that a similar trend will occur in the U.S. after the EMV liability shift.”


Again, you’re not liable, but fraud can be inconvenient. About $600 in airline tickets showed up recently on my everyday “go-to” chipped charge card, which I use for online purchases. The card company alerted me immediately and the card was canceled, a new card was sent and the accounts I regularly pay (I like collecting airline miles by paying, say, the cellphone bill online) were notified.


All good but for this: The new card was sent to my home. I was traveling. Fortunately, I had other cards with me. Rule No. 1: Carry at least one extra card and maybe two. (You might tuck a second card in a secret place just in case of physical theft.)


Second problem: Not every merchant got the memo about the change in my account number. That took a few phone calls to straighten out. Rule No. 2: See Rule No. 1.

As for online purchase safety, “The advice hasn’t changed,” McQuay said.


— Watch out for websites that feel “skeevy,” he said. “If you feel uncomfortable during the checkout process, go to another store.”


— Use a known payment system. If you’re a user of PayPal or Amazon, for instance, and those are options at checkout, that may be a solution when you’re not familiar with the site, he said.


— Monitor your credit-card bill. You generally have 60 days to dispute a charge, but the earlier you catch it, the less likely the bad guys (or gals) will catch on to the vulnerability of your card info.


Credit and debit cards provide great freedom, but there’s a small price to pay for that freedom. Just make sure you don’t unwittingly overpay.


via:  enterprise-security-today

No Signal: Egypt blocks the encrypted messaging app as it continues its cyber crackdown

After a week of blocking the secure messaging app Signal in Egypt the service is back online thanks to new features added by its parent company Open Whisper Systems.


Last week Egyptian users raised the alarm about their inability to access the highly encrypted app popular among activists, including important whistleblower Edward Snowden.


Egypt has been increasingly tightening controls on speech all year, and the move against Signal is just the latest attempt to stifle dissent and impede open journalism.


“Signal is important as a means of secure communications without third parties knowing who I’m contacting,” said prominent Egyptian blogger and Global Voices board member Mohamed ElGohary.


ElGohary was one of the first activists to report the lack of access on Twitter.


“I was trying to message a friend on Signal, and it said ‘unable to send’. I tried other friends, same issue. The failing to send also happened on another ISP. When I tried to use it on VPN, it worked. So I concluded that something happened in the scope of Egypt,” ElGohary told TechCrunch.


The app, available on iOS, Android and desktop, uses built-in end-to-end encryption to prevent third parties (like governments) from seeing the content being sent. It is popular among Egyptian activists and journalists for protecting their sources.




Egypt has blocked other VoIP apps such as Skype and WhatsApp before, but these for-profit communications services didn’t offer quite the same level of encryption and privacy features as Signal.


Other countries in the Middle East and North Africa (like Morocco) have also limited access to anonymous messaging services and Turkey in recent days has blocked social media in light of the recent assassination of the Russian ambassador.


“These disruptions are not uniform and the causes behind them are not clear,” said Rasha Abdulla, professor of communications at American University in Cairo, who authored a book on the internet in the Arab world. She uses Signal herself and was able to access the app when other users could not.


The Ministry of Communications & Information Technology has not confirmed or denied its block of Signal. TechCrunch reached out to the ministry several times to no avail.


With the recent targeting of Signal, security fears have been raised over what the San Francisco-based service provider Open Whisper Systems has termed “censoring access.”


In a status update for the app, Open Whisper Systems listed “support for censorship circumvention in Egypt and the UAE” as a new feature, implemented using domain fronting.


“The idea is that to block the target traffic, the censors would also have to block those entire services. With enough large scale services acting as domain fronts, disabling Signal starts to look like disabling the internet,” according to a technical note issued by the company.
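To make the mechanism in the company’s note concrete, here is an added example (mine, not Open Whisper Systems’ code) modelling what each party can see in a domain-fronted connection. It builds a minimal TLS ClientHello, parses the cleartext server name the way an on-path censor would, and reads the Host header that the fronting service routes on; the inner HTTP request is shown in the clear only for illustration, since in a real connection it sits inside the encrypted TLS stream. The domain names are placeholders under the reserved .example TLD, and the ClientHello is reduced to a single cipher suite and one extension.

```python
import os
import struct
from typing import Dict, Optional


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is
    server_name (constructed for illustration: one cipher suite, nothing else)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = server_name
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + os.urandom(32)                            # random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
        + b"\x01\x00"                               # compression methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """What an on-path censor can read: the cleartext server name in the ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    if p + 2 > len(hs):
        return None
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000 and hs[p + 2] == 0:      # skip list length, expect host_name
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None


def host_header(http_request: bytes) -> Optional[str]:
    """What the fronting service routes on: the Host header inside the (encrypted) stream."""
    for line in http_request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None


def fronted_connection(front: str, real: str) -> Dict[str, Optional[str]]:
    """Model a domain-fronted request: TLS is opened to `front`, while the inner
    HTTP request (visible only after TLS decryption) names `real`."""
    hello = build_client_hello(front)
    inner = f"GET /v1/messages HTTP/1.1\r\nHost: {real}\r\n\r\n".encode("ascii")
    return {"censor_sees": parse_sni(hello), "front_routes_to": host_header(inner)}


def censor_decision(blocklist, record: bytes) -> str:
    """The censor can only act on the SNI, so blocking `real` means blocking the whole front."""
    return "blocked" if parse_sni(record) in blocklist else "allowed"


if __name__ == "__main__":
    print(fronted_connection("cdn-front.example", "messenger.example"))
    hello = build_client_hello("cdn-front.example")
    print("blocklist {messenger.example}:", censor_decision({"messenger.example"}, hello))
    print("blocklist {cdn-front.example}:", censor_decision({"cdn-front.example"}, hello))
```

The second `censor_decision` call is the company’s point in code: the only name the censor can match is the front’s, so the rule that stops the fronted traffic also stops every other customer of that front.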


Authorities famously cut internet access in the midst of the 2011 revolution that toppled 30 years of autocratic rule under former president Hosni Mubarak.





“Attempts to curtail freedom online, whether by blocking content or by user violations, is an obvious way to fight the effect of social media that was demonstrated in 2011 and in the couple of years after. The online world provided a free space for people to discuss and organize in a way that was unprecedented,” Abdulla said.


Digital rights group Privacy International claimed in a report issued earlier this year that at the height of the Arab revolutions Egypt bought surveillance technologies from European companies, including the Italian firm Hacking Team.

The disruption of Signal’s service comes at a time when freedom of expression is regularly curbed. A Facebook page administrator was arrested for “publishing false news” and authorities shut down 163 Facebook pages for incitement to violence.


Egypt has intensified its cyber crackdown under president Abdel Fattah el-Sisi. In recent years authorities have blocked Facebook’s controversial Free Basics program for not allowing it to spy on users, imprisoned citizens for satirical Facebook posts and reportedly used Deep Packet Inspection technology allowing for extensive surveillance of Egyptians’ online activities.


In the wake of the Islamic State (IS) terrorist attack earlier this month on a cathedral in Cairo killing 27 people, Egyptian political parties have renewed calls for parliament to pass a repressive cybersecurity law that can carry the death sentence in some cases.


“Unfortunately, most legislation in the Arab world is done with the intention of control rather than regulation” explained Abdulla of the law’s severity.


“It also places part of the responsibility on ISPs, so that every layer of the society is policing another,” Abdulla said.


via:  techcrunch

Responding to disaster with IoT and SDN mesh

Communication is always important, but during a disaster it becomes paramount.


Hard phone lines are an afterthought, if they’re still standing. If phone lines go down, we’re left with cellular networks that quickly become overloaded.


Indeed, the internet is the backbone of contemporary communications, from email and Twitter to Instagram and WhatsApp. If we suffer an internet outage, we’re at a loss for how to communicate with the connected world.


During the aftermath of the Boston Marathon bombing, which didn’t affect hard phone lines in the area, mobile networks couldn’t handle the surge in activity. One provider went so far as to suggest sticking to texts and emails. I can’t think of anyone who would bother to email during such a crisis. In any disaster, man-made or natural, power can go out, servers can go offline and systems like cellular networks can get overloaded. This communication outage effectively means isolation — the last thing anyone in a disaster zone wants.


When cellular networks and internet infrastructure are impaired, the current solution is to jerry-rig hardware replacements to act as a kind of stop-gap until the infrastructure can be restored to its original state. This approach to communication restoration has several faults, though.


It takes time to implement these provisional solutions. The equipment needs to be transported, deployed and initialized. Until this happens, communications throughout the disaster area are incapacitated.


Even if the deployment is a success, i.e. it was initialized without a problem, the solutions themselves can be faulty. Sometimes the solutions that are deployed interfere with communications more than they actually repair communications. After the Haiti earthquake in 2010, local ISPs restored 90 percent of the network, but NGOs broke the same network by taking over the wireless spectrum.


Even if jerry-rigged solutions do work, they still take time to implement. In a disaster zone, there needs to be an immediate, dynamic and reactive way to communicate when the internet goes down. The solution might be right in front of us — or at least on our wrists.

IoT for disaster communication

The adoption of IoT has led to more than 5 billion connected devices (wearables, sensors, implantables, etc.) in use today. There are varying accounts of how quickly these devices will proliferate, but everyone agrees the number is poised to increase rapidly over the next few years. These devices are perfect candidates to communicate with the outside world in isolated disaster zones.


Low-power IoT devices and sensors have the potential to communicate with each other through Bluetooth, meaning they won’t have to go through the public internet to connect with each other. The possibility exists that these devices can form their own network — a sensor-based network that can, at the very least, provide some basic functionality during periods of extreme network stress.


IoT devices can retain the capacity for low-bandwidth communication in the event that internet and power are cut off to the user, making the devices resilient in a disaster. Because they run on battery power, they aren’t affected by blackouts like many wired communication devices. And broken wiring won’t affect their ability to communicate with other wireless communication devices. While they certainly don’t have staggering amounts of power, they can enable basic communication in a pinch. Bluetooth Low Energy can handle more than 1,100 tweets per second, giving users a way to quickly communicate with a large group of people outside the disaster zone.


Even nodes in the IoT that are exclusively sensors can help in the event of severed lines of communication. Large portions of the IoT are sensors that monitor the environment they’re in. These sensors can be used to relay information about the nature of the disaster, extracting data from temperature and radiation sensors to give responders a better idea of what they’re dealing with. In the event that a wide swath of sensors has been destroyed, that information also gives responders valuable, if harrowing, knowledge.

Using SDN to help IoT in a disaster

The devices that make up the IoT are an eclectic bunch, so managing them effectively is a complex task. The diversity of devices will increase the chances that some will survive, but without a way for them to talk to each other, they’ll be useless. Differences in networking hardware and software need to be overcome, and the only way to do that is to put the data traffic controls in the capable hands of software-defined networking (SDN). SDN separates the data plane from the control plane, and with a standard SDN protocol, IoT devices will be able to communicate with each other, even between disparate devices.


IoT devices need to respond dynamically to the sudden loss of internet access with ad hoc wireless networking. SDN software can be built into these devices so they can search for and re-route through the connectivity they still have. This routing information can be sent to responders as well, so they have a better picture of the communication pathways that remain. The dynamic IoT network can use cell phones as SDN routers: if SDN protocols are programmed into the phones and the devices, a responsive, automated network can meet the needs of its users.


Cell phones and tablets have multiple network interfaces (like Wi-Fi and Bluetooth), so they should be able to bridge gaps between radio technologies. Every device in the disaster zone can be repurposed to form a geo-locating mesh network, funneling data out of (and into) the disaster zone while giving precise locations for the people who need help. The phones and tablets become mobile routers, giving preference to critical information and allowing for the local caching of data, which reduces the load on the (already strained) network.

Mesh networks for disaster relief

IoT has built-in redundancy — it’s basically a mesh network of very low-bandwidth devices. If you lose nodes in the mesh, it will still function, especially with the added direction of SDN routing that optimizes node hopping through the mesh. It’s possible for responders to track the number of nodes and how they’re moving to gain insight into the disaster and how the people in the disaster zone are reacting. All of this applies to low-power IoT mesh networks. For a more robust post-disaster network, software-defined wireless mesh networks might be a more versatile solution.


Mesh networks reconfigure the typical hub-and-spoke model of the internet into a more diffuse method of internet access. This diffusion avoids any single point of failure by allowing the network to dynamically reroute data through the mesh. Multi-hop routing is easy to implement, but the hardware involved is not.
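As an added illustration of the two ideas above (an SDN controller separating the control plane from the data plane, and a mesh that keeps working as nodes disappear), the following example, which is mine and not from the article or any SDN product, models a small disaster-zone mesh. The controller computes fewest-hop next-hop tables and each node forwards using only its own table; when a node is lost, the controller re-plans and traffic takes whatever path remains. The topology and node names are constructed.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple


class MeshController:
    """Toy SDN controller. The controller holds the topology and computes the
    forwarding tables (control plane); each node forwards using only its own
    table (data plane). Constructed for illustration, not a real SDN protocol."""

    def __init__(self, links: Iterable[Tuple[str, str]]) -> None:
        self.adj: Dict[str, Set[str]] = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.tables: Dict[str, Dict[str, str]] = {}
        self.recompute()

    def node_failed(self, node: str) -> None:
        """A node was destroyed or ran out of battery: drop it and re-plan."""
        for neighbour in self.adj.pop(node, set()):
            self.adj[neighbour].discard(node)
        self.recompute()

    def recompute(self) -> None:
        """Fewest-hop routes from every node (BFS), pushed out as next-hop tables."""
        self.tables = {n: self._next_hops(n) for n in self.adj}

    def _next_hops(self, src: str) -> Dict[str, str]:
        parent: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in sorted(self.adj[u]):        # sorted for deterministic tie-breaking
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
        table: Dict[str, str] = {}
        for dst in parent:
            if dst == src:
                continue
            hop = dst
            while parent[hop] != src:            # walk back until src's own neighbour
                hop = parent[hop]
            table[dst] = hop
        return table

    def forward(self, src: str, dst: str, max_hops: int = 32) -> Optional[List[str]]:
        """Data plane: hop by hop, each node consults only its own table.
        Returns the path taken, or None if the destination is unreachable."""
        path = [src]
        while path[-1] != dst:
            nxt = self.tables.get(path[-1], {}).get(dst)
            if nxt is None or len(path) > max_hops:
                return None
            path.append(nxt)
        return path


# Constructed disaster-zone topology: only node A still has a link to the internet.
SAMPLE_LINKS = [("uplink", "A"), ("A", "B"), ("B", "C"), ("A", "D"), ("D", "C"), ("C", "phone")]

if __name__ == "__main__":
    mesh = MeshController(SAMPLE_LINKS)
    print("initial route:", mesh.forward("phone", "uplink"))
    mesh.node_failed("B")
    print("after B lost: ", mesh.forward("phone", "uplink"))
    mesh.node_failed("D")
    print("after D lost: ", mesh.forward("phone", "uplink"))
```

Losing B leaves the phone reachable through D; losing D as well partitions the mesh, and the controller’s tables then simply lack an entry for the uplink, which is the signal responders would use to know where to drop the next battery-powered router.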


Wireless mesh networks need line-of-sight communication pathways, which is why they’re usually deployed on the tops of buildings. It’s possible to use this requirement to our advantage following a disaster. Battery-powered mesh routers can be dropped on top of buildings. Once they’re in place, we can use them to communicate with the ground network of mobile phones and IoT devices. Only a few nodes need to be connected to the internet, so effective deployment comes down to extending the reach of the internet throughout the disaster zone.


The main appeal of a mesh network is its versatility. Network nodes can be nearly any wireless-enabled device, from wireless routers to mobile devices like laptops or smartphones. These networks also can be set up quickly and easily because they don’t require a fixed infrastructure. What this all comes down to is that, in a disaster, people prefer to communicate with the devices they’re accustomed to using. Maybe it’s the comfort factor of a familiar device — we almost always have at least one mobile device on us — but people reach for their mobile phones first when disaster strikes.


After the Tōhoku earthquake in 2011, 50 percent of the photos related to the disaster were uploaded to Flickr in less than 24 hours. The reflex to capture evidence of disaster and inform other people of it has two purposes: it informs people in the area of the risk of staying nearby, but it also helps rescue teams identify particularly affected or precarious regions within the larger disaster zone, which helps them make informed decisions about next steps in the rescue effort.


The general public, equipped with billions of connected devices, is our best weapon to mitigate disaster. The network should evolve with this in mind, injecting SDN protocols into IoT and mobile devices to take advantage of the undulating sea of potential mesh nodes already out in the world.


via:  techcrunch

What is a VPN and How Does It Work?

In simple terms, a VPN, or Virtual Private Network, is an encrypted connection between your computer and a distant server that can join separate networks together as though they were one.


Sounds like boring technical jargon? Well, VPNs can actually be used to perform some pretty neat tricks online that you’ll be missing out on if you don’t employ the services of these privacy-boosting tools:

Safely access a work or home network from far away

VPNs are an essential tool for professionals who travel and have to access important files from a distance. Individuals can use a VPN to access network resources even if they’re not physically connected to the same LAN (local area network).


Why are they perfect for dealing with important data from afar? Well, a VPN is also an efficient and easy way to maintain your privacy when you’re surfing the web. In fact, many experts recommend the use of a VPN when browsing the Internet on a public Wi-Fi hotspot, as it encrypts all the data travelling between your device and the VPN server, putting it out of reach of anyone else on the hotspot.


If anyone tries to pry on your internet activity, all they’ll see is an encrypted connection to the VPN server; the sites you visit and the data you exchange stay hidden from them.
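An added example (not from the article) that simulates what an eavesdropper on a hotspot sees with and without a VPN. It wraps a packet, original headers included, in an authenticated and encrypted payload addressed to the VPN server, and unwraps it at the server. The addresses, key and request are constructed, and the HMAC-based stream cipher stands in for the AEAD a real VPN would use.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Packet:
    src: str        # addresses are plain labels here; the simulation never touches a network
    dst: str
    payload: bytes


def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative;
    # real VPNs use an AEAD such as AES-GCM or ChaCha20-Poly1305).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None if the blob was tampered with or the key is wrong."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    if len(blob) < 28:
        return None
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tunnel(inner: Packet, key: bytes, client_ip: str, vpn_server_ip: str) -> Packet:
    """VPN client side: the whole original packet, headers included, becomes the
    encrypted payload of a new packet addressed to the VPN server."""
    wrapped = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    return Packet(client_ip, vpn_server_ip, seal(key, wrapped))


def untunnel(outer: Packet, key: bytes) -> Optional[Packet]:
    """VPN server side: unwrap, then forward toward the real destination."""
    wrapped = open_sealed(key, outer.payload)
    if wrapped is None:
        return None
    src, dst, payload = wrapped.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def observer_view(pkt: Packet) -> Dict[str, object]:
    """What someone sniffing the hotspot learns from one packet: the destination,
    the size, and the content if it is not encrypted."""
    try:
        readable: Optional[str] = pkt.payload.decode("ascii")
    except UnicodeDecodeError:
        readable = None
    return {"dst": pkt.dst, "size": len(pkt.payload), "readable": readable}


# Constructed sample: a plain HTTP request from a laptop on hotel Wi-Fi.
SAMPLE_KEY = b"\x01" * 32
SAMPLE_PACKET = Packet("10.0.0.5", "news.example", b"GET /article HTTP/1.1\r\nHost: news.example\r\n\r\n")

if __name__ == "__main__":
    print("no VPN  :", observer_view(SAMPLE_PACKET))
    outer = tunnel(SAMPLE_PACKET, SAMPLE_KEY, "10.0.0.5", "vpn.example")
    print("with VPN:", observer_view(outer))
    print("server unwraps:", untunnel(outer, SAMPLE_KEY))
```

Note what the observer still learns with the VPN on: the VPN server’s address, the timing and the size of each packet. Note also that `untunnel` runs on the VPN server, which therefore sees everything the hotspot no longer can; a VPN moves trust from the network you are on to the provider you chose.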

Avoid censorship and detection online

A controversial function of the VPN, for sure: they can be used to bypass government censorship anonymously. Whether or not you agree with online censorship, it’s an undeniable fact that certain websites are blocked for legal reasons, with almost every government worldwide blocking certain websites within its country.


Meanwhile, the ability that a VPN gives its user to go undetected online has been highlighted in the news recently as police in Holland confiscated 2 servers from VPN provider Perfect Privacy without releasing a public statement.


The German and French governments also want to controversially force mobile operating systems, by law, to allow them to access encrypted content if they deem it necessary in federal investigations.

Watch your favorite shows online wherever you are

Here’s where the fun begins! Many, many people use VPNs purely for entertainment. The reason? Companies like Netflix, YouTube and Hulu use geo-blocking to make some of their content unavailable outside certain countries, owing to legal requirements stemming from content laws that are arguably outdated in this age of free information.


In fact some people argue (though this is only speculation) that, because the content laws are so outdated, recent attempts by companies like Netflix to crack down on VPN usage have been for show. In other words, the streaming giant wants to keep the Hollywood distribution companies that create much of its content happy, while having no real desire to make it harder to access its shows worldwide.


As an example of the numbers, in the US, Netflix offers the full experience of roughly 7000 shows, whereas in the UK slightly more than 4000 are available. Countries that have only been reached by Netflix recently are far behind.


Netflix though, has recently been trying to crack down on VPN usage, whilst also admitting that it is almost impossible to do so effectively.


The company’s Chief Product Officer recently said that “since the goal of the proxy guys is to hide the source, it’s not obvious how to stop VPN Users. It’s likely to always be a cat-and-mouse game.”


Though the streaming company has blocked certain VPN users from accessing the site, providers like ExpressVPN and Buffered VPN claim great success at getting around these measures.


via:  pandasecurity

New Phone or Tablet? How to Secure Your New Devices

This will be only the ninth Christmas on which you could receive a full touchscreen smartphone as a gift, yet smartphone penetration has already reached 81 percent in the UK. And every year people use phones less for talking and more for their internet-connected features. Over 30 percent of users say they make no calls on their devices in a week – up from 4 percent in 2012. And the two-thirds of adults in the UK who have access to a tablet are definitely doing a ton of connecting to the internet.


Mikko Hypponen — F-Secure’s Chief Research Officer — recently coined “Hypponen’s Law”, which states: “Whenever an appliance is described as being ‘smart’, it’s vulnerable.”


Yes, your phone is smart – but it’s also vulnerable. Thus so are you. That’s why you should start thinking about security from the moment you unbox your latest digital treasure.

Here are a few steps you should take to protect your new devices:


Use a strong passcode/password
Obviously, you should pick a passcode to lock your phone that can’t be guessed, even by someone who knows you. So don’t use your birth year, your address or 1234. Better yet, use a password or a passphrase. And make sure it’s one you don’t use anywhere else.


And always use a unique password for all of your important accounts
We’re going to repeat this one because it’s so important: NEVER reuse the passwords you use for your important accounts – especially your email accounts. Let’s say you’re one of the approximately one billion users who had your Yahoo account breached recently. If you’re using that same password for any other account, it may be vulnerable – even if you don’t even remember that you ever had a Yahoo account! Using a password manager makes this much easier.
F-Secure KEY is free on one device, or use LastPass, which is also free.
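Both the TarGuess article above and the two password tips here come down to the same check: does the password contain anything an attacker could learn about you, or anything you already use elsewhere? The following added example (mine, not F-Secure’s or the researchers’ tool) scores a candidate password against a constructed profile of the kind that can be harvested from social networks, plus fingerprints of the user’s other passwords. The profile, the length threshold and the sequence list are assumptions.

```python
import hashlib
import re
from datetime import date
from typing import Dict, FrozenSet, List, Set, Union

# Sequences that turn up in a large share of leaked passwords (short illustrative list).
COMMON_SEQUENCES = ("123456", "12345", "1234", "0000", "1111", "password", "qwerty")

Profile = Dict[str, Union[str, date]]


def personal_tokens(profile: Profile) -> Set[str]:
    """Fragments an attacker could harvest from public profiles: names, the pet,
    the town, and a birth date written in the usual ways."""
    tokens: Set[str] = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens.add(str(value.year))
            for fmt in ("%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
                tokens.add(value.strftime(fmt))
        elif isinstance(value, str):
            for part in re.split(r"\W+", value):
                if len(part) >= 3:              # very short fragments would match everything
                    tokens.add(part.lower())
    return tokens


def password_fingerprint(password: str) -> str:
    """Fingerprint used only to compare passwords for reuse. Stored credentials
    need a slow, salted hash such as bcrypt or Argon2, not a bare SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def password_issues(password: str, profile: Profile,
                    previous_fingerprints: FrozenSet[str] = frozenset()) -> List[str]:
    """Reasons a password would be an easy target for personal-information
    guessing or credential reuse. An empty list means nothing was found."""
    issues: List[str] = []
    lowered = password.lower()
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            issues.append(f"contains common sequence {seq!r}")
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            issues.append(f"contains personal detail {token!r}")
    if password_fingerprint(password) in previous_fingerprints:
        issues.append("reused from another account")
    return issues


# Constructed profile of the kind TarGuess assembles from social networks.
SAMPLE_PROFILE: Profile = {
    "name": "Alex Rivera", "pet": "Biscuit", "city": "Lancaster", "born": date(1985, 4, 12),
}

if __name__ == "__main__":
    for candidate in ("biscuit85", "Alex1985Lancaster!", "orbit-cactus-velvet-harbor"):
        print(candidate, "->", password_issues(candidate, SAMPLE_PROFILE) or "ok")
```

The third candidate passes because it is long and shares nothing with the profile; the same string handed in with its fingerprint already in `previous_fingerprints` fails on reuse alone, which is exactly the Yahoo scenario the tip describes.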


Use official apps whenever possible and delete apps you’re not using
Instead of using your browser to access Facebook or Twitter, use the apps for these sites, which have built-in encryption technology. And stick to the official stores of your mobile platform and check user reviews to make sure the apps you’re downloading are safe.


Disable Wi-Fi and Bluetooth when you aren’t using them
Both of these connection protocols make it easier to track you. So protect your privacy and preserve your battery. Keep them off unless you know you’re using them.


Write down your new phone’s IMEI (International Mobile Station Equipment Identity)
If your smartphone is ever stolen and you ask the police to help find it, they will likely ask for your IMEI. It’s unique to your phone (or 3G/4G tablets) and you can likely find it on the phone’s box, battery or in its settings.
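A short added example (not from the article) for the IMEI tip: the last of the 15 digits is a Luhn check digit, so an IMEI you have written down can be validated before the day you need it. The sample number is an illustrative value, not a real device’s.

```python
import re
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, the scheme used for the final IMEI digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def imei_valid(imei: str) -> bool:
    """True for 15 digits (spaces and dashes ignored) with a correct check digit,
    which catches the typical mistyped or misread digit when copying it down."""
    cleaned = re.sub(r"[\s-]", "", imei)
    return len(cleaned) == 15 and luhn_valid(cleaned)


def imei_parts(imei: str) -> Dict[str, str]:
    """Split a valid IMEI into Type Allocation Code, serial number and check digit."""
    cleaned = re.sub(r"[\s-]", "", imei)
    if not imei_valid(cleaned):
        raise ValueError("not a valid IMEI")
    return {"tac": cleaned[:8], "serial": cleaned[8:14], "check": cleaned[14]}


if __name__ == "__main__":
    # Illustrative sample value, written the way it might be copied from a box label.
    for sample in ("49 015420 323751 8", "490154203237519"):
        print(sample, "->", "valid" if imei_valid(sample) else "check digit mismatch")
```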


Set up your photos and videos to back up automatically
Either use the service your mobile platform offers or a third-party so you don’t have to worry about losing the contents of your device, which will soon be more valuable than the device itself.


Put security software on all your new devices
Up-to-date security software is a must on all your devices.
F-Secure SAFE not only protects all of your PCs, Macs, smartphones and tablets; it also includes features like Network Checker, which silently verifies whether your Internet connection is safe, whether you’re at home or on a public Wi-Fi network, and Browsing and Banking Protection, which keeps you from landing on fake banking sites built to steal your private information. SAFE also offers Family Protection, so you can set the same sort of digital boundaries for your kids that you set in the real world.


via:  f-secure

Cyber Insurance Now Critical as Data Breaches Wreak Havoc

While 2016 may have been one of the worst years in history for network security, there is at least one silver lining for enterprise IT departments: insurance companies are becoming increasingly skilled at underwriting cybersecurity risks.


According to the Insurance Information Institute, more than 60 different insurance companies are now offering standalone cyber insurance policies, with an estimated U.S. market of more than $3.25 billion in gross written premiums this year.


That figure is the direct result of two related trends. First, data breaches are becoming more expensive for enterprises, with the average breach in 2016 costing $7 million and representing the third-costliest business risk this year. That increase has given rise to the second trend, which is that businesses are becoming much more concerned about protecting themselves against potential financial losses as the result of hacks that are becoming almost inevitable.


A New Challenge

Historically, the insurance industry has successfully managed to adapt to the risks posed by new technologies, including automotive and air travel tech. Nonetheless, insuring against data breaches and other attacks presents its own set of challenges and complications.


In particular, the constantly changing range of perpetrators, targets and exposure values, a lack of historical actuarial data and the interconnected nature of cyberspace combine to make it difficult for insurers to assess the likely severity of future cyberattacks.


While most traditional commercial general liability policies do not cover cyber risks, standalone cyber insurance policies typically address a number of risks associated with data breaches or attacks.


About Time

Chief among these is liability insurance to help companies cover costs, such as legal fees and court judgments, that may be incurred following the theft of enterprise data or the unintentional transmission of a computer virus that causes financial harm to a third party.


Crisis management is another aspect of standalone cyber insurance, covering the cost of notifying consumers about data breaches that resulted in the release of private information and providing them with credit monitoring services. Cyber insurance also covers the cost of retaining a public relations firm or launching an advertising campaign to rebuild a company’s reputation.


Some policies will also cover liabilities incurred by directors, corporate officers or other members of management who might be at risk due to decisions made on behalf of the company. Business interruption stemming from an attack can also lead to a loss of income, another risk insurers are increasingly starting to underwrite.


Ransomware and Data Destruction

Cyber extortion has also been a major concern this year, with the San Francisco transit system falling victim to an attempt to extort it for millions of dollars. That attack caused the system to offer free rides to patrons over Thanksgiving weekend. Cyber extortion coverage helps cover the settlement of an extortion threat as well as the cost of hiring a security firm to track down the blackmailers.


Insurance companies are also beginning to cover damages resulting from the destruction of data or other valuable assets by viruses, malicious code and Trojan horses, as well as the cost of posting criminal rewards for information leading to the arrest and conviction of malicious hackers.


If 2016 was any indication of what lies ahead, these kinds of insurance policies should be in even greater demand in 2017.


via:  enterprise-security-today

The new Barnes & Noble Nooks come with free malware

Barnes & Noble began outsourcing its Nook e-readers a few years ago after a partnership with Samsung, and its latest $50 Nook 7 Android tablet, announced last month, shows us how that has worked out. The new e-reader includes ADUPS, firmware that sends user data back to the manufacturer or to an interested hacker. This is the same malware that researchers found on cheap Blu tablets and phones last month.


The manufacturer claims to have patched the malware in current products, but it seems the new B&N Nooks are still running the old software. ADUPS allows full data access on the device and command-and-control privileges, including remote software installation and automatic updates without user permission.


How bad is it?

These devices actively transmitted user and device information including the full body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices… The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information.


The Digital Reader is recommending that users return their Nooks and notes that B&N has a holiday return policy that lets you send items back until January 31.


via:  techcrunch

This Is What It Looks Like When You’re Hacked on Free Wi-Fi

If you’ve ever wondered when, where or how a digital hack originates, look no further than our team’s latest Wi-Fi hack demo. In the video below, we simulate an unfortunate case that could happen to anyone when surfing on public Wi-Fi without using protection, such as an encrypted connection or VPN app. In the demo, F-Secure Partner Sales Manager, Olli, plays the role of a malicious hacker who hacks a “victim” named Timo while the two of them are sitting in their local coffee shop.



The hacking process begins with Timo switching on his iPad with the intent of checking his email. An open hotspot named “Hot Free Internet” appears on his tablet’s list of available networks, and he connects to it without needing to provide a password. What the victim doesn’t know is this: the Wi-Fi network to which he has connected is a hoax, and there’s a hacker sitting in a nearby corner of the coffee shop who has set it up using his own router. Using this fake hotspot, the hacker is on a mission to “sniff”, or steal, some of the victim’s most vital personal data.


We watch as Timo navigates to Safari and signs into Gmail on his device. Simultaneously, the hacker uses software that follows all of Timo’s online traffic from the moment he connects to the hacker’s Wi-Fi hotspot. Timo enters his login credentials and immediately encounters a screen saying that Google’s server is down. Although this message could already be recognized as suspicious, our victim thinks nothing of it and decides to wait for the server to come back online while sipping his cup of coffee. Little does he know that his data has been sent directly to the hacker’s software.


Now that our hacker has effortlessly obtained the victim’s Gmail credentials, as well as his full name, he is busy at work hacking into Timo’s Gmail account in order to collect the personal data he needs to monetize his efforts. Remember, this has all been made possible by the fact that the victim submitted his personal information over an open, unprotected Wi-Fi network. The hacker accesses the victim’s Gmail account with ease, while the victim remains oblivious to what’s happening online. Timo’s emails reveal that he’s a frequent Amazon customer, so the hacker tries to use Timo’s email address and full name to reset his Amazon password and access his account — and he succeeds! In the span of a few minutes, the hacker has obtained access to the victim’s credit card information, which is saved in his Amazon account, and he’s now able to purchase anything he’d like. The hacker decides to go for a Samsung 4K Smart TV, and with a click of a button, he adds it to the shopping cart and makes his purchase.


This is how easy it is to steal login credentials over an open, public Wi-Fi network. This demo provides just one example of the bad things that can happen when your data is sniffed – in real life, this could be your Facebook or LinkedIn account, both of which are tied to many of your other digital accounts and services. When you fail to encrypt your Internet connection, this information becomes easy pickings for hackers.


In this demo’s scenario, had the victim been using a virtual private network (VPN), many of which are free, all of his personal data would have been encrypted, making it completely protected against the prying eyes of hackers.
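The demo works because the victim’s browser posts a password to a page the hotspot operator controls, over a connection the operator can read. The following script is an added example, not F-Secure’s demo code: it takes the URL of the page a user is viewing and the login form’s action, resolves the real submission target the way a browser would, and reports the two things a defender cares about here, whether the credentials would travel in plaintext (no HTTPS) and whether they would go to a host outside the domains the user expects for that service. Every URL, domain and hostname in it (the hotspot host hot-free-internet.example, the look-alike domain, the sample submissions) is a constructed placeholder; the expected domain google.com is taken from the Gmail scenario above.

```python
"""Added example (not F-Secure's demo code): check where a login form sends credentials.

Given the page URL and the form's action attribute, resolve the submission target
and flag two defender-relevant findings:
  "plaintext"      the credentials would leave the device without TLS, readable by
                   whoever runs the hotspot (the demo's "Hot Free Internet" scenario)
  "host-mismatch"  the form posts to a host that is not the service's own domain
All URLs and domains below are constructed sample values.
"""
from urllib.parse import urljoin, urlsplit


def host_in_scope(host, expected_domains):
    """True when host is one of the expected domains or a subdomain of one.

    Matching on '.' + domain (not a substring) is what stops a look-alike such as
    'accounts.google.com.evil.example' from passing for 'google.com'.
    """
    host = host.lower()
    for domain in expected_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def assess_login_submission(page_url, form_action, expected_domains):
    """Resolve the form target and return {'target', 'host', 'findings', 'safe'}.

    form_action may be relative (a bare '/auth' posts back to the page's own
    origin), so it is resolved against page_url exactly as a browser would.
    """
    target = urljoin(page_url, form_action)
    parts = urlsplit(target)
    host = parts.hostname or ""  # .hostname is lower-cased and has userinfo and port removed
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("plaintext")       # anyone on the path, e.g. the hotspot, can read it
    if not host_in_scope(host, expected_domains):
        findings.append("host-mismatch")   # posts somewhere the real service never would
    return {"target": target, "host": host, "findings": findings, "safe": not findings}


# Constructed observations modelled on the coffee-shop demo (placeholder hosts).
SAMPLE_SUBMISSIONS = [
    # label, page URL, form action
    ("fake-gmail-on-hotspot", "http://mail.google.com/", "http://hot-free-internet.example/collect"),
    # the hotspot answers for the real hostname but without TLS: host check alone is not enough
    ("spoofed-host-relative-action", "http://mail.google.com/signin", "/auth"),
    ("lookalike-subdomain", "https://accounts.google.com.evil.example/signin", "signin"),
    ("legit-https", "https://Accounts.Google.com:443/signin/v2", "/signin/v2/challenge"),
]

EXPECTED_GOOGLE_DOMAINS = ("google.com",)


def run_samples():
    """Assess every constructed submission; returns {label: findings}."""
    return {
        label: assess_login_submission(page, action, EXPECTED_GOOGLE_DOMAINS)["findings"]
        for label, page, action in SAMPLE_SUBMISSIONS
    }


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label:30s} {'OK' if not findings else ', '.join(findings)}")
```

The second sample is the one worth noticing: when the rogue hotspot answers for the genuine hostname, the host check passes and only the missing TLS gives the page away, which is why the demo’s fix is an encrypted connection or VPN rather than a closer look at the address bar.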


Note: For the purpose of this demo, we built a webpage designed to look like Gmail. Authentic Google webpages were not used within our simulation.


via:  safeandsavvy