04 Dec Hot Topic in Icy Country Marco
13 Jul How to survive attacks that result in password leaks? Dmitry Bestuzhev
24 Aug Airport Security – On a Different Angle Though … Christian
28 Jun Yet another phishing attack – Tumblr users being targeted Stefan Tanase
15 Jun S.A.P.Z. Botnet, new perspective of attack Jorge Mieres
04 May Lab Matters - Password Security: Dos and Don'ts Ryan Naraine
These days Passwords^12 is taking place in Oslo - a conference dedicated solely to passwords and PIN codes. With temperatures around -15 degrees (Celsius) outside, talks by well-known security experts are being given in the conference rooms of the University of Oslo, Department of Informatics.
Every day you use passwords: while logging on to your computer, smartphone or tablet, accessing your emails or your social network site, and also for online banking and online shopping. Recent database breaches of user logins show that there is a high demand for more security in this area. During these days, the talks and discussions are about nothing else.
Airport kiosks have achieved a wide distribution nowadays. They offer the convenience of having access to all sorts of travel related information, IP-telephony as well as to the Internet while on the road. Which is a good thing!
However, when I travelled back from BlackHat and DefCon 19 and checked in at the McCarran airport in Las Vegas, one of these machines caught my eye. It showed a website I know pretty well – Facebook! But it wasn't the login screen - as it should be - but the profile page of a member. Someone had forgotten to log out of his or her account. Anyone in this airport would now have full access to all data and - of course - be able to write status messages on the profile page of the account owner and all people in the friend list – which could harm this person's reputation. Which is a bad thing!
What a coincidence! The same day I start tumblring, Tumblr users get hit by what seems to be one of the most publicized phishing attacks the social network has seen so far.
Yet another phishing attack has resulted in thousands of accounts being compromised. Nothing new here. Phishing is a game of numbers – so even though many users are aware of this threat, there still are some of them who fall victim to this old social engineering trick. Therefore, even with just a low efficiency rate in terms of percentage, thousands of accounts can still be easily compromised by cybercriminals if the phishing page is seen by enough people.
So – for those of you out there who still don’t know the basics of avoiding becoming a victim of a phishing attack, here are a couple of tips:
A few days ago, we notified you about malicious activities from the S.A.P.Z. botnet. And we provided evidence that this methodology of attack can be used to affect users of any Latin American bank, or in any part of the world.
Now the S.A.P.Z. gang, which may be Peruvian, has resorted to another strategy. It is focusing on the theft of sensitive information, by spreading a variant of the Palevo worm, detected by Kaspersky Lab as P2P-Worm.Win32.Palevo.cudq.
The key element of this is that with S.A.P.Z., the cyber-criminals have used the functionalities of an old web application created for the administration of stolen data, called Blackshades. As indicated in this image, now they’re not only focusing on Peruvian users, but also other countries such as Chile, Colombia, Spain and USA.
There are countless firms that sell expensive computer security products and gear. But most experts will tell you that the one step you can take to most improve the security of your home or work computer is to have and follow strict password security. But what makes a password strong (or weak)? And what tricks might hackers, malware authors and cyber criminals play to get you to part with yours? Paul Roberts of Threatpost speaks with David Emm of Kaspersky Lab about proper password hygiene and the steps you need to take to secure access to your critical online and offline accounts.
As long-time blog readers may know, I shifted my focus to North American threats some three years ago. Ever since, I've noticed major cultural differences in how security issues get tackled.
One way in which the difference is very clear is the use of secret questions as an added security measure. While secret questions are not overly common in Europe, they're very popular in the USA.
It goes without saying that out-of-band authentication used by many European banks is a much more secure approach than asking a secret question next to a regular password. And banks are just one of many examples. Secret questions are everywhere now.
Enter the Facebook era. Rarely do I encounter a secret question that people wouldn't likely have posted the answer to on Facebook. It's worse with the services that allow users to reset their password based on answering the secret question(s) correctly.
The word ‘leak’ has become rather popular in recent times, but few of us actually realize just how likely it is that our own personal information could be leaked. We protect our computers, our mobile devices, keep up to speed with the latest security issues, but there are still times when we become careless. In particular, I’m speaking about public computers like this one here:
This is a genuine public access computer I came across in a hotel I was staying at last week during a short vacation. I had to use the Internet quite urgently, and of course I understood that my personal data wasn’t completely safe and could end up in someone else’s hands. I decided to try a little experiment and the results clearly demonstrated that any of us could quite easily fall victim to our own personal ‘(Wiki)leaks’:
I’m sure very few people would want their documents, especially of this nature, falling into the hands of strangers, competitors or cybercriminals.
So, if you want to experience your own (Wiki)leaks, all you have to do is use public access computers on a regular basis at airports, in hotels, cafes, libraries etc. If you really have to use a public computer and you know a thing or two about IT security, check first of all to see if the computer is infected. Remember that antivirus scanning results don’t always reflect the real picture.
Secondly, check if the ‘save passwords’ option is activated in the browser.
Thirdly, if you are working with documents or photographs, try not to download them. Many of today’s email services allow you to work with them directly from your email account. If you do download something, don’t forget to delete it afterwards and clear it from the Recycle Bin.
It’s also worth looking at the computer itself to ensure that there are no devices between the port where the keyboard is plugged in and the keyboard itself. These devices can gather information and look something like this:
Other precautionary measures include either cleaning your Internet Activity History or, before going online, switching on the privacy mode that is included in numerous browsers these days.
I cleaned up the aforementioned computer and informed the hotel administration. I didn’t get a discount, but the hotel management was very grateful and promised that no more cybercriminals would be stealing money from their customers (although I’m not so sure about that).
In a long overdue move, Twitter turned off basic authentication for third-party applications, while enforcing OAuth for all apps. This is a move that should be applauded by anyone concerned about the security of their Twitter account.
This latest move covers a potential vulnerability in the process of giving read/write access to third-party applications, which could lead to a Twitter account being compromised. Well, not anymore. You don't need to give your username and password to third-party developers anymore if you want to use their application on your Twitter account.
Being always concerned about security, I salute Twitter's move to enforce OAuth. This lets me use an application without having to share my Twitter username and password with an unknown entity. Also, hats off to all developers that updated their applications in time and made this change as seamless as possible for the majority of users.
However, keep in mind that OAuth doesn't protect against local attacks - stealing passwords straight from the users' machines. Make sure you use a clean computer when you log in to Twitter. Also, for more tips on staying safe, I invite you to read my quick How to Avoid Getting Your Twitter Account Hacked guide on Threatpost.
The initial Trojan is downloaded to the victim machine by a malicious Java archive file. It has several malicious features. For example, it spreads through USB devices and disables Windows Task Manager, the regedit application and notifications from Windows Security Center. It also creates a copy of itself in the system with the name of Live Messenger. The criminals even included an anti-virtualization feature. The worm checks whether the hard drive of the infected system is virtualized. If it finds itself in a virtual system, the malicious code won’t be executed.