Archive for category Security News
Big Banks force Weak Security on Members
Posted by Daniel Snyder in Computer Security, Security News on August 17, 2010
Do you bank online? Your account may not be as secure as you’d like to think it is! The other day I was setting up my online account for my television cable provider and was asked to select a password. As I normally do, I created a unique complex password for the site and stored it in a master database which is also password protected (by a different password, of course!). My passwords are always complex and usually anywhere from 10 to 12 characters in length. I was frustrated when my cable provider rejected my 11-character password by notifying me that I was limited to a maximum of 8 characters and no special characters!
I have not found this uncommon either; I often find myself registering with websites that essentially force me into selecting a weak password. American banks in particular have been under fire from security professionals for their current lack of strong security. A recent report by the OSCE, which is of particular significance to U.S. banking customers, reveals that “Bank network security, especially regarding log-on procedures, falls short of consumer expectations. Log-on protocols elsewhere utilize strong authentication. U.S. banks generally fail to meet that standard.” Read more about this on the E-Commerce News website: “Are Banks Short-Changing you on Security?”
Here are a few quick (and somewhat disturbing) facts about the current state of password security…
- 61% of passwords were either only lowercase letters or all digits (examples: iloveyou or 123456).
- 60% of web users only have one password that they use for all of their online accounts, including Facebook, PayPal, email, and banks, according to a recent study.
- An estimated 1 in 9 people use one of the Top 500 passwords posted on WhatsMyPass.com
A study by Trusteer Inc., a New York-based online security vendor, found that 73% of bank customers use their Internet banking password to access non-financial, and less secure, websites, while forty-seven percent use both their online banking user ID and password on other websites.
Security expert Bruce Schneier wrote an article about a British bank (Lloyd’s) that rejected a man’s password because they felt it was “not appropriate”. The article, though not directly applicable to what we are discussing today, does conclude by mentioning that at least that bank allowed more than four characters in their password, albeit stopping the customer at six characters (which honestly, isn’t any more secure). You can read all of Bruce’s article here.
How quickly can you be hacked?
Spend a few minutes at the Online Password Generator, and you can find out just how quickly your password could be hacked by brute force. A four-character password, no matter what special characters or numbers are used, can be hacked in less than one second (if unlimited attempts were possible). Add two more simple characters and the time only increases to 53 seconds on an Intel® Core™2 Duo E4500. An eight-character password utilizing numbers and letters will take about 19 hours, 19 minutes. Punch in a twelve-character password that utilizes upper and lower case, numbers and special characters and it will take a whopping 377283354 years, 7 months to crack.
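To see why a length cap and a ban on special characters matter, this added example (not from the original post or the Online Password Generator) counts the passwords each policy permits and the worst-case time to try them all. The guess rate and the two policy definitions are assumptions chosen for illustration, so the times will not match the figures quoted above.

```python
import string

# Character classes a site policy may allow (printable ASCII only).
CLASSES = {
    "lower": string.ascii_lowercase,    # 26 symbols
    "upper": string.ascii_uppercase,    # 26 symbols
    "digit": string.digits,             # 10 symbols
    "special": string.punctuation,      # 32 symbols
}

# Assumed guess rate (guesses per second); illustrative, not a measured figure.
ASSUMED_RATE = 1_000_000

# Hypothetical policies modelled on the post: a provider that caps passwords
# at 8 characters with no special characters, and a 12-character password
# drawn from all four classes.
POLICIES = {
    "capped: max 8, no special": (("lower", "upper", "digit"), 1, 8),
    "12 chars, all classes": (("lower", "upper", "digit", "special"), 12, 12),
}

def keyspace(allowed, min_len, max_len):
    """Count every password the policy permits, over all allowed lengths."""
    n = sum(len(CLASSES[c]) for c in allowed)
    return sum(n ** k for k in range(min_len, max_len + 1))

def worst_case_seconds(space, guesses_per_second=ASSUMED_RATE):
    """Time to try every candidate when attempts are unlimited (no lockout)."""
    return space / guesses_per_second

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"

def compare(rate=ASSUMED_RATE):
    """Worst-case exhaustion time in seconds for each policy."""
    return {name: worst_case_seconds(keyspace(*policy), rate)
            for name, policy in POLICIES.items()}

if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:28s} {humanize(secs)}")
```

The absolute times scale with whatever rate you assume; the ratio between the two policies does not, which is what a maximum-length rule costs the customer.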
Not as Secure as the Bank would have you believe
In summary, online banking is simply not yet as secure as banks would like you to believe. Internet criminals are aggressive and use many methods to steal information, including database hacks, brute force attacks and phishing scams. The majority of these attacks will be performed on social networking sites such as Facebook or Twitter, where the stolen information can then be turned around and used on banks. If you are one of the 47% that uses the same information on a social networking site as you do at your bank, then consider yourself seriously warned. If on the other hand your bank allows complex passwords (like the one mentioned in the above paragraph), and has a secure (HTTPS) login, well then… bank online at your own risk!
Read more on password security as well as some interesting facts at the infocarnivore password archive.
Kaspersky agrees, here comes Microsoft
Posted by Daniel Snyder in Computer Security, Security News on August 9, 2010

In my most recent post, “MSE about to become major player in Antivirus solutions”, I discussed the looming changes that are taking place in the antivirus industry as Microsoft Security Essentials begins to gain recognition and prominence. Shortly after writing that post I got some feedback and stumbled upon a few new articles, and it looks as though Eugene Kaspersky agrees the antivirus industry is undergoing some big changes right now and in the near future. The information security specialist and founder of Kaspersky Labs is anticipating several big changes that will force antivirus vendors to adapt, and one of the biggest changes is that software giant Microsoft is making a push to grab a big portion of the antivirus industry’s market share.
More criminals on the web
The changes that are taking place in the antivirus industry are not sudden or unexpected; malware writers are getting increasingly creative and aggressive. The internet grows, and therefore the number of criminals on it grows also. Governments and law enforcement agencies are struggling to come to terms with cyber security plans, and security jobs are in high demand and expected to only increase. In years past, security vendors had only to focus on viruses and early trojans; malware did not exist for criminal intent until more recently. Now that there are huge profits to be made, malware writers focus their energy more on stealing confidential information and using it to make a profit instead of focusing on notoriety as they once did. Viruses are no longer developed for the express purpose of destroying data or crashing computers as they once were. Major threats today include keyloggers, rogue products, phishing attacks, worms and adware (among many others).
Microsoft seriously focused on security solutions
Along comes Microsoft. Kaspersky acknowledges, “Microsoft is going to be seriously focusing on the security solutions market; this will include developing antivirus solutions.” Enter Microsoft Security Essentials. Kaspersky goes on to say, “The software giant’s entry will undoubtedly have an impact on the best-known industry players and the current market share of antivirus companies is likely to change radically. Naturally, each company will be affected in a different way. For some, it will come as a heavy blow, while others will barely be affected and yet others will welcome Microsoft’s arrival on the market.” Companies will adapt, of course, and pursue different technologies as they continue to compete; as sandbox technology becomes more popular we are likely to see it breaking into the mainstream as well. Everything changes, and marketing still plays a huge role in whose product is most popular. People are naturally brand loyal, so we will see what the future holds.
For myself, I found it initially hard to trust a product like Microsoft Security Essentials since security has not been one of Microsoft’s strengths in the past. However, this is clearly changing as we see endless positive reviews of MSE, and the integrity and strength of Windows 7 are clearly strengthening Microsoft’s reputation in this area. If you’d like to read more about Eugene Kaspersky’s anticipated changes in the antivirus industry (which are happening now) you can read his article here.
Perhaps you have an opinion or observation about the current changes that the antivirus industry is undergoing. Feel free to share your opinion openly here; your comments are appreciated.
Some stats on Internet Crime
Posted by Daniel Snyder in Security News on June 21, 2010
In 2009 the Internet Crime Complaint Center (IC3) Web site received 336,655 complaint submissions. This was a 22.3% increase over 2008. The total dollar loss from all referred cases was $559.7 million with a median dollar loss of $575.
During 2009, email scams that used the FBI’s name were the offense most often reported to IC3, comprising 16.6% of all crime complaints. Non-delivery of merchandise and/or payment represented 11.9% of complaints. Advance fee fraud made up an additional 9.8% of complaints. Other top 10 complaint categories included identity theft (8.2%), overpayment fraud (7.3%), miscellaneous fraud (6.3%), spam (6.2%), credit card fraud (6.0%), auction fraud (5.7%), and destruction/damage/vandalism of computer property (i.e., “computer damage,” 4.5%).
Not surprisingly, the USA ranked highest with the number of perpetrators of cyber crime at 65.4%, the UK followed at 9.9%, and interestingly enough Nigeria was in third with 8.0% (looks like the old Nigerian email scam is still going strong!).
Hitman Scam
One of the more intriguing scams of 2009 was the “Hitman Scam,” a type of email extortion scheme. Victims are reportedly being threatened in an attempt to extort money. The victim receives an email from a member of an organization such as the “Ishmael Ghost Islamic Group.” The emailer claims to have been sent to assassinate the victim and the victim’s family members. The emailer asserts that the reason for the impending assassination resulted from an alleged offense, by the victim, against a member of the emailer’s gang. In a bizarre twist however, the emailer reveals that upon obtaining the victim’s information, another member of the gang (purported to know a member of the victim’s extended family) pleaded for the victim’s pardon. The emailer alleges that an agreement was reached with the pleading gang member to allow the victim pardon from assassination, if the victim takes some action such as sending $800 to a receiver in the United Kingdom for the migration of Islamic expatriates from the United States. Victims of this email are typically instructed to send the money via Western Union® or Money Gram® to a receiver in the United Kingdom. The emailer often gives the victim 72 hours to send the money or else pay with his/her life.
Fake Antivirus (Rogue products)
Of course, high on the list were pop-up ads for fake antivirus software. Victims reportedly receive ads warning them of the existence of threatening viruses and/or illegal content allegedly found on the victim’s computer. When victims click on the fake pop-ups, malicious code is downloaded onto their computers. Victims are directed to purchase anti-virus software to repair their computers, but in some instances this resulted in viruses, Trojans, or key loggers downloaded onto their computers. Attempts to contact the anti-virus software companies were unsuccessful.
Don’t be an internet crime victim. To test your practices, check out LooksTooGoodToBeTrue.com. Here you can learn about all the different types of online frauds you may be susceptible to.
All statistics in this post are taken from the 2009 IC3 Report. IC3 is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
Do the authorities plant torrents?
Posted by Daniel Snyder in Security News on June 21, 2010
This is a thought I’ve heard very little about, but I have heard about it, and it makes me wonder – do the authorities plant torrents on sites and trace IPs? The FBI Cyber Investigations unit is responsible for investigating piracy and intellectual property theft, so if anyone was planting torrents it would be them. In 2004, 23 billion dollars was lost as a result of criminals swiping copyright-protected digital copies of music, movies, software and games, and distributing them through websites, chat rooms, email, FTP and P2P networks. The FBI calls this “intellectual property theft”. Searching online I was unable to find any posts or anyone talking about actual planted “bait” torrents.
FBI: “P2P users could be asking for big trouble”
The FBI released a “Cyber Education Letter”. In this letter they warn users of P2P networks and express their interest in such networks. I think it’s safe to assume that with well over 23 billion dollars at stake this year, the FBI has a vested interest in torrent distribution sites, and is likely putting some money into dealing with them. Does this mean that they are after the end user? I don’t know; it would of course surprise me since the costs, energy, and time to convict an end user are perhaps not the best use of resources. I suspect that those who are more responsible for direct distribution will be the ones targeted by the FBI.
Operation Web Snare:
The FBI openly discloses on their website an operation “Web Snare” in which “Criminal schemes included in this initiative include: …Intellectual Property Rights(IPR)…”. I wonder what current operations the FBI has running to catch those who are distributing pirated software. Do you think the FBI is planting torrents and tracing IPs? It certainly wouldn’t surprise me. Perhaps you have more information or thoughts you could share? Comments are welcome.
To torrent or not to torrent, Are Torrents Safe?
Posted by Daniel Snyder in Malware Info, Security News on June 20, 2010
Are torrents safe?
I’ve been getting asked a lot about torrents lately. Are torrents safe to download? I thought I’d write an ethics-aside article about torrents. I’m not interested in giving my opinion on the legal side of torrents, and whether I think it is right or wrong. That is for you to decide. I just wanted to write an article that looks strictly at the safety of torrent downloads in relation to malware and the risk of becoming infected.
Torrents have become increasingly filled with malware over the years. Malware writers latch onto the names of popular torrent uploaders, and spread their nasties about. Popular films, games, and porn are obviously huge targets, and unsuspecting users looking for a free product are especially vulnerable. Every kind of malware imaginable has been found on torrent sites, and as much as the owners of these sites attempt to keep them clean, it is a huge, utterly impossible task. People continually ask, are torrents safe?
One particular risk, malware aside, is that you could have your IP traced, if perhaps authorities have placed ‘bait’ torrents on sites. I’m not sure quite how often this happens, but I have read about it, and heard of recorded incidents. I suspect this could begin to happen more in the near future.
I’ve heard that malware writers can generally assume that torrent users have a lower regard for computer security; this may or may not be true. Of course, I suspect the majority of torrent users are a little more tech savvy than that, and are somewhat aware of their computer’s security.
Bottom line, are torrents safe? I would certainly say NO they’re not, and you’re at a far greater risk for downloading malware there than anywhere else… often the more nasty kinds too, such as keyloggers.
How can I stay safe on torrent sites?
Pretty much the most surefire method is to pay attention to comments. If a torrent has no comments, simply stay away. Torrents that have been there awhile will have some user feedback, at least mentioning whether it worked, whether it was as described, or whether malware was found in it. These comments can be pretty reliable, as you can be sure only experienced users seem to spend time commenting. For more detailed tips, check out my five tips to stay safe on a torrent site.
Some other articles of interest on this topic:
Bogus “New Moon” Torrents lead to malware
Torrents flooded with Malware? on SEO Satellite
Torrent Spam report fake and malware ridden torrents on Torrent Freak
Zeus botnet analysis: Past, present and future threats
Posted by Daniel Snyder in Security News on June 17, 2010
The Zeus botnet has become one of the most dangerous botnets in history because of the targeted crimes that have been committed using the malware it propagates and the ease with which attackers commit the crimes. In this tip, we’ll review what makes Zeus such a unique problem for enterprises and how best to defend against it.
The Zeus botnet is really a criminal toolkit for developing custom, hard-to-detect Trojans. Because of the many different capabilities that can be included in the Trojan and how quickly its executables change, it has been remarkably successful in helping cybercriminals infect local systems, build command-and-control infrastructure and host phishing attack websites. There are even reports of enterprising criminals selling Zeus in a Software-as-a-Service (SaaS) model, making life even easier for criminals.
[Read more] Article posted on: searchsecurity.com
Short history on hacking [infographic]
Posted by Daniel Snyder in Security News on June 14, 2010
Thanks to onlinemba.com

Via: Online MBA







