A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other people's calls, unless the target telecommunications provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the United States.

For more on this story, read "Can your calls be intercepted? This tool can tell" on CNET News.

ZDNet

Posted by donna | with no comments

A "publicity stunt?" Major threat? Or easily contained?

Executives at AirTight are defending their description of a little-known "vulnerability" in the 802.11 standard in the face of criticism following their demonstration of a Wi-Fi exploit at the Black Hat security conference. One WLAN vendor called the claim a "publicity stunt."

Others are saying the attack, which can only be mounted by an internal authorized WLAN user, is so limited in scope that it would be easier for an attacker to just use the unattended computer in a neighbor's cubicle or even bribe a fellow employee to access data.

"What those limitations really mean is that 'YES' there are much easier ways to get the data," says Jennifer Jabbusch, chief information security officer, Carolina Advanced Digital, a Cary, N.C. IT services company. "In a scenario like this, that data is most likely (more than 99.9% likely) to be [already] unencrypted on the wire. In addition to that, the close physical proximity [required] would mean an attacker could also just as easily walk over to the victim's machine and load a tool to collect data while they're at lunch or getting a soda in the break room. The wireless attack is 'going around your butt to get to your elbow,' as we say in the South."

She analyzed the AirTight exploit previously in her SecurityUncorked blog.

WLAN vendor Aruba Networks issued its own analysis, by Robbie Gill of the company's engineering department, which concluded, "The attack scenario described by AirTight is well known and old news – it was, in short, a publicity stunt."

Yesterday's detailed demonstration at Black Hat Arsenal, a demo area associated with the Black Hat info security conference, confirmed nearly all of the details that Jabbusch and others had been expecting. [See: "Wi-Fi WPA2 vulnerability FAQ".] It did little to convince observers that the exploit constituted a serious threat to enterprise wireless LAN security.

NetworkWorld

Posted by donna | with no comments

Dell is apparently eager to compete with Best Buy and Walmart for the title of most despised retailer in the country. A few months back, a tech support rep got in trouble for turning on a woman's webcam without her permission. Then, last month, the company got nabbed knowingly shipping faulty PCs. And, just this week, the Texas-based manufacturer was caught shipping motherboards infected with malware. Now, a woman from California is alleging that a support technician for Dell stole nude photos of her from her PC and posted them online, and then charged $800 worth of computer gear to her credit card for another woman in Tennessee.

This is not a cut-and-dried case of a misbehaving tech rep, though. This drama has actually been going on for almost a year, and only now is Tara Fitzgerald coming forward with her accusations. Try and follow the sequence of events, and make sense of Fitzgerald's often questionable judgment.

Switched

Did Dell tech support display woman's naked pics?

Fitzgerald wanted to send some pictures of herself to her boyfriend, but she couldn't find them on her Dell computer.

Her urgent need to find these pictures drove her, quite naturally, to call Dell tech support. Her call was answered, she said, by a gentleman in Mumbai, India, named Riyaz Shaikh.

Shaikh, who, by the time you finish this tale, might not turn out to be a gentleman, after all, offered to remotely access her computer so that he could find the pictures for her. Fitzgerald said she watched him as he located her snapshots.

It was another fine day in the helpful history of tech support. However, this success was ruined somewhat, when Fitzgerald allegedly received an e-mail from an unidentified source telling her that her pictures were now freely available for anyone to see on the Web. They were on a site called "bitchtara." [...]

When News10 contacted Dell, it received the following reply: "We investigated the issue, which involved a technical representative at one of Dell's vendors. We contacted the vendor about the allegation and can confirm that the representative no longer handles Dell calls. We've been in contact with Ms. Fitzgerald regarding this issue and continue to investigate her claims to best assist in a resolution."

CNET

Posted by donna | with no comments

The largest U.S. websites are installing new and intrusive consumer-tracking technologies on the computers of people visiting their sites—in some cases, more than 100 tracking tools at a time—a Wall Street Journal investigation has found.

The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time.

The Journal's study shows the extent to which Web users are in effect exchanging personal data for the broad access to information and services that is a defining feature of the Internet.

In an effort to quantify the reach and sophistication of the tracking industry, the Journal examined the 50 most popular websites in the U.S. to measure the quantity and capabilities of the "cookies," "beacons" and other trackers installed on a visitor's computer by each site. Together, the 50 sites account for roughly 40% of U.S. page-views.

The 50 sites installed a total of 3,180 tracking files on a test computer used to conduct the study. Only one site, the encyclopedia Wikipedia.org, installed none. Twelve sites, including IAC/InterActive Corp.'s Dictionary.com, Comcast Corp.'s Comcast.net and Microsoft Corp.'s MSN.com, installed more than 100 tracking tools apiece in the course of the Journal's test.

The Journal also surveyed its own site, WSJ.com, which doesn't rank among the top 50 by visitors. WSJ.com installed 60 tracking files, slightly below the 64 average for the top 50 sites.

The Wall Street Journal

If you use IE, enable "InPrivate Filtering"

Use the Hosts file to block ads. Use Adblock Plus for FF or AdBlock IE for IE.

Posted by donna | with no comments

The latest independent survey of 1,000 workers from business ISP Star UK has found that 72% of British workers spend their lunch hour online and performing activities like shopping, banking, catching up with the latest sport or chatting to their friends on email or Facebook.

The research was conducted after Star noticed that the network bandwidth usage for business Internet traffic in their data centres was consistently peaking between 12:00 – 14:00hrs, which is normally when British workers should be enjoying their lunch breaks.

The most popular lunchtime habits for 63% of people are checking their personal email accounts, engaging in online shopping and banking (62%), and 31% catch up with friends on social networking sites like Facebook – unsurprisingly this trend was higher (40%) for younger workers between the ages of 16 to 34 years.

ISPReview

Posted by donna | with no comments

Farmville is arguably the biggest social game the world has seen. Well, maybe that's a bit much, but it is a popular game. It is so popular, in fact, that many people will play it at work. However, doing so might get you into trouble with the IT police.

According to a security report by Cisco, employees are breaking company policies by playing social networking games, and, by doing so, could be opening up networks to outside attacks.

Cisco's 2010 Midyear Report found that 7-percent of those who admitted to using Facebook at work also fessed up to spending an average of 68 minutes each day playing 'FarmVille.'

FarmVille isn't the only game Facebookers play, as they are also sucked up into playing 'Mafia Wars' (5-percent for 52 minutes each day) and 'Cafe World' (4-percent for 36 minutes each day).

Technorati

Posted by donna | with no comments

Guard Dog, Inc. today announces a significant advance in its mission to protect consumers with a truly complete level of security against threats of identity theft through a recent partnership with Javacool Software LLC (JCS). In keeping with the company’s commitment to provide the best protection and solutions against online identity theft threats JCS’s popular software, SpywareBlaster, will be provided to all Guard Dog members to help protect them online.

“It has always been our primary objective to provide both current and future members of our identity theft protection service with the most comprehensive protection,” states Guard Dog Inc. Chief Executive Officer James Watson. “This partnership is one of many clear strategic moves towards Guard Dog achieving that objective. This is a never-ending process of building layers of protection and it is critical to include online partners in that process. SpywareBlaster is a proven anti-spyware, anti-malware system and when combined with Guard Dog’s unique, full-featured pro-active approach; the combination provides serious protection against identity theft.”

There are many key features that make SpywareBlaster a perfect fit for the Guard Dog product line. SpywareBlaster works alongside any existing security software on a PC to help provide a strong “layered defense” against spyware, malware and other threats. It also prevents the installation of ActiveX-based spyware and other dangerous programs, blocks spying and tracking via cookies, and restricts the actions of potentially unwanted Web sites. Unlike many other security tools, the performance-friendly SpywareBlaster software does not remain running in the background to slow down your PC.

“We are extremely pleased to announce our cooperative agreement with Guard Dog ID,” said a Javacool company spokesperson. “Over the years we have been approached by numerous companies that wanted to enter into a partnership program. The only one that was clearly in the best interests of our customers and our SpywareBlaster product was Guard Dog. We have been in talks with Guard Dog over the last three months and have a good understanding of their product and how SpywareBlaster fits into the equation. We are very excited to be a part of it.”

With more than 60 million free downloads since the company’s launch in 2002, having this agreement with Javacool furthers the distance between Guard Dog ID and its competitors. The company now truly offers a full suite of comprehensive identity theft protection, including key protection against online threats.

EarthTimes

Posted by donna | with no comments

Amendments to Telemarketing Sales Rule Prohibiting Debt Relief Companies From Collecting Advance Fees Will Take Effect in October 2010

Starting on October 27, 2010, for-profit companies that sell debt relief services over the telephone may no longer charge a fee before they settle or reduce a customer’s credit card or other unsecured debt.

“At the FTC we strive every day to make sure America’s middle class families get straight deals for their dollars,” Chairman Jon Leibowitz said. “This rule will stop companies who offer consumers false promises of reducing credit card debts by half or more in exchange for large, up-front fees. Too many of these companies pick the last dollar out of consumers’ pockets – and far from leaving them better off, push them deeper into debt, even bankruptcy.”

Three other Telemarketing Sales Rule provisions to take effect on September 27, 2010, will:

require debt relief companies to make specific disclosures to consumers;
prohibit them from making misrepresentations; and
extend the Telemarketing Sales Rule to cover calls consumers make to these firms in response to debt relief advertising.

FTC

Posted by donna | with no comments

The FTC yesterday published a list of companies that used unfair, deceptive, false or misleading claims about consumer privacy that caused “substantial consumer injury,” and the names on it will surprise you. Sure, many of the companies are mortgage scammers and spam phishers. But lots of them are household and blue-chip brands such as Twitter, TJ Maxx (TJX), Microsoft (MSFT) and Dave & Busters.

The list proves that advertisers cannot be trusted to regulate themselves when it comes to tracking and targeting consumers on the web or on mobile devices. There are currently few rules controlling how advertisers can use personal information gathered from consumers electronically, and if self regulation worked the FTC would not have brought action against these companies for privacy abuses (see pages 7 and 8):

  • Twitter
  • Dave & Buster’s
  • LifeLock
  • ValueClick
  • CVS Caremark
  • The TJX Cos. (TJ Maxx)
  • Reed Elsevier
  • DSW
  • BJ’s Wholesale Club, Inc.
  • Nationwide Mortgage Group
  • Petco Animal Supplies
  • Guess?
  • Microsoft Corp.
  • Lexis Nexis

In addition, the FTC has brought:

… 15 actions charging website operators with collecting information from children without parents’ consent, as well as 15 spyware cases and dozens of actions challenging illegal spam, …

BNET

Posted by donna | with no comments

Mobile app developer Jackeey Wu defended himself against claims of producing Android spyware apps today while also underscoring some of the risks of Google's mobile OS. He noted that some of the permissions his Wallpapers allegedly requested, such as for the web browser history and SMS message records, aren't in the actual app. As requesting private information automatically flags the app in Android Market before the install, it's virtually impossible to collect such information in secret, Wu said.

What few permissions Wu needs, such as basic phone access, are to help make features such as favorites work properly as a user changes devices. There's no connection to user data, he said.

Lookout, the research team that had first made the accusations, has since scaled back its claims and in an update said there wasn't any evidence of rogue behavior.

Electronista

Posted by donna | with no comments

Commtouch today announced that it has signed a definitive Asset Purchase Agreement to acquire the assets, products, licenses, and operations of the Command antivirus division of Authentium, Inc., a Florida-based company.

Command antivirus -- which also includes technology to protect against spyware, Trojan downloaders, and other threats -- is strongly synergetic with the rest of Commtouch's product portfolio. With the addition of antivirus technology as a new, third product line, Commtouch will be offering a comprehensive set of solutions for inbound and outbound messaging and Web security to its customers, which are networking and security vendors and service providers.

The Command antivirus division currently provides its technology to a notable number of leading service providers and vendors, including Google, McAfee, and Microsoft. Certified by Checkmark, West Coast Labs, and a winner of multiple Virus Bulletin awards, Authentium's Command antivirus technology boasts a small footprint and a highly efficient event-processing system.

Commtouch is expected to pay $4.6 million in cash and an additional "earnout" contingent upon the achievement of certain revenue milestones through December 31, 2011, which may bring the total amount to approximately $8 million.

The acquisition is expected to be accretive starting the first quarter post-closing, and should contribute positively to Commtouch's non-GAAP top and bottom line in 2011.

PR-USA.net

Posted by donna | with no comments

When Web pages are infected with malicious code, the current security practice is to block the entire page and warn users not to go there. But what if the infected page is on a legitimate site that needs that page up in order to do business?

In a presentation here Wednesday, a Black Hat speaker proposed a new technology that strips out malware from infected Web pages, effectively allowing sites to continue to serve Web content even after a page has been infected.

The new "mod_antimalware" Web server module, which is outlined in a white paper at Black Hat, is designed to recognize malware by its behavior on a website, says Neil Daswani, CTO of upstart security vendor Dasient and co-author of the paper.

"When a PC gets infected with malware, you don't tell the user to stop using it," Daswani says. "But that's basically what happens to Web pages that get infected -- the whole page is blocked, and your site may even be blacklisted, all because one element on one page is infected."

Mod_antimalware monitors Websites for malicious behavior, such as redirecting users to other sites or attempting to download Trojan horses, Daswani explains. It then identifies the code that instigated the malicious behavior and strips it off the page, allowing the rest of the Web content to continue being served safely.

DarkReading

Posted by donna | with no comments

Government to persevere with browser despite high-profile vulnerabilities and advice from France and Germany

The government has ruled out scrapping the use of Internet Explorer 6 on department computers, saying it will persevere with the bullet-riddled browser despite its high-profile vulnerabilities.

Responding to an online petition with more than 6,000 signatures urging government departments to upgrade away from IE6, the government said such a move would be "a very large operation" potentially at "significant potential cost to the taxpayer".

"It is therefore more cost-effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware-scanning software, to further protect public sector internet users," reads the statement.

The petition, set up by Dan Frydman, director of Inigo Media, launched the day after Google announced it would be phasing out support for the Microsoft browser after the company's corporate network was broken into by Chinese hackers using a vulnerability in IE6. The (pre-election) cabinet office signalled its intention to stick with IE6 in January this year, despite governments in both France and Germany advising people to stop using it.

Frydman responded to today's government decision on his blog, expressing disappointment that the possibility of an upgrade across any department was ruled out so off-handedly. "What I was looking for was a recommendation to upgrade away from IE6," he says. "A recommendation isn't hard, it's cheap and easy and isn't an admission of guilt. It puts the onus on the government departments to modernise, to innovate and to take care of [on] their own."

Guardian.co.uk

Well, you are putting your organization or department at RISK. 

Posted by donna | with no comments

Millions have downloaded 'suspicious' wallpaper apps, says mobile security firm

Between one and four million users of Android phones have downloaded wallpaper apps that swipe personal data from the phone and transmit it to a Chinese-owned server, a mobile security firm said today.

According to San Francisco-based Lookout, a large number of free wallpaper apps in the Android Market scrape the phone number; the user-specific subscriber identifier, also known as the IMSI (International Mobile Subscriber Identity); the phone's SIM card's serial number; and the currently-entered voicemail number from the phone.

That information is then transmitted to a server that Internet records show is registered to a resident of Shenzhen, a city in China's Guangdong province, just north of Hong Kong.

Over 80 wallpaper apps created by a pair of developers -- "callmejack" and "IceskYsl@1sters!" -- include code that accesses users' personal data, said Kevin Mahaffey, chief technology officer and a co-founder of Lookout.

"All that is sent to a Chinese server in clear text," said Mahaffey in an interview prior to Black Hat, where he and CEO John Hering presented findings of what the company called the "App Genome Project," an attempt to analyze the code of some 300,000 applications available in the Android Market and Apple's iPhone App Store.

In a Friday entry on Lookout's blog, Mahaffey published pieces of the data-scraping code found in the wallpaper apps, as well as an example of the HTML request made to the Chinese server by those programs.

ComputerWorld

Posted by donna | with no comments

Barracuda Networks is out this week with new research attempting to quantify how much malicious activity occurs on Twitter. Barracuda defines the Twitter "crime rate" as the percentage of accounts created per month that are eventually suspended by the company.

Barracuda presented its research here at the BSides event, down the Strip from the Black Hat security conference.

In total, Barracuda looked at more than 25 million accounts and found that the crime rate for the first half of 2010 is only 1.67 percent. Barracuda saw the crime rate on Twitter fluctuate from month to month, peaking in October 2009 when the rate checked in at 12 percent.

David Maynor, a research scientist at Barracuda Networks, told InternetNews.com that Twitter has not published a rigid set of guidelines specifying why accounts are deleted, though spammers and phishers are likely candidates for deletion.

While some Twitter accounts may have been set up by those with malicious intent, others may have been compromised by third-party applications, a situation Twitter is trying to address by moving to OAuth. Maynor said that OAuth can be helpful, but won't necessarily make much of a difference to the Twitter crime rate.

"OAuth is the first step toward building a more secure infrastructure," Maynor said. [...]

Compared to other forms of online communications, Twitter's crime rate ranks somewhere in the middle.

"The crime rate on Twitter is more than it is on Facebook but less than it is on e-mail," Judge said.

InternetNews

Posted by donna | with no comments

According to a newly released report by Barracuda Labs, based on a two-month study reviewing more than 25,000 trending topics and 5.5 million search results, Google remains the most popular search engine used by malicious attackers, relying on poisoned keywords.

The company, which also sampled Yahoo Search, Bing, and Twitter, attributes Google’s leading position to the fact that Google remains the market share leader in online search, and consequently the most targeted search engine.

Key highlights of the study:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the malware found was between the hours of 4:00 a.m. and 10:00 a.m. GMT. The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

Interestingly, based on the data gathered, the most popular topic of choice for cybercriminals was spyware-related searches, followed by entertainment news, with searches related to hosting sites, P2P and proxies showing significant growth. What’s worth highlighting while interpreting the data is that it’s only valid for a specific period of time. How come? [...]

Zero Day Blog at ZDNet

Posted by donna | with no comments

From Graham Cluley's Blog at Sophos:

Yesterday my colleague Pablo Teijeira, who is based in our Madrid office, logged into Facebook as normal and was confronted with a rather unusual message in place of the usual reminder of whose birthday it was today:

Rather than "Hoy es cumple de" ("Today is the birthday of") the Spanish language version of Facebook was saying "f*ck you bitches". Charming.

Pablo dropped me a line, wondering if I knew if Facebook had been hacked or if there was some other sinister explanation.

Well, the good news is that it wasn't malware and it was more done as a prank than with malicious intent. Facebook has relied upon volunteers to translate its site, and if enough people vote for an incorrect translation it can automatically replace the legitimate wording.

It's all very well harnessing the power of the net to get your website translated, but maybe Facebook should put a few more checks in place before the system is abused again in future - perhaps with more malicious intentions.

By the way, the Turkish translation version of Facebook was also abused in a similar way [...]

Posted by donna | with no comments

A security expert found a way to catch the talks at Black Hat for free, thanks to bugs in the video streaming service used by the security conference.

Michael Coates, the head of Web security for Mozilla, said he discovered several problems while trying to sign up for the US$395 service. As he went through the sign-up procedure, he was "quickly sidetracked by a few oddities in the design," he wrote in a blog post describing the incident.

He poked around a bit more and discovered that he could register an account without providing anything more than an e-mail address, and then use that account on a test login page to access the videos for free.

"Now, to be fair, Black Hat didn't operate this video service themselves," Coates wrote. "But it's still a bit ironic that the largest hacking conference in the world has this security hole in their video streaming service."

Black Hat's video streaming was provided by Inxpo this year.

ComputerWorld

Posted by donna | with no comments

Quicktime Player (version 7.6.6) allows movie files to trigger download of files, and cybercriminals are using this to download malware from malicious websites.

Trend Micro Threat Research Engineer Benson Sy encountered two .MOV files (001 Dvdrip Salt.mov, salt dvdrpi [btjunkie][xtrancex].mov) that both used the recent movie, Salt of Angelina Jolie. It looks suspicious enough because of its relatively small size compared to regular movie files.

When the movie files are loaded into Quicktime Player, they don’t show any live action scenes but lead users to download malware pretending to be either a codec update or another player installation. It is still under investigation whether the malware is using a vulnerability or a known functionality to download the malware.

TrendLabs Malware Blog

Posted by donna | with no comments

Details from 100 million Facebook profiles posted online

Why did it happen?

1.  The user did not lock/secure their info? Maybe.

2.  The user really allowed sharing their info? Possible since it's called sharing and they want it shared. Their choice.

3.  They know what FB is for and they know the catch? Maybe or No.  You know... not every user reads privacy agreements/terms/policies.

What's the catch? Data mining.  Profilers/Scammers/Thieves have easy targets.  Yours is theirs.  Theirs is theirs.

Posted by donna | with no comments