The BBC has published an excellent article on attacks to avoid, as this is a peak season of year for scams and ecommerce crime
QUOTE: This Christmas looks like being a bumper one for online shopping but not everyone is filled with the festive spirit and some have already set online traps they hope you will fall into. Here are twelve cyber-scams to watch out for this Christmas:
The first scam of Christmas is phishing
The second scam of Christmas is the fake virus checker
The third scam of Christmas is the fake upgrade
The fourth scam of Christmas is the "current news scam"
The fifth scam of Christmas is the illegal "cracked" download
The sixth scam of Christmas is the drive-by download
The seventh scam of Christmas is the fake free wi-fi
The eighth scam of Christmas is the wi-fi probe
The ninth scam of Christmas is a combination of the last two
The 10th scam of Christmas is the insecure website
The 11th scam of Christmas is the Man In The Middle
The 12th scam of Christmas is the nastiest of them all: the phone call
Kim Komando shares 3 major Holiday Scams currently circulating as reported by FBI
1, Fake Gift cards (graphics seem real in email and malware/scam can occur when attempting to cash in during online purchase)
2. Child Identity Theft (criminals are increasingly targeting kids and teens for ID theft)
3. Holiday charity scams (scammers take advantage of holiday goodwill by setting up charity scams)
Kim Komando also shares 3 safety tips for email, Facebook, and website visitation:
1. Scammers use phishing schemes to steal your information - and your money. Click here to avoid losing your identity to a phishing scam.
2. Hackers can steal your personal information right from your Internet connection. Click here for one simple step to keep hackers from snooping on you.
3. Something you post on Facebook can end up in the hands of identity thieves. Click here for 3 big Facebook privacy changes you need to know about.
An open letter recommending improved balances between national security and privacy concerns was recently promoted by major companies in computer industry
QUOTE: In an open letter to Washington, eight major technology companies are calling for sweeping changes in the way the U.S. government collects information on citizens. The letter was signed by AOL Inc., Apple Inc., Facebook Inc., Google Inc., LinkedIn Corp., Microsoft Corp., Twitter Inc. and Yahoo! Inc. In documents leaked by former defense contractor Edward Snowden, most of these companies have been listed as being among the targets where the U.S. government is extracting digital information as part of a massive surveillance effort.
"We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide," the companies say in the letter to President Obama and members of Congress. "The balance in many countries has tipped too far in favor of the state and away from the rights of the individual rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for change."
Earlier this year, the Australian dating service "Cupid Media" was compromised and recent articles document this, along with importance of using differing passwords, as same password could lead to compromises in email, banking, ecommerce and other websites
QUOTE: An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity. The data stolen from Southport, Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others. The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address.
Cupid Media actions - “In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
Corporate and business users should track this important change and it's availability in early 2014:
QUOTE: Microsoft is planning to deliver Service Pack (SP) 1 for Office 2013, SharePoint 2013 and Exchange 2013 in early 2014, company officials said on November 20. Microsoft shared a partial list of some of the updates that will be part of the SP1 via blog posts on the Office and Exchange Team blogs. On that list:
* Improved compatibility with Windows 8.1
* Support for Windows Server 2012 R2 for Exchange and SharePoint
* Support for S/MIME in OWA will be brought back in SP1. With SP1 customers will have S/MIME support across Outlook, Exchange ActiveSync clients, and OWA
* Inclusion of the Edge Transport server role for Exchange Server 2013
* General performance enhancements and feature updates for all the Office 2013 products
McAfee's Q3 Threats report focuses on Digital Trust concerns:
QUOTE: Most important was the issue of whether we question the validity of our digital trust mechanisms upon which our software-driven Digital Age has relied for years. Every organization on the face of the earth relies on security controls, be they on the endpoint or the perimeter, to accept downloaded binaries if they are digitally signed. These digital signatures signify that code originated from a given manufacturer and should be allowed… Security industry leaders have long predicted that it would only be a matter of time before cybercriminals would use compromised certificates at scale to camouflage large numbers of malware. McAfee Labs’ third quarter report suggests that we could, in fact, be approaching that state of “at scale” signed malware.
While the leading code signing certificate authorities (CAs) have worked hard to validate the legitimacy of the customers to whom they sell their certificates, the evolution and commoditization of the certificate authority market has spawned an ecosystem of CAs who are decidedly unconcerned with such reputation measures, as well as a web of retailer relationships that make verification and validation difficult for the top root certificate authorities.
Symantec documents several fake AV update email or website messages
QUOTE: A new clever way of social engineering spam is going around today that attempts to trick users into running malware on their computers. The methods malware authors are using include emails pretending to be from various antivirus software companies with an important system update required to be installed by the end user, along with attaching a fake hotfix patch file for their antivirus software. The email plays on end user concern over the lack of detection, especially in the face of the latest threats showcased in the media recently, such as the Cryptolocker Trojan. This type of social engineering entices users to open and install the hotfix without using much discretion as to what they may be actually installing.
Symantec shares safety awareness tips for Cyber Monday ...
QUOTE: December 2, 2013 marks Cyber Monday, the day when Internet retailers expect to experience a major surge in traffic thanks to people shopping online for the holiday season. The concept of Cyber Monday, or Mega Monday as it’s known in Europe, was introduced back in 2005. It takes place after the Thanksgiving holiday weekend, when people return to the office and buy Christmas presents from their work computers, according to retailers. Some dismissed Cyber Monday as marketing hype but over time, the day has grown in significance, thanks to competitive deals on offer from many major retailers. In 2012, the 500 biggest retailers in the US took more than US$206.8 million on Cyber Monday while in Europe, approximately €565 million was spent on this day. This year, experts believe that Cyber Monday sales will grow by 13.1 percent as consumers increasingly move from buying presents in bricks-and-mortar stores to shopping online.
However, considering the hype surrounding Cyber Monday and the expected traffic on ecommerce sites on this date, there could be a chance that attackers will take advantage of the day to target both consumers and retailers
. According to a recent study from RSA Security and the Ponemon Institute
, 64 percent of retail-focused IT professionals have seen an increase in attacks and fraud attempts during high traffic days such as Cyber Monday
. But just one third of these IT professionals take special precautions to ensure high availability and integrity of websites on these days. Worse still, the estimated direct cost of a cyberattack around the holiday season is believed to be US$8,000 a minute.
F-Secure shares an informative article related to cybercrime attacks against digital currency
QUOTE: Bitcoin, and other digital currencies such as Litecoin and Peercoin, will change the way we exchange money. But they come with a major flaw: they can also be used to turn infected computers into devices that "print" money. The beauty of the algorithm behind Bitcoin is that it solves two main challenges for cryptocurrencies - confirming transactions and generating money without causing inflation - by joining them together. Confirmations are given by other members of the peer-to-peer network, who in return are given new Bitcoins for their labour. The whole process is known as "mining".
When Bitcoin was young, mining was easy. You could earn Bitcoins by mining on a home computer. However, as the currency's value grew (from $8 to $1000 during 2013) - more people applied to do it, and, in response, mining became (mathematically) harder and required more powerful computers. Unfortunately, those computers don't have to be your own. Some of the largest botnets run by online criminals today are monetized by mining. Any infected home computer could be mining Bitcoins for a cybercrime gang.
Trend Labs share an informative article that this holiday season is most dangerous times of year, due to heavy e-commerce and gift giving. Cybercriminals see as "prime opportunity to steal"
QUOTE: For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light—they see it as a prime opportunity to steal. Take, for example, online shopping. Malicious websites to try and trick online shoppers into giving them their money instead of the legitimate shopping websites. These sites are often made to look exactly like the website they’re mimicking, and feature a login screen that asks the user to enter their personal information. They are interested in any and all kinds of login information – for example, we recently saw phishing sites that stole the Apple IDs of users. We have kept track of the number phishing sites created since 2008. We pay particular attention to those that target Christmas shoppers and/or have holiday themes. There are plenty of these, and they persist all year. Unsurprisingly, they rise towards the end of the year
Trend shares awareness of new targeted attacks circulating in Asia-Pacific region
QUOTE: We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across is that these malware hide their configuration files. These JPEGs are located on sites hosted in the Asia-Pacific region, and we believe that these malware families are used in targeted attacks in the region as well.
More details on Windows XP zero day exploit circulating ... Ensuring Adobe Acrobat reader is patched will help mitigate dangers and all users have until April 2014 to move to later versions of Windows.
QUOTE (Trend Labs): We acquired this sample from a targeted attack. In this incident, a malicious PDF (detected as TROJ_PIDEF.GUD) exploits an Adobe vulnerability (CVE-2013-3346) referenced in APSB13-15, which was released in May of this year. This vulnerability is used in tandem with the Windows zero-day vulnerability (CVE-2013-5065), resulting in a backdoor being dropped into the system. The backdoor, detected as BKDR_TAVDIG.GUD, performs several routines including downloading and executing files and posting system information to its command-and-control server. This incident also serves as a reminder to users of the importance of shifting to the newer versions of Windows. Last April, Microsoft announced that they will discontinue its support of Windows XP by April 2014. For users, this may mean that they will no longer receive security updates provided by the software vendor. Those who are using Windows XP will be vulnerable to attacks using exploits targeting the OS version.
Home and corporate users will benefit greatly in phasing out Windows XP, for the more secure kernel and browser architectures offered by Windows 7 and 8.1 ... PC Magazine shares awareness of new vulnerability affecting older Windows XP version only.
QUOTE: Microsoft confirmed a zero-day vulnerability in Windows XP and Windows Server 2003 is currently being exploited in active attacks. If you are still running XP, why don't you put a new computer on your wish list? Originally reported by researchers at FireEye, the the issue is an elevation of privilege flaw which allows an attacker to run arbitrary code in kernel mode. By exploiting this bug, an attacker could install additional programs, view or modify data, or create new administrator accounts on the computer, Microsoft said in its security advisory, released on Wednesday. Microsoft also said the attackers must first log in with valid account credentials to launch the exploit, and the vulnerability cannot be triggered remotely or by anonymous users. "It is being abused in the wild in conjunction with an Adobe Reader vulnerability that had a fix published in August 2013," said Wolfgang Kandek, CTO of Qualys. Users running outdated versions of Adobe Reader 9, 10, and 11 on Windows XP SP3, FireEye researchers Xiaobo Chen and Dan Caselden wrote on the company blog. Chen and Caselden recommended. Later versions of Windows are not affected.
PC Magazine shares awareness of extensive connectivity to Twitter, Facebook, Instagram and other social networks. Users need to think ahead of security risk especially with large # of malicious applications in circulation
QUOTE: They’re so popular, those ubiquitous mobile devices. For better or worse, we’ve evolved into a society that is a texting, Facebooking, Snapchatting, online-banking, TMI-ing, forever-connected, 24/7-kind of world. And 85% of users are connecting to social media sites via public WiFi! There’s positives to that, for sure, and is a great way to stay connected. But have you ever considered the negatives when you’re doing all that in a public wireless hotspot? After all, identity theft is a huge epidemic — have you ever thought about the risks to your personal life by using a “free” Internet connection? What information are you (over)sharing? Is that data protected and encrypted from prying eyes? What security tools do you use regularly?
PC Magazine awarded Editor’s Choice rating on this advanced new gaming system
QUOTE: Well, Microsoft’s ambition has paid off. Not only is the Xbox One $499.99 at Microsoft Store a powerful game system that rivals the PlayStation 4, it really is the comprehensive entertainment hub Microsoft envisioned. (And it turns out that it doesn’t require an always-on Web connection and you can turn off the camera.) Kinect voice controls, television integration, and multitasking features make the Xbox One an ideal combination of game system, media hub, universal remote, program guide, and Blu-ray player. The Xbox One’s voice controls and TV integration are revolutionary and could pave the way for game systems to become true all-in-one entertainment centers. …but it does so much so well that its flaws and price can be forgiven, making it an Editors’ Choice.
Interesting head-to-head comparison of latest two advanced gaming console systems.
QUOTE: Now that the PlayStation 4 and the Xbox One are both on sale, we are officially in the next-generation of console gaming. For many of you, deciding which one to buy is going to be the toughest shopping decision you’ll make this holiday season. Buying a console is a highly personal decision, but it’s worth outlining the specific use cases that might tip you one way or the other. While I don’t have a deep loyalty to either Sony or Microsoft, you should know that I bought an Xbox One because it best fit my overall gaming/entertainment needs. You can also check out our occasional gamer guides for the PS4 and the Xbox One if you need more help deciding.
The Xbox One is designed to serve as your living room’s primary media device, so it may be the better option if you’re looking for an all-in-one system. Unlike the PS4, the new Xbox has an HDMI input that can be used for watching live TV. The conversation around the next-gen consoles has centered around the PS4 being best for gamers and the Xbox One is being tailored for users who want an all-in-one package. That characterization may feel reductive, but, based on the time we’ve spent with both systems, it’s also pretty accurate.
This article warns of possible mis-use in this legitimate tracking where parents monitor cell phone usage by their kids
QUOTE: Those of you interested in preserving your privacy will want to watch out for the mSpy app. When installed on an Android or iOS device, it can track phone calls, location data and keyboard strokes in the background without your knowledge. The app is ostensibly intended for legal monitoring use, and there are certainly legitimate reasons to install the software. Companies, for instance, could inform their employees that they’re surveilling company phones for security purposes, or concerned parents could include the software on devices they give to their kids.
Thankfully, the app requires physical access for installation. The iOS version requires that the client device is jailbroken, and it isn’t currently compatible with iOS 7 and recent versions of iOS 6 (6.1.3 and 6.1.4). mSpy for Android works with some of the platform’s most popular devices, including the Galaxy S4, Moto X and the HTC One, but spying on apps like Facebook, Skype, Viber and Whatsapp requires the phone to be rooted. Older BlackBerry and Symbian phones are also supported.
PC Magazine awarded Editor's Choice rating on this advanced new gaming system http://www.pcmag.com/article2/0,2817,2420311,00.asp QUOTE: Well, Microsoft's ambition has paid off. Not only is the Xbox One $499.99 at Microsoft Store a powerful game...
McAfee reports of new Android attacks circulating and targeting Korean users
PC Magazine offers numerous safety tips to reduce risks while traveling
QUOTE: If you are among the 43 million Americans planning to travel over the next days, you are most likely not leaving your electronics behind. Make sure you secure your data before you hit the road (or the air). ... KEY BEST PRACTICES include:
1. Protect the Device - The fewer devices you are carrying, the smaller the chances of losing or breaking them. Password protect, encrypt data, and set up anti-theft applications on mobile devices
2. Backup Your Data - Before you leave, take the time to back up all the files on the devices. That's ebooks, documents, pictures, videos, everything. Do it again before coming home. Back up those pictures you took and the files you created before you head out again. Upload those images and files to Flickr, Dropbox or any cloud storage service of your choice
3. Beware of Public Networks - Beware of public networks, even if they aren't free. You may think you are hopping on to the hotel wireless, or the one belonging to the airport, but it may actually be a rogue network set up to trap unsuspecting users.
More Posts Next page »