Jan 19 2010

Long Awaited ISO/IEC 20000

Category: Information SecurityDISC @ 12:31 am

The long awaited international standard on scoping a Service Management System, ISO/IEC TR 20000-3, is now available.

It’s a must have –

Buy the hard copy here:

or the download here:

It may seem a little backwards buying part 3 of the ISO 20000 series ahead of parts 1 and 2 but this makes perfect sense, let me explain…
This part of ISO/IEC 20000 will help you if you are considering using ISO/IEC 20000-1 for implementing a service management system (SMS). It will also be of aid if you need specific advice on whether ISO/IEC 20000-1 is applicable to your organisation.
It shows you how to define the scope of your SMS based on practical examples, for assessment, irrespective of whether you have previous experience with other management system standards.

Key Features and Benefits:
 Will assist those looking to define a scope statement for implementing an SMS that is fully aligned with ISO/IEC 20000-1. Saving time and money over hiring expensive IT service management consultants to help you with you SMS paperwork.
 Explanations, guidance, and recommendations shed light on implementing an ISO/IEC 20000-1 SMS. Providing information which is complementary to that in ISO/IEC 20000-2.
 The information in this standard is generic, thus it is applicable no matter the size, type or location of the organisation.

Get your copy today >>

Buy the hard copy here:

or the download here:

Tags: ISO 20000, ISO/IEC 20000, Service Management System

Jan 12 2010

Pop-Up Security Warnings Pose Threats

Category: MalwareDISC @ 4:10 pm

FBI Warning
Image by Travelin’ Librarian via Flickr

Malware: Fighting Malicious Code

By FBI NPO

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you can’t click a link to go to the real site to review or see recommendations. Cyber criminals use botnets—collections of compromised computers—to push the software, and advertisements on websites deliver it. This is known as malicious advertising or “malvertising.”

Once the pop-up warning appears, it can’t be easily closed by clicking the “close” or “X” buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.

Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggers—hardware that records passwords and sensitive data—being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.

Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.

If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at www.ic3.gov.

Related articles by Zemanta

Tags: anti virus, crime, FBI, Federal Bureau of Investigation, Identity Theft, Internet Crime Complaint Center, Malicious Software, Malware, pop-up, Security, Theft, trojan, United States

Jan 11 2010

Long Awaited ISO/IEC 27004:2009

Category: ISO 27kDISC @ 12:49 pm

Security Metrics: Replacing Fear, Uncertainty, and Doubt

The long awaited international standard on Information Security Measurement, ISO/IEC27004:2009, is now available.

It’s a must have –
To Download a copy of ISO27004 – Information Security Metrics

Key Features and Benefits:

• Provides guidance on the development, implementation use of metrics to measure the effectiveness of an ISO 27001-compliant ISMS, controls or groups of controls. Helping you to quantify the payback to your organisation of implementing an ISMS.
• Covers not just the development, implementation and use of metrics, but also the communication of the results. Helping you to ensure management buy-in for future projects.
• The use of this standard provides opportunities to identify areas in need of improvement, facilitating continual improvement. Thus leading more secure information, cost savings and increases in efficiency.

If you have not claibrated the model with measurement, only one thing is certain: You will either overspend or under-protect.

Get your copy today >>
To Download a copy of ISO27004 – Information Security Metrics

Tags: Individual Standards, International Organization for Standardization, ISO, ISO 27004, ISO 27k, iso measurement, iso27004, Policy, Security, under-protect

Jan 11 2010

Hackers deface 5th govt Web site, mock automated polls

Category: Security BreachDISC @ 1:45 am

By Jerrie Abella, GMANews.TV

Another government Web site was found defaced Sunday night – the fifth attack since last month.

Hackers of the Technical Education and Skills Development Authority (Tesda) Web site, however, took on a bolder approach by leaving a message that seemed to mock the upcoming automated elections.

“Ano ba gagamitin sa Election? Blade server? Juniper Firewall (what is going to be used in the elections? Blade server? Juniper firewall)?” the message read.

HACK YOU. A screen capture of the defaced Tesda Web site as of 11:12 p.m. Sunday.Before Tesda’s, hackers had also victimized the Web sites of the Department of Health (DOH), Department of Social Welfare and Development (DSWD), National Disaster Coordinating Council (NDCC), and Department of Labor and Employment (DOLE).

Malacañang has expressed alarm over the series of hacking attacks on government Web sites, saying it raises new concerns about the security of the automated elections in May.

“Of course we are concerned. This is not just a problem in our country, this is not just something that has happened just recently, it’s happening all over the country so this is certainly something that we are sensitive to as a matter of information policy within government,” said deputy presidential spokesman Gary Olivar at a press conference last week.

Dirty finger

The hacked Tesda Web site also showed a black and white illustration of a man giving the “dirty finger” supposedly directed against several “abusive” military and police units.

A pair of bulging eyeballs also followed the pointer anywhere on the page, and background music was also set up on the site’s second web page to which it automatically transfers.

Aside from the derisive reference to the May elections, message of sympathy to a slain communist rebel and a potshot against an alleged abusive police officer also replaced the original contents of the site.

“Nakikiramay kami sa Iskolar ng Bayan, Freedom Fighter na si Kimay” (We sympathize with the death of scholar of the people, freedom fighter Kimay)” the hackers’ message read, referring to Kemberly Jul Luna, a young New People’s Army (NPA) cadre who was killed last December 15 in an encounter with the military in Bukidnon province.

The message also identified a certain PO1 Ramos as an “abusive” police officer.

The hackers also made the site automatically jump into a second page, which featured a background music; a job announcement supposedly from VenturesLink, one of the partners of Smartmatic-TIM in the automation of the elections, inviting technicians across the country to be part of its team; a quote from the Hacker Manifesto, a short essay written by well-known hacker Lloyd Blankenship after he was arrested in 1986.

The hacking of government Web sites has alarmed Malacañang, considering the attacks’ proximity to the May automated polls.Precautions

Following the attacks on government Web sites by hackers, Olivar urged the Commission on Elections (Comelec) and other agencies to take the necessary precautions to secure their Web sites.

“Other agencies which are not yet hit by this are likewise taking the necessary precautions, especially Comelec because of the automated nature of the next elections,” he said at last week’s briefing.

The Comelec had earlier said that adequate safeguards are in place to protect the election results from hackers. Spokesman James Jimenez said the system to be used in the coming automated polls would operate on a “virtual private network,” making it difficult for hackers to bypass the system’s security mechanisms.

Related articles by Zemanta

Tags: Comelec, Commission on Elections, Department of Health, Department of Labor and Employment, Department of Social Welfare and Development, DOH, DOLE, DSWD, Hacking, National Disaster Coordinating Council, NDCC, Technical Education and Skills Development Authority, Tesda

Jan 06 2010

Automated polls not hack-proof

Category: Information SecurityDISC @ 3:39 pm

6 machines
Image by Valerie Reneé via Flickr

By Andreo Calonzo

The system that will be used in the May 2010 automated elections is not hack-proof, but adequate safeguards are in place to protect the results from hackers, the Commission on Elections (Comelec) assured Wednesday.

“I am not saying that the system cannot be hacked. No system is 100-percent hack-proof. I am just saying that we have made sure that the system will not be hacked,” Comelec spokesperson James Jimenez said.

Jimenez gave the assurance after three government Web sites were hacked in less than two weeks, the latest of which was that of the National Disaster Coordinating Council (NDCC).

Last week, the Web sites of the Department of Health (DOH) and the Department of Social Welfare and Development (DSWD) were also victimized by hackers.

Jimenez said the system to be used in the coming automated elections would operate on a “virtual private network,” making it difficult for hackers to bypass the system’s security mechanisms.

“It’s like trying to rob a house, but you don’t even know where its exact location is,” he said in Filipino.

Jimenez also explained that the “real time” transmission of the results would make hacking more difficult.

“Our machines transmit for only two minutes. That’s too fast. In order to actually decode the data, it will take you something like three years. If you only have two minutes to do it, you do not have enough time,” he said.

But Jimenez conceded that hacking could happen at the municipal level. “The possibility of hacking is greatest at the municipal level, because it is the one most visible to the public.”

He said to prevent this, the poll body would use two other independent servers, one to a central server and another to a server assigned to media groups, accredited citizens’ arm and political parties.

“If you hack the municipal server, and if you hack the municipal server results, you are not hacking the reports of the other servers,” he said.

“If one report is hacked, this doesn’t mean that you have hacked everything. In fact, if one report is hacked, the tampering becomes more evident because there are other reports to contradict it,” he added.

An American company, Systest Laboratories in Colorado, is currently verifying the security and accuracy of the source code to be used in the automated counting machines, according to Comelec commissioner Gregorio Larrazabal. – KBK/RSJ, GMANews.TV

Tags: automated pollling machine, Colorado, Department of Health, Department of Social Welfare and Development, DSWD, hacker, Hacking, National Disaster Coordinating Council, Polling place, Seattle, United States, Voting

Dec 30 2009

ATM bandits hack security

Category: pci dss,Security BreachDISC @ 11:31 pm

ATM at the secretary of state in Portage, MI
Image via Wikipedia

Overseas gangs have cracked the code of ATM anti-skimming devices in Australia just two months after their roll-out.

ATM Security Breach News Video

Overseas gang has cracked the code of ATM using skimming devices in Australia, where bank customers are defenseless against organized crime unless they check ATM themselves against any sign of tempering.

Awesome Aussies in the game of cricket but their banking system still use magnetic stripe rather than magnetic chip which make it as an easy picking for the overseas gangs

Related articles by Zemanta

Tags: Australia, Automated teller machine, Bank, Banking Services, Banks and Institutions, Financial services, Magnetic stripe card

Dec 28 2009

Hackers’ attacks rise in volume, sophistication

Category: Information SecurityDISC @ 6:41 pm

digital-hijack


Year in review for online security attacks – 2009 is going to be known as a year of change in tactics of exploitation, rather than creating more new tools in hacker’s community. They are utilizing social media as a tool to exploit and using built-in trust in social media to their advantage. That’s why stealing social media accounts are considered as a treasure trove in hacker’s community to spread malwares (rogue anti-virus) which helps them to steal personal and private information. This perhaps was another reason why social media community was busy in 2009 changing their security and privacy policy on a frequent basis. Do you think, as social media grow, so does the threat to personal and private information?.

At the same time 2009 comes to an end with a bang with an appointment of Howard Schmidt by Obama’s administration as a cybersecurity coordinator. A great choice indeed but why it took them a whole year to make this important decision. This indecision will cost them, no matter how you look at it. Now hopefully the current administration is going to keep the politics aside and take his recommendations seriously to make up for the lost time.

Alejandro Martínez-Cabrera, SF Chronicle

Security experts describe the typical hacker of 2009 as more sophisticated, prolific and craftier than ever. If anything, criminals will be remembered by the sheer number of attacks they unleashed upon the Web.

While the year didn’t see many technological leaps in the techniques hackers employ, they continued to expand their reach to every corner of the Internet by leveraging social media, infiltrating trusted Web sites, and crafting more convincing and tailored scams.

Although there were a handful of firsts – like the first iPhone worm – most attacks in 2009 were near-identical to tactics used in prior years, changing only in the victims they targeted and their level of sophistication.

One of the most preoccupying trends was personalized attacks designed to steal small and medium business owners’ online banking credentials. The scheme was particularly damaging because banks take less responsibility for the monetary losses of businesses than of individual consumers in identity theft cases.

In October, the FBI estimated small and medium businesses have lost at least $40 million to cyber-crime since 2004.

Attacks continued to plague larger organizations. The Wall Street Journal reported on Tuesday that the FBI was investigating the online theft of tens of millions of dollars from Citigroup, which has denied the incident.

Alan Paller, director of research at the SANS Institute, said criminals shifted the focus of their tactics from developing attack techniques to improving the social engineering of their scams.

“It’s not the tools but the skills. That’s a new idea,” he said.

One example is rogue antivirus schemes, which often trick computer users with a fake infection. Criminals then obtain their victims’ credit card information as they pay for a false product, all the while installing the very malicious software they were seeking to repel.

Even though these scams have been around for several years, they have become more a popular tactic among criminals because they pressure potential victims into making on-the-spot decisions.

“People have been told to look out for viruses and want to do the right thing. There’s security awareness now, but the criminals are taking advantage of their limited knowledge,” said Mike Dausin, a researcher with network security firm TippingPoint’s DVLabs.

Chester Wisniewski, senior adviser for software security firm Sophos, said social networks also continued to be an important target for attackers. Despite Facebook and Twitter’s efforts to beef up their security, it has become a common tactic for scammers to hijack Facebook accounts and post malicious links on the walls of the victim’s friends or distribute harmful content through tweets.

“We haven’t had this before – a place where all kinds of people go and dump their information, which makes it very valuable for criminals,” Wisniewski said. “It’s kind of a gold mine for identity thieves to get on people’s Facebook account.”

Using PDFs
Another common ploy was malicious software that piggybacked on common third-party applications like Adobe PDFs and Flash animations.

Although Adobe scrambled this year to improve its software update procedures and roll out patches more frequently, criminals have increasingly exploited the coding flaws in Adobe products in particular because of their ubiquity and the abundance of vulnerable old code, said Roel Schouwenberg, senior virus analyst at Kaspersky Lab.

By using ad networks or taking advantage of exploitable Web programming errors to insert malicious content, criminals cemented their presence in legitimate Web sites and made 2009, according to anti-malware firm Dasient, the year of the “drive-by download,” in which users only have to visit a compromised Web site to become infected.

An October report from the San Jose company estimated that 640,000 legitimate Web sites became infected in the third quarter of 2009, compared with 120,000 infected sites during the same period of 2008.

Damaging reputations
The trend was not only a security threat for consumers, but also stood to damage the reputation and traffic of the victimized Web sites. In September, a fake antivirus pop-up made its way into the New York Times’ Web site by infiltrating the company’s ad network.

Researchers also noted a high volume of attacks disguised as content related to popular news items – anything from Michael Jackson to the swine flu – to coax Web users into downloading malicious content. This closing year also saw a handful of notorious politically motivated online attacks, and the issue of national cybersecurity continued to gain prominence.

On Dec. 18, Twitter’s home page was defaced by hackers calling themselves the “Iranian Cyber Army,” although authorities said there was no evidence they were in fact connected to Iran. An August attack on a Georgian blogger also indirectly affected the popular microblogging site and brought it down for several hours.

In July, several U.S. and South Korean government Web sites went offline after being hit by a denial-of-service attack that South Korea has attributed to a North Korean ministry. U.S. defense officials revealed in April that hackers have stolen thousands of files on one of the military’s most advanced fighter aircrafts.

“Now it’s in the agenda of every government to pay attention to the cyberworld,” Schouwenberg said.

Security coordinator
On Tuesday, the White House announced the appointment of Howard A. Schmidt as the Obama administration’s new cybersecurity coordinator. Schmidt occupied a similar post under the Bush administration.

Even though crime continued to evolve into a more organized and compartmentalized operation this year, experts believe a new White House administration conscientious of threats and partnerships between law enforcement agencies and security firms offer encouraging signs for next year.

An example is the Conficker Work Group, an international industry coalition that joined to mitigate the spread of the Conficker worm. The group also collaborates with law enforcement agencies by providing them with forensic information.

“It’s the first time I’ve seen such partnership between countries. Typically it’s the Wild West and nobody is in charge of anything. Now it’s clear there’s a lot more international collaboration,” Dausin said.

Related articles by Zemanta

Tags: antivirus, cybersecurity coordinator, Denial-of-service attack, facebook, hacker, howard schmidt, Identity Theft, iPhone, Law enforcement agency, Malware, Michael Jackson, South Korea, Twitter

Dec 22 2009

FBI Probes Hacks at Citibank

Category: Security BreachDISC @ 4:45 pm

NYC - TriBeCa: Smith Barney-Citigroup Building
Image by wallyg via Flickr

The Wall Street Journal

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The attack took aim at Citigroup’s Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.

The attack underscores the blurring of lines between criminal and national-security threats in cyber space. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.

The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment.

Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”

Citigroup is currently 27%-owned by the federal government.

The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.

Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.

Continue reading at The Wall Street Journal

Tags: Business, Citibank, Citigroup, FBI, Federal Bureau of Investigation, Federal government of the United States, Government agency, Russian Business Network, United States, United States Department of Homeland Security, Wall Street Journal

Dec 18 2009

Major security breach

Category: Security BreachDISC @ 2:20 pm

drone
from AFP

Into The Breach

By Josh Rushing in Asia

When I was embedded with the US military in Helmand Province, Afghanistan, in August I wandered into a tent that I immediately recognized from my days in the military. It was an operations tent, but it was far more technologically advanced than any operations center I ever witnessed as a US Marine. There were rows of tables with soldiers at laptops all facing enormous television screens that were filled with video of a family compound in southern Afghanistan. I was amazed at how clear the drone’s video was, even though it was being filmed in the dark of night.

It was easy in that tent, in the middle of what locals call the desert of death, to see how vital drones had become to the US military for both intelligence gathering and for remote-controlled strikes – bombings that Al Jazeera continuously reports on from Pakistan and Afghanistan to Iraq and Somalia.

Standing in the back of the tent gave me cover to observe the video for about 10 minutes before an officer noticed me and escorted me out. He was obviously flummoxed that my embed credentials had allowed me to gain access to such sensitive video. Little did I know at the time, that with a $26 computer programme and a cheap television satellite dish, I could have been seeing everything that the drones were broadcasting. And why not? As the Wall Street Journal reports the signal from drones is unencrypted, a fact militants in Iraq have been taking advantage of and a fact the US military has known about for a decade or more.

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: Afghanistan, Asia, drone, drone breach, Helmand Province, major security breach, pakistan, Unmanned aerial vehicle, Wall Street Journal, waziristan

Dec 16 2009

Internet security breach found at UCSF

Category: hipaa,Security BreachDISC @ 2:38 pm

University of California, San Francisco
Image via Wikipedia

By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.


Here we have another unnecessary healthcare data breach in a university due to phishing which resulted in a loss of private data demonstrating poor baseline security and lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provision) compliance. Checkout why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.


Considering healthcare standard electronic transaction (compliance date, Jan 1, 2012) and HITECH provision (compliance date, Feb 17, 2010) are in the pipeline for healthcare organizations. Do you think it’s about time for them to get their house in order?

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number

Dec 14 2009

Viruses That Leave Victims Red in the Facebook

Category: MalwareDISC @ 3:21 pm

5 Ways to Cultivate an Active Social Network
Image by Intersection Consulting via Flickr

By BRAD STONE – NYTimes.com

It used to be that computer viruses attacked only your hard drive. Now they attack your dignity.

Malicious programs are rampaging through Web sites like Facebook and Twitter, spreading themselves by taking over people’s accounts and sending out messages to all of their friends and followers. The result is that people are inadvertently telling their co-workers and loved ones how to raise their I.Q.’s or make money instantly, or urging them to watch an awesome new video in which they star.

“I wonder what people are thinking of me right now?” said Matt Marquess, an employee at a public relations firm in San Francisco whose Twitter account was recently hijacked, showering his followers with messages that appeared to offer a $500 gift card to Victoria’s Secret.

Mr. Marquess was clueless about the offers until a professional acquaintance asked him about them via e-mail. Confused, he logged in to his account and noticed he had been promoting lingerie for five days.

“No one had said anything to me,” he said. “I thought, how long have I been Twittering about underwear?”

The humiliation sown by these attacks is just collateral damage. In most cases, the perpetrators are hoping to profit from the referral fees they get for directing people to sketchy e-commerce sites.

In other words, even the crooks are on social networks now — because millions of tightly connected potential victims are just waiting for them there.

Often the victims lose control of their accounts after clicking on a link “sent” by a friend. In other cases, the bad guys apparently scan for accounts with easily guessable passwords. (Mr. Marquess gamely concedes that his password at the time was “abc123.”)

After discovering their accounts have been seized, victims typically renounce the unauthorized messages publicly, apologizing for inadvertently bombarding their friends. These messages — one might call them Tweets of shame — convey a distinct mix of guilt, regret and embarrassment.

“I have been hacked; taking evasive maneuvers. Much apology, my friends,” wrote Rocky Barbanica, a producer for Rackspace Hosting, an Internet storage firm, in one such note.

Mr. Barbanica sent that out last month after realizing he had sent messages to 250 Twitter followers with a link and the sentence, “Are you in this picture?” If they clicked, their Twitter accounts were similarly commandeered.

“I took it personally, which I shouldn’t have, but that’s the natural feeling. It’s insulting,” he said.

Earlier malicious programs could also cause a similar measure of embarrassment if they spread themselves through a person’s e-mail address book.

But those messages, traveling from computer to computer, were more likely to be stopped by antivirus or firewall software. On the Web, such measures offer little protection. (Although they are popularly referred to as viruses or worms, the new forms of Web-based malicious programs do not technically fall into those categories, as they are not self-contained programs.)

Getting tangled up in a virus on a social network is also more painfully, and instantaneously, public. “Once it’s delivered to everyone in three seconds, the cat is out of the bag,” said Chet Wisniewski of Sophos, a Web security firm. “When people got viruses on their computers, or fell for scams at home, they were generally the only ones that knew about it and they cleaned it up themselves. It wasn’t broadcast to the whole world.”

Social networks have become prime targets of such programs’ creators for good reason, security experts say. People implicitly trust the messages they receive from friends, and are inclined to overlook the fact that, say, their cousin from Ohio is extremely unlikely to have caught them on a hidden webcam.

Sophos says that 21 percent of Web users report that they have been a target of malicious programs on social networks. Kaspersky Labs, a Russian security firm, says that on some days, one in 500 links on Twitter point to bad sites that can infect an inadequately protected computer with typical viruses that jam hard drives. Kaspersky says many more links are purely spam, frequently leading to dating sites that pay referral fees for traffic.

A worm that spread around Facebook recently featured a photo of a sparsely dressed woman and offered a link to “see more.” Adi Av, a computer developer in Ashkelon, Israel, encountered the image on the Facebook page of a friend he considered to be a reliable source of amusing Internet content.

A couple of clicks later, the image was posted on Mr. Av’s Facebook profile and sent to the “news feed” of his 350 friends.

“It’s an honest mistake,” he said. “The main embarrassment was from the possibility of other people getting into the same trouble from my profile page.”

Others confess to experiencing a more serious discomfiture.

“You feel like a total idiot,” said Jodi Chapman, who last month unwisely clicked on a Twitter message from a fellow vegan, suggesting that she take an online intelligence test.

Ms. Chapman, who sells environmentally friendly gifts with her husband, uses her Twitter account to communicate with thousands of her company’s customers. The hijacking “filled me with a sense of panic,” she said. “I was so worried that I had somehow tainted our company name by asking people to check their I.Q. scores.”

Social networking attacks do not spare the experts. Two weeks ago, Lee Rainie, director of the Pew Internet and American Life Project, a nonprofit research group, accidentally sent messages to dozens of his Twitter followers with a link and the line, “Hi, is this you? LOL.” He said a few people actually clicked.

“I’m worried that people will think I communicate this way,” Mr. Rainie said. “ ‘LOL,’ as my children would tell you, is not the style that I want to engage the world with.”

Related articles by Zemanta

Tags: Antivirus software, Computer virus, facebook, Google, Kaspersky Lab, Malware, malware 2.0, Online Communities, San Francisco, Security, Social network, Social network service, Spyware, Twitter

Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Related articles by Zemanta

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

Dec 04 2009

Five ways to lose your identity

Category: Identity TheftDISC @ 2:42 pm

beconstructive12

By Jaikumar Vijayan
The rush by shoppers to the Web makes the season a great time for online retailers. It’s also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

Checkout huge savings on Today’s Hot Deals on Information Security Solutions for the holidays

The growth of holiday hackers has annually prompted security analysts, identity theft awareness groups, and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can prove a benefit to consumers, but unfortunately some people ignore it.

Below are the identity theft awareness tips which can help maximize your exposure to online fraud.

Tip No. 1: Open all attachments from strangers and click on all embedded links in such e-mail messages. Such actions remain one of the most effective ways to provide thieves with personal information and financial data. All a hacker needs to do is find computer users who instinctively open e-mail messages from strangers, even those who write in a foreign language. The action can open the door to keystroke loggers, rootkits, or Trojan horse programs. Crooks can also easily install backdoors to easily steal data without attracting any attention. Once installed, hackers gain unfettered access to personal data and can even remotely control and administer systems from anywhere.

Tip No. 2: Respond to Dr. (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country. Users are told they will undoubtedly be rewarded for helping to get their “well-packed trunk boxes” full of cash out of Nigeria. And to make sure to provide bank account information, login credentials, date of birth, and mother’s maiden name so that they can wire the reward directly into a checking account in time for the holidays.

Tip No. 3: Install a peer-to-peer file-sharing client on your PC and configure it so all files, including bank account, Social Security, and credit card numbers, along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network. Your personal data will stream over the Internet while you check out what songs you can download for free without getting sued by the RIAA.

Tip No. 4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as “123456” and “abcdef” and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers. For maximum exposure, keep passwords short, don’t mix alphabets and numerals, and use the same password for all accounts.

Tip No. 5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated make life hard for hackers. Users can help them out by making sure their anti-virus software and anti-spyware tools are at least 18 months out of date or by not using them at all. Either way, it’s very likely that your computer will be infected with a full spectrum of malware.

For additional tips on how to shop securely on Christmas and holidays season:
How to shop safely online this Christmas
Identity theft tip-off countermeasure and consequence | DISC

Please comment below regarding any other new and emerging threat which needs to be addressed during holiday’s season?

Reblog this post [with Zemanta]

Tags: antivirus, Christmas and holiday season, Computer security, Credit card, File sharing, hacker, Identity Theft, Malicious Software, Malware, Online shopping, Personal computer, Security, shop safely, shop securely, Spyware, threats, trojan, Trojan horse

Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.


  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.



    • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.



    • PCI DSS v1.2 Documentation Compliance Toolkit
    toolkit-book-pci-dss

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).


    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit
    mass_dpa_law

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

    Nov 30 2009

    Hackers steal credit-card numbers from restaurant customers

    Category: pci dss,Security BreachDISC @ 2:44 am


    Here we have another unnecessary credit card data breach in a small organization which resulted in a loss of customers data demonstrating poor baseline security of small organization in this case a restaurant. Small organizations are not ready for PCI Compliance. Checkout why PCI Compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
    Contact DISC for any question

    By Theodore Decker
    THE COLUMBUS DISPATCH

    Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today.

    Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.

    Detective Wyatt Wilson of the Columbus police fraud/forgery unit said police began linking reports of credit-card fraud in October. Cross-checking the victims’ accounts revealed Tip Top, which is on E. Gay Street, as a common denominator, he said.

    The hackers have been traced to an overseas Internet address, and no Tip Top employees are involved, police said. Wilson said the business was as much a victim as its customers were.

    The hackers found a weak point in the restaurant’s computer defenses, wormed their way in, and installed “malware” that stripped the numbers, he said.

    The restaurant has fixed the problem, but customers who charged anything there in July or August should contact their credit-card companies or banks, cancel their cards and get new ones, even if they haven’t been victimized yet, police said.

    New fraud reports have rolled in periodically until a few days ago, Wilson said, indicating that the card numbers are still in criminal circulation.

    Elizabeth Lessner, the restaurant’s owner, said she has been told by investigators that the breach might have been the work of high-level hackers in Russia, and she wondered whether it was connected to a global case that surfaced this year.


    Most of the small companies have trouble justifying their investments when it comes to security. At the same time PCI DSS for the “brick & mortar” merchants have been a blessing for security firms who sell hardware solutions to small merchants. The problem is these hardware point solution does not address the business issues of a small merchant on daily basis.
    This is why small merchants need to build a security program and the in-house expertise with training and help of outside consultant to understand business issues related to information security clearly. You mature this process over time with an ongoing effort and full management support.
    Do you think it’s time for small merchants to take information security seriously as a business limiting risk?

    Related articles by Zemanta

    Prevent and Protect from Credit Card Fraud and Scams

    httpv://www.youtube.com/watch?v=YS_jCET-YFA&feature=related

    Reblog this post [with Zemanta]

    Tags: Banking Services, Business, Credit card, crime, Financial services, fraud, hacker, Information Security, Malware, Payment Card Industry Data Security Standard, Point of sale, Police, Security

    Nov 25 2009

    ENISA Cloud Computing Risk Assessment

    Category: Cloud computingDISC @ 4:22 pm

    Network and Information Security Agency
    Image via Wikipedia

    Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

    The ENISA (European Network and Information Security Agency) released the Cloud Computing Risk Assessment document.

    The document does well by including a focus on SMEs (Small and Medium sized Enterprises) because, as the report says, “Given the reduced cost and flexibility it brings, a migration to cloud computing is compelling for many SMEs”.

    Three initial standout items for me are:

    1. The document’s stated Risk Number One is Lock-In. “This makes it extremely difficult for a customer to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. Furthermore, cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers services and data.”

    Remember that the document identified SMEs as a major market for cloud computing. What can they do about the lock-in? Let’s see what the document says:

    The document identifies SaaS lock-in:

    Customer data is typically stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. However, if the provider does not offer a readymade data ‘export’ routine, the customer will need to develop a program to extract their data and write it to file ready for import to another provider. It should be noted that there are few formal agreements on the structure of business records (e.g., a customer record at one SaaS provider may have different fields than at another provider), although there are common underlying file formats for the export and import of data, e.g., XML. The new provider can normally help with this work at a negotiated cost. However, if the data is to be brought back in-house, the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. As customers will evaluate this aspect before making important migration decisions, it is in the long-term business interest of CPs to make data portability as easy, complete and cost-effective as possible.

    And what about PaaS Lock-In?:

    PaaS lock-in occurs at both the API layer (ie, platform specific API calls) and at the component level. For example, the PaaS provider may offer a highly efficient back-end data store. Not only must the customer develop code using the custom APIs offered by the provider, but they must also code data access routines in a way that is compatible with the back-end data store. This code will not necessarily be portable across PaaS providers, even if a seemingly compatible API is offered, as the data access model may be different (e.g., relational v hashing).

    In each case, the ENISA document says that the customer must develop code to get around the lock-in, in order to bridge APIs and to bridge data formats. However, SME’s generally do not have developers on staff to write this code. “Writing code” is not usually an option for an SME. I know – I worked for an EDI service provider who serviced SMEs in Europe – we would provide the code development services for the SMEs when they needed data transformation done at the client side.

    But there is another answer. This bridging is the job of a Cloud Service Broker. The Cloud Service Broker addresses the cloud lock-in problem head-on by bridging APIs and bridging data formats (which, as the ENISA document mentions, are often XML). It is unreasonable to expect an SME to write custom code to bridge together cloud APIs when an off-the-shelf Cloud Service Broker can do the job for them with no coding involved, while providing value-added services such as monitoring the cloud provider’s availability, encrypting data before it goes up to the cloud provider, and scanning data for privacy leaks. Read the Cloud Service Broker White Paper here.

    2. “Customers should not be tempted to use custom implementations of authentication, authorisation and accounting (AAA) as these can become weak if not properly implemented.”

    Yes! Totally agree. There is already a tendency to look at Amazon’s HMAC-signature-over-QueryString authentication scheme and implement a similar scheme which is similar but not exactly like it. For example, an organization may decide “Let’s do like Amazon do and make sure all incoming REST requests to our PaaS service are signed by a trusted client using HMAC authentication”, but omit to include any timestamp in the signed data. I can certainly imagine this, because this would happen all the time in the SOA / Web Services world (an organization would decide “Let’s make sure requests are signed using XML Signature by trusted clients”, but leave the system open to a simple capture-replay attack). Cloud PaaS providers should not make these same mistakes.

    3. STRIDE and DREAD
    Lastly, the document’s approach of examining the system in terms of data-at-rest and data-in-motion, identifying risks at each point (such as information disclosure, eavesdropping, or Denial-of-Service), then applying a probability and impact to the risks, is very reminiscent of the “STRIDE and DREAD” model. However I do not see the STRIDE and DREAD model mentioned anywhere in the document. I know it’s a bit long in the tooth now, and finessed a bit since the initial book, but it’s still a good approach. It would have been worth mentioning here, since it’s clearly an inspiration.

    Read the source entry…

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: Application programming interface, Business, Cloud computing, Platform as a service, Service-oriented architecture, Small and medium enterprises, Software as a service, Web service

    Nov 19 2009

    Health Net healthcare data breach affects1.5 million

    Category: hipaa,Security BreachDISC @ 2:10 pm

    Health Net, Inc.
    Image via Wikipedia


    Here we have another unnecessary major security breach in a large healthcare organization which resulted in a loss of patient data demonstrating poor baseline security. They clearly are not ready for the new HIPAA provision ARRA and HITECH. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
    Contact DISC for any question or high level risk assessment.

    The Practical Guide to HIPAA Privacy and Security Compliance

    By Robert Westervelt, News Editor
    19 Nov 2009 | SearchSecurity.com

    Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.

    The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

    The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

    Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.

    “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

    Blumenthal said the hard drive also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.

    Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data..

    “Health Net will provide credit monitoring for over two years – free of charge – to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” the company said.

    It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals.

    Security experts have long been advocating that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won’t end employee mistakes and carelessness, said Mike Rothman an analyst with Security Incite.

    “You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication,” Rothman said. “You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place.”

    In reality you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place and the right training and awareness so that employees understand what those policies are and ways to audit those processes, he said.

    Experts say encryption should be used as a last resort when all other security policies and processes fail. While many enterprises have focused on encrypting laptops at the endpoint, encryption can be a bit trickier for portable hard drives and other removable media. If the drive is being shared between different systems people need to have some way to access the key, said Ramon Krikken, an analyst at the Burton Group.

    “A lot of these portable hard drives are older without built-in encryption and to the extent to which you can easily deploy encryption has been a challenge for enterprises,” Krikken said.

    Some USB makers market the devices with built-in encryption software. In 2008, Seate Technology extended full disk encryption technology to all its enterprise-class hard drives. The company also began pushing for standards for hard drive encryption in storage systems.

    Nagraj Seshadri, head of product marketing at Utimaco the encryption software division of Sophos Plc, said healthcare organizations need to be just as responsible as financial firms when it comes to protecting data.


    Perhaps healthcare management still doesn’t realize that they might be potentially liable for lack of reasonable safeguards to protect organization assets. Do you think it’s time for healthcare management to take information security seriously as a potential business risk?

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: arra and hitech, data loss prevention, data security, disk encryption and file encryption, Health care, Health Insurance Portability and Accountability Act, Identity Theft, identity theft and data security breaches, Personally identifiable information, Security, security awareness training

    Nov 16 2009

    Online gangs cash in on swine flu

    Category: CybercrimeDISC @ 2:33 pm

    4 28 09 Bearman Cartoon Porky Pig Swine Flu
    Image by Bearman2007 via Flickr

    The problem is not just buying a fake medicine on the internet, it has a potential of hurting people two ways – it is not the real Tamiflu and we don’t know what’s being falsely market as Tamiflu. DISC

    By Kate Kelland Kate
    LONDON (Reuters) – Criminal gangs are making millions of dollars out of the H1N1 flu pandemic by selling fake flu drugs over the internet, a web security firm said on Monday.

    Sophos, a British security software firm said it had intercepted hundreds of millions of fake pharmaceutical spam adverts and websites this year, many of them trying to sell counterfeit antiviral drugs like Tamiflu to worried customers.

    Tamiflu, an antiviral marketed by Switzerland’s Roche Holding and known generically as oseltamivir, is the frontline drug recommended by the World Health Organization to treat and slow the progression of flu symptoms. GlaxoSmithKline makes another antiviral for flu, known as Relenza.

    Sophos said many of the gangs behind the sites were based in Russia and the top five countries buying fake Tamiflu and other medicines on the internet were the United States, Germany, Britain, Canada and France.

    Sophos spokesman Graham Cluley said a “worrying trend” toward stockpiling Tamiflu had already been seen in Britain — Europe’s worst-hit country in the H1N1 pandemic so far.

    “As more and more cases of swine flu….come to light, it is essential that we all resist the panic-induced temptation to purchase Tamiflu online,” he said.

    “The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers’ health, personal information and credit card details at risk.”

    The Geneva-based WHO, which declared H1N1 swine flu a pandemic in June, updated its guidance to doctors last week to say that antiviral drugs should be given even before tests conclude that an at-risk patient has the pandemic virus.

    Sophos said criminal gangs were operating medicines websites branded as the “Canadian Pharmacy” to try to appear genuine.

    It said its research showed that on one network operated out of Russia, called Glavmed, it was possible to earn an average of $16,000 a day promoting pharmaceutical websites.

    “But the criminals can be members of more than one affiliate network, and some have boasted of earning more than $100,000 per day,” it said in a statement.

    The pandemic H1N1 flu virus has now spread to 206 countries since it was first discovered in March. There have been more than 6,250 deaths to date, mostly in the Americas region, according to the latest WHO toll.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: Antiviral drug, GlaxoSmithKline, h1n1, H1N1 swine flu, Health, Influenza, Influenza A virus subtype H1N1, pandemic, Relenza, Sophos, Tamiflu, WHO, World Health Organization

    Nov 13 2009

    Cyber criminals deface 50 to 60 Indian websites a day

    Category: CybercrimeDISC @ 2:52 pm

    microsoft_fr_hacked
    Image by Clopin via Flickr

    Webnewwire.com report submitted on November 11, 2009

    Has your girlfriend blocked you and you cant see her on-line? Wondering how to keep your email account protected? Or want to hide files from your annoying siblings? MTV’s got Ankit Fadia – the coolest Ethical Hacker in the world to give you everything from tips, tricks to cheat codes that will help make your life on the world wide web a whole lot simpler. Learn cool stuff that you can with your computers, Internet, mobile and other technology in your life!

    This is India’s first tech show which does not review tech gadgets, websites or software instead it gives viewers a low down (or download!) on cool stuff that they can do with technology that will make their every day life cooler, simpler and stylish!

    I am hosting “MTV What the Hack!” show with MTV VJ Jose, informed Ankit Fadia who was in city on a private visit. Watch it on MTV India every Saturday @ 8:20 PM. Repeat Telecasts every day, he appealed to the people

    The show is a guy show with lots of typical MTV style humour. VJ Jose and Ankit Fadia shoot the episodes without a script and just naturally jam in front of camera and talk about technology. The show has got a very good response so far as it is being different from other shows. Most of the tech shows in India are review based shows where gadgets, software and websites are reviewed. This is the India’s first reach show that actually teaches viewers something. The show is on as part of MTV’s move to beyond music and beyond television. Since October 17 this year dropped ‘Music Television’ baseline which has been there in India for the past 13 years. Music contributes about 40 per cent of its programming and soon will go down to 25 per cent. This is happening as part of repositioning exercise MTV kicked off two years back. MTV is born of music, inspired by music, driven by music –but not limited by music. IT is now about new ideas, new formats, new ways of reaching people in new places they choose to live in.

    Addressing the press conference Ankit Fadia spoke on various issues concerning Cyber Security in India. Speaking about Cyber security issues India is facing today he said Pakistani cyber criminals are able to deface 50 to 60 Indian websites a day, but, in retaliation only 10 to 15 Pakistani websites are defaced. And this has been going on since 2001. Nodoubt, India is IT capital of the world, but, as far as security is concerned India is far lagging behind, informed Ankit.

    Speaking further he added that Terrorists are using most advanced technologies for communication. Which include mainly VOIP(Voice Over Internet Protocol) Chats, hiding messages inside photographs, draft emails, encrypted pen drives etc are some of the techniques to communicate with each other, he informed.

    Cyber laws in India are quite good, b ut the problem is that the police who enforce those laws are ill equipped and are not trained properly. And he challenged media to visit the nearest police station and lodge a cyber crime complaint. And you will shocked that 9 out of 10 times, the officials attending you won’t follow what you are saying, said Ankit.

    The biggest problem that the police worldwide face while solving cyber crime is the fact that the Internet has no boundaries, however, while investigating a cyber crime case a number of geographical, political, social and diplomatic boundaries come into the picture.

    The next big security threat could be from Social Networking, Ankit declared. Everybody in India is on the social networking bandwagon. Even Karan Johar, Priyanka Chopra, Aishwarya Rai, Shashi Tharoor, Barack Obama and many other celebrities are updating Twitter daily. The latest viruses, worms, spyware and malware spread through social networking websites like Twitter, Facebook, Orkut and Myspace.

    You will receive a private message from one of your friend (who is already infected) containing a link to a Youtube video. Halfway through the video, it will prompt you to download some Video Plugin or Code. Since the message came from your friend, most people tend to trust it and get infected!, said Ankit.

    There are many financial scams and frauds happening on social networking websites. Get rich quick schemes, Earn Money Online Scams and various money laundering attacks now come to you through a Twitter update or a Facebook wall post!. Since Social Networking websites are all about your friends, many people are susceptible to the attack, Ankit said and added that Antivirus companies need to gear up to have a social networking aspect to them. People need to be made aware of the threats of social networking!

    Another next big security threat could be People Hacking, he informed. People Hacking is all about sweet talking people to get things done. Especially things that they would normally don’t do or should not do!. People Hacking happens around us all the time. In the office, with your friends, at the check in counters at the airport or on the phone with the call centre. To carry out People Hacking you need to know what to say to whom and more importantly how to say it. Inducing fear, guilt, sympathy or just overpowering the victim with your words can lead to People Hacking, informed Ankit Fadia.

    When asked about advise like Dos and Don’ts for average internet user he listed out the following.

    – Use an Antivirus. More importantly, update it every week.

    – Use an Anti Spyware. Update it every week.

    – Use a Firewall. They are not as technical as they sound. A very good firewall that I recommend is Zone Alarm. Just do a Google search to download it.

    – Use a strong password for all your accounts—a combination of alphabets, numbers and special characters. Use both lowercase and uppercase.

    – Use Windows Update every fortnight to patch Windows.

    – Use a Key Scrambler—a software the scrambles your keys in such a way that key loggers & other spying tools cant record what you type on your computer.

    – Use a password on your Wi Fi network.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: Aishwarya Rai, Ankit Fadia, Barack Obama, cyber security, facebook, Google, MySpace, pakistan, Priyanka Chopra, Security, social engineering, Social Networking, Twitter, World Wide Web, YouTube

    Nov 10 2009

    Facebook, MySpace users hit by cyber attacks

    Category: CybercrimeDISC @ 1:27 am

    facebook
    Image by sitmonkeysupreme via Flickr

    NZ HERALD reported that Facebook users – already being targeted in a malware campaign – are now under threat from a phishing scam.

    Security specialists Symantec report that the company’s systems have picked up fake messages that appear to be sent by the social networking service.

    Users will receive an email that looks like an official Facebook invite or a password reset confirmation.

    If a duped user clicks on the ‘update’ button they will be redirected a fake Facebook site. They will then be asked to enter a password to complete the updating process.

    As soon as the unwitting Facebook user does this, their password is in the hands of cybercriminals.

    Dodgy subject lines for the phishing emails are: ‘Facebook account update,’ New login system’ or ‘Facebook update tool’.

    The malware campaign that is still targeting Facebook is also propagated via email. This time, the message looks like a Facebook notification that the recipient’s password has been reset.

    It includes a zip file that, if opened, launches an .exe file, which Symantec’s Security Response centre says is a net nasty called Trojan.Bredolab.

    Once a users’ machine is infected by this malware, it secretly dials back to a Russian domain and, Symantec says, “is most likely becoming part of a Bredolab botnet.”

    But it isn’t just Facebook that is being lined up by cybercriminals, News Corp’s MySpace is also under attack.

    Potentially dangerous email subject lines to look out for are: ‘Myspace Password Reset Confirmation,’ ‘Myspace office on fire’ and ‘Myspace was ruined’.

    Symantec believes their will be another attack on MySpace in the next day or two. “We also think that social networking sites with huge user bases are currently being targeted to infect maximum machines or gather passwords for more malicious activities in future,” the security team said in a statement.

    It advised users to be extra-careful of suspicious attachments, especially those including password reset requests. Legitimate websites will not send an attachment for resetting a password, it said.

    – NZ HERALD STAFF

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: botnet, facebook, Malware, MySpace, News Corporation, phishing, Social network, Social network service, trojan, Website

    « Previous PageNext Page »