WebProNews

Tag: Cyber-Security

  • PSA: Cybercriminals Preying On Nest Users With ‘Sextortion’ Scheme

    Following reports of connected security cameras, such as Ring and Nest, being targeted by hackers, scammers are preying on people’s fears with a “sextortion” scheme, according to CNBC.

    The scam relies on “social engineering,” or the ability to convince an unsuspecting victim to do something they wouldn’t normally do, through the use of charm, guilt, shame or authority. The scammer has usually done enough research and has enough information and half-truths to make the scam seem credible.

    According to CNBC, IT security firm Mimecast saw “a huge spike in the new tactic, with more than 1,600 scam emails intercepted in just a two-day period from Jan. 2 to Jan. 3.”

    When describing this particular scam, Kiri Addison, head of data science, said “this one is a bit different. It stood out, because it’s really convoluted in a way. It starts out with a single email saying ‘we’ve got some nude photos of you.’”

    The email will include a link to a website showing Nest footage from an innocent area the person could have visited, such as a bar or restaurant. The idea is to make the person believe they’ve been monitored and recorded over a long period of time, in any number of situations, making it more believable they may have been recorded in a compromising position.

    Ultimately, the victim is walked through the process of establishing a bitcoin wallet and paying the scammers $500 to keep their photos and videos from being released on porn sites. It’s important to understand there aren’t actually any photos or videos.

    As CNBC points out, “if you receive a sextortion email, the best thing you can do is ignore it.

    “Although internet-connected cameras and smartphones can be hacked, this is a very rare event. It’s practically non-existent for such a hack to be combined with an extortion demand.”

  • Ashley Madison Hackers: Will They Release Personal Info Of Clients?

    Ashley Madison customers are sweating bullets right now as the public waits to see whether or not hackers who stole customer information from the site are going to make it public.

    Ashley Madison is the hook-up site for married people looking for affairs. In fact their slogan is “Life is short. Have an affair.”

    So, it’s no surprise that the list of client info from Ashley Madison has caused such a stir. Is your spouse registered? Are there any famous or powerful people included?

    A group of hackers known as The Impact Team reportedly attacked Ashley Madison to prove that, while the site charges $19.99 to delete your information, they keep it all anyway.

    After the breach, Ashley Madison released a statement saying that they had taken care of the problem.

    The statement read, “We were recently made aware of an attempt by an unauthorized party to gain access to our systems. At this time, we have been able to secure our sites, and close the unauthorized access points.”

    The statement continued, “We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber terrorism will be held responsible.”

    Wow, cyber terrorism. That’s pretty serious.

    But, likely, victims of this crime are less upset at having their private information stolen than they are at the possibility of it being released to the public.

    The kind of information stolen from Ashley Madison includes real names, addresses, credit card transactions, internal documents and even emails.

    Ashley Madison is owned by Avid Life Media, the Toronto-based company that also owns CougarLife.com and EstablishedMen.com.

    Do you think hackers should make public the information they stole from Ashley Madison? What if your spouse is on the list?

  • Obama Creates New Cyber Intelligence Agency

    It’s official – the US has a new agency to help combat cyber attacks.

    Through a new memorandum, President Obama has established the Cyber Threat Intelligence Integration Center (CTIIC), a brand new agency tasked with centralizing and organizing intelligence related to cyber threats. The CTIIC was first announced earlier this month by Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco.

    “Cyber threats are among the gravest national security dangers to the United States. Our citizens, our private sector, and our government are increasingly confronted by a range of actors attempting to do us harm through identity theft, cyber-enabled economic espionage, politically motivated cyber attacks, and other malicious activity,” says The White House. “As with our counterterrorism efforts, the United States Government is taking a “whole-of-government” approach to defend against and respond to these threats. In creating the CTIIC, the Administration is applying some of the hard-won lessons from our counterterrorism efforts to augment that “whole-of-government” approach by providing policymakers with a cross-agency view of foreign cyber threats, their severity, and potential attribution.”

    The CTIIC will not be an intelligence-gathering agency, instead it’ll act in a supporting role (hence the “integration”).

    “The CTIIC will not be an operational center,” says The White House. “It will not collect intelligence, manage incident response efforts, direct investigations, or replace other functions currently performed by existing departments, agencies, or government cyber centers. Instead, the CTIIC will support the National Cybersecurity and Communications Integration Center (NCCIC) in its network defense and incident response mission; the National Cyber Investigative Joint Task Force (NCIJTF) in its mission to coordinate, integrate, and share information related to domestic cyber threat investigations; and U.S. Cyber Command in its mission to defend the nation from significant attacks in cyberspace. The CTIIC will provide these entities, as well as other departments and agencies, with intelligence needed to carry out their cybersecurity missions.”

    The new agency will start off with a $35 million budget and about 50 people on staff, and will fall under the Office of the Director of National Intelligence.

  • The US Is Getting a New Anti-Cyberattack Agency

    Today, Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco will give a speech at the Wilson Center at an event on cyber threats. According to the Center, Monaco will “preview plans for preventing the most pernicious state and non-state digital intrusions and Administration efforts to provide early warning about cyber attacks.”

    And apparently, one way to prevent these sorts of attacks, which are becoming more and more prevalent, is to create a new government agency devoted to the sharing of intelligence on cyberattacks.

    The Washington Post is reporting that Monaco will announce the creation of the Cyber Threat Intelligence Integration Center.

    “The cyberthreat is one of the greatest threats we face, and policymakers and operators will benefit from having a rapid source of intelligence,” Monaco told the Post. “It will help ensure that we have the same integrated, all-tools approach to the cyberthreat that we have developed to combat terrorism.”

    According to the Post, the new agency will start off with a $35 million budget and about 50 people on staff, and will fall under the Office of the Director of National Intelligence.

    The idea behind the creation of a specialized cyber threat agency is to make sure the government has a centralized place to share intelligence. Apparently, the Cyber Threat Intelligence Integration Center is “modeled after the National Counterterrorism Center, which was launched in the wake of the Sept. 11, 2001, attacks amid criticism that the government failed to share intelligence that could have unraveled the al-Qaeda plot.”

    The recent hack of Sony Pictures most likely had an impact on the decision to create the new agency. According to the FBI, there was enough evidence to suggest that North Korea was, at least in part, responsible for the attack.

  • HP Releases Cyber Security Risk Report, Organizes Its Security Research

    Though the focus of the tech press this week will certainly be on the Mobile World Congress in Barcelona, security researchers are having their own RSA conference this week in San Francisco.

    HP has managed to find itself at both conferences, straddling the line between its classic form as a hardware manufacturer and the enterprise products it sees as its future. While the newly announced HP Slate 7 might not have the hardware to truly compete in the mini-tablet market, HP is still hoping that its enterprise security offerings might be just the thing businesses are looking for.

    At the RSA conference today, HP has released its 2012 Cyber Security Risk Report. The report shows, predictably, that total security vulnerabilities are rising, keeping pace with the growing technology infrastructure. Although the report also shows that “critical vulnerabilities” are down, it warns that the existing vulnerabilities are getting harder to fight.

    The report looked at 100,000 different URLs and found that well-known vulnerabilities (such as cross frame scripting) are still common throughout the web. In fact, 40% of the vulnerabilities found could be placed into just four different categories.

    Mobile vulnerabilities were found to have risen significantly (68%) from 2011 to 2012, mirroring the growth of mobile applications. Of the mobile applications tested by HP, 48% of them were found to have unauthorized access vulnerabilities.

    The report’s statistics are reminiscent of other recent security reports, such as the HP-sponsored 2012 Cost of Cyber Crime Study or Verizon’s 2012 Data Breach Investigation Report, which found that anonymous “hacktivism” is on the rise. Though it may seem that such reports are, literally, trying to scare up business, it’s clear from many sources that the security risks faced by businesses and governments of all sizes are complicated and increasing.

    The security report is part of a new initiative within HP to organize its security investments under the banner of the HP Security Research (HPSR) group. These include HP security products such as DVLabs, which finds and analyzes vulnerabilities, and the Zero Day Initiative, which investigates cyber attacks and security breaches.

    “It’s a way of combining intelligence research that was already happening at HP,” said Mark Painter, product marketing manager at HP. “Really what we’re trying to do is give organizations actionable intelligence research.”

    That “actionable intelligence” phrase is one that came up repeatedly when Painter spoke with WebProNews. It’s one of the goals of HPSR, along with trying to “drive innovation” and publish security research. To that end, the group will be providing free bi-weekly threat intelligence briefings that are available to the public. The HPSR will also seek to publish white papers and intelligence research, and will be releasing podcasts in conjunction with the threat briefings.

  • McAfee CEO to Deliver Speech at White House

    Co-president of McAfee Security Solutions, Michael DeCesare, will be delivering a speech at the White House tomorrow titled, “Building Cybersecurity Partnerships and Promoting Voluntary Action: Stopping Botnets”. The event, held in the Indian Treaty Room from 8:30 PM to 9:45 PM, will be hosted by White House Cybersecurity coordinator, Howard Schmidt.

    The White House, in conjunction with the US Department of Commerce (DOC) and Department of Homeland Security (DHS), is committed to solving cybersecurity problems like botnets via a successful voluntary public-private partnership. Partnering with companies like McAfee allows them to coordinate action and identify the biggest problems from multiple angles.

    Botnets are currently considered to be one of the biggest threats to internet security and have grown in the first portion of 2012 to now include over 5 million cases. McAfee is a member of the Industry Botnet Group (IBG) and works fighting botnets both in government and industry.

  • Cyber Security and Advanced Malware [Infographic]

    I’m sure this is not news, but over 60% of security and IT professionals think their organization will be the victim of some type of cyber attack within the next six months. That’s an awfully large group of people who are worried about the integrity of the systems they work on every day. Either we have an enormous and growing criminal element at work here or we have some pretty shoddy systems that we’re all using. Or could it all be just a lot of hype and scare tactics from the media?

    The answer is that it is all of these things. Many of our organizations don’t have very good security, there are lots of folks who like to hack in and steal information, and there’s a lot of hype about security threats in the media every day.

    This next infographic from Bit9.Com gives us some powerful insight and statistical analysis about what’s really going on out there with cyber security. It appears there’s a lot that can be done to make it less likely your organization will be the victim of an attack, and most of it is just about being proactive.

    I think this graphic is relevant to almost everyone today. Take a look at it and decide for yourself if you’re doing everything you can to stay protected. It’s filled with great facts and useful information.

  • Proposed EU Law Wants To Make Possession of Hacking Tools A Crime

    The European Union is looking to update and standardize its anti-hacking legislation. Under a draft law backed by the EU Civil Liberties Committee on Tuesday, hacking IT systems, as well as the possession or distribution of hacking tools, would be a criminal offence throughout the EU, one punishable by 2-5 years in prison.

    This latter restriction would be the equivalent of the UK’s “going equipped” statute, whereby suspects are in violation of the law merely by possessing implements necessary to commit an offence. By criminalizing the possession of hacking tools, the proposed law could also hinder the efforts of white and grey hats working on the legal side of the infosec industry. Cyber security expert Mikko Hyppönen, Chief Research Officer at F-Secure in Helsinki, tweeted his disapproval of the draft legislation:

    Did I understand this correctly? EU wants to improve computer security…by making penetration testing illegal? What? http://t.co/yLWKlN52

    Meanwhile, Senator Leia Organa of the EU member state Alderaan’s Pirate Party, issued this statement about the proposal:

    (Kidding.)

    Also under the proposal, companies would be liable for cyber attacks committed for their benefit, regardless of whether those attacks were committed deliberately or through a lack of supervision. “We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year,” said rapporteur Monika Hohlmeier, of Germany. “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world,” she added.

    With all due respect to Madame Rapporteur, the seatbelt analogy doesn’t exactly fit the legislation. I think the proposal she was meaning to support with that analogy is the one that would hold corporations criminally liable for having inadequate security systems that allowed a security breach which compromises individuals’ personal data. Oh, but that proposal doesn’t exist. It should, though. It would really fit the analogy, and it would be a surefire way to beef up corporate cyber security. But I digress; on with the legislation:

    The maximum penalty to be imposed by EU states for violation of the law would be at least two years’ imprisonment, and at least five years where there are aggravating circumstances. “Aggravating circumstances” could include the use of a tool specifically designed for large-scale (e.g. “botnet”) attacks, or attacks that cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data. IP spoofing, the practice of covering one’s tracks by stealing someone else’s electronic identity, would also be an aggravating circumstance, as would attacks committed by a criminal organization or targeting critical infrastructure.

    In liability cases, MEPs say member states should set a maximum penalty of at least three years.

    The proposal to update existing EU cyber attack legislation was approved by 50 votes in favor, 1 against, and 3 abstentions. Rapporteur Hohlmeier aims for a political agreement between the Parliament and Council on the proposed legislation by this summer.

  • Is Harry Reid Slipping SOPA Into A New Cyber-Security Bill?

    While details about a proposed cyber-security bill remain elusive, one frightful speculation seems to be making the rounds lately: Senate Majority Leader Harry Reid has not abandoned his effort to shackle the Internet.

    After Internet commoners and companies alike pushed back in a determined way last month against the Stop Online Piracy Act and Protect IP Act, many were content to pat themselves on the back for defeating the bill. The bills, though, while delayed, were not convincingly defeated.

    Harry Reid appears unwilling to let SOPA go quietly into the night. An article published last night on RT reports that Reid may be trying to resurrect SOPA by couching it within a new cyber-security bill. Worse, the new bill would also reawaken the proposed Kill Switch bill from last year. Kill Switch, another Internet-regulating bill that was lobbied for by Sen. Joe Lieberman, would give the White House the executive power to shut down the Internet in response to a cyber threat. Awesome, right?

    Last month, it was hard to imagine that any legislation could be worse for the Internet than SOPA. Now that Reid may be attempting to include Kill Switch with his renewed efforts to pass the bill, he may officially become the Dr. Frankenstein of monstrous bills that seek to muzzle the Internet.

    Watch this space for updates on what new horrors the Democrats in the Senate attempt to unleash on the Internet.