Wednesday, Aug 19, 2015

There are many different ways to attack movie piracy, and Popcorn Time is becoming another target that is being gone after...

Lisa Vaas of Naked Security at Sophos wrote an interesting post about the law going after people who discuss how to access Popcorn Time, and even people who use it to view illegally accessed movies.

According to Lisa, movie makers in the US have filed a lawsuit against 11 Popcorn Time users, alleging they used the software to watch the 2014 Adam Sandler comedy The Cobbler.

This is enough to cause me not to use this kind of service, not just because of the moral issues of stealing, but also because one just doesn't need the hassle.

Be careful of even describing how to access or use the service, because people doing this are now being prosecuted as well.


Thursday, Aug 13, 2015

How one school district is monitoring social media of students and teachers


Does your child ever tweet that she "hates" her math teacher?

Does he write that he's so embarrassed he could jump off a bridge?

Do her posts ever mention being bullied, or does she use them to make fun of other kids?

Are you, as a parent, even aware of everything your kids post?

Even if you aren't on top of everything your child posts, your kid's school well might be, given all the social media monitoring software on the market.

If you live in Florida's Orange County, those kinds of posts could mean school officials come looking into whatever's going on.

That's because Orange County is one of the latest school districts to start monitoring all of the thousands of social media posts made by both students and teachers.

It's doing so with a new monitoring software called Snaptrends that monitors social media posts from all accounts in its location.

The school district reportedly paid $14,000 for a one-year Snaptrends license.

That buys the district's schools the ability to search thousands of posts on sites like Twitter, Facebook and Instagram, hunting for keywords that might indicate trouble.

School officials say that the goal is to flag potential dangers including cyberbullying, suicide and crime.

Joie Cadle of the Orange County School Board told WESH TV that the monitoring will alert school administrators to kids sending potentially serious threats via social media:

If they are sitting in a classroom and they are tweeting because they are mad at their teacher or their girlfriend for whatever reason, and there are some threatening words there, we need to be able to know if it is credible.

It's not like the posts are private. As Snaptrends' privacy policy notes, the technology only sifts through public posts.

But opponents of the school's new snooping effort, which was announced in April, say it's not the fact that their kids are being surveilled that's disturbing them.

Rather, it's the unanswered question of just what, exactly, the school district plans to do with the information it collects.

WESH TV quotes Cindy Hamilton, co-founder of Opt Out Orlando:

My privacy issues aren't with the fact that they're just out there looking at it, because frankly, with social media it's not private. But what are they going to do with the information they look at? That's what we're concerned about.

When it announced the monitoring, the school district said it will:

[U]se the software to conduct routine monitoring for purposes of prevention or early intervention of potential issues where students or staff could be at risk to themselves or to others.

The company will assist district law enforcement and security personnel in monitoring publicly available social media communications that are relevant to school operations and personnel.

Florida isn't the only state to turn to monitoring in the face of school shootings, violence and bullying.

As CNN reported last year, the school system in Huntsville, Alabama, hired a retired FBI agent for security work, which included reviewing social media "when a high priority tip is received about an emerging threat to a school, student or staff member," as a school district spokesman said.

As well, the Glendale school district in Los Angeles in 2012 made the controversial decision to pay the firm Geo Listening $40,500 to monitor its students' social media activity on sites like Twitter, Facebook and Instagram.

The impetus to look into the technology was the suicides of two students. The final decision to pay for the monitoring was made after a pilot program helped administrators step in when yet another student used social media to talk about "ending his life."

The Orange County School District hasn't detailed how officials will decide what, precisely, to review.

Some technologies might just search social media posts, but others are more akin to tools you might expect to see in the arsenals of government surveillance agencies.

Safe Outlook Corporation's monitoring software CompuGuardian, for example, gives school administrators not only the ability to search keywords connected to cyberbullying and drug use, but also to delve into students' search histories to see if they're researching topics about dangers such as school violence.

CNN quotes Safe Outlook President David Jones:

You can identify a student, and you can jump into their activity logs and see exactly what they've typed, exactly where they've gone, exactly what they've done, and it gives you some history that you can go back to that child and use some disciplinary action.

You can bring in the parent and say, 'Hey, look, this is what your child's doing. You need to talk to them about it.'

Interestingly, though hardly surprisingly, Snaptrends is reportedly also in use by the Central Florida Intelligence Exchange, which is the local law enforcement fusion center.

A fusion center is a center set up to "analyze information and identify trends to share timely intelligence with federal, state, and local law enforcement including [Department of Homeland Security], which then further shares this information with other members of the Intelligence Community."

As such, it's not surprising that opponents point to the monitoring software's collection of anything and everything, potentially threatening and perfectly innocent content alike, just as critics point to the Feds' propensity to amass vast troves of surveillance data about citizens.

From a post against the surveillance, written by Florida attorney Scott Martin:

Snaptrends is a type of social media scraper/aggregator that collects social media information in mass. The data are scooped up by an automated process without regard to the nature of the content - good, bad, or indifferent.

But what guarantees are there that the social media information collected by the District will be limited to ... benevolent purposes? What policies are in place? Who can access the data? What conclusions are being drawn from the data? Who is drawing those conclusions? What standards are they using in making decisions based on captured data?

All these questions should be answered before any such tool is put in place, Martin says.

I agree. What's your view?

Tuesday, Aug 11, 2015

Press Release: Sophos Wins All Three Security Categories in 2015 CRN® Annual Report Card 

OXFORD, U.K. August 10, 2015 – Sophos has won all three security-focused categories in The Channel Company's esteemed 2015 CRN® Annual Report Card. Sophos swept the board for the second year running as the winner of "Overall Category: Client Security Software" and "Overall Category: Network Security Appliances," and extended its recognition this year by adding "Overall winner: Network Security Software" to its accolades. Sophos is the only vendor to have received top ratings in all client and network security categories, demonstrating the consistency of the channel experience across its portfolio.

The Annual Report Card summarizes results from a comprehensive study that details solution provider satisfaction with hardware, services and software vendors. The vendors with the highest marks are named to the prestigious Annual Report Card list and celebrated as best in class by their partners. The results also provide the IT vendor community with valuable feedback—directly from their solution providers—that can be used to hone product offerings and improve communication with partners.

"Our partner community is absolutely critical to our success in helping businesses and government agencies of all sizes protect their systems and information from cyber-attack," said Mike Valentine, senior vice president of worldwide sales for Sophos. "The unprecedented high marks awarded by our partners for the 2015 Annual Report Card reflects our companywide commitment to the channel. This year, CRN and its readers have recognized many of our key marketing and sales people for their accomplishments and impact within the channel, and now to receive such credit in all client and network security categories, is an honor for our entire company."

This year's elite group of honorees was selected based on the results of an in-depth invitation-only survey by The Channel Company's research team. More than 2,400 solution providers were asked to evaluate their satisfaction with 72 vendor partners in approximately 22 major product categories. The winners will be honored throughout The Channel Company's XChange 2015 event Aug. 9-11 in Washington, D.C., and highlighted in the leading media outlet for the IT channel, CRN. To view the results of the study as well as the list of this year's honorees, visit www.crn.com.

"Today's solution providers are juggling multiple vendors, product lines and customer demands. They are looking for true partnerships with their vendors in order to tailor solutions that will meet and exceed their customers' expectations," said Robert Faletra, CEO of The Channel Company. "CRN's Annual Report Card continues to give solution providers an outlet to deliver feedback to vendors and recognizes those vendors at the top of their game. We join these solution providers in applauding 2015 honoree Sophos and recognize them for their stellar performance."

Monday, Aug 10, 2015

Microsoft Makes DVD Player for Windows 10 Free for Some

While many mobile devices today don't have DVD drives built in anymore, most desktop units still do, and if you want to be able to play DVDs on your computer it may cost you to do so on your newly purchased or upgraded Windows 10 machine.

You can download Microsoft's DVD Player for Windows 10 from the Windows Store for free unless:

  • You're using Windows Enterprise
  • You did a clean install of Windows 10 instead of an upgrade; in that case, again, you don't get it free

The player app is free only for Windows 7 or Windows 8/8.1 users who had Media Center on their machines prior to an upgrade to Windows 10. You also need to upgrade during the free period that Microsoft has outlined. Otherwise you will have to open your wallet and shell out $14.99 in the Windows Store.

If you don't want to pay, try downloading the free VLC media player for Windows. This is an open source product that you can donate to and they currently have a player that supports Windows 10.

Friday, Aug 07, 2015

Microsoft Releases Sway to Office 365 and Windows 10 Users

Sway lets you compose text and graphics on the fly, and it can be used free if you have a Microsoft account. This product is viewed as a presentation tool to be used primarily by business and education users. Subscribers to Microsoft's Office 365 plans that include "Office Online, Office 365 Business or Office 365 ProPlus" have access to this new Sway commercial release.

Sway users create presentations, called "Sways," from various text and graphics sources. The Sway application sets up the layout based on integrated design principles. Typically, a viewer would scroll vertically or horizontally through a Sway presentation, but a new added feature with this release is the ability to show Sways in an individual slide-by-slide manner.

Also with this release, Microsoft now permits a single device to handle multiple Sway accounts for home and work purposes. Microsoft has also enhanced the Share button in Sway so that presentations can be shared via Docs.com, which is a free Office documents sharing portal.

I would love to hear from anyone that is actually using this product and how you are using it.

Friday, Aug 07, 2015

Windows 10

As more resources become available to us I will be posting them up to this site for you to access.

Below is a link for accessing the Windows 10 free location for you to get your very own free update.

windows.com/windows10upgrade

Or download a brochure from Microsoft with all of this information here.

Thursday, Aug 06, 2015

Latest Flash hole already exploited to deliver ransomware - update now!

By Paul Ducklin, nakedsecurity.sophos.com

Thanks to Andrew O'Donnell and Fraser Howard of SophosLabs for their behind-the-scenes work on this article.

Are you still using Flash in your browser?

If so, make certain you've got the latest update from Adobe, even though it only came out last week.

Ideally, you'll have 18.0.0.194, announced in Adobe Security Bulletin APSB15-14, issued on 2015-06-23.

→ Windows and Mac users can optionally choose the Extended Support Release, which is an old version retrofitted with the latest necessary security fixes. That one is numbered 13.0.0.296. Linux users are stuck back on Flash 11, for which the current update is 11.2.202.468.
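As an added example that is not from the article or from Sophos: a small Python check that compares installed Flash Player builds against the three fixed builds quoted above, so that a fleet can be checked for stragglers. The hostnames and builds in the sample inventory are constructed.

```python
"""Added example (not from the article): check installed Flash Player
versions against the fixed builds APSB15-14 lists, as quoted above."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed build per release branch, as given in the article.
PATCHED_BUILDS: Dict[int, Version] = {
    18: (18, 0, 0, 194),    # current release, Windows and Mac
    13: (13, 0, 0, 296),    # Extended Support Release, Windows and Mac
    11: (11, 2, 202, 468),  # Linux, still on the Flash 11 branch
}


def parse_version(text: str) -> Version:
    """Turn '18.0.0.194' into (18, 0, 0, 194).

    Comparing integer tuples matters: as strings, '18.0.0.99' sorts
    after '18.0.0.194', which would wrongly report an old build as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_patched(installed: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it lags behind, None if the branch is not one the bulletin
    covers (so it cannot be declared safe from this list alone)."""
    version = parse_version(installed)
    fixed = PATCHED_BUILDS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose Flash build is below the fixed build, or on
    a branch the bulletin does not list (flagged for attention, not safe)."""
    return sorted(host for host, ver in inventory.items()
                  if is_patched(ver) is not True)


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = {
    "desk-01": "18.0.0.194",     # current release, fixed
    "desk-02": "18.0.0.160",     # current release, lags behind
    "esr-01": "13.0.0.296",      # Extended Support Release, fixed
    "linux-01": "11.2.202.460",  # Linux branch, lags behind
    "old-01": "17.0.0.188",      # branch not covered by the bulletin
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the APSB15-14 update")
```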

Adobe still delivers its routine patches on Update Tuesday, the second Tuesday of every month, so last week's patch was of the unexpected, emergency sort.

Targeted attacks to start with

The bug that was fixed is designated CVE-2015-3113, and it is a remote code execution (RCE) bug that Adobe admitted was "being actively exploited in the wild via limited, targeted attacks."

However, Adobe went on to temper that statement by adding, "Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets."

Whether that's because the threat mitigations in Windows 8 and above make this vulnerability too hard to exploit, or simply because the victims being targeted were known in advance to be running older versions of Windows, is not clear.

One thing is for sure, though: there's still a lot of XP about.

The announcement that the US Navy just paid for a year of extended support for XP - more than a year after official support ended anyway - was a blunt reminder of that.

As colleague Chester Wisniewski pointed out [0'43"] in this week's Chet Chat podcast:

After all the news of the breaches in all these different government agencies..., it was a little concerning to think that we're not down to the shortlist of the last 500 machines over here in the corner, but 100,000 [Navy computers] still running XP.


In fact, by some accounts, Windows XP is still more widely used worldwide than all versions of OS X out there, and only a shade behind Windows 8 and 8.1 combined.

Cybercrooks join the attacks

As documented by well-known independent malware researcher Kafeine, attack code exploiting the CVE-2015-3113 Flash bug has already been packaged by crooks into an exploit kit called Magnitude.

Exploit kits, don't forget, are part of the "pay-per-install" ecosystem of modern crimeware.

Instead of battling to build a specific exploit into your own malware so you can attack unsuspecting users with a drive-by download, you just buy or rent access to an exploit kit (EK).

Typically, that's a server, perhaps "borrowed" from an unsuspecting system administrator whose Linux security isn't up to scratch, that is already rigged up with malicious JavaScript pages designed to unleash any of a number of pre-packaged exploits.

The JavaScript in the EK usually tries to work out which exploits are most likely to work in a victim's browser, for example by checking version numbers and available plug-ins, and then runs the most promising exploits in turn until one of them works.

At that point, if you're the crook, it's up to you what you want the EK to deliver.

Weapon of choice

So far, it looks as though the malware of choice that's pushed out by the crooks behind these attacks is ransomware of the Crypto Defense family.

Cryptoransomware, of course, is a particularly odious sort of malware that leaves your computer running fine, but scrambles your data files and then demands a fee for the decryption key to unlock them.

If you don't have a backup, and the crooks have done their cryptographic programming correctly, then paying up is about the only way to see your files again.

What to do?

Prevention, obviously, is what you want, especially where the data-scrambling payload of ransomware is concerned.

Here are some tips:

  • If you don't need Flash, don't install it at all. To find out if you actually need it, rather than assuming you need it, try living without it for a week or two. You may get a pleasant surprise.
  • If you need Flash only occasionally, use click-to-play. That's where your browser asks you every time whether you want to let a page use Flash. Or turn the Flash plugin off altogether except for the times you know you need it.
  • If you have Flash, don't lag behind on updates. Even automatic updates can take a while to turn up, because Adobe spreads the load randomly amongst its users. You can jump the queue by checking for updates manually.
  • If you're still running Windows XP, please don't. Vulnerabilities that are really difficult for crooks to exploit on Windows 7 and later - as good as impossible, in fact - can often still be turned into working attacks against Windows XP.
  • Keep your anti-virus turned on and up-to-date. A good anti-virus can block this sort of attack at multiple points, e.g. by blocking the web page where the EK is hosted; blocking the EK's JavaScript component; blocking the Flash exploit itself; and blocking the ransomware it would grab next.
  • Don't skip making backups. If you don't have a good enough backup to recover from ransomware, you are at risk of any number of other potential data disasters, too. These include accidental deletion, a failed hard drive, and a lost or stolen laptop.

NB. Sophos products block the threat components mentioned above under numerous names. Detections you may see include: Mal/ExpJS-BU (exploit kit JavaScript), Exp/20153113-A (Flash files exploiting CVE-2015-3113) and Troj/Ransom-AXO (ransomware seen in attacks).


Wednesday, Aug 05, 2015

SSCC 210 - So many cool new Windows 10 features to opt out of [PODCAST]

This week's Sophos Security Chet Chat: Episode 210 - August 5, 2015

I love that Sophos provides this information to us to learn from. It gives you deep understanding about features, issues and things that you need to think about in using and protecting your systems.


Wednesday, Aug 05, 2015

Encrypt like everyone's watching! 60 Sec Security [VIDEO]

Watch this week's 60 Second Security...


Wednesday, Aug 05, 2015

The "Stagefright" hole in Android - what you need to know

The conference circuit can be a competitive arena, especially when there are multiple parallel streams.

For example, back in 2010, I was at Black Hat in Las Vegas, and I attended the talk next door to the late Barnaby Jack's now legendary "ATM Jackpotting" talk.

Jack famously made unmodified ATMs that he bought off eBay cough up banknotes live on stage.

Those of us next door had to wait until the ovation and commotion died down before our presenter could continue lecturing to his meagre audience. (At least there was a good choice of seats.)

Exploit Disclosure Silly Season

So it's not surprising that July tends to be Exploit Disclosure Silly Season.

Presenters at Black Hat and Def Con try to convince the media to tell the world that theirs is the talk to choose, stressing the severity of the hole they've found without giving too much away.

There's nothing wrong with that: good talks based on solid reverse engineering aren't easy to put together, and if you're prepared to do a live demo to go with it, you're entitled to your "jackpot" moment.

So, imagine that you've got exploit talks accepted at Black Hat and Def Con, that your hack is a remote code execution hole in the world's most widespread mobile operating system, and, best of all...

...that the operating system component in which you found the bug is called "Stagefright".

That's a better name for an exploit than POODLE or LOGJAM – heck, it's a better name than Heartbleed (although the bugs don't really compare at all, whatever you may have read).

You can use a name like "Stagefright" in your press releases without being accused of hyperbole.

Unsurprisingly, then, that's what researchers at Zimperium have done.

They found a bunch of security holes, now designated with seven different CVE numbers (CVE-2015-1538, -1539, -3824, -3826, -3827, -3828 and -3829).

It's become the "Stagefright" hole.

Multimedia Messaging System

The bugs are in an unfortunate part of Android: a part that is used by the Multimedia Messaging System, or MMS.

Remember MMS?

Like SMS but with videos, sounds, pictures, and no annoying 160-character limit?

It's an aging system that doesn't get a lot of attention these days, because internet-based programs like WhatsApp, Snapchat and Instagram have swept it aside.

But most Android phones are still set up to receive MMS messages, and will process them automatically by default.

Technically speaking, an MMS arrives as a link, so that the actual content of the message (which might cost you money) is fetched only later on, when you decide that you want to look at it.

That's a bit like email clients that fetch only subject lines at first, so you can ignore or delete unimportant messages without racking up download charges.

But the default SMS/MMS apps in Android 4.4 (KitKat) and 5.x (Lollipop) are Messaging and Hangouts respectively, and their default configuration is to download MMS content in the background as soon as the messages arrive.

Remote Code Execution

Unfortunately, the bugs found by Zimperium allow shellcode – executable instructions disguised as harmless multimedia data – to take control of your device as soon as the content of a booby-trapped message is downloaded.

So, you may be able to trigger malicious activity as soon as a victim's device receives your poisoned message, even if they later decide to delete it.

That's what's known as a Remote Code Execution (RCE) vulnerability, almost always the worst sort.

The bug has been around for some time, and Zimperium is claiming that 950,000,000 devices may be at risk.

(That precise sounding number seems to be simply a 95% vulnerability rate multiplied by a round one billion Androids.)

Patches coming

Google knows about the bugs, and has prepared patches.

Indeed, if you have a Google Nexus, and you have updated recently, it sounds as though you are already safe.

Sadly, we can't be sure which other device vendors have already patched, unless they choose to say so, because Zimperium is keeping the exploits under wraps until Black Hat, when the whole world will find out about them (and presumably, how to exploit them) at the same time.

It also sounds as though rebuilding Android from the open source project (AOSP) won't help yet.

Google told The Guardian:

This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.

As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat.

In short, this sounds like a serious bug, and you should be looking for a patch as soon as you can get one.

What to do?

  • Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
  • If you can't get a patch right now, find out when to expect it so that you can apply it as soon as you can.
  • If your messaging app supports it (Messaging and Hangouts both do), turn off Automatically retrieve MMS messages.
  • If your device supports it, consider blocking messages from unknown senders if you haven't already.
  • If your SMS/MMS app doesn't allow you to turn off Automatically retrieve messages, consider simply switching back to Android Messaging, which does.

Unless your digital lifestyle hinges on MMS, we think that you will be able to live without it, and that blocking the auto-download of potentially booby-trapped MMS content is a great start.

Of course, even if you've turned MMS auto-downloading off, you still need to avoid clicking on suspicious MMSes – doing so would initiate the potentially dangerous download anyway.

So, if you see an MMS from a sender who's never communicated with you before, consider deleting it.

And don't forget that "Stagefright" isn't specific to MMS messaging, but rather to the way Android renders the sort of content typically delivered by MMS.

Firefox for Android, for example, has recently been updated; it too was apparently vulnerable via web pages containing booby-trapped videos.

So, keep your eyes peeled for those patches!

Tuesday, Aug 04, 2015

Yet Another Encryption Scam

ZDNet reports that another encryption scam has arisen to rear its ugly head, using the Windows 10 upgrade as the teaser. Hackers are targeting users attempting to upgrade to Windows 10 with ransomware that encrypts files until a ransom is paid. The "bad guys" appear to be impersonating Microsoft in an attempt to grab your money.

Emails are being sent out tempting the recipient with an attachment that is supposedly an installer that will let them get the new Windows 10 operating system sooner. What is making this scheme work is the fact that Microsoft is making users wait in a queue for their turn to upgrade their systems. Impatience on the part of waiting users is causing plenty of heartache for those who succumb to the temptation of running the installer.

Once you download and open the attached executable file, the malware payload runs and begins encrypting data on the affected computer, locking you out of those files.

Typically you are required to pay the ransom using bitcoin, which is much harder to track. And to make the bad guys even harder to track, they are usually using the Tor network, which makes them nearly impossible to trace.

Cisco researcher Nick Biasini said the malware payload, called CTB-Locker, is being delivered at a "high rate." "The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user's files without having the decryption key reside on the infected system."

Ransomware attacks have been on the increase since 2014, and ransomware is a quick, easy and near-untraceable way to generate a lot of money in a very short time. So hackers are going to keep coming up with new ways to attack your systems. Beware of what you are clicking on and accepting: you may be their very next victim!

Wednesday, Jul 29, 2015

Logitech H800 Wireless Headset

I was looking for a simple wireless headset to replace the headset I used on my home system. I thought it would be nice to be able to work on projects while still being able to move around my office hands-free. My first test for sound quality was to get connected using Skype. I called home to my wife, and she reported to me that the sound quality was excellent and that she didn't hear any background noise either. This was very important because I use Skype quite often to call out when I am at home. Skype has great integration with our client management system, and this makes it very easy for me to reach out and touch someone.

This is a Bluetooth headphone set, so it can be paired not only with the tiny nano receiver that you plug into a USB port, but may also be connected to a smart phone or tablet by pairing it with those devices. I should be able to move up to 40 feet from the Bluetooth connection, which is what I am testing right now. It appears that I don't have to have line of sight, but going through several sets of walls does attenuate the signal enough to stop the connection.

There is a button on the side of the headset that allows you to switch between the Bluetooth circuit and the nano receiver, so you can switch between devices using that function. By holding in the plus key on the right ear piece you begin the pairing process with any Bluetooth device. I paired it with my Microsoft Surface inside of two minutes. It was a very simple process.

The battery is rated to last six hours, so there is plenty of talk and listening time between charges. If you are running low, just plug the headset into a USB port; the recharge will begin and you can continue using the headset at the same time. The only issue that I'm going to have over time is that all batteries have a limited number of times that you can charge them, and eventually I will have to dispose of the headset when it can no longer hold a charge. If you need replacement ear pads or a replacement battery, you can get them on the Logitech website. The pads and the battery are both five dollars apiece. If you lose your nano receiver, you can get another one for $15.

It does have a noise-canceling microphone, so it should work fairly well even in a noisy environment. It only took me seconds to get connected to my Dragon NaturallySpeaking software, and I didn't have to train it at all to begin dictating to it accurately.

The nano receiver is a 2.4 GHz wireless connection and allows you to move up to 40 feet away from your PC without losing the connection.

The documentation states that it has a fold-and-go design, but even though it does get smaller, because of its heavy construction it does not fold as tight as my Plantronics unit did. It does get a little bit smaller, though, so it will fit into a backpack without a problem. The left ear piece opens up for access to the battery and also doubles as a storage compartment for the nano receiver, so it is available on your travels.

This unit retails for about $100. The warranty for the unit is two years. Be sure to go to the Logitech website to register your unit after you have purchased it.

Wednesday, Jul 15, 2015

CryptoWall ransomware cost US victims at least $18 million, FBI says

by John Zorabedian on June 25, 2015


Malware that encrypts all of a victim's files and holds them for ransom - what's commonly called crypto-ransomware or cryptoware - continues to be hugely successful in making money for the criminal gangs who perpetuate it.

According to a public service announcement from the FBI's Internet Crime Complaint Center (IC3), the CryptoWall variant of crypto-ransomware cost US businesses and consumers at least $18 million between April 2014 and June 2015.

That figure is based on complaints from 992 CryptoWall victims, and includes related damages such as the cost of network mitigation, loss of productivity, legal fees, IT services and credit monitoring services.

It's not clear how much of the $18 million was paid out in ransom fees to the CryptoWall criminals, but the FBI said that the ransom demanded typically ranged from $200 to $10,000.

The FBI called CryptoWall the "most current and significant ransomware threat" in the US.

Although the FBI's report of financial damages caused by CryptoWall is significant, it's likely those figures represent only a tiny minority of the cost to victims worldwide.

It's difficult to determine the exact number of crypto-ransomware victims, in part because many businesses caught in the ransomware trap don't want to come out and say so (public sector organizations like police departments haven't had the same luxury).

Equally hard is figuring out how much money the crooks have hauled in from their ransomware enterprises.

What we do know is that crypto-ransomware is highly effective, and lucrative enough for criminals to keep coming up with new forms of it - one survey found that 3% of UK citizens had been victims, and 40% of those had paid the ransom.

CryptoWall's predecessor, CryptoLocker, was extremely successful - the crew behind CryptoLocker raked in an estimated $27 million in the first two months after it was unleashed in September 2013.

Although CryptoLocker was fatally damaged by a law enforcement take-down of its server infrastructure in May 2014, cybercriminals soon began spreading other dangerous forms of ransomware based on CryptoLocker's successful model.

We began seeing CryptoWall in April 2014, along with another similar variant called CryptoDefense.

Since then, other copycats have emerged that have proved to be just as dangerous, some even borrowing the CryptoLocker name.

Recently we even saw crypto-ransomware that borrowed themes and imagery from the popular television series "Breaking Bad."

The crooks have figured out some fiendish ways to get people to pay up: by making their illicit software "consumer-friendly" with easy-to-follow instructions on how to pay with bitcoins or other forms of untraceable e-payment, and offering "user support."

Crypto-ransomware crooks have also figured out that they can earn their victim's trust (more or less) by offering to decrypt one file for "free" - so you'll know the crooks will follow through on their promise to decrypt the rest of your files once you pay them.

If the crooks have implemented the encryption process properly - and they often have - you're left with a choice of losing your files, or paying for a copy of the decryption key.

It presents an ethical dilemma - one which Sophos security expert and fellow Naked Security writer Paul Ducklin captured well in his excellent post "Ransomware - should you pay?"

His spot-on and simple advice is summed up here:

  1. Don't pay if you can possibly avoid it, even if it means some personal hassle.
  2. Take precautions today (e.g., backups, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.
Friday
Jul032015

Hundreds of Dark Web sites cloned and "booby trapped"


The founder of one of the Dark Web's fledgling search engines is warning Tor users about the presence of hundreds of fake and booby trapped .onion websites.

Sites with addresses that end in .onion are anonymous, Dark Web websites (properly called hidden services) that can only be accessed using the Tor browser.

The fake sites were discovered by Juha Nurmi, a founding member of the ahmia.fi project, an open source search engine that aims to search, index and catalogue all the content present on the Tor network.

Nurmi first noticed a fake of his own site before discovering that there are multiple clones of hundreds of other Dark Web sites, including a fake of the .onion version of the popular DuckDuckGo search engine.

Nurmi raised his concerns on Monday, on the Tor-Talk mailing list and published a full list of fake or booby trapped sites to Pastebin.

I noticed a while ago that there is a clone onion site for Ahmia. Now I realized that someone has actually generated similar onion domains to all popular onion sites and is re-writing some of the content.

In his post to the mailing list he claims that there are multiple copies of each target site with similar-looking addresses.

Tor sites are often found through directories rather than search engines and they have addresses that are quite difficult to read, which probably makes it easier to plant fakes than on the regular World Wide Web.

For example, the real and fake addresses for DuckDuckGo are the equally immemorable:

http://3g2upl4pq6kufc4m.onion/ (real)
http://3g2up5afx6n5miu4.onion/ (fake)

Nurmi also claims that the fake sites aren't just duplicates of the real sites but proxies for them (he could presumably verify this for his own site but he doesn't state how or if he tested it for the others).

If he's correct then the proxies would allow the attacker to launch so-called Man-in-the-Middle attacks, stealing or modifying data as it passes through the fake site.

These sites are actually working as a transparent proxy to real sites. However, the attacker works as MITM [Man-in-the-Middle] and rewrites some content. It is possible that the attacker is gathering information, including user names and passwords.
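The clones described above were planted under addresses that share a short vanity prefix with the real one, and the same trick is what an exit node rewriting a clearnet directory page would rely on. The following added example (not code from Nurmi, ahmia.fi or the Tor project) shows the kind of check a directory maintainer or reader could run over a page: it pulls out every 16-character .onion address, compares each against a trusted list, and flags any that share a leading prefix with a trusted address without being identical. The only address taken from the article is the real DuckDuckGo one; the trusted list and the sample page are constructed.

```python
import re

# Hidden-service addresses as they looked in 2015: 16 base32 characters plus ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{16}\.onion)\b")

# Constructed stand-in for a directory verified out of band. Only the DuckDuckGo
# address comes from the article; in practice this list would be much longer.
TRUSTED = {
    "DuckDuckGo": "3g2upl4pq6kufc4m.onion",
}

# Constructed sample of a page as one circuit rendered it. The two DuckDuckGo
# addresses are the real/fake pair quoted in the article; the third is made up.
SAMPLE_PAGE = """
Search: http://3g2upl4pq6kufc4m.onion/ (real)
Search: http://3g2up5afx6n5miu4.onion/ (fake)
Mirror: http://zzzzzzzzzzzzzzzz.onion/
"""


def extract_onions(text):
    """Return the distinct .onion addresses in a page, in order of first appearance."""
    found = []
    for m in ONION_RE.finditer(text):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def shared_prefix_len(a, b):
    """Number of leading characters two addresses have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(addr, trusted=TRUSTED, min_prefix=4):
    """Classify one address against the trusted directory.

    Returns (verdict, name): "trusted" for an exact match, "lookalike" when the
    address shares at least min_prefix leading characters with a trusted entry
    but differs after that (the DuckDuckGo clone shares five), "unknown" otherwise.
    Four matching base32 characters occur by chance roughly once per million
    random addresses per trusted entry, so false alarms stay rare.
    """
    for name, good in trusted.items():
        if addr == good:
            return "trusted", name
    for name, good in trusted.items():
        if shared_prefix_len(addr, good) >= min_prefix:
            return "lookalike", name
    return "unknown", None


def audit_page(text, trusted=TRUSTED):
    """Map every address found on the page to its verdict."""
    return {addr: classify(addr, trusted) for addr in extract_onions(text)}


def changed_between_views(text_a, text_b):
    """Addresses present in one rendering of a page but not the other.

    Fetching the same directory page through two different circuits (or once
    over Tor and once not) and comparing is a cheap way to notice an exit node
    that rewrites .onion links on the wire.
    """
    return set(extract_onions(text_a)) ^ set(extract_onions(text_b))


if __name__ == "__main__":
    for addr, (verdict, name) in audit_page(SAMPLE_PAGE).items():
        print(f"{verdict:9} {addr}" + (f"  (matches {name})" if name else ""))
```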

In another sinister twist user 'garpamp', who claims that such activity has been "going on for years", states that he's seen pages that list .onion addresses being modified by malicious Tor exit nodes.

This is a completely different attack from the one identified by Nurmi and it occurs on the regular web, not the Dark Web, but it's aimed at achieving the same thing - getting you to visit a fake Dark Web service instead of a real one.

It works like this:

The Tor browser can be used to browse hidden services on the so-called Dark Web, where both the browser and the site are completely anonymous, or the regular World Wide Web, where only the user with a Tor browser is anonymous.

When it's used on the regular web, Tor encrypts your traffic and sends it on an eccentric journey between a number of Tor nodes before it's decrypted again before making the final hop to its destination like any other internet traffic.

This decryption (and the encryption of responses) is performed by a special Tor node called an exit node. Anyone can set up an exit node and because they deal with unencrypted information they are an excellent place to spy on traffic, or even to modify it on-the-wire (you can read more about exit nodes in my recent article Can you trust Tor's exit nodes?).

What garpamp claims to have seen is malicious exit nodes being used to rewrite regular web pages.

In other words, if you looked at this page through Tor and you happened to get a malicious exit node in your circuit you might not see the legitimate DuckDuckGo address at the top of this page, you might see two fake ones instead.

During the course of the discussion, garpamp noticed that a bad exit node was actually rewriting the addresses on the pastebin page posted by Nurmi!

...I've also seen exits [1] rewriting onion addresses found on clearnet.

[1] Like the ****** behind this piece of **** is doing to that pastebin url... Arag0n 185.77.129.189 dc914d754b27e1a0f196330bec599bc9d640f30c

The thread closed with Roger Dingledine, one of the original Tor developers, reporting that the bad exit node discovered by garpamp has now been given the BadExit flag which should prevent it from acting as an exit node.

The battle to shut down bad exit nodes is ongoing.

We don't know who is behind the fake sites, who is behind the exit nodes rewriting real addresses for fake ones or why they're doing it, but there is no shortage of suspects.

The Dark Web is an online safe haven for dissidents, journalists and champions of free speech but it is also a small and highly concentrated den of the very worst criminality.

So, not only is there an abundance of thieves on the Dark Web, and no honour amongst them, there is no shortage of government hackers or undercover agents either.

Saturday
Jun272015

What is Office Mix?

Office Mix is a new, free PowerPoint add-in from Microsoft. Follow the download directions to install it into your PowerPoint program. Once it is installed you will see a new tab called Mix that gives you the ability to create your Mix media.

So what is Mix? If you are aware of TechSmith's Camtasia and the way that it works with PowerPoint presentations, then my explanation is simple: it is Microsoft's version of that function. Mix allows you to automate your PowerPoint presentation and save it as a video for sharing. It has many other features built into it, but one of the things it does that is useful in classroom situations is to allow you to create quizzes within the presentation. It also provides screen and sound capture that you can insert in a slide, lets you insert other video files and audio, and then lets you record and play back your narration of the slideshow. You can then publish this recording to your online OneDrive storage area and share it with whomever you wish.

It's pretty slick. Once you get the general function of it, then it becomes very easy to use. All you have to do is dream up and produce your content and then deliver it to the world.

Wednesday
Jun242015

Practical IT: What is encryption and how can I use it to protect my corporate data?

by Ross McKerchar on May 21, 2015, from Naked Security

There’s been a lot of talk about encryption in the media lately.

You hear about who uses encryption, and who doesn’t (lots of companies don’t, to their own detriment).

And you hear about who wants to be able to bypass encryption (some law enforcement and national security agencies), and who doesn’t (Google, Apple, privacy advocates, etc.).

The encryption debate is important, but unfortunately, encryption is complex and the discussion can be hard to follow for people outside of the security community.

Businesses often don't realise why encryption is important, and how they can use it to protect their data.

In this article I will seek to answer some common questions about encryption by covering two areas: 1) a very brief explanation of encryption, and 2) a couple of the most common use cases which businesses need to be aware of.

What is encryption?

Encryption is a method of scrambling messages in a format that is unreadable by unauthorised users - it is, simply put, the best way to keep data secure from spies, thieves or accidental exposure. (Not to be confused with steganography, which is all about hiding messages, rather than making them unreadable).

Cryptography - the art and science behind encryption - uses algorithms to turn readable data (plaintext) into unreadable format (ciphertext).

Without getting too deep into the details, it's helpful to think about it like this: when you encrypt data you are storing it like you would money in a safe - you need a key to unlock the safe to get the money out (my apologies to any cryptographers reading this for the gross over-simplification!).

(If you want to learn more, I recommend my fellow Naked Security writer Paul Ducklin's great explanation of public-private key encryption.)

There are loads of ways to use encryption, but for organisations concerned about data loss, two very important areas to understand are full-disk encryption and file-level encryption.

Full-disk encryption vs. file-level encryption

Encryption can be used in many different ways.

Say your employee accidentally loses a USB drive with valuable data on a train, or their laptop gets stolen when they leave it alone in a coffee shop while they go to the bathroom (it happens).

The physical kit can be replaced, but the data on it could end up in the wrong hands and cause considerable harm - you might face financial penalties (depending on your local laws and industry regulations).

Or you might lose customers when word gets out that their personal data was leaked. You may very well be legally obliged to tell them. Of course, morally, telling them is always the right thing to do, regardless of legality.

However, if the laptop or USB drive was strongly encrypted, the data is unreadable to someone without the key and you likely won't have legal issues to worry about.

Laptops, USB drives, and even smartphones can be encrypted using what is known as full-disk encryption. That means the entire hard drive of the device and everything on it is protected by encryption - from the operating system to program files all the way down to temporary files.

Full-disk encryption is also relatively simple to implement - laptops and smartphones now come with the capability built in, what’s called native encryption.

However, full-disk encryption can only keep your stuff secure when it's on the device. The second anything leaves the encrypted device, it is "magically" decrypted and readable by all. This has important implications for your backups or files you've uploaded to a cloud service or attached to an email.

If you think about the analogy of money in a safe, the encrypted disk is the safe, and the money is your data. Once you take your money out of the safe it is no longer protected.

Conversely, if you have file-level encryption, every file has a "padlock."

With file-level encryption, your data is protected when it is in transit, or stored somewhere in the cloud.

But there is a downside - file-level encryption is harder to manage than full-disk encryption, because whenever you want to access the data, you need the key. As you may want access from many devices and many places, this requires careful key management.

When and how should you use encryption?

Full-disk encryption barely affects system performance at all, but if you try to encrypt everything at the file level, it will quickly become unmanageable.

You need to think a bit more about what data you want to encrypt and why. You'll likely want to focus on file-level encryption for sensitive data and/or data that you copy to other places - for example, documents you want to access on your phone as well as your desktop, or from a service like Dropbox.

It's important to understand that file-level encryption doesn't replace full-disk encryption. They complement each other. If you only encrypt your own files and not the full disk then it's very easy to miss something. Chances are your computer stores copies of your data in all sorts of places you didn't think about.

Most companies will also want the IT department to carefully manage the encryption keys across various devices. Without this central management, data could easily be lost if a person leaves the company or loses their decryption password. Unlike passwords used for access, passwords used for encryption can't simply be reset by a sysadmin if they're forgotten.

A smart company will make sure the master decryption keys are very well protected. Even smarter companies will ensure that no single person has full access to the powerful key. One way of doing this is designing a system such that two or more people need to contribute towards the decryption process (segregation of duties).

Good encryption software will have capabilities to make key management and segregation of duties relatively simple.
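The two key-management points above (a lost password cannot simply be reset, and no single person should hold the master key alone) can both be met by splitting the master key so that any k of n custodians can reconstruct it. The following added example, not code from the article or from any Sophos product, does that with Shamir secret sharing over a prime field, a technique the article does not name but which is a standard way to realise "two or more people need to contribute". Assumptions: the key is at most 65 bytes, shares are stored and distributed securely, and shares are not authenticated (a corrupted share yields a wrong key rather than an error, except where the size check below happens to catch it).

```python
import secrets

# Mersenne prime 2^521 - 1. It is far larger than any 256-bit key, so every key
# is a field element and a wrongly reconstructed value almost never fits back
# into the key length (see recover_key).
PRIME = (1 << 521) - 1
MAX_KEY_BYTES = 65  # 65 * 8 = 520 bits < 521


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, shares: int, threshold: int):
    """Split a master key into `shares` shares; any `threshold` of them rebuild it.

    The key is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)). Fewer than `threshold` points leave the
    constant term information-theoretically undetermined.
    """
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    if len(key) > MAX_KEY_BYTES:
        raise ValueError("key too large for the field")
    secret = int.from_bytes(key, "big")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Rebuild the key from a list of (x, y) shares by Lagrange interpolation at 0.

    If too few shares are supplied the interpolated value is effectively a
    random 521-bit field element, so it fails the size check below with
    overwhelming probability; that check is a sanity check, not a proof that
    the shares were genuine.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(p-2) mod p, valid because PRIME is prime and den != 0.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if secret.bit_length() > key_len * 8:
        raise ValueError("not enough shares, or a corrupted share")
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed demo: a 32-byte master key split 3-of-5 between five custodians.
    master = secrets.token_bytes(32)
    custodians = split_key(master, shares=5, threshold=3)
    assert recover_key(custodians[:3], 32) == master
    print("3 of 5 custodians rebuilt the master key")
    try:
        recover_key(custodians[:2], 32)
    except ValueError as e:
        print("2 of 5 custodians:", e)
```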

Wednesday
Jun172015

Original Surface Pro

I just picked up an original Microsoft Surface Pro and even with its limitations I have been fairly impressed with it. So much so that I am now eyeing up the Surface Pro 3 as my next laptop computer. Of course, I'll wait until I find a good deal on that as well. The one I picked up has 64GB of storage and 4GB of RAM. It is an i5, so it is pretty snappy. My biggest issues with it are the screen size and the storage. I just upgraded it to Windows 8.1 and that gave me a bit back, but I have 20GB free with my basic load on it. I am running Office 2013 (Office 365 load), ConnectWise (this is our service management program), Netflix, Hulu Plus, Kindle, Plex, Readiy and Facebook apps. 

However, before I upgraded, I was all the way down to 8GB, so that was a little worrisome, especially when I didn't have enough space to install the upgrade to 8.1. 

It is snappy, runs well and I am beginning to really like the 8.1 interface. I have found a few programs that don't like the new operating system, but for the most part I am running fine. I have signed up for the Windows 10 upgrade that should be available late July, and this will give me a chance to work more with it as well.

Wednesday
Jun172015

New Credit Cards with Chips pose increased costs to vendors that accept them

An interesting viewpoint by Joyce Rosenburg from inc.com discusses the associated costs of having to upgrade your credit card readers to work with the new chip based credit cards that were designed to reduce credit card fraud. Businesses are required to update their equipment by October 1st or face the chance of being held liable for transactions made with phony chip cards. Most retailers are going to bear the brunt of these costs.

But that's not all! If your accounting system is connected to the readers, it may not work with the new equipment and may require you to upgrade or replace your system to be able to automate the transaction processing. 

What are the alternatives? I can't seem to think of anything but move forward and take the financial hit. Not a pleasant situation to be in for all of us small business owners.

Sunday
Jun142015

Free Wi-Fi - Should you use it?

Sunday, June 14, 2015

With Wi-Fi becoming more and more prevalent in the places that you frequent, are the services safe to use with your mobile devices?

The free connections in cafés and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. One of the solutions we try to use, SSL encryption, has its issues as well. You initiate it when you put https:// in front of the URL that you want to access, or in many cases the site itself redirects to an SSL session automatically. This is the case with many financial sites as well as anything that needs to be HIPAA compliant.

Using a VPN tunnel to your site helps to encrypt the session from your device to the site, but you will need to use a proxy service in the cases when you are not connecting back to the corporate or provided VPN-controlled site.

While this is a much more secure connection, there is a security hole that can be taken advantage of. In many cases you must open a browser to a "captive portal", which comes from a local router when you ask to connect to the Internet. You may have to manually accept a terms of service agreement before your session can start.

While this is occurring your VPN has not yet begun, and depending upon the software that you run you might be exposed at this point. If you have services running on your mobile device that begin checking for updated data automatically, like email, they are not going through a VPN to access it. The data that is streaming through is potentially available for anyone to see.

While this exposure may only be a matter of seconds, that could be enough to expose valuable information like logon credentials. So how do you protect yourself?

Shaun Murphy, a founder of PrivateGiant (www.privategiant.com), which makes products to protect the security and privacy of online communications, suggests that you do it with a software firewall, either one that comes with your operating system or a third-party one:

The basic approach is to prevent all inbound and outbound connections on your public networks (or zones) with the exception of a browser that you use to connect to captive portals and such. That browser should be one you only use for this purpose and, perhaps, some lightweight browsing (certainly not email, social, or any other personally identifiable purpose.) Using that same firewall, set up a profile/zone for VPN traffic where inbound / outbound traffic are less restricted (I recommend blocking outbound connections by default and then adding in programs as needed, it's surprising how many programs call home... all the time.) The nice thing about this approach is your email client, primary web browser, and other applications you use will be useless unless you are actively connected to the VPN. 

And the real solution to this problem isn't hacking with firewalls. What we need is encryption being provided by default in public Wi-Fi. We don't see this very often now because that would mean supplying passwords to you the client, and the support overhead would be just too great in a busy environment like a café or restaurant. The result is that we have an insecure environment with bad but adequate usability.

In an article written by Larry Seltzer for arstechnica.com he talks about a solution that has been available for years. He goes on to tell us that it is beginning to gain traction and that hopefully we will see this as the go-to protocol in the future.

The Wi-Fi Alliance has had a solution for this problem nearly in place for years, called Passpoint. The Passpoint protocol was created to allow for Wi-Fi "roaming" by creating a way for access points to grant access by way of a third-party credential, such as your Google ID or your ISP account. When you connect to a public access point through Passpoint, it authenticates you and establishes a secure connection using WPA2-Enterprise, the gold standard in Wi-Fi security—instead of leaving your traffic unencrypted or visible on the shared wireless LAN.

The reason that you don't yet see Passpoint everywhere is that it requires the Wi-Fi provider—such as a consumer ISP,  Google, or Boingo—to trust certain authentication providers and to advertise a list of them to connecting devices—the longer, the better. And users would need to configure Passpoint on their system to use one or more of their credentials when connecting to such a network. There hasn't been wide adoption of Passpoint yet—while it's been put to use in certain high-volume locations, such as many airports, it's still pretty uncommon.

The Wi-Fi Alliance now says that Passpoint is gaining traction in the enterprise as a way to handle BYOD. That's interesting if true, but it doesn't address the pain point of public Wi-Fi privacy. Passpoint has the potential to close the VPN data leakage window and make public Internet services far more secure. In its absence, there is no good solution.

Wednesday
Jun102015

Instapaper Premium

Instapaper is a great program that I have been using for years in its free version; it allows me to capture web articles and file them in folders to make later consumption easy. You can access this information either through a web browser on your PC or using their iOS or Android apps on your mobile devices.


Instapaper has launched a new premium service that costs $2.99 per month or $29.99 per year, a 15% savings by purchasing on an annual basis. The feature list for both services are as follows:

From <https://www.instapaper.com/premium>


The ability to have full-text search and to add notes to the articles you have saved helps to make an interesting argument for moving to the premium service, but probably the most compelling reason is that you are supporting the company for offering the service and for any new upgrades to the product. At under three dollars per month, doing so will not break the bank.
