Sign up for our Technology Newsletter 
Can Corporations Be Easily Hacked?
Hacking a major corporation is so easy that even an elderly grannie could do it, according to technology industry character John McAfee.
McAfee said that looking at the world’s worst hacks you can see a common pattern – they were not accomplished using the most sophisticated hacking tools.
Writing in IBTImes said that the worst attack was in 2012 attack on Saudi Aramco, one of the world’s largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world’s oil supply chain. It was made possible by an employee that was fooled into clicking a bogus link sent in an email.
He said 90 per cent of hacking was social engineering, and it is the human elements in your organization that are going to determine how difficult, or how easy, it will be to hack you.
The user is the weakest link in the chain of computing trust, imperfect by nature. And all of the security software and hardware in the world will not keep a door shut if an authorized user can be convinced to open it, he said.
“Experienced hackers don’t concern themselves with firewalls, anti-spyware software, anti-virus software, encryption technology. Instead they want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated; whether your IT managers have stagnated in their training and self-improvement.”
Muct of this information can be picked up on the dark web and the interernet underground, he added.
“”Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organization prepared.
Source- http://www.thegurureview.net/computing-category/can-corporations-be-easily-hacked.html
Apple Removes Data Spying Apps From Store
October 21, 2015 by admin
Filed under Consumer Electronics
Comments Off on Apple Removes Data Spying Apps From Store
Apple has removed several apps from its store that it said could pose a security risk by exposing a person’s Web traffic to untrusted sources.
The company recommended deleting the apps but did not name them, which may make it hard for people to know which apps put their data at risk.
The apps in question installed their own digital certificates on a person’s Apple mobile device. It would enable the apps to terminate an encrypted connection between a device and a service and view the traffic, which is a potential security risk.
Most websites and many apps use SSL/TLS (Secure Socket Layer/Transport Security Layer), a protocol that encrypts data traffic exchanged with a user. SSL/TLS is a cornerstone of Web security, ensuring data traffic that is intercepted is unreadable.
It is possible in some cases to interfere with an encrypted connection. Many enterprises that want to analyze encrypted traffic for security reasons will use SSL proxies to terminate a session at the edge of their network and initiate a new one with their own digital certificate, allowing them to inspect traffic for malicious behavior.
In that scenario, employees would likely be more aware or expect that kind of monitoring. But people downloading something from the App Store probably would have no idea of the access granted to their sensitive data traffic.
Apple checks applications to ensure that malicious ones are not offered in its store. Those checks are in large part the reason why Apple has had fewer problems with malicious mobile applications in its store.
Installing digital certificates isn’t itself a malicious action per se, but Apple may be concerned that users are not fully aware of the consequences of allowing an app to do so.
Source-http://www.thegurureview.net/aroundnet-category/apple-removes-data-spying-apps-from-store.html
Stagefright 2.0 Exploits Android Vulnerabilities
Comments Off on Stagefright 2.0 Exploits Android Vulnerabilities
Newly found vulnerabilities in the way Android handles media files can allow attackers to compromise devices by tricking users into visiting maliciously crafted Web pages.
The vulnerabilities can lead to remote code execution on almost all devices that run Android, starting with version 1.0 of the OS released in 2008 to the latest 5.1.1, researchers from mobile security firm Zimperium said in a report published Thursday.
The flaws are in the way Android processes the metadata of MP3 audio files and MP4 video files, and they can be exploited when the Android system or another app that relies on Android’s media libraries previews such files.
The Zimperium researchers found similar multimedia processing flaws earlier this year in an Android library called Stagefright that could have been exploited by simply sending Android devices a maliciously crafted MMS message.
Those flaws triggered a coordinated patching effort from device manufacturers that Android’s lead security engineer, Adrian Ludwig, called the “single largest unified software update in the world.” It also contributed to Google, Samsung and LG committing to monthly security updates going forward.
One of the flaws newly discovered by Zimperium is located in a core Android library called libutils and affects almost all devices running Android versions older than 5.0 (Lollipop). The vulnerability can also be exploited in Android Lollipop (5.0 – 5.1.1) by combining it with another bug found in the Stagefright library.
The Zimperium researchers refer to the new attack as Stagefright 2.0 and believe that it affects more than 1 billion devices.
Since the previous attack vector of MMS was closed in newer versions of Google Hangouts and other messaging apps after the previous Stagefright flaws were found, the most straight-forward exploitation method for the latest vulnerabilities is through Web browsers, the Zimperium researchers said.
Zimperium reported the flaws to Google on Aug. 15 and plans to release proof-of-concept exploit code once a fix is released.
That fix will come on Oct. 5 as part of the new scheduled monthly Android security update, a Google representative said.
Source-http://www.thegurureview.net/mobile-category/stagefright-2-0-exploits-android-vulnerabilities.html
Was The Hilton Hotel Chain Hacked In April?
Comments Off on Was The Hilton Hotel Chain Hacked In April?
The Hilton organization is reportedly trying to work out whether it has been hacked and, if so, what it should do about it.
We say reportedly as we have not been able to contact Hilton ourselves and can rely only on reports. They are pretty solid reports, however, and they concern a problem at the company that happened between 21 April and 27 July.
Brian Krebs, of KrebsOnSecurity, started this off with a report about a payment card breach. Krebs said that he had heard about the breach from various sources, and that Visa – the card provider – has mailed potentially affected parties with a warning, and the news that it is the fault of a bricks and mortar company.
Visa did not name the company, but affected parties, or banks to be more precise, have uttered it to Krebs. Its name is Hilton.
“Sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” he wrote.
“It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.”
Krebs has a statement from the Hilton organisation in which the firm defended its security practices, and revealed that it is aware of the potential problem and is looking into it. This is a common theme among the breached, and should soon become part of mission statements.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” said the company in the statement to Krebs.
“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
We have asked Visa and Hilton for their comments.
Source-http://www.thegurureview.net/computing-category/was-the-hilton-hotel-chain-hacked-in-april.html
Does AVG Respect Your Privacy?
AVG has been answering questions about its new privacy policy after accusations that the firm is about to sell its users down the river.
A Reddit discussion has heard from furious users who spotted that the simplified policy effectively gives the company permission to sell its mailing lists to third parties for fun and profit.
AVG stated under ‘Do You Share My Data?’ in the Q&A about the new policy, which is automatically enforced on 15 October: “Yes, though when and how we share it depends on whether it is personal data or non-personal data. AVG may share non-personal data with third parties and may publicly display aggregate or anonymous information.”
AVG has hit back at the criticism in a blog post today, by which we mean confirmed that its stance is correct, explaining: “Usage data allows [AVG] to customize the experience for customers and share data with third parties that allow them to improve or develop new products.
“Knowing that 10 million users like a certain TV program gives broadcasters the data to get producers to make more of that type of program.
“This is also how taxi firms know how to distribute their fleets, and how advertisers know where to place banners and billboards, for example. Even at AVG, we have published non-personal information that we have collected regarding app performance.”
But AVG added in big, bold type: “We do not, and will not, sell personally identifiable data to anyone, including advertisers.”
This will placate some, but others fear that the lack of choice over this matter, which requires an active decision to opt out, is too clandestine. As ever, there are threats to move to everything from Linux Mint to the Commodore 64, some more serious than others.
Several Redditors have likened it to similar warnings in Windows 10′s Insider Programme which essentially say: ‘we can track you … but we won’t, unless we do.’
Courtesy-TheInq
Hackers Accessed 10M Records At Excellus
September 23, 2015 by admin
Filed under Around The Net
Comments Off on Hackers Accessed 10M Records At Excellus
Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company has disclosed.
The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.
The hackers may have had access to customer records which include names, addresses, telephone
numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.
Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.
The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.
No evidence has been found yet that the data was copied or misused by the attackers.
Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.
The company will not contact affected individuals via email or telephone, so any emails or phone calls claiming to be from the company in regard to this attack should be ignored as they are probably scams.
The incident comes after three other Blue Cross Blue Shield health insurers — Anthem, Premera and CareFirst — announced large data breaches this year as a result of cyberattacks.
Excellus said that it doesn’t have sufficient information about the Anthem, Premera and CareFirst investigations in order to comment about possible connections between those attacks and the one against its own systems.
Source-http://www.thegurureview.net/aroundnet-category/hackers-accessed-10m-records-at-excellus.html
Are Cyber Criminals Hard To Catch?
Despite 100,000 cyber crimes being committed every year UK authorities only caught 12 hackers.
In fact on average just one person was convicted of an offence under the Computer Misuse Act every month for the past 23 years.
We assume that it was not the same bloke, because he would be the most luckless criminal ever.
Campaigners from the Digital Trust, which supports victims of online abuse, said police do not know how to cope with the problem.
Need more laws
Criminal justice expert Harry Fletcher, who is a director of the Digital Trust, said: “The police still concentrate their resources on traditional offences offline, but most people are more likely to be mugged online than in the street.
“The law needs to change. It should, for example, be an offence to use any technological device to locate, listen to or watch a person without legitimate purpose.
“In addition, restrictions should be placed on the sale of spyware without lawful reasons. It should also be against the law to install a webcam or any other form or surveillance device without the target’s knowledge.”
Of course just creating new laws is not going to mean that more hackers will be caught, it will just mean that there are more crimes which they could be arrested for.
The conviction rate against hackers are not bad, if the coppers do arrest someone. Between 1990 to 2006 only 183 defendants were proceeded against and 134 found guilty under the Computer Misuse Act.
Unfortunately the Trust did not see, to realize that a lot of the hacks against companies and individuals come from overseas, particularly Russian or China. Changing laws in the UK would not change anything.
Criminals Remotely Erasing Smartphone Data
Comments Off on Criminals Remotely Erasing Smartphone Data
Smartphones taken as evidence by police in the UK are being wiped remotely by crooks in order to remove potentially incriminating data, an investigation has uncovered.
Dorset police told the BBC that six devices were wiped within the space of a year while they were being kept in police custody, and Cambridgeshire, Derbyshire, Nottingham and Durham police also confirmed similar incidents.
The technology being used was originally designed to allow device owners to remove sensitive data from phones or tablets if they are lost or stolen.
“We have cases where phones get seized, and they are not necessarily taken from an arrested person, but we don’t know the details of these cases as there is not a reason to keep records of this,” a spokeswoman for Dorset police told the BBC.
A spokeswoman for Derbyshire police also confirmed one incident of a device being remotely wiped while in police custody.
“We can’t share many details about it, but the case concerned romance fraud, and a phone involved with the investigation was remotely wiped,” she said. “It did not impact upon the investigation, and we went on to secure a conviction.”
Software that enables this remote wiping has been available from a variety of security firms for some time now.
For example, BitDefender announced a product a while back intended to track lost or stolen Android devices. Not only did it allow users to connect remotely and ‘wipe’ data from a web profile via the internet, but to activate commands with text messages.
Pen Test Partners’ digital forensics expert, Ken Munro, said it is common practice to immediately put devices that are seized as evidence into a radio-frequency shielded bag to prevent any signals getting through and stop remote wipes.
“If we can’t get to the scene within an hour, we tell the client to pop it in a microwave oven,” he said. “The microwave is reasonably effective as a shield against mobile or tablet signals – just don’t turn it on.”
BlackBerry To Patch For Heartbleed
BlackBerry Ltd said it will release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the “Heartbleed” security threat.
Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.
“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.
Javascript Security Flaws Discovered
Polish researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the flaws make it possible for attackers to read or modify users’ sensitive data or to execute malicious code.
Security Explorations said it would normally withhold public airings until after any vulnerability has been fixed. But apparently Oracle representatives failed to resolve some of the more crucial issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text use passwords stored in some systems.
Oracle apparently has admitted to the researchers that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centres in the future.
Adam Gowdiak, CEO of Security Explorations said Oracle unveiled the Java Cloud Service in 2011 and held it up as a way to better compete against Salesforce.com.