Internet Surveillance Backdoors to be Required in Kazakhstan

While those of us in the UK worry about risks to our internet security posed by the Snooper’s Charter and the calls for removing or weakening encryption in the wake of the recent terrorist attacks, Kazakhstan is one step ahead of the west. After January 1st 2016, every internet capable device in the country will be required to install a “national security certificate”, which will allow the government to gain access to its communications, whether they are encrypted or not. In order to help enforce the requirement, ISPs and network carriers must keep records of users that do and don’t install the certificate code, making it almost impossible to avoid it if you want to access the internet.

There are many risks with implementing such a backdoor on a nationwide level. As well as allowing the government to potentially keep tabs on those who would challenge the current government, the backdoor could also be misused by unscrupulous parties for their own ends, whether it is criminals finding a way to misuse the backdoor to access sensitive data or even opening its citizens up to surveillance or cyber attacks from other nations.

The requirement of using the certificate is shaky too, as while it is designed to work on Windows, Mac OSX, Android and iOS, it has no provision for users of Linux. And there could be problems if the certificate were to be revoked, or become incompatible with future versions of operating systems. Were someone wishing not to play by the rules, they could find ways to encrypt data that the backdoor won’t reveal or spoof their usage of it.

In this day and age, where internet security is a topic of hot debate, it will be interesting to see how well these backdoors work for Kazakhstan or whether they do more harm than good.

iGuardian Promises Business-Grade Security for Home Users

The news headlines are full of stories about hacked computers and data breaches, something that is starting to concern users around the world quite a bit. Antivirus technology is a dead end, the companies who create the software say so themselves, so where does that leave the average consumer? Companies have access to a lot of security hardware designed for their networks; the rest of us don’t. A new Kickstarter project aims to provide worried users with a cheap and easy-to-use solution.

The iGuardian is born: a plug-and-play, zero-configuration Internet protection system designed specifically for home use. The Kickstarter goal of $125 thousand was passed a while ago and, as of writing, it has almost $150 thousand in backed pledges with 5 days still to go. There is no doubt that there is a market for this device, so we can only hope that the aftermath of the campaign will run smoothly.

Thirty early birds were able to snag the iGuardian for just $99, but the rest of us will have to pay $149 plus shipping if we want one. This is still a great price when you compare it to other products on the market for this function: they easily cost $1000 and above, and require quite a bit of knowledge on your side to set up. Not so with the iGuardian.

The iGuardian is a device that’s slightly larger than a pack of gum and connects to your network before any other device. It then monitors the data going in and out from connected devices using the most recent security protocols and with the ability to be updated as necessary. The iGuardian serves as an Internet doorman of sorts, keeping an eye out for threats and denying them any kind of access whatsoever.

It is easier to set up than any kind of software firewall, just needing to be plugged into the same network that others are plugged into. From there, iGuardian can protect not only computers, but smart home appliances, smartphones, and any other products connected to the network.

Itus Networks, creator of the iGuardian, lament in their video the lack of home network security on the level of effectiveness that businesses utilize regularly. With the attitude of any engineer, Itus set out to bridge that gap and give individuals reliable digital security that doesn’t get in the way, explaining how the iGuardian works along the way.

The hardware specifications vary between the prototype and the target version, but if the prototype can do it, so can the final version, as it has upgrades in every way. The prototype uses two 600MHz ARM11 CPUs, 512MB RAM, 32MB Flash, 2x Gigabit Ethernet Interfaces, one RJ45 Console and an 8GB MicroSD Card.

The final version, on the other hand, will have a lot more power with two 1.0 GHz MIPS64 CPUs, 1Gb DDR3 RAM, three Gigabit Ethernet Interfaces, one RJ45 Serial Console, 64MB Flash and an SD Card Slot.

Video: https://www.youtube.com/watch?v=v8r6E7ZXgWY

Thank you Kickstarter for providing us with this information

Images and video courtesy of Kickstarter.

U.S Department of Public Health Exposes 1.3 Million Records In Data Breach

A new report suggests that hackers managed to access an American government server for the Department of Public Health and Human Services (DPHHS) in Montana. The data breach means that the sensitive personal data of 1.3 million individuals was exposed to the hackers. The details that were accessed included names, addresses, dates of birth, and Social Security numbers. Furthermore, there was information relating to health assessments, diagnoses, treatment, health condition, prescriptions, and insurance of certain individuals.

The initial findings suggest that it isn’t possible to determine if data was directly removed from the server but a breach did occur. The server was shut down a week after an investigation into suspicious activity started. Officials from the government of Montana have stated that all affected parties will be notified of the breach and offered credit monitoring and identity protection insurance in order to contain the damage. The security of the DPHHS servers has now been upgraded but it is clearly too little, too late for those affected by it.

Source: Softpedia


Comodo Internet Security 7.0 Launches in the UK, Backed by a £300 Virus-Free Guarantee

Comodo is a company offering leading solutions in terms of PC/Mac antivirus and malware software, SSL digital certifications, as well as Android antivirus and malware solutions. Its latest product is the all-in-one protection software, Comodo Internet Security Pro 7, which has been recently made available to the UK market.

The all-in-one software is said to be a unique and patented prevention tool for unknown viruses, as well as a detection tool for known ones. It works by inspecting each file attempting to run on a computer and instantly compares the file to its White List and Black List database. In the case of a file not being present in either list, the software restricts its access using Auto Sandbox Technology, keeping the computer clean and virus-free.

The company has also made a few changes to its latest Comodo Internet Security Pro 7 software, including a user interface update that allows tasks to be performed quicker while delivering more information on the current computer status. In addition to the interface update, Comodo claims that it has shortened the Sandbox function’s average process time per file by up to 700%, while adding the ability to reverse potentially undesirable actions of software without necessarily blocking the software entirely.

Also, Comodo has added an advanced Website Filtering feature, allowing website access rules to be created for particular users of a computer and logging each activity when a user tries to visit a website which is in conflict with a rule. Another interesting new feature added is the Protected Data Folder, which keeps each and every file placed inside a ‘Protected Data Folder’ from being read, accessed and modified by applications running in Sandbox mode. The last but not least addition is PrivDog, a software specially designed to suppress any malicious advertisement, while being able to run alongside all major browsers on the market.

What makes Comodo’s Internet Security Pro 7.0 one of the best antivirus and malicious software prevention products is the company’s confidence in suppressing each and every virus and piece of malware roaming the internet, including GOZeuS and CryptoLocker, as the company stated. This is why the company offers a $500 (£298.54) money back guarantee, should a user’s computer become infected while using the Comodo Internet Security Pro 7.0.

The Comodo Internet Security Pro 7.0 comes with a yearly subscription of just £30 which covers three machines and includes GeekBuddy online support. Comodo’s Internet Security Complete 7 is also available at a £68 yearly subscription, including all of the Pro’s features, plus TrustConnect Wi-Fi/Hotspot encryption and 50 GB of Online Storage. A trial for the software can be downloaded over at Comodo’s website.

Internet Explorer 9 and 10 Users Exposed To Unpatched Vulnerability

Microsoft revealed yesterday that Internet Explorer versions 9 and 10 both contain an unpatched vulnerability. Computer World reports that these vulnerabilities are mainly being exploited on Internet Explorer 10 by hackers.

The distribution of Internet Explorer versions among users shows that 15.3% use IE9 and 15.9% use IE10 meaning around a third (31.2%) of all IE users are vulnerable.

“Microsoft is aware of limited, targeted attacks against Internet Explorer 10. Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected,” said a Microsoft spokesperson.

The solution to the problem, unsurprisingly, is that Microsoft thinks all IE users should upgrade to the latest version which is IE11. Windows Vista users are being “left out in the cold” as the latest version of IE they support is IE9. Microsoft is expected to deliver a fix for the problem on March 11th.


“Safer Internet Day” – More Education On Internet Safety Needed For Children

 

In light of today’s Safer Internet Day 2014 a Kaspersky Labs report has revealed some startling information. They have found that a quarter of parents take no action to control their children’s online activity whether on a home PC or a mobile device like a smartphone or tablet.

“Regardless of how their children are accessing the internet, parents must remain vigilant, supervise their internet use and consider parental control technologies,” said David Emm, senior security researcher at Kaspersky Lab.

Of course it is not surprising Kaspersky are advocating parental control technologies, since they sell those, but the point is still a valid one – some degree of parental control is needed to prevent children from accessing harmful things on the internet. According to ITProPortal as many as 2 million children under 16 in the UK claim to have been approached by strangers online without the knowledge of their parents.

The problem is a serious one but one that is neglected at the institutional level. Paul Martini, CEO at iboss Network Security, believes:

“Parental teaching of key Internet safety issues needs to be just as common as warning children not to get into a car with a stranger. Safety is built on education, boundaries and a watchful eye at home and at school. There needs to be an advanced security platform with the new web that goes beyond basic web filtering,” he added. “And, schools need to take granular control of what students can access whilst within the school grounds. The Internet cannot be left wide open.”

Trying to balance the challenges of monitoring the internet while still ensuring adequate freedom is a tough one for parents. How do you control what content your children access?


Criminals Can Recover Personal Details From Used Phones, Even After Factory Reset

A recent Channel 4 investigation into the used phone trade in the UK has exposed some worrying privacy concerns. An investigation into two of the largest pawn brokers that are selling second-hand phones, CEX and Cash Converters, revealed that many phones still have recoverable details on them once sold. Some of the data that is left behind on the devices, or is recoverable, includes photos, text messages, passwords, credit card information and internet history. This comes despite Cash Converters and CEX telling customers that their devices will be wiped clean of all personal data before they are sold.

The issue arises from the assumption by these companies that a “factory reset”, or something equivalent, is enough to wipe all personal data from the device. The reality is that a factory reset doesn’t completely eradicate all personal data, as it is still recoverable from the memory. One security expert that Channel 4 spoke to claims that data can be easily recovered using freely available software and about 10 minutes of your time.

“The phones look like they’re completely blank, but the data is still there in the memory,” said Glenn Wilkinson of SensePost. “You can use software to find it, and that software is freely available for download. I can teach you how to access the data in 10 minutes.”

The extent of information that people store on their phones means that for criminals and fraudsters second hand phones are a goldmine of valuable and sensitive private information.

The Chief Executive of one of the major pawn brokers, Cash Converters, stated that:

“All phones are wiped to a standard level and full factory restores are carried out,” said Mr Patrick. “It is our understanding that specialist software may still be able to recover certain information stored on the phone, but we do everything in our power to ensure all personal data is removed from the device.”

However, the clear moral of the story is that if you’re selling your phone make sure you have securely removed all your data to the best of your ability. In some cases the manufacturer reset function will be enough but in others it may not and specialist data removal software may be needed.


Recent Adobe Hack Reveals 1.9 Million People Used 123456 As Their Password

People use stupid passwords; it is a fact that we’ve known since passwords became important for accessing online services. At the end of last month cybercriminals hacked Adobe’s systems, managing to expose 130 million encrypted passwords. Yet the encryption was so weak that almost all of the passwords have now been converted into plain text equivalents. This is because Adobe used the Triple DES (3DES) hashing algorithm according to Softpedia, and this algorithm provides some clues to what the password might be. Combine that with the fact that Adobe’s database also contained password hints, and it has been very easy for security experts to crack these passwords.
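Why a table stored this way gives so much away, as an added example (not code from Adobe, Softpedia or this article): it assumes, beyond what the article states, that every password was transformed with one key and no per-user salt, so equal passwords produce equal stored values and their hints can be pooled. HMAC-SHA256 under a fixed key stands in for that transform because Python's standard library has no 3DES; the accounts, key and function names are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (user, password, hint); not data from the breach.
ACCOUNTS = [
    ("ann", "123456", "one to six"),
    ("bob", "123456", "numbers in a row"),
    ("cat", "123456", "123456"),            # the hint gives the password away outright
    ("dan", "adobe123", "company name + 123"),
    ("eve", "adobe123", "same as my email"),
    ("fay", "T7#qLm92xv", "the usual"),
]

SITE_KEY = b"constructed-demo-key"   # assumption: one key shared by every row
PBKDF2_ROUNDS = 100_000


def store_deterministic(password: str) -> str:
    """Stand-in for unsalted single-key encryption: equal input, equal output."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def store_salted(password: str) -> str:
    """Per-user random salt plus a slow hash: equal passwords give unrelated records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_table(store):
    """Return the credential table as (user, stored_value, hint) rows."""
    return [(user, store(password), hint) for user, password, hint in ACCOUNTS]


def audit_table(rows):
    """Measure what the table leaks without knowing any key or password."""
    clusters = defaultdict(list)
    for user, stored, hint in rows:
        clusters[stored].append((user, hint))
    shared = {value: members for value, members in clusters.items() if len(members) > 1}
    return {
        "shared_values": len(shared),                               # distinct repeated values
        "exposed_users": sum(len(m) for m in shared.values()),      # users in any cluster
        "largest_cluster": max((len(m) for m in shared.values()), default=0),
        "pooled_hints": {v: [hint for _, hint in m] for v, m in shared.items()},
    }


if __name__ == "__main__":
    for name, scheme in (("deterministic", store_deterministic), ("salted", store_salted)):
        report = audit_table(build_table(scheme))
        print(name, report["shared_values"], report["exposed_users"], report["largest_cluster"])
        for value, hints in report["pooled_hints"].items():
            print("  ", value, "->", hints)
```

Running the same audit against your own credential store is a quick check: any repeated stored value means the scheme is deterministic and should be replaced with a salted, slow password hash.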

Of those 130 million hacked passwords, 1.9 million of them were “123456”, 0.45 million were “123456789”, 0.35 million were “password” and 0.2 million were “adobe123”. Scrolling down the below list you can see the usual array of lazy passwords that are as rubbish as they are insecure. It goes without saying that if your password for any website or service can be found below then you really need to be changing it pretty quickly to something much stronger.


Microsoft Says Windows XP’s Infection Rate Is 6X That Of Windows 8

Microsoft really wants to encourage users to make the shift to a newer operating system, mainly Windows 8.1. To do this Microsoft is pushing the security side of things, particularly as business users are the most prominent users of Windows XP who are essentially keeping the operating system alive and well. On its TechNet blog Microsoft published figures from its own internal data about the infection and encounter rates of all its operating systems. The figures show that Windows XP is about six times more likely to become infected by malware than Windows 8.

“Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed,” stated Microsoft.

Of course Windows XP users will find that they can reduce their infection rate by simply using some third party anti-virus and anti-malware protections, but these will not be able to account for vulnerabilities within the operating system itself. If you value security as a high priority then Microsoft believes the case is convincing enough for you to make the move to Windows 8.


Microsoft Is Leading PC Anti-Virus Vendor According To Report

New research figures by software and IT solutions company OPSWAT suggest that Microsoft dominates the desktop and laptop anti-virus markets with its free Microsoft Security Essentials offering. Microsoft has an impressive 25.4% of the market with all its products combined, though this is mainly comprised of MSE and Windows Defender. Microsoft is followed closely behind by Avast who manage to rack up an impressive 23.6% mainly through their free anti-virus offering. AVG, Symantec, ESET, Avira and Kaspersky also made the list with market shares between 6.5 and 8.3%.

In terms of the single most popular programs, Avast leads the way with its free antivirus, followed closely by MSE. Windows Defender, Avira and AVG come in third, fourth and fifth respectively, meaning the entire top 5 is comprised of free anti-virus solutions – which is hardly surprising. The leading paid anti-virus solutions are produced by ESET, Kaspersky, Norton, Avast and AVG respectively.

For more details and in depth graphs on the current state of the PC anti-virus market, see here.


Cryptic Software And Bournemouth University Team Up To Train Students In Cyber Security

Cyber Security is becoming an increasing concern for everyone; businesses, schools, hospitals, governments and even the everyday home user. That’s why we were quite interested to see security company Cryptic Software teaming up with Bournemouth University to offer students a chance to train and work in the field of Cyber Security while taking related degrees there – namely the BSc in Digital Forensics and Security.

As part of the joint venture Bournemouth University will get access to £500,000 worth of computer hardware and software to set up a special Cyber Security unit, £250,000 of which is provided by the UK government’s Higher Education Innovation Fund (HEIF).

The Cyber Security unit is set to be profitable too as Bournemouth University is expected to earn £250,000 in the first year on consultancy work, rising to £3 million by the end of the third year. With Cyber Crime costing the UK around £27 billion the state of the art research that is to be undertaken at Bournemouth University in partnership with Cryptic is going to be essential for securing international competitiveness for UK firms in the online services industry.


Microsoft Wants To Increase 16 Character Password Limit

Microsoft’s Outlook.com team took to Reddit to engage in an Ask Me Anything (AMA) session recently. One of the hotly debated topics was the reasoning behind the 16 character password limit Microsoft implements. Microsoft’s Outlook.com team still believes that malware and phishing techniques are the most common means of compromising accounts. It also believes that the uniqueness, choice and arrangement of characters is generally more important than the password length.

“Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords.”

Microsoft says that it will increase the character limit in the future and that this is something the Outlook.com team is currently working on but it did say that it will take quite some time due to the difficulty in centralising the password logic across different products.

“Sixteen characters has been the limit for years now. We will always prioritize the protection needs of users’ accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services…We are working on increasing the password length. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market.”


41% Of Online Fraud Victims Never Recover Lost Funds Says Kaspersky Report

According to a recent Kaspersky Labs report and survey, things do not look good for online fraud victims. Apparently 41% of victims did not recover any of the lost funds while 45% recovered them all and 14% partially recovered them. 33% of victims had the money stolen during an e-Payment checkout operation, 17% during online banking sessions and 13% while online shopping.

Sadly only 12% of online store customers who were defrauded received full compensation; for online banking the figure was 15%. Of course Kaspersky Labs says that this means only one thing – that companies, consumers and businesses should all take more care in using appropriate protection when dealing with money online.

As expected the majority of consumers assume that their bank or retailer is responsible for protecting them. 34% of respondents take no security measures when using public WiFi while 45% believe the bank will return any stolen money. Despite the relative prevalence of these incidents (around 62% of respondents experienced an incident where attempts to steal financial details were encountered), the average cost of an attack was only about $74 per person.


German Security Provider Says 750 PayPal Phishing Sites Are Created Daily

PayPal phishing schemes drive me mad. I probably get about 5-10 emails every day across my various work and personal email accounts from phishing sites trying to trick me into handing over PayPal details. A German email security provider has shed light on why this is such a frequent occurrence. Apparently every day an average of 750 new PayPal phishing sites are set up. By simple math that means we see 22,000 of these rotten things every month and 270,000 in the average year.

Most of these phishing pages are hosted on legitimate websites that have been compromised by cybercriminals, so spotting a phishing site may not often be as obvious as you think, although if it isn’t on PayPal.com then it should be pretty obvious.

“The online payment service PayPal is not only one of the most popular online payment methods, but also a preferred target for phishers: PayPal regularly tops the lists of phishing topics worldwide. Every day, an average of 750 newly compromised websites are targeted primarily at PayPal users, according to numbers from Commtouch’s GlobalView URL filtering database – resulting in more than 22,000 new sites per month and 270,000 sites per year. The sites are usually legitimate websites that are compromised through security flaws. The findings highlight the need for hosters and website owners to protect their sites and for users to deploy an effective Web security solution,” stated Eleven Research.
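The "is it really on PayPal.com" test from the article, written out as an added example (not code from Eleven Research, Commtouch or PayPal). It checks the parsed hostname instead of looking for the brand name anywhere in the link, since a page on a compromised site can carry the name in its path; the function name, the sample links and the `.example` hosts are constructed.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "paypal.com"

# Constructed sample links; the .example hosts are placeholders, not real sites.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://PayPal.com./",
    "http://www.paypal.com/signin",
    "https://paypal.com@login.example/signin",
    "https://paypal.com.login.example/signin",
    "https://blog.example/wp-content/paypal.com/login.php",
    "https://xn--pypal-4ve.example/",
    "https://p\u0430ypal.com/",          # Cyrillic letter in place of Latin "a"
]


def classify_link(url, trusted=TRUSTED_DOMAIN):
    """Return (is_trusted, reason) for a link claiming to lead to `trusted`."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return (False, "malformed URL")
    if parts.scheme != "https":
        return (False, "not https")
    if has_userinfo:
        # Text before "@" is a user name, not the site being contacted.
        return (False, "userinfo before host")
    if not host:
        return (False, "no host")
    if not host.isascii():
        return (False, "non-ASCII host")
    if any(label.startswith("xn--") for label in host.split(".")):
        return (False, "punycode label in host")
    # Exact match or a true subdomain. A bare endswith(trusted) would also
    # accept any unrelated registration that merely ends in the same letters.
    if host == trusted or host.endswith("." + trusted):
        return (True, "host is on " + trusted)
    return (False, "different domain: " + host)


def triage(links, trusted=TRUSTED_DOMAIN):
    """Classify a batch of links, keeping the verdict next to each one."""
    return [(link, *classify_link(link, trusted)) for link in links]


if __name__ == "__main__":
    for link, ok, reason in triage(SAMPLE_LINKS):
        print("OK    " if ok else "REJECT", reason, "|", link)
```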


Wikipedia Pushing Ahead With Encryption To Lock NSA Out

Wikipedia is taking steps to ensure that the NSA cannot spy on it or its users by adding encryption to the website wherever possible, according to RT. Users that log in will now have to use secure encryption when on the site and visitors to the website will use the HTTPS security protocol as a further defence mechanism.

“[Wikipedia] believes strongly in protecting the privacy of its readers and editors. Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects,” said the statement published on the organization’s website.

Wikipedia had already been making efforts to transfer to the HTTPS security protocol, but since recent leaks about the XKeyscore program have implicated Wikipedia it is taking steps to fast-track encryption and HTTPS with all resources available. Wikipedia founder Jimmy Wales also stated that he believes encryption is an issue of human rights and that all companies should start using it.


Windows 8.1 Features Improved Malware Resistance And Data Protection

At this week’s Black Hat 2013 conference Microsoft has been busy explaining some of the newest security features for its Windows 8.1 Operating System. Microsoft is trying to push Windows 8.1 to the business community and has promised that “pervasive device encryption” means employee data is always safe on their devices. Pervasive device encryption has been added to all editions of Windows 8.1 for devices with support for InstantGo and another new feature is the ability to selectively wipe corporate data.

While encryption is fully supported other mechanisms like BitLocker and BitLocker To Go are also supported on Windows 8.1 Pro and Enterprise. New protections have been introduced such as the network key protector, automatic recovery key escrow to Active Directory and other protections to ensure a physical drive isn’t compromised when lost or stolen.

“With Windows 8.1, we introduce Remote Data Removal which will allow an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.” Microsoft’s Dustin Ingalls states.

Additional security improvements include an updated Windows Defender with behaviour monitoring for the memory, registry and file system. Internet Explorer has added improved security with an improved API that can make a “security determination” before executing a binary extension. Internet Explorer 11 will also pack an Enhanced Protection Mode.

So Microsoft is really pushing new security features for both consumers and business customers. Of course you can trial some of these new features with the Windows 8.1 Preview.


Former NSA Director Says Huawei Is A Threat To National Security

In an interview with the Australian Financial Review the former director of the American National Security Agency (NSA), General Michael Hayden, stated that the Chinese firm Huawei (who sell various smartphones, tablets and other electronics) are a threat to both American and Australian national security. The former NSA director believes that Huawei has been used by China to spy on other nations stating:

“Yes, I have no reason to question the belief that’s the case. That’s my professional judgment. But as the former director of the NSA, I cannot comment on specific instances of espionage or any operational matters”

He may have a point, but how is China using Huawei to spy any different to the USA using Skype, Microsoft, Google, Facebook and other American firms to spy (on China and many other nations including Australia)? General Michael Hayden added that:

“At a minimum, Huawei would have shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with. I think that goes without saying. That’s one reality”

Luke Coleman, Huawei Australia’s spokesperson commented on the accusations stating that:

“People have been saying these things for a long time but for years and years we’ve never seen any evidence and nothing’s changed on that front so from Huawei’s perspective we’re saying it’s time to put up or shut up…If the evidence is out there people have a right to see it, our staff have a right to see it and so far no one seems to have come in with that evidence…We’ve seen this in the past, clearly there are bigger geopolitical issues going on right now between America and China and unfortunately Huawei tends to be a bit of a piggy in the middle here”.

Furthermore, Luke Coleman claims there is a massive conflict of interest in the former NSA director’s statements, saying he sits on the boards of both Cisco and Motorola – two of Huawei’s largest competitors.


Reports Suggest MSI.com Has Been Hacked And Injected With Malware Code

According to unconfirmed reports MSI.com has recently been hacked and can distribute malware code. The report states that cyber-criminals have hacked MSI.com and have altered it to distribute malware that is hosted by Kristians1(dot)net and some other shady websites. The writer of the report, Conrad Longmore of Dynamoo’s Blog, reports that he notified MSI of the exploit but they have not responded and the malware still remains in place.

Google’s safe browsing report of MSI.com suggests that 23 exploits including 2 Trojans have been hosted on MSI.com from 5 domains. Google’s safe browsing report is as follows (we have removed all hyperlinks so please do not attempt to visit any of these websites or you may put your computer’s safety at risk):

Of the 2469 pages we tested on the site over the past 90 days, 16 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-16, and the last time suspicious content was found on this site was on 2013-06-16.

Malicious software includes 23 exploit(s), 2 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including abdelmonem.net/, oportunidadesdesdesucasa.com/, jobsreal.biz/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including for-test-only.ru/.

This isn’t the first time MSI has let security drop and back in May MSI Taiwan had 50,000 user account details stolen and its site was defaced.

MSI responded to us about this latest incident with the following brief statement:

“Our service has been compromised. Our webteam are currently working on it as we speak.”


Microsoft Internet Explorer 11 Bug Bounty Claimed By Google Employee!

Microsoft and other big browser companies often give out “bug bounties” for people who can discover exploits in their software. Microsoft offered up a rather large bug bounty for Internet Explorer 11 and is offering up to $11,000 for every security flaw people can find in the browser.

Katie Moussouris, Senior Security Strategist at Microsoft said:

“The security community has responded enthusiastically to our new bounty programs, submitting over a dozen issues for us to investigate in just the first two weeks since the programs opened.  I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)”

One of the winners of a bounty was Google information security engineer Ivan Fratric who bagged a healthy serving of the Internet Explorer 11 bounty. He previously won $50,000 back in 2012 in Microsoft’s BlueHat contest.

“We have other researchers who have qualified for bounties under the IE11 program as well, and their notifications will be coming from secure [at] Microsoft [dot] com this week and beyond. We plan to add an acknowledgement page on our bounty web site, listing the researchers who would like to be publicly recognized for their contributions to helping us make our products more secure, so look for that page to appear linked from www.microsoft.com/bountyprograms in the near future.”

Microsoft’s Internet Explorer 11 bug bounty window ends on July 26th.

Image courtesy of the Verge

EU Adopts Tough Anti-Cybercrime Legislation

Cybercrime is a growing problem of the modern age, and on Thursday the European Parliament adopted a new set of rules to fight it with a tougher stance. The new measures passed with a majority vote of 541 for and 91 against, and all EU nations must adopt these new laws within 2 years.

The new directive states that cybercriminals who interfere with data and information systems, or intercept communications and sell hacking tools, will face at least two years in prison. Attacks against serious infrastructure that cause serious damage will be met with a minimum of 5 years, while botnet creators will face a minimum of 3 years.

Furthermore, the directive is designed to improve inter-state cooperation: member states are being told to collect cyberattack statistics and to have the relevant authorities in place to process such data and respond to attacks.

“This is an important step to boost Europe’s defences against cyber-attacks. Attacks against information systems pose a growing challenge to businesses, governments and citizens alike. Such attacks can cause serious damage and undermine users’ confidence in the safety and reliability of the Internet” said Cecilia Malmström, EU Commissioner of Home Affairs.

Image courtesy of capreform.eu

Americans Worried About Account Hacks, But Can’t Be Bothered With Extra Security

According to a new report by Harris Interactive on behalf of Imperium, 79% of Americans say they are worried about their accounts for various online services being hacked or compromised, yet 75% of them say they have never used two factor authentication and 27% of them say they just cannot be bothered to do it because it is inconvenient.

The report revealed some interesting things such as:

  • 79% of respondents were worried about their emails being hacked
  • 71% of respondents were worried about their bank account being compromised
  • 55% of respondents were worried about their social media being hacked
  • 75% of respondents had never used two factor authentication
  • 27% of respondents said they didn’t use it because it was inconvenient or they didn’t want to disclose their phone number
  • 39% of respondents blamed hacks on websites for a lack of security features
  • 37% of respondents blamed hacks on weak passwords
  • 37% of respondents had been victims of a phishing attack
  • 26% of respondents had their accounts for an online service compromised
  • 20% of respondents had their social media credentials stolen
  • 5% of respondents stated that a lost or stolen phone led to unwanted disclosure of information

So the message from this survey is clear: Americans are aware of the risks, and many of them have fallen victim to hacks, but no one really wants to take responsibility for it. It is surely much easier to blame the websites/companies involved than it is to take some initiative and use a strong password or enable two factor authentication in your account settings.

Image courtesy of Imperium

Opera Gets Hacked, Expired Certificate Signing Code Stolen

According to Opera’s official blog, the company recently halted and contained a targeted attack on its internal network. Opera’s Sigbjørn Vik said that the attack took place on June 19th and didn’t compromise any user data, but at least one old and expired Opera code signing certificate was stolen. Hackers can then use this certificate to sign malware, which allows them to distribute it so that it appears to be either the Opera browser itself or a program verified by Opera.

“This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser” said Opera’s Sigbjørn Vik

Apparently Opera is working hard to fix the problem by introducing a new version of the Opera browser that uses a new code signing certificate. Any users who used Opera between 1:00 and 1:36 UTC on the day of the breach (June 19th) could have had malicious software installed onto their computer automatically without their knowledge.

As if Opera wasn’t already having a hard enough time tempting users over from the “big four” (IE, Firefox, Chrome and Safari), this latest incident is sure to make things even harder for them.

Image courtesy of Opera

British Spy Agency Worse Than The NSA, Monitors Huge Amounts Of Internet Traffic

 

You thought the NSA was bad, right? Tapping into the internet data of Americans in the name of fighting terrorism and national security? The NSA’s British equivalent, the GCHQ, is apparently much worse, according to a report by the Guardian. The GCHQ, or Government Communications Headquarters of the United Kingdom, is able to redirect and process all the data that comes through internet fibre optic cables, and this allows it to monitor most internet traffic around the world.

The GCHQ taps into 200 fibre optic cables in and around the UK, and these cables link Europe, Africa, the Middle East and India to the internet, meaning the GCHQ can monitor most of the world. The GCHQ is capable of monitoring up to 46 of the 200 cables at any one time at near real-time speeds. Considering each cable has a throughput of about 10 gigabits a second, this is very impressive, but worrying at the same time.

And if all that wasn’t bad enough, the GCHQ is reportedly expanding surveillance operations at an alarming rate, and any ISPs and telecommunications companies that do not come on board voluntarily are forced to do so by court orders, which also gag them from releasing information publicly. What’s more, the GCHQ shares almost all of its data with the Five Eyes intelligence alliance (USA, UK, Canada, Australia and New Zealand) and everything with the NSA, which actually helps the GCHQ organise its mass amounts of data.

Image courtesy of the Guardian

Experts Reveal Criminal DIY Bitcoin Mining Tool

Security experts at Webroot have revealed a subscription-based criminal DIY mining malware tool. Apparently they found the tool on a cybercrime forum, and it can be used to mine Bitcoin on malware-infected PCs.

“The Bitcoin mining tool comes with a DIY generating tool, start up functionality, installation persistence, assembly changer, icon changer, support for both Bitcoin and Litecoin CPU/GPU, the ability to change the CPU/GPU threads, as well as the ability to adjust the GPU fan percentage”

People interested in using this can pay via non-traceable methods such as PayPal, Bitcoin, Terracoin or Litecoin. Cybercriminals can use this tool on malware-infected PCs to generate profit. In fact, the controls are so advanced that the cybercriminals can set fan speeds and maximum temperatures on the victim’s PC.

There are currently so many “underground/criminal shops” selling access to hacked computers and exploitative software that cybercriminals don’t even have to bother hacking people’s computers, as someone else has already done the hard work for them.

I think the lesson of this story is clear: never underestimate the value of being a cautious internet user, having a solid firewall and good anti-virus and, most importantly, using your common sense online. Keep an eye on your CPU/GPU usage too, because if your system is always running at close to 100% then you could be a victim of this type of Bitcoin mining hijack malware, which has become ever more prevalent in recent times.

Image courtesy of Webroot

Facebook Bug Exposes Data Of 6 Million Users

Facebook revealed in a security update announcement that a bug had made the data of six million users vulnerable. Apparently it was possible to use Facebook’s data export tool to reveal six million email addresses and usernames. Facebook says the data was not widely leaked and only reached a handful of people, most of whom would have known a lot of the people on the list of exposed data, as it was based on contact data similarities.

Normally Facebook asks you to import contact data from other social networks, email or your phone, and this is then stored privately and securely, separate from the main user data. At no stage should the data be shared with anyone; it is only meant for use in a people-data matching algorithm. Yet somehow the data did get stored to some people’s accounts, and Facebook was made aware of the bug through its “White Hat” program, which offers up cash sums for finding bugs and exploits in the website.

“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”

Image courtesy of Facebook

The Pirate Party Demands European Response To PRISM Scandal

The PRISM “scandal” originating in the USA has triggered public outcry in the USA as well as across the world. The Pirate Party, who are very much anti-American due to the long history of copyright battles, have today revealed their AntiPRISM website and a call to action against PRISM.

The Pirate Party first state that they are appalled by the PRISM program and applaud Edward Snowden for his actions in revealing it. They have also demanded that European countries treat Edward Snowden sympathetically and grant him asylum.

“In light of this situation, it is important that the European Union, rather than remaining complicit with this abuse of powers that comes at an untenable cost to society, becomes a worldwide beacon for digital rights and privacy protection, government protection and whistleblower protection”

Furthermore, they demand to know the extent of European involvement in PRISM and request that a European Parliament committee investigate the extent of PRISM and which EU bodies had knowledge of and active involvement in the program. As you might expect, the Pirate Party also demanded that any European surveillance programs be scrapped and called for an international treaty on the freedom of the internet and appropriate data protection.

Image courtesy of AntiPRISM

Microsoft Follows Facebook In Releasing Government Request Data To The Public

Microsoft, Google and Facebook all joined together recently to demand more transparency about government data requests and the ability to reveal details of these to their user base. Facebook recently revealed that it had to release data on some 19,000 individuals at the legal request of the American government. Yet it was disappointed at being relatively constrained in what data it could release: it was still unable to release details on the secret/spy requests that everyone really wants to know about.

Microsoft finds itself in a more or less identical situation: it has been given permission to reveal basic details about government data requests, although nothing on spy requests. Microsoft revealed it received between 6,000 and 7,000 criminal and national security warrants. It received a further 31,000 to 32,000 subpoenas and orders on consumer accounts. All of this took place in the last 6 months of 2012.

Essentially Microsoft has been able to clump national security warrants together with criminal warrants. National security warrants would mean anything to do with PRISM or FISA, so we know that the U.S. government made fewer than 7,000 PRISM or FISA data requests to Microsoft. Obviously, once you account for the criminal warrants, the number of PRISM/FISA requests is probably much smaller; I would hazard a guess at fewer than 1,000, but we cannot truly know until Microsoft publishes (or is allowed to publish) the details.

Microsoft’s statement read:

“This afternoon, the FBI and DOJ have given us permission to publish some additional data, and we are publishing it straight away. However, we continue to believe that what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues. We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together”

While Microsoft is jumping on the privacy bandwagon, let us not forget that Microsoft is accused of using its Skype VoIP service to spy on its users, monitor their calls and scan their text chats. In fact, this is why Skype has been so wrapped up in the PRISM program: the opportunity to spy on the voice chats of millions of users has clearly been very useful to the NSA.

Image courtesy of Microsoft