Friday, April 15, 2011

Another “Typical” breach. Note that the bank is unlikely to reimburse the Dealership, since their security was breached, not the bank's.

http://www.msnbc.msn.com/id/41743727/ns/technology_and_science-security/from/toolbar

Cybercrooks Drive Away With $63,000 from Car Dealership

On Nov. 1, 2010, the controller for Abilene, Kan.-based Green Ford Sales, Inc. submitted $51,970 in payroll checks to First Bank Kansas through the bank’s online banking website, according to the blog Krebs on Security.

The bank’s authentication program sent the company's controller an e-mail to confirm and approve the transaction details, which he did. Unbeknownst to the controller, however, cybercriminals had infected his Windows PC with the infamous Zeus Trojan, a piece of malware engineered to aid criminals in hijacking online banking information.

With total access to the company’s online finances, the crooks were able to siphon $63,000, and even intercept the bank’s confirmation e-mail so the controller had no idea any illicit transaction took place.

Green Ford recovered $41,000, and although the company has since changed its security procedures, Krebs said that as long as PC viruses exist, online banking sessions will continue to be high-priced targets for cybercriminals.

“If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking Trojans,” Krebs wrote.
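The failure mode in the story is that the bank's confirmation travelled over a channel the Trojan already controlled (the controller's mailbox on the infected PC), and the confirmation itself carried no cryptographic link to the transaction the bank actually received. The example below is an added illustration, not code from Krebs, First Bank Kansas or Green Ford: it contrasts a bare in-band "approve" with a transaction-bound code of the kind a "what you see is what you sign" token produces, computed as an HMAC over payee and amount with the HOTP-style truncation of RFC 4226. The shared secret and the payee names are constructed; the $51,970 payroll figure is from the story, and the $63,000 "altered" transfer reuses the reported loss.

```python
"""Added example: in-band "approve" versus a transaction-bound code.

Not code from the story's bank or from Krebs on Security. The shared secret and
payee names are constructed; the amounts follow the figures reported above.
"""
import hashlib
import hmac
import struct


def transaction_code(secret: bytes, payee: str, amount_cents: int, counter: int) -> str:
    """8-digit code bound to payee, amount and a per-transaction counter.

    A token or phone app computes this over the details it displays, so the
    user signs what they see rather than what a Trojan rewrote in the browser.
    Truncation follows the dynamic-truncation step of RFC 4226 (HOTP).
    """
    msg = (payee.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents) + struct.pack(">Q", counter))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10**8:08d}"


def bank_verify(secret: bytes, payee: str, amount_cents: int, counter: int, code: str) -> bool:
    """Bank side: recompute the code over the transaction it actually received."""
    expected = transaction_code(secret, payee, amount_cents, counter)
    return hmac.compare_digest(expected, code)


def in_band_confirm(approve_clicked: bool) -> bool:
    """The model from the story: a yes/no with no transaction detail in it.

    Whatever controls the PC (and therefore the mailbox the confirmation lands
    in) can supply the click, and can hide the e-mail afterwards.
    """
    return approve_clicked


def scenario():
    """Return (in-band result, transaction-signing result) for a Zeus-style swap."""
    secret = b"constructed-shared-secret"           # provisioned to the user's token
    intended = ("Payroll Services Inc", 51_970_00)  # what the controller submitted
    altered = ("Mule Account 4471", 63_000_00)      # what the Trojan sent instead
    counter = 1

    # In-band: the Trojan answers "approve" on the controller's behalf.
    in_band_ok = in_band_confirm(approve_clicked=True)

    # Transaction signing: the user computes the code over the details shown
    # on the token (intended); the bank verifies over what it received (altered).
    code = transaction_code(secret, *intended, counter)
    signing_ok = bank_verify(secret, *altered, counter, code)
    return in_band_ok, signing_ok


if __name__ == "__main__":
    in_band_ok, signing_ok = scenario()
    print("in-band approve accepted:", in_band_ok)
    print("bound code accepted after swap:", signing_ok)
```

The binding is the point: because the code depends on payee and amount, a Trojan that changes either in transit produces a transaction the bank cannot verify, without the user needing a clean PC. The residual risk is social engineering that gets the user to key the attacker's payee and amount into the token, which is why the device must display what it is signing.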



For my Computer Security students. Not everyone fixes problems immediately – even some who should know better...

http://www.databreaches.net/?p=17772

Hundreds of College and Government websites still redirecting to fake stores

April 14, 2011 by admin

In January, I talked about high-profile websites, which had been hacked to redirect users to fake online stores. One unique aspect of the hack was the fact that the attackers had set up additional web servers on non-standard ports. Most of the domains I listed in the post were cleaned up pretty quickly.

Three months later, there are still a number of hijacked sites redirecting to the same fake stores. One day recently, I found 68 hijacked domains, mostly college and government sites, including:

Berkeley: cshe.berkeley.edu
Harvard: research4.dfci.harvard.edu
Purdue University: web.ics.purdue.edu
Oklahoma State University: osu.okstate.edu
Australian Government: brokenhill.ses.nsw.gov.au

Read more on The Security Blog.
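A site owner checking whether their own host is among those still redirecting needs to look at more than the HTTP status line, since the bounce can be a 3xx Location header, a meta refresh, or a script assignment to location. The example below is an added illustration, not code from The Security Blog or databreaches.net: it extracts every redirect target from a response and flags any that leaves the site or points at a non-standard port, the pattern the post describes. The responses and .example hostnames it runs over are constructed.

```python
"""Added example: flag responses that bounce visitors off-site or to an odd port.

Not code from The Security Blog or databreaches.net. The sample responses and
the .example hostnames below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# <meta http-equiv="refresh" content="0;url=http://...">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s;]+)', re.I)
# window.location = "http://..."   /   location.href = 'http://...'
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_targets(status, headers, body):
    """Collect every place this response tries to send the browser."""
    targets = []
    if 300 <= status < 400 and "location" in headers:
        targets.append(headers["location"])
    targets.extend(META_REFRESH.findall(body))
    targets.extend(JS_LOCATION.findall(body))
    return targets


def suspicious_redirects(site_host, status, headers, body):
    """Return (target, off_site, odd_port) for each target that leaves the site
    or points at a non-standard port; relative targets are ignored."""
    findings = []
    for target in redirect_targets(status, headers, body):
        parts = urlsplit(target)
        if not parts.netloc:
            continue
        host = (parts.hostname or "").lower()
        off_site = host != site_host and not host.endswith("." + site_host)
        odd_port = parts.port not in (None, 80, 443)
        if off_site or odd_port:
            findings.append((target, off_site, odd_port))
    return findings


# Constructed responses: (site_host, status, lowercase headers, body).
SAMPLES = [
    ("cshe.example", 302,
     {"location": "http://cheap-watches.example:8081/shop"}, ""),
    ("osu.example", 200, {},
     '<html><head><meta http-equiv="refresh" '
     'content="0;url=http://pills.example/"></head></html>'),
    ("web.example", 200, {},
     '<script>window.location.href="http://web.example:8085/store/";</script>'),
    ("web.example", 301,
     {"location": "https://web.example/new/"}, ""),   # benign in-site move
]


def scan_samples():
    return [suspicious_redirects(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, findings in zip(SAMPLES, scan_samples()):
        print(sample[0], findings or "clean")
```

When pointing this at a live site, fetch each page more than once: injected redirects of this kind are commonly served only to requests that look like search-engine traffic (a crawler User-Agent or a search-result Referer), so a plain browser fetch can come back clean while the compromise is still there. The third sample is the case the post calls out: the target is the site's own hostname, but on a port the legitimate web server never listens on.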



Add to your “If I ever become a Stalker” folder

http://www.makeuseof.com/tag/creepy-shows-geolocation-data-broadcast-online/

Creepy Shows Just How Much Geolocation Data You Broadcast Online

Enter someone’s Twitter or Flickr usernames and see everywhere they’ve been and when. If this sounds creepy then it is.

Ever wonder how much information geolocation leaves behind? As it turns out, quite a lot. The Creepy geolocation tool is a program for Ubuntu and Windows made primarily to demonstrate just how much information that is, and how easily it could be used for nefarious purposes.
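One of the data sources a tool like Creepy can draw on is the GPS block that phones and cameras write into a photo's EXIF metadata, which photo-sharing sites may expose unchanged. The example below is an added illustration, not Creepy's code or anything from the makeuseof article: it parses the TIFF/EXIF structure far enough to reach the GPS IFD and converts the degrees/minutes/seconds rationals to decimal coordinates. build_sample_exif() constructs the blob it runs on, with made-up coordinates, so the example runs offline.

```python
"""Added example: pull GPS coordinates out of a photo's EXIF block.

Not code from Creepy or the makeuseof article. The EXIF blob is constructed
by build_sample_exif() so the example runs offline; its coordinates are made up.
"""
import struct

GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5   # TIFF field types used here


def _ifd(tiff, e, off):
    """Read one IFD: {tag: (type, count, raw 4-byte value-or-offset)}."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, count, tiff[p + 8:p + 12])
    return entries


def _ascii(tiff, e, field):
    typ, count, raw = field
    if typ != ASCII:
        return None
    if count <= 4:                      # values of 4 bytes or fewer sit inline
        data = raw[:count]
    else:
        (off,) = struct.unpack(e + "I", raw)
        data = tiff[off:off + count]
    return data.split(b"\x00")[0].decode("ascii", "replace")


def _rationals(tiff, e, field):
    typ, count, raw = field
    if typ != RATIONAL:
        return None
    (off,) = struct.unpack(e + "I", raw)
    nums = struct.unpack(e + "I" * (2 * count), tiff[off:off + 8 * count])
    return [nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in range(0, 2 * count, 2)]


def _to_decimal(dms, ref):
    degrees, minutes, seconds = dms
    value = degrees + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def gps_from_exif(exif: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if absent."""
    tiff = exif[6:] if exif.startswith(b"Exif\x00\x00") else exif
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order of the TIFF header
    if e is None or len(tiff) < 8:
        return None
    magic, ifd0_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        return None
    ifd0 = _ifd(tiff, e, ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _ifd(tiff, e, gps_off)
    try:
        lat = _to_decimal(_rationals(tiff, e, gps[GPS_LAT]), _ascii(tiff, e, gps[GPS_LAT_REF]))
        lon = _to_decimal(_rationals(tiff, e, gps[GPS_LON]), _ascii(tiff, e, gps[GPS_LON_REF]))
    except (KeyError, TypeError, struct.error):
        return None
    return lat, lon


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Construct a minimal little-endian EXIF blob carrying only a GPS IFD."""
    e = "<"

    def entry(tag, typ, count, raw):
        return struct.pack(e + "HHI", tag, typ, count) + raw

    gps_off = 8 + 2 + 12 + 4                 # IFD0 holds one entry
    data_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD holds four entries
    header = b"II" + struct.pack(e + "HI", 42, 8)
    ifd0 = (struct.pack(e + "H", 1)
            + entry(GPS_IFD_POINTER, LONG, 1, struct.pack(e + "I", gps_off))
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, ASCII, 2, lat_ref.encode() + b"\x00\x00\x00")
           + entry(GPS_LAT, RATIONAL, 3, struct.pack(e + "I", data_off))
           + entry(GPS_LON_REF, ASCII, 2, lon_ref.encode() + b"\x00\x00\x00")
           + entry(GPS_LON, RATIONAL, 3, struct.pack(e + "I", data_off + 24))
           + struct.pack(e + "I", 0))
    data = b"".join(struct.pack(e + "II", *r) for r in lat_dms + lon_dms)
    return b"Exif\x00\x00" + header + ifd0 + gps + data


def sample_coordinates():
    # Constructed fix: 40 deg 26' 46" N, 79 deg 58' 56" W
    blob = build_sample_exif(((40, 1), (26, 1), (46, 1)), "N",
                             ((79, 1), (58, 1), (56, 1)), "W")
    return gps_from_exif(blob)


if __name__ == "__main__":
    print(sample_coordinates())
```

To check a real JPEG, feed gps_from_exif() the APP1 segment (the bytes that follow the 0xFFE1 marker and its two-byte length); if it returns a coordinate pair, that is what anyone who can download the file gets. Stripping EXIF before upload is the corresponding defence, and the parser deliberately returns None rather than guessing when the GPS tags are missing or malformed.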



The pendulum swings back...

http://www.pogowasright.org/?p=22401

FL Sup. Ct: Dog sniff of home violates Fourth Amendment

April 14, 2011 by Dissent

So no sooner than I post a link to an article of how courts have expanded dog sniffs (drugs) to the home, than John Wesley Hall of FourthAmendment.com points me to a decision overturning some previous rulings:

The Florida Supreme Court held today that a dog sniff in the home violates the Fourth Amendment. The court discusses all cases decided to this point from all jurisdictions. Jardines v. State, SC08-2101 (April 14, 2011)

Read the excerpt on FourthAmendment.com



Perhaps not the best way to deflect the question. Likely to stir up a “Streisand effect”.

http://yro.slashdot.org/story/11/04/14/2323203/RIM-Co-CEO-Cries-No-Fair-On-Security-Question?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

RIM Co-CEO Cries 'No Fair' On Security Question

"When asked about letting governments in Asia and the Middle East into the 'secure' message service used by their BlackBerry devices, Mike Lazaridis, the co-chief executive of RIM, walked out of the interview and said, 'We've dealt with this, the question is no fair.' By 'dealt with,' we can only assume he meant: 'been paid handsomely to let governments read what they wish.'"



...and they knew they would be tested!

http://www.thetechherald.com/article.php/201115/7066/Trusteer-User-education-can-t-protect-against-social-engineering

Trusteer: User education can’t protect against social engineering

An experiment by security firm Trusteer has shown that even the most educated user can be fooled by a Phishing attack. By using 100 well-informed participants on social/business portal LinkedIn, Trusteer sent out messages similar to the ones site users would see on a regular basis. Interestingly, almost 70 percent of the test group fell for the con.

… Within the first 24 hours, 41 participants had fallen for the scam. Within seven days, 68 people had clicked the button. If this had been a real attack, those numbers would have marked a high return on a criminal’s investment. In all, Trusteer spent about 17 hours on the study.

As for the other 32 people, Boodaei explained that, when approached: “Sixteen said they haven't seen this email (it probably went into their spam folder). Seven said they usually don't read LinkedIn updates. Nine said that the update was not interesting enough for them to click the link.”


(Related) Don't use your real email address unless and until you trust the site on the receiving end.

http://www.smashingapps.com/2011/04/14/ten-great-tools-to-help-you-secure-from-spam-emails.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SmashingApps+%28Smashing+Apps%29

Ten Great Tools To Help You Secure From Spam Emails



Well, well, well. Look who is calling the kettle black. Interior has a history of making poor IT decisions.

http://yro.slashdot.org/story/11/04/14/2129252/Groklaw-Microsoft-Cloud-Services-Arent-FISMA-Certified?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Groklaw: Microsoft Cloud Services Aren't FISMA Certified

"If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part — it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in [actuality] its offering actually is. It calls Microsoft's FUD 'irresponsible.'"



Something for my Computer Security students to play with... Not free, but there is a free trial for up to 2,000 emails.

http://www.killerstartups.com/Web-App-Tools/spockly-com-analyze-who-emails-you?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Spockly.com - Analyze Who Emails You

Spockly gives sending and receiving emails a whole new layer - a social one. Spockly can take your existing inbox and turn it into a whole different entity, as you will become enabled to know more about any person who sends you an email.

That data is pulled from public sources. In no event does Spockly resort to cookies, and the kind of data people might mistakenly have made public is also obviated when figuring out who is who.

A service like Spockly is great for running targeted campaigns. The service has a dashboard that will let you look at different attributes such as the occupation of your contacts and their age to the influence they exert on the Internet, and then segment everything accordingly.

http://spockly.com/

[From the website:

And to those of you concerned about privacy, we only collect data that is publicly available on the web and we go further by anonymizing any personally identifiable information gleaned from social media.

This way, our customers get the maximum of marketing data with none of the privacy-related headaches.



For my Ethical Hackers.

http://www.reuters.com/article/2011/04/14/us-china-usa-cyberespionage-idUSTRE73D24220110414

Special report: In cyberspy vs. cyberspy, China has the edge

As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.

And at the moment, many experts believe China may have gained the upper hand.

Though it is difficult to ascertain the true extent of America's own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.

According to U.S. investigators, China has stolen terabytes of sensitive data -- from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. "The attacks coming out of China are not only continuing, they are accelerating," says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.


(Ditto)

http://www.bespacific.com/mt/archives/027011.html

April 13, 2011

Leaping Over the Firewall: A Review of Censorship Circumvention Tools

"A new Freedom House report found that while the majority of circumvention tools used to evade government censorship online perform similarly well, the country in which they are used and the nature of the censorship dictate their effectiveness. No one tool provides a silver bullet for security as governments become more sophisticated in filtering content and monitoring user activity. Freedom House recently released the findings of the report, which were based on user surveys..."



For my Graphic Design students: Blender is a free, open source 3D graphics application that can be used for modeling, texturing, skinning, animating, rendering, and creating interactive 3D applications, including video games, animated film, or visual effects.

http://news.slashdot.org/story/11/04/14/233225/Blender-257-Released-mdash-and-Its-Easy-To-Use?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Blender 2.57 Released — and It's Easy To Use!

"Past Blender releases, as capable as they were, had learning curves somewhere between straight up and down and 90 degrees. The release of Blender 2.57 changes all that. No longer are simple features 'non discoverable.' It has more or less a completely redesigned user interface that is clean, sensible and newbie friendly (hey, I'm using it!). It has a handy tab interface for Actions/Properties such as Render, Scene, World and Object etc. Plus, it's fast and CPU friendly. I'm running the official Blender standalone binary on Fedora 14, with 2GB RAM, Radeon X1300 (free drivers) and a cheap CPU Intel dual e2200. No more slow GUI, no more 100% unexplained CPU, just great stuff. Kudos to all who made this possible."



For my Website students

http://developers.slashdot.org/story/11/04/15/016225/Maqetta-Open-Source-HTML5-Editor-From-IBM?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Maqetta: Open Source HTML5 Editor From IBM

"IBM has released an online HTML5 editing tool called Maqetta, hosted by the Dojo Foundation. eWeek calls it an open source answer to Flash and Silverlight. That remains to be seen, but it does look interesting."

