used under creative commons from johnsnape's Flickr

Second step in password reset

• Upon enrolling in the system, cardholders should be requested to set a “Secret question” which will later serve as authentication data for a passsword change.

 

• Instead of simply clicking through to the reset screen, a one time password reset URL should be delivered to a registered email address.

 

• Whever a change to the account details is requested, or is succesful, the registered email address should receive a notification message.

 

 
Oh, one more thing, it would be really great if I could use special characters in my password, please.
 

used by permission from flattop341 Flickr photostream

Trend Micro and the FBI are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history.
 
This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. more than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.
 
If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.
 
First you will need to discover what your current DNS server settings are:
 
On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, in the  Search box type “cmd” and hit return (for Windows 95 users, select “Start“, then “Run“).This should open a black window with white text. In this window type “ipconfig /all” and hit return. Look for the entry that reads “DNS Servers” and note down the numeric addresses that are listed there.
 
On a Mac (yes they can be victims too), click on the Apple icon in the top left of your screen and select “System Preferences“, from the Preferences panel select the “Network” icon. Once this window opens, select the currently active network connection on the left column and over on the right select the DNS tab. note down the addresses of the DNS servers that your computer is configured to use.
 
You can check to see if these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI, simply enter the IP addreses, one by one and click the “check ip” button.
 
If you feel that you computer may have been infected, you can visit Trend Micro’s HouseCall for a free scan and clean-up and notify the FBI by submitting this form. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.
 
Ongoing updates on this threat can be found on our Operation Ghost Click landing page.
 

 
Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

 
Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.
 
What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.
 
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember
 
As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.
 
Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.
 

My notification mail from Hilton HHonors

• Pay careful attention to emails your receive in the coming months, perhaps years.
• Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
• Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
• Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
• To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

 
And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.
 

Tweet from the New York Times after they fell victim to criminal ads

  
Web site owners use trusted content networks to provide advertisements for their websites, and criminals are actively targeting this trust relationship as it represents a weak link in the chain of content control. Criminals create shell companies to place advertisements that hide malicious content in ads that are subsequently placed with high profile advertising networks. These malvertisements are then syndicated across many hundreds of web sites silently infecting as many victims as possible, as these examples illustrate.
  
Malvertisments, as they are referred to, have become increasingly common over the past few years and continue to be a growing problem. The potential number of victims available to criminals through a syndicated ad will often far outstrips the potential return for compromising an individual website. Internet users are unknowingly putting themselves at risk when they visit legitimate websites, which happen to be carrying malvertisements, designed to invisibly and automatically infect them through drive-by downloads. A drive-by download usually involves a chain of events; the victim visits a website which in this case is carrying a malvertisement, the malvertisement will contain content (most often JavaScript or Adobe Flash) which will be automatically executed by the browser. The purpose of the JavaScript is to automatically and invisible redirect the browser to a server hosting exploits (commonly a criminal exploit kit such as Yes!, Eleonore or Phoenix for example) these exploits are then used to push out the final malicious payload of the criminal’s choosing. In some cases exploits for technologies such as Adobe Flash are embedded directly within the malvertisements and this has the same end result of delivering a malicious payload. Once infected, your PC is compromised or your virtual wallet lifted in a number of ways; from pushing fake security software which attempts to fool the you into believing that your PC is infected with any number of entirely bogus malware which only this (paid-for) application can remove, to criminals stealing your personal or financial details and/or obtaining remote access to your PC.
  
So where does the responsibility lie? Is it with the web site that is hosting the malicious adverts, the network distributing them, or the consumer who visits the website? Really the responsibility, as well as the potential for damage, is shared. Web site owners and ad-networks alike suffer embarrassing brand damage when their customers are infected and the victim of course suffers the pain of information or identity theft and financial loss.
  
It is certainly true to say that if the right checks and balances were in place the problem would largely cease to exist, at least on legitimate websites. Clients of ad-networks should be applying pressure to their provider of choice to ensure that the appropriate checks are made before the advert goes out. Ideally, automated systems need to be in place at the advertising content providers, to run the ads through a sandbox before they are released into the public domain, checking for any kind of active or malicious code. Third party providers should perform specific checks to verify URLs and detect any unexpected or unwanted behaviour such as automated redirections, even if not malicious no web user wants to be bounced off to a third party website simply as a result of rendering an ad in their browser and no website owner would want their visitors stolen in this way either!
  
In the meantime, Internauts should ensure that they have the appropriate anti-malware software installed on their PC to minimise the risk. Free options include tools such as Browser Guard, which blocks exploit attempts and detects malicious JavaScript, stopping it from executing. When choosing anti-malware software, it’s important not to focus purely on software that will scan for bad files, but also that will stop PCs (and not just browsers) from connecting to malicious destinations.
 

Image from MJ/TR Flickr under Creative Commons

“I’m the developer of the original Guitar Solo Lite. I noticed the rogue app a bit more than a week ago (I was receiving crash reports sent from the pirated version of the app). I notified Google about this through all the channels I could think of: DCMA notice, malicious app reporting, Android Market Help…they have yet to respond. Thankfully this was posted on Reddit, since after the post the rogue dev and all his apps have been removed from the market. There really should be a faster/easier way to get Google to act on it!”

 
Trend Micro detect this threat (popularly known as DroidDream) as ANDROIDOS_LOTOOR.A, further details in the link.
 
During the five days these apps were available an estimated 50,000 downloads have taken place. Google have now pulled the apps and blocked the rogue developer from Android marketplace, they have also remotely removed the apps from affected handsets. Of course this remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection. So if you are one of the estimated 50,000 people who have downloaded these malicious apps it could be worth your while investigating the possibility of getting a replacement handset or reinstalling the operating system on the one you have if possible.
 
The Android app ecosystem is by definition open, there is a wide array of app stores available and apps can be published to the user community in minutes. This greater openness of the developer environment has been argued to foster an atmosphere of creativity, but as Facebook have already discovered it is also a very attractive criminal playground.
 
It is worth remembering that full security suites are now available for Google Android, such as this one. The number of threats to mobile platforms is growing and growing at a steady rate. Of course the sheer volume of mobile malware  is a long way from the epidemic proportions of Windows based malware, but criminal interest is clearly there and growing. We see multi-platform attacks distributed by the same criminal groups that traditionally have focused on Wintel systems, and the growth in complexity of threats, for example ZeuS malware now incorporating mobile elements aimed at intercepting SMS banking authentication codes is striking. Criminals are driven by consumer behaviour and as the money-making opportunities move to mobile platforms criminals will, in fact already are, following.
 
A full list of the trojanised apps, published by Myournet, is:

• Falling Down
• Super Guitar Solo
• Super History Eraser
• Photo Editor
• Super Ringtone Maker
• Super Sex Positions
• Hot Sexy Videos
• Chess
• äž‹ć æ»šçƒ_Falldown
• Hilton Sex Sound
• Screaming Sexy Japanese Girls
• Falling Ball Dodge
• Scientific Calculator
• Dice Roller
• èșČ避ćŒč球
• Advanced Currency Converter
• App Uninstaller
• ć‡ äœ•æˆ˜æœș_PewPew
• Funny Paint
• Spider Man
• 蜘蛛䟠

 
The Guardian have published an expanded list of apps believed to be trojanised in this way here.
 

used under creative commons from rieh's Flickr

“Our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website. For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.”

 
I was initially alerted to the attack by one of my own friends whose card, along with her husband’s have subsequently been used to make fraudulent purchases totalling almost ÂŁ6000 from well-known online retailers.
 
The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality.
 
For the most part shopping online is as safe as shopping in store, but when a compromise occurs at an online merchant often its consequences are far greater, affecting many more people than in store card cloning due to the centralised nature of online stores. If you feel you may have been affected, contact your bank immediately.
 
Consumers should be demanding more services such as one-time credit card numbers from their financial institutions to afford them more protection when shopping online. One-time credit card numbers were introduced back in 2000 by AmEx but have not been as widely adopted by consumers as I would have expected. Talk to your bank, find out what security they offer for online shopping.
 
Lush haven’t gone public over exactly how the information was accessed, but it’s never a bad idea to restate a few best practices for securing web applications:
 

• Keep them patched.
• NEVER store sensitive data in clear text (in fact this is a PCI requirement).
• Get them regularly vulnerability scanned from the inside as well as the outside.
• Use strong authentication (2 factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies can lead to session hijacking.
• Bounds checking of input data helps to avoid buffer overflows and SQL injection type attacks.
• Provide access to information on a Need to Know basis and always provide it with Least Privilege.
• Don’t provide detailed error information to browsers, you don’t expect your customers to debug your application, so don’t give up that error message.