What's New Many early attempts at 'Windows tech support' scams--with a caller telling the victim that their computer is sending out tech support requests--had a lower success rate because U.S. targets were put off by the heavily accented English of offshore scammers. Malwarebytes senior security researcher Jerome Segura now warns that similar scams are moving onshore, removing that particular red flag. Segura also said new variations on the theme include malicious websites that tell users to call a toll-free number for help 'fixing' their computers' problems. Segura told Computerworld's Gregg Keizer the story of how he discovered a particular Florida-based company called E-Racer Tech, which allegedly planted fake warnings on a number of domains. Segura called the provided 800 number and was told by the 'support tech' that Windows Event Viewer showed his computer had 127 infected files. He offered a $129 service that would remove the infections and provide Segura with a (pirated) copy of Malwarebytes Anti-Malware Premium to prevent future issues. For more: - read Keizer's article More on scams and malware: Tech support scams now targeting mobile devices Symantec uncovers 1200 malicious apps on Google Play Read more about: tech support scams back to top Russia continues to crack down on free or anonymous Internet usage. New laws require Russians to provide a passport-validated phone number in order to receive permission to log on to public wireless networks. (A passport is required to purchase a SIM card in the country.) Leonid Levin, deputy chairman of Russia's State Duma lower chamber, is quoted by the Wall Street Journal as saying "It will affect all public places .... the point is to make sure that people who use public wi-fi are responsible for the actions they choose to take online without creating additional difficulties for the users." The Register notes that this law follows several others passed this year, making Russian Internet access and usage more and more problematic. In May the government created a requirement that bloggers register with the state and pay a 1,000-ruble charge, and in July the country passed another law banning the storage of Russian citizens' data on servers outside of Russia. That law goes into effect in September 2016. For more: - read The Register's coverage More on Internet law: Dan Geer: Mandatory reporting of cybersecurity incidents needed for Internet health International cybercrime ring behind $16M StubHub theft taken down Target breach: From Russia, with malware Read more about: Russia back to top The more hacker-ish the show ethos, the more attention attendees should pay to their own behavior. That's a simple notion that's forgotten every year at RSA, Black Hat, DEF CON and dozens of other security conferences and expos. At CSOonline, Steve Ragan recounts two incidents--obfuscating the details a bit--from DEF CON last week. In the first instance, Ragan walked behind two security pros loudly discussing a sensitive startup project. Reciting the old "loose lips sink ships" mantra, Ragan points out several reason why divulging this information too soon could derail the project. The second incident leads a laundry list of sins. Apparently another DEF CON attendee discussed "shady" activities, left a laptop unattended, read sensitive emails (one including details of an Office 365 rollout that listed username and password) and so on. In both cases, the individuals involved divulged information that could feed a social engineering effort to obtain additional information and access. The Fierce Take: This certainly isn't the first time this issue has been raised; read a previous CSOonline recounting of how one social engineer claimed to have talked his way into the RSA show with no badge. Hackers and security pros issued a fair number of reminders and warnings on Twitter before and after Black Hat/DEF CON this year to help prevent social engineering tricks, cell phone data slurping and various other known problems at the show. For more: - read Ragan's post More on social engineering: US Marshals service gaffe leads to Bitcoin phishing scam 3 smarter ways to fight social engineering Social engineering: A short glossary of terms Read more about: RSA, DEF CON back to top All communication in cleartext? Check. No data authentication? Check. IOActive's CTO says traffic control systems are relatively easy to hack. Reporting at last week's Black Hat conference, Kelly Jackson Higgins said Cesar Cerrudo's presentation noted the vulnerability of sensors and systems that control stoplights and electronic traffic alerts. "It's about $100 million worth of equipment that can probably be bricked and cause a traffic jam," Cerrudo said. Many of the sensors in question are produced by Sensys Networks. Sensys provided no response to Dark Reading, while Cerrudo said the company had indicated to him that previous versions of the product used encryption, but that security feature was removed by customer request. Cerrudo carried in a backpack a prototype system for updating the sensors' firmware. Within a range of about 150 feet of the sensors' access point, he was able to passively connect to the Sensys systems. His Black Hat presentation noted that: - The sensors and access point communicate in cleartext;
- They don't authenticate data received;
- The firmware itself is not encrypted.
Cerrudo acknowledged that his prototype system included some fairly specialized hardware. However, he said the multiple vulnerabilities mean that a knowledgeable hacker could update the devices' firmware and gain control of the traffic control system at a given intersection. For more: - read Jackson's writeup at Dark Reading More on control system security: Lack of control systems security is 'shocking and insane' Heartbleed scan shows most companies are still vulnerable Critical infrastructure: All together now Read more about: Traffic Control Systems back to top Another federal agency decried the potential dangers of Bitcoin and other virtual currencies Monday. The Consumer Financial Protection Bureau released a consumer advisory highlighting known scams and shortcomings of cryptocurrencies. The agency also announced it would begin accepting complaints pertaining to specific virtual currencies or companies that deal in them. Among the dangers detailed in the bulletin--including hackers, fewer protections than fiat currencies and scams dependent on cryptocurrency's digital nature--the CFPB provided some tips to help users protect themselves when entering the "Wild West" to buy virtual currency. Some of those tips include: - "Know who you're dealing with if you decide to buy." If there are complications in your purchases, it can be difficult to communicate with the other side of the deal thanks to the anonymous nature of virtual currencies.
- "Bitcoin ATMs are not ATMs at all." They are mainly for deposits, lack many safeguards users have come to expect from ATMs and can charge as much as 7 percent in transaction fees.
- "Be prepared to weather very large price fluctuations." The cryptocurrency markets are notorious for big swings in price, and have seen a "one-day price drop … as big as 80 percent" in 2014.
- "If it seems too good to be true, it may be." As FierceITSecurity has reported, many of the scams associated with Bitcoin and the like are old rackets with a digital facelift. Those include such classics as the Ponzi scheme and extortion.
The agency further says that storage of virtual currencies is no sure thing either. Hackers can access wallets if they are on a network, lost or forgotten passwords will make currencies unattainable and there is no safety net--such as the FDIC--for ruinous behavior (self-inflicted or otherwise). For more: - read the Consumer Finance Protection Bureau's consumer advisory Related Articles: Proposed NY Bitcoin regulation to secure market draws criticism U.S. Marshals Service gaffe leads to Bitcoin phishing scam Bitcoin mining malware hidden in Google Play apps Read more about: scam back to top |
No comments:
Post a Comment
Keep a civil tongue.