Sponsor

2014/08/12

| 08.12.14 | Tricky Windows tech support scams move onshore

If you are unable to see the message below, click here to view.

What's New:
1. Windows tech support scams move onshore
2. Russians now need passport to use public wireless
3. Social engineering blunders at security shows
4. Red light: Traffic control systems easy to hack
5. Federal agency releases advice for safely investing in Bitcoin

Spotlight:
Mobile payment vendor Square dives into bug bounty game

Also Noted:
Yahoo CISO on security at Web scale; Making of a cybercrime market; more Much more...

News From The Fierce Network:
1. The role of mobile tech in treating mental health issues
2. Web site allows tech pros to auction off their talents
3. Microsoft's August patch resolve bugs in IE, Windows, server apps

FierceITSecurity

August 12, 2014

Subscribe | Website
Refer FierceITSecurity to a Colleague

This week's sponsors:
PGi
Dell
GLOBO



 Follow @fierceitsec on Twitter


This week's sponsor is PGi.

Webinar: IT and Marketing: Extreme Collaboration
Tuesday, August 26th, 2pm ET / 11am PT | New Editorial Event!

Media outlets love to focus on the tension between IT and marketing. But if it's a war, both sides lose. Instead, CIOs have to partner with CMOs to help deliver on aggressive business goals in an ever-changing landscape. Register Today!


Sponsor: GLOBO

Webinars

> IT and Marketing: Extreme Collaboration - Tuesday, August 26th / 2pm ET / 11am PT
> Advancing the federal cybersecurity workforce - Wednesday, September 10th | 2pmET/11amPT

Marketplace

> Whitepaper: Supporting VDIs and Thin Clients
> eBook: eBrief | Making BYOD Work: 4 Critical Strategies for Midmarket and SMB Companies

This week's sponsor is Dell.
UnboundID
Webinar: Advancing the federal cybersecurity workforce
Wednesday, September 10th, 2pm ET/ 11am PT

Join NIST and NICE leaders as they explore The National Cybersecurity Workforce Framework, innovative spproaches to cybersecurity training and workforce improvement, the broader focus of NICE in advancing cybersecurity awareness nationawide, and more! Register Today!

What's New

1. Windows tech support scams move onshore

By Derek C. Slater Comment | Forward | Twitter | Facebook | LinkedIn

Many early attempts at 'Windows tech support' scams--with a caller telling the victim that their computer is sending out tech support requests--had a lower success rate because U.S. targets were put off by the heavily accented English of offshore scammers.

Malwarebytes senior security researcher Jerome Segura now warns that similar scams are moving onshore, removing that particular red flag. Segura also said new variations on the theme include malicious websites that tell users to call a toll-free number for help 'fixing' their computers' problems.

Segura told Computerworld's Gregg Keizer the story of how he discovered a particular Florida-based company called E-Racer Tech, which allegedly planted fake warnings on a number of domains. Segura called the provided 800 number and was told by the 'support tech' that Windows Event Viewer showed his computer had 127 infected files. He offered a $129 service that would remove the infections and provide Segura with a (pirated) copy of Malwarebytes Anti-Malware Premium to prevent future issues.

For more:
- read Keizer's article

More on scams and malware:
Tech support scams now targeting mobile devices
Symantec uncovers 1200 malicious apps on Google Play

 

Read more about: tech support scams
back to top


This week's sponsor is GLOBO.

eBrief | Making BYOD Work: 4 Critical Strategies for Midmarket and SMB Companies

Bring-your-own-device (BYOD) can be a blessing for mid-size and small businesses. But getting the real payoff requires some attention to details that may differ from those at large enterprises. This FierceMobileIT eBrief provides practical advice for making BYOD work. Download today.


2. Russians now need passport to use public wireless

By Derek C. Slater Comment | Forward | Twitter | Facebook | LinkedIn

Russia continues to crack down on free or anonymous Internet usage.

New laws require Russians to provide a passport-validated phone number in order to receive permission to log on to public wireless networks. (A passport is required to purchase a SIM card in the country.)

Leonid Levin, deputy chairman of Russia's State Duma lower chamber, is quoted by the Wall Street Journal as saying "It will affect all public places .... the point is to make sure that people who use public wi-fi are responsible for the actions they choose to take online without creating additional difficulties for the users."

The Register notes that this law follows several others passed this year, making Russian Internet access and usage more and more problematic. In May the government created a requirement that bloggers register with the state and pay a 1,000-ruble charge, and in July the country passed another law banning the storage of Russian citizens' data on servers outside of Russia. That law goes into effect in September 2016.

For more:
- read The Register's coverage

More on Internet law:
Dan Geer: Mandatory reporting of cybersecurity incidents needed for Internet health
International cybercrime ring behind $16M StubHub theft taken down
Target breach: From Russia, with malware

Read more about: Russia
back to top


3. Social engineering blunders at security shows

By Derek C. Slater Comment | Forward | Twitter | Facebook | LinkedIn

The more hacker-ish the show ethos, the more attention attendees should pay to their own behavior.

That's a simple notion that's forgotten every year at RSA, Black Hat, DEF CON and dozens of other security conferences and expos. At CSOonline, Steve Ragan recounts two incidents--obfuscating the details a bit--from DEF CON last week.

In the first instance, Ragan walked behind two security pros loudly discussing a sensitive startup project. Reciting the old "loose lips sink ships" mantra, Ragan points out several reason why divulging this information too soon could derail the project.

The second incident leads a laundry list of sins. Apparently another DEF CON attendee discussed "shady" activities, left a laptop unattended, read sensitive emails (one including details of an Office 365 rollout that listed username and password) and so on.

In both cases, the individuals involved divulged information that could feed a social engineering effort to obtain additional information and access.

The Fierce Take: This certainly isn't the first time this issue has been raised; read a previous CSOonline recounting of how one social engineer claimed to have talked his way into the RSA show with no badge.

Hackers and security pros issued a fair number of reminders and warnings on Twitter before and after Black Hat/DEF CON this year to help prevent social engineering tricks, cell phone data slurping and various other known problems at the show.

For more:
- read Ragan's post

More on social engineering:
US Marshals service gaffe leads to Bitcoin phishing scam
3 smarter ways to fight social engineering
Social engineering: A short glossary of terms

Read more about: RSA, DEF CON
back to top


4. Red light: Traffic control systems easy to hack

By Derek C. Slater Comment | Forward | Twitter | Facebook | LinkedIn

All communication in cleartext? Check. No data authentication? Check.

IOActive's CTO says traffic control systems are relatively easy to hack.

Reporting at last week's Black Hat conference, Kelly Jackson Higgins said Cesar Cerrudo's presentation noted the vulnerability of sensors and systems that control stoplights and electronic traffic alerts. "It's about $100 million worth of equipment that can probably be bricked and cause a traffic jam," Cerrudo said.

Many of the sensors in question are produced by Sensys Networks. Sensys provided no response to Dark Reading, while Cerrudo said the company had indicated to him that previous versions of the product used encryption, but that security feature was removed by customer request.

Cerrudo carried in a backpack a prototype system for updating the sensors' firmware. Within a range of about 150 feet of the sensors' access point, he was able to passively connect to the Sensys systems. His Black Hat presentation noted that:

  • The sensors and access point communicate in cleartext;
  • They don't authenticate data received;
  • The firmware itself is not encrypted.

Cerrudo acknowledged that his prototype system included some fairly specialized hardware. However, he said the multiple vulnerabilities mean that a knowledgeable hacker could update the devices' firmware and gain control of the traffic control system at a given intersection.

For more:
- read Jackson's writeup at Dark Reading

More on control system security:
Lack of control systems security is 'shocking and insane'
Heartbleed scan shows most companies are still vulnerable
Critical infrastructure: All together now

Read more about: Traffic Control Systems
back to top


5. Federal agency releases advice for safely investing in Bitcoin

By Robert Bartley Comment | Forward | Twitter | Facebook | LinkedIn

Another federal agency decried the potential dangers of Bitcoin and other virtual currencies Monday.

The Consumer Financial Protection Bureau released a consumer advisory highlighting known scams and shortcomings of cryptocurrencies. The agency also announced it would begin accepting complaints pertaining to specific virtual currencies or companies that deal in them.

Among the dangers detailed in the bulletin--including hackers, fewer protections than fiat currencies and scams dependent on cryptocurrency's digital nature--the CFPB provided some tips to help users protect themselves when entering the "Wild West" to buy virtual currency. Some of those tips include:

  • "Know who you're dealing with if you decide to buy." If there are complications in your purchases, it can be difficult to communicate with the other side of the deal thanks to the anonymous nature of virtual currencies.
  • "Bitcoin ATMs are not ATMs at all." They are mainly for deposits, lack many safeguards users have come to expect from ATMs and can charge as much as 7 percent in transaction fees.
  • "Be prepared to weather very large price fluctuations." The cryptocurrency markets are notorious for big swings in price, and have seen a "one-day price drop … as big as 80 percent" in 2014.
  • "If it seems too good to be true, it may be." As FierceITSecurity has reported, many of the scams associated with Bitcoin and the like are old rackets with a digital facelift. Those include such classics as the Ponzi scheme and extortion.

The agency further says that storage of virtual currencies is no sure thing either. Hackers can access wallets if they are on a network, lost or forgotten passwords will make currencies unattainable and there is no safety net--such as the FDIC--for ruinous behavior (self-inflicted or otherwise).

For more:
- read the Consumer Finance Protection Bureau's consumer advisory

Related Articles:
Proposed NY Bitcoin regulation to secure market draws criticism
U.S. Marshals Service gaffe leads to Bitcoin phishing scam
Bitcoin mining malware hidden in Google Play apps

Read more about: scam
back to top


Also Noted

TODAY'S SPOTLIGHT... Mobile payment vendor Square dives into bug bounty game

ThreatPost reports that Square--which enables credit and debit card payments via smartphone--has hired prominent security researcher Dino Dai Zovi and initiated a bounty program for others to help the company identify vulnerabilities in its Square.com and Squareup.com websites. Square is using the HackerOne platform, which allows each participating company to set its own rules and scope. Read more.

 

 

> Yahoo CISO details challenge of security at scale (ESecurityPlanet)
> New calls for a common hardware vulnerability database (Security Ledger)
> The making of a cybercrime market (CSO)
> Mobile chips face lockdown to prevent hacks (ITWorld)

And Finally... Passwords aren't the problem--we are (Infoworld)

 

Webinars

> IT and Marketing: Extreme Collaboration - Tuesday, August 26th / 2pm ET / 11am PT

Media outlets love to focus on the tension between IT and marketing. But if it's a war, both sides lose. Instead, CIOs have to partner with CMOs to help deliver on aggressive business goals in an ever-changing landscape. Register Today!

> Advancing the federal cybersecurity workforce - Wednesday, September 10th | 2pmET/11amPT

Join NIST and NICE leaders as they explore The National Cybersecurity Workforce Framework, innovative spproaches to cybersecurity training and workforce improvement, the broader focus of NICE in advancing cybersecurity awareness nationawide, and more! Register Today!

Marketplace

> Whitepaper: Supporting VDIs and Thin Clients

Companies have already begun deploying VDIs and thin clients (like Google's Chromebook) on a massive scale. The low-cost, easily deployed workstations present a significant cost savings for companies, but require unique tools to support them. This whitepaper, written by Proxy Networks, outlines the best way to do that. Download now.

> eBook: eBrief | Making BYOD Work: 4 Critical Strategies for Midmarket and SMB Companies

Bring-your-own-device (BYOD) can be a blessing for mid-size and small businesses. But getting the real payoff requires some attention to details that may differ from those at large enterprises. Download this eBrief to get more practical advice for making BYOD work.


©2014 FierceMarkets, a division of Questex Media Group LLC This email was sent to ignoble.experiment@arconati.us as part of the FierceITSecurity email list which is administered by FierceMarkets, 1900 L Street NW, Suite 400, Washington, DC 20036, (202) 628-8778.
Refer FierceITSecurity to a Colleague

Contact Us

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.

Advertise

General advertising: Jack Fordi. Press releases: Fred Donovan. Request a media kit.

Email Management

Manage your subscription

Change your email address

Unsubscribe from FierceITSecurity

No comments:

Post a Comment

Keep a civil tongue.

Label Cloud

Technology (1464) News (793) Military (646) Microsoft (542) Business (487) Software (394) Developer (382) Music (360) Books (357) Audio (316) Government (308) Security (300) Love (262) Apple (242) Storage (236) Dungeons and Dragons (228) Funny (209) Google (194) Cooking (187) Yahoo (186) Mobile (179) Adobe (177) Wishlist (159) AMD (155) Education (151) Drugs (145) Astrology (139) Local (137) Art (134) Investing (127) Shopping (124) Hardware (120) Movies (119) Sports (109) Neatorama (94) Blogger (93) Christian (67) Mozilla (61) Dictionary (59) Science (59) Entertainment (50) Jewelry (50) Pharmacy (50) Weather (48) Video Games (44) Television (36) VoIP (25) meta (23) Holidays (14)

Popular Posts (Last 7 Days)