Slashdot Mirror

An anonymous reader quotes a report from The New York Times: In weekly online posts last year, WikiLeaks released a stolen archive of secret documents about the Central Intelligence Agency's hacking operations, including software exploits designed to take over iPhones and turn smart television sets into surveillance devices. It was the largest loss of classified documents in the agency's history and a huge embarrassment for C.I.A. officials. Now, The New York Times has learned the identity of the prime suspect in the breach (Warning: source may be paywalled; alternative source): a 29-year-old former C.I.A. software engineer who had designed malware used to break into the computers of terrorism suspects and other targets.

F.B.I. agents searched the Manhattan apartment of the suspect, Joshua A. Schulte, one week after WikiLeaks released the first of the C.I.A. documents in March last year, and then stopped him from flying to Mexico on vacation, taking his passport, according to court records and family members. The search warrant application said Mr. Schulte was suspected of "distribution of national defense information," and agents told the court they had retrieved "N.S.A. and C.I.A. paperwork" in addition to a computer, tablet, phone and other electronics. But instead of charging Mr. Schulte in the breach, referred to as the Vault 7 leak, prosecutors charged him last August with possessing child pornography, saying agents had found the material on a server he created as a business in 2009 while he was a student at the University of Texas.

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.
Similar results were reported in Verizon's 2016 Data Breach Investigations Report.

Biological engineers at a Department of Energy lab "are experimenting with encrypted DNA storage for archival applications." Slashdot reader ancientribe shares an article from Dark Reading: Using this method, the researchers could theoretically store 2.2 petabytes of information in one gram of DNA. That's 200 times the printed material at the Library of Congress... Instead of needing a 15,000 square-foot building to store 35,000 boxes of inactive records and archival documents, Sandia National Laboratories can potentially store information on much less paper, in powder form, in test tubes or petri dishes, or even as a bacterial cell... "Hard drives fail and very often the data can't be recovered," explains Bachand. "With DNA, it's possible to recover strands that are 10,000 to 20,000 years old... even if someone sneezes and the powder is lost, it's possible to recover all the information by just recovering one DNA molecule."

Joseph Cox, reporting for Motherboard: After details emerged of Stuxnet, arguably the world's first digital weapon, there were concerns that other hackers would copy its techniques. Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Although the copycat malware -- dubbed IRONGATE by cybersecurity company FireEye -- only works in a simulated environment it, like Stuxnet, replaces certain types of files, and was seemingly written to target a specific control system configuration. [...] IRONGATE works within a simulated Siemens environment called PLCSIM, used for testing programs before they are pushed out into the field. Like Stuxnet, IRONGATE replaces a Dynamic Link Library (DLL), a small collection of code that can be used by different programs at the same time, with a malicious one of its own. IRONGATE's DLL records five seconds of traffic from the Siemens' system to the user interface, and replays it over again, potentially tricking whoever is monitoring the system into thinking everything is fine, while the malware might manipulate something else in the background.Dark Reading's coverage on this is also worth a read.

Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

An anonymous reader writes: A project called 'Gridstrike' found that free and publicly available information can be used to determine the most critical electric substations in the US, which if attacked, could result in a nationwide blackout. Researchers from iSIGHT Partners used a combination of publicly available transmission substation information, maps, Google Earth, and grid congestion documentation, and drew correlations among the substations that serve the top ten cities in the US. They ID'ed 15 substations that if attacked and knocked offline would result in a nationwide blackout, they say. Their research took the spin of whether a homegrown terror group with little funding could get this crucial information. The study was inspired by the 2013 Federal Energy Regulatory Commission (FERC) study in 2013 that found that attacks on just nine electric substations in the U.S. could cause a blackout across the entire grid.

ancientribe writes: Microsoft has invested $1 billion over the past year in security and doubled its number of security executives, according to company's CISO Bret Arsenault. In an address today (webcast), CEO Satya Nadella officially announced the launch of a new managed security services group and a new cyber defense operations center — all part of its new strategy of holistic and integrated security across its products and services. Microsoft execs rarely detail the company's strategy so publicly, so that in itself underlines how security is a major element in its strategy.

ancientribe writes: Two models of Virginia State Police cruisers were hacked in an experiment to expose vulnerabilities in the vehicles and to come up with ways to protect the cars from hackers. Mitre Corp., the Virginia Dept. of Motor Vehicles, the University of Virginia, and other organizations in cooperation with DHS and the DOT demonstrated the attacks on an unmarked 2012 Chevrolet Impala and a marked patrol car, a 2013 Ford Taurus. GM and Ford even provided their comments to the press in the wake of the experiment.

An anonymous reader writes: The past several weeks have been rife with major vulnerabilities in modern cars, but none were so dramatic as when Charlie Miller and Chris Valasek tampered with the systems on a moving Jeep Cherokee. Now, Miller and Valasek have left their jobs to join a research laboratory for Uber. It's the same lab that became home for a number of autonomous vehicle experts poached from Carnegie Mellon University. From the article: "As Uber plunges more deeply into developing or adapting self-driving cars, Miller and Valasek could help the company make that technology more secure. Uber envisions autonomous cars that could someday replace its hundreds of thousands of contract drivers. The San Francisco company has gone to top-tier universities and research centers to build up this capability."

ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

PLAR writes It turns out LaserWash automatic car washes can be easily hacked via the Internet to get a free wash or to manipulate the machines that clean the cars, a security researcher has found. Billy Rios says these car washes have web interfaces with weak/default passwords which, if obtained, could allow an attacker to telnet in and use an HTTP GET request to control the machines. Rios adds that this probably isn't the only car wash brand that's vulnerable.

New submitter PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.

An anonymous reader writes: The folks at the USPS have responded to the recent breach that exposed data on 800K employees and another some 2.8 million customers. They have suspended telecommuting for all employees until further notice while they replace their VPN with a more secure version. "Additionally, the postal service will upgrade some of its equipment and systems in the coming weeks and months as part of a broad security overhaul in response to the breach."

daten writes A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in a report released today by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years. The group united as part of Microsoft's Coordinated Malware Eradication (CME) campaign against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.

Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to Researchers Charlie Miller and Chris Valasek. Millar and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).

ancientribe writes: If you're wondering whether the most tech-loaded vehicles are also the most vulnerable to hackers, there is now research that shows it. Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of security intelligence at IOActive, studied modern auto models and concluded that the 2014 Jeep Cherokee, the 2014 Infiniti Q50, and the 2015 Escalade are the most likely to get hacked. The key is whether their networked features that can communicate outside the vehicle are on the same network as the car's automated physical functions. They also name the least-hackable cars, and will share the details of their new findings next week at Black Hat USA in Las Vegas.

ancientribe writes "Cyber security pro Kerstyn Clover in this Dark Reading post shares some rare insight into what it's like to be a woman in the field. She ultimately found her way to her current post as a member of the incident response and forensics team at SecureState, despite the common societal hurdles women face today in the STEM field: 'I taught myself some coding and computer repair in probably the most painstaking ways possible, but my experiences growing up put me at a disadvantage that I am still working to overcome,' she writes."

mask.of.sanity writes "Google has revealed details on its Beyond Corp project to scrap the notion of a corporate network and move to a zero-trust model. The company perhaps unsurprisingly considers the traditional notion of perimeter defense and its respective gadgetry as a dead duck, and has moved to authenticate and authorize its 42,000 staff so they can access Google HQ from anywhere (video). Google also revealed it was perhaps the biggest Apple shop in the world, with 43,000 devices deployed and staff only allowed to use Windows with a supporting business case."

CowboyRobot writes "The incentives are high for many businesses and government agencies to not be too heavy handed in combating the global botnet pandemic. There's money to be had and, with each passing day, more interesting ways are being uncovered in how to package the data, and how to employ it. It used to be that the worlds of bug hunters and malware analysts were separate and far between. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising in value. In many ways, botnets have become a golden goose to those charged with gathering intelligence on the populations of foreign entities. The bulk of the victim's data is useful for mapping populations, communication profiles, and as egress points for counter intelligence exercises. Then, given how many botnet victims there are, the probability that a few 'interesting' computers will have succumbed along the way is similarly high — providing direct insight in to a pool of high value targets."

CowboyRobot writes "The price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity. For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there. Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250."

CowboyRobot writes "Penetration tester and long-time security professional Sumit 'Sid' Siddharth has developed a real-world SQL injection sandbox simulator, and invites the public for a capture the flag event later this month. 'The only way you can understand the true impact of vulnerabilities is by practicing exploitation. Even vulnerability identification goes hand-in-hand with exploitation,' says Siddharth. 'Sometimes identifying the vulnerability is really difficult, and it's only when you know advanced exploitation techniques that you can do so. We've also put together some really nice examples where identifying the vulnerability is really difficult, and we've asked people to find the needle in the haystack because that's how websites get compromised at the end of the day,'"

CowboyRobot writes "A Tripwire survey of 1,320 IT personnel from the U.S. and U.K. showed that most staff 'don't communicate security risk with senior executives or only communicate when a serious security risk is revealed.' The reason is that staff have resigned themselves to staying mum due to an environment in which 'collaboration between security risk management and business is poor, nonexistent or adversarial,' or at best, just isn't effective at getting risk concerns up to senior management."

An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."

CowboyRobot writes "According to a new report by Pew Research Center's Internet & American Life Project, more than half of American teenagers have steered clear of a mobile app due to worries about privacy. Some 56 percent of younger teens (ages 12 to 14) who use mobile apps avoid some apps after learning they had to share personal information to use it, while 49 percent of older teens (14 to 17) have. Also, teens who had at some point sought outside advice about privacy management were considerably more likely than those who had not sought advice to say that they had disabled location tracking features."

ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."

CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed." Another way to look at it: why were they using invalid domains in the first place?

CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."

CowboyRobot writes "Machine learning techniques can be used to detect fraud and spies on social networks based on certain features, such as the number of followers and the number of devices used to access the network. Certain characteristics of social-network accounts have a high correlation with fraud and can be used to differentiate between real and fake accounts, a researcher presenting at the SOURCE Boston Conference said this week. Using machine learning techniques, Vicente Diaz, a senior security analyst with security software firm Kaspersky Lab, found that seven characteristics of Twitter profiles could identify fraudulent accounts 91% of the time. The number of devices from which a user accesses the service, the ratio of followers to people following an account, the average number of tweets to each person, and the number of tweets to an unknown receiver are all features that correlate strongly to fraudulent accounts, he says."

CowboyRobot writes "A new study by researchers from the U.C. Berkeley School of Information examined the brainwave signals of individuals performing specific actions to see if they can be consistently matched to the right individual. To measure the subjects' brainwaves, the team utilized the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99% accuracy (pdf). 'We are not trying to trace back from a brainwave signal to a specific person,' explains Prof. John Chuang, who led the team. 'That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought.'"

CowboyRobot writes "Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. The system, known as Content-Agnostic Malware Protection or CAMP, triages up to 70 percent of executable files on a user's system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (pdf) presented at the Network and Distributed System Security Symposium (NDSS) in February. While the system uses a blacklist and whitelist on the user's computer to initially detect known good or bad files, the CAMP service utilizes a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download."

An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"

CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"

CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"

CowboyRobot writes "A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations. The attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victims' email server."

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."

Mephistophocles writes "A chilling article by Darkreading's Kelly Jackson Higgins describes how the growing accessibility of hacking tools like RATs (Remote Access Trojans) have made cyber-espionage possible for more than just those financially backed by large nation-states, and speculates on what the implications of this may be: 'Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates. This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.'"

CowboyRobot writes "A pair of reports by Juniper and Bit9 confirm the suspicion that many apps are spying on users. '26 percent of Android apps in Google Play can access personal data, such as contacts and email, and 42 percent, GPS location data... 31 percent of the apps access phone calls or phone numbers, and 9 percent employ permissions that could cost the user money, such as incurring premium SMS text message charges... nearly 7 percent of free apps can access address books, 2.6 percent, can send text messages without the user knowing, 6.4 percent can make calls, and 5.5 percent have access to the device's camera.' The main issue seems to be with poor development practices. Only in a minority of cases is there malicious intent. The Juniper report and the Bit9 report are both available online."

CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."

ancientribe writes "A couple of college interns have discovered that remote administration tools (RATs) often used for cyberspying and targeted cyberattacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers. RATs conduct keylogging, screen and camera capture, file management, code execution, and password-sniffing, and give the attacker a foothold in the infected machine as well as the targeted organization. This new research opens the door for incident responders to detect these attacker tools in their network and fight back."

CowboyRobot writes "Security expert Mikko Hypponen talks about his experience at F-Secure, including adventures such as flying to Lahore to interview the creators of 'Brain,' one of the early computer viruses that was spread manually on floppy disks. But while the early virus creators were just trying to have fun and learn, modern malware makers are motivated only by money. 'But there's a misconception that they all necessarily make a lot of money. There's a hierarchy of workers, with some just making a few hundred dollars to $1,000 doing the dirty work of the more experienced online criminals who make the real money.'"

CowboyRobot writes "Spyware is no longer the primary concern with unwanted software on mobile devices. According to mobile security firm Lookout, most mobile malware performs 'toll fraud' — billing victims using premium SMS services. The problem is very geographically-dependent, worst in areas with weak SMS regulation, particularly China, Ukraine, and Russia, where users are 10,000 times more likely to have malware on their phones than users in Japan, for example. Other risks include mobile ads surreptitiously uploading personal data, as well as apps that download other malware without users knowing. The full report is available."

CowboyRobot writes "Informatica64, a security research group, demonstrated the use of cached JavaScript to control computers connecting to a malicious proxy. 'The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.'"

yahoi writes "AT&T has teamed up with an 11-year-old hacker and DefCon Kids to host a hacking contest during the second annual conference that runs in conjunction with the adult Def Con hacker show later this month in Las Vegas. The kid who finds the most zero-day bugs in mobile apps wins $1,000 and an IPad, courtesy of DefCon Kids. The contest was inspired by the mini-hacker's discovery last year of a whole new class of mobile app vulnerabilities."

An anonymous reader writes "Apple's hacker nemesis Charlie Miller, who the company banned from its app store developer program, apparently hasn't been waiting around for his suspension to be lifted. His latest pet project is hacking near-field communications (NFC), and at Black Hat USA in Vegas this month, he will demonstrate the dangers of using your smartphone to pay your cab fare. (But when his Apple 'sentence' is up, look out)."

ancientribe writes "Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home. He lured them into a honeypot to study their actions, and posted the video online here. His main takeaway: they were 'Stone Age' when it came to their tech know-how."

yahoi writes "Researchers at NC State are sharing their analysis and classification of Android malware samples under a new project that they hope will help shape a new way of fighting malware, learning from the lessons of the PC generation and its traditional anti-malware products. Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples (PDF), as well as a limited understanding of the various malware families targeting the Android. The goal is to establish a better way of sharing malware samples and analysis, and developing better tools to fight it, he says."

CowboyRobot writes "A new top-level domain (TLD) in the works for the Internet will bake security in from the outset: The .secure domain will require fully encrypted HTTPS sessions and a comprehensive vetting process for websites and their operators. If the new domain takes off, it could shift the way Web domains are secured. ICANN is expected to sign off on .secure, and for the new TLD to be up and running June or July 2013."

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"

nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data encourages strong encryption for its storage. viaForensics suggest that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."

An anonymous reader writes "A hacktivism panel at the DefCon hacker convention was conspicuously missing its star member Aaron Barr, who dropped out under legal pressure from his former company HBGary Federal, debated how Anonymous could channel its efforts for the greater good. Members of Anon attending the discussion chimed in, too."