They’re out there. Be afraid. They could be anywhere, everywhere, anyone. They are shadowy, deadly, mysterious, guided by intellects vast and cool and unsympathetic. Security consultants and antivirus firms whisper legends of them to their clients to scare them straight. They’re the Voldemort of online security, except that everyone is all too eager to say their name: the Advanced Persistent Threat. Hide your children! You cannot stop them!
…well, actually you probably could, and pretty easily too, but apparently most folks can’t be bothered.
Vanity Fair just wrote breathlessly about “Operation Shady RAT”, which featured, quote, “a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer.” Military-industrial standard-bearer Northrop Grumman is “constantly under attack by cyber-gangs.” A few months ago Security firm RSA’s SecurID systems were the victim of “an advanced persistent threat, a slow and consistent attack used by hackers to obtain specific information.” The Pentagon is alive to the APT threat, and says it is beginning to focus more on deterrence than on defence, because “each year, a volume of intellectual property exceeding the size of the Library of Congress is stolen from U.S. government and private-sector networks.” Why, just this week, San Francisco’s government-owned BART system was hacked by -
…waaaaaait a minute. → Read More
Security researchers at Trend Micro have discovered a new mobile malware application on Android that disguises itself as a Google+ app. The app has the capability to record phone calls, as well as gather the GPS location of the handset, the text messages and the call logs, all of which are sent off to remote servers.
The app installs itself on Android devices under the guise of being a Google+ application, using the Google+ icon to disguise itself in both the Android applications list and the list running services. → Read More
Try this: open up a new tab and type “kindle” into the address bar. Chances are it will send you to a Google search results page. That is, unless the ISP is intercepting such rogue queries and doing what they will with them. A pair of computer scientists at UC Berkeley have found that at least a dozen ISPs are still doing this, the result being that, for example, when someone types “kindle” into the address bar, it doesn’t go to your preferred search results, but directly to Amazon’s Kindle page.
Harmless, in a way, but in fact deeply invasive when the conditions are examined. These ISPs are using third party contractors who monetize such erroneous or accidental queries. A broad set of search items, things like “kindle,” “apple,” and “bloomingdales” are being listened for, logged, and intercepted, and the user’s intention ignored. As if that isn’t enough, one company suspected of being behind this activity, Paxfire, has filed for a patent on ISP-level tracking of users for advertising purposes. → Read More
Silly hackers are always trying to ruin the Internet and they have found yet another target in the form of popular VOIP software Skype. According to the sweetest security report ever, linked from h-online’s recap:
“Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the ‘mobile phone’ profile entry.
Other input fields may also be affected.” → Read More
You guys might remember a few years back when someone demonstrated that many tubular locks, like those use on many Kryptonite bike locks, could be opened with a common Bic pen. That someone was Marc Weber Tobias, and he’s back now to warn you again that your laptop lock might not be as secure as you think. Case in point: this HP lock, which his associate opens on camera in just a few seconds by whacking it with a screwdriver. → Read More
The latest victim in this rash of cyberattacks is Sega, whose own gaming network and marketplace Sega Pass has been compromised. The site says it’s “going through some improvements” but a message to members reveals that they’re locking it down until the situation is back under control. What was leaked? Fortunately just emails, DOBs, and encrypted passwords. Nothing you don’t give out every day for free, then, but to be safe, change your password elsewhere if you’ve been affected by this hack. Probably a good idea to change your password right now anyway just in case what with half the sites on the net getting hacked. [via SlashGear] → Read More
It’s been a hellish month for Sony, which has faced no less than three major data breaches and a number of minor ones. And now the woes have spread to Nintendo… or have they? → Read More
If you’re concerned about keyjacking attacks, in which a wireless keyboard’s signal is intercepted and information extracted from the stream, this might be of interest to you. Microsoft’s new Wireless Desktop 2000 has 128-bit AES encryption built right in. Not much help if someone’s looking over your shoulder, but at least they can’t snatch your credentials right out of the air. → Read More
Some charming youngsters from Cornell have created a fairly simple and effective face matching system using a webcam, a little LCD read-out, and a tiny Atmel ATmega644 8-bit microcontroller running a set of Eigenface tests on the face in question. The system is 88% accurate with no false positives. It is almost completely self-contained and is small and simple enough to add to a front door lock or other device where case real estate comes at a premium.. → Read More
Howard Stringer, Sony’s CEO and the most visible target for criticism regarding the recent PSN data breach, has gone on an interview rampage, speaking with major news outlets to get word out that no network is fully secure and Sony went above and beyond the call of duty in its response. I don’t think users will agree, and though it may not be fair… well, tough. → Read More
While gamers around the world are pining for their online play and PSN store access, the companies that rely on the service to sell games are really feeling it. Capcom is one of many PSN-reliant companies that’s losing a ton of money in lost sales. VP Christian Svensson posts on their forums: “as an executive responsible for running a business, the resulting outage obviously costing us hundreds of thousands, if not millions of dollars in revenue that were planned for within our budget. These are funds we rely on to bring new games to market for our fans.” With the end of the outage in sight but several weeks out (by the latest estimates), it looks like they’re going to lose a lot more. → Read More
I would take this report with a grain of salt, but it seems a little IRC lurker-bird told CNET that the same hackers who hit both PSN and SOE are going for a third strike this weekend. It’s not clear where these secret hacker talks are taking place other than on IRC somewhere, and no details were given aside from that a third attack was forthcoming. FUD? Fabrication? Or confidence? You be the judge. By the way, if you’re worried about your private info, Sony is generously offering complimentary enrollment in a identity theft protection program. Details here. → Read More
It looks like the same hack that resulted in millions of PSN users’ personal details being stolen extended to Sony Online Entertainment, as early reports today indicated. Sony has posted the details here. The gist? Your name, address, email, phone number, among other things are indeed at risk. On the bright side, credit card information was not accessed, and passwords were hashed. Still, keep an eye on all your accounts and stay vigilant. → Read More
Japanese newspaper the Nikkei is reporting (subscription required) that Sony has suffered a second major cyberattack, this time to the Sony Online Entertainment servers in Japan. Up to 12,700 credit cards have supposedly been taken. Sony has offered a limited statement (pictured above) and promises more information today. [via BGR and Kotaku] → Read More
This information was in the link I put earlier, but just so it’s clear: Sony states that all credit card information in their breached database was indeed encrypted, though the “personal data” wasn’t. What does that mean? → Read More
There’s just no way around it. Sony really screwed up. And not just in the way they consistently have in the past. I mean big time. The outage that started last week and was finally addressed yesterday is worse than anyone expected, and naturally, someone has already sued. The lawsuit alleges that Sony was both remiss in its security responsibilities and its duty to inform its customers of the problem. I think it’s got legs. → Read More
Toshiba announced [PDF] it has developed a series of self-decrypting hard drives that automatically destroy their content when connected to an unknown piece of hardware. The company says it’s the first to make it possible to configure such devices, for example to invalidate protected data by command or on power cycle. → Read More
Troubling news here. AVG, the anti-malware company, says that the majority of smartphone users are unaware of the security risks they face when, um, using smartphones. What? You mean I have to be careful when fiddling around with my iPhone or Android device? Yes. Yes you do. → Read More
This is… potentially disturbing. Mohamed Hassan recently purchased a brand-new Samsung laptop. As part of his normal setup procedure, he ran a complete scan with security software and found a keylogger installed in the Windows directory.
Hey, maybe it’s just an innocent mistake. This is my skeptical face.
Update: Debunked. No keylogger, kids. → Read More
