AusSHIRT 2013

May 21 2013
 

The AusCERT 2013 conference has started, so the AusSHIRT 2013 puzzle is officially live!

In previous years, the puzzles typically had multiple stages, with the shirt decoding to a URL, and the URL taking you to the next level, and so forth.

For example, last year’s Skyfall #sophospuzzle required you to recover a stolen file, decrypt it and wrangle out of it the identity of a famous person.

Then you had to find out where he was incarcerated in the nineteenth century, and work out the twenty-first century location of the prison.

Apart from that, it was really straightforward.

Many of you asked us to make this puzzle a little more self-contained, so you wouldn’t need to spend hours on your computer working your way through it when you should be enjoying the conference.

So, instead of three stages, we’ve given the puzzle three dimensions (OK, technically it’s an isometric projection into two dimensions, but bear with us here), and just one stage.

So you can solve this year’s AusSHIRT #sophospuzzle straight from the shirt, using nothing but pencil, paper and intellect.

Of course, you can still throw some home-hacked scripts at the problem if you want: a little bit of brute force goes a long way, and you can leave your scripts running while you attend the conference parties.

How to get started

The puzzle is a cryptogram, which means that the letters on the cube have been scrambled using an encryption algorithm.

Encryption algorithms usually rely on a mixture of substitution, where one letter is changed into another, though not necessarily always into the same one, and transposition, where two letters are switched around, like an anagram.

The easy part in this puzzle is that the substitution always replaces each decrypted letter with the same encrypted letter.

And the letters in the answer appear in the same left-to-right, top-to-bottom order that they do on the cube.

The only transposition you need to worry about is to put the three faces in the right order, so there are only six possible combinations to worry about.

Usually, a straight letter-for-letter substitution is called a Caesar cipher.

→ The cipher gets its name because it was considered state-of-the-art back in 55BC, when J. Caesar first invaded Britain. He just shifted every letter two places along in the alphabet, writing C for A, D for B and so on. At the end, he wrapped round, so Y became A and Z turned into B.

Caesar ciphers are easy to solve because of repeated letters: the encrypted text shows the same bias (e.g. in English, that ETAOIN are more common than JKXQZ) as normal text.

So we’ve made this slightly harder than that, as follows:

  • Letters appearing more than once in the puzzle are all shifted by the same fixed amount (obviously, the shift is somewhere from 1 to 25).
  • Each letter that appears just once in the puzzle is shifted by a different amount, with one letter shifted by 9, another by 8, and so on down to a shift of 1.

By the way, the Sophos Shield icons are just for decoration – they don’t count as letters in the puzzle.

How to get hints

Follow @Sophos_ANZ on Twitter, and keep your eye on the hashtag #sophospuzzle.

Oh, and bear in mind that a dictionary attack probably wouldn’t hurt, so you might like to start out by trying to guess at text that is likely to appear in the solution.
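The two shifting rules above and the "guess at likely text" hint can be modelled in a few lines. This is an added example, not part of the original article: the faces, shifts and crib are constructed (the shirt's actual letters are not reproduced on this page), and the sample has only four once-only letters rather than nine.

```python
"""Added example: model of the AusSHIRT cipher rules plus a crib search.

All plaintext, shifts and ciphertext below are constructed for illustration.
"""
from collections import Counter
from itertools import permutations

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed cube: three encrypted faces in scrambled order.
CUBE = ["DZWCPF", "DZAQZD", "AYKKWP"]


def rot(ch, k):
    """Shift one uppercase letter k places along the alphabet, wrapping at Z."""
    return A[(A.index(ch) + k) % 26]


def encrypt(faces, common_shift, single_shifts):
    """Encrypt the faces using the two rules in the article.

    Letters occurring more than once (across all faces) get common_shift;
    each once-only letter gets its own shift from single_shifts.
    """
    counts = Counter("".join(faces))
    table = {c: rot(c, single_shifts[c] if n == 1 else common_shift)
             for c, n in counts.items()}
    # The result is only decodable if no two plaintext letters collide.
    if len(set(table.values())) != len(table):
        raise ValueError("two plaintext letters map to one ciphertext letter")
    return ["".join(table[c] for c in face) for face in faces]


def partial_decrypt(text, k):
    """Undo shift k on repeated letters; show once-only letters as '?'."""
    counts = Counter(text)  # text must be the whole puzzle, all faces joined
    return "".join(rot(c, -k) if counts[c] > 1 else "?" for c in text)


def crib_fits(text, pos, crib, k, counts):
    """Could crib be the plaintext at text[pos:] if the common shift is k?"""
    seen = {}    # plaintext letter -> ciphertext letter (must be consistent)
    single = []  # shifts implied for once-only ciphertext letters
    for c, p in zip(text[pos:pos + len(crib)], crib):
        if seen.setdefault(p, c) != c:
            return False
        s = (A.index(c) - A.index(p)) % 26
        if counts[c] > 1:
            if s != k:
                return False
        elif 1 <= s <= 9:
            single.append(s)
        else:
            return False
    # Every once-only letter must use a different shift.
    return len(set(single)) == len(single)


def search(faces, crib):
    """Try all face orders and all 25 common shifts against one crib.

    Returns a list of (face_order, common_shift, position) where the crib fits.
    """
    counts = Counter("".join(faces))
    hits = []
    for order in permutations(range(len(faces))):
        text = "".join(faces[i] for i in order)
        for k in range(1, 26):
            for pos in range(len(text) - len(crib) + 1):
                if crib_fits(text, pos, crib, k, counts):
                    hits.append((order, k, pos))
    return hits


if __name__ == "__main__":
    for order, k, pos in search(CUBE, "PUZZLESOLVED"):
        text = "".join(CUBE[i] for i in order)
        print(order, k, pos, partial_decrypt(text, k))
```

The crib fixes the common shift but still leaves two face orders, so the remaining '?' letters and the reading order have to be settled by eye.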

How to get a prize

If you’re at AusCERT, there are two cool prizes of Transformer construction sets, which you can pretend you are going to give to your children.

The fastest solution will win one prize, and a random draw at the end of the conference will determine who wins the other.

Email your answers to pducklin@outlook.com to qualify. (The topmost Received: header will be used to determine the time of submission.)

If you aren’t at AusCERT, there are five DECODEME T-shirts to be won, drawn randomly.

Entries will be accepted until 2013-05-24T14:25+10.

That’s 2.25pm Queensland time on Friday 24 May 2013, five minutes before the final Speed Debating Session at the AusCERT conference.

NB. When emailing your answer, please indicate whether you wish to be identified as a solver, and if so, whether we should use your full name, first name, nickname, Twitter handle, or whatever. By default, you’ll be anonymous.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ScLM0lmwUuk/

May 21 2013
 

Small British firms lose £785m a year to cyber criminals and online fraudsters, according to a new report.

The Federation of Small Businesses (FSB) found that its members were losing on average £4,000 (€4,732, $6,099) each from cyber crime, with 41% having fallen victim to prowling online criminals in the past year.

Among the FSB’s recommendations was the creation of a new national advertising campaign to raise awareness of Action Fraud, a police facility for the reporting of internet fraud and an information hub on how people can protect themselves against hackers and web criminals.


“Cyber crime poses a real and growing threat for small firms and it isn’t something that should be ignored,” said Mike Cherry, FSB national policy chairman.


“Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth. For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime.

“While we want to see clear action from the government and the wider public sector, there are clear actions that businesses can take to help themselves.”

Two-thirds of the businesses surveyed by the FSB had taken some action to protect themselves against cyber crime. Many were critical of banks and authorities in their efforts to combat online crime.

Almost half the respondents (45%) said banks should take more responsibility, while 31% said they want a more effective police response to fraud.

The FSB offered ten tips for small firms on how to protect themselves against the threat of cyber crime, such as keeping security software regularly updated and a policy of resilient passwords for staff.


“Cyber security is a crucial part of the Government’s National Cyber Security Strategy and we need to make sure that all businesses, large and small, are engaged in implementing appropriate prevention measures in their business,” said James Brokenshire, Home Office minister for security.

City of London Police recently warned that the government’s austerity cuts put the UK at an increased threat from cyber crime. Of the 800 specialist internet crime officers, 200 are at risk of losing their jobs.


Article source: http://www.ibtimes.co.uk/articles/469414/20130521/fsb-cyber-crime-uk-business-hacking-fraud.htm

 Posted at 10:00 am
May 21 2013
 


There’s nothing quite like that feeling of ordering a new phone. Whether you’ve just clicked the checkout button in the online store, or you’ve just completed an order over the phone, the anticipation of your phone’s arrival is always huge. But what happens behind the scenes once your order’s been placed? To find out, we’ve been to Vodafone’s state-of-the-art logistics centre – to bridge the gap between your order being placed and your new phone arriving.


The logistics centre has a lot to deal with, and there’s a lot to take in, so we caught up with Account Manager Robin Berry, our man on the inside, to try and understand the process. “The site dispatches around 2 million items per month,” he says. “We dispatch stock to all Vodafone’s consumer and business customers regardless of whether the order was placed over the phone, online or through a different channel.

“We send phones, devices, SIM cards and accessories and get them to our customers quickly. The logistics centre really is at the heart of the supply chain.”

“We also deliver stock and customer orders direct to Vodafone’s network of retail stores. We send out bulk orders and supply third party distributors and retailers too. We repair devices, bringing them back to life and send them back out to customers to use again. We even support pagers!”

Rise of the machines

That’s no mean feat. So how does the logistics team keep things under control? The answer’s simple: technology…

“We’re always looking for ways to deliver an even better customer experience,” says Robin. And to that end processes are constantly evolving.


“Our processes used to be manual. Products were stored in different locations and operatives would pick and pack orders by hand. But two years ago we introduced state-of-the-art technology to allow us to automate many of these manual tasks. This allows us to pick products faster and more accurately and it allows us to manage spikes in customer demand.”


“We’ve got a normal daily volume to handle, but when a major new phone is launched – we’re likely to see a huge surge in customer orders, and we need to be able to handle that.”

But let’s take things back a step, and begin this journey at the start.

Step by step

“We get deliveries from different manufacturers and our suppliers every day. The first thing we do is take one item from each pallet and put it on a machine that weighs it and takes its dimensions. That’s really important,” Robin says, “because it allows our automated systems to kick in further down the line.”

“Once weighed, we’ll put our deliveries into our bulk store. It’s a large area where we can store stock until it’s required.” And he’s not kidding, the bulk store is huge…


Whatever the phone, the ‘totes’ are the next step of the process – the phones go from the bulk store to a huge, imposing wall of red and blue boxes, all controlled and stacked by an enormous robotic arm.


“When we’re ready, we’ll take a pallet from the bulk store, individually scan every item and feed them into one of these ‘totes’. That then gets sent through a series of conveyors and cranes and gets fed into one of different locations in the wall. We know – because we weighed everything – exactly how many products need to go in each tote. If a tote gets scanned and there are suddenly extra or missing items in there – we’ll know straight away.”

Why red and blue? “It’s a visual indicator – the only difference is the size. Red totes are slightly shallower so they are easier to reach into if they are above waist height.”

Going tote to tote

The wall of totes is an intermediary step – it’s a place where your phone will stay, scanned and ready, only for a short time before making the rest of the journey. So what happens next?

“We have pick stations where one of the team will pick items from a blue or red tote into a green tote to match customer demand,” says Robin. “Now things are automated, digital displays in front of each tote tell the team how many items need to be picked. The team member working here will scan each item before placing it into the green tote.”

“If he makes a mistake and scans too many items, or places too few into the tote, the weight checks kick in and stop the process in its tracks. These controls are sensitive down to the weight of a SIM card, and that eliminates errors being made.”


At this stage, your phone, SIM Card or accessory is getting closer to you by the minute. Robin tells us the rest of the journey:

“The tote is now full of items, so what’s going to happen now? Well it could be destined for a Vodafone retail store. If so, the tote will be sealed and the paperwork placed inside and this will be despatched straight to a store. The next morning, when the store opens, all their new stock for the day will be in the green tote ready for them.”

Alternatively, the tote could be full of individual orders. “These are the type of orders that consumers typically make. In this case the phones are placed individually onto a conveyor, a machine prints the documentation and then they’re bagged and the address label is attached. Everything is scanned at every step of the way so we know where every order is at any time,” Robin explains.


“The bags are then pushed automatically into a box depending on the delivery type that the customer has selected. Up until 6pm, customers can order for next day delivery and our couriers’ last truck turns up just after 11pm. That means we have only a few hours to turn all those orders around.”

Now your phone’s in its packaging, it’s got the right address – either to a Vodafone store or your front door – and it’s back to the loading gates where it started its journey. Only now it’s leaving instead of arriving, and it’s headed for you.

There’s a lot more to the logistics centre’s day-to-day activity, including the story of what happens to your phone if you send it back for repair. Stay tuned to Vodafone Social to find out more.


Article source: http://blog.vodafone.co.uk/2013/05/21/the-secrets-of-your-phone-delivery/?utm_source=rss&utm_medium=rss&utm_campaign=the-secrets-of-your-phone-delivery

 Posted at 10:00 am
May 21 2013
 

The day Sven Olaf Kamphuis parked his huge orange Mercedes van with its German numberplates outside Bar Javis, in the Catalan town of Granollers, the owner’s son snapped a picture with his mobile phone.

“Not a lot happens in this street,” Maria Cruz, the bar’s owner, explained. “And it was so huge, with all those funny antennas and solar panels poking out of the roof, that it blocked the light to the bar.”

Even stranger was the 35-year-old Dutch man who parked it in this narrow street after renting a small attic flat with windows made of glass blocks in the poorer end of this nondescript town 15 miles from Barcelona.

Even on hot early summer days, Kamphuis wore a woollen hat. And he spoke no Spanish, answering “yes, yes” in English to everything people from this friendly neighbourhood said to him.



Kamphuis, 35, is one of the most controversial characters in the murky world of spam and hacking – deemed the internet’s public enemy number one by some, though others believe his reputation has been blown out of proportion by the grandstanding of his foes.

Capable of rigging up sophisticated computer systems anywhere, including the back of a van, he allegedly masterminded a flurry of March internet attacks that the security company CloudFlare claimed “almost broke the internet”, plunging the world into digital darkness. When Spanish and Dutch police arrested him they found the flat occupied by a tangle of cables and computer gear. A copy of the science fiction writer Neal Stephenson’s Quicksilver lay on the unmade bed.

Kamphuis displayed a Napoleonic sense of grandeur. “He claimed he had diplomatic status,” said the Spanish police officer who led the operation, but asked not to be named. “He said he was the telecommunications minister and foreign minister of a place called the Cyberbunker Republic. He didn’t seem to be joking.”

“The request to arrest him came from the Netherlands,” said the police officer, who heads the cybercrime unit in Barcelona. “But Britain, the United States and Germany were all affected by the massive denial of service attacks that he launched.

“The van was fitted out as a mobile office from which he could launch his attacks. Amongst other things we found the IP addresses of his targets and that is part of the evidence we are sending to the Netherlands.”

Kamphuis has yet to be tried, but Spanish police believe they know his modus operandi. “He brought together hackers from around the world to launch the attacks. It is obviously not all over yet, because the Dutch have been under attack again in recent days – presumably as revenge by his friends.

“Some of them have networks of zombie computers, having spread viruses that let them control other people’s computers. They all agree to launch the attack and they do millions of requests to the server at the same time.”

The result was what the New York Times called an attack of previously “unknown magnitudes”, producing a 300bn-bits-per-second data stream that targeted the British and Swiss-based anti-spam operator Spamhaus and its allies. This had reportedly blacklisted his CB3ROB/Cyberbunker company, which claims its servers are housed in an old Nato nuclear bunker near Rotterdam, for hosting hundreds of spam and malware websites. Kamphuis happily claimed to be punishing Spamhaus for “abusing their influence”.

“Nobody ever deputised Spamhaus to determine what goes and does not go on the internet,” he told the New York Times in an angry message. He later denied involvement. “We want to be absolutely clear that the DDoS [distributed denial of service] attacks are not and have not ever been orchestrated within CB3ROB/CyberBunker, nor are they conducted under the supervision of Sven,” he wrote on his Facebook page.

But the huge number of spammers he hosts has led even hacktivists sympathetic to his pro-Pirate party, Anonymous and Julian Assange’s stance to question his real activities.

Several other mysteries remain. If this was one of the most successful spammers in history, why was he living in a squalid flat and a camper van?

“If you get paid a few cents for each spammed email and you send out million emails every day, then you can make a lot of money,” said the Spanish police chief.

Kamphuis certainly did not behave like a criminal on the run. “He seemed too relaxed to be a crook,” said Cruz. “And he certainly didn’t hide away. He had even written his name on the letterbox.”

“He wasn’t really trying to hide,” agrees the Spanish police chief. “I think he thought that we wouldn’t track the attacks to him or that we would leave him alone because he was not attacking Spanish targets.”

His attacks were widely reported to have slowed the entire internet down, but internet speed trackers such as Internet Traffic Report barely registered a blip.

Some point to publicity-seeking grandstanding by CloudFlare, an internet security company called in to protect Spamhaus. It claimed this was “the DDoS [attack] that almost broke the internet”.

“The record-breaking attacks were initially directed at Spamhaus infrastructure such as websites, mailservers and nameservers. Then, over the course of the following two weeks, the attacks escalated to targeting Spamhaus’s supporting networks and services including various internet exchanges,” Spamhaus’s British founder Clive Linford said on his blog, describing the attacks that started in the middle of March. “While the DDoS caused disruptions to our organisation and its hosts and partners, the flow of the Spamhaus anti-spam data that protects over 1.7bn mailboxes worldwide was never interrupted.”

Kamphuis was last week taken to the Netherlands – a country that recently announced plans to let police hack into computers located abroad, installing spyware, reading emails and deleting files. He is being held in jail while investigators decide what charges to bring.

A spokesman for the Dutch public prosecutor’s office said he would appear before a court in Rotterdam again this week to have bail conditions reviewed after the “unprecedented heavy attacks” on Spamhaus and its partners in the US, Netherlands and Great Britain.

Article source: http://www.guardian.co.uk/technology/2013/may/20/man-accused-breaking-the-internet

 Posted at 4:00 am
May 20 2013
 


Four British members of hacking collective Lulzsec have been convicted for a wave of high-profile cyber attacks that took place in 2011.

Ryan Cleary, 21, Jake Davis, 19, Mustafa al-Bassam, 18, and Ryan Ackroyd, 26, targeted Sony, EA, News International and the Serious Organised Crime Agency (Soca). Cleary was sentenced to 32 months in prison, Ackroyd 30 months, Davis for 24 months and al-Bassam was given a 20 month suspended sentence which includes 200 hours of community service.

Andrew Hadik, a lawyer for the Crown Prosecution Service, called the group “cowardly and vindictive” in a statement. “The harm they caused was foreseeable, extensive and intended. Indeed, they boasted of how clever they were with a complete disregard for the impact their actions had on real people’s lives.”

Their attacks in 2011 were mostly distributed denial of service (DDoS) attacks against targets, with occasional forays into stealing confidential information, including the personal information of 24.6 million Sony customers – an attack estimated to have cost Sony £13m. Another particularly memorable attack by Ackroyd saw the front page of The Sun’s website replaced with a fake story about Rupert Murdoch killing himself, but the humour of the attacks was not an excuse, Hadik stressed:

“Whilst aggressively protecting their own privacy and identities, they set out to hack and publish hundreds of thousands of innocent individuals’ private details. Companies also suffered serious financial and reputational damage. A senior executive of one American company lost his job and had to move his young family because of death threats.

“Coordinating and carrying out these attacks from the safety of their own bedrooms may have made the group feel detached from the consequences of their actions. But to say it was all a bit of fun in no way reflects the reality of their actions. They were in fact committing serious criminal offences for which they have been successfully prosecuted. This case should serve as a warning to other cyber-criminals that they are not invincible.”

According to the BBC, Ackroyd was the ringleader, with Davis the “press secretary”, Cleary the provider of software and al-Bassam responsible for posting stolen information online.

Another Lulzsec member, Recursion (real name: Cody Kretsinger) was sentenced in a Los Angeles court last month to a year in prison for his role in hacking Sony’s website and causing damage Sony valued at £400,000. Evidence used to convict both the British group and Recursion came from Hector Xavier Monsegur, the 28-year-old ringleader of Lulzsec who, after his arrest in late 2011, turned snitch to avoid prison.

The specific charges that the four British men pleaded guilty to were hacking and launching cyber attacks, both under the Misuse of Computers Act 1990. Some of the four could face further extradition to the US to face charges there, particularly Cleary, who has already been indicted for further charges (that he’s pleaded guilty to as well) of hacking into the computers of the US Air Force. Interestingly, the prosecutor specifically said that Cleary wasn’t a core member of Lulzsec, despite his involvement – he just really wanted to be.


A further alleged Lulzsec accomplice, 24 years old but unnamed, has been arrested in Australia and charged with hacking a government website.


Article source: http://www.wired.co.uk/news/archive/2013-05/16/lulzsec-hacking-conviction

 Posted at 10:00 pm
May 20 2013
 

The US Congress on Thursday sent Google a letter [PDF] listing eight specific privacy areas concerning Glass that legislators would like to know quite a bit more about.

Congress members aren’t the only ones.

Since the emergence of Glass – Google’s uber-geeky, internet-enabled head gear that’s worn like discreet, photo-snapping/video-grabbing eyeglasses – the technology has:

Congress – specifically, eight members of the privacy caucus – has thus risen from the swirl of speculation around Glass and asked Google to answer a specific list of questions.


Here they are, reiterated and unfolded (Congress packed multiple questions into one question in a few spots):

  1. How will Glass not be like WiSpy? As in, how is Google going to prevent Glass from unintentionally collecting data about users or non-users without consent? As it is, Congress pointed out, the company was fined $7 million for its StreetView cars having sucked up information via unsecured wireless networks. How will Google avoid a similar mess with Glass?
  2. How will Google proactively protect non-users who get ogled?
  3. Is Google building in product lifecycle guidelines? One such framework is Privacy by Design, which covers the embedding of privacy and data protection throughout a technology’s lifecycle, from the early design stage to its deployment, use and ultimate disposal. Specifically, Congress wants to know what happens when a customer resells or otherwise disposes of Glass and whether Google has baked in capabilities to keep the original owner’s personal information secure.
  4. Will Glass use facial recognition? If so, how do users get that information? How do non-users opt out of this personal data collection? If they can’t opt out, why is that?
  5. Under what circumstances does Google refuse requests from Glass that invade the privacy of others? Congress here references Google’s Privacy Policy, which states that it may reject requests that are:

    “… unreasonably repetitive, require disproportionate technical effort, … risk the privacy of others, or would be extremely impractical…”

  6. Is Google tweaking its privacy policy to reflect the sensory and processing capabilities of Google Glass? If not, why not?
  7. What device-specific information is Google collecting from Glass? Here, Congress is referencing Google Privacy Policy as it pertains to collecting hardware models, operating system versions, unique device identifiers, and mobile network information, including phone numbers.
  8. Is Google collecting data about the user without the user’s knowledge?
  9. To what extent was privacy considered when approving the first app for Google Glass, rolled out by the New York Times? How is Google ensuring that privacy’s a priority for the other app developers who’ve since followed suit?
  10. Is Glass storing data on the device itself? If so, will it be protected, and if so, via what type of user authentication or other means?

Congress is looking for answers by Friday, June 14.

These are great questions, and Congress is to be lauded for asking them.

Some Congress members – well, one, at any rate – actually think highly enough of Google’s past respect for privacy to take hope in Glass being rolled out with all due care.

Here’s how Sen. Al Franken, a Democrat from Minnesota, put it to Ars Technica:

“In the past, Google has taken a principled position in making facial recognition an opt-in service for its social network, Google+… This gives me hope that this same kind of thoughtfulness will be applied to its roll-out of Glass. I’m looking forward to talking to Google more about its deployment of Glass and what it means for privacy.”

Senator, let us hope that *your* hope is not misplaced.

Mine tends to be shredded whenever I contemplate Google’s voluminous Privacy Rap Sheet.


Image of “No Google Glass” courtesy of Stop the Cyborgs.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6UvCEiMXONY/

May 20 2013
 

Join SophosLabs Principal Researcher Gabor Szappanos (Szappi) as he takes you on a fascinating journey into the PlugX malware factory.

This is a malware family that keeps evolving as the criminals in charge of it churn out new variants.

Just like legitimate software, malware has major version upgrades and point releases.

In this paper, Szappi looks at the recently-released Version 6.0 of the PlugX malware framework.

You’ll enjoy Szappi’s paper because it’s not so technical as to get bogged down in researcher-only jargon, yet not so high-level as to skip over the details that help you to understand how virus writers think.

Szappi writes clearly and logically, taking apart and explaining the numerous and deliberately-distinct phases in the malware’s infection mechanism.

Splitting up malware means that each step does only a small piece of the overall work, in order to avoid looking suspicious on its own.

The aim is to reduce the chance of being flagged as dangerous by heuristic defences that expect more complex behaviour.

Szappi even uses some debugging features left behind in the malware to estimate the size of the programming project behind it, using a statistical technique first used in anger during the Second World War.

The Allies used it to convert observations from the field into reliable estimates of how many tanks the Nazis had at their disposal; now it’s turned against the PlugX crew.

And Szappi describes how, and why, the malware carries around with it a pirated copy of a legitimate, digitally-signed application (this one is from Chinese social media outfit Tencent) to help it do its dirty work.

A fascinating paper, well worth reading: clearly written, interesting, and informative.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WxKlU5kiKII/

May 20 2013
 

The call has gone out to Yahoo Japan’s 200 million users to change their passwords, after the company warned that it suspected hackers had managed to access a file containing 22 million user IDs.

Yahoo Japan says that it detected an attempt to gain unauthorised access to its administrative systems on Thursday at approximately 9pm local time.

Although the information taken from Yahoo Japan’s servers is said not to contain passwords, or other personal identifying information required to hijack an account (such as the answers to secret questions), the site has decided that users should reset their passwords regardless.

In a press statement published on Yahoo Japan’s website, the number one search engine in Japan stressed that it had not confirmed that the data had definitely leaked to the outside world, but that it deeply apologised for any inconvenience caused.


Fingers crossed, only user IDs were exposed during the security breach and nothing more serious. But even user IDs should be private, and kept out of the hands of cybercriminals.

Potentially, online criminals now have a database of 22 million Yahoo Japan email addresses – and there are surely slimebags out there who would get a real kick out of spewing out a spam campaign, sending a phishing attack to Yahoo users, posing as a legitimate email from the company, or launching a targeted malware attack.

Hopefully Yahoo Japan will be investigating how the security breach occurred, and putting strong defences in place to prevent it – or anything worse – happening in future.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TdiK72RqmCg/

May 20 2013
 

Jeffrey Beall, a US academic librarian who uses his Scholarly Open Access blog to write about publishers’ dubious practices, is being threatened with a $1 billion lawsuit by an Indian publishing group.

Beall keeps a running list, known as “Beall’s list,” of journals and publishers who do fishy things such as spamming scholars or charging bogus fees.

As Ars Technica’s Nathan Mattise tells it, Beall’s work has earned him notice from the likes of the New York Times.

In an April 7 article, the NYT tells of one such fishy scheme in the “exploding world of pseudo academia.”

After signing up for what they thought was a prestigious entomology conference, scientists recruited for “Entomology-2013” (lose the hyphen and you’ve got the name of a legitimate, academically sanctioned conference) found that they had been recruited by email, as opposed to being vetted by leading academics.

To add insult to injury, those who agreed to appear were charged “a hefty fee” for the privilege of appearing on a podium and being able to pad their resume with the negligible accomplishment, according to the NYT.

It’s one example of “a parallel world of pseudo-academia, complete with prestigiously titled conferences and journals that sponsor them,” the NYT’s Gina Kolata reports, with many journals and meetings adopting names that are “nearly identical to those of established, well-known publications and events.”

Usher in Beall, the watchdog who keeps tabs on the publishing end of this predatory phenomenon.

Beall maintains a blacklist of what he calls “predatory open-access journals.”

The list enumerated 20 publishers in 2010 and has since grown to more than 300.

Speaking with the NYT, Beall estimated at least 25 percent of the total number of open-access journals published today are predatory—as many as 4,000.

In fact, a clear example of predatory publishers’ spamming ways is the email Beall gets from publishers asking to be added to his list of predators.

Beall writes here about one such email, wherein a correspondent who describes himself as “a internee for International Journal of Biology” asks that the journal be listed.

Beall investigated this one in particular and found deceit:

“The new journal [claims to have] ‘published’ four issues, but upon closer examination, it really hasn’t. It’s a ruse. Among the four issues, there are only six articles. At least some of them are copied from the former BioMed Central (BMC) journal called the Journal of Biology. In 2010, this journal merged with BMC Biology, and the merged journal is called BMC Biology.”

“The publisher of the new journal has taken previously-published articles and edited them, changing some of the words, and published them as new original articles in the journal.”

It is this kind of detective work that’s raised the ire of the OMICS Publishing Group, based in India.

According to the Chronicle of Higher Education, Beall on Tuesday received a letter from an IP management firm’s lawyer, warning him that he could be imprisoned for up to three years under India’s Information Technology Act.

Beall has accused OMICS of spamming scholars with invitations to publish, quickly accepting their papers, then charging them a publishing fee of nearly $3,000 once a paper has been accepted.

The Chronicle of Higher Education calls the six-page letter “rambling”.

In the letter, the IP management firm calls Beall’s blog “ridiculous, baseless, impertinent,” and says that it “smacks of literal unprofessionalism and arrogance.”

Here’s an excerpt, all nonstandard English being sic:

“All the allegation that you have mentioned in your blog are nothing more than fantastic figment of your imagination by you and the purpose of writing this blog seems to be a deliberate attempt to defame our client. … Our client perceive the blog as mindless rattle of a incoherent person and please be assured that our client has taken a very serious note of the language, tone, and tenure adopted by you as well as the criminal acts of putting the same on the Internet.”

Is Beall in danger?

In India, Section 66A of the Information Technology Act makes it illegal to use a computer to publish “any information that is grossly offensive or has menacing character” or to publish false information. The punishment can, in fact, be as much as three years in prison.

According to the Chronicle, were the lawsuit to go forward, Beall would likely win in a US court, if the statements on his blog are in fact true. Were the suit filed in India, the situation would get hazier.

As it is, Section 66A has led to public pushback in India, which in turn has led to the government modifying the law such that complaints must now first be approved by a police deputy commissioner or inspector general.

If the suit does go to litigation, will Beall be looking at paying the Dr. Evil-ish sum of one billion dollars?

Beall thinks the idea is “silly”:

“The amount is silly—I haven’t done any damage to their operation. … The case has no merit, in my opinion.”

Good luck with the situation, Mr. Beall.

May you and other watchdogs not get hounded into silence by vindictive litigation, which this certainly sounds to me like it might be.


Images of lawsuit papers and gavel courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/R3Y5fstFH18/

May 20, 2013

A Chinese hacking team responsible for attacks on numerous US companies has resumed its harmful cyber campaign.

A number of unnamed government security experts and officials confirmed that the hackers had restarted their attacks on Sunday, following a three-month period of inactivity, the New York Times (NYT) reported. The team is reportedly the same one detailed in a report from security firm Mandiant earlier this year.

Mandiant claimed to have linked a branch of the Chinese military codenamed Unit 61398 to the APT1 cyber-espionage campaign in February. The unit is based in Shanghai and is estimated to have mounted attacks on over 141 companies.

The identity of the campaign’s victims remains unknown, though the NYT claims the attacks are hitting a number of US companies and are designed both for basic espionage and intellectual property theft. At the time of publishing, Mandiant, the US Embassy in London and the White House had not responded to V3’s request for comment on the report.

In its Military and Security Developments Involving the People’s Republic of China 2013 report to Congress earlier in May, the US Department of Defense reported detecting several attacks stemming from China on businesses involved in critical infrastructure areas. The Chinese government has always denied the allegations, saying cyber attacks are a global issue facing all countries.

Sophos security expert, Graham Cluley, told V3 that while news that the team has resumed its activities is troubling, firms should not overreact, as attacks of this nature are now an everyday occurrence, with nearly every government in the world mounting similar campaigns.

“Government departments, military contractors and international companies working on sensitive deals need to be aware that cyber espionage is a reality, and there may be remote hackers interested in breaking into your systems and snooping on your data and communications,” he said.

“It would be wrong to assume that Chinese hackers were the only ones involved in attacks like this, of course. They’re all at it. I would be surprised if any developed nation wasn’t involved in some level of internet espionage. After all, it’s relatively easy to do and a low risk compared to having spies on the ground. Of course, the problem is always proving a particular attack was state-sponsored rather than being done by lone hackers of their own choosing.”

Cluley said that the number of government-funded cyber attacks will undoubtedly increase in the coming years and that firms must update their defences to address the growing threat.

“As more and more data is entrusted to computers, it becomes ever more attractive for those interested in accessing the data to target those networks,” he said.

“In fact, I’d be disappointed if our security services were wasting budget parachuting in spies with James Bond gadgets to steal info when they could just write some spyware and email it to our enemies.

“The best defence? A mixture of training your staff, layer protection at desktops, gateways and servers, keeping up to date with patches to reduce exposure to potential exploits.”

F-Secure researcher Sean Sullivan mirrored Cluley’s sentiment, saying IT managers should not overreact to the threat.

“I wouldn’t say that firms should be worried to the point of panic – but I would advise that they listen to their IT managers’ concerns. IT security has always been a bit of a budget battle. Good IT management often requires good ‘political’ skills in order to convince upper management to pay for what’s needed,” he said.

The comments echo those of numerous other security experts. During a panel discussion at the Trustmarque conference in London, McAfee vice president Ross Allen and Symantec chief technology officer Darren Thomson urged businesses to take a measured approach to the cyber threat they face.

Article source: http://www.v3.co.uk/v3-uk/news/2269159/chinese-military-unit-resumes-cyber-attacks-on-us-businesses
