May 24 2013

Small businesses are under constant attack from malware, scams and online fraud.

They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.


This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia’s slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.

Survey synopsis

The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they’ve taken to protect themselves.

Now, such studies are notoriously biased – asking people with a vested interest and minimal specialist knowledge what they think of complex technical issues will always give some off-the-wall results.

This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.

Stats

The report kicks off with a third-party figure of £18.9 billion lost to fraud by small-and-medium enterprises. This boils down to an average of just under £4000 per business in their study, although that covers all kinds of fraud. A previous analysis came up with a figure of £2900 for ‘normal’ fraud, hinting that the figure for online losses is over a quarter of the total.

On the plus side, 49% of businesses suffered no fraud losses at all, and only around 7% lost more than £5000. 10% reported incidents of card fraud, including ‘card not present’ problems associated with online trading. Such issues, along with the costs and complexity of PCI-DSS compliance, have apparently discouraged many businesses from operating online at all.

20% report ‘virus’ infections, with a further 8% spotting hacking or other ‘electronic intrusion’, and that’s only those that knew about the issues – 73% claimed they had had no problems.

It would be interesting to see how the list of victims overlaps with those who regularly apply security patches to software (a mere 36%), and those who regularly update their anti-virus software (a much higher, but still rather depressing, 59%). 17% claimed they took no actions to counter cyber-attack, from a lengthy list of options.

The figures contrast rather oddly with another survey published just a month ago, produced by the Department for Business, Innovation and Skills (BIS), who also partnered with the FSB on this report. That survey does cover all types of data breach and all associated costs though, rather than just the direct costs of fraud.

Police action

A lot of businesses have gripes about the banks, how little they do to help and how much they cost. They also claim the police don’t help much either.

Indeed, among the study’s headline recommendations are a need to ‘manage expectations around the police response to fraud and online crime by highlighting the benefits of reporting in terms of feeding into a wider intelligence picture’ and ‘Inform businesses what the police do not have the capacity to deal with so they can take preventative measures to help themselves more’.

This is basically admitting that if your business is robbed online, the police may provide you with a pat on the hand and a sympathetic “there, there”, but that’s about it – you should be dealing with this stuff on your own.

At least there is that encouragement to keep reporting issues so their levels can be monitored, which gives some hope that one day even the police will begin to sit up and take notice. The police’s centralised, outsourced Action Fraud reporting system is referenced.

Top tips

The FSB study also provides a good, clear ‘ten top tips’ to help business owners protect themselves.
It includes the basics of running up-to-date security software, applying patches and using at least reasonably strong passwords.

Here are the FSB’s top ten tips:

  • Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  • Carry out regular security updates on all software and devices
  • Implement a resilient password policy (min eight characters, change regularly)
  • Secure your wireless network
  • Implement clear and concise procedures for email, internet and mobile devices
  • Train staff in good security practices and consider employee background checks
  • Implement and test backup plans, information disposal and disaster recovery procedures
  • Carry out regular security risk assessments to identify important information and systems
  • Carry out regular security testing on the business website
  • Check provider credentials and contracts when using cloud services

This is a good start, but business owners clearly need a lot more help. In the UK at least, they may not be so at risk from the POS malware targeting their US cousins, but they face some serious issues.

Many of these problems are based on a simple lack of know-how and IT security illiteracy.

Sadly, even the best defenses can get breached, and there needs to be a stronger deterrent in the criminal system. With the internet involved, this means global action, which remains a rather distant dream.


Image of small businesses and small business crushed by foot courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vZ1uRTQviTg/

May 24 2013

The U.S. government should bar foreign companies that repeatedly steal or use stolen U.S. intellectual property from selling their products in the country, a new report recommended.

About US$300 billion worth of intellectual property is stolen from the U.S. every year, with 50 to 80 percent of the theft coming from China, according to the report, released Wednesday by the Commission on the Theft of American Intellectual Property, a bipartisan group of former government officials and business representatives.

The U.S. government needs to take a series of strong measures to protect U.S. IP because current measures are ineffective, commission members said. The U.S. needs to make it much more costly for nations to encourage IP theft and for companies to engage in it, said Jon Huntsman, co-chairman of the commission and former U.S. ambassador to China and Republican presidential candidate.

Chinese industrial policies focused on acquiring science and technology “encourage IP theft,” Huntsman said during a press conference.

Representatives of the Chinese Embassy in Washington, D.C., didn’t immediately return emails seeking comment about the commission report.

The commission recommended that U.S. policymakers make it easier for the U.S. International Trade Commission to quickly block counterfeit goods from entering the U.S. The USITC’s so-called 337 process, allowing companies to file patent infringement complaints, should move quicker, the report said. That recommendation may be controversial because some patent experts have complained that companies have been able in recent years to abuse the process.

The commission also called on policymakers to allow the U.S. Treasury to block foreign companies that “repeatedly use or benefit from” the theft of U.S. IP from using the U.S. banking system, effectively locking them out of the U.S. market. And agencies considering whether foreign companies should be able to invest in the U.S. or trade on U.S. stock exchanges should look at their IP theft records when making those decisions, the report said.

“We are trying to force foreign companies to choose between access to the U.S. market and stealing American intellectual property,” said Dennis Blair, commission co-chairman and former director of national intelligence for U.S. President Barack Obama. “You can’t have both.”

The commission also recommends that Congress give more green cards, or permanent resident cards, to foreign workers trained in science or technology who want to move to the U.S. The report further recommends that Congress increase funding for law enforcement agencies investigating IP theft and amend the Economic Espionage Act to allow private companies to file lawsuits for trade-secret theft.

U.S. companies need to spend more to protect their IP, by building networks with “world-class,” around-the-clock cybersecurity, Blair added. “You don’t just order a firewall, plug it in, and go home on the weekend.”

If shorter-term measures don’t work, the U.S. government should consider “aggressive” counterattacks against cyberthieves, the report said. The commission also recommended that Congress consider withholding U.S. funding to the World Health Organization and consider imposing a tariff on all Chinese products equal to 150 percent of the U.S. losses from Chinese IP theft if other measures don’t work.

Craig Barrett, former chairman and CEO at Intel, called those longer-term ideas the “nuclear option,” but said they are worth exploring if other efforts don’t work.

Article source: http://www.computerworlduk.com/news/it-business/3448766/ip-theft-commission-us-needs-to-take-strong-action/

May 24 2013

The novel coronavirus found in Saudi
Arabia
has been patented by scientists outside the country,
Deputy Health Minister Ziad Memish told the World Health
Assembly in Geneva.

The virus was sent from the country without proper
permission, Memish yesterday told the assembly, the top
decision-making body of the World Health Organization. Companies
that make antivirals and vaccines have already signed deals with
the patent holder, Memish said.

Albert Osterhaus and Ron Fouchier, scientists at Erasmus
Medical Center in the Netherlands, said they patented the
coronavirus, calling the process a “normal thing to do.” No
agreements have been signed with any companies and they are
sharing the virus freely with other laboratories that request
it, they said in an interview.

The virus has sickened at least 44 people globally since
last year, including 22 deaths. In a Saudi Arabian outbreak, at
least 10 deaths have been reported, according to the WHO.
Laboratory-confirmed cases have also been reported in Jordan,
Qatar, the United Arab Emirates, France, the U.K., Germany and
Tunisia, the United Nations health agency said.

Coronaviruses are a family of pathogens that cause
illnesses ranging from the common cold to SARS, which sickened
more than 8,000 people in 2002 and 2003, according to the WHO.
While the new virus is related to the one that causes SARS, it
appears far less transmissible, the WHO has said.


Trademark

Playboy’s Bunny Can Remain on Energy Drink for Now, Court Says

Playboy Enterprises failed to win a court order that would
bar the use of the Playboy rabbit trademark on an energy drink
made by a unit of CirTran Corp. (CIRC)

In a May 15 ruling, U.S. District Judge Robert W. Gettleman
said that the trademark and licensing-contract dispute in his
court must be stayed until resolution of a parallel action in
Illinois state court.

The dispute between West Valley City, Utah-based CirTran
and Playboy has also played out in federal bankruptcy court.
Origins of the conflict are a 2006 license granting CirTran’s
Play Beverages unit a license to use the Playboy name and bunny-head logo on its product.

The parties “characterize the terms of the license
agreement slightly differently,” leading to the court cases,
Gettleman said in his ruling. CirTran alleged that Playboy
disrupted its business operations and distribution networks, and
Playboy said CirTran violated the terms of the license and thus
was no longer authorized to use the logo and trademark.

Given that the state court had initial jurisdiction over
the dispute, and has “invested significant time in
familiarizing itself with the facts of this dispute and has
advanced greater discover and ruled on substantive motions,”
the judge put the federal case on hold.

Because the case is stayed, Gettleman rejected Playboy’s
request for a court order barring CirTran’s use of the marks.
His ruling was without prejudice, opening the door to a future
request from Chicago-based Playboy once the state-court case is
resolved.

Playboy was acquired by Icon Acquisition Holdings Inc. in
March 2011.

The case is Playboy Enterprises International Inc. v. Play
Beverages LLC, 13-cv-00826, U.S. District Court, Northern
District of Illinois (Chicago).

C&C Unit Seeks to Halt Coffee Roaster’s Use of Woodchuck Logo

C&C Group Plc (GCC)’s Vermont Hard Cider unit, a maker of the
largest-selling brand of fermented apple cider beverages in the
U.S., sued a Vermont coffee roaster for trademark infringement.

According to the complaint filed in federal court in
Rutland, Vermont, Woodchuck Coffee Roasters of South Burlington
is accused of infringing the cider company’s “woodchuck”
trademarks.

Vermont Hard Cider has been selling hard cider under the
Woodchuck brand since 1991, the company said. It has used the
mark on a wide range of promotional products and in ads in
addition to the product label. It initially registered the
Woodchuck trademark with the U.S. Patent and Trademark Office in
2001, and has several subsequent registrations and one pending
application.

The company claims that the coffee roaster is using a label
that is “strikingly similar” to the one used on the cider
products, both containing a woodchuck — a member of the ground-squirrel family — sitting on its haunches. The only
differences, the cider company says, is that the coffee
company’s woodchuck is holding a coffee cup, while the woodchuck
on the cider label is holding an apple.

Woodchuck Coffee Roasters’ use of a similar name and logo
will “inevitably” cause consumer confusion, the cider company
said. Already it has begun to receive queries from some
customers about whether it has gone into the coffee business.

Vermont Cider claims the coffee roaster’s use of the
woodchuck name and logo is willful and deliberate, part of
efforts to have instant brand recognition and to trade on the
cider company’s reputation and goodwill.

The two companies have engaged in discussions to no avail,
with the coffee roaster taking the position that once the
Vermont secretary of state approved the business name, it had
the “absolute right” to use the woodchuck marks with its
coffee, Vermont Cider said in its pleadings.

Following C&C Group’s acquisition of Vermont Cider in
December, Woodchuck Coffee “suddenly demanded a six-figure
monetary payment for ceasing use of the Woodchuck marks,”
according to court papers.

The coffee roaster didn’t respond immediately to an
e-mailed request for comment.

Vermont Cider asked the court for an order halting further
infringement of its marks and for the destruction of all
infringing items, together with awards of money damages,
attorney fees, litigation costs and the cost of remedial
advertising.

The case is Vermont Hard Cider Co. v. Woodchuck Coffee
Roasters LLC, 13-cv-00078, U.S. District Court, District of
Vermont (Rutland).


Copyright

Dotcom Wants Patent-Licensing Revenue to Fund Court Fight

Kim Dotcom, the founder of the cloud-storage service
Megaupload.com, is claiming he holds a patent on a method of
securing online services known as two-factor authentication and
he’d like some licensing income from companies that use the
technology, Cnet News reported.

Presently fighting extradition from New Zealand to the U.S.
in a criminal copyright case, Dotcom said that while he believed
in sharing knowledge and ideas for the good of humanity, he
might file a patent-infringement case because he needs the money
for his legal defense, according to Cnet News.

Dotcom’s patent 6,078,908 was issued to him in June 2000
under his former name, Kim Schmitz, the news service reported.

He used Twitter Inc.’s short-message service to say that he
would use licensing revenue from the patent to fight the
criminal copyright case to the end because he’s innocent of the
charges, according to Cnet News.


Trade Secrets/Industrial Espionage

BankcorpSouth Bank, Argo Data Case Won’t Move to State Court

BankcorpSouth Bank of Tupelo, Mississippi, and Richardson,
Texas-based Argo Data Resource Corp.’s removal of a trade
secrets case from Texas state court to federal court was
appropriate, a federal judge in Dallas ruled.

Spear Marketing Inc. of Dallas sued the two companies in
August, claiming they misappropriated trade secrets related to a
cash-management system known as VaultWorks.

The two defendants sought removal of the case to federal
court, claiming that all the claims made against them were pre-empted by federal copyright law.

Spear Marketing opposed the removal and sought to have the
case returned to state court. It argues that its claims of
trade-secret theft fell outside copyright law’s subject matter.

In her May 16 ruling, U.S. District Judge Jane J. Boyle
ruled that the trade-secret theft claims were based, at least
partly, on the alleged reproduction, distribution or display of
Spear Marketing’s trade secrets and confidential information.
They were therefore “equivalent and at least partly preempted
by the Copyright Act,” she said.

As a result, she denied Spear Marketing’s request to move
the case back to state court.

The case is Spear Marketing Inc. v. BankcorpSouth Bank, 12-cv-00358, U.S. District Court, Northern District of Texas
(Dallas).

Obituary

Oblon Spivak Firm’s Name Partner Gregory J. Maier Dies

Gregory J. Maier, name partner in Alexandria, Virginia’s
Oblon Spivak McClelland Maier Neustadt LLP died yesterday, the
firm said in a statement.

Maier, who was born in 1943, had served both as president
of the IP specialty firm and as managing partner of its
electrical and mechanical patent-prosecution groups. He also was
a past chairman of the American Bar Association’s Section of
Intellectual Property Law.

Before he was a lawyer, he was a patent examiner at the
U.S. Patent and Trademark Office and worked at the Office of
Naval Research.

He had an undergraduate degree in electrical engineering
from the University of Rochester and a law degree from
Georgetown University.

To contact the reporter on this story:
Victoria Slind-Flor in San Francisco at
vslindflor@bloomberg.net

To contact the editor responsible for this story:
Michael Hytha at mhytha@bloomberg.net

Article source: http://www.bloomberg.com/news/2013-05-24/coronavirus-playboy-c-c-argo-intellectual-property.html

May 23 2013

New York City police have arrested a NYPD detective for hiring an email hacking service to pinch the login details for at least 43 personal email accounts and one cell phone belonging to at least 30 individuals.

Edwin Vargas, 42, of Bronxville (a part of New York City), is accused of having paid $4,050 via PayPal to an illicit hacking service between March 2011 and October 2012.

According to a statement from Preet Bharara, the US Attorney for the Southern District of New York, Federal Bureau of Investigations (FBI) agents arrested Vargas outside his home on Tuesday.

Officials said that 19 of Vargas’ alleged targets are current NYPD officers, one is retired from the NYPD, and another is an administrative staff member of the NYPD.

Vargas allegedly used the login credentials to peek into at least one personal email account belonging to a current NYPD officer. He also allegedly accessed another victim’s online cellular telephone account.

Law enforcement officials said that when they checked out the hard drive on Vargas’ NYPD computer, they also found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looks like telephone numbers, home addresses, and vehicle information corresponding to those email addresses.

The list also contained what seem to be passwords for the email addresses.

Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers and then paid email hacking services to filch their logins.

The detective has been charged with one count of conspiracy to commit computer hacking and one count of computer hacking. Each count carries a maximum sentence of one year in prison.

US Attorney Bharara said in the statement that it’s pretty darn bad when the cops themselves are the ones breaking the laws they’re paid to enforce:

As alleged, Detective Edwin Vargas paid thousands of dollars for the ability to illegally invade the privacy of his fellow officers and others.

He is also alleged to have illegally obtained information about two officers from a federal database to which he had access based on his status as an NYPD detective.

When law enforcement officers break the laws they are sworn to uphold, they do a disservice to their fellow officers, to the Department, and to the public they serve, and it will not be tolerated.

FBI Assistant Director-in-Charge George Venizelos also said in the statement that gosh, you’d think you’d be able to trust your coworkers if your workplace is a police department:

As alleged, the defendant illegally acquired log-in information for the email accounts of dozens of people, including police department co-workers.

Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee.

Unlike the email accounts, the defendant didn’t need to pay anyone to gain access to the NCIC database. But access is not authorization, and he had no authorization.

Let’s assume that Naked Security readers won’t fall for pitches from such email hacking services, such as this charmingly misspelled/garbled one:

If you want to know someone’s email password than get it right now. How to hack? No, you don’t have to do that, let our experts to hack your requested password in less than 48 hrs and you will be charged with $100

How do these services work?

Some of them, in their marketing materials, put up lists of techniques that include brute-force attack, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe), and/or social engineering techniques.

Unfortunately, if the allegations prove true, it sounds as though the NYPD not only harbored one bad apple; it also has plenty of staff who might well have fallen for one or more of the email hacking services’ techniques.

As far as protecting ourselves from having our accounts breached, the tried and true advice holds: keep on top of patches; don’t click on phishy links or open phishy email; make sure you’re using a password management program to generate convoluted, hard-to-guess passwords; and/or read Graham Cluley’s piece about cooking up your own.


Better still, follow the advice I saw on a cartoon on Wednesday:

Sorry, your password must contain a capital letter, two numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin.

Bravo!


Image of login screen courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sVK02Y27YgA/

May 23 2013

Twitter has announced the availability of two factor authentication (2FA) for its service, meaning that users can opt-in to something stronger than just a username and password to protect their accounts.


In a blog post, Twitter explains how the new security measure works.

If you decide to turn 2FA on for your Twitter account, every time you try to log into the site you will be prompted to enter a six-digit code that Twitter sends to your phone via SMS.

Here is a video Twitter released, demonstrating the feature:

So, the big question is this… is this going to help media organisations such as The Guardian, NPR, the Financial Times, and others who have found their Twitter accounts hijacked by the likes of the Syrian Electronic Army?

Sadly, I don’t think it’s going to help them at all.

Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.

2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.

Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to “own” the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories.


It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.

Of course, *another* solution would be to have an intermediary service, acting as a proxy, to which journalists could post their Twitter updates (using appropriate authentication) and then have *that* service feed the official Twitter account.

If you take that approach, just ensure that you have proper security systems in place for that proxy service – to keep out hackers and mischief-makers.

Corporations with “shared accounts” on Twitter would be wise to keep their defences updated, educate their staff on security and best practice, and learn the lessons of how Twitter accounts have been hacked in the past.

If you do enable Twitter two-factor authentication, whether you are Joe Public or a multinational corporation, realise that the technology isn’t going to help if you have users who are easily phished.

Determined online criminals could use “man-in-the-middle” techniques to grab the six-digit passcode alongside your username and password.

So, even if you do turn on Twitter’s 2FA, you still need to double-check, when you enter your username and password or your six-digit code, that you are *really* on Twitter’s https website.


Otherwise, the crooks can just use all three items to log in as you…
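The SMS login-code step described above, and the point that a code handed over to a look-alike site verifies just as well as one typed on the real one, modelled as an added Python example. This is illustrative code, not Twitter’s; the five-minute code lifetime and five-guess limit are assumptions, and the user names and phone numbers are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed lifetime; the article does not state Twitter's
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Server-side half of an SMS one-time-code login step (illustrative model).

    The site has already checked the username and password; this step proves
    only that the submitter currently knows the code texted to the registered
    phone. Nothing ties the code to *where* it was typed, which is why a code
    entered on a phishing page and relayed by the crook verifies identically.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(phone_number, text); a real site would hand off to an SMS gateway
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._pending = {}         # username -> PendingCode

    def start(self, username, phone_number):
        # Draw the code from the OS CSPRNG; zero-pad so "000123" is a valid code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing a new code invalidates any earlier one for this user.
        self._pending[username] = PendingCode(code=code, issued_at=self._clock())
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username, submitted):
        """Return (accepted, reason). A code is single-use, time-limited and guess-limited."""
        pending = self._pending.get(username)
        if pending is None:
            return False, "no pending code"
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return False, "expired"
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[username]
            return False, "too many attempts"
        pending.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if not hmac.compare_digest(pending.code, submitted):
            return False, "wrong code"
        del self._pending[username]  # consume it: the same code cannot be replayed
        return True, "ok"


if __name__ == "__main__":
    outbox = []  # stands in for the phone network; constructed for the demo
    factor = SmsSecondFactor(lambda number, text: outbox.append((number, text)))
    factor.start("alice", "+1-555-0100")  # constructed sample user and number
    texted = outbox[-1][1].split()[-1]
    print(factor.verify("alice", texted))  # accepted once
    print(factor.verify("alice", texted))  # replay refused
```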

In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today.

Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.

Right now Twitter’s 2FA is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the Syrian Electronic Army in the past.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/20Nyxx9Fma8/

May 23 2013

We try to avoid being too marketroidistic here on Naked Security.

After all, we’re aware that you can work out which company’s products we’d recommend just by looking at the URL of this article.

But when our technical colleagues get outside recognition for the excellence of the products they create, we can’t help but mention it.

(Especially when said techies are stuck at the coalface, knee deep in code, while one of their colleagues gets to collect their award at a Gala Dinner event in a subtropical holiday resort.)

So we’re proud to say that at this evening’s 2013 Information Security awards at the AusCERT conference in Australia, Sophos scooped the Protector Award with Sophos RED.

RED, you ask, from a company with a blue logo?

Yes! RED stands for Remote Ethernet Device, and it’s a brilliantly simple way of connecting up your branch office or remote workers:

The Sophos Remote Ethernet Device protects branch offices and provides secure remote access. Simply plug the device into your Internet router and centrally manage it from the Sophos UTM appliance at headquarters. Branch office traffic is forwarded to the Sophos UTM appliance for complete security.

The neat thing about the RED is that it can’t be misconfigured when it arrives at the remote office.

You enter the unique device ID printed on your RED into your Sophos Network Security Gateway (or UTM for short) back at HQ, and a new configuration file is automatically created and stored with the Sophos provisioning service.

When the non-techie at the remote office plugs in the unit and turns it on for the first time, the RED and the cloud automatically do the rest.

You end up with an encrypted Virtual Private Network (VPN) connection that is equivalent to having your remote workers plugged into your wired network at head office.

Delivering a product of this sort that Just Works isn’t a job for the faint-hearted programmer.

The challenge of words like zero in computer science is that they are unambiguously absolute.

So when you promise a “zero configuration” experience, you really have to mean it: you can’t have a single pop-up dialog, tick box, or [OK] button.

→ Even a washing machine typically needs some user-side configuration, no matter that it’s just twiddling a dial and pressing a switch.

So, congratulations to our techie brothers and sisters for making “zero” mean zero!

By the way, if you’re wondering why you might want to consider a full-blown VPN instead of just relying on remote workers to connect to key services over HTTPS, take a look at some of the comments on our recent Wireless Security Myths video.

HTTPS secures individual transactions, but it doesn’t secure the DNS lookups of your remote users, and it doesn’t shield the times or destinations of their connections.

That might not sound like a lot, but an attacker who controls your DNS can entirely own your network, and an attacker who knows the pattern of your communications can apply traffic analysis and learn more about your business than you might like.

Much worse, rather obviously, is that HTTPS works with co-operating secure websites only; it protects nothing else that leaves or enters your computer.

So…which company’s product would I recommend for remote office connectivity?

Let me just say, “You can work it out just by looking at the URL of this article.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FFPbFkF1Cts/

May 23 2013

 * The score: Elena Ambrosiadou 2 – Martin Coward 0  *

Less than two years after a Limassol court upheld the island’s reputation as being safe for IP rights, a court in England has also found that the intellectual property of the high-speed trading software in question belongs to the company and thus, the co-author who abandoned the European hedge fund IKOS has no claim to the software.
The UK High Court handed down a decisive victory to IKOS against Martin Coward, a former director, by affirming the company’s ownership of its quantitative analysis software and rejecting Coward’s claim to it, which rested on his having written a substantial part of it.
The court also ruled that Coward had no right to take copies of IKOS’ software, first developed to trade Japanese Equity Warrants in the 1990s. He has already admitted to covertly making a copy of the software in November 2009 which he then took to Monaco and other countries, and also uploaded to cloud storage. Cyprus and Monaco officials have launched criminal investigations into Coward’s actions and a number of his associates.
This outcome is a resounding success for IKOS and its CEO, Elena Ambrosiadou, who has long advocated improvements in European Intellectual Property protection laws.
“Our investors will be very pleased with this result because it secures the future of their investment with IKOS,” Ambrosiadou said after the ruling by Judge Asplin.
“In addition to confirming the ownership of the IP, this ruling vindicates IKOS’ defence of its lawful rights to IP and strengthens the case for an overhaul of the European laws regarding protection of Intellectual Property,” she added.
Laws on IP theft in the UK and other European countries are largely out of date in the era of global networks and cloud computing, and trail behind United States law, where recent cases of trade secret theft have resulted in long jail sentences.
“Having in mind the vague and insufficient protection of copyright in the EU (there is no official copyright registration system, unlike in the U.S.), such rulings are very important for the protection of copyright,” said Sozos-Christos Theodoulou, M Law, D.E.A., Partner/Advocate at the Law Offices of Dr. Christos A. Theodoulou.
“Cypriot courts should follow in the same path, in order to enhance the feeling of intellectual security and, thus, encourage creativity among our compatriots,” Theodoulou added.
“This development strengthens and gives even more credibility to Cyprus’ attractive intellectual property regime, whereby 80% of the profits from the disposal and exploitation of the IP are treated as an expense and thus disregarded for tax purposes,” explained Efthymios Kanaris, Director at Kanaris, Demetriades Associates in Nicosia.
Earlier this year, Vincent Pfister, the elusive IT expert charged with stealing software and data from IKOS, appeared in a Cyprus court to hear seven charges of theft and fraud filed by the state.
He had been evading the authorities since April last year when the police filed the charge sheet in Limassol District Court.
Limassol District Court Judge Yiota Kyprianides set the hearing date for May 21 and let Pfister free on a bail of 50,000 euros.
In a landmark case involving the protection of intellectual property rights that has shed light on the cloak-and-dagger intricacies of the high-speed trading world, Pfister has been charged with stealing proprietary software, source codes, data files, archives, as well as other information deemed confidential.
He was found to have stored the software and documents on a hard drive and later on a memory stick that was traced in a joint police sting involving officers in Cyprus, the U.K. and France.
In a related case, Pfister was accused of stealing the information in November 2009 with the intent of setting up a rival firm to IKOS in Monaco, which would be operated by Martin Coward.

Article source: http://www.financialmirror.com/news-details.php?nid=29942

Posted at 10:08 pm
May 23 2013
 

Episode #109 of our popular Chet Chat podcast series is out.

Chet and Duck (Chester Wisniewski and Paul Ducklin) are back with their almost entirely reverent opinions on the latest computer security issues.

If this is your first time listening to the Chet Chat: episodes come out every two weeks, and usually last about a quarter of an hour.

That makes the Chet Chat podcast ideal for your daily commute or for a spot of lunchtime listening.

(You can keep up with our podcasts via RSS or iTunes, and catch up on previous Chet Chats and other Sophos podcasts by browsing our podcast archive.)

Listen now:

(20 May 2013, duration 15’23″, size 9.3 MBytes)

Download now:

Sophos Security Chet Chat #109 (MP3)

Chet Chat episode 109 shownotes:

Laptop theft

Duck wrote about a video of a chap in London whose laptop was stolen in under a second, live on CCTV.

Was he using full-disk encryption? Both Chet and Duck sincerely hope so.

Duck poses the question, “Does the modern-day fence [handler of stolen goods] treat the data as valuable as well as the laptop?” Chester advises us to assume that the answer is, “Yes!”

Casher crews

Chet and Duck discuss the recent casher crew busts in New York, and talk about how people end up as money mules [processors of cash payments] for cybercrooks.

LulzSec busts

Chester suggests that the prison sentences dished out to Lulzseccers in the UK were probably long enough to satisfy people who thought the UK was a bit soft on cybercrime, but not so long as to be unreasonable.

He also mentions the interview he recorded back in February with Parmy Olson, who wrote a book about what makes these guys tick. It’s now available on podcasts.sophos.com.

Patch Tuesday

Chester points out that MS fixed not only its PWN2OWN hole that was discovered a couple of months back, but also the “Dept of Labor” zero-day from just ten days before the update. He thinks that is pretty swift.

Duck agrees, admitting, “These are not words that naturally come billowing out of my mouth, but, ‘Well done, Microsoft!’”

Name.com breach (and others)

Chet reels off a list of recent breach-ees, of which name.com is a recent example. At least they only lost password hashes.

Duck remarks on the addition of another newspeak word to go with Advanced Persistent Threat: AoC, “Abundance of caution.”

He argues that that’s better than complete denial, but worries that it might mean the cure ends up worse than the disease.

Signing off

Chet and Duck sign off by inviting you to enter for a prize in the latest #sophospuzzle, now live on nakedsecurity.sophos.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ebHkEYPc_Rg/

May 23 2013
 

Last year Sophos looked at Wi-Fi security by sending one chap right across London on a bicycle, and me on foot to tramp the Sydney CBD North to South and East to West…

…and we found that while things weren’t terrible, they weren’t 100% rosy, either.

So, to coincide with the 2013 Cyber Security Awareness Week in New Zealand, we thought it was worth making a short revision video.

Here you are: Three Wireless Security Myths.

(If you enjoyed this video, you’ll find plenty more on the SophosLabs YouTube channel.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m49L13Q7u6U/

May 23 2013
 

Did you open your email inbox this morning to find an email like the following?

Malicious email

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.

Thanks
Karen Parker

Whatever you do, don’t open the file attached to the email.

Contained inside the file invoice copy.zip is a malicious Trojan horse, designed to compromise your computer.

Sophos products detect the malware proactively as Mal/BredoZp-B, but users of other vendors’ products should check that their software is fully up-to-date and defending against the threat.

Curiously, samples of the malware campaign intercepted by SophosLabs claim to come from the world-famous jewellers Tiffany & Co.

This may be a deliberate ploy on the part of the criminals behind the attack to tempt more people into opening the attachment.

Of course, it’s child’s play to forge email header information, and there is no suggestion that the messages were really sent by Tiffany’s. If anything, they are also victims of this campaign.

Little blue boxes from Tiffany & Co. are the stuff of dreams for many. Don’t let an unexpected email delivery – apparently from the company – make you so giddy with excitement that you end up with a computer nightmare.
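For anyone who has to triage messages like this at a mail gateway rather than just not clicking, here is an added example, not code from the post or from Sophos, of the two checks that catch this lure without any signature: look inside the zip for something Windows would execute, and compare the address the reader sees in From: with the envelope sender the receiving server recorded in Return-Path. The sample message is constructed here; the sender addresses, the Return-Path, the recipient and the inner file name `invoice copy.exe` are hypothetical and say nothing about what the real campaign’s archive contained. Only the wording and the name `invoice copy.zip` come from the post.

```python
"""
Added example: first-pass triage of an "invoice" lure with a zip attachment.
Flags executables (by extension or PE 'MZ' header) inside the archive, and a
From/Return-Path domain mismatch that is typical of forged headers.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions Windows will run on double-click; the usual payload of invoice lures.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message(inner_name: str = "invoice copy.exe",
                         inner_bytes: bytes = b"MZ" + b"\x00" * 62,
                         return_path: str = "<bounce@mailer-9981.example.net>") -> bytes:
    """Construct a lookalike of the lure. All addresses, the Return-Path and the
    zip contents are hypothetical; defaults mimic a forged message."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "Karen Parker <orders@tiffany.example>"     # what the reader sees
    msg["To"] = "accounts@victim.example"
    msg["Return-Path"] = return_path                          # what the MTA recorded
    msg["Subject"] = "export License and payment invoice"
    msg.set_content("Kindly open to see export License and payment invoice attached.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="invoice copy.zip")
    return msg.as_bytes()


def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].lower().rpartition("@")[2]


def triage(raw: bytes) -> dict:
    """Return a verdict plus the reasons: 'quarantine' for a dangerous attachment,
    'review' for suspicious headers only, 'pass' otherwise."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header_findings, attachment_findings = [], []

    # From: is free text chosen by the sender; Return-Path was set by our own MTA
    # from the SMTP envelope, so a disagreement is a cheap forgery indicator.
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        header_findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            attachment_findings.append(f"bare executable attachment {name!r}")
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename
                    with zf.open(info) as fh:                 # read only the magic bytes
                        head = fh.read(2)
                    if inner.lower().endswith(EXECUTABLE_SUFFIXES):
                        attachment_findings.append(f"{name!r} contains executable {inner!r}")
                    elif head == b"MZ":                       # PE file under an innocent name
                        attachment_findings.append(f"{name!r} contains PE file disguised as {inner!r}")
        elif name.lower().endswith(".zip"):
            attachment_findings.append(f"{name!r} is named .zip but is not a zip archive")

    verdict = ("quarantine" if attachment_findings
               else "review" if header_findings else "pass")
    return {"verdict": verdict,
            "header_findings": header_findings,
            "attachment_findings": attachment_findings}


if __name__ == "__main__":
    print(triage(build_sample_message()))
    print(triage(build_sample_message("invoice copy.pdf", b"%PDF-1.4 constructed",
                                      "<orders@tiffany.example>")))
```

Neither check replaces a scanner: a Return-Path mismatch is normal for mailing lists and bulk senders, and a packed or password-protected archive defeats the content check, which is why the attachment result quarantines and the header result only asks for review.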

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sKjAGJdlAW8/