Sunday, March 28, 2010

Chinese student describes how to attack a small U.S. power grid sub-network

Cascade-based attack vulnerability on the US power grid

A paper by Chinese researchers envisioning a cyberattack on the U.S. power grid has raised concerns in the United States. The researchers outline an attack on a small U.S. power grid sub-network that could trigger a cascading failure across the wider electrical infrastructure.

The paper's co-author, Chinese graduate engineering student Wang Jianwei, says the research is purely theoretical and that its intent is to improve power grids' stability by investigating potential vulnerabilities. Although some analysts see the paper as a sign that China has an interest in interfering with the U.S. power grid, University of Pennsylvania physicist Reka Albert disagrees. "Neither the authors of this article, nor any other prior article, has had information on the identity of the power grid components represented as nodes of the network," Albert says.

"Thus no practical scenarios of an attack on the real power grid can be derived from such work." Wang says he chose the United States as a potential target because it publishes data on its power grids; it was the only country for which he could find accessible, useful information.

Refer here to read more details about this news and click here to access the research paper.

Friday, March 26, 2010

Fully patched iPhone Hacked

Using an all-new ARM exploit - entire SMS database hijacked

A pair of European researchers used the spotlight of the CanSecWest Pwn2Own hacking contest here to break into a fully patched iPhone and hijack the entire SMS database, including text messages that had already been deleted.

Using an exploit against a previously unknown vulnerability, the duo — Vincenzo Iozzo and Ralf Philipp Weinmann — lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds. The exploit crashed the iPhone’s browser session but Weinmann said that, with some additional effort, he could have a successful attack with the browser running.

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explained. Iozzo, who had flight problems, was not on hand to enjoy the glory of being the first to hijack an iPhone at the Pwn2Own challenge.

Please refer here to read more details.

Saturday, March 20, 2010

Don't open attachments, even from a trusted source, unless you are really sure

Faux Facebook emails use password reset ploy

A widespread phishing campaign is making the rounds that claims to be from Facebook but is meant to infect victims' PCs.

The fraudulent emails arrive with a note stating that the recipient's Facebook password was changed and they can find the new one in an attached ZIP file.

The malicious attachment actually contains an assortment of malware, depending on the message, including trojans and rogue anti-virus programs. The scam is global in its reach and, as of Wednesday afternoon, the malware carried by the phishing run ranked as the sixth most prevalent global virus that McAfee was tracking. It is possible that machines recruited into the Cutwail or Rustock botnets are delivering the spam messages.

Facebook Security, in a status update on its profile page, told users that the social networking site would never send a new password as an attachment.

"There's another spoofed email going around that claims to be from Facebook and asks you to open an attachment to receive a new password," read the update. "This email is fake. Delete it from your inbox, and warn your friends."
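The policy Facebook states above (a password never arrives as an attachment) can be turned into a mail-gateway check. The following is an added example, not code from the original post, from Facebook or from McAfee: it parses a MIME message, flags the "your password was changed, the new one is attached" pattern when a ZIP is attached, looks inside the ZIP for executables, and compares the claimed Facebook sender against the envelope sender. The sender addresses, file names, message bodies and the list of legitimate Facebook domains are assumptions constructed for the demo.

```python
"""Added example, not code from the original post, Facebook or McAfee: a
mail-gateway pre-filter for the lure described above. Sender addresses, file
names and message bodies below are constructed for the demo."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should never arrive inside a "your new password" ZIP.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Body pattern of the campaign: password changed/reset, new one attached.
PASSWORD_LURE = re.compile(r"password.{0,80}(changed|reset|new)", re.I | re.S)
# Assumed legitimate envelope domains for Facebook mail (assumption).
FACEBOOK_DOMAINS = ("facebook.com", "facebookmail.com")


def envelope_domain(value: str) -> str:
    """Domain part of an address header value, lower-cased, or ''."""
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def zip_members(data: bytes) -> list:
    """Names inside a ZIP payload, or [] if the bytes are not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(raw: bytes) -> list:
    """Return the reasons to quarantine a raw RFC 822 message; [] means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    from_hdr = str(msg.get("From", "")).lower()
    env = envelope_domain(str(msg.get("Return-Path", "")))
    legit = any(env == d or env.endswith("." + d) for d in FACEBOOK_DOMAINS)
    if "facebook" in from_hdr and not legit:
        reasons.append("From claims Facebook but envelope sender is " + (env or "missing"))
    body = msg.get_body(preferencelist=("plain", "html"))
    lure = bool(body and PASSWORD_LURE.search(body.get_content()))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if not (name.endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        if lure:
            reasons.append("password-in-attachment lure with ZIP attachment " + name)
        bad = [m for m in zip_members(payload) if m.lower().endswith(EXEC_EXT)]
        if bad:
            reasons.append("executable inside ZIP: " + ", ".join(bad))
    return reasons


def build_zip(members) -> bytes:
    """Constructed ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def build_message(from_hdr, return_path, subject, text, attachment=None) -> bytes:
    """Constructed message in the shape a gateway would hand to classify()."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg["Return-Path"] = return_path
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()


# Constructed lure in the shape of the campaign; the file names are made up.
LURE = build_message(
    "Facebook <service@facebook.com>", "<bounce@compromised-host.example>",
    "Facebook Password Reset Confirmation",
    "Your Facebook password has been changed. The new password is in the attached file.",
    ("Facebook_Password.zip", build_zip([("Facebook_Password.exe", b"MZ" + b"\0" * 64)])),
)
# Constructed benign mail with a ZIP of documents, for comparison.
BENIGN = build_message(
    "Alice <alice@example.org>", "<alice@example.org>", "Slides",
    "Slides from today's meeting are attached.",
    ("slides.zip", build_zip([("slides.pdf", b"%PDF-1.4 placeholder")])),
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, classify(raw) or ["deliver"])
```

The three rules are deliberately independent: an attacker who fixes the envelope sender still trips the ZIP inspection, and a ZIP that cannot be opened (encrypted or corrupt) yields no member names, so the lure rule is the one that still fires for it.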

Monday, March 15, 2010

ATM Skimming: 8 Tips to Fight Fraud

Banking Institutions Must Take Preventive Measures

ATM fraud is on the rise and shows no sign of abating. There is a list of incident response tips for financial institutions that want to fight back against ATM skimming attacks.

Mike Urban, Senior Director of Fraud Solutions at FICO (Fair Isaac Corporation, the provider of credit scoring), says all types of ATMs - and even pay-at-the-pump gasoline stations - are under attack by tech-savvy fraudsters.

"As I have seen, [fraudsters] pretty much go after anyone; it's not one manufacturer or one model."

Several skimmers have been found at gas stations around the country in the last month; the criminals place readers there to capture the card number and the PIN before the PIN is encrypted. "I predict we're going to see more of those," he says. "They are targeting the weakness of the mag stripe, and that will be something we have to live with until a better solution is developed."

The Skimming Trends

The current trend began slowly, says Urban. Several years ago the targets were primarily off-premise ATMs: criminals could buy ATMs, place skimming devices in them and collect card and PIN information. But when changes such as the encrypting PIN pad and other advances in technology changed how PINs were protected, criminals began focusing on financial institutions' ATMs.

Recent arrests show that the criminals perpetrating these crimes come from Eastern Europe, and much of the technique and the hardware placed on the ATMs comes from there as well. Those criminals have been targeting financial institution ATMs for years, primarily because those are the kind deployed in Europe, where there are not as many stand-alone ATMs.

Incident Response Tips

Action items for banking institutions include:

Have a Plan -- for what you do if you find a skimming device on one of your ATMs.

Document the Plan -- listing everything that should happen, people to be contacted, actions to be taken.

Educate Your Branch Employees -- If a device is found, all employees should know what to do and what not to do. Educate branch employees and third-party vendors, as well as ATM servicers. Make sure they are monitoring the outside of the ATMs for adhesive residue or devices attached to the ATM.

Inspect All Locations -- frequently, checking the fascia and the surroundings of the ATMs and making sure nothing has been added or moved.

Set ATM Standards -- including visual standards for all ATMs in all branches. Keep it standard. Take a photograph of each ATM, inside and outside. Show employees what it should look like, so ATMs can be quickly examined to see what may be out of place. "It sounds like a bit of overkill, but a picture is worth 1,000 words," says Urban.

Don't Touch Skimmer If Found -- Contact law enforcement if a device is found on the ATM. Tell employees to not touch it or pick it up or pull it off the ATM. Secure the area with bank robbery tape until law enforcement arrives.

Be Vigilant At All Times -- Increase your checks on ATMs, especially if you've heard of ATM skimming in your area. If there are reports of ATM skimming, increase the number of checks. Even if there are no reports, have employees check ATMs in off-hours and over weekends, which are prime times for skimmers to be put on ATMs.

Contact Other Institutions -- Share information with local and regional institutions about what's happening at your branches and make sure they share information with your institution.

If you know of any more tips, please let me know.

Saturday, March 13, 2010

Attack Unmasks User Behind the Browser

Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

Vienna University of Technology researchers have developed a "deanonymization" attack that reveals the identity of Internet users based on their interactions in social networks. The attack combines social networking group membership with traditional browser history-stealing tactics to single out specific users.

The researchers focused on Germany's Xing business social network and Facebook and matched stolen browsing histories with social network group members to identify users. "It is the combination of history stealing and group information that is novel," says Vienna University post-doctoral researcher Gilbert Wondracek. Criminals could use the deanonymization method for targeted attacks, which only requires that the victim visit a malicious Web site that contains the attack code.

There was no browser fix for the attack at the time, but users can clear or disable their browsing history, or use a private-browsing mode, to reduce the risk. (Browsers have since restricted what a page can learn from the :visited state of links, which blunts the history-stealing half of this attack.)
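The matching step that makes the combination "novel" is easy to see in code. The block below is an added simulation, not the Vienna researchers' code: the group URLs, member lists and the victim's history are constructed, and the history probe is a pluggable predicate standing in for the :visited-styling trick the attack used in the browser. It ranks candidate users by how many of the victim's visited group pages they belong to, rather than taking a strict intersection, so a visit to a group the victim is not a member of does not break the match.

```javascript
// Added example, not the researchers' code: the matching step of the
// deanonymization attack, as a stand-alone simulation with constructed data.

// Group membership as it would be crawled from the network: group URL -> ids.
const GROUP_MEMBERS = {
  "https://xing.example/groups/infosec": ["alice", "bob", "carol", "dave"],
  "https://xing.example/groups/vienna-startups": ["alice", "carol", "erin"],
  "https://xing.example/groups/sailing": ["alice", "bob", "frank"],
  "https://xing.example/groups/python-users": ["dave", "erin", "frank"],
};

// History-stealing step. In 2010 this was done by styling a:visited and
// reading the computed colour of one <a> per candidate URL; modern browsers
// return the unvisited style, so here the probe is an injected predicate.
function probeHistory(candidateUrls, isVisited) {
  return candidateUrls.filter(isVisited);
}

// Rank users by how many of the visited group URLs they are members of.
function rankCandidates(groupMembers, visitedUrls) {
  const scores = new Map();
  for (const url of visitedUrls) {
    const members = groupMembers[url];
    if (!members) continue; // a page we never crawled carries no evidence
    for (const m of members) scores.set(m, (scores.get(m) || 0) + 1);
  }
  return [...scores.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([user, hits]) => ({ user, hits, total: visitedUrls.length }));
}

// Claim an identity only when one user matches every visited group and
// nobody else ties; otherwise report the ambiguity and the ranking.
function deanonymize(groupMembers, isVisited) {
  const visited = probeHistory(Object.keys(groupMembers), isVisited);
  const ranked = rankCandidates(groupMembers, visited);
  if (ranked.length === 0) return { visited, ranked, identity: null };
  const [best, second] = ranked;
  const unique = best.hits === visited.length && (!second || second.hits < best.hits);
  return { visited, ranked, identity: unique ? best.user : null };
}

// Constructed victim: alice, whose history holds three of the group pages.
const VICTIM_HISTORY = new Set([
  "https://xing.example/groups/infosec",
  "https://xing.example/groups/vienna-startups",
  "https://xing.example/groups/sailing",
]);
const result = deanonymize(GROUP_MEMBERS, (u) => VICTIM_HISTORY.has(u));
console.log(result.identity, result.ranked);
```

With only one visited group the ranking ties (alice, bob and frank all score 1 for the sailing group) and `identity` stays null; the attack's power comes from the number of groups a victim has visited, which is why the researchers needed a large crawl of group membership.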

Refer here for more details.

Wednesday, March 10, 2010

U.S. identifies cybersecurity as a top priority

US plan to make hacking harder revealed

The Obama administration has declassified part of its plan to improve the security of cyberspace in an attempt to cultivate greater collaboration between government and civilian groups. More cooperation between the private sector and the U.S. National Security Agency is the centerpiece of the Comprehensive National Cybersecurity Initiative (CNCI).

The declassified abstract of the plan reveals that the U.S. Department of Homeland Security will operate a new security system, called Einstein 3, that analyzes email and other data traffic into and out of federal networks. CNCI also urges merged oversight of federal spending on research and development in cybersecurity, with a particular focus on "leap-ahead" technology.

Although the initiative acknowledges that traditional security approaches "have not achieved the level of security needed," it says the federal government is now outlining "grand challenges" for the research community to help solve the most difficult problems.

Refer here to read more details.

Monday, March 8, 2010

GPS vulnerable to hacker attacks

Technology that depends on satellite-navigation signals is increasingly threatened by attack

Experts warn that technology reliant on satellite navigation signals is increasingly vulnerable to attack with widely available equipment. At a U.K. conference at the National Physical Laboratory, professor David Last said the biggest vulnerability of the global positioning system (GPS) is the extreme weakness of the signals that reach receivers, which makes them easy to jam with ground-based equipment.

Such jamming has been conducted by military systems for years to disrupt adversaries' navigation, but small jamming devices are increasingly available online. Moreover, receivers can be fooled into accepting erroneous data by bogus GPS signals, Last warned. Seagoing vessels are especially susceptible, given that their systems increasingly use satellite navigation directly and also feed GPS data into other equipment.
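The "extreme weakness" of the signal is a matter of simple arithmetic. The following is an added illustration, not from the conference talk or the article: a link budget using free-space path loss on both paths. The satellite EIRP (27 dBW), the range used (the 20,200 km orbital altitude; slant range at low elevation is longer), the jammer (1 W at 1 km) and the 40 dB jammer-to-signal tolerance are all stated assumptions, chosen to be representative rather than taken from any specific receiver.

```python
"""Added illustration, not from the conference talk or the article: a link
budget showing how weak the GPS signal is at the receiver and how little
transmitter power it takes to overpower it. Free-space path loss is assumed
on both paths; the satellite and jammer figures are stated assumptions."""
import math

C = 299_792_458.0            # speed of light, m/s
L1_HZ = 1575.42e6            # GPS L1 carrier
SAT_EIRP_DBW = 27.0          # assumed L1 C/A EIRP, close to the published ~27 dBW
SAT_RANGE_M = 20.2e6         # assumed: orbital altitude; slant range is longer
C_A_BANDWIDTH_HZ = 2.046e6   # main lobe of the C/A code spectrum


def fspl_db(distance_m, freq_hz):
    """Free-space path loss: 20log10(d) + 20log10(f) + 20log10(4*pi/c)."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def received_dbw(eirp_dbw, distance_m, freq_hz=L1_HZ):
    """Power at a 0 dBi antenna, in dBW."""
    return eirp_dbw - fspl_db(distance_m, freq_hz)


def thermal_noise_dbw(bandwidth_hz, temp_k=290.0):
    """kTB noise floor in dBW."""
    return 10 * math.log10(1.380649e-23 * temp_k * bandwidth_hz)


def jammer_to_signal_db(jammer_w, jammer_range_m):
    """J/S at the receiver for a jammer of jammer_w watts EIRP at jammer_range_m."""
    j = received_dbw(10 * math.log10(jammer_w), jammer_range_m)
    s = received_dbw(SAT_EIRP_DBW, SAT_RANGE_M)
    return j - s


def jammer_reach_m(jammer_w, js_limit_db):
    """Distance out to which the jammer still delivers js_limit_db of J/S."""
    s = received_dbw(SAT_EIRP_DBW, SAT_RANGE_M)
    needed_loss = 10 * math.log10(jammer_w) - (s + js_limit_db)
    log_d = (needed_loss - 20 * math.log10(L1_HZ)
             - 20 * math.log10(4 * math.pi / C)) / 20
    return 10 ** log_d


if __name__ == "__main__":
    s = received_dbw(SAT_EIRP_DBW, SAT_RANGE_M)
    n = thermal_noise_dbw(C_A_BANDWIDTH_HZ)
    print(f"GPS L1 at the receiver: {s:.1f} dBW, {n - s:.1f} dB below "
          f"the {n:.1f} dBW thermal noise floor")
    print(f"1 W jammer at 1 km: J/S = {jammer_to_signal_db(1.0, 1000.0):.1f} dB")
    # 40 dB is an assumed receiver tolerance figure; real receivers vary.
    print(f"1 W jammer keeps J/S above 40 dB out to "
          f"{jammer_reach_m(1.0, 40.0) / 1000:.1f} km line of sight")
```

Under these assumptions the satellite signal arrives about 155 dBW below a watt, roughly 15 dB under the thermal noise in its own bandwidth (the receiver recovers it only through the spreading-code processing gain), and a one-watt transmitter a kilometre away is almost 60 dB stronger. Real reach is shorter than the free-space figure because of terrain and antenna patterns, but the margin is the point: the attacker does not need a powerful transmitter.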

Refer here to read the news.

Saturday, March 6, 2010

A single sign-on system for each Internet session?

The safe way to use one Internet password

Queensland University of Technology (QUT) Ph.D. researcher Suriadi is investigating the use of anonymous credential systems, an Internet authentication technique dating from the 1980s, to let Web users log in securely just once per Internet session. Suriadi says future single sign-on systems could give users access to multiple accounts, including email, banking and shopping, but would need strong privacy guarantees to limit what an attacker could learn.

He says the anonymous credential system could enhance the security and privacy of a single sign-on system. "The system works by revealing as little information about who you are as necessary for logging into an account, therefore allowing you to remain anonymous," Suriadi says. A single sign-on system backed by anonymous credentials requires the cooperation of businesses and organizations to enable it, Suriadi notes.

"However, if one of the parties is compromised, for example by a virus, a 'denial of service' attack or insecure set-up, it puts all the user's linked accounts at risk."

Refer here to read more details.

Wednesday, March 3, 2010

Customer Vs. Bank: Who is Liable for Fraud Losses?

Customer raises key questions about responsibility and security

The lawsuit, filed by EMI in a Michigan circuit court, alleges that Dallas-based Comerica exposed its customers to phishing attacks by itself sending emails that asked customers to click a link to update the bank's security software. In January 2009, an EMI employee opened a phishing email purporting to come from Comerica and clicked the links in it; the email duped the employee into believing the bank needed its banking software updated. Subsequently, more than $550,000 was stolen from the company's bank accounts and sent overseas.

EMI says that even though the bank used two-factor authentication based on digital certificates for its online banking portal, the phishing scam circumvented these measures. The bank says its online security methods were reasonable "because they were in general used by other similarly situated customers of other banks."

Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. That's why it's so important that, before an incident occurs, a company take proactive steps to implement a reasonable security program.

Is a Bank Liable For Phishing?

Should a bank be held liable for a customer's employee falling for a phishing email that supposedly represents the bank?

Most employees have been warned about phishing attempts, but even the most robust training does not protect against occasional human error. Does this training need to occur more frequently, or is it a matter of customizing the training to the evolving and specific types of phishing attempts? If a company is going to be responsible under the law for employees' vulnerability to phishing attempts, that's a pretty good incentive to increase training.

Can a bank be held liable? Some security experts say emphatically 'No.' Others disagree: "The bank clearly could have made better decisions on how to update security information."

What is 'Reasonable Security'?

In this case, was the bank's two-factor security token technology an unreasonable safeguard based on the information available at the time it was implemented by the company?

The key issue here is what measures were in place to detect unauthorized or unusual activity on this customer's account, and whether the bank acted quickly enough once such activity was detected. "All companies could benefit from evaluating and assessing how the issues raised in this case compare against their own information security programs."

Banks should view it as a wake-up call and work on mitigating phishing attacks.
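The detection question above is concrete enough to show in code. The block below is an added example, not the bank's monitoring system and not drawn from the case record: a small rule set (new payee, first transfer to a country, amount above the account's prior maximum, burst of transfers within a short window) run over a constructed account history that ends in a morning resembling the pattern described in the article. The thresholds, payees, countries, amounts and dates are all assumptions chosen for the demo.

```python
"""Added example, not the bank's system or anything from the case record: the
kind of account-activity check the question above is about, run over a
constructed transfer history. Thresholds, payees, amounts and dates are
assumptions chosen for the demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    when: datetime
    amount: float
    payee: str
    country: str
    kind: str  # "ach" or "wire"


def reasons_for(tx, history, window=timedelta(hours=2), burst=3):
    """Compare one transfer against the account's prior activity."""
    reasons = []
    if tx.payee not in {t.payee for t in history}:
        reasons.append("new payee")
    if tx.country not in {t.country for t in history}:
        reasons.append("first transfer to " + tx.country)
    largest = max((t.amount for t in history), default=0.0)
    if tx.amount > largest:
        reasons.append(f"exceeds largest prior transfer ({largest:,.0f})")
    recent = [t for t in history if timedelta(0) <= tx.when - t.when <= window]
    if len(recent) + 1 >= burst:
        reasons.append(f"{len(recent) + 1} transfers within {window}")
    return reasons


def monitor(history, incoming):
    """Process transfers in order; hold any that trips two or more rules, or
    that goes to a new payee abroad. Held transfers still count as activity,
    so a burst keeps scoring higher as it goes on."""
    seen = list(history)
    decisions = []
    for tx in incoming:
        r = reasons_for(tx, seen)
        hold = len(r) >= 2 or ("new payee" in r and tx.country != "US")
        decisions.append((tx, hold, r))
        seen.append(tx)
    return decisions


# Constructed baseline: weekly domestic payments to two known payees.
HISTORY = [
    Transfer(datetime(2008, 11, 5) + timedelta(weeks=i), amt, payee, "US", "ach")
    for i, (amt, payee) in enumerate([(8000, "Acme Payroll"), (11500, "Steel Supply Co")] * 4)
]

# Constructed morning of an incident: one routine payment, then wires abroad.
INCOMING = [
    Transfer(datetime(2009, 1, 22, 9, 0), 8000, "Acme Payroll", "US", "ach"),
    Transfer(datetime(2009, 1, 22, 10, 5), 46000, "Ivanov Trade", "RU", "wire"),
    Transfer(datetime(2009, 1, 22, 10, 20), 9800, "Delta Export", "EE", "wire"),
    Transfer(datetime(2009, 1, 22, 10, 35), 52000, "Global Partners", "MD", "wire"),
]

if __name__ == "__main__":
    for tx, hold, r in monitor(HISTORY, INCOMING):
        print("HOLD   " if hold else "RELEASE", tx.when.time(),
              f"{tx.amount:>8,.0f}", tx.payee, r)
```

The routine payroll payment is released with no findings; every wire in the burst is held, and the later ones accumulate more reasons than the first because held transfers remain part of the account's recent activity. In practice such a hold feeds a callback to the customer on a known phone number, which is the step that would have mattered in the scenario the article describes.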

Refer here to read more details.

Monday, March 1, 2010

Security Threat Against ‘Smart Phone’ Users

Personal computer security threat can now attack smart mobile phones

Rutgers University (RU) computer scientists have demonstrated how rootkits could surreptitiously instruct a smartphone to eavesdrop on a meeting, track its owner's location, or rapidly drain the battery. Smartphones "run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by malicious software, or malware," says RU professor Vinod Ganapathy.

Rootkit attacks on smartphones could be especially effective because users tend to carry their phones with them all the time, which creates opportunities for attackers to eavesdrop, extract personal information, or pinpoint the user's location using the phone's GPS receiver.

Refer here to read more details about the research.