More Bugs Found in OpenSSL Security Tool

There have been six more bugs found in the widely used OpenSSL security tool.

OpenSSL is a security tool that houses computer programs to enable security over the public Internet.

OpenSSL is used in shared consumer applications, like software in Google’s Android smartphones.

With the Heartbleed vulnerability in OpenSSL,  the new publicity had system administrators rushing to update their systems to protect against it.

Computer administrators everywhere have frowned upon six new security issues that were recently found in the OpenSSL security library.

For example: if you see “https://” in your URL bar, it  indicates that the connection is secure.

The server computer at the other end of the connection is using OpenSSL to provide security.
The two main forms of security are:

1. It scrambles information so it is unreadable to anyone other than the intended recipient
2. It authenticates the source of information, ensuring the sender is who they say they are

 

How to protect yourself

Most won’t have to take any kind of action in response to the OpenSSL attack.

Non-browser client applications such as music players and chat programs will need to be immediately updated.

Distributors of Linux, which uses OpenSSL more openly, have already received issued updates.

If you haven’t already reset all your passwords due to the Heartbleed bug, it is the perfect time to do so.

Major service providers will inform you if it is necessary to reset your password.

Websites that are affected, may be unavailable for a short period of time.  This allows the fixed versions of OpenSSL to be installed by their system administrators.

There will most likely be more flaws discovered in OpenSSL.  Password resets, and software updates are becoming more of a habit with increased internet usage.

Delay no more, secure yourself and reset all your passwords.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

References:

Merkel, Robert
Six more bugs found in popular OpenSSL security tool – Homeland Security News Wire
http://www.homelandsecuritynewswire.com/dr20140609-six-more-bugs-found…
Published: June 9, 2014

Within the Heartbleed Bug

Only a few months ago, the Hearbleed OpenSSL bug was discovered.




We are still learning about the countless encrypted transactions that left your accounts vulnerable to theft.
When computers talk to each other, it is called a heartbeat.  Because of a coding mistake, the Heartbleed bug was born.

Lets say there is a banking transaction:  The client (you) sends its heartbeat to the server (your bank) and the server hands it back to you.  So if something goes wrong with the transaction, the other party will know because the heartbeats get out of sync.

It’s like a cassette tape breaking because one of the spindles stopped working correctly.

How it happened

The actual breach happened all because of the following code:

memcpy(bp, pl, payload);

To explain, the memcpy is a command that copies data, and it requires three pieces of information to do so. 
The first set of information is the destination of where the data needs to be copied.  The second is the exact location of the data that needs to be copied.  The third set is the amount of data the computer is going to find when it goes to make the copy.



The bp is a place on the server computer, pl is where the actual data the client sent as a heartbeat is, and payload is the number that says how big pl is.

The bp, which is where the data is going to be copied, is full of the data sitting in the part of the computer before.  Although, the computer treats it as if it were empty because the data has been marked for deletion.

When memcpy takes the data from pl and puts it in bp, it covers up all the old data in bp.

Everything that used to be in bp is destroyed and filled up with the pl data.

If payload says that pl is 64 KB but it only has 0 KB,  memcpy creates a 64 KB sized open space at bp that’s full of garbage data.  None of the bp old data gets overwritten because there’s nothing to replace it since pl is actually empty.

Meaning whatever old data was sitting in bp prior to the heartbeat gets passed back to the client.  Sometimes the data is irrelevant and sometimes its your banking password.

The Heartbleed bug has been fixed but the vulnerability has existed for a decade.  Who knows how much data was exploited.

Do you have maximum protection on your PC?  Is your antivirus out-of-date?  Let us help you protect yourself from the many vulnerabilities that live on the net.  [P] 619-325-0990

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

References:

Aguilar, Mario
Internet Vulnerability Left Encrypted Data Exposed For 10 Years – GIZMODO
http://gizmodo.com/internet-vulnerability-left-encrypted-data-exposed…
Published: June 5, 2014

Limer, Eric
How Heartbleed Works: The Code Behind the Internet’s Security Nightmare – GIZMODO
http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se…

Request for Google to remove links about you

Have you ever searched for your name on Google and saw just how easy it is for people to find out personal information about you?

Do you have personal information on the web that you would like deleted or hidden from Joe Schmo trying to find out about you?

Google has created an online form in which you can ask for the links to your personal data or posts to be removed from search results.

This form is a response to a European Commission ruling that people have “the right to be forgotten” online.

The EC has administered for Google to stop linking to anything that’s “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”

The landmark privacy decision by the European Union Court of Justice emerged from a number of cases coming from the Spanish data protection authority in 2011.

This ruling applies across the EU, among those are web giants Google and Facebook.

Clearing Your Name

When you submit links that you would like to be removed, Google says it will,

“assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information.”

A statement provided to CNET by Google, Floridi called the move “an exciting initiative, which will probably require some hard and rather philosophical thinking.”

Google has pledged to consider whether or not there is public interest in information about financial scams, professional malpractice, criminal convictions, and public conduct or government officials.

In order to ask for links to be removed, you have to supply the URL and request, provide your name, contact email address, and a copy of a photo ID.

You may put in a request on the behalf of another person, like a spouse, or an associate, to have their name removed from a link.

Once Google has reviewed your request and have removed the link, it will disappear from Google search results in all site across the EU.

There is a statement saying, Google’s lawyers are arguing that applying the EU ruling to US publications in Google’s US search results would be “absurd”.

So by deleting your name from the EU, are you really being deleted from the net?
 For more information, view this EU podcast below:


Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

References:
Published by Trenholm, Rich
You can now ask Google to remove links about you – C|Net
http://www.cnet.com/news/you-can-now-ask-google-to-remove-links-about-you/

eBay Breach: Password Reset Issues

There are 145 million people affected by the security breach from the Internet giant eBay.

Dumping the Data

When a catastrophic event happens, cyber-criminals come out from the shadows and lurk on their pray…YOU!

It has been stated that  eBay’s database and is on the market and priced for 1.45 bitcoin.

The claimed offer is for sale via anonymous text file site Pastebin.

It is likely that the data is not from the recent eBay data breach but possibly from another source.

The hacker provided a 3,000-row extract from a database with Asian-Pacific user names, addresses, phone numbers and their DOB.  This equals to about 145 million users.

The users are shown in the sample would represent an odd subset of users for an international company like eBay.

Even if the sample is not from the eBay breach, it could potentially be data from another major company’s leak.

Or it could be fake, and just another cyber-criminal trading for bitcoin on the blackmarket.

Did you receive a notice?

Many reports from worried eBay users says eBay has not yet sent them an email about the issue.  There is no notification when you go to eBay.com or any kind of warning about the breach.

There was a notification after the user tries to reset their password which urges users to create a new one.





It is common for websites to put a banner or notification on their site after a breach.  Notifications urging their users to change passwords, even when the theft is only of encrypted (and properly salted and hashed) passwords.

The reason why eBay hasn’t done the same, is a mystery…

 

Beef up the password

If you haven’t already done so, create a strong, unique password for your account.
Make sure you can remember it but nobody else will be able to guess it.

eBay unlike many others, allows short 6 character passwords.  The suggested amount of characters is at least 8.

eBay does require a mix of characters with upper, lower, number and a symbol.  Try and use a combination of them all.

The following passwords are rated as “medium” allowing users to use these as passwords:

• Password1
• MyH0us3
• Iloveyou!
• !2345@

You see how these passwords still have a combination of characters and numbers, although they are still quite easy to guess.

This is why it is so important to create a strong, secure password at least 8 characters long.

De-link PayPal

Since eBay owns PayPal, they suggest users to link their PayPal account to their eBay account.

Since the breach, if you have followed their suggestion, you may want to rethink your choice.

If you un-link PayPal from eBay account, you can still pay with your PayPal account at any time.

Linked accounts provide cyber-criminals with an easy way to gather a variety of data.

Anytime a step is removed from the process of logging in as a user, you remove a step of security against criminals gaining access to your information.

It took eBay two months to discover the hack because there was no sign of “unusual activity” detected.  eBay has not confirmed if the data stolen was private information or not.

Security experts have criticized the company for not encrypting all private customer information obtained.
eBay is aggressively investigating the intrusion with police enforcement but has no evidence that user accounts have been tampered with.

What do you think about this data breach?  Please leave your comments below, we would love to hear from you!

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest computer security threats.

References:
Myers, Lysa
ESET
eBay breach news: Posted data dump not valid, password reset issues
http://www.welivesecurity.com/2014/05/22/ebay-breach-news-posted-data-dump…
Published: May 22, 2014

Gibbs, Samuel
TheGuardian
Ebay denies ‘stolen database’ on sale for 1.45 bitcoin is authentic
http://www.theguardian.com/technology/2014/may/22/ebay-denies-stolen-database-on-sale…
Published: May 22, 2014

Cyber Security Tips

10 Tips on how to Protect Your Personal Data

Target, Google, Yahoo, and eBay have all sent out announcements to change your password and secure your personal data.

When visiting a website you enter personal information sometimes without even knowing it.

eBay said that its corporate network was hacked and hackers obtained names, encrypted passwords, e-mail addresses, home addresses, and phone numbers.

Cyber-security experts say that this information leak could lead to spam e-mails and bogus applications.

To avoid cyber-criminals from accessing your personal data, follow these tips on how to protect yourself.

1.  Strong Passwords

Never, never, never use an easy-to-guess password for any of your accounts.  ie. password, 123456, admin

You know you are not supposed to do it, but you do anyway, right?

That is until your identity gets stolen and your life has entered into a state of chaos.

2.  Creative Passwords

Experts advise you to use complex passwords with multiple characters and numbers in them.

Thankfully most technologically advanced companies know the importance in this, so you are forced to create a complex password.

3.  Use Different Passwords

This is a very bad habit and increases the risk of all your accounts being tampered with.

A hacker can begin to profile a victim that uses the same password or very similar variations of a password to hack into accounts.

If one of the accounts are linked with a payment method, then your money is that much closer to being stolen.

4.  Do Not Use Family Names or Pet Names

Social media sites give-a-way more information than sometimes realized.  Personal data like; birthdays, pet names, and even a persons obsessions are public to followers and depending on your preference settings, possibly everyone.

Many people use their pet’s name for their password.  If a person is so into their pet that they would use it as a password, that pets name is probably posted on their social media site somewhere.

5.  Avoid Sharing Information

Avoid sharing credit card information on retail, e-commerce, or social networking sites.

Just by stating you have a specific credit card, provides information that cyber-crooks can tug on.

When posting personal information online, be sure not to share personal details because it can remain online for an infinite amount of time.

6.  Know Your Stuff

When receiving an email from an unknown sender, check the information to make sure all details make sense.

Gauge the name, email address, spelling, and format to see if their are visible red flags.  Cyber-criminals are getting witty and starting to put more detail into these emails.

Logos are being swiped from the legitimate companies and put into emails to fool users.

Even if you receive an email that is from a friend, it is important to know that their account may have been tampered with.

7.  Know Whats Bogus

If you reply to a bogus email, then a signal to hackers may be sent to other hackers for more spam emails to be sent out to you.

If anyone asks for log-in details, personal details, or for you to call a number within the email, refrain from further compliance.

8.  Legitimacy

Place your cursor or mouse over the website url and see what appears.  If there are a bunch of numbers or random characters, it may be a spam site.

Fake sites and web links sometimes have addresses that do not match the organization in the stated email.

Look for any grammar mistakes or spelling errors.  If the site is secure, the Web address should start with a “https”.

A green padlock in the address bar will often show that the website is secure and safe to visit.

9.  What to do if hacked

Change all your FTP, software, and email passwords.  Write them down on paper, do not save your password to your computer.

Run an antivirus scan on your computer.  Here are come recommended resources:
http://www.malwarebytes.org/
Excellent malware scanning software, with a free download option.
http://www.microsoft.com/security/default.aspx
Start with Microsoft’s website for free or low cost security options.
http://download.cnet.com/windows/internet-security-software-suites/
CNET writes fairly current reviews on the latest antivirus apps. I would start here.

10.  Close Your Account

Sometimes closing your account is safer and will limit the risk of hackers taking over your personal data.

Information associated with compromised accounts can be stored in other places.   Take into consideration to see weather information on a website is encrypted from one end to another, and stored securely.

Users are responsible for checking the website and making sure it is trustworthy.

Do you need professional advise to know if your computer has been compromised?

Follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest tech news and PC security alerts.

References:
Chee, Kenny
10 tips on how to protect your personal data online
http://news.asiaone.com/news/digital1/10-tips-how-protect-your-personal-data-online?page=0%2C0
Published: May 26, 2014

IT Security and Risk Management Review

With the world turning digital, people are connected to multiple  devices throughout the day. Listening to your iPod at home, connecting to Wi-Fi at the coffee shop, or accessing your smartphone at work can leave you open to all kinds of cybercrime.

The digital world consists of the widespread use of mobile devices that cybercriminals are able to access through platforms, social networks, and the public cloud.

Organizations in particular need to protect against multi-faceted ‘advanced persistent threats’ (APTs – also known as ‘advanced targeted attacks, or ATAs).

The key attributes are:  the use of social engineering (such as spear phishing) to gain initial entry to a target organization’s network and execute a zero-day attack; the acquisition of privileges to further penetrate the target network; the establishment of communication links with external ‘command and control’ (C&C) servers; the theft or compromise of assets; and the covering of tracks after completing the mission.

Source: The Ponemon Institute/HP

 

Cost of a Cyberattack

The Ponemon Institute’s 2013 survey has found that the average annul cost of  cybercrime is $7.2 million per organization.

This represents a 30% increase from the year before.  The United States takes the greatest hit out of all countries surveyed.

Denial of Services (DoS) attacks account for the highest percentage of costs in both smaller(16%) and larger (22%) companies.

Attacks like viruses, worms and trojans, and phishing and social engineering (both 1.7x more prevalent in smaller organizations), malware (2.5x) and botnets (2.7x).

The larger companies are hit the hardest by Dos, and malicious insiders attacks.

Source: The Ponemon Institute/HP

Source: The Ponemon Institute/HP

The survey shows the average number of days that it takes to resolve the cyberattack ranges from 2.6 days for viruses, worms and trojans up to 53 days for malicious insider attacks:

Source: The Ponemon Institute/HP

To view more Internet Security full reports:

1. Symantec – Internet Security Threat Report 2013
2. Trustwave – 2013 Trustwave Gloval Security Report
3. PwC – 2013 Information Security Breaches Survey

Hyphenet can help you find the right type of cyberdefence for your company.  Rackmount appliances, cloud-based services and threat defense are all precautions you can take to protect your business and keep the bad guys out.

Call us today!  619-325-0990

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

References:

McLellan, Charles
IT Security and Risk Management: An overview
http://www.zdnet.com/it-security-and-risk-management-an-overview_p3-7000022659/

Do you know how to avoid Android ransomware malware?

Ransomware is a type of malware that restricts the access to your computer system and infects it.
Then a ransom is demanded to be paid to the creator of the malware in order for the restriction to be removed.

Ransomware can be the encryption of files on the system’s hard drive and usually locks the system demanding payment for it to be lifted.

Another form of ransomware is CryptoLocker.  This leaves your computer running while scrambling your data and demands a fee for the decryption key to get your data back.

The fee is usually around $300.  Recently, the pay-to-unlock ransomware has made its way into the Android ecosystem, and charges $300 to un-lock.

“Koler”

One of the most ransomware through the Android is known as “Koler”.  Koler is very similar to the Reveton malware, which leaves your data in tack but locks you out of your computer.

It’s thought that the Reveton gang is the one behind Koler.  Both malware’s follow a criminal formula that has worked for them on Windows computers.

As soon as the malware pops up, it downloads a display warning screen stating you are accused of viewing something illegally, like pornography.

According to reports, the crooks use the time-honored trick of telling you to install a specific “video player” app, then offering you help with downloading it.

**Because Koler has not made it into the Google Play Store, you need to have “Allow installation of apps from unknown sources” enabled in your Android security settings to be at risk.

Just like with Windows-based police warning ransomware, the malware can adapt the content it displays depending on your country or language settings.

The malware warnings have been coming from “U.S.A. Cyber Crime Center” and “FBI Department of Defense” (which doesn’t make sense because the FBI is not part of the DoD).





The screen shot shows fake government seals and an assortment of ripped-off images coaxing the victims to do what they are told on the screen.

These scare tactics often work for many, how many times do you have The President pointing his finger at you in a scolding manner?

Another message that is often seen:


ATTENTION! Your phone has been blocked up for safety reasons listed below. All the actions performed on this phone are fixed. All your files are encrypted. CONDUCTED AUDIO AND VIDEO.





Note. Sophos products, including Sophos Free Anti-Virus and Security for Android, detect this malware as Andr/Koler-A.

Get rid of Koler

Koler doesn’t scramble your data or disengage your audio.  It locks your phone with a pop-over browser window that automatically reappears if you try to get rid of it.

News that continually reappears through pop-up windows makes it nearly impossible to get into the Settings menu to remove the malware.

When trying to reboot, the malware kicks back in at the beginning of restarting your device.
If this happens, a factory reset will get rid of it.  The reset will remove the malware along with any other apps and stored data installed on your device.

It is recommended to use the Android “Safe Mode”, also detailed explination can be found in Sophos’  companion article.

via: NakedSecurity – Sophos

Stay protected from police warning ransomware Here are five easy tips to help you deal with Android malware of all sorts, including “police lockers”:

• Install a reputable anti-virus program to vet all new apps automatically before they run for the first time.
• Be cautious of apps you are offered in ads and pop-ups.
• Stick to Android’s default setting of allowing installs from the Google Play store only.
• Keep off-device backups of your important data.
• Read our article about using “Safe Mode”, just in case you ever need it in a hurry.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

References:
Zorabedian, John
NakedSecurity from SOPHOS
Android “police warning” ransomware – how to avoid it, and what to do if you get caught
Published: May 19, 2014
http://nakedsecurity.sophos.com/2014/05/19/android-police-warning-ransomware-how-to-avoid-it-and-what-to-do-if-you-get-caught/