<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7810223868576959643</id><updated>2012-02-16T07:56:14.396-05:00</updated><category term='Passwords'/><category term='E-mail Attacks'/><category term='Application Vulnerability Assessment'/><category term='Wifi Security'/><category term='Cyberforensics'/><category term='SlideShare Presentations'/><category term='http://www.blogger.com/img/blank.gif'/><category term='Cybersecurity'/><category term='Online Privacy'/><category term='Denial-of-service Attack (DoS attack)'/><category term='Online Shopping Tips'/><title type='text'>Razorpoint Security</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://razorpointsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Razorpoint Security</name><uri>http://www.blogger.com/profile/01933279070740896941</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>37</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-8123466299848412931</id><published>2012-02-13T17:16:00.003-05:00</published><updated>2012-02-13T17:19:42.701-05:00</updated><title type='text'>Watching China While They Watch Us</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-LYpniVahP-Q/TzmGN8DpuYI/AAAAAAAAACY/pIRMpBftAM0/s1600/china_barcode.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-LYpniVahP-Q/TzmGN8DpuYI/AAAAAAAAACY/pIRMpBftAM0/s320/china_barcode.jpg" style="float: left; width:200px; padding-right:10px;" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;While China's growing business economy continues to be the popular media story of the last five years, many of its tactics to reach these high levels of productivity have come under scrutiny. Foreign reporters have sent back their observations from the field, which include stories of oppressive labor factories that crank out most of the First World nations' gadgets. However, China is not only making the gadgets. They're also developing the ability to have our gadgets watch us at work. &lt;br /&gt;&lt;br /&gt;The &lt;i&gt;New York Times&lt;/i&gt; reports: "'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' said Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence."&lt;br /&gt;&lt;br /&gt;The Chinese and Russians have been stealing business and government secrets from all over the globe. Even large cyber security companies like McAfee are left somewhat vulnerable. 
&lt;br /&gt;&lt;br /&gt;"What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia — like Google, the State Department and the Internet security giant McAfee. Digital espionage in these countries, security experts say, is a real and growing threat — whether in pursuit of confidential government information or corporate trade secrets."&lt;br /&gt;&lt;br /&gt;At &lt;a href="http://razorpoint.com" target="_blank"&gt;Razorpoint Security&lt;/a&gt;, we are constantly looking at new ways to protect your data locally and internationally. Contact us today for how we can save your information for tomorrow. &lt;br /&gt;&lt;br /&gt;[Source: &lt;a href="http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?_r=1&amp;scp=1&amp;sq=china%20cell%20phone%20security&amp;st=cse" target="_blank"&gt;&lt;i&gt;The New York Times - Traveling Light in a Time of Digital Thievery&lt;/i&gt;&lt;/a&gt;]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-8123466299848412931?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8123466299848412931'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8123466299848412931'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2012/02/watching-china-while-they-watch-us.html' title='Watching China While They Watch Us'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-LYpniVahP-Q/TzmGN8DpuYI/AAAAAAAAACY/pIRMpBftAM0/s72-c/china_barcode.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-1108896873537456691</id><published>2011-08-11T10:08:00.004-04:00</published><updated>2011-08-11T11:01:08.711-04:00</updated><title type='text'>Along with Falling Stock Prices, Banks Fret Over Cyber Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-OumePVAQx8I/TkPo3gmlt-I/AAAAAAAAABs/iaXGBnJdWio/s1600/online-banking.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 273px; height: 185px;" src="http://1.bp.blogspot.com/-OumePVAQx8I/TkPo3gmlt-I/AAAAAAAAABs/iaXGBnJdWio/s320/online-banking.jpg" alt="" id="BLOGGER_PHOTO_ID_5639607198740232162" border="0" /&gt;&lt;/a&gt;In a new survey conducted by &lt;a href="http://www.fundtech.com/"&gt;Fundtech&lt;/a&gt;, a global supplier of banking software, 100 executives from 50 financial institutions were asked what some of the biggest challenges facing the industry were. In a dramatic uptick from last year, 65% said fraud monitoring has become an increasing concern. Last year's poll put that number at 53%.
&lt;br /&gt;&lt;br /&gt;According to &lt;span style="font-style:italic;"&gt;&lt;a href="http://www.cutimes.com/2011/08/10/fundtech-survey-cyber-crime-out-of-control"&gt;Credit Union Times&lt;/a&gt;&lt;/span&gt;, who carried the story, "74%[of executives surveyed] said they think theihttp://www.blogger.com/img/blank.gifr small and medium-sized enterprise customers would be willing to change financial institutions to get better security and 79% said thttp://www.blogger.com/img/blank.gifhey think that 'only a small fraction of their business client base understands their liability for fraudulent transactions.'"&lt;br /&gt;&lt;br /&gt;"'With little expectation that cyber attacks will be brought under control anytime soon, banks, their customers and their technology suppliers must collaborate in order to effectively quell this growing challenge,' said George Ravich, Fundtech’s chief marketing officer."&lt;br /&gt;&lt;br /&gt;This is all the more reason to find out what &lt;a href="http://www.isitsafe.com/media_room/razorpoint_in_the_news.html" target="-blank"&gt;Razorpoint Security&lt;/a&gt; can do for safeguarding your online business in retaining and building customer confidence. 
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-1108896873537456691?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1108896873537456691'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1108896873537456691'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/08/along-with-falling-stock-prices-banks.html' title='Along with Falling Stock Prices, Banks Fret Over Cyber Security'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-OumePVAQx8I/TkPo3gmlt-I/AAAAAAAAABs/iaXGBnJdWio/s72-c/online-banking.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3485990736752642567</id><published>2011-08-05T11:28:00.006-04:00</published><updated>2011-08-05T11:59:45.495-04:00</updated><title type='text'>Mobile Payment Device Square Shows It's Not In Shape Yet</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-fxXrNp9FrSs/TjwMUJPjWQI/AAAAAAAAABk/1rcLuV_HliU/s1600/ipad-square.jpg"&gt;&lt;img style="float: left; margin: 0pt 10px 10px 0pt; cursor: pointer; width: 250px; height: 157px;" src="http://2.bp.blogspot.com/-fxXrNp9FrSs/TjwMUJPjWQI/AAAAAAAAABk/1rcLuV_HliU/s320/ipad-square.jpg" alt="" id="BLOGGER_PHOTO_ID_5637394373779085570" border="0" /&gt;&lt;/a&gt;&lt;p&gt;The tech world has been buzzing for the last year about the mobile 
payment device Square. Its inventor, Jack Dorsey, who also founded Twitter, has been marketing it as a boon for small businesses and independent vendors.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;But it could be cyber criminals who profit the most, stealing credit card data from the device's easily hacked audio recognition software. Tech blog Mashable reports:&lt;/p&gt;&lt;br /&gt;&lt;blockquote&gt;Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information, without even having the physical credit card.&lt;br /&gt;&lt;br /&gt;Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.&lt;br /&gt;&lt;br /&gt;In order to bypass the need to swipe a card, Laurie wrote a simple program — in fewer than 100 lines of code — that enables him and Franken to feed magnetic strip data from stolen cards into a microphone and convert that data into an audio file. Once that is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;em&gt;Through a combination of proprietary knowledge and cutting edge tools and technology sets, &lt;a href="http://www.razorpoint.com/services/index.html"&gt;Razorpoint&lt;/a&gt; helps security-minded organizations repel potentially lethal cyber threats that often elude mainstream network security providers. 
Contact us today to learn more about our security services.&lt;/em&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3485990736752642567?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3485990736752642567'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3485990736752642567'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/08/mobile-payment-device-square-shows-its.html' title='Mobile Payment Device Square Shows It&apos;s Not In Shape Yet'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-fxXrNp9FrSs/TjwMUJPjWQI/AAAAAAAAABk/1rcLuV_HliU/s72-c/ipad-square.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-698569179451582607</id><published>2011-07-26T10:36:00.008-04:00</published><updated>2011-07-26T12:15:03.637-04:00</updated><title type='text'>US House of Representatives committee approves cybersecurity standards bill</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-oxT3_MS3wT4/Ti7RPp_3JDI/AAAAAAAAABc/kIyfHzCS9e8/s1600/hacker.jpg"&gt;&lt;img style="float: left; margin: 0pt 10px 10px 0pt; cursor: pointer; width: 216px; height: 135px;" src="http://2.bp.blogspot.com/-oxT3_MS3wT4/Ti7RPp_3JDI/AAAAAAAAABc/kIyfHzCS9e8/s320/hacker.jpg" alt="" id="BLOGGER_PHOTO_ID_5633670250789020722" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;The U.S. House of Representatives is getting more serious with cyber security by pushing a new bill through the Senate. According to &lt;a href="http://www.computerweekly.com/Articles/2011/07/25/247402/US-House-of-Representatives-committee-approves-cybersecurity-standards.htm"&gt;&lt;span style="font-style: italic;"&gt;Computer Weekly&lt;/span&gt;&lt;/a&gt;:&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The US House of Representatives has passed a bill designed to  increase education, research and development to counteract cyberthreats.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The  House Science, Space and Technology Committee last week approved the  Cybersecurity Enhancement Act of 2011, which mirrors legislation passed  last year by the House, but that never made it to the Senate, according  to &lt;a href="http://www.nextgov.com/nextgov/ng_20110722_7864.php?oref=rss?zone=NGtoday"&gt;US reports&lt;/a&gt;.&lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;With technology developing at a faster rate than ever, &lt;a href="http://www.isitsafe.com/company/"&gt;Razorpoint Security&lt;/a&gt;, along with members of the U.S. 
Government, are working harder than ever in increasing cyber security.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-698569179451582607?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/698569179451582607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/698569179451582607'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/07/us-house-of-representatives-committee.html' title='US House of Representatives committee approves cybersecurity standards bill'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-oxT3_MS3wT4/Ti7RPp_3JDI/AAAAAAAAABc/kIyfHzCS9e8/s72-c/hacker.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3806930283816874926</id><published>2011-06-01T15:15:00.007-04:00</published><updated>2011-06-01T16:24:45.907-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cybersecurity'/><category scheme='http://www.blogger.com/atom/ns#' term='http://www.blogger.com/img/blank.gif'/><title type='text'>Sony Continues To Be Threatened By Cyber Criminals</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-CLiCt17NLYE/TeaQ7eQCSuI/AAAAAAAAAAM/rlW06U5yogY/s1600/sony-hacked-200x150.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 150px;" 
src="http://4.bp.blogspot.com/-CLiCt17NLYE/TeaQ7eQCSuI/AAAAAAAAAAM/rlW06U5yogY/s320/sony-hacked-200x150.jpg" alt="" id="BLOGGER_PHOTO_ID_5613333336970906338" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The Sony Corporation, after &lt;a href="http://www.pcworld.com/article/226128/sony_makes_it_official_playstation_network_hacked.html"&gt;suffering a cyber attack&lt;/a&gt; on its PlayStation Network of 70 million users in late April, is still receiving formidable threats.&lt;br /&gt;&lt;br /&gt;A group of cyber criminals who have taken responsibility for &lt;a href="http://latimesblogs.latimes.com/technology/2011/05/pbs-web-site-hacked-defaced-after-wikileaks-documentary.html"&gt;breaking into PBS' site last week&lt;/a&gt;, calling themselves LulzSec, are upping the ante with the technology company.&lt;br /&gt;&lt;br /&gt;From &lt;a href="http://news.cnet.com/8301-13506_3-20067865-17.html#ixzz1O3QP3b40"&gt;CNET&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The group...has been promising Sony attacks since this  past weekend when it posted to its Twitter account that it is engaged in  an operation it calls "Sownage," shorthand for Sony Ownage. The group  stated at the time that it was working on hatching a plan that would be  the "beginning of the end" for Sony. It has yet to reveal what it has  planned. But yesterday the group said that the attack was already under  way, seemingly without Sony's knowledge.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;We at Razorpoint Security continue to take a serious interest in this story. 
If you feel your company needs tighter &lt;a href="http://www.razorpoint.com/"&gt;network security&lt;/a&gt; in defending against cyber-criminality, reach out to us.&lt;br /&gt;&lt;div style="overflow: hidden; color: rgb(0, 0, 0); background-color: transparent; text-align: left; text-decoration: none; border: medium none;"&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3806930283816874926?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3806930283816874926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3806930283816874926'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/06/sony-continues-to-be-threatened-by.html' title='Sony Continues To Be Threatened By Cyber Criminals'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-CLiCt17NLYE/TeaQ7eQCSuI/AAAAAAAAAAM/rlW06U5yogY/s72-c/sony-hacked-200x150.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-5636472970676597535</id><published>2011-05-25T15:53:00.003-04:00</published><updated>2011-06-01T16:25:33.300-04:00</updated><title type='text'>Security Provider Finds Vulnarabilities In Cisco System's Devices</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-4FO_juDIykc/Teab7V6QUII/AAAAAAAAAAc/LsYGG1rC5n0/s1600/cisco-logo.gif"&gt;&lt;img 
style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 233px;" src="http://2.bp.blogspot.com/-4FO_juDIykc/Teab7V6QUII/AAAAAAAAAAc/LsYGG1rC5n0/s320/cisco-logo.gif" alt="" id="BLOGGER_PHOTO_ID_5613345429359972482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;At Razorpoint Security, we always stress that gadgets are not always the answer to finding holes in &lt;a href="http://www.razorpoint.com/"&gt;network security&lt;/a&gt;. But when it's the devices themselves that are allowing this breach, the network could at times be more complex to monitor. Such is the case with Cisco Systems, who recently found out their equipment has vulnerabilities they've been trying to patch up since 2010.&lt;br /&gt;&lt;br /&gt;According to &lt;a href="http://www.pcworld.com/businesscenter/article/228510/dimension_data_finds_vulnerabilities_on_cisco_devices.html"&gt;&lt;span style="font-style: italic;"&gt;PC World's Business Center&lt;/span&gt;&lt;/a&gt;,&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;p&gt;"The findings hint at two apparently contradictory themes, that of uniformity and complexity.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;"The uniformity derives from the commoditization of IT equipment  over the last decade, which has left companies of all sizes, in all  countries and in all business sectors using similar families of products  which are therefore open to the same vulnerabilities, including PSIRT  109444.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;"As networks have become more uniform around standards and more commoditized, vendors have responded by competing in terms of features  and development, which has created more complexity within the product  families of dominant vendors such as Cisco. As complexity rises, so do  the problems associated with management. 
Dimension also found that many  network devices looked at in its assessments suffered from a range of  configuration and policy violation issues in ways connected to this theme."&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-5636472970676597535?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5636472970676597535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5636472970676597535'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/05/security-provider-finds-vulnarabilities.html' title='Security Provider Finds Vulnarabilities In Cisco System&apos;s Devices'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-4FO_juDIykc/Teab7V6QUII/AAAAAAAAAAc/LsYGG1rC5n0/s72-c/cisco-logo.gif' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-6170953604291051398</id><published>2011-04-29T16:34:00.000-04:00</published><updated>2011-06-03T14:17:52.744-04:00</updated><title type='text'>Cloud Computing Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-0RP2vau7C4U/TeairnJDtTI/AAAAAAAAAAk/z1lAf0gC0WI/s1600/cloudComputing-300x300.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 300px; height: 300px;" 
src="http://2.bp.blogspot.com/-0RP2vau7C4U/TeairnJDtTI/AAAAAAAAAAk/z1lAf0gC0WI/s320/cloudComputing-300x300.jpg" alt="" id="BLOGGER_PHOTO_ID_5613352855688951090" border="0" /&gt;&lt;/a&gt;The next rush into creating complex networks for corporations and personal computing has been to store personal data on a cloud. The cloud uses a large network instead of localization to run applications and devices.&lt;br /&gt;&lt;br /&gt;With so many people investing in the cloud to bring server costs down, it would seem obvious that the more people working on the same network, the more vulnerable it becomes.&lt;br /&gt;&lt;br /&gt;Many service providers understand this, but have put the burden on their customers to keep information secured.&lt;br /&gt;&lt;br /&gt;From&lt;a href="http://blogs.wsj.com/tech-europe/2011/04/29/cloud-providers-not-concerned-by-security/?KEYWORDS=network+security"&gt; &lt;span style="font-style: italic;"&gt;The Wall Street Journal&lt;/span&gt;&lt;/a&gt;:&lt;br /&gt;&lt;p&gt;"The majority of cloud service providers do not consider security as  one of their most important responsibilities according to a surprising  survey released yesterday.&lt;/p&gt; &lt;br /&gt;&lt;p&gt;"The survey of 127 cloud service providers, 24 in six European  countries, the others in the U.S., by the U.S.-based Ponemon Institute  found that a majority of providers believe it is their customer’s  responsibility to secure data."&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-6170953604291051398?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6170953604291051398'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6170953604291051398'/><link rel='alternate' 
type='text/html' href='http://razorpointsecurity.blogspot.com/2011/06/cloud-computing-security.html' title='Cloud Computing Security'/><author><name>Dan</name><uri>http://www.blogger.com/profile/09300416307709374262</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-0RP2vau7C4U/TeairnJDtTI/AAAAAAAAAAk/z1lAf0gC0WI/s72-c/cloudComputing-300x300.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-8228569968209016048</id><published>2011-02-25T07:36:00.000-05:00</published><updated>2011-02-25T07:36:00.186-05:00</updated><title type='text'>Experts: Web Generation Clueless About Online Privacy</title><content type='html'>&lt;p&gt;Last April Fool's Day, the online game store Gamestation.co.uk created a customer license agreement that asked gamers for their immortal souls. About 7,500 gamers unthinkingly clicked the &amp;quot;agree&amp;quot; button without reading the devilishly fine print.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The gamers kept their souls, but plenty of netizens have clicked &amp;quot;I agree&amp;quot; to download a new music service, software update or game demo without realizing that they had agreed to let the service provider access their personal information. Many more don't bother to figure out how to update their ever-changing privacy settings on &lt;a href="http://www.securitynewsdaily.com/2010-top-social-network-screw-ups-0360/"&gt;social networks&lt;/a&gt; such as Facebook. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Thoughtless users don't deserve all the blame for giving up their personal privacy so easily. 
&lt;a href="http://www.razorpoint.com"&gt;Online privacy&lt;/a&gt; safeguards have been deliberately designed to be irrelevant or annoying to the online experience, said Bruce Schneier, a security consultant who works with British Telecom.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The challenge is whether new generations that have never known a world without the Internet can adapt their online habits to better secure their privacy.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;The business of social networking sites is to invade privacy, because they want more users who lead to more revenue,&amp;quot; Schneier explained. &amp;quot;The [user settings] are deliberately designed to be difficult to navigate and opaque.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Schneier spoke as a member of a panel at a symposium titled &amp;quot;Promoting Security and Sustaining Privacy: How Do We Find the Right Balance?&amp;quot; at the American Association for the Advancement of Science conference in Washington, D.C. on Feb. 19.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;strong&gt;The Internet generation gap&lt;/strong&gt;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Some of those who inherit the digital age often don't realize just how much information is being gathered about them all the time when they surf the Web. 
Others have simply become used to trading away personal information in exchange for Internet-based services that they find useful.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Either way, sometimes it seems the &amp;quot;kids don't give a damn,&amp;quot; according to Stephan Lechner of the European Commission's Joint Research Centre Institute for Protection and Security of the Citizen.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;But Lechner, who sat on the panel, also pointed to the clunky legal language of long customer license agreements by bringing up the April Fool's example.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Schneier put a slightly different spin on the problem.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;The Internet generation cares very much about privacy,&amp;quot; Schneier said. &amp;quot;They might be terrible at it, but they care about it.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Many young netizens have &amp;quot;social fluency&amp;quot; when it comes to navigating the Internet, but they lack the technical knowledge of &amp;quot;where the computer ends and the Internet begins,&amp;quot; Schneier pointed out.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;They may not know that much of the information which they disclose to social networking websites and consumer websites is no longer as &amp;quot;private&amp;quot; in any strong sense of the word.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;But teaching people to better safeguard their privacy can prove tricky as people spend more and more of their time doing computer-related tasks and storing data purely online – the huge trend known as cloud computing.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Other issues come up because of shifting privacy safeguards, such as Facebook's habit of regularly changing its privacy policies.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;This is a problem if you are educating the young and the unknowledgeable; how would you educate them if the info you tell them is outdated in a very short time?&amp;quot; Lechner 
said.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;strong&gt;Forever playing catch-up&lt;/strong&gt;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The panel experts mostly agreed that humans may never catch up if they hope to adjust social norms and behaviors to the rapid pace of new technological advances.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;I'm wondering if we can't educate users,&amp;quot; Schneier said. &amp;quot;I'm not sure we can. I think things are moving too fast.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;But a more hopeful view came from Katharina Zweig, a computer science researcher at the University of Heidelberg in Germany, who attended the symposium as an audience member.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The problem is that people fail to realize how the software behind social networks or consumer websites can easily dig up personal information online without direct consent of the human user, Zweig said. She suggested teaching people the difference between the capabilities of a computer and a human.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;I think we can educate people about the fundamental difference between computer thinking and human thinking,&amp;quot; Zweig told LiveScience.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;If successful, such an approach could help young generations better appreciate the faceless programs behind the Internet websites and services.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;After all, &amp;quot;the Internet never forgets,&amp;quot; said Jeremy Pitt at the Institute for Security, Science and Technology of the Imperial College in London, and the third member of the panel.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;One question my five-year-old daughter asked, which completely floored me, was 'Does the Internet know who I am?'&amp;quot; Pitt said. 
&amp;quot;This question was wrong on so many levels.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Schneier jumped in before Pitt had finished.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;It's easy -- the answer is yes,&amp;quot; Schneier said.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-8228569968209016048?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8228569968209016048'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8228569968209016048'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/02/experts-web-generation-clueless-about.html' title='Experts: Web Generation Clueless About Online Privacy'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-230270291781894652</id><published>2011-02-23T19:33:00.001-05:00</published><updated>2011-02-23T19:33:58.581-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cybersecurity'/><title type='text'>Facebook Phishing Scam Uses Fake Login Page</title><content type='html'>&lt;p&gt;A new phishing scam currently spreading through Facebook is proving how important it is to read the fine print.&lt;/p&gt;  &lt;p&gt;The scam uses chat messages and wall posts on friends’ pages to trick users into thinking they are being directed to a Facebook &lt;a href="http://www.securitynewsdaily.com/facebook-phishing-scam-uses-fake-login-page-0541/#"&gt;application&lt;/a&gt;, according to the security 
firm F-Secure. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Instead of landing on the app page, users instead find themselves on a genuine-looking Facebook login page, where they are asked to re-authenticate their account by entering their &lt;a href="http://www.securitynewsdaily.com/facebook-phishing-scam-uses-fake-login-page-0541/#"&gt;e-mail&lt;/a&gt; address and &lt;a href="http://www.securitynewsdaily.com/facebook-rolls-out-encrypted-connections-0464/"&gt;password&lt;/a&gt;.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;But if users look carefully at the login page, they realize the URL in the browser’s menu bar includes “.ru” after the regular Facebook.com address, meaning it’s not a legitimate Facebook site, and any information entered can be easily swiped by the &lt;a href="www.razorpoint.com"&gt;cybercriminals&lt;/a&gt; perpetrating the &lt;a href="http://free-email-services-review.toptenreviews.com/its-not-the-irs-the-fdic-or-facebook-how-to-avoid-email-phishing-schemes.html?a_aid=aff1070"&gt;phishing scam&lt;/a&gt;.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;F-Secure says that although this particular &lt;a href="http://www.securitynewsdaily.com/facebook-is-not-shutting-down-its-a-scam-0475/"&gt;Facebook scam&lt;/a&gt; hasn’t spread quickly, Facebook users should always be careful when asked to enter any information, and to be especially wary of links, even if they appear to come from friends.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Defend and &lt;a href="http://www.razorpoint.com"&gt;protect your identity&lt;/a&gt; with Razorpoint Security Services!&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-230270291781894652?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/230270291781894652'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7810223868576959643/posts/default/230270291781894652'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/02/facebook-phishing-scam-uses-fake-login.html' title='Facebook Phishing Scam Uses Fake Login Page'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-8279148478693770909</id><published>2011-01-21T10:20:00.001-05:00</published><updated>2011-01-21T10:20:38.896-05:00</updated><title type='text'>IPad Hackers Charged For Email Scheme</title><content type='html'>&lt;p&gt;&lt;b&gt;Back in the Summer of last year, a hacker group called Goatse &lt;img style="margin: 9px 0px 9px 9px; display: inline; float: right" title="iPad Hackers Charged for Email Scheme" border="0" alt="iPad Hackers Charged for Email Scheme" align="right" src="http://images.ientrymail.com/securitypronews/ipad_hackers_charged_scheme.jpg" width="130" height="77" /&gt;Security found a breach in AT&amp;amp;T's &lt;a href="http://razorpoint.com"&gt;server security&lt;/a&gt; that allowed them to access the email addresses of iPad 3G users. They downloaded over one hundred thousand of those email addresses, then alerted AT&amp;amp;T, who promptly fixed the hole. This past week, two of the hackers belonging to that group were each charged with crimes related to that breach.&lt;/b&gt;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Andrew Auernheimer and Daniel Spitler have each been charged with &amp;quot;one count of conspiracy to access a computer without authorization and one count of fraud,&amp;quot; according to the &lt;a href="http://www.nytimes.com/2011/01/19/technology/19ipad.html?src=twrhp"&gt;New York Times article&lt;/a&gt; on the subject. 
Last July, after the events transpired, the FBI received more than 150 pages of chat logs that detail how the men were able to download these email addresses. It basically came down to a program on the AT&amp;amp;T servers which, when given an iPad's ID number, would return the email address associated with that iPad. Mr. Auernheimer and Mr. Spitler then only had to write a small script to guess ID numbers and store the returned addresses. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Both of the men charged insist they did nothing illegal. Mr. Spitler, when asked why he felt that way, replied by saying &amp;quot;cause I didn't hack anything.&amp;quot; Their defense rests on the fact that they were accessing data on a public server with no password or encryption; in other words, this data was available to anyone on the Internet. There is no evidence thus far that shows anyone trying to sell the data they uncovered, and they informed AT&amp;amp;T of the security hole, allowing the company to fix the problem. AT&amp;amp;T, on the other hand, is labeling the data mining as &amp;quot;malicious&amp;quot; and claims that its customers could have been &amp;quot;exposed ... to spam or fraud.&amp;quot;    &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;If you feel the need to increase your &lt;a href="http://razorpoint.com"&gt;company network and server security&lt;/a&gt;, call Razorpoint today, 212.744.6900! 
&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-8279148478693770909?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8279148478693770909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8279148478693770909'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/ipad-hackers-charged-for-email-scheme.html' title='IPad Hackers Charged For Email Scheme'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-1868641170656559030</id><published>2011-01-18T12:55:00.002-05:00</published><updated>2011-01-18T13:08:14.131-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wifi Security'/><title type='text'>Researcher Breaks Wi-Fi Passwords Using Cloud Computing Power</title><content type='html'>&lt;p&gt;According to a press report, a German security specialist plans to give attendees at a hackers convention next week code that they can run on &lt;a href="http://www.razorpoint.com/services/design_and_analysis.html"&gt;high-performance cloud computer systems to help them break passwords &lt;/a&gt;on seemingly secure, low-cost wireless networks – Wi-Fi, for instance. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;As much as anything else, however, it's a demonstration of how much computing power is becoming available to larger numbers of people as a service for a fraction of what it costs to buy and maintain a supercomputer. 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;According to a report in &lt;a href="http://www.reuters.com/article/idUSTRE70641M20110107"&gt;Reuters&lt;/a&gt;, Thomas Roth, a security consultant in Cologne, used high-performance capabilities in &lt;a href="https://aws.amazon.com/ec2/" target=""&gt;Amazon.com's (NASDAQ: AMZN)&lt;/a&gt; Elastic Compute Cloud (EC2) service to "brute force" breaking passwords on wireless networks. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Roth will be speaking at next week's &lt;a href="http://www.blogger.com/"&gt;Black Hat Security Conference&lt;/a&gt; in Washington, D.C. His talk is titled "Breaking encryption in the cloud: GPU accelerated supercomputing for everyone." &lt;/p&gt;&lt;br /&gt;&lt;p&gt;The main focus of Roth's recent demonstration, however, was to show how easy, given the availability of such high-powered computing power in the cloud, it is today to break passwords that use an encryption algorithm he says was never meant to secure systems. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Roth reportedly said he was able to breach the relatively sophisticated encryption technology -- SHA-1 (Secure Hash Algorithm) -- by tapping a cluster of Nvidia graphics processors, available through Amazon's services, to provide the horsepower needed for the task of zipping through 400,000 possible passwords per second. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;"SHA-1 was never made to store passwords. [It] is a hash algorithm ... made for verifying data. It was made to be as fast and as collision free as possible, and that's the problem when using it for storing passwords: It's too fast," Roth said &lt;a href="http://stacksmashing.net/"&gt;on his blog&lt;/a&gt; in November. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Prices for the equivalent of a supercomputer provided as a service via the cloud are low as well. 
Roth told Reuters that it took 20 minutes to break into a network in his neighborhood, at a cost of 28 cents per minute -- and that, with improvements in the code, he could do the same in as few as six minutes now. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;The problem is, as computing speeds climb ever higher and the price falls, the barrier to hackers falls as well. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;"The speed of computers is increasing incredibly fast, and so brute forcing will get faster and faster, and the new cloud offerings make parallelization of such use tasks easy and affordable," Roth continued. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;An Amazon spokesperson was not available at publication. However, in speaking with Reuters, a spokesperson made the point that the same feat could be achieved on competing cloud computing services as well.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;By &lt;a href="http://www.esecurityplanet.com/feedback.php/http://www.esecurityplanet.com/news/article.php/3920356"&gt;Stuart J. Johnston&lt;/a&gt;&lt;br /&gt;January 12, 2011&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-1868641170656559030?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1868641170656559030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1868641170656559030'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/researcher-breaks-wi-fi-passwords-using.html' title='Researcher Breaks Wi-Fi Passwords Using Cloud Computing Power'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-5067161712507948480</id><published>2011-01-14T12:29:00.001-05:00</published><updated>2011-01-14T12:29:41.541-05:00</updated><title type='text'>1 in 4 AT&amp;T iPhone users say they'll switch to Verizon</title><content type='html'>&lt;h4&gt;ChangeWave survey finds many AT&amp;amp;T customers dissatisfied with reception/coverage&lt;/h4&gt;  &lt;p&gt;A new ChangeWave Research survey of 4,050 consumers, completed just days before Verizon announced plans to offer Apple's iPhone, reveals that the carrier will be able to draw significant numbers of new subscribers from its rivals. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Of the sample, 10% said they plan on switching wireless providers in the next 90 days: 2-points higher than a previous ChangeWave survey in September and the highest churn level of the past 18 months. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;It seems most of Verizon's success will be from switchers coming from rival carriers, instead of its existing customers: only 4% of Verizon's customers plan to switch in the next 90 days, compared with 10% of Sprint customers, and 15% of both T-Mobile and AT&amp;amp;T subscribers. &lt;/p&gt;  &lt;br /&gt;  
&lt;p&gt;No matter your cell phone provider, Razorpoint Security hopes that you take all precautions necessary to protect yourself from hackers!&amp;#160; If you are wondering how to best protect yourself, contact our &lt;a href="http://www.razorpoint.com/"&gt;data security experts in New York City&lt;/a&gt; today.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;b&gt;VERIZON IPHONE:&lt;/b&gt; &lt;a href="http://www.networkworld.com/news/2011/011111-verizon-iphone-facts.html"&gt;7 key facts you should know&lt;/a&gt;&lt;/p&gt; &lt;dl&gt;&lt;dt&gt;&lt;/dt&gt;&lt;dd&gt;ChangeWave found that AT&amp;amp;T's churn rate has more than doubled since June 2009, from 6% to 15% of AT&amp;amp;T customers saying they are &amp;quot;very likely&amp;quot; or &amp;quot;somewhat likely&amp;quot; to switch wireless carriers in the next 90 days. &lt;/dd&gt;&lt;/dl&gt;  &lt;br /&gt;  &lt;p&gt;These AT&amp;amp;T customers apparently have had it with the network's quality: 42% of these switchers cite poor reception/coverage as their top reason for leaving, followed by dropped calls, cited by 27%. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;A total of 16% of existing AT&amp;amp;T subscribers say they'll switch to Verizon once it begins offering the iPhone; 23% say they don't know if they'll switch; 60% will stay with AT&amp;amp;T. Current Apple iPhone owners are the most likely group of all to switch: 26% saying they'll leave AT&amp;amp;T for Verizon. 
&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;In asking respondents how often they experienced dropped calls in the past 90 days, ChangeWave found major improvements for AT&amp;amp;T, though it still lags far behind Verizon Wireless at least in perception of network quality. The results showed 4.7% of the AT&amp;amp;T users in the survey had dropped calls, compared with 6.0% in the September 2010 survey. &lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;This story appeared on Network World at    &lt;br /&gt;http://www.networkworld.com/news/2011/011311-iphone-verizon.html &lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-5067161712507948480?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5067161712507948480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5067161712507948480'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/1-in-4-at-iphone-users-say-they-switch.html' title='1 in 4 AT&amp;amp;T iPhone users say they&amp;#39;ll switch to Verizon'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-5104225735877069044</id><published>2011-01-13T12:38:00.000-05:00</published><updated>2011-01-14T12:38:52.976-05:00</updated><title type='text'>Facebook Wants to Issue Your Internet Driver's License</title><content type='html'>&lt;h5&gt;Cybersecurity and privacy-enhancing &amp;quot;identity ecosystem&amp;quot; by Facebook? President Obama put the U.S. 
Commerce Department in charge of a cybersecurity effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID, and its identity infrastructure is already on millions of websites.&lt;/h5&gt;  &lt;p&gt;President Obama put the U.S. Commerce Department in charge &lt;a href="http://www.flickr.com/photos/henriquev/374267862/sizes/l/"&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 9px 15px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top: 0px; border-right: 0px; padding-top: 0px" border="0" alt="" align="right" src="http://www.networkworld.com/community/files/imce/img_blogs/smith-internet-dr-lic.jpg" width="150" height="150" /&gt;&lt;/a&gt;of a &lt;a href="http://www.razorpoint.com/"&gt;cybersecurity&lt;/a&gt; effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID, and its identity infrastructure is already on millions of websites. If participation remains voluntary, could Facebook distribute your Internet driver's license?&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Worldwide, e-commerce is estimated at $10 trillion annually. The National Strategy for Trusted Identities in Cyberspace (NSTIC) plan of developing a secure and privacy-enhancing &amp;quot;identity ecosystem&amp;quot; for the Internet is supposed to lower the risks of &lt;a href="http://www.razorpoint.com/"&gt;identity theft&lt;/a&gt;, which is rampant, and create greater confidence in online transactions since less personal information would be collected and stored with each transaction. But there are privacy and civil liberties groups who oppose the idea of any government intelligence agency being in control of its citizens' online ID. 
Many of those same groups oppose the government requiring a backdoor into all online programs as part of the Internet's infrastructure.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;According to Technology Review, Facebook is becoming a &amp;quot;critical part of the Internet's identity infrastructure&amp;quot; and wants to supply your Internet driver's license. Facebook Login allows any website to use its identity infrastructure by adding a few lines of code so users will see a &amp;quot;Connect with Facebook&amp;quot; button on the site. Facebook Connect is one of the most popular pieces of code adopted by websites, so that anyone with a Facebook account is but a click away from logging in, &amp;quot;liking&amp;quot; or sharing a site.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Besides being easy and free for websites to implement, Facebook Connect provides the site with the user's real name as required per Facebook's &lt;a href="https://www.facebook.com/terms.php"&gt;terms of service&lt;/a&gt;. Many sites don't want the hassle and headache of managing their own identity system, but do want users to log in for commenting purposes and to limit spam.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;On the negative side, Facebook has made horrible privacy mistakes in the past. Since it happened again and again, it seems Facebook showed little regard for its users' outrage over the privacy breaches. It's also a hot target for cyberthugs. Any site is only as strong as its weakest link -- which usually tends to be the user. On any given day on Facebook, there are always phishing scams, busy social engineers, and accounts taken over by hackers. 
The Firefox plug-in Firesheep makes sniffing out cookies and taking over accounts so easy that &lt;a href="http://blogs.computerworld.com/17226/firesheep_addon_allows_the_clueless_to_hack_facebook_twitter_over_wi_fi"&gt;even the clueless can manage it&lt;/a&gt; over an unsecured Wi-Fi network.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Last fall, making itself a no less appealing target, a New Zealand bank opened the doors to &lt;a href="http://teamspirit-financial.blogspot.com/2010/10/asb-new-zealand-opens-worlds-first.html"&gt;Facebook's first online bank branch&lt;/a&gt;. When logged into Facebook, the bank's customers can access their banking information. As more businesses adopt Facebook Connect, it is becoming a universal login on the web, making Facebook a tempting target to cybercriminals.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;If participation in Obama's NSTIC cybersecurity program is voluntary and not required, it offers people the ability to stay anonymous by simply not participating. However, if nearly all sites adopt it and then require it, that's not really very optional for people who want to remain anonymous online.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;One thing Facebook might have over the Commerce Department issuing unique online IDs is that many people will not trust a government sponsored ID system.&amp;#160; As CDT's Jim Dempsey said, any Internet ID must be created by the private sector and must stay voluntary and competitive. &amp;quot;The government cannot create that identity infrastructure. If it tried to, it wouldn't be trusted,&amp;quot; stated Dempsey.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;However, Commerce Department Secretary Gary Locke was quick to reassure people that the cybersecurity ID wasn't a guise for more big brother government. &amp;quot;We are not talking about a national ID card,&amp;quot; Locke said at the Stanford Institute for Economic Policy Research event. &amp;quot;We are not talking about a government-controlled system. 
What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;a href="http://www.commerce.gov/news/press-releases/2011/01/07/us-commerce-secretary-gary-locke-white-house-cybersecurity-coordinato"&gt;White House Cybersecurity Coordinator Howard Schmidt&lt;/a&gt; assured people that anonymity and pseudonymity will remain possible online. &amp;quot;I don't have to get a credential, if I don't want to,&amp;quot; Schmidt stated. He added there is no chance that &amp;quot;a centralized database will emerge.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The Commerce Department beat out other candidates such as the NSA and DHS to head up the new online identity project. &lt;a href="http://news.cnet.com/8301-31921_3-20027800-281.html"&gt;Cnet pointed out&lt;/a&gt;, this &amp;quot;should please groups that have raised concerns over security agencies doing double duty in police and intelligence work.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Somehow it doesn't seem too hard to see the potential for abuse if either the government or Facebook become the Internet cops handing out IDs. 
Can we trust either one to guard users' privacy and security above their own interests and motives?&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-5104225735877069044?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5104225735877069044'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5104225735877069044'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/facebook-wants-to-issue-your-internet.html' title='Facebook Wants to Issue Your Internet Driver&amp;#39;s License'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-6098478621288989227</id><published>2011-01-12T12:41:00.003-05:00</published><updated>2011-01-14T12:49:28.820-05:00</updated><title type='text'>The 10 biggest hoaxes in Wikipedia's first 10 years</title><content type='html'>&lt;h4&gt;From Stephen Colbert and Rush Limbaugh to Adolf Hitler: a history of Wikipedia hoaxes&lt;/h4&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Wikipedia will celebrate its 10th birthday on Saturday, with founder Jimmy Wales having built the site from nothing to one of the most influential destinations on the Internet. Wikipedia's goal may be to compile the sum total of all human knowledge, but it's also, perhaps, the best tool in existence for perpetuating Internet hoaxes. Let's take a look at the 10 biggest hoaxes in Wikipedia's history. (Did we miss any? Let us know in the comments). 
&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;The Essjay controversy&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;This one's so big it has its own &lt;a href="http://en.wikipedia.org/wiki/Essjay_controversy"&gt;Wikipedia page&lt;/a&gt;. In February 2007 a Wikipedia administrator who went by the name Essjay &amp;quot;was found to have made false claims about his academic qualifications and professional experiences on his Wikipedia user page and to journalist Stacy Schiff during an interview for &lt;i&gt;The New Yorker&lt;/i&gt;, and to have exploited his supposed qualifications as leverage in internal disputes over Wikipedia content.&amp;quot; Essjay had been contributing to Wikipedia since 2005, claiming that he &amp;quot;teaches graduate theology, with doctorates in Theology and Canon Law.&amp;quot; He also gained a job with Wikipedia sister company Wikia. &amp;quot;Jimmy Wales proposed a credential verification system on Wikipedia following the Essjay controversy, but the proposal was rejected,&amp;quot; according to the Wikipedia article. 
&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Edward Owens&lt;/b&gt; &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Another hoax worthy of its own &lt;a href="http://en.wikipedia.org/wiki/Edward_Owens_%28hoax%29"&gt;Wikipedia page&lt;/a&gt;, &amp;quot;Edward Owens&amp;quot; was a &amp;quot;fictional character, part of a historical hoax created by students at George Mason University on Dec. 3, 2008 as a project in a class dealing with historical hoaxes called &amp;quot;Lying About the Past.&amp;quot; One tactic was creating a Wikipedia article about Owens, &amp;quot;who supposedly lived from 1852 to 1938 in Virginia ... fell on hard times during the Long Depression that began in 1873 and took up pirating in Chesapeake Bay to survive the economic downturn.&amp;quot; After media outlets including &lt;i&gt;USA Today&lt;/i&gt; were fooled, the class professor decided in December 2008 to reveal the hoax. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Stephen Colbert inflates the population of African elephants&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Oh, Stephen Colbert. What would we do without you? Colbert's brilliant media satire show, the Colbert Report, &lt;a href="http://en.wikipedia.org/wiki/Wikipedia:Wikiality_and_Other_Tripling_Elephants"&gt;took on Wikipedia&lt;/a&gt; in July 2006, urging viewers to edit the encyclopedia to indicate that the population of African elephants had tripled in the previous six months. 
Known for inventing the word &amp;quot;&lt;a href="http://en.wikipedia.org/wiki/Truthiness"&gt;truthiness&lt;/a&gt;,&amp;quot; Colbert also gave us &amp;quot;wikiality,&amp;quot; the concept that &amp;quot;together we can create a reality that we all agree on — the reality we just agreed on.&amp;quot; &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Sinbad dead? No, that was just his career ... hey-ohh!&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;This bit of &lt;a href="http://www.networkworld.com/community/node/12574"&gt;wiki-vandalism&lt;/a&gt; brought Wikipedia down (or up?) to the level of newspapers, which have been known for publishing quite a few premature obituaries. In this case, Wikipedia falsely reported the &lt;a href="http://www.usatoday.com/tech/news/2007-03-16-wiki-sinbad_N.htm"&gt;death of the 50-year-old Sinbad&lt;/a&gt;, who even received a telephone call from his daughter and calls, texts and e-mails from hundreds of others after the hoax spread. The Sinbad Wikipedia page was temporarily protected from editing to prevent further vandalism. But &lt;a href="http://www.networkworld.com/news/2009/082609-the-15-biggest-wikipedia.html"&gt;numerous others have been falsely listed&lt;/a&gt; as dead on Wikipedia, including Sen. Edward Kennedy (months before his actual death), Miley Cyrus, Sergey Brin and Paul Reiser. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Wikipedia biography controversy, or &amp;quot;the Seigenthaler incident&amp;quot;&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;In May 2005 a Wikipedia editor created a hoax article declaring that 78-year-old American journalist &lt;a href="http://en.wikipedia.org/wiki/Wikipedia_biography_controversy"&gt;John Seigenthaler&lt;/a&gt; &amp;quot;had been a suspect in the assassinations of U.S. President John F. Kennedy and Attorney General Robert F. 
Kennedy,&amp;quot; and it went uncorrected for more than four months. Seigenthaler ultimately wrote about the incident in a &lt;i&gt;USA Today&lt;/i&gt; column. Afterward, Wales &amp;quot;stated that the encyclopedia had barred unregistered users from creating new content,&amp;quot; the Wikipedia page on the controversy states. But unregistered users can still edit existing articles. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;The founder of Orange Julius did not invent a shower stall for pigeons&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Jeopardy champion and all-around smart guy Ken Jennings apparently discovered this one, &lt;a href="http://ken-jennings.com/blog/?p=1889"&gt;blogging in May 2010&lt;/a&gt; about how the Wikipedia article on Orange Julius namesake Julius Freed was &amp;quot;full of all kinds of crazy trivia, like the fact that he invented a shower stall for pigeons.&amp;quot; What Jennings calls &amp;quot;the funniest development on this story&amp;quot; is that &amp;quot;Dairy Queen, which now owns Orange Julius, inadvertently used the hoax material as the basis for a 2007 ad campaign!&amp;quot; This was one of the more successful Wikipedia hoaxes, judging by the amount of time it remained on the site, having stayed up there for five years. &amp;quot;How many hundreds (thousands?) of other articles like this are sitting out in the Wiki-ether right now, wreaking havoc and just waiting to be debunked?&amp;quot; Jennings wonders. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;College student fools the whole world's media&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;If you're a journalist, Wikipedia is a great initial source of information. But you should always use primary sources to verify that what Wikipedia says is true before actually running with it (unless you're writing a cheesy top 10 list story like this one). 
But one student's experiment in 2009 showed that media members are apparently allergic to fact-checking when it comes to lifting material from Wikipedia. A Dublin University student named Shane Fitzgerald inserted a fabricated quote into the Wikipedia article about recently deceased composer Maurice Jarre. The quote wasn't damaging to Jarre himself - it read &amp;quot;One could say my life itself has been one long soundtrack. Music was my life, music brought me to life, and music is how I will be remembered long after I leave this life. When I die there will be a final waltz playing in my head that only I can hear.&amp;quot; But it was damaging to the credibility of newspapers such as &lt;i&gt;The Guardian&lt;/i&gt;, which were &lt;a href="http://www.msnbc.msn.com/id/30699302/ns/technology_and_science-tech_and_gadgets/"&gt;fooled&lt;/a&gt; into using the quote in obituaries. No one even noticed the hoax until Fitzgerald himself reported it a month later, and said he was &amp;quot;shocked at the results&amp;quot; of his own experiment. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Rush Limbaugh turns out to be just as incompetent as the rest of the media&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Last year, &lt;a href="http://www.nytimes.com/2010/09/16/us/16judge.html?_r=3&amp;amp;src=twt&amp;amp;twt=NYTimesAd"&gt;Limbaugh&lt;/a&gt; spent a while talking about Roger Vinson, a federal judge involved in a legal challenge to the new healthcare law. According to &lt;i&gt;The New York Times&lt;/i&gt;, &amp;quot;The conservative radio host informed his listeners that the judge was an avid hunter and amateur taxidermist who once killed three brown bears and mounted their heads over his courtroom door to 'instill the fear of God into the accused.' ... 
But, in fact, Judge Vinson has never shot anything other than a water moccasin (last Saturday, at his weekend cabin), is not a taxidermist and, as president of the American Camellia Society, is far more familiar with Camellia reticulata than with Ursus arctos.&amp;quot; It was all because Rush (or his staffers) read hoax material on a Wikipedia page and repeated it as fact. Limbaugh's staff claimed they found the information in a &lt;i&gt;Pensacola News Journal&lt;/i&gt; article, but no such article existed. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Actually, maybe this is how we know Rush Limbaugh is a real journalist. He trusts Wikipedia.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Henryk Batuta hoax&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Another hoax worthy of its own &lt;a href="http://en.wikipedia.org/wiki/Henryk_Batuta_hoax"&gt;Wikipedia page&lt;/a&gt;, this one was &amp;quot;perpetrated on the Polish Wikipedia from November 2004 to February 2006,&amp;quot; and concerned &amp;quot;an article about Henryk Batuta (born Izaak Apfelbaum), a fictional socialist revolutionary and Polish Communist. The fake biography said Batuta was born in Odessa in 1898, participated in the Russian Civil War&amp;quot;, and that &amp;quot;a street in Warsaw was named 'Henryk Batuta Street.'&amp;quot; Several Polish newspapers and magazines wrote about the Wikipedia article, which was deleted. 
The article was apparently a protest designed to &amp;quot;draw attention to the fact that there are still places in Poland named after former communist officials who do not deserve the honour.&amp;quot; &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;  &lt;p&gt;&lt;b&gt;&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;  &lt;p&gt;&lt;b&gt;Tony Blair – Hitler worshipper?&lt;/b&gt;&lt;/p&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;We couldn't get through a whole Wikipedia hoax article without mentioning Hitler, now could we? It's &lt;a href="http://en.wikipedia.org/wiki/Godwin%27s_law"&gt;Godwin's law&lt;/a&gt;. Anyway, the Wikipedia page on former British Prime Minister Tony Blair once said that he kept posters of Adolf Hitler on his bedroom wall during his teenage years. Actually, I couldn't find any proof that those words ever appeared on his Wikipedia page, but it seems to have been reported on enough sites that it must have happened. Plus, it was in a &lt;a href="http://books.google.com/books?id=A5zvFf7ib_gC&amp;amp;pg=PA27&amp;amp;lpg=PA27&amp;amp;dq=tony+blair+posters+of+Adolf+Hitler+on+his+bedroom+wall+as+a+teenager&amp;amp;source=bl&amp;amp;ots=nx0wh4SxCx&amp;amp;sig=xamDZoQyc8IASHXxkvFKdo837BQ&amp;amp;hl=en&amp;amp;ei=j9UvTZe8EoGdlgeq54WqCg&amp;amp;sa=X&amp;amp;oi=book_result&amp;amp;ct=result&amp;amp;resnum=7&amp;amp;ved=0CEQQ6AEwBg#v=onepage&amp;amp;q&amp;amp;f=false"&gt;book&lt;/a&gt; or something. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-6098478621288989227?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6098478621288989227'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6098478621288989227'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/10-biggest-hoaxes-in-wikipedia-first-10.html' title='The 10 biggest hoaxes in Wikipedia&amp;#39;s first 10 years'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-6216825290858396507</id><published>2011-01-06T09:39:00.001-05:00</published><updated>2011-01-06T09:39:37.649-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='E-mail Attacks'/><title type='text'>Fake White House holiday e-mail is cyber attack</title><content type='html'>&lt;p&gt;It looked like an innocent e-mail Christmas card from the White House.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;But the holiday greeting that surfaced just before Christmas was a ruse by cybercriminals to steal documents and other data from law enforcement, military and government workers — particularly those involved in computer crime investigations.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Analysts who have studied the malicious software said Tuesday that hackers were able to use the e-mail to collect sensitive law enforcement data. 
But so far there has been no evidence that any classified information was compromised.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The targeted e-mail attack comes as the federal government is desperately trying to beef up its &lt;a href="http://www.razorpoint.com/"&gt;cybersecurity&lt;/a&gt; after the release of thousands of State Department cables and military documents by the WikiLeaks website. Federal authorities want to improve technology systems and crack down on employees to prevent the theft or loss of classified and sensitive information.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The red holiday e-mail card, with its brightly decorated Christmas tree, prompted recipients to click on a link, which would then download the ZeuS malware — a well-known malicious code that is often used to steal passwords and other online credentials, primarily to poach Internet banking information. The malware was created several years ago and is widely available for criminals to acquire and adapt. It has been used to steal millions of dollars.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;In this case, however, the code downloaded a second payload that is designed to steal documents from the recipient's computer, accessing Microsoft Word and Excel files.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Don Jackson, director of threat intelligence for Atlanta-based SecureWorks, a computer security consulting company, said the attack was somewhat small and targeted to a limited number of groups with law enforcement, military and government affiliations.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;It was small enough, he said, to suggest that it was sent out manually and not by a large network of infected computers. He said it was not large enough to be picked up by cybersecurity spam traps or sensors.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Alex Cox, principal research analyst for NetWitness, a cybersecurity firm in northern Virginia, said the e-mail was sent out just a day or so before Christmas, delivered by a control server in Belarus. 
He and Jackson said they believe this ZeuS version was created by the same people who launched a similar but much larger attack last February.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Cox, who discovered the ZeuS-infected malware last year when it infected at least 74,000 computers, said it's hard to determine how many people were affected or how many documents were stolen in this latest attack.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Jackson said the hackers stole at least several gigabytes of data.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Analysts learned of the e-mail attack last week and have spoken with federal authorities about it.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Homeland Security Department spokeswoman Amy Kudwa said officials are aware of the ZeuS e-mail and are monitoring it along with other similar malware attacks that have been tracked for some time.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Cox and Jackson would not disclose details on who was attacked or what documents may have been compromised but agreed that the hackers probably were after the documents, rather than any banking or financial passwords.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;One theory, said Jackson, is that the hackers were looking for information about law enforcement cases and investigative techniques related to cybercrime so that they could sell it to other criminals.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The e-mail attack, however, underscores the continuing vulnerability of government workers and their computer systems to versions of the ZeuS malware. 
Hackers can easily tweak the code each time so that it does not trigger antivirus software.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&amp;quot;Criminals have found that if they change the files in small ways it can slip past antivirus software,&amp;quot; said Jackson.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;While ZeuS-related attacks are fairly common, this latest one stood out because of the use of the White House connection to lure recipients in and the targeted way it went after law enforcement, analysts said.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;One U.S. official said that the code was rather poorly written. The hackers could only get easily accessible documents and not those filed deep within layers of folders on the hard drive, said the official, who spoke on condition of anonymity to discuss ongoing investigations.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Do not get caught in an &lt;a href="http://www.razorpoint.com/"&gt;e-mail cyber attack&lt;/a&gt;!&amp;#160; Contact Razorpoint Security today to ensure your systems are well protected!&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-6216825290858396507?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6216825290858396507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6216825290858396507'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/fake-white-house-holiday-e-mail-is.html' title='Fake White House holiday e-mail is cyber attack'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-2250873513076790482</id><published>2011-01-05T09:42:00.000-05:00</published><updated>2011-01-06T09:44:11.593-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cybersecurity'/><title type='text'>Army kicks off construction of $1.2 billion NSA cybersecurity center</title><content type='html'>&lt;h4&gt;The US Army Corps of Engineers (USACE) is scheduled to begin work this week on a $1.2 billion data center at Camp Williams in Salt Lake City, Utah, that will house a National Security Agency &lt;a href="http://www.razorpoint.com/"&gt;cybersecurity intelligence center&lt;/a&gt;.&lt;/h4&gt;  &lt;p&gt;The 1.5-million-square-foot facility, known as the &lt;a href="http://info.publicintelligence.net/UtahDataCenter.pdf"&gt;Utah Data Center&lt;/a&gt;, will house an NSA facility that will gather intelligence about cybersecurity threats to federal government networks. Construction on the center is scheduled to begin on Thursday.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The center will consist of 100,000 square feet of raised floor data center space and more than 900,000 square feet of technical support and administrative space, according to a &lt;a href="http://www.nab.usace.army.mil/Publications/News/10/10-17.pdf"&gt;USACE release&lt;/a&gt;. 
Support facilities include an electrical substation, a vehicle inspection facility and visitor control center, fuel storage, water storage and a chiller plant.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The NSA center is being built as part of the White House’s &lt;a href="http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative"&gt;Comprehensive National Security Initiative (CNSI)&lt;/a&gt;, which is designed to improve cybersecurity efforts to protect federal computer networks.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The CNSI has the following goals:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;To establish a front line of defense against immediate cybersecurity threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the federal government and acting to reduce current vulnerabilities and prevent intrusions.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;To defend against the full spectrum of cybersecurity threats by enhancing counterintelligence capabilities and increasing the security of the supply chain for key information technologies.      &lt;br /&gt;      &lt;br /&gt;&lt;/li&gt;    &lt;li&gt;To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the federal government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace. 
&lt;/li&gt; &lt;/ul&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-2250873513076790482?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2250873513076790482'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2250873513076790482'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2011/01/army-kicks-off-construction-of-12.html' title='Army kicks off construction of $1.2 billion NSA cybersecurity center'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-5621015953519289494</id><published>2010-12-30T13:42:00.002-05:00</published><updated>2010-12-30T14:07:30.516-05:00</updated><title type='text'>Trojan Targeting Android Phones</title><content type='html'>&lt;strong&gt;Geinimi malware displaying botnet characteristics can compromise &lt;a href="http://www.informationweek.com/news/galleries/security/management/showArticle.jhtml?articleID=228800665"&gt;&lt;img style="MARGIN: 4px 10px; DISPLAY: inline; FLOAT: right" title="Top 10 Security Stories Of 2010" border="0" hspace="0" alt="Top 10 Security Stories Of 2010" align="right" src="http://i.cmpnet.com/informationweek/galleries/automated/553/fear-slide-1_tn.jpg" width="175" height="141" /&gt;&lt;/a&gt;a significant amount of information on a user's smartphone. 
&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;A new Android Trojan that displays some botnet characteristics has emerged from China, Lookout Mobile Security warned on Wednesday.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Called Geinimi, the malware can compromise a significant amount of information on a user's Android smartphone and send it to remote servers, the security developer said in a &lt;a href="http://blog.mylookout.com/"&gt;blog&lt;/a&gt;. Once installed on the phone, it potentially could allow the server's owner to control the mobile device, said &lt;a href="http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=228100048"&gt;Lookout&lt;/a&gt;.  If you are concerned you may have this virus, Razorpoint can help you with &lt;a href="http://www.razorpoint.com/"&gt;mobile security&lt;/a&gt;!&lt;/p&gt;&lt;br /&gt;&lt;p&gt;"Geinimi is effectively being 'grafted' onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions," Lookout said in its blog. "Though the intent of this Trojan isn't entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet." &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Lookout has written and delivered an automated update to protect existing free and premium users from the Trojan, the company said. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Consumers can protect themselves from this -- and the anticipated surge in future Trojans targeting mobile apps -- by only downloading apps from trusted sources such as reputable developers, said Lookout. Likewise, users should use common sense when reading the permissions for each app, it recommended. 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;If a phone starts acting unusually, this could be a sign it has become infected: Some odd actions include unknown applications being downloaded without approval, SMS messages sent without approval to unknown recipients, and uninitiated phone calls being placed, for example. And, of course, Lookout recommends that all smartphone users download a security app. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;In fact, smartphones make many CIOs nervous since they are highly portable and give the owner so much access to often sensitive information. In one &lt;a href="http://www.informationweek.com/news/hardware/handheld/showArticle.jhtml?articleID=228300244"&gt;Ovum study&lt;/a&gt;, 80% of IT executives said they think these devices increase the business' vulnerability to attack.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;By &lt;strong&gt;Alison Diana&lt;/strong&gt; ,  InformationWeek&lt;br /&gt;December 30, 2010 10:45 AM &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-5621015953519289494?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5621015953519289494'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/5621015953519289494'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/trojan-targeting-android-phones.html' title='Trojan Targeting Android Phones'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3528383093450267832</id><published>2010-12-22T04:48:00.000-05:00</published><updated>2010-12-22T04:48:00.273-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Denial-of-service Attack (DoS attack)'/><title type='text'>The Oldest Hack in the Book</title><content type='html'>&lt;p&gt;&lt;a href="http://www.slate.com/id/2277481/"&gt;&lt;img style="margin: 0px 0px 5px; display: inline" alt="Illustration by Robert Neubecker." align="right" src="http://img.slate.com/media/1/123125/2126996/2240593/2276458/101209_Tech_DOCillo_TN.jpg" width="180" height="180" /&gt;&lt;/a&gt;As a political statement, a distributed &lt;a href="http://www.razorpoint.com/library/denial-of-service-attack(dos).html"&gt;denial-of-service attack&lt;/a&gt; ranks somewhere between running naked across your college campus and throwing a brick through a shop window. It's juvenile, not very pretty, and not especially articulate. On the plus side, anyone can do it, it's usually not too damaging, and you do get your point across—the point being that you want the world to start taking you seriously already.     &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.slate.com/"&gt;&lt;/a&gt;&lt;/p&gt; The DDoS, as it's known, has hit the news this week because it's the main tool of the online flash mob that calls itself Anonymous. In the last couple of days they've launched DDoSes on the Web sites of Visa, MasterCard, and various other entities who they believe have hurt or maligned WikiLeaks and its founder Julian Assange. Early on Thursday morning, &lt;a href="http://twitter.com/#!/Op_Payback"&gt;@Op_Payback&lt;/a&gt;, one of the Twitter accounts that seems to be associated with the group, gave out instructions to begin attacking Amazon.com. 
The plan, though, was quickly abandoned—Amazon, &lt;a href="http://twitter.com/#!/Thurscon/status/12916969632169984"&gt;the group determined&lt;/a&gt;, was too big to be affected by a DDoS attack, and it was better to stick to smaller, less tech-savvy victims.   &lt;p&gt;&lt;/p&gt;  &lt;p&gt;The distributed denial-of-service is one of the oldest hacks on the Internet. It's been around for more than a decade, and it first hit the mainstream in 2000, when a Canadian teenager who went by the handle Mafiaboy used a DDoS to &lt;a href="http://www.pcworld.com/article/38901/canadian_teen_hacker_mafiaboy_pleads_guilty.html"&gt;take down&lt;/a&gt; Amazon, eBay, Yahoo, and other big sites. A DDoS attack is sort of akin to the &lt;em&gt;&lt;a href="http://www.amazon.com/gp/product/B0002IQJ8W?ie=UTF8&amp;amp;tag=slatmaga-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=B0002IQJ8W"&gt;Mean Girls&lt;/a&gt;&lt;/em&gt;-esque trick of having your friends prank-call your loser enemy all night long to tie up her phone line. The Internet equivalent of this is getting all your friends—or even strangers, whose computers you've wrangled into a &amp;quot;&lt;a href="http://www.slate.com/id/2190275/"&gt;botnet&lt;/a&gt;&amp;quot; via a contagious computer worm—together and directing a bunch of bogus requests at a single Web server all at once. 
The target machine gets overwhelmed by the requests, knocking it offline for all legitimate users.&lt;/p&gt;  &lt;p&gt;&lt;/p&gt; It's striking that DDoS attacks can still happen at all anymore. The Internet is very different from the anarchic place it was in the 1990s, and we've conquered many of the earliest threats—spam, e-mail viruses, Nigerian scams—to a peaceful life online. But DDoSes persist. According to &lt;a href="http://www.arbornetworks.com/dmdocuments/ISR2009_EN.pdf"&gt;a survey&lt;/a&gt; (PDF) of network operators conducted by &lt;a href="http://www.arbornetworks.com/"&gt;Arbor Networks&lt;/a&gt;—which makes tools for systems administrators to detect and fight denial-of-service attacks—just about every network operator working on a large site sees at least one DDoS attack every month, and some see dozens. The attacks are getting larger, too. In 2002, a big DDoS attack might consume only around 400 megabits per second of network bandwidth; today's big attacks, which are usually the product of enormous botnets created by worms like last year's &lt;a href="http://www.slate.com/id/2214970/"&gt;Conficker&lt;/a&gt;, consume 100 times more bandwidth, up to 49 gigabits per second. Why have DDoS attacks persisted? And why, after all this time, haven't we found a way to quash them?   &lt;p&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;It's because the means of attack have been baked into the architecture of the Internet. 
A Web server's main job is to respond to incoming requests, to serve up Web sites based on public demand. Web servers were originally designed not to discriminate—they didn't look to see where a request originated from, or what it asked for, or whether lots of other machines had been asking for the same thing many thousands of times during the last few minutes. All the server knew how to do was respond—that was its reason for being, its only purpose in life. And that's precisely the weakness that a DDoS exploits. &lt;/p&gt;  &lt;p&gt;&lt;a name="page_start"&gt;&lt;/a&gt;&lt;a name="p2"&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Jose Nazario, a security researcher at Arbor Networks, says that network operators have tried to build more intelligence into Web servers. A lot of major Web sites use anti-DDoS systems that look for deviations from normal traffic—if requests are spiking beyond the baseline, that's a sign the site could be under attack. Security software also analyzes the kinds of requests that outside machines are making, how often they're asking, where they're located on the network, and what software they're using to connect to your server. Through this analysis, the server can determine which computers on the Web are sending malicious requests and blacklist them. &amp;quot;These tools have been remarkably successful at keeping the net up and running,&amp;quot; Nazario says. &amp;quot;Considering the number of attempted attacks that we see and the scale, you don't hear about them very often.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;But DDoS-defense tools aren't perfect, and Nazario says they never will be. That's because attackers are getting smarter, too. The savviest hackers have begun to analyze their targets for weaknesses. If they find a page on a site that generates a lot of internal processing, or makes a lot of database calls, then they craft their attack to take advantage of that resource-hogging feature. 
&amp;quot;We've seen them do a lot of reconnaissance to find out the best place on the site to attack—if they find that a handful of requests on this page, say, will bring down the whole site, they'll attack that,&amp;quot; Nazario says. What's more, the tools to launch an attack are now much more easily available than in the past. Twitter and Facebook also make it simpler for attackers to recruit and organize their efforts. Anonymous, the group behind the pro-WikiLeaks attacks, has been &lt;a href="http://gizmodo.com/5709630/what-is-loic"&gt;launching its DDOS efforts using a program called LOIC&lt;/a&gt;, which stands for &amp;quot;Low Orbit Ion Cannon.&amp;quot;     &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt; Followers can download LOIC and instantly join a hive whose target is set by a central administrator.   &lt;p&gt;&lt;/p&gt;  &lt;p&gt;The denial-of-service attacks that make the news are often ones that are launched for some ideological purpose. The most famous such example occurred in 2007, when hackers brought down the sites of banks, newspapers and other &lt;a href="http://www.slate.com/id/2166749/"&gt;public institutions in Estonia&lt;/a&gt;. Although the attackers were never formally charged, many experts blame the attack on a group of Russian hackers who used DDoSes as a kind of cyber warfare, possibly with the blessing of the Russian government. Smaller, ideologically motivated attacks pop up all the time. In September, the meme-inspiring, prank-obsessed message board 4Chan &lt;a href="http://torrentfreak.com/4chan-ddos-takes-down-mpaa-and-anti-piracy-websites-100918/"&gt;took down&lt;/a&gt; the site of the &lt;a href="http://torrentfreak.com/4chan-ddos-takes-down-mpaa-and-anti-piracy-websites-100918/"&gt;Motion Picture Association of America&lt;/a&gt;. 
Last month, &lt;a href="http://www.urlesque.com/2010/11/12/4chan-ddos-tumblr-raid/"&gt;4Chan set its sights on Tumblr&lt;/a&gt;, the blogging platform that 4Chan folks believe is &lt;a href="http://www.urlesque.com/2010/11/11/4chan-war-tumblr/"&gt;overrun with lazy hipsters&lt;/a&gt;. That attack &lt;a href="http://digg.com/news/technology/did_tumblr_just_reverse_take_down_4chan"&gt;doesn't seem to have worked&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;But ideological attacks, Nazario says, are the minority—most DDoSes are launched for much more pedestrian reasons. The main one is business competition; a shady company might hire the operators of a botnet to take down its rivals' site. Extortion is also a big thing, with hackers threatening to take companies offline unless they pay up. &amp;quot;Believe it or not,&amp;quot; Nazario adds, &amp;quot;one of the big growth areas we see is people building small botnets to get an upper hand in online gaming. You've identified someone who's better at the game than you, but maybe you can knock his computer offline with an attack and then win the game.&amp;quot;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;This week's attacks didn't result in that sort of direct kill. While parts of the Visa, MasterCard, PostFinance (a Swiss bank &lt;a href="http://www.postfinance.ch/en/about/media/press/pressrelease/press101206.html"&gt;that closed Assange's account&lt;/a&gt;), and PayPal Web sites &lt;a href="http://mashable.com/2010/12/08/hackers-take-down-visa-com-in-the-name-of-wikileaks/"&gt;went down for a brief while&lt;/a&gt; on Wednesday, the attacks don't seem to have done any serious damage to these companies. In particular, none of their primary operations were down—the attacks did nothing to prevent people from using their Visa and MasterCard accounts, or from paying with PayPal. It's unlikely that the DDoS can achieve much more than that. Still, for no money and very little time, the attackers made headlines around the world. 
That's not a bad return on their investment.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;By Farhad Manjoo&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3528383093450267832?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3528383093450267832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3528383093450267832'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/oldest-hack-in-book.html' title='The Oldest Hack in the Book'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-1248300902590299109</id><published>2010-12-20T16:39:00.000-05:00</published><updated>2010-12-21T16:39:42.192-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><title type='text'>Geek to Live: Choose (and remember) great passwords</title><content type='html'>&lt;h3&gt;&lt;img style="margin: 0px 0px 0px 25px; display: inline" align="right" src="http://cache.gawkerassets.com/assets/images/17/2009/07/340x_keys.jpg" width="220" height="92" /&gt;A secure, memorable password is easy for you to remember, and hard for others to guess.&lt;/h3&gt;  &lt;p&gt;Everywhere you turn you've got to come up with a password to register for something or another. Whether it's the dozens of web sites that require you log in to use them, or your ATM card PIN, or your wireless network login, how do you decide on a new password? 
More importantly, how do you remember it?&lt;/p&gt;  &lt;h5&gt;Don't use the same password for everything.&lt;/h5&gt;  &lt;p&gt;The problem with using the same password for everything you do is that if it's compromised and someone finds it, the rest of your identity is at risk. If your mutual fund company, for example, has a security breach that exposes usernames and passwords, and you use the same login details there as your online banking and at Amazon.com, potentially thieves could not only compromise your mutual fund account, but your online banking account and credit card details stored in your Amazon.com account as well.&lt;/p&gt;  &lt;h5&gt;Remember 100 different passwords with 1 rule set.&lt;/h5&gt;  &lt;p&gt;You don't need to remember 100 passwords if you have 1 rule set for generating them. One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it. For example, you may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is &amp;quot;asdf.&amp;quot; (See how easy those keys are to type?). Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.&lt;/p&gt;  &lt;p&gt;Something simpler - but along the same lines - might involve the same letters to start (say, your initials and a favorite number) plus the first 3 letters of a service name. In that case, my password for Amazon would be GMLT10AMA and for Lifehacker.com GMLT10LIF. (Include obscure middle initials - like your mother's maiden name or a childhood nickname - that not many people know about for extra security.)&lt;/p&gt;  &lt;p&gt;Before you decide on your single password generation rule, keep in mind that while password requirements are different for each service in terms of length and characters allowed and required, a good guideline is a password at least 8 characters long that includes both letters and numbers. 
To make a password even more secure - or applicable for services that require special characters - add them around it, like #GMLT10LIF#.&lt;/p&gt;  &lt;h5&gt;Choose your base password&lt;/h5&gt;  &lt;p&gt;Some options for choosing your base password:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The first letter of a phrase or song refrain. For example, if you wanted to use the famous Jackson 5 song &amp;quot;I Want You Back&amp;quot;, your base password might be &amp;quot;IWUB.&amp;quot; Remembering the password is a matter of singing yourself the song. &lt;/li&gt;    &lt;li&gt;Use a pre-established keyboard pattern, like &amp;quot;yui&amp;quot; or &amp;quot;zxcv.&amp;quot; Just look at your keyboard to remember it. &lt;/li&gt;    &lt;li&gt;Use your spouse's initials and your anniversary, like &amp;quot;TFB0602.&amp;quot; This one guarantees you won't forget an anniversary card, either. &lt;/li&gt;    &lt;li&gt;For extra security, choose an easy to remember base, like your spouse's initials, or the word &amp;quot;cat&amp;quot; and then shift your fingers up one row on the keyboard when you type it. In the case of &amp;quot;cat,&amp;quot; you'd get &amp;quot;dq5.&amp;quot; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Then combine this base with some extra information unique to the service.&lt;/p&gt;  &lt;p&gt;A &lt;a href="http://angel.net/~nic/passwd.html"&gt;clever password generator bookmarklet&lt;/a&gt; creates a password based on a web site URL and autofills it when you visit that site with a click. &lt;a href="http://weblog.infoworld.com/udell/2005/05/03.html"&gt;&amp;#160;&lt;/a&gt;Another option is to simply use Firefox to manage your web site logins. 
&lt;/p&gt;  &lt;p&gt;One problem with rules-based passwords is that some sites have their own password requirements that conflict with your established password, such as &amp;quot;no special characters&amp;quot; or &amp;quot;at least 12 characters in length&amp;quot; or &amp;quot;all numbers/numbers and letters/just alphabetical.&amp;quot; In those cases, somehow you have to document or remember the exception to your rule for those services. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.razorpoint.com/services/"&gt;How do you choose your passwords&lt;/a&gt;? Let us know in the comments or visit us at &lt;a href="http://www.razorpoint.com/"&gt;Razorpoint.com&lt;/a&gt;!&lt;/p&gt;  &lt;p&gt;&lt;em&gt;by Gina Trapani, the editor of Lifehacker&lt;/em&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-1248300902590299109?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1248300902590299109'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1248300902590299109'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/geek-to-live-choose-and-remember-great.html' title='Geek to Live: Choose (and remember) great passwords'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-4801248739837815113</id><published>2010-12-16T17:01:00.001-05:00</published><updated>2010-12-16T17:01:09.094-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Passwords'/><title type='text'>How You To Can Hack Weak Passwords</title><content type='html'>&lt;h3&gt;&lt;img alt="How I'd Hack Your Weak Passwords" src="http://cache.gawker.com/assets/images/lifehacker/2010/03/passwordcrack.jpg" width="300" height="180" /&gt;&lt;/h3&gt;  &lt;p&gt;If you invited me to try and &lt;a href="http://www.razorpoint.com/library/password-cracking.html"&gt;crack your password&lt;/a&gt;, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Let's see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.&lt;/p&gt;  &lt;br /&gt;  &lt;ol&gt;   &lt;li&gt;Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?) &lt;/li&gt;    &lt;li&gt;The last 4 digits of your social security number. &lt;/li&gt;    &lt;li&gt;123 or 1234 or 123456. &lt;/li&gt;    &lt;li&gt;&amp;quot;password&amp;quot; &lt;/li&gt;    &lt;li&gt;Your city, or college, football team name. &lt;/li&gt;    &lt;li&gt;Date of birth – yours, your partner's or your child's. &lt;/li&gt;    &lt;li&gt;&amp;quot;god&amp;quot; &lt;/li&gt;    &lt;li&gt;&amp;quot;letmein&amp;quot; &lt;/li&gt;    &lt;li&gt;&amp;quot;money&amp;quot; &lt;/li&gt;    &lt;li&gt;&amp;quot;love&amp;quot; &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. 
And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers &lt;a href="http://sectools.org/crackers.html"&gt;right here&lt;/a&gt;.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;So, how would one use this process to actually breach your personal security? Simple. Follow my logic:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;You probably use the same password for lots of stuff right? &lt;/li&gt;    &lt;li&gt;Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them. &lt;/li&gt;    &lt;li&gt;However, other sites like the Hallmark e-mail greeting cards site, an &lt;a href="http://forums.htmlhelp.com/"&gt;online forum&lt;/a&gt; you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on. &lt;/li&gt;    &lt;li&gt;So, all we have to do now is unleash &lt;a href="http://www.hoobie.net/brutus/"&gt;Brutus&lt;/a&gt;, &lt;a href="http://www.darknet.org.uk/2006/12/wwwhack-19-download-wwwhack19zip-web-hacking-tool/"&gt;wwwhack&lt;/a&gt;, or &lt;a href="http://www.thc.org/thc-hydra/"&gt;THC Hydra&lt;/a&gt; on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible. &lt;/li&gt;    &lt;li&gt;Once we've got several login+password pairings we can then go back and test them on targeted sites. &lt;/li&gt;    &lt;li&gt;But wait… How do I know which bank you use and what your login ID is for the sites you frequent? 
All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.) &lt;/li&gt; &lt;/ul&gt;  &lt;br /&gt;  &lt;p&gt;And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities – or gets shut down trying.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&amp;amp;*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;img alt="How I'd Hack Your Weak Passwords" src="http://cache.gawker.com/assets/images/lifehacker/2010/03/password_hacking_times-1.png" width="500" /&gt;&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Remember, these are just for an average computer, and these assume you aren't using &lt;em&gt;any word in the dictionary&lt;/em&gt;. If Google put their computer to work on it they'd finish about 1,000 times faster.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with &lt;em&gt;compromising your weak password&lt;/em&gt;. 
So, why not just protect yourself from the start and sleep better at night?&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Believe me, I understand the need to choose passwords that are memorable. But if you're going to do that how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Here are some password tips:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Randomly substitute numbers for letters that look similar. The letter ‘o' becomes the number ‘0′, or even better an ‘@' or ‘*'. (i.e. – m0d3ltf0rd… like modelTford) &lt;/li&gt;    &lt;li&gt;Randomly throw in capital letters (i.e. – Mod3lTF0rd) &lt;/li&gt;    &lt;li&gt;Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack. &lt;/li&gt;    &lt;li&gt;Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant? &lt;/li&gt;    &lt;li&gt;You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere. &lt;/li&gt;    &lt;li&gt;Since it can be difficult to remember a ton of passwords, I recommend using &lt;a href="http://www.roboform.com/php/land.php?affid=onema"&gt;Roboform&lt;/a&gt; for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you'd like to download it without having to navigate their web site here is the direct download link. &lt;em&gt;(Ed. 
note: Lifehacker readers &lt;a href="http://lifehacker.com/5044925/hive-five-winner-for-best-password-manager-keepass"&gt;love&lt;/a&gt; the free, open-source &lt;a href="http://keepass.info/"&gt;KeePass&lt;/a&gt; for this duty, while others swear by the cross-platform, browser-based &lt;a href="http://lastpass.com/"&gt;LastPass&lt;/a&gt;.)&lt;/em&gt; &lt;/li&gt;    &lt;li&gt;Mac users can use &lt;a href="http://www.shareasale.com/r.cfm?b=167384&amp;amp;u=421469&amp;amp;m=19222&amp;amp;urllink=&amp;amp;afftrack="&gt;1Password&lt;/a&gt;. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too. &lt;/li&gt;    &lt;li&gt;Once you've thought of a password, try Microsoft's &lt;a href="https://www.microsoft.com/athome/security/privacy/password_checker.mspx"&gt;password strength tester&lt;/a&gt; to find out how secure it is. &lt;/li&gt; &lt;/ol&gt;  &lt;br /&gt;  &lt;p&gt;Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because &amp;quot;I don't get anything sensitive there.&amp;quot; Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. 
Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from &lt;a href="http://www.phenoelit-us.org/dpl/dpl.html"&gt;this list&lt;/a&gt; until they gain control of your network — after which time they will own you!&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;I also realize that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Please, be safe. It's a jungle out there.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;em&gt;From iFusion Labs, and John Pozadzides.&lt;/em&gt;&lt;/p&gt; &lt;br&gt; &lt;p&gt;&lt;em&gt;Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security. 
We originally published this piece back in March, but in light of our recent security breach, it seemed more applicable than ever.&lt;/em&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-4801248739837815113?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/4801248739837815113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/4801248739837815113'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/how-you-to-can-hack-weak-passwords.html' title='How You To Can Hack Weak Passwords'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-9022021821422742486</id><published>2010-12-13T13:55:00.006-05:00</published><updated>2010-12-13T17:16:46.019-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Online Privacy'/><title type='text'>The Internet knows what Poppy Harlow keeps private</title><content type='html'>&lt;p&gt;Two simple pieces of data -- your name and e-mail address -- can unlock a shocking number of details about you, even if you consider yourself to be a very private person who carefully guards your online identity.    &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Just ask CNNMoney anchor Poppy Harlow. She doesn't have a personal Facebook profile. She doesn't have a LinkedIn account.&amp;#160; She is on Twitter, but she typically limits her tweets to links for CNNMoney stories and videos. 
Yet starting with only those two bits of information, Poppy's e-mail and name, a privacy researcher's searches across multiple online databases turned up information she found startlingly personal: Her father died of cancer at a young age. She has a half-brother. She's Episcopalian. She's not married. She and her father both went to Columbia University. She rents her apartment. Poppy is a nickname. Then, there was the more private stuff. Her birthday. Years-old photos with friends. Her shopping habits. And some guesstimates about her salary and her family's financial background -- inaccurate ones, it turned out.    &lt;br /&gt;&lt;/p&gt; &lt;br /&gt;&lt;p&gt;That's a lot of information about someone who values her privacy so much. Imagine what the Internet knows about people who aren't as careful. ReputationDefender, an online privacy company, compiled the dossier on Poppy at CNNMoney's request to illustrate just how much information is lurking around online -- hidden, but accessible to those motivated to go hunt it down. ReputationDefender does not create or sell these dossiers on people; instead, its business is selling consumers tools to control their online personal data.    &lt;br /&gt;&lt;/p&gt; &lt;br /&gt;&lt;p&gt;But other companies are gathering up those personal details and creating similar dossiers for commercial gain. Called &amp;quot;data miners&amp;quot; or &amp;quot;aggregators,&amp;quot; they crawl the Web scooping up tidbits. Much of what they collect is public information from things like voter registration records and telephone books, but the real treasure trove comes from social networks, which provide photos, interests, activities and a list of your friends. The most advanced aggregators can even tie your Web browsing behavior to your online profile.    
&lt;br /&gt;&lt;/p&gt;  &lt;br /&gt;&lt;p&gt;One individual source of information may not be all that revealing -- but when you tie multiple sources together, you can paint a pretty detailed picture. Your Amazon.com wish list, public Facebook profile, Pandora playlists and Picasa albums individually may not say much about you, but your name, shopping habits, list of friends, musical tastes and photographs combined say a lot about who you are. Companies like Acxiom, Rapleaf, Spokeo, Intelius, Merlin Information Services and PeopleFinders have built businesses around compiling and selling that information.    &lt;br /&gt;&lt;/p&gt; &lt;br /&gt;&lt;p&gt;Rapleaf and Klout even score your ability to influence others on the Web. (Poppy rates a 42 out of 100 on Klout's influence scale.&amp;#160; One of Klout's top influencers, President Obama, scores an 86.) Right now, those profiles and scores are sold primarily to direct marketers and political campaigns, but insurance companies and prospective employers are starting to use the technology too. Privacy experts say the market for information will keep expanding -- as will the amount of data that can be collected about you.    &lt;br /&gt;&lt;/p&gt; &lt;br /&gt;&lt;p&gt;&amp;quot;Dossiers will be built on each of us in the future in a much more intimate way,&amp;quot; said Michael Fertik, ReputationDefender's CEO. &amp;quot;This will be used for much more far reaching and invasive things than advertising.&amp;quot; So if hiring, firing, insurance or even dating decisions are going to be made about us based on our online profiles, what's especially scary is that a lot of the information collected about us is incorrect. The address ReputationDefender found for Poppy was five years old, her phone number was completely wrong, and her salary information was way off (though Poppy says she'd love to make as much as the search results thought she did).    
&lt;br /&gt;&lt;/p&gt;  &lt;br /&gt;&lt;p&gt;But even more disturbing are some of the conclusions an automated algorithm could make about Poppy based on online associations with her name. Bankruptcy, prescription drug abuse, Wall Street and Detroit were some of the most frequent words associated with her name – all because she reports on those subjects daily. &amp;quot;No one looks underneath your credit score to find out why it is what it is,&amp;quot; Fertik said. &amp;quot;Accurate or inaccurate, life decisions are being based on your online personal information. It's going to define you forever.&amp;quot;    &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;br /&gt;&lt;p&gt;If you are concerned about your online privacy, Razorpoint's world-class security experts help companies &lt;a href="http://www.razorpoint.com/"&gt;repel potentially lethal cyber threats&lt;/a&gt; that often elude mainstream network security providers.&lt;/p&gt;  &lt;br /&gt;  &lt;br /&gt;&lt;p&gt;   &lt;br /&gt;By David Goldman, staff writer, and Poppy Harlow, CNNMoney.com &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-9022021821422742486?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/9022021821422742486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/9022021821422742486'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/internet-knows-what-poppy-harlow-keeps.html' title='The Internet knows what Poppy Harlow keeps private'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-4175150587138980369</id><published>2010-12-10T14:02:00.001-05:00</published><updated>2010-12-10T14:02:40.162-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Vulnerability Assessment'/><title type='text'>Malware incidents drive up IT costs, survey finds</title><content type='html'>&lt;h3&gt;The main driver of IT operating expenses is the increasing costs of malware incidents, according to a recent survey of IT personnel conducted by the Ponemon Institute.&lt;/h3&gt;  &lt;p&gt;A full 59% of the 782 IT practitioners surveyed said that malware was a significant factor for increasing operating expenses.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Over a third of organizations experienced at least 50 malware incidents per month, or more than one intrusion per day, the &lt;a href="http://www.lumension.com/Resources/Resource-Center/2010-State-of-the-Endpoint.aspx?rpLeadsourceID=2116"&gt;State of the Endpoint 2011&lt;/a&gt; survey found. Forty-three percent of respondents noted a dramatic increase in malware attacks in 2010.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;“What we are seeing is that malware incidents are increasing, and those incidents are causing an impact to organizations. Malware generates help desk calls, re-imaging costs, and lost productivity”, said C. 
Edward Brice, senior vice president for worldwide marketing at &lt;a href="http://www.lumension.com/"&gt;Lumension&lt;/a&gt;, which sponsored the survey.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;“IT is getting a much better handle on what their costs are, and what they are seeing is that there is a hard cost associated with malware”, he told &lt;em&gt;Infosecurity&lt;/em&gt;.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;In addition, about one-third of organizations put no restrictions on which applications run on their network, while another one-third employ application policies but do not actively enforce them, according to the survey.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Despite this lax security, a majority of those surveyed said that preventing applications from being installed or executed is a top challenge for IT security managers.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;According to the survey, mobile/remote workers (50%), PC desktop/laptop vulnerabilities (48%), and the introduction of third-party applications onto the network (39%) are the greatest areas of end point risk currently. This is a shift from last year, where end point security concerns were mainly focused on removable media and data center risks.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;“Most companies have more mobile and remote workers who are working from mobile platforms that are becoming smarter and able to house more sensitive data. 
We are definitely seeing application risk shift away from servers and operating system to mobile platforms like laptops and third-party applications”, Brice said.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;The top five applications that concern IT managers the most when it comes to security are: third-party applications outside of Microsoft (58%), Adobe (54%), Google Docs (46%), Microsoft operating system/applications (44%), and Oracle applications (39%).&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Despite increasing application risks, organizations are sticking with older technologies, even though there are newer technologies better able to reduce end point risk, the survey found. This issue was most notable with the following technologies: vulnerability assessment (used by 51% but considered effective by 70%); application whitelisting (used by only 29% but considered effective by 44%); device control (used by 26% but considered effective by 57%); and end point management and security suites platform (used by 40% but considered effective by 61%).&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;For 2011, respondents said that the top three security threats are expected to be increasing volumes of cyber attacks and malware incidents (61%), negligent insiders (50%), and cloud computing (49%).&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;Larry Ponemon, chairman and founder of the Ponemon Institute, commented on the survey: “There is a real need to put the appropriate technologies and personnel in place to best-position organizations of all sizes and in all industries for success in the ongoing battle to ward off cyberthreats as we head into 2011.”&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;If you find your company spending too much time and money on malware, you are in need of an &lt;a href="http://www.razorpoint.com/services/security_assessments.html"&gt;application vulnerability assessment&lt;/a&gt; from Razorpoint Security. Give us a call at 212.744.6900.&lt;/p&gt;  &lt;br /&gt;  &lt;p&gt;&lt;em&gt;This article is 
featured in:&lt;/em&gt;     &lt;br /&gt;&lt;a href="http://www.infosecurity-us.com/category/90/application-security/"&gt;Application Security&lt;/a&gt; • &lt;a href="http://www.infosecurity-us.com/category/96/internet-and-network-security/"&gt;Internet and Network Security&lt;/a&gt; • &lt;a href="http://www.infosecurity-us.com/category/99/malware-and-hardware-security/"&gt;Malware and Hardware Security&lt;/a&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-4175150587138980369?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/4175150587138980369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/4175150587138980369'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/malware-incidents-drive-up-it-costs.html' title='Malware incidents drive up IT costs, survey finds'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-8906620554600494918</id><published>2010-12-06T07:15:00.000-05:00</published><updated>2010-12-06T07:15:01.003-05:00</updated><title type='text'>Congresswoman says chance of cyber attack against electric grid is 100%</title><content type='html'>&lt;h4&gt;Rep. Yvette Clarke (D-NY) delivered the evening keynote during the SC Congress in mid-town Manhattan yesterday, as the member of the House Committee on Homeland Security told the audience that the US electric grid remains vulnerable to a near-certain cyber attack. 
&lt;/h4&gt;  &lt;p&gt;The Congresswoman from New York’s 11th legislative district, which encompasses parts of Brooklyn, said that our electrical grid is “what distinguishes our nation as an advanced, modern civil society”. She subsequently warned of the all-too-familiar dangers that could potentially devastate the nation’s power supply. &lt;/p&gt;  &lt;p&gt;“As many of you in this room are aware, the grid remains vulnerable” to advanced viruses that are designed specifically to target industrial control systems. Clarke cited Russia, Iran, China, and North Korea as nations that are known to regularly use “offensive cyber attack capabilities, while terrorist organizations continue to work to develop these capabilities”.&lt;/p&gt;  &lt;p&gt;“We must do everything in our power to ensure that our grid is protected”, Clarke implored during her on-floor keynote. She reminded the crowd of what happens when the grid goes beyond capacity and breaks, like it did during the Northeast blackout in the summer of 2003, which interrupted service for more than 55 million people in the US and Canada.&lt;/p&gt;  &lt;p&gt;“While our citizens remained relatively calm throughout the ordeal, it still caused 11 deaths and roughly $6 billion in damages”, Clarke said. “Imagine what those damages would be for a nationwide blackout lasting a few weeks.” &lt;/p&gt;  &lt;p&gt;Clarke continued that, based on current scientific research, if we faced a long-term power outage lasting weeks or even months, our society as we know it would be “irreparably destroyed”. &lt;/p&gt;  &lt;p&gt;She stressed that this characterization was hardly an overstatement of the research: “A 2009 National Academy of Sciences report warned that a severe geomagnetic storm is inevitable” and would cause $1–2 trillion in damage and could take anywhere from five to 10 years to recover from.&lt;/p&gt;  &lt;p&gt;Next Clarke boldly proclaimed that “the likelihood of a cyberattack that could bring down our grid is also 100%. 
Our networks are already being penetrated as we stand here. We are already under attack. We must stop asking ourselves ‘could this happen to us’ and move to a default posture that acknowledges this fact and instead asks ‘what can we do to protect ourselves’?”&lt;/p&gt;  &lt;p&gt;The representative said the good news is that Congress has begun to take steps to address the vulnerabilities in our electric grid, or at least acknowledge there is a problem. The subcommittee she chairs on Emerging Threats, Cybersecurity, Science, and Technology held a hearing in July 2009 to examine the issue, where, in Clarke’s words, “members of the committee were appalled to learn about the vulnerabilities that affect the electric grid and the lack of robust protection against cyber attacks”.&lt;/p&gt;  &lt;p&gt;The solution, said Clarke, “will require efforts from both the government and the private sector. That partnership is something that must be held in high regard. The government cannot do this alone, and we don’t expect to do this alone. We must have partnership. It will take a joint effort between government and the private sector to result in the most robust, effective security practices.” &lt;/p&gt;  &lt;p&gt;Congress has already begun to take action as well, according to Clarke, with the unanimous House passage of the &lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-5026"&gt;GRID Act&lt;/a&gt;, which would grant the Federal Energy Regulatory Commission authority to require that expanded cybersecurity protections be put in place as part of a broader bill on cybersecurity now being considered by the Senate. &lt;/p&gt;  &lt;p&gt;“From what we’re hearing, there is interest in passing the bill”, Clarke said. However, the congresswoman said she was concerned that the current approach, which combines the GRID Act as part of a broader bill on cybersecurity, might be doomed to failure. 
“This approach”, she lamented, “will stall the potential passage of the bill, and the GRID Act may not come to pass in the end.” &lt;/p&gt;  &lt;p&gt;She said the US should look toward its British allies, which recently pledged a nearly £1bn investment to strengthen cybersecurity defenses.&amp;#160;&amp;#160; “We cannot afford to fail”, Clarke concluded. “The private sector, the administration, the Congress have all made progress, but we lack the sense of urgency that is necessary. We must move on this forcefully.” &lt;/p&gt;  &lt;p&gt;Razorpoint can help organizations configure, deploy, and troubleshoot existing technology to &lt;a href="http://www.razorpoint.com/services/security_consulting/security_remediation.html"&gt;eliminate security vulnerabilities that go undetected&lt;/a&gt;. A critical component of every security program is the process for addressing security monitoring, escalation, and follow-up procedures that provide your organization with preventative and adaptive security capabilities. Razorpoint works with organizations to define a rules-based escalation procedure for effective security incident response. 
The Razorpoint team conducts network and host security testing, and then relies on the results to assess the inventory of current security technology and processes in the organization, to evaluate the critical information assets, and to analyze the security roles related to the infrastructure.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-8906620554600494918?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8906620554600494918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/8906620554600494918'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/congresswoman-says-chance-of-cyber.html' title='Congresswoman says chance of cyber attack against electric grid is 100%'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-595685749800445456</id><published>2010-12-03T16:49:00.002-05:00</published><updated>2010-12-03T16:52:02.697-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wifi Security'/><title type='text'>GAO finds gaps in federal wireless network cybersecurity</title><content type='html'>&lt;h4&gt;The Government Accountability Office (GAO) has uncovered gaps in &lt;a href="http://razorpoint.com/"&gt;security for wireless networks at federal agencies&lt;/a&gt; – gaps that hackers could exploit. 
&lt;/h4&gt;  &lt;p&gt;The GAO reviewed wireless network security at 24 federal agencies, concluding that the application of measures to improve security and limit vulnerability to attack “was inconsistent among agencies”.&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;Among other things, the government watchdog found “gaps” in security measures for “dual-connected laptops and mobile devices taken on international travel”.&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;“Several agency officials stated that they were aware of the risks posed to mobile devices during international travel, but that agencies had not yet developed policies to address these risks….By not having documented policies, agencies may be at increased risk that sensitive information could be compromised while a device is in another country, or that malware obtained during an international trip could be inadvertently introduced onto agency networks, placing sensitive data and systems at risk”, the GAO warned.&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;The GAO reached a number of conclusions about federal agencies’ wireless network security: “gaps exist in policies, network management was not always centralized, and numerous weaknesses existed in configurations of laptops and smartphones….[Until] agencies take steps to fully implement leading security practices, federal wireless networks will remain at increased vulnerability to attack, and information on these networks is subject to unauthorized access, use, disclosure, or modification.”&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;To beef up wireless security, the GAO offered recommendations to the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). 
For OMB, the government watchdog recommended that it include metrics related to wireless security as part of the Federal Information Security Management Act reporting process and develop the “scope and time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs”.&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;For NIST, the watchdog recommended that it develop and issue guidelines in the following areas: technical steps agencies can take to mitigate the risk of dual-connected laptops; government-wide secure configurations for wireless functionality on laptops and for smartphones; ways agencies can centralize their management of wireless technologies; and criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and monitoring of wireless networks. &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;If you feel that your company is in need of improving &lt;a href="http://razorpoint.com/"&gt;security of your wireless networks&lt;/a&gt;, contact Razorpoint today, we are the experts you’ve been waiting for. 
&lt;/p&gt;  &lt;p&gt;&lt;em&gt;&lt;span &gt;This article was reposted from &lt;/span&gt;&lt;/em&gt;&lt;a title="http://www.infosecurity-us.com/" href="http://www.infosecurity-us.com/"&gt;&lt;em&gt;&lt;span &gt;http://www.infosecurity-us.com/&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-595685749800445456?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/595685749800445456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/595685749800445456'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/12/gao-finds-gaps-in-federal-wireless.html' title='GAO finds gaps in federal wireless network cybersecurity'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-2279149589408347449</id><published>2010-11-29T20:33:00.001-05:00</published><updated>2010-11-29T20:33:28.093-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Online Shopping Tips'/><title type='text'>11 Tips for Safe Online Shopping</title><content type='html'>&lt;img style="margin: 15px 0px 20px 20px; display: inline" alt="" align="right" src="http://a57.foxnews.com/static/managed/img/Scitech/397/224/112710_cybermonday.jpg" width="250" height="141" /&gt; Razorpoint believes in protecting you from &lt;a href="http://razorpoint.com"&gt;online identity theft&lt;/a&gt; and let's face it, there's every reason in the world to shop online. 
The bargains are there. The selection is mind-boggling. The shopping is secure. Shipping is fast. Even returns are pretty easy, with the right e-tailers. It's a golden age for not going to the store, yet buying more than ever.   &lt;p&gt;&lt;/p&gt;  &lt;p&gt;But since the average person will spend almost $700 this season (according to the National Retail Federation, or NRF) and the number of phishing scam sites that resemble e-commerce companies has more than tripled from just July to September of 2010 according to &lt;a href="http://www.internetidentity.com/resources/trend-reports"&gt;IID's Third Quarter Phishing Trends Report&lt;/a&gt;, that means there's so many more chances you could accidentally hand over data to the wrong guy. A busy holiday season is only going to mean even more attempts at stealing your money and your identity.&lt;/p&gt;  &lt;p&gt;You're already a step up in safety by shopping online—there's no way for you to leave behind a credit card or wallet that way—but you could still run into trouble. However, with some common sense and basic guidelines in place, your &amp;lt;&amp;gt;should never be troubling. Here are 11 tips for staying safe online while knocking out that holiday shopping list.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;1. Use Familiar Web Sites&lt;/b&gt;     &lt;br /&gt;Start at a trusted site rather than shopping with a search engine. Search results can get rigged to lead you astray, especially when you drift past the first few pages of links. If you know the site, chances are it's less likely to be a rip off. We all know Amazon.com and that it carries everything under the sun; likewise, just about every major retail outlet has an online store, from Target to Best Buy to Home Depot. Beware misspellings or sites using a different top-level domain (a .net instead of a .com, for example)—those are the oldest tricks in the book. Yes, the sales on these sites might look enticing... 
that's how they get you into giving up your info.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;2. Look for the Lock&lt;/b&gt;     &lt;br /&gt;Never ever, ever buy anything online using your credit card from a site that doesn't have SSL (secure sockets layer) encryption installed—at the very least. You'll know if it has it because the URL for the site will start with HTTPS:// (instead of just HTTP://) and an icon of a locked padlock will appear, typically in the status bar at the bottom of your Web browser. Never give anyone your credit card over e-mail. PayPal, however, is still a good, safe way to make a payment.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;3. Don't Tell All&lt;/b&gt;     &lt;br /&gt;No online shopping store is going to need your social security number or your birthday to do business. But if a bad-guy gets them, combined with your credit card number for purchases, they can do a lot of damage. When you can, default to giving up the least amount of information.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;4. Check Statements&lt;/b&gt;     &lt;br /&gt;Don't wait for your bill to come at the end of the month. Go online regularly during the holiday season and look at electronic statements for your credit card, debit card, and checking accounts. Make sure you don't see any fraudulent charges, even originating from sites like PayPal (after all, there's more than one way to get to your money). If you do see something wrong, jump on the phone to address the matter quickly. In the case of credit cards, don't pay the bill until you know all your charges are accurate. You have 30 days to notify the bank or card issuer of problems, however; after that, you might be liable for the charges anyway!&lt;/p&gt;  &lt;p&gt;&lt;b&gt;5. Inoculate Your PC&lt;/b&gt;     &lt;br /&gt;Bad-guys don't just sit around waiting for you to give them data; sometimes they give you a little something extra to help things along. 
You need to protect against such Trojan horse malware with regular updates to your anti-virus program.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;6. Use Strong Passwords&lt;/b&gt;     &lt;br /&gt;We like to beat this dead horse about making sure to utilize uncrackable passwords, but it's never more important than when banking and shopping. Our tips for making a unique password for each site can come in handy during a time of year when shopping around probably means creating new accounts on all sorts of shopping sites.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;7. Think Mobile&lt;/b&gt;     &lt;br /&gt;The NRF did a survey that also predicts that 25 percent of adults will do their online shopping via their smartphones, but mostly as a way of finding gifts, not purchasing them. You can buck that trend; just follow the advice above. Better yet, download store-specific apps like those for Amazon, Target, etc. and use them to find what you want and make the purchase without going to the store or the Web site.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;8. Stay at Home&lt;/b&gt;     &lt;br /&gt;Do we really have to tell you it's a bad idea to use a public computer to make purchases? Hopefully not. If you do, just remember to log out every time you use a public terminal, even if you were just checking e-mail. But what about using your own laptop to shop while you're out? It's one thing to hand over a credit card to get swiped at the checkout, but when you have to enter the number and expiration date on a Web site while sitting in a public cafe, you're giving an over-the-shoulder snooper plenty of time to see the goods. At the very least, think like a gangster: sit in the back, facing the door.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;9. Privatize Your Wi-Fi&lt;/b&gt;     &lt;br /&gt;If you do decide to go out with the laptop to shop, you'll be on a Wi-Fi connection. Only use the wireless if you access the Web over a virtual private network (VPN) connection. 
If you don't get one from your employer, you can set up a free one with &lt;a href="http://www.anchorfree.com"&gt;AnchorFree Hotspot Shield&lt;/a&gt;, if you're willing to put up with the ads. By the way, now is not a good time to try out a hotspot you're unfamiliar with. Stick to known networks, even if they're free, like those found at Starbucks.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;10. Count the Cards&lt;/b&gt;     &lt;br /&gt;Gift Cards are the most requested holiday gift every year, and this year will be no exception. Stick to the source when you buy one; scammers like to auction off gift cards on sites like eBay with little or no funds on them upon arrival.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;11. Know What's Too Good to Be True&lt;/b&gt;     &lt;br /&gt;McAfee compiled a list of scams to look for and one of them is the offer of a free product with purchase, in particular the iPad (a very coveted gadget this holiday) or even holiday job offers. Many of these &amp;quot;offers&amp;quot; will come in via social media. Beware even of your friends, who might innocently forward such a thing. 
Skepticism in these cases can go a long way toward saving you from a stolen card number.&lt;/p&gt;  &lt;p&gt;Reposted from Eric Griffith of PCMag.com&lt;/p&gt;  &lt;p&gt;Published November 29, 2010&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-2279149589408347449?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2279149589408347449'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2279149589408347449'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/11/11-tips-for-safe-online-shopping.html' title='11 Tips for Safe Online Shopping'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-6843635644257793529</id><published>2010-11-23T14:07:00.005-05:00</published><updated>2010-11-29T20:18:37.841-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyberforensics'/><title type='text'>Security needs drive cyberforensics industry</title><content type='html'>&lt;p&gt;This is a great article out of USA Today about &lt;a href="http://razorpoint.com"&gt;Cyberforensics, a field and service that Razorpoint Security&lt;/a&gt; is very familiar with and often is asked to help consult with clients 
on.&lt;/p&gt;&lt;hr /&gt;&lt;br /&gt;Cyberforensics, the science of finding and securing digital evidence buried deep within company networks, is fast emerging as a global industry.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Three major players are in the vanguard. &lt;a href="http://content.usatoday.com/topics/topic/Organizations/Companies/Banking,+Financial,+Insurance,+Law/PricewaterhouseCoopers"&gt;PricewaterhouseCoopers&lt;/a&gt; has recently hired several former law enforcement agents and prosecutors to supplement its cyberforensic services, which already have 3,000 employees and 55 labs in 37 countries.&lt;/p&gt;&lt;p&gt;&lt;a href="http://content.usatoday.com/topics/topic/Brands/Consumer+Products/Verizon+Communications"&gt;&lt;br /&gt;Verizon&lt;/a&gt; Business — supplier of communications, networking and security technologies to large organizations — has pumped more than $50 million into cyberforensics-related services in the past two years. That includes setting up a state-of-the-art hygienic lab to examine computer circuit boards.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.usatoday.com/"&gt;&lt;img id="SPELLING_ERROR_7" border="0" alt="The National Cybersecurity and Communications Integration Center in Arlington, Va." 
src="http://i.usatoday.net/money/_photos/foreheads/computer-securityx.jpg" width="245" height="159" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The National Cybersecurity and Communications Integration Center in Arlington, Va.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;And Stroz Friedberg, a private CSI-like company founded by an ex-FBI agent and an ex-U.S. Attorney, recently received a $115 million investment from private equity firm New Mountain Capital to open new offices across the U.S., Europe and Asia.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Demand for cyberforensics is being driven by "the proliferation and complexity of security issues companies are facing," says Alok Singh, New Mountain's managing director. "Issues of data security and integrity are critical for all companies around the world."&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Large organizations increasingly need expert guidance preserving and extracting digital records, such as e-mail and copies of sensitive documents, for civil lawsuits and regulatory audits. They also increasingly need help getting to the bottom of security breaches.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;U.S. Internet crime losses reached $560 million in 2009, up from $265 million in 2008, says the Federal Deposit Insurance Corp. 
Research firm Market Research Media estimates that the federal government will spend $55 billion from now through 2015 on cybersecurity.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Globally, a recent study by the Computing Technology Industry Association, a non-profit trade group, found that 63% of large organizations surveyed in 10 nations experienced at least one security incident in the past 12 months, with 45% of those incidents classified as serious.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Much like the CSI investigators portrayed on TV, cyberforensics sleuths preserve the crime scene and use their training, experience and intuition to ferret out crucial evidence. But instead of looking for fingerprints, DNA and ballistics, they hunt for "subtle data attributes inside company networks that have been changed or altered," says Ed Stroz, ex-FBI agent and co-founder of Stroz Friedberg.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;PricewaterhouseCoopers forensics director Kim Peretti, a former Justice Department litigator, says the hunt can become intricate. "Looking for breach indicators is really more of an art than a science," Peretti says. 
"The more you do these types of investigations, the more you know where to look and what to look for."&lt;/p&gt;&lt;p&gt;By &lt;a href="http://content.usatoday.com/topics/reporter/Byron+Acohido"&gt;Byron Acohido&lt;/a&gt;, USA TODAY&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-6843635644257793529?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6843635644257793529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/6843635644257793529'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/11/security-needs-drive-cyberforensics.html' title='Security needs drive cyberforensics industry'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3230149169974462906</id><published>2010-11-16T14:19:00.000-05:00</published><updated>2010-11-23T14:19:35.050-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SlideShare Presentations'/><title type='text'>128 Bit What?  
Razorpoint on SlideShare!</title><content type='html'>&lt;p&gt;Razorpoint launched its new website a few months ago, and one of our great new features is our whitepapers, which show our commitment to our clients and dedication to the highest level of &lt;a href="http://razorpoint.com"&gt;service in information security&lt;/a&gt;!&lt;/p&gt;  &lt;div style="width: 477px" id="__ss_5836901"&gt;&lt;strong style="margin: 12px 0px 4px; display: block"&gt;&lt;a title="128 BIT WHAT?" href="http://www.slideshare.net/razorpoint/rz128-bitwhat"&gt;128 BIT WHAT?&lt;/a&gt;&lt;/strong&gt; &lt;/div&gt;  &lt;p&gt;   &lt;p&gt;&lt;strong&gt;This is the first in our series, 128 bit what?! &lt;/strong&gt;&lt;/p&gt;    &lt;p&gt;     &lt;p&gt;&lt;/p&gt;      &lt;p&gt;Your data is encrypted. So what? Are you using SSL, AES, 3DES, or something else? Can your data be compromised with a cryptographic attack? What key length are you using? 
This paper attempts to shed a bit of light on the myths and misconceptions when dealing with encryption.&lt;/p&gt;&lt;/p&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3230149169974462906?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3230149169974462906'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3230149169974462906'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/11/128-bit-what-razorpoint-on-slideshare.html' title='128 Bit What?  Razorpoint on SlideShare!'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3048225496165626505</id><published>2010-11-03T13:13:00.010-04:00</published><updated>2010-11-04T12:32:38.590-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wifi Security'/><title type='text'>Is Free WiFi really Ever Free?</title><content type='html'>&lt;p&gt;Razorpoint came across the article below and find it astounding as it may seem, people still don't get it. I have been in situations where internet access was "really needed," and an open "linksys" or "tmobile" or "default" network seemed like kismet (no pun intended). But, alas, the malicious hackers have taken this all too common scenario and used it to exploit the uneducated (read: most) wireless users. 
If remote wireless access is becoming more and more of a "must," try getting a MiFi box that allows a private WiFi connection to the box and then relays your connection over a 3G or 4G cellular network.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This way, as long as you have a cell signal, you have your own WiFi connection, even in a moving car or train. Of course, if your cellular phone supports "tethering," you could also use your cell phone as a MiFi box. (The pun: Kismet is also the name of a wireless network analysis/hacking tool.)&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.razorpoint.com/"&gt;Razorpoint Security&lt;/a&gt; will help you and your company prevent intrusions, hackers!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;(Newser) – You're stuck in an airport and don't feel like paying $9.95 for Internet access ... but wait! You stumble upon a network called "Free Public WiFi." The heavens are smiling, right? Wrong. Available in thousands of locations across America, "Free Public WiFi" is an "ad hoc" network that connects you to another computer in the vicinity instead of the Internet, wireless security expert Joshua Wright tells NPR. The "zombie network" appears to have spread via a bug in old versions of Windows XP—and it provides an easy access point for hackers. As NPR explains, when computers running the older version of XP can't find one of its "favorite" wireless networks, it creates an "ad hoc" one named after the last network joined ... and the "Free Public WiFi" name then becomes available to nearby computers, enticing their unsuspecting owners to join, explains Wright. He compares its spread to how "a zombie takes a hold of one person, bites them, and they become infected by this zombie virus." He believes it may originally have been created by somebody trying to trick a friend into connecting "so he would get a Web page with some kind of a gross image or childish prank." 
Other "zombie" networks to steer clear of include "linksys," "hpsetup," "tmobile," and "default." &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Original article:&lt;/p&gt;&lt;p&gt;&lt;a title="http://www.newser.com/story/102722/beware-free-public-wifi.html" href="http://www.newser.com/story/102722/beware-free-public-wifi.html"&gt;http://www.newser.com/story/102722/beware-free-public-wifi.html&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3048225496165626505?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3048225496165626505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3048225496165626505'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/11/is-free-wifi-really-ever-free.html' title='Is Free WiFi really Ever Free?'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-1092776428754138659</id><published>2010-10-18T14:00:00.005-04:00</published><updated>2010-10-18T15:05:21.138-04:00</updated><title type='text'>ZEUS Malware Infects Globally Million PCs</title><content type='html'>&lt;p&gt;&lt;/p&gt;&lt;p&gt;Just when &lt;a href="http://www.razorpoint.com/services/index.html"&gt;security companies have developed new ways&lt;/a&gt; of dealing with the infamous Zeus Trojan, a variant characterized as the "Son of Zeus" has arisen. 
Worse yet, the variant has the trait of being virtually undetectable by conventional antivirus applications. &lt;/p&gt;&lt;h4&gt;About the Zeus Trojan and MS Windows&lt;/h4&gt;&lt;p&gt;The Zeus Trojan made headlines back in 2009 as a "highly customizable" tool for hackers. Its main mission is &lt;a href="http://www.znews24.com/media/images/computer-virus-125x125.jpg"&gt;&lt;img style="MARGIN: 10px 0px 10px 10px; WIDTH: 125px; FLOAT: right; HEIGHT: 125px; CURSOR: hand" border="0" alt="" src="http://www.znews24.com/media/images/computer-virus-125x125.jpg" /&gt;&lt;/a&gt;to sniff out financial information and break into online bank accounts. Security experts estimate that the Zeus Trojan has been used to infiltrate tens of thousands of PCs around the world. Owners of infected PCs are unaware their computers are even infected, with the majority (if not all) of infections targeting MS Windows PCs. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Zeus a Persistent Threat, Continues to Morph&lt;/h4&gt;&lt;p&gt;The Zeus Trojan continues to be a persistent threat and was responsible for stealing 3 Million US Dollars (as of October 1st, 2010) and a reported 6 Million British Sterling from UK bank accounts (Source: &lt;a href="http://www.itnews.com.au/News/235536,son-of-zeus-can-sneak-past-antivirus-controls.aspx"&gt;itnews.com.au&lt;/a&gt;).&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The latest revision of the Trojan ("Son of Zeus") is codenamed "TSPY_ZBOT.BYZ," according to security experts. It is able to slip by conventional antivirus programs because it imports a large number of application programming interfaces (APIs), making it difficult to know (or even predict) where it will strike next. 
(Source: itpro.co.uk)&lt;/p&gt;&lt;br /&gt;&lt;h4&gt;New Variant More Efficient Than Original&lt;/h4&gt;&lt;p&gt;As is the case with most types of malware variants, the newer version is somewhat different (and much more efficient) than its predecessor. It is also different in its compression and can foil a detection system based on calculable entropy. In a nutshell, calculable entropy pertains to finding where in the viral code certain trigger routines might be hidden and gives TSPY_ZBOT.BYZ its "undetectable" status.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;With most forms of malware, security companies are able to isolate the virus in a virtual "sandbox" and track how the code was executed, what system changes it made and any network traffic it generated. Zeus (in all of its forms), however, refuses to "play in the sandbox." (Source: &lt;a href="http://www.itnews.com.au/News/235536,son-of-zeus-can-sneak-past-antivirus-controls.aspx"&gt;itnews.com.au&lt;/a&gt;)&lt;/p&gt;&lt;h4&gt;Conventional Antivirus Not Sufficient&lt;/h4&gt;&lt;p&gt;This spells disaster for most security companies whose primary focus is to keep their customers safe. As Trend Micro research engineer Julius Dizon expressed, "To properly guard against this threat, conventional antivirus is not sufficient. Only improved detection techniques and proactive blocking of the websites, working together, can protect users."&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Razorpoint Services Can Protect You&lt;/strong&gt;&lt;br /&gt;Mainstream &lt;a href="http://www.razorpoint.com/services/index.html"&gt;network security providers&lt;/a&gt; are fine for organizations looking to "check the box." Most can neutralize the average hacker and help organizations comply with a security checklist. They apply their technologies and processes and fix the obvious problems. But these organizations usually are not suited to keep pace with the world's most sophisticated cyber criminals. 
Razorpoint is.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-1092776428754138659?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1092776428754138659'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1092776428754138659'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/10/zeus-malware-infects-million-pcs-in-uk.html' title='ZEUS Malware Infects Globally Million PCs'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-2672829274831773803</id><published>2010-06-11T16:48:00.003-04:00</published><updated>2010-07-02T14:02:48.324-04:00</updated><title type='text'>Passwords: To Secure or Not to Secure</title><content type='html'>Passwords have been in use since ancient times, but it seems like the periodic controversy over whether or not to use them really gained momentum with computing. The latest view turned up in the &lt;a href="http://www.smartplanet.com/business/blog/business-brains/another-view-strong-passwords-arent-worth-the-effort/6249/"&gt;SmartPlanet blog&lt;/a&gt;. There you’ll find Joe McKendrick waxing poetic about a Microsoft study that basically says the cost of passwords outweighs the risks.  Wrong!&lt;br /&gt;&lt;br /&gt;There is a perception that coming up with unique, strong passwords is a burden.  
Adding to this perceived difficulty is the idea that creating a new password, on a regular basis, that can never be the same as a previously used one, is an insurmountable task.&lt;br /&gt;&lt;br /&gt;Reading that above blog posting made me feel as if I had taken a time machine to work that morning.  Really?  Passwords are always hard to remember?  Really?  So, let's see, users (the de facto weakest link in any security chain) should just be allowed to do whatever they like because, as soon as the enormous burden of password creation and retention is removed from their hectic schedules, productivity skyrockets.  Really?  Facebook, YouTube, and MySpace anyone?  Oh, and finally, a "top security researcher from Microsoft?"  Don't get me started.&lt;br /&gt;&lt;br /&gt;Flux-capacitor and time circuits set back to 2010, cybercrime is about to surpass illegal drug trafficking as a moneymaker for criminals.  Yes, you read that correctly.  Cybercriminals can make more money than drug dealers.  Hello?  Things are getting worse, not better.  While end user failure enables a large part of the rise in cybercrime, corporate ineptitude still plays a key role.  Training and basic understanding of network and cybersecurity (strong passwords included) is pitifully low.  On regular security engagements, my team and I are routinely stunned at what we find.  Whether it is a small, medium, or even a large global firm, undoubtedly we achieve a mind-blowing, head-shaking dose of "I can not believe what I'm seeing."  Dated or non-existent security policies, unmonitored and out-of-date security technologies (firewalls, VPN, IDS, etc.), understaffed and undertrained IT departments tasked with a security role, and a common company-wide malaise regarding proper network security.  Routinely, we're able to obtain identity information, bank account access, transaction histories, internal pricing lists, etc.  
Billions spent on network security, and we're going backwards.&lt;br /&gt;&lt;br /&gt;I agree that users get bombarded with different, often unclear and untrue, messages about security and how to handle certain situations (phishing emails and web sites, spoofed SSL certificates, even social engineering).  A big reason for this is the wrong people get tasked with designing and disseminating a company's security policy.  Security personnel should be doing this, not IT personnel.  Perhaps a topic for another article, but Security is not an IT issue, it is a management issue.&lt;br /&gt;&lt;br /&gt;Growing cybercrime profitability shows us that current and past security practices are severely flawed.  But, stopping the use of one of them (passwords) isn't a solution.  They should be enhanced.  Yes, use a credentialed mechanism for secure access to data, sites, services, etc.  But perhaps instead of forcing the average user to produce and remember cryptic passwords constantly, teach them to use patterns on a standard QWERTY keyboard.  Examine this password:  0ok9ij)OK(IJ  - It has all the password characteristics of a security manager's dream.  But how on earth is someone going to remember that?  Look at your keyboard and notice that those characters are in a pattern.  Start with the zero and then move down and to the left; you get the "o" and the "k".  Then move from the zero to the 9 and go down again for the "i" and "j".  Then do the same two downward patterns while holding the Shift key.  Dream password?  Solved.  Want another password?  Pick a new starting point and a new directional pattern.  Want to make it unique to a particular site?  Add a letter before or after that password ("E" for email, "I" for company intranet, "A" for Amazon.com, etc.).  
You now have a strong password with nothing to remember but a keyboard pattern.&lt;br /&gt;&lt;br /&gt;Strong passwords aside, however, two-factor authentication is another technology that can help with the ongoing battle of user password management.  Two-factor authentication is something you have, and something you know.  You can "have" a random password generator token on your key chain, and you can "know" a sufficiently strong password that goes with it.  These and other technologies are available today in an attempt to curb cybercrime's expanse.&lt;br /&gt;&lt;br /&gt;If it’s your business you’re securing, you can ignore the reports that say passwords are not cost effective. Instead, invest in employee education. Truly relevant, informative, actionable, employee security education.  A good investment always yields solid returns. If you want to keep your support costs down while keeping your company secure, teach your employees the importance of good password habits along with an overarching mindset of reality-based security awareness.&lt;br /&gt;&lt;br /&gt;While companies have consistently failed at these things, the future is now and big differences can be made.  
I believe we can only go up from here.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Gary Morse is President and Founder of &lt;a href="http://www.razorpoint.com"&gt;Razorpoint Security Technologies&lt;/a&gt;.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-2672829274831773803?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2672829274831773803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2672829274831773803'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/06/passwords-to-secure-or-not-to-secure.html' title='Passwords: To Secure or Not to Secure'/><author><name>Janey</name><uri>http://www.blogger.com/profile/07448362186995286938</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://www.haneedesigns.com/janey01.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-7650471648841719344</id><published>2010-05-25T17:36:00.001-04:00</published><updated>2010-05-25T17:36:29.275-04:00</updated><title type='text'>Tabnabbing: A new type of phishing</title><content type='html'>Check out this page at azarask.in. They demonstrate a new method of phishing. A page you are looking at can auto-switch to a page that resembles a page of a trusted website such as gmail, facebook, paypal, or online banking. 
Part of the attack involves changing the favicon of the page and monitoring for page inactivity.&lt;br /&gt; &lt;br /&gt;&lt;object width="400" height="267"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=12003099&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=12003099&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="267"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;p&gt;&lt;a href="http://vimeo.com/12003099"&gt;A New Type of Phishing Attack&lt;/a&gt; from &lt;a href="http://vimeo.com/user532161"&gt;Aza Raskin&lt;/a&gt; on &lt;a href="http://vimeo.com"&gt;Vimeo&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-7650471648841719344?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/7650471648841719344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/7650471648841719344'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/05/tabnabbing-new-type-of-phishing.html' title='Tabnabbing: A new type of phishing'/><author><name>Janey</name><uri>http://www.blogger.com/profile/07448362186995286938</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://www.haneedesigns.com/janey01.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-1017433688911143405</id><published>2010-05-18T12:18:00.002-04:00</published><updated>2010-05-18T12:30:18.238-04:00</updated><title type='text'>Widespread attacks continue against WordPress sites</title><content type='html'>Owners of self-hosted WordPress-based websites should make sure that their FTP and WordPress passwords are secure. Also review your WordPress installation to make sure that it is up to date. The current version is 2.9.2. Sites hosted on WordPress.com are not affected.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Intruders in recent weeks have hacked a large number of websites created through the WordPress blogging platform to spread malware, with another major campaign launched on Thursday, security researchers said.&lt;br /&gt; &lt;br /&gt;In addition to WordPress blogs, websites created with other PHP-based platforms, including the Zen Cart eCommerce solution, were affected by the attacks, Regina Smola, co-founder of WPSecurityLock, a provider of WordPress security services, told SCMagazineUS.com on Tuesday.&lt;br /&gt;&lt;br /&gt;Attackers injected malicious JavaScript into the sites, causing visitors to be redirected to scareware domains that attempted to trick users into installing a virus, she said.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.scmagazineus.com/widespread-attacks-continue-against-wordpress-sites/article/169956/"&gt;Read more...&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-1017433688911143405?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1017433688911143405'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1017433688911143405'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/05/widespread-attacks-continue-against.html' title='Widespread attacks continue against WordPress sites'/><author><name>Janey</name><uri>http://www.blogger.com/profile/07448362186995286938</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://www.haneedesigns.com/janey01.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-386396165459339176</id><published>2010-04-26T14:56:00.010-04:00</published><updated>2010-04-26T15:04:12.761-04:00</updated><title type='text'>1.5 million stolen Facebook IDs up for sale</title><content type='html'>&lt;h3&gt;A hacker named Kirllos is offering to sell the accounts in an underground forum for 2.5 cents per account. &lt;/h3&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.&lt;/p&gt;&lt;br /&gt;Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. 
His asking price varies from US$25 to $45 per 1,000 accounts, depending on the number of contacts each user has.&lt;br /&gt;&lt;br /&gt;To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.&lt;br /&gt;&lt;br /&gt;Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.&lt;br /&gt;&lt;br /&gt;Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account's owner is trapped in a foreign country and needs money to get home.&lt;br /&gt;&lt;br /&gt;In another, they send Web links that lead to malicious software, telling friends that it's a hilarious or sensationalistic video.&lt;br /&gt;&lt;br /&gt;"People will follow it because they believe it was a friend that told them to go to this link," said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. "There's just a plethora of things that people can do if they can trick people into installing their software," he said.&lt;/p&gt;&lt;br /&gt;Kirllos' Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts. 
&lt;p&gt;&lt;/p&gt;&lt;br /&gt;Reposted from &lt;a href="http://www.itworld.com/security/105553/15-million-stolen-facebook-ids-sale?source=ITWNLE_nlt_today_2010-04-23"&gt;IT World&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-386396165459339176?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/386396165459339176'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/386396165459339176'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/04/15-million-stolen-facebook-ids-up-for.html' title='1.5 million stolen Facebook IDs up for sale'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3880052024016150377</id><published>2010-03-22T16:00:00.006-04:00</published><updated>2010-03-22T18:01:21.232-04:00</updated><title type='text'>Is your company social networking?</title><content type='html'>&lt;p&gt;At the RSA Security conference during the week of March 1st, one of the topics of discussion was securing networks in a Web 2.0 world (&lt;a href="http://www.itworld.com/security/98911/tweet-social-network-security-risky-business?page=0%2C0&amp;amp;source=ITWNLE_nlt_today_2010-03-04"&gt;http://www.itworld.com/security/98911/tweet-social-network-security-risky-business?page=0%2C0&amp;amp;source=ITWNLE_nlt_today_2010-03-04&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Facebook, Twitter, LinkedIn and other social networking sites were until recently considered to be productivity 
killers. Most companies blocked access to these websites for their employees to make sure their staff members were not using company resources on frivolous time-wasters.&lt;br /&gt;&lt;br /&gt;It is a good idea to block access to these sites for another reason. Social networking sites are just another point of exposure to malware, phishing attempts, and viruses. Everyone agreed that it was just best to keep your employees away from social networking.&lt;br /&gt;&lt;br /&gt;However, last year marked a turning point in social networking. Employees in sales, HR, customer service and marketing need to use social networking sites to do their jobs. Corporations are now looking to open their doors to social networking, but how do you protect your company from malicious attacks?&lt;br /&gt;&lt;br /&gt;Our take on the situation? It's not time to open the floodgates. Social networking is still potentially dangerous.&lt;br /&gt;&lt;br /&gt;Your company should continue to block access to Facebook, Twitter and LinkedIn for most employees. Access should be granted on an individual or departmental basis, and only sparingly using monitored firewall, IPS or Application Security Gateway rules. Check Point and Tipping Point offer good solutions in these areas.&lt;br /&gt;&lt;br /&gt;Cybercriminals love social networks because there is a false sense of being in a trusted, safe zone. Employees who do have access to social networking need to be educated that:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;There is no privacy anywhere on the web. They should assume that anything posted on a social network may somehow become public. Trade secrets are at risk as well as your corporate brand.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;All links should be treated suspiciously. Social networks use link shortening services like &lt;a href="http://bit.ly/"&gt;bit.ly&lt;/a&gt; and tinyURL. It's impossible to know where such a link will take you. 
It could be a phishing site that will enable someone to take over your account, steal your information or install a virus or malicious code on your computer.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;All third party applications should be treated suspiciously. Twitter and Facebook offer thousands of applications that they do not take responsibility for. Be wary when installing one, or giving access to your account.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Finally, consider heavily what information you add to your public or semi-public social networking profiles. Remember that things like "High School attended," "Birth Date," "Pet Names," "Sibling Names," etc. are all things used by banks and credit institutions to validate your identity. You wouldn't hand out this information to strangers on the street, would you? Why, then, do people gleefully post this online? I'm actually surprised Facebook doesn't have a "Mother's Maiden Name" field.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3880052024016150377?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3880052024016150377'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3880052024016150377'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/03/is-your-company-social-networking.html' title='Is your company social networking?'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-3923172181920893417</id><published>2010-03-18T16:26:00.010-04:00</published><updated>2010-03-19T13:43:06.352-04:00</updated><title type='text'>There is No Security Patch for Stupidity</title><content type='html'>&lt;p&gt;At Razorpoint, we spend a lot of time trying to stay ahead of malicious attackers and cybercriminals. We track the newest, most advanced techniques so that we can work with our customers to repel attacks. That's why we were floored by this article:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="color:#0071bb;"&gt;&lt;a href="http://www.businessweek.com/news/2010-02-18/global-hackers-breached-2-400-companies-security-firm-says.html" target="_blank"&gt;http://www.businessweek.com/news/2010-02-18/global-hackers-breached-2-400-companies-security-firm-says.html&lt;/a&gt;&lt;/span&gt; &lt;/p&gt;&lt;br /&gt;According to Bloomberg News "hackers infiltrated the computer networks of more than 2,400 companies in almost 200 countries over an 18-month period." When we took a closer look at these attacks we noticed something very interesting:&lt;br /&gt;&lt;em&gt;&lt;br /&gt;"The attack uses a piece of software called ZeuS, designed in Eastern Europe, that takes control of large numbers of computers. These so-called botnets of computers are deployed to extract login and personal information related to e-mail, financial and social-networking Web sites."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;ZeuS (aka Kneber) is a bot that steals information by keystroke logging. This method of infiltration is over 10 years old and it should not work anymore. Yet it does - because users continue to fall for the same dumb tricks. They open attachments to email that they shouldn't. 
They respond to phishing emails.&lt;br /&gt;&lt;br /&gt;ZeuS and other bots now control more than 100 million computers worldwide. ZeuS targets login credentials for online social networks, e-mail accounts, and banking. Anti-virus software may not offer protection. The primary way to prevent infection is to offer training and security awareness to prevent your employees from clicking on hostile or suspicious links in email and in social networks.&lt;br /&gt;&lt;br /&gt;Razorpoint knows that the Internet is still a target-rich environment. While there isn't a security patch for stupidity you can help protect your company by employing our endpoint client protection service (Rz.Endpoint). Additionally, companies should have regular comprehensive security assessments conducted in an effort to stay ahead of attacks like this.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-3923172181920893417?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3923172181920893417'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/3923172181920893417'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/03/there-is-no-security-patch-for.html' title='There is No Security Patch for Stupidity'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-1445198381947644409</id><published>2010-03-08T16:24:00.009-05:00</published><updated>2010-03-08T16:55:39.157-05:00</updated><title 
type='text'>PleaseRobMe.com</title><content type='html'>Foursquare is an increasingly popular location-based social network that is based on a game-like premise. Players use smart phones or laptops to "check in" to a location, recording their position on a map for friends using the service to see. The more often you check in, the better your chances of being declared the mayor of a particular location, be it a restaurant, bar, office or even your own home. Foursquare updates can be connected to Twitter and Facebook, keeping the world up to date about your progress.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;Is this a good idea? No, and the new site &lt;a href="http://www.pleaserobme.com/"&gt;http://www.pleaserobme.com/&lt;/a&gt; shows exactly why. The site is a simple stream of Foursquare updates posted on Twitter.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;em&gt;Please Rob Me consists exclusively of an aggregation of public Twitter messages that have been pushed through fast-growing location-based networking site Foursquare, one of a handful of services that encourages people to share their whereabouts with their friends. You can filter by geographic location, too. &lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;br&gt;You wouldn’t post a sign for all the world to see advertising the fact that you are not home. But people who connect Foursquare to publicly viewable sites like Twitter not only let the world know that they are not home, but how far away they are.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;Security is not just about installing alarms, locks or guard dogs. It's about exercising common sense. 
Be secure online and in the real world and keep your whereabouts private.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-1445198381947644409?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1445198381947644409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/1445198381947644409'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/03/pleaserobmecom.html' title='PleaseRobMe.com'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7810223868576959643.post-2693252607119553879</id><published>2010-03-04T14:22:00.007-05:00</published><updated>2010-03-05T14:56:52.198-05:00</updated><title type='text'>Razorpoint Security Begins 10th Year</title><content type='html'>Razorpoint Security Technologies specializes in &lt;a href="http://www.razorpoint.com/services.html"&gt;comprehensive security  assessments&lt;/a&gt; that provide business leaders and corporate clients the  certainty and stability required for survival in today's business  climate.&lt;br /&gt;&lt;br /&gt;On March 1, 2010, Razorpoint Security  Technologies celebrated the beginning of their  10th year in business – great, and slightly hard to believe, at the  same time.  Our tremendously talented staff and faithful clients have kept us going the entire way.  We've done quite a bit to help secure cyberspace  in that time.  However, we have also realized there is an astonishing  amount still to be done.  
The good news is, we're not tired.  There is much more to come.&lt;br /&gt;&lt;br /&gt;Seemingly every day another security breach is reported.  Bank   accounts, identities, corporate data and intellectual property are just   some of the valuable assets targeted by attackers.  The danger and risk   posed to corporate environments grow daily.&lt;br /&gt;&lt;br /&gt;If you think your company's network is at risk, then call us today for a full risk &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;assessment&lt;/span&gt;!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.razorpoint.com"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 304px; height: 110px;" src="http://3.bp.blogspot.com/_EUozTmD1R6I/S5AJ6u_ib2I/AAAAAAAABNw/tAQdYFlItM8/s320/hdr_logo.gif" alt="" id="BLOGGER_PHOTO_ID_5444862854142521186" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;  &lt;/div&gt;  &lt;div&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7810223868576959643-2693252607119553879?l=razorpointsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2693252607119553879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7810223868576959643/posts/default/2693252607119553879'/><link rel='alternate' type='text/html' href='http://razorpointsecurity.blogspot.com/2010/03/razorpoint-security-celebrates-10-years.html' title='Razorpoint Security Begins 10th Year'/><author><name>Michael Findling</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/_EUozTmD1R6I/SXpHC5iE2DI/AAAAAAAAAYo/XisN-X3VT0U/S220/n505792264_2511.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_EUozTmD1R6I/S5AJ6u_ib2I/AAAAAAAABNw/tAQdYFlItM8/s72-c/hdr_logo.gif' height='72' width='72'/></entry></feed>
