Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does

The Hacker News - 19 April, 2017 - 18:44
It should be noted that hacking a system for unauthorised access that does not belong to you is an illegal practice, no matter what's the actual intention behind it. Now I am pointing out this because reportedly someone, who has been labeled as a 'vigilante hacker' by media, is hacking into vulnerable 'Internet of Things' devices in order to supposedly secure them. This is not the first time
Category: Hacking & Security

Microsoft turns two-factor authentication into one-factor by ditching password

Ars Technica - 19 April, 2017 - 18:03

(credit: Microsoft)

Microsoft Authenticator is a pleasant enough two-factor authentication app. You can use it to generate numeric authentication codes for accounts on Google, Facebook, Twitter, and indeed, any other service that uses a standard one-time password. The login process is straightforward: first you sign in to each site with your username and regular, fixed password, then you use the code generated by the app.

But for Microsoft accounts, Redmond is offering something new: getting rid of that first password and using just the phone to authenticate. With phone-based authentication enabled, after entering your Microsoft Account e-mail address, you'll receive an alert on your phone. From that alert, you can either approve or reject the authentication attempt—no password necessary.

This same approve-or-reject choice on the phone has been offered previously to Microsoft Accounts, but in the past, it still required the use of the fixed password.


Category: Hacking & Security

Never can say goodbye: face scans for departing US visitors fast-tracked

Sophos Naked Security - 19 April, 2017 - 17:30
Biometric Exit, a scheme launched under Obama to check departing passengers, is being rolled out to every international airport in the US

How tech support scammers have made millions of dollars

Sophos Naked Security - 19 April, 2017 - 15:59
Researchers who spent eight months digging into the scammers' techniques reveal the tools the bad guys use and the money they've made

Bank employees using social networks at work: danger or mere distraction?

Positive Research Center - 19 April, 2017 - 15:37

Banks always have been a lure for attackers, and while new technologies help to improve client service, they also create additional information security risks.

Cyberattacks on banks frequently start with criminals persuading employees of a financial institution to open specially crafted malware. Positive Technologies expert Timur Yunusov explains below if it makes sense for banks to ban workplace use of social networks to reduce the risk of such attacks.

Employees: the weak link in security
Most cyberattacks on banking infrastructure rely on social engineering. By smoothly manipulating bank employees in correspondence or conversation, criminals frequently manage to penetrate a bank’s internal network. In the case of a targeted attack directed at many bank employees—we know of attacks targeting 10 to 50 (or even more) employees at the same time—we can safely assume that at least one of them will open malware attached to an email message, therefore infecting that employee’s computer.

Research performed by Positive Technologies demonstrates that information security awareness among employees remains low. Employees often open potentially malicious attachments and act in a way that may jeopardize the security of the company's infrastructure. Unfortunately, awareness is still low at companies where employees undergo information security training.

One of the most effective tools for a hacker is the telephone—in 100 percent of cases with the clients we audited, our testers managed to convince the employee on the other end of the line to open the malicious file they had previously sent, or even to disclose the employee’s user name and password. Bank employees are a weak link in security, and therefore financial institutions have to think about how to reduce the risk of attacks on their staff.

Putting the social network controversy in perspective
Considering all the above, banning workplace use of social networks might seem to be a safe and sensible step. After all, popular online services are another way for attackers to spread malware.

But in reality, social networks are less useful for fraudsters than the phone, for instance. To persuade employees to perform a certain action, attackers first need to create relationships and earn trust. Targeted attacks via social networks are a time-consuming process that usually takes a week or more. Timing is trickier too, since if the attacker sends the malicious software or link when the employee is at home, the malware will infect the employee’s computer, instead of a bank computer.

Sometimes attackers hack the accounts of the target employee’s friends. In this case, success is more likely because people trust their friends more than they trust strangers. But performing this attack at any kind of scale against bank employees via social networks is quite difficult and has no guarantees of success. Overall, emails and phone calls are much more effective for hackers.

To ban or not to ban
Statistics show that employees of financial institutions are at risk and are the logical first target for hackers. Many methods are available to hackers for this purpose, including social networking websites.

But banning use of social networks may actually be counterproductive. After a ban, employees could switch over to other communication methods (for example, email and phone) that are statistically riskier with respect to social engineering.

In addition, outright prohibitions may not work and instead push employees to seek dangerous workarounds. At a minimum, any ban must be reinforced by training to educate employees on the basics of information security.

The more effective and reliable choice for banks and other businesses is to combine security awareness training with use of special protection and attack detection tools, such as security information and event management (SIEM) and web application firewall (WAF) solutions.

Scammers mine online recruiter for patsies in package reship scheme

Ars Technica - 19 April, 2017 - 15:29

That sketchy speedy delivery gig you were offered by that company that you applied to work for? It's probably a scam.

If you're using a Web-based third-party recruiter site to look for and apply for jobs, you may want to keep a close eye on the e-mails you get in response. As Steve Ragan of CSO reports, scammers are harvesting information from recruiter sites to offer "flexible" jobs that are in fact criminal undertakings—often posing as executives from the companies where applicants have applied for jobs.

One woman who applied for a job at the paint manufacturer Sherwin-Williams through the site of ZipRecruiter received an e-mail shortly afterward from someone posing as the CEO of the company. The person claimed that the position she had applied for was filled but offered another job as a "personal assistant" for the CEO himself for $500 a week.

"If you accept my offer, I will need you to take charge of my mails pick up and drop off as well as errand running during your spare time outside of work," the e-mail read. "The job is flexible so you can do it wherever you are as long as there is a post office in the area. I will pay for the first week in advance to run errands, and will also have my mails/packages forwarded to a nearby post office where you can pick them from at your convenience."


Category: Hacking & Security

The Administrative Credentials Security Hole

InfoSec Institute Resources - 19 April, 2017 - 14:00

Did you know that almost anyone with a bit of initiative can break into your systems in minutes – quietly and without leaving a trace? Even when you lock up your servers, apply patches, and use group policies to secure your servers and workstations, it only takes a few minutes for a hacker to gain […]


Category: Hacking & Security

China’s New Cyber Security Law

InfoSec Institute Resources - 19 April, 2017 - 14:00

Section 1. Introduction. Regional regulations on data transfers, such as the U.S.-E.U. Privacy Shield framework, have a significant impact on the cross-border moving, use, and protection of personal data. In Asia, one of the major players in the field of ICT, China, is moving towards a more comprehensive regulation of its cyberspace. On 1st of […]


Category: Hacking & Security

Memory Forensics: Enumeration

InfoSec Institute Resources - 19 April, 2017 - 14:00

In Part 1 of this article, we looked at the power of memory forensics for enumerating forensically important objects such as processes, VAD nodes and memory mappings. In this article we will see memory forensics enumeration of other forensically important objects. DLL enumeration from memory: DLLs are shared among processes for […]


Category: Hacking & Security

Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities

Threatpost - 19 April, 2017 - 13:20
Oracle released a record 299 patches, including a fix for a Solaris vulnerability disclosed by the ShadowBrokers, and another for the recently disclosed Apache Struts 2 flaw.
Category: Hacking & Security

Watch out for fraudsters attacking Amazon Marketplace accounts

Sophos Naked Security - 19 April, 2017 - 12:35
Are you a Marketplace seller? Here are some tips to help you avoid becoming a victim of the latest round of attacks

Personalized Spam and Phishing

Kaspersky Securelist - 19 April, 2017 - 11:58

Most spam, especially the sort that is mass-mailed on behalf of businesses, has quite an impersonal format: spammers create a message template for a specific mailing purpose and often drastically diversify the contents of that template. Generally, these kinds of messages do not personally address the recipient and are limited to common phrases such as “Dear Client”. The most that personal data is ever involved is when the local part of the recipient's email address (or part of it) is substituted in place of a name. Any specifics that would help the recipient ascertain whether the message is addressed personally to him, for example an existing account number, a contract number, or the date of its conclusion, are missing from the message. This impersonality, as a rule, attests to a phishing attempt.

Lately, however, we have been noticing the opposite tendency quite often: fraud becomes personalized and spammers invent new methods to persuade the recipient that the message is addressed personally to him. Thus, in the malicious mailing that we discovered last month, spammers used the actual postal addresses of the recipients in messages to make them seem as credible as possible. This information is sold to evildoers as ready-to-use databases of physical addresses (they are frequently offered for sale in spam messages), collected by evildoers from open sources, or obtained by evildoers when hacking email accounts, for example. Of course, cybercriminals will not have very many of these addresses at their disposal (compared to generated addresses), but they are much more valuable.

The way spammers organize their personalized attacks plays an important role as well. In general, messages are mass mailed on behalf of an existing company, while the technical headers of fake messages use the company’s actual details.

There are several ways to use valid details. The most unsophisticated method is spoofing, which is the substitution of technical headers in messages. The headers can easily be set with any mass-mailing program. In particular, during spoofing the “From” field contains a real address belonging to the impersonated company. In this case, spam is mass-mailed on behalf of the spoofed company, which can stain the company’s reputation quite seriously. Yet not all technical headers can be substituted when spoofing, and good anti-spam filters will not let these messages through.

Another method entails sending spam from so-called hijacked infrastructure, which is much harder to do technically, as the mail server of the target company has to be hacked. After gaining control over it, an evildoer can start sending messages with legitimate technical headers from any email address owned by the company and on behalf of any employee who works there. At the same time, the fake message looks quite credible to anti-spam filters and travels freely from server to server, as all of the necessary certificates and digital signatures in the header correspond to genuine counterparts. This results in losses for both the recipient, who takes the bait of the evildoers (network infection and theft of personal data or business information), and the company, whose infrastructure is abused by the evildoers.
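The distinction the two paragraphs above draw, spoofed headers that a good filter rejects versus a hijacked server whose headers are genuinely valid, can be seen on the receiving side. The following is an added example written for this page (not Kaspersky's own tooling): it reads the receiving server's Authentication-Results header (RFC 8601) of a parsed message and checks whether the SPF and DKIM results align with the domain in the From header. The two sample messages, the domains recruit-co.example, bulk-sender.example.net and mx.example.org, and the verdict labels are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a spoofed message. The From header claims the recruiter's
# domain, but the bounce address is elsewhere and the receiving MTA recorded
# an SPF failure and no DKIM signature.
SPOOFED_MSG = """\
Return-Path: <bounce@bulk-sender.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-sender.example.net; dkim=none
From: "Recruit Co" <orders@recruit-co.example>
To: victim@example.org
Subject: Your order has shipped

Your parcel is on its way.
"""

# Constructed sample: sent from the company's own (hijacked) mail server, so
# SPF and DKIM both pass and align with the From domain.
HIJACKED_MSG = """\
Return-Path: <orders@recruit-co.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=recruit-co.example; dkim=pass header.d=recruit-co.example
From: "Recruit Co" <orders@recruit-co.example>
To: victim@example.org
Subject: Your order has shipped

Your parcel is on its way.
"""


def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, address = parseaddr(str(addr) if addr else "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(header):
    """Parse 'authserv-id; method=result prop=value; ...' into
    {method: (result, domain)}. Only spf, dkim and dmarc are kept."""
    results = {}
    if not header:
        return results
    # The first ';'-separated field is the authserv-id, not a result clause.
    for clause in str(header).split(";")[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause.strip())
        if not m:
            continue
        method, verdict, rest = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", rest)
        results[method] = (verdict.lower(), dom.group(1).lower() if dom else "")
    return results


def assess(raw_message):
    """Return the From domain, a verdict and the list of alignment findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    spf_verdict, spf_dom = auth.get("spf", ("none", ""))
    dkim_verdict, dkim_dom = auth.get("dkim", ("none", ""))

    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append("envelope sender domain differs from From domain")
    if spf_verdict != "pass" or spf_dom != from_dom:
        findings.append("SPF did not pass for the From domain")
    if dkim_verdict != "pass" or dkim_dom != from_dom:
        findings.append("no aligned DKIM signature")

    return {
        "from_domain": from_dom,
        "verdict": "likely spoofed" if findings else "headers authenticated",
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MSG), ("hijacked", HIJACKED_MSG)):
        print(label, assess(sample))
```

The spoofed sample trips all three checks, while the hijacked-infrastructure sample comes back clean, which is exactly the article's caveat: header authentication stops naive header substitution but cannot tell a compromised legitimate server from its owner, so URL and attachment analysis and user awareness still have to do the rest.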

Usually, cybercriminals select small businesses (with up to several dozen employees) as victims for hacking. Owners of so-called parked domains are of particular interest, as parked domains are used by a company without creating a website on these domains.

In the samples we detected, personalized malicious spam was mass-mailed on behalf of an existing small company specializing in staff recruitment. The messages contained order delivery notifications that are typical of malicious spam, but also indicated the real postal addresses of the recipients. The messages also contained URLs that were located on legitimate domains and were constantly changing throughout the mailings. If a user navigates to the URL, malicious software is downloaded to the user’s computer.

In this way, we may affirm that spam is becoming more personalized and mailings are becoming targeted. With the rising digital literacy of users, this is exactly what evildoers rely upon: it is not so easy to remember all your subscriptions, all your online orders, or where you’ve left your personal data, including addresses. Such an information load calls for the use of smart security solutions and the employment of security measures to protect your “information-driven personality”.

Microsoft will offer sign-in to your account without you knowing the password. Your phone will help

Zive.cz - security - 19 April, 2017 - 09:51
To sign in to your Microsoft account you will no longer need to know even your own password. The company announced on its blog an update to the Authenticator app, which until now served for two-step identity verification. In the improved Authenticator you will be able to set the app so that, on an attempt to ...
Category: Hacking & Security

Vigilante botnet infects IoT devices before blackhats can hijack them

Ars Technica - 19 April, 2017 - 03:41

Vigilante Man (Illustration by Projectvillain, photographed by Seth Anderson) (credit: projectvilliain/Seth Anderson)

Mirai, the botnet that threatened the Internet as we knew it last year with record-setting denial-of-service attacks, is facing an existential threat of its own: A competing botnet known as Hajime has infected at least 10,000 home routers, network-connected cameras, and other so-called Internet of Things devices.

Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals. The message reads:

Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!

Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT devices. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.


Category: Hacking & Security

Two members of ATM skimming ring plead guilty to bank fraud

Ars Technica - 18 April, 2017 - 23:32

(credit: Piotrus)

Joel Abel Garcia, a 35-year-old from the Bronx, New York, became the third member of an alleged ring of automated teller machine "skimmers" to plead guilty today in the US District of New Jersey to the charge of conspiracy to commit bank fraud. Another member of the group—Victor Hanganu, a Romanian citizen living in Bayside, New York—pleaded guilty to the same charge on April 10. Eleven others have been charged in the conspiracy, which targeted PNC and Bank of America ATMs in New Jersey from March 2015 until June of 2016. Another Romanian, Radu Marin, pleaded guilty on March 29.

"According to admissions made in connection with the pleas, Garcia, Hanganu, and others sought to defraud financial institutions and their customers by illegally obtaining customer account information, including account numbers and personal identification numbers," a Department of Justice spokesperson said in a statement made on behalf of federal prosecutors in New Jersey. Garcia was found to be personally responsible for $132,805 in withdrawals using forged ATM cards out of a total of $428,581 over the 15-month period.

Garcia admitted as part of the plea that "he installed 'skimming' devices on the ATMs" belonging to PNC and Bank of America at multiple locations in New Jersey, "including pinhole cameras that recorded password entries and card-reading devices capable of recording customer information encoded on magnetic strips," according to the statement.


Category: Hacking & Security

Security Evaluation Models

InfoSec Institute Resources - 18 April, 2017 - 21:32

Most organizations these days want their information system to be managed as safely as possible. Security Evaluation is the basic step in achieving this goal for any organization, followed by Assurance and Information Security Certification. Security Evaluation is particularly important because of the rapidly changing environment of the information security system or the operation system. […]


Category: Hacking & Security

Russian Hacker Selling Cheap Ransomware-as-a-Service On Dark Web

The Hacker News - 18 April, 2017 - 20:18
Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars. Forget about developing sophisticated banking trojans and malware to steal money out of people and organizations. Today, one of the easiest ways that can help cyber criminals get
Category: Hacking & Security

IHG Confirms Second Credit Card Breach Impacting 1,000-Plus Hotels

Threatpost - 18 April, 2017 - 20:15
InterContinental Hotels Group said on Friday that it found malware designed to access payment card data at more than 1,000 of its hotels.
Category: Hacking & Security

Facebook Delegated Account Recovery SDKs Published for Java, Ruby Apps

Threatpost - 18 April, 2017 - 19:45
At F8 today, Facebook released SDKs and documentation for the integration of Delegated Account Recovery into Java, NodeJS and Ruby applications.
Category: Hacking & Security

News in brief: Facebook introspects; Magento RCE; RIP Robert Taylor

Sophos Naked Security - 18 April, 2017 - 19:38
Your daily round-up of some of the other stories in the news