Bugs Money
Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.
Category Archives: A Little Sunshine
Who Knows What Youhavedownloaded.com?
You may have never heard of youhavedownloaded.com, but if you recently grabbed movies, music or software from online file-trading networks, chances are decent that the site has heard of you. In fact, you may find that the titles you downloaded are now listed and publicly searchable at the site, indexed by your Internet address.
Twitter Bots Drown Out Anti-Kremlin Tweets
Thousands of Twitter accounts apparently created in advance to blast automated messages are being used to drown out Tweets sent by bloggers and activists this week who are protesting the disputed parliamentary elections in Russia, security experts said.
Pro Grade (3D Printer-Made?) ATM Skimmer
In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.
Download.com Bundling Toolbars, Trojans?
It wasn’t long ago that I felt comfortable recommending CNET’s download.com as a reputable and trustworthy place to download software. I’m going to have to take back that advice: Unfortunately, CNET now is bundling invasive and annoying toolbars with much of the software on its site, even some open-source software whose distribution license prohibits such activity.
I first became aware of this after reading mailing list posting by Gordon “Fyodor” Lyon, the software developer behind the ever useful Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download, recently began distributing Nmap and many other titles with a “download installer,” that bundles titles with browser toolbars like the Babylon toolbar.
Chats With Accused ‘Mega-D’ Botnet Owner?
Recently leaked online chat records may provide the closest look yet at a Russian man awaiting trial in Wisconsin on charges of running a cybercrime machine once responsible for sending between 30 to 40 percent of the world’s junk email.
DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists
The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to detract attention away from simultaneous high-dollar cyber heists.
The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan that’s being called “Gameover.” The thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.
Attempted Malvertising on KrebsOnSecurity.com
Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site’s advertising network — Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of “malvertising.”
Apple Took 3+ Years to Fix FinFisher Trojan Hole
The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious surveillance for law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.
But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.
DHS Blasts Reports of Illinois Water Station Hack
The U.S. Department of Homeland Security today took aim at widespread media reports about a hacking incident that led to an equipment failure at a water system in Illinois, noting there was scant evidence to support any of the key details in those stories — including involvement by Russian hackers or that the outage at the facility was the result of a cyber incident.
Last week, portions of a report titled “Public Water District Cyber Intrusion” assembled by an Illinois terrorism early warning center were published online. Media outlets quickly picked up on the described incident, calling it the “first successful target of a cyber attack on a computer of a public utility.” But in an email dispatch sent to state, local and industry officials late today, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that after detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.
