That’s because an unknown person — possibly a white-hat hacker — gained access to some of the servers that cybercriminals use to distribute the Dridex Trojan and replaced the malware with an installer for Avira Free Antivirus.
Dridex is one of the three most widely used computer Trojans that target online banking users. Last year, law enforcement authorities from the U.S. and U.K. attempted to disrupt the botnet and indicted a man from Moldova who is believed to be responsible for some of the attacks.
But their efforts caused only a temporary drop in Dridex activity, with the botnet returning to full strength since then and even adding new tricks to its toolset. The Trojan can record keystrokes and inject malicious code into banking websites opened on affected computers.
Dridex attacks usually start with targeted email messages that contain malicious Word documents. Those documents have embedded macros, which, if allowed to execute, connect to a server and download the Dridex installer.
Very recently, malware researchers from antivirus vendor Avira observed that some of the Dridex distribution servers were pushing out an “up-to-date Avira web installer” instead of the Trojan.
This means that some victims were lucky and instead of having their computers infected, they received a legitimate and digitally signed copy of the company’s antivirus program. However, the program’s installation is not automatic or silent, so users would have had to manually go through the installation process to get it running.
“We still don’t know exactly who is doing this with our installer and why, but we have some theories,” said Moritz Kroll, a malware expert at Avira, via email. “This is certainly not something we are doing ourselves.”
One possibility is that cybercriminals are doing this themselves in order to confuse antivirus vendors and mess with their detection processes. However, this is unlikely, as they would have more to lose than gain from helping victims secure their computers.
The more likely explanation is that this unusual incident is the work of a white-hat hacker who hijacked the Dridex distribution servers.
Hackers in China attempted to gain access to over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.
An Alibaba spokesman said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.
Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before their defenses catch up with those of U.S. counterparts.
In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.
The hackers then used Alibaba’s cloud computing platform to replay the leaked username and password pairs against Taobao’s login, a technique known as credential stuffing. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.
The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.
Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.
The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.
Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.
“Alibaba’s system was never breached,” the spokesman said.
The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.
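Alibaba’s systems caught most of the attempts, and a detector for this kind of credential stuffing does not need anything exotic: a person mistyping a password hits one account from one place, while a bot replaying a leaked list hits many accounts from one source and fails most of the time, because most leaked pairs are not reused on the target site. The Go program below is an added example (not Alibaba’s or the ministry’s code) that scores a constructed login log on exactly those two signals; the log line format `<source> <user> <ok|fail>`, the sample lines and the thresholds are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LoginEvent is one parsed entry of a login log. The line format is an
// assumption made for this example: "<source> <username> <ok|fail>".
type LoginEvent struct {
	Source string // client IP, or the cloud tenant the request came from
	User   string
	OK     bool
}

// ParseLoginLog parses lines in that format and skips anything malformed.
func ParseLoginLog(lines []string) []LoginEvent {
	var events []LoginEvent
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 3 {
			continue
		}
		events = append(events, LoginEvent{Source: f[0], User: f[1], OK: f[2] == "ok"})
	}
	return events
}

type sourceStats struct {
	attempts, failures int
	users              map[string]bool
}

// DetectStuffing returns, sorted, the sources that tried at least minUsers
// distinct usernames with a failure rate of failRate or higher. A legitimate
// user who mistypes a password hammers one account; a bot replaying a leaked
// list walks through many accounts and fails on most of them.
func DetectStuffing(events []LoginEvent, minUsers int, failRate float64) []string {
	stats := map[string]*sourceStats{}
	for _, e := range events {
		s := stats[e.Source]
		if s == nil {
			s = &sourceStats{users: map[string]bool{}}
			stats[e.Source] = s
		}
		s.attempts++
		if !e.OK {
			s.failures++
		}
		s.users[e.User] = true
	}
	var flagged []string
	for src, s := range stats {
		if len(s.users) >= minUsers && float64(s.failures)/float64(s.attempts) >= failRate {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleLog is constructed for this example; it is not real traffic.
var SampleLog = []string{
	"198.51.100.2 alice fail", // a person mistyping once, then succeeding
	"198.51.100.2 alice ok",
	"192.0.2.9 bob ok",
	"203.0.113.7 user1 fail", // one source replaying a leaked list
	"203.0.113.7 user2 fail",
	"203.0.113.7 user3 ok", // a reused password: the hit the attacker is after
	"203.0.113.7 user4 fail",
	"203.0.113.7 user5 fail",
	"203.0.113.7 user6 fail",
	"203.0.113.7 user7 fail",
	"203.0.113.7 user8 fail",
	"garbage line",
}

func main() {
	fmt.Println("flagged sources:", DetectStuffing(ParseLoginLog(SampleLog), 5, 0.8))
}
```

In production the same aggregation would run over a sliding time window and key on more than the source address (the ASN or cloud tenant, the user-agent, the JA3 fingerprint), since a stuffing campaign rented from a cloud provider spreads its requests across many addresses; the distinct-user count and failure ratio are the signals that survive that spreading.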
That’s what Canadian researchers found when they studied fitness-tracking devices from eight manufacturers, along with their companion mobile apps.
All the devices studied except for the Apple Watch transmitted a persistent, unique Bluetooth identifier, allowing them to be tracked by the beacons increasingly being used by retail stores and shopping malls to recognize and profile their customers.
The revealing devices, the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band, all make it possible for their wearers to be tracked using Bluetooth even when the device is not paired with or connected to a smartphone, the researchers said. Only the Apple device used the Bluetooth LE privacy feature, which periodically rotates the advertised MAC address (a resolvable private address that only a bonded peer holding the device’s key can link back to the device), to prevent tracking.
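What the Apple Watch does and the other seven do not is the Bluetooth LE privacy feature: the device advertises a resolvable private address, built from a random 24-bit value and an AES-based hash of it under an Identity Resolving Key (IRK), and changes it periodically; only a bonded peer that holds the IRK can recompute the hash and recognise the device, while a retail beacon sees an address that keeps changing. The Go program below is an added example, not code from the report or from any of the vendors, that implements the address-hash function from the Core specification and shows both sides: the wearable generating addresses and the phone resolving them. The key used is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ah is the random-address hash function from the Bluetooth Core specification
// (Vol 3, Part H, 2.2.2): AES-128-encrypt a block of 104 zero bits followed by
// the 24-bit input r, and keep the least significant 24 bits of the result.
func ah(irk [16]byte, r [3]byte) ([3]byte, error) {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return [3]byte{}, err
	}
	var in, out [16]byte
	copy(in[13:], r[:]) // r sits in the low 24 bits of the block
	block.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:])
	return h, nil
}

// NewRPA builds a resolvable private address from a 24-bit prand: the two most
// significant bits are forced to 01 (the marker for this address type), and the
// lower 24 bits are hash = ah(irk, prand). Bytes are most significant first.
func NewRPA(irk [16]byte, prand [3]byte) ([6]byte, error) {
	prand[0] = prand[0]&0x3f | 0x40
	h, err := ah(irk, prand)
	if err != nil {
		return [6]byte{}, err
	}
	var addr [6]byte
	copy(addr[0:3], prand[:])
	copy(addr[3:6], h[:])
	return addr, nil
}

// RandomRPA is what the wearable calls at every rotation interval: a fresh prand
// gives a fresh address, so a passive beacon cannot link one sighting to the next.
func RandomRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	return NewRPA(irk, prand)
}

// Resolve is the bonded phone's side: holding the IRK, it recomputes the hash
// over the prand it sees and accepts the address if the hashes match. Without
// the IRK there is nothing to compare against.
func Resolve(irk [16]byte, addr [6]byte) (bool, error) {
	if addr[0]&0xc0 != 0x40 {
		return false, nil // not a resolvable private address at all
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	h, err := ah(irk, prand)
	if err != nil {
		return false, err
	}
	return h[0] == addr[3] && h[1] == addr[4] && h[2] == addr[5], nil
}

func main() {
	var irk [16]byte // the device's Identity Resolving Key, shared with its phone at bonding
	rand.Read(irk[:])
	a, _ := RandomRPA(irk)
	b, _ := RandomRPA(irk)
	ok, _ := Resolve(irk, a)
	fmt.Printf("advertised %s then %s; phone resolves the first: %v\n",
		hex.EncodeToString(a[:]), hex.EncodeToString(b[:]), ok)
}
```

The privacy only holds if the address actually rotates and nothing else in the advertisement (a fixed device name, a serial number in manufacturer data, a static random address used instead) re-identifies the wearer; the seven trackers in the study lost on the first point by advertising a fixed address.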
In addition, companion apps for the wearables variously leaked login credentials, transmitted activity tracking information in a way that allowed interception or tampering, or allowed users to submit fake activity tracking information, according to an early draft of the report, “Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security.” It was published by Canadian non-profit Open Effect, and researched with help from the Citizen Lab at the Munk School of Global Affairs, University of Toronto.
The apps are typically used to gather data from the fitness tracking device and upload it to a central server, where users can analyze their performance and perhaps compare it with that of other device wearers.
Using a man-in-the-middle attack, researchers were able to spy on traffic between the apps and the servers for all but two of the apps, Apple’s Watch 2.1 and Intel’s Basis Peak 1.14.0. The six remaining apps accepted the researchers’ certificate, so the HTTPS connection was terminated at the interception proxy and even data sent over HTTPS could be read and altered.
Apple and Intel used a technique called certificate pinning, in which the app accepts only a server certificate or key it already knows, to avoid being fooled by the fake security certificates presented by the researchers: a pinned app rejects an interception certificate even when the device’s trust store would accept it. Intel has been highlighting the risks of poorly secured wearable devices since at least 2014, when it published the report “Safeguarding the Future of Digital America 2025.”
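Certificate pinning adds a second check after the usual chain validation: the app proceeds only if the server’s key (or certificate) matches one it was shipped with, so an interception proxy is refused even when its CA has been installed into the device’s trust store. The Go program below is an added example, not code from Apple, Intel or the report. It builds a throwaway “vendor” server and a throwaway “proxy” server with their own self-signed certificates (constructed here, no real key material), trusts both as a compromised device would, and pins only the vendor key; the proxy connection then fails the pin check while the vendor connection succeeds. The server reply `steps=4242` is a stand-in for an activity upload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// SPKIPin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, the usual pin form;
// pinning the key rather than the whole certificate survives renewals that keep the key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// FetchPinned connects to addr, lets the normal chain validation against roots
// run, then also requires a pinned key somewhere in the validated chain. A proxy
// whose CA has been installed into roots passes the first check but not the second.
func FetchPinned(addr string, roots *x509.CertPool, pins []string) (string, error) {
	cfg := &tls.Config{
		RootCAs: roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, chain := range chains {
				for _, c := range chain {
					for _, p := range pins {
						if p == SPKIPin(c) {
							return nil
						}
					}
				}
			}
			return errors.New("pin validation failed: no pinned key in the verified chain")
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg) // chain validation and the pin check both run here
	if err != nil {
		return "", err
	}
	defer conn.Close()
	body, err := io.ReadAll(conn)
	return string(body), err
}

// selfSignedCert makes a throwaway CA-flagged certificate for 127.0.0.1 (constructed here,
// no real key material); one stands in for the vendor's API, another for a proxy's root.
func selfSignedCert(name string) (tls.Certificate, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // DER produced a line above; cannot fail to parse
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed
}

// serveTLS answers one connection with a fixed line, standing in for the API server.
func serveTLS(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("steps=4242\n"))
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// Scenario: the client trusts both roots (the proxy CA was installed on the device)
// but pins only the vendor key. Returns the vendor's reply and the proxy attempt's error.
func Scenario() (string, error) {
	vendorTLS, vendorCert := selfSignedCert("vendor-api")
	proxyTLS, proxyCert := selfSignedCert("intercepting-proxy")
	roots := x509.NewCertPool()
	roots.AddCert(vendorCert)
	roots.AddCert(proxyCert)
	pins := []string{SPKIPin(vendorCert)}
	body, err := FetchPinned(serveTLS(vendorTLS), roots, pins)
	if err != nil {
		panic(err) // the genuine server must pass both checks
	}
	_, proxyErr := FetchPinned(serveTLS(proxyTLS), roots, pins)
	return body, proxyErr
}

func main() { fmt.Println(Scenario()) }
```

Pinning the SubjectPublicKeyInfo rather than the certificate, and shipping a backup pin for the next key, is what keeps a pinned app from bricking itself at certificate renewal; the check is deliberately placed after normal validation so that it only narrows the set of acceptable servers and never widens it.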
When it comes to the problem of handling errant drones, there have been a number of high-tech solutions, from radio jamming to laser beams to nets launched by other drones, but a group in The Netherlands has a rather unusual low-tech solution that is much more elegant.
The Guard From Above says it is training birds of prey to attack drones, taking advantage of their natural predatory instincts and precision in the sky.
A video posted by the company on YouTube shows a bird attacking a DJI Phantom drone as it hovers, grabbing the drone with its feet and flying away with it.
The bird’s claws have scales that should prevent it from getting injured by the fast-rotating blades, the company said, adding that it is investigating extra protective measures that could be taken.
The approach has also attracted the interest of the Dutch National Police, which is investigating the use of birds to take down drones. The police have asked the Dutch Organization for Applied Scientific Research (TNO) to research the potential danger to the birds.
To date there have only been a handful of incidents in which drones were used to breach security and get to places they are not supposed to be, such as The White House lawn or the roof of the Japanese Prime Minister’s office.
Tech companies are also racing to provide high-tech solutions to skittish security agencies. In the meantime, a decision by police on whether to move ahead with using the eagles is expected by the end of the year.
‘KIN’ ‘ELL. You don’t want to be the people who bunged this morning’s distributed denial-of-service (DDoS) attack at HSBC, as the money lender and local business supporter has already set the authorities on your behind.
The DDoS attack rained down on the bank and its customers for most of this morning and locked punters out of a range of online banking services at a time when minds were turning to the pub and the weekend. We don’t know how big an attack it was, but we understand that there are some huge scary DDoS monsters out there.
HSBC said that it has fixed the problem and beaten off the attackers with some success. The bank confirmed that customer transactions have not been affected.
The most recent statement suggests that things are getting back to normal, but are not quite there yet. This has been a testing month for HSBC and its customers.
“HSBC internet banking came under a DDoS attack this morning, which affected personal banking websites in the UK. HSBC has successfully defended against the attack, and customer transactions were not affected,” the company said.
“We are working hard to restore normal service. HSBC is working closely with law enforcement authorities to pursue the criminals responsible for today’s attack on our internet banking.”
HSBC hit by DDoS attack. Online banking is offline https://t.co/ThNdEaeo8q pic.twitter.com/6qXibUTDnx
— Graham Cluley (@gcluley) January 29, 2016
HSBC isn’t just going to walk away with this without some security firm saying that they should have seen it coming.
“DDoS attacks, regardless of motive, are never good for any organisation. Whether they are driven purely as a means to cause downtime, force the owner to pay extortion fees or as a cover for malware activity, it quite often mostly affects the users the most,” said Mark James, a security specialist at ESET.
“As in all situations like this please be mindful of the after effects. Nothing may happen but just be a little bit more cautious when opening emails or taking calls from people claiming to be associated with your financial organisations.
“And definitely make sure you have good, regularly updating internet security software installed on your computer or mobile device.”
The study predicts that the continued expansion of Internet-connected devices — such as smart TVs and vehicles, IP video cameras and more — will offer fresh opportunities for tracking targets.
“Law enforcement or intelligence agencies may start to seek orders compelling Samsung, Google, Mattel, Nest or vendors of other networked devices to push an update or flip a digital switch to intercept the ambient communications of a target,” it said. “These are real products now.”
The study comes from Harvard’s Berkman Center for Internet Society and was signed by well-known figures, including security expert Bruce Schneier, Jonathan Zittrain of Harvard Law School and Matthew G. Olsen, former director of the U.S. National Counterterrorism Center.
All are members of the Berkman Center’s Berklett Cybersecurity Project, which studies surveillance and cybersecurity issues.
The technology industry has come under increasing pressure from some government officials in the U.S. and U.K., who contend that bolstering data security, primarily through encryption, will diminish their capabilities to fight terrorism and crime, and will result in those sources “going dark.”
While law enforcement can gain access to data held by service providers through warrants, some systems have been designed in a way that the service providers can’t provide any information at all.
These so-called end-to-end encryption systems leave users in sole possession of the decryption keys. Without the user’s key or passphrase, law enforcement would have to use other means to try to decrypt data.
The study, titled ”Don’t Panic: Making progress on the encryption debate,” does acknowledge that encryption will pose challenges in some instances but by no means will dictate the landscape of future technology products.
“To be sure, encryption and provider-opaque services make surveillance more difficult in certain cases, but the landscape is far more variegated than the metaphor suggests,” it said. “There are and will always be pockets of dimness and some dark spots — communications channels resistant to surveillance — but this does not mean we are completely ‘going dark’.”
The application, called Smart Notice, is a kind of multifunctional widget, managing contacts, notifications, and weather and traffic alerts.
Once the code was on the phone, any information stored on its SD card, such as private images and chat logs, could be stolen.
“The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users,” BugSec and Cynet wrote in a blog post on Thursday.
The researchers found a variety of ways to trigger their malicious code and carry out actions, such as opening a phishing site that tries to steal a person’s Gmail credentials or prompting the person to download a remote access trojan.
“With a little tweak, we were able to load external scripts from a remote host and ‘refresh’ our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads,” the companies wrote.
It was also possible to conduct a denial-of-service attack that could only be stopped by doing a hard reset of the phone, they wrote.
Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.
It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.
FireEye’s report said that remote hot patching may sound like a good idea at the time, but it really isn’t: JSPatch lets an app fetch and run JavaScript at runtime that can call into the app’s native code, so whoever controls the patch an app receives controls the app. It is so widely used that it has opened up a hole in 1,220 iOS applications used by Apple customers. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.
“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.
“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.
Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.
FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.
Facebook Inc has banned global users from coordinating person-to-person private sales of firearms on its online social network and its Instagram photo-sharing service, countering concerns that it was increasingly being used to circumvent background checks on gun purchases.
The move comes as the United States debates the issue of access to guns after a string of mass shootings. U.S. President Barack Obama has urged social media companies to clamp down on gun sales organized on their platforms.
It updates Facebook’s regulated goods policy, introduced in March 2014, that banned people from selling marijuana, pharmaceuticals and illegal drugs.
Facebook already prohibited private firearms sellers from advertising “no background check required,” or offering transactions across U.S. state lines without a licensed dealer because the company said such posts indicated a willingness to evade the law.
Licensed retailers will still be able to advertise firearms on Facebook that lead to transactions outside of Facebook’s service, the spokeswoman said.
“Over the last two years, more and more people have been using Facebook to discover products and to buy and sell things to one another,” Monika Bickert, Facebook’s head of product policy, said in a statement.
“We are continuing to develop, test, and launch new products to make this experience even better for people and are updating our regulated goods policies to reflect this evolution,” Bickert said.
Facebook is the world’s most popular online social network, with 1.59 billion users across the globe, 219 million of them in the United States and Canada.
The National Rifle Association, a lobbying group opposed to limits on U.S. gun ownership rights, did not immediately respond to a request for comment.
Groups advocating increased gun control applauded the new policy.
“Moms are grateful for the leadership shown by Facebook today,” said Shannon Watts, founder of Moms Demand Action for Gun Sense in America, a part of the Everytown for Gun Safety campaign group. “Our continued relationship with Facebook resulted in today’s even stronger stance, which will prevent dangerous people from getting guns and save American lives.”
Toshiba is getting out of the processor business so that it can concentrate on making memory as it tries to recover from its $1.3 billion accounting scandal.
The Japanese press has suggested that the Development Bank of Japan is interested in part of Toshiba’s chip-making business. The state-owned bank has already invested in Seiko’s semiconductor operations.
Toshiba is keeping its NAND flash memory operations and will chuck some of the money it has not got into improving production.
What will be sold is its LSI and discrete chips, which are widely used in cars, home appliances and industrial machinery. In fact it is one of the few companies trying to get out of the automotive industry. Some of this is because Tosh has not made much money out of it. This division lost $2.78 billion in the year ended March 2015.
Following the accounting scandal, Toshiba has been focusing on nuclear and other energy operations, as well as its storage business, which centers on NAND flash memory chips.
The Amazon “share” feature invites customers to share a product via e-mail, Facebook, Twitter or Pinterest.
The court said on Monday that sharing by e-mail without approval of the recipient was illegal. It is “unsolicited advertising and unreasonable harassment,” the regional court in Hamm said, confirming the ruling of a lower court in Arnsberg.
The case was brought against one of Amazon’s resellers by a competitor.
Amazon did not immediately respond to a request for comment.
The ruling comes after Germany’s highest court ruled earlier this month that a similar feature, which encourages Facebook users to market the social media network to their contacts, was unlawful.
At the time, the Federation of German Consumer Organisations (VZBV), which brought the Facebook case to court, had said the ruling would have implications for other services in Germany which use similar forms of advertising.
Almost 300,000 recreational drone owners have registered their unmanned aircraft in a new federal database created to help address a surge of rogue drone flights near airports and public venues, U.S. regulators said on Friday.
The Federal Aviation Administration said 295,306 owners registered in the 30-day period after the registry was launched on Dec. 21 and obtained an FAA identification number that must be displayed on their aircraft.
It was not clear how many drones had been registered. The registration applies to drones that weigh between 0.55 pound (250 grams) and 55 pounds (25 kg).
Experts have said 700,000 to 1 million unmanned aircraft were expected to be given as gifts in the United States last Christmas alone. People who operated their small unmanned aircraft before Dec. 21 must register by Feb. 19.
Owners who registered during the first month had the $5 fee reimbursed.
“The registration numbers we’re seeing so far are very encouraging,” FAA Administrator Michael Huerta said in a statement.
Federal officials see online registration as a way to address the safety concerns that have arisen as a result of unauthorized drone flights near airports and crowded public venues across the country.
The current system is available only to owners who intend to use drones exclusively for recreational or hobby purposes. The FAA is also working to make the system available for non-model aircraft users including commercial operators by March 21.
Officials say the agency is also working with the private sector to streamline registration including through the use of new smart phone apps that could allow a manufacturer or retailer to register a drone automatically by scanning an identification code on the aircraft.
Intel has unveiled a new version of its 6th-gen Core family of chips aimed at enterprises.
Launched today, 6th-gen Core for business comprises a choice of the same Skylake chips revealed last year, as well as Intel vPro chips, but packaged up and targeted for business users with new features and a full business device refresh that will see new form factors.
The 6th-gen Core chips remain largely the same, particularly in terms of specs, but one of the biggest new features is the integration of Intel Authenticate, a solution that has been designed to make business systems more secure.
Authenticate is built into the 6th-gen Core platform and is designed to “dramatically improve identity security” via true multifactor authentication. User information, IT policy and credential decisions are stored and evaluated in hardware rather than in software, so that the factors are harder for an attacker to extract or replay from a compromised operating system.
The Intel Authenticate firmware can properly identify those trying to access systems and protect authentication factors, such as PIN entry, Bluetooth proximity and biometrics, from being accessed by the wrong people.
Another feature new to the 6th-gen Core is Intel Unite that looks to expand workplace transformation solutions by doubling the offering of wireless and wired docking designs.
Intel said that Unite will “transform existing conference rooms” by bringing together the firm’s Core vPro processor functions and wireless capabilities so that workers can interact with meeting content in real time from any location. It is said to make life much easier for the average employee to work seamlessly between the home and the office.
The Core chip family was revealed at IFA in Berlin last year and is made up of Core i3, Core i5 and Core i7 chips aimed at all types of desktop devices across the market, including gaming towers, traditional PC towers, all-in-ones, mini PCs, portable all-in-ones and the Intel Compute stick.
These processors promise up to 60 percent better performance over the previous 5th-gen Core chips, with six times faster 4K video transcoding, 11 times better HD graphics performance, and the ability to be overclocked via full range base clock tuning.
What’s special about Skylake is that it is the first mainstream Intel desktop platform to support DDR4 memory, and is claimed to deliver 30 percent better performance than a three-year-old PC based on Ivy Bridge architecture, 20 percent better performance than a two-year-old PC (Haswell), and 10 percent better performance than a one-year-old PC (Broadwell).
Skylake is the successor to the chipmaker’s Broadwell architecture, and was unveiled at Intel’s Developer Forum last year. It is touted to deliver significant increases in performance, battery life and power efficiency.
Processors based on the Skylake architecture have a new chip design, despite being fabbed on the same 14nm process as Broadwell, making Skylake a ‘tock’ iteration in Intel’s ‘tick-tock’ chip architecture cadence.
One of the models, called FreeBee Data 360, is available in beta starting Tuesday. Under the plan, content providers can give some or all their mobile content to consumers via an app or mobile website on a per gigabyte basis without using up a consumer’s data plan.
The other model of FreeBee Data, which goes into beta on Jan. 25, allows a content provider to sponsor specific consumer actions, such as watching a mobile video clip, listening to an audio stream or downloading an app. Content providers are charged on a per-click basis, but the data is free to users. The broad outline of the service is described for businesses on Verizon’s website.
Verizon said per-click participants so far include Hearst Magazines, AOL and Gameday. They will sponsor some free mobile content for 1,000 test subscribers. A commercial version is coming later in 2016.
Verizon described the advantages to content providers as offering the ability to build smarter mobile marketing campaigns. For consumers, access to content and other data, either per click or for an entire app or website, will be free.
AT&T announced a similar sponsored data program in October called Data Perks, which allows customers the ability to accumulate up to 1 GB of free data per billing period. Customers accumulate free data by clicking on special offers from companies like Fandango, Hotel Tonight, Rosetta Stone and others.
The concept of sponsored data has raised concerns from net neutrality supporters who question whether the services violate the spirit of an open Internet. However, supporters of sponsored data say it won’t cost anything to explore the marketing offers and claim the sponsored traffic is not prioritized over other Internet traffic.
The fifth annual password survey from SplashData has shown that there is still a huge chunk of people who think that ’123456′ and ‘password’ are safe. In fact, they’re the two most popular.
’12345678′ has gone up one place, and so has ‘qwerty’, while ’12345′ is down two places. In other words, there’s been a shift about, but essentially the top five is identical to last year’s.
Let’s pause here for a Public Service Announcement: CHANGE THESE PASSWORDS. THEY ARE NOT SAFE!!!
What is odd is that most sites these days insist on an alphanumeric password, and many on upper-case or ‘special’ characters too. But there’s also an assumption that Re-Captcha and similar anti-bot procedures will keep you safe. They won’t. They never did.
The next five are ’123456789′, ‘football’ (up three places), ’1234′ (down one), ’1234567′ (up two) and ‘baseball’ (down two).
The highest new entry this year is ‘welcome’ at number 11, which is used by some manufacturers as a default, but there is no insistence that it must be changed on first log-in, so many people don’t. Given that it is often used as a root password, this practice needs to be nipped in the bud.
What is notable is that the message about obvious words is, for the most part, getting through as ‘dragon’, ‘monkey’ and ‘letmein’ all dropped sharply. However, at the lower end of the table, these are being replaced by the likes of ‘starwars’ ‘princess’ and ‘solo’.
Also worth noting is ‘passw0rd’ at 24. We’ve been party to advising readers in the past that substituting special characters for letters, l!k3 th!5, is a good idea. Sadly, that lasted about five minutes: cracking software applies those substitutions automatically as rules to every word in its dictionary, so a ‘clever’ spelling of a common word falls as quickly as the word itself. The fact is that real words aren’t safe. Random is the only way to go.
Before we do the top 25, a few words on keeping your account safe. First off, if there’s an option for two-step verification, turn it on. It may feel like a pain in the neck having to get a code by text message, but it’s very effective.
If you’re a user of Google, Dropbox, WordPress, Windows 10 and a growing number of other sites, consider investing in a FIDO-compliant key like the Yubikey range. These simply won’t let you log-in until the USB key is inserted (unless you make the computer ‘safe’). There’s even an NFC version for phones.
Windows 10 users: there’s an option to use a PIN instead of a password. Think carefully before you activate it because there are, de facto, far fewer combinations of numbers alone than of alphanumeric, although compatible computers and a growing number of phones will do biometric identification too.
And here’s a controversial idea. The most effective passwords are random. But random is hard to remember, and with password managers as liable to hacking as any other site, why not write your passwords down?
We’ve been told for years not to write our PINs down, but passwords? Think about it. As long as you keep a notebook with your passwords at home, safely (don’t take it around with you), the only way it could go missing is if you are burgled. And if a burglar breaks into your house, are they really going to be interested in a tatty notebook, rather than your laptop itself? Maybe it’s time to reinvent the wheel and go old school. You can’t hack paper. Yet.
And so without further ado, here’s the top 25 passwords for 2015. Crank up the chart music below and ask yourself – How stupid do you feel?
1 123456 (UNCHANGED)
2 password (UNCHANGED)
3 12345678 (+1)
4 qwerty (+1)
5 12345 (-2)
6 123456789 (UNCHANGED)
7 football (+3)
8 1234 (-1)
9 1234567 (+2)
10 baseball (-2)
11 welcome (NEW)
12 1234567890 (NEW)
13 abc123 (+1)
14 111111 (+1)
15 1qaz2wsx (NEW)*
16 dragon (-7)
17 master (+2)
18 monkey (-6)
19 letmein (-6)
20 login (NEW)
21 princess (NEW)
22 qwertyuiop (NEW)
23 solo (NEW)
24 passw0rd (NEW)
25 starwars (NEW)
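A rule-based cracker does not need ‘passw0rd’ in its wordlist: it takes ‘password’ and applies substitution, capitalisation and suffix rules to it, so every cheap variant of a word in the list above is among its first guesses. The Go program below is an added example (not SplashData’s) that runs a small rule set of that kind over the top 25 and uses the result as a blocklist; the substitution table, the suffix list and the sample passwords checked are assumptions made for the demonstration, and real rule files are far larger.

```go
package main

import (
	"fmt"
	"strings"
)

// Top25 is the SplashData 2015 list above, used here as the base wordlist.
var Top25 = []string{
	"123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
	"1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
	"1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
	"qwertyuiop", "solo", "passw0rd", "starwars",
}

// leet lists the substitutions a typical cracking rule set tries for each letter.
var leet = map[rune][]rune{'a': {'@', '4'}, 'e': {'3'}, 'i': {'1', '!'}, 'o': {'0'}, 's': {'$', '5'}, 't': {'7'}}

// suffixes are a few of the most common things people append to a dictionary word.
var suffixes = []string{"", "1", "12", "123", "!", "1!", "2015", "2016"}

// Variants applies the rule set to one base word: every combination of leet
// substitutions, three capitalisation patterns and each suffix. This is the
// forward direction of what a cracker does, which is why spelling a common
// word "l!k3 th!5" buys nothing.
func Variants(word string) []string {
	if word == "" {
		return nil
	}
	stems := []string{""}
	for _, r := range word {
		alts := append([]rune{r}, leet[r]...)
		var next []string
		for _, stem := range stems {
			for _, a := range alts {
				next = append(next, stem+string(a))
			}
		}
		stems = next
	}
	var out []string
	for _, s := range stems {
		for _, c := range []string{s, strings.ToUpper(s), strings.ToUpper(s[:1]) + s[1:]} {
			for _, suf := range suffixes {
				out = append(out, c+suf)
			}
		}
	}
	return out
}

// Blocklist expands every base word and maps each variant back to the word it
// came from; the first base word to produce a variant keeps it.
func Blocklist(words []string) map[string]string {
	m := map[string]string{}
	for _, w := range words {
		for _, v := range Variants(w) {
			if _, seen := m[v]; !seen {
				m[v] = w
			}
		}
	}
	return m
}

// CheckPassword reports whether pw is a top-25 password or a cheap derivative of
// one, and which base word a cracker would have reached it from.
func CheckPassword(pw string, bl map[string]string) (string, bool) {
	base, weak := bl[pw]
	return base, weak
}

func main() {
	bl := Blocklist(Top25)
	fmt.Printf("%d guesses cover the list and its common variants\n", len(bl))
	for _, pw := range []string{"passw0rd", "P@ssw0rd123", "Dragon!", "Welcome2016", "gX7#qLm2vB9z"} {
		base, weak := CheckPassword(pw, bl)
		fmt.Printf("%-14s weak=%-5v base=%q\n", pw, weak, base)
	}
}
```

The size of the expanded set is the point: a few thousand guesses cover the whole list with its usual decorations, which is a fraction of a second of work against any leaked hash, and a sign-up form that checks new passwords against such a set (or against a much larger breach corpus) stops the top of this chart from ever being chosen.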