As ATM security rises, skimmers board train ticket machines

Moving right along … Now that ATM operators have more sophisticated means to detect and prevent machine tampering, criminals are finding easier pickings for their skimming operations. Germany’s Federal Criminal Police Office (BKA) has reported that fraudsters have begun fitting train ticket machines with the same kind of skimming devices used on ATMs, collecting card data and PINs at the machines’ card readers.


Original article at atmmarketplace.com

Microsoft Issues Stopgap Fix for IE 0-Day Flaw

Microsoft today released a stopgap fix for a critical security flaw in most versions of Internet Explorer that hackers have been exploiting to break into Windows systems. The company said it expects to issue an official patch (MS12-063) for the vulnerability on Friday, Sept. 21.

The company released a “fix it” tool, designed to blunt the threat of attack on this flaw for users of IE 7, 8 and 9. In a blog post, Microsoft’s Yunsun Wee said the one-click solution should not affect users’ ability to browse the Web, and it does not require the reboot of your computer. Users should not need to uninstall the fix to apply the full security patch when Microsoft releases it.

I’m glad to see Microsoft take this step. The company keeps downplaying the threat, stating that “there have been an extremely limited number of attacks” against this flaw and that “the vast majority of Internet Explorer users have not been impacted.” Nevertheless, as I noted in previous stories this week, a reliable exploit for this vulnerability has already been rolled into free, easy-to-use attack tools, so IE users should not delay in applying this fix-it tool.


Original article at krebsonsecurity

WiFi Protected Setup PIN brute force vulnerability

US-CERT published a vulnerability note in December 2011 about a brute-force attack on the WiFi Protected Setup (WPS) PIN of wireless routers. The flaw was first discovered by Stefan Viehböck and was subsequently independently reported by Craig Heffner. Craig and his team have now released their tool “Reaver” on Google Code, which automates the brute-force attack. The weakness is that the access point acknowledges the two halves of the 8-digit PIN separately, and the last digit is only a checksum, so an attacker needs at most 10,000 + 1,000 = 11,000 guesses instead of the 100 million an 8-digit PIN suggests.

Continue reading “WiFi Protected Setup PIN brute force vulnerability”
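The following is an added example (not part of the original post and not Reaver’s code) showing why the split verification makes the PIN brute-forceable. The checksum routine is the one from the WPS specification; the `ToyAccessPoint` class is a hypothetical model that reproduces only the leak (a NACK after M4 reveals whether the first four digits were right, a NACK after M6 whether the next three were), not the real EAP exchange.

```python
"""Why the WPS external-registrar PIN is brute-forceable (added example)."""


def wps_checksum(pin7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN.

    This is the checksum algorithm from the WPS specification (the same one
    hostapd and Reaver implement): odd digits from the right are weighted 3,
    even digits 1, and the check digit makes the total a multiple of 10.
    """
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


class ToyAccessPoint:
    """Hypothetical model of the AP side of WPS registration, not a real AP.

    The only behaviour modelled is the information leak: the AP answers
    message M4 with M5 (True) if the first half of the PIN was right, else
    EAP-NACK (False), and answers M6 with M7 (True) if the second half was
    right, else EAP-NACK (False).
    """

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("PIN has a bad checksum digit")
        self._first, self._second = pin[:4], pin[4:]
        self.m4_count = 0  # first-half guesses the AP answered
        self.m6_count = 0  # second-half guesses the AP answered

    def m4(self, first_half: str) -> bool:
        self.m4_count += 1
        return first_half == self._first

    def m6(self, first_half: str, second_half: str) -> bool:
        if first_half != self._first:
            raise RuntimeError("protocol violation: M6 without a prior M5")
        self.m6_count += 1
        return second_half == self._second


def brute_force(ap: ToyAccessPoint):
    """Recover the PIN the way Reaver does: first half, then second half.

    Returns (pin, total_guesses). The second phase enumerates only the three
    free digits and computes the checksum digit, so the worst case is
    10_000 + 1_000 = 11_000 guesses rather than 10**8.
    """
    first = next(f"{i:04d}" for i in range(10_000) if ap.m4(f"{i:04d}"))
    for j in range(1_000):
        pin7 = int(first + f"{j:03d}")
        second = f"{j:03d}{wps_checksum(pin7)}"
        if ap.m6(first, second):
            return first + second, ap.m4_count + ap.m6_count
    raise RuntimeError("unreachable: every valid-checksum PIN is found above")


WORST_CASE_GUESSES = 10_000 + 1_000   # split verification plus checksum digit
NAIVE_GUESSES = 10**8                 # if the AP only answered after the full PIN


if __name__ == "__main__":
    pin, guesses = brute_force(ToyAccessPoint("12345670"))
    print(f"recovered {pin} after {guesses} guesses "
          f"(worst case {WORST_CASE_GUESSES}, naive {NAIVE_GUESSES})")
```

Because a real access point replies to each guess in well under a second, and many shipped no lockout after repeated failures, the 11,000-guess bound translates into hours rather than years; the only effective mitigation is disabling WPS (or at least the external-registrar PIN method) on the router.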

Can our Power Supply / Other Utility Systems be hacked?

Federal authorities are investigating a hack that resulted in the burnout of a water pump at the Curran-Gardner Township Public Water District in Illinois.

A hacker apparently exploited the supervisory control and data acquisition (SCADA) system that managed the water pump and set the pump to cycle on and off repeatedly. Only after the pump failed, earlier this month, did plant operators discover that their systems had been compromised, apparently as early as September. The attack appeared to have been launched from a server based in Russia.
Continue reading “Can our Power Supply / Other Utility Systems be hacked?”
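A check a plant operator could run over historian or PLC event logs to catch the cycling pattern described above, added here as an example; it is not code from the original report or from any SCADA vendor. The log format, the tag name `pump1`, the five-minute window and the transition threshold are assumptions for the example, and the sample lines are constructed, not data from the incident.

```python
"""Flagging a pump that is being cycled on and off (added detection example)."""
from collections import deque
from datetime import datetime, timedelta

# Constructed event log for this example, not data from the incident above.
# Assumed format: ISO-8601 timestamp, tag name, reported state.
SAMPLE_LOG = """\
2011-09-12T03:00:00Z pump1 ON
2011-09-12T03:45:00Z pump1 OFF
2011-09-12T05:10:00Z pump1 ON
2011-09-12T05:10:00Z pump1 ON
2011-09-12T06:02:00Z pump1 OFF
2011-09-12T22:14:05Z pump1 ON
2011-09-12T22:14:11Z pump1 OFF
2011-09-12T22:14:18Z pump1 ON
2011-09-12T22:14:24Z pump1 OFF
2011-09-12T22:14:31Z pump1 ON
2011-09-12T22:14:37Z pump1 OFF
2011-09-12T22:14:44Z pump1 ON
2011-09-13T07:30:00Z pump1 OFF
"""


def parse_events(text):
    """Parse log lines into (timestamp, tag, state) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, state = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), tag, state))
    return events


def transitions(events):
    """Keep only genuine state changes per tag (a repeated report is not a toggle)."""
    last = {}
    out = []
    for ts, tag, state in events:
        if last.get(tag) != state:
            last[tag] = state
            out.append((ts, tag, state))
    return out


def cycling_alerts(events, window=timedelta(minutes=5), max_transitions=3):
    """One alert per burst in which a tag changes state more than
    `max_transitions` times inside `window`.

    Returns (tag, first_transition, triggering_transition) tuples. A sane
    control loop respects the motor's minimum dwell time, so a handful of
    transitions within minutes is either a fault or an injected command.
    Threshold and window are assumptions and would be tuned per asset.
    """
    alerts = []
    recent = {}  # tag -> timestamps of transitions still inside the window
    for ts, tag, _state in transitions(events):
        q = recent.setdefault(tag, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == max_transitions + 1:  # fire once, as the burst crosses the line
            alerts.append((tag, q[0], ts))
    return alerts


if __name__ == "__main__":
    for tag, start, hit in cycling_alerts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {tag}: rapid cycling from {start:%Y-%m-%d %H:%M:%S}, "
              f"threshold crossed at {hit:%H:%M:%S}")
```

Run against the constructed log, the four slow transitions during the day pass silently and the burst at 22:14 raises a single alert at the fourth toggle. The point for operators is that the pump failure was only noticed after the fact; the same historian data, watched for an impossible toggle rate, would have shown the tampering weeks earlier.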

Internet Banking & Mobile Banking users beware – ZITMO & SPITMO is here !!

Typically, strong online banking authentication relies on generating a Transaction Authorisation Number (TAN), sending it by SMS to the registered mobile number of the internet banking user, and having the user enter that randomly generated code into the banking site before the transaction is authorised. Beware: danger is lurking in this scenario as well.

ZITMO (Zeus-In-The-Mobile) is a trojan designed to intercept and redirect incoming SMS messages, including the transaction authorisation codes that arrive on infected mobiles, so that the second factor ends up with the attacker. Another similar trojan is SPITMO (SpyEye-In-The-Mobile), with nearly the same functionality as ZITMO apart from some differences in how it works.
Continue reading “Internet Banking & Mobile Banking users beware – ZITMO & SPITMO is here !!”

OWASP ‘Top 10 Mobile Risks’ – Part 1

OWASP (Open Web Application Security Project) has come up with a Top 10 list of risks for mobile applications. The list is still in the ‘beta’ stage: released as a release candidate on 23 September 2011, it has been through a 60-day review period and the final version is due for release at any time. When released, this will be the first official version of the OWASP Top 10 for mobile applications. The current list of OWASP Top 10 Mobile Risks (release candidate) is reproduced below:
Continue reading “OWASP ‘Top 10 Mobile Risks’ – Part 1”

Typosquatting-Use of Doppelganger Domains to steal data

We often mistype domain names when searching the web or trying to reach a website: for example, instead of gmail.com we may type gamil.com, or mis-key icicibank. Researchers have now shown that by registering ‘doppelganger’ domains (from the German Doppelgänger, a double or look-alike), such as a name that differs from a legitimate subdomain only by a missing dot, it is possible to collect e-mail and other data sent to them by mistake. An extract of the article is included here.
Continue reading “Typosquatting-Use of Doppelganger Domains to steal data”
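An added example, not from the article above, of the two name variants it describes: ‘doppelganger’ domains formed by dropping the dot between a subdomain and its parent (mail.company.com becomes mailcompany.com), and single-keystroke typos of the registrable label (gmail.com becomes gamil.com). A defender would feed the output to WHOIS or DNS lookups to see which variants somebody else has already registered; that lookup step is left out so the code runs offline. The domains used are examples, and treating the last label as the TLD is an assumption (real code should consult the Public Suffix List).

```python
"""Generate doppelganger and typo variants of a domain (added example)."""


def _labels(fqdn: str) -> list[str]:
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable domain name: {fqdn!r}")
    return labels


def doppelganger_domains(fqdn: str) -> set[str]:
    """Drop one dot between two labels, never merging into the TLD.

    mail.company.com -> {mailcompany.com}. Mail addressed to
    user@mailcompany.com is delivered to whoever registered that name.
    """
    labels = _labels(fqdn)
    out = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged))
    return out


def typo_domains(fqdn: str) -> set[str]:
    """Single-keystroke typos of the second-level label: one character
    omitted, two adjacent characters transposed, or one character doubled.
    (Assumption: the last label is the TLD.)
    """
    labels = _labels(fqdn)
    sld = labels[-2]
    variants = set()
    for i in range(len(sld)):
        variants.add(sld[:i] + sld[i + 1:])          # omission
        variants.add(sld[:i] + sld[i] + sld[i:])     # doubled character
    for i in range(len(sld) - 1):
        variants.add(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:])  # transposition
    variants.discard(sld)
    variants.discard("")
    return {".".join(labels[:-2] + [v] + labels[-1:]) for v in variants}


def all_variants(fqdn: str) -> set[str]:
    """Union of both kinds, ready for a WHOIS/DNS sweep (not done here)."""
    return doppelganger_domains(fqdn) | typo_domains(fqdn)


if __name__ == "__main__":
    for name in ("mail.company.com", "gmail.com"):
        print(name)
        for v in sorted(all_variants(name)):
            print("   ", v)
```

Note the asymmetry: typo variants target users who mis-key a name in a browser, whereas doppelganger domains target e-mail (a user who drops the dot in an address never sees an error, the message simply arrives at the attacker’s mail server), which is why the research found so much sensitive mail at these names.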

Some “Dumb” Hacks

Hackers are known to be very clever and smart, which they need to be to stay one step ahead of IT security professionals and law enforcement. However, here are some interesting “dumb moves” by hackers that helped the authorities track them down, extracted from an article by Alan Wlasuk and from a recent “PC World” article.

Continue reading “Some “Dumb” Hacks”