via https://ift.tt/2e3bzY5
Second Hacker Group Targets SWIFT Users, Symantec Warns
A second hacking group has sought to rob banks using fraudulent SWIFT messages, cyber security firm Symantec said on Tuesday. The group is said to be using the same approach that resulted in $81 million in the high-profile February attack on Bangladesh’s central bank. From a Reuters report: Symantec said that a group dubbed Odinaff has infected 10 to 20 Symantec customers with malware that can be used to hide fraudulent transfer requests made over SWIFT, the messaging system that is a lynchpin of the global financial system. Symantec’s research provided new insight into ongoing hacking that has previously been disclosed by SWIFT. SWIFT Chief Executive Gottfried Leibbrandt last month told customers about three hacks and warned that cyber attacks on banks are poised to rise. SWIFT and Symantec have not identified specific victims beyond Bangladesh Bank. Symantec said that most Odinaff attacks occurred in the United States, Hong Kong, Australia, the United Kingdom and Ukraine.
Read more of this story at Slashdot.
via https://ift.tt/2dNAvji
This Infographic Shows the Common Ways Scammers Try to Phish Your Account
Chances are if your email or social media account has ever been compromised, you accidentally gave your credentials to the scammers yourself. The most common way to infiltrate an account is called phishing, in which people trick you into handing over your login info to false websites that look legitimate.
Phishing attacks aren’t new, of course, and there’s likely a deluge of such emails in your spam folder, but it’s still the leading cause of compromised accounts. This graphic from Digital Guardian highlights how you can spot phishing attempts in your inbox and how to avoid them. Whether it’s weird attachments that prey on your curiosity or spoofed links that take you to a false login page that imitates a familiar brand, there are a variety of techniques that scammers use to engineer their way into your account (often just to proliferate more spam). And it’s not just email; beware of shady text messages from unknown numbers or people posing as IRS agents requesting your private info.
Have a look at the graphic below for a thorough look at common phishing methods.
Don’t Get Hooked: How to Recognize and Avoid Phishing Attacks (Infographic) | Digital Guardian
via https://ift.tt/2dL5oHK
The Difference Between Two-Factor and Two-Step Authentication
You know you should use two-factor authentication everywhere you can, but there’s also “two-step” authentication, which may come off like the same thing. They’re really not. Here’s the difference, and what you should know about both.
Old security heads will know the difference here just because of the names, but since they’re often used interchangeably by companies looking to obfuscate the difference, it’s worth highlighting the separation between them. This thread at StackExchange sums up the difference well for anyone unfamiliar, or who doesn’t get the nuance. This answer from tylerl teases out the nitty-gritty details:
Two-factor authentication refers specifically and exclusively to authentication mechanisms where the two authentication elements fall under different categories with respect to “something you have”, “something you are”, and “something you know”.
A multi-step authentication scheme which requires two physical keys, or two passwords, or two forms of biometric identification is not two-factor, but the two steps may be valuable nonetheless.
A good example of this is the two-step authentication required by Gmail. After providing the password you’ve memorized, you’re required to also provide the one-time password displayed on your phone. While the phone may appear to be “something you have”, from a security perspective it’s still “something you know”. This is because the key to the authentication isn’t the device itself, but rather information stored on the device which could in theory be copied by an attacker. So, by copying both your memorized password and the OTP configuration, an attacker could successfully impersonate you without actually stealing anything physical.
The point to multi-factor authentication, and the reason for the strict distinction, is that the attacker must successfully pull off two different types of theft to impersonate you: he must acquire both your knowledge and your physical device, for example. In the case of multi-step (but not multi-factor), the attacker needs only to pull off one type of theft, just multiple times. So for example he needs to steal two pieces of information, but no physical objects.
The type of multi-step authentication provided by Google or Facebook or Twitter is still strong enough to thwart most attackers, but from a purist point of view, it technically isn’t multi-factor authentication.
So what does this all mean for you? Well, nothing really—if a service offers two-step or two-factor, you should absolutely enable it, and it’s not like a service will give you a choice between the two. There are differences between types of two-factor, and you should absolutely choose the best one for you, but the bottom line is that being aware of the differences will help you understand exactly how secure your most important accounts really are.
Two-Step vs. Two-Factor Authentication – Is there a difference? | StackExchange
Photo by Brianetta.
via https://ift.tt/2dPpC34
Google WiFi is a router that simplifies whole-home wireless
Those rumors of Google giving WiFi routers another shot? They’re true. Meet Google WiFi, a router designed entirely in-house… and with a few nice advantages over the OnHub line. Apart from being much smaller (no vase-like design here), its big trick is its ability to create an Eero-style mesh network. You only have to add additional units to your network to improve coverage — there’s a Network Assistant app that makes it easy to add more routers and improve your signal.
Companion software also lets you control the devices linked to the router, such as enabling or disabling their connections. You’ll have to wait until December to get Google WiFi (pre-orders start in November), but the pricing at least hits the sweet spot. Routers cost $129 each, and you can get a three-pack for $299 if you need to blanket your home.
Click here to catch all the latest news from Google’s fall event.
Source: Google WiFi
via https://ift.tt/2dt1Pm8
High-Tech Card Rolled Out By French Banks Replaces CSC Number Every Sixty Minutes To Prevent Fraud
French digital security firm Oberthur Technologies has come up with a method for making stolen cards useless after an hour. Called the Motion Code, the card replaces the fixed, three-digit Card Security Code (CSC) that sits next to your signature with a miniature display that shows a new number every 60 minutes. From a PopularScience report: In order to combat the rise of online credit card theft, several French banks are partnering with security company Oberthur Technologies to create a credit card with a security code that is constantly changing so that within an hour, a stolen number will be useless. Online credit card fraud is a rapidly growing problem. Thieves can steal your credit card info in a number of ways, such as hacking various consumer websites, or phishing, where they trick you into handing over your information yourself. Once they have your credit card numbers, thieves can go on a spending spree until you or your bank notice, and by the time that happens you can wind up with thousands of dollars in debt. Many banks try to combat this problem by flagging suspicious transactions, but this is an imperfect system that can miss real fraud and accidentally catch legitimate use. Now, two French banks, Societe Generale and Groupe BPCE, are introducing a new system to prevent fraud.
Read more of this story at Slashdot.
via https://ift.tt/2d0Mkmg
Checklist: IoT security and privacy
The Online Trust Alliance (OTA) released the consumer IoT security and privacy checklist, which contains steps consumers can take to help increase the security, privacy and safety of their connected home and wearable technologies.
OTA recommends consumers utilize this checklist to regularly reassess their security and privacy settings on their IoT devices. Not unlike changing the batteries on a smoke detector once a year, consumers should tune up and optimize IoT device settings regularly.
While many people cite safety as a top reason for buying smart devices and homes, conclusive research shows that security and privacy concerns are the biggest barriers to IoT adoption. OTA hopes that by having consumers play an active role in their smart device’s security and privacy, it will not only increase the security and privacy of those devices but also boost consumer confidence in them.
“In this increasingly complex world of connected devices, consumers cannot take it for granted that their devices remain safe, secure and private year after year,” said Craig Spiezle, Executive Director Online Trust Alliance. “As people acquire more devices, the long term risks to their family and community rise exponentially.”
From connected home to health and fitness devices, consumers are realizing significant benefits from the Internet of Things, but the devices’ growing complexity and popularity make them difficult to manage. As devices age and become unsupported, many risk becoming insecure while still collecting and potentially sharing vast amounts of personal data.
Checklist: IoT security and privacy
- Inventory all devices within your home and workplace that are connected to the Internet and network. Router reports can help determine what devices are connected to your network. Disable unknown and unused devices.
- Contact your ISP to update routers and modems to the latest security standards. Change your router SSID to a name which does not identify you, your family or the device.
- Check that the contact information for all of your devices is up-to-date, including an email address you regularly use to receive security updates and related notifications.
- Confirm devices and their mobile applications are set for automatic updating to help maximize protection. Review their sites for the latest firmware patches.
- Review all passwords, creating unique passwords and user names for administrative accounts, and avoid using the same password for multiple devices. Delete guest codes no longer used. Where possible, implement multi-factor authentication to reduce the risk of your accounts being taken over. Such protection helps verify who is trying to access your account—not just someone with your password.
- Review the privacy policies and practices of your devices, including data collection and sharing with third parties. Your settings can be inadvertently changed during updates. Reset as appropriate to reflect your preferences.
- Review devices’ warranty and support policies. If they are no longer supported with patches and updates, disable the device’s connectivity or discontinue usage of the device.
- Before discarding, returning or selling any device, remove any personal data and reset it to factory settings. Disable the associated online account and delete data.
- Review privacy settings on your mobile phone(s), including location tracking, cookies, contact sharing, Bluetooth, microphone and other settings. Set all your devices and applications to prompt you before turning on features and sharing any data.
- Back up your files including personal documents and photographs to storage devices that are not permanently connected to the Internet.
“As millions of cars, apps and household devices connect to the Internet, we need to discuss the privacy implications and resolve key questions about data ownership and management,” said Washington State Chief Privacy Officer, Alex Alben. “For the IoT to thrive in the long term, consumers will have to trust that their data and concerns about personal privacy are addressed, and OTA’s recommendations are a positive step to accomplishing this.”
via https://ift.tt/2dsjYBh
Indonesia: Suspect deliberately screened Japanese porn flick on billboard, police say
POLICE in Indonesia say the person who screened a Japanese pornography scene on a large LED display in South Jakarta on Friday did it on purpose. National Police’s Criminal Investigation Department chief Comr.
via https://ift.tt/2dzgqOC
Raptor WAF – C Based Web Application Firewall
Raptor WAF is a Web Application Firewall made in C, using DFA to block SQL Injection, Cross Site Scripting (XSS) and Path Traversal.
DFA stands for Deterministic Finite Automaton also known as a Deterministic Finite State Machine.
It’s essentially a simple web application firewall written in C following the KISS principle. It polls sockets with the select() function, which is not as efficient as epoll() or kqueue() (from *BSD) but is portable.
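To show what “using DFA to block SQL injection, XSS and path traversal” means in practice, here is an added example in Python (not Raptor WAF’s own C code; its signature list, field names and sample requests are constructed for this page). Each literal signature is compiled into a KMP-style deterministic automaton, so every request field is scanned in a single left-to-right pass with no backtracking, and input is percent-decoded until stable before matching so a double-encoded traversal string cannot slip past the automaton.

```python
import urllib.parse

# Constructed signatures for the three attack classes the WAF targets (not Raptor's own rules).
SIGNATURES = {
    "path_traversal": ["../", "..\\"],
    "xss": ["<script", "javascript:", "onerror="],
    "sqli": ["' or ", "union select", "'; drop "],
}


def build_dfa(pattern: str):
    """Compile one literal pattern into a DFA (the Knuth-Morris-Pratt construction).
    dfa[state] maps a character to the next state; characters not listed return to state 0.
    Reaching state len(pattern) means the whole pattern has just been read."""
    m = len(pattern)
    dfa = [dict() for _ in range(m + 1)]
    dfa[0][pattern[0]] = 1
    restart = 0  # state the automaton would be in after the longest proper suffix of pattern[:j]
    for j in range(1, m):
        dfa[j].update(dfa[restart])   # on mismatch, continue as the restart state would
        dfa[j][pattern[j]] = j + 1    # on match, advance
        restart = dfa[restart].get(pattern[j], 0)
    return dfa


def dfa_match(dfa, text: str) -> bool:
    """One pass over the input, O(len(text)) regardless of pattern."""
    accept = len(dfa) - 1
    state = 0
    for ch in text:
        state = dfa[state].get(ch, 0)
        if state == accept:
            return True
    return False


COMPILED = {cat: [(sig, build_dfa(sig)) for sig in sigs] for cat, sigs in SIGNATURES.items()}


def normalize(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (defeats double encoding), then lowercase
    so the automata can use lowercase signatures."""
    text = raw
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def inspect_request(fields: dict) -> list:
    """Scan every request field; return (field, category, signature) for each hit.
    An empty list means the request passes."""
    hits = []
    for name, raw in fields.items():
        text = normalize(raw)
        for category, dfas in COMPILED.items():
            for sig, dfa in dfas:
                if dfa_match(dfa, text):
                    hits.append((name, category, sig))
    return hits


# Constructed sample requests, keyed by what they are meant to exercise.
REQUESTS = {
    "benign": {"path": "/search", "q": "raptor waf select vs epoll"},
    "traversal": {"path": "/static/%252e%252e%2f%252e%252e%2fetc/passwd"},  # double-encoded
    "xss": {"comment": "<SCRIPT>alert(1)</SCRIPT>"},
    "sqli": {"user": "admin' OR 1=1--"},
}

if __name__ == "__main__":
    for label, fields in REQUESTS.items():
        verdict = inspect_request(fields)
        print(f"{label:10s} -> {'BLOCK ' + str(verdict) if verdict else 'pass'}")
```

Two caveats a practitioner should keep in mind: a literal-signature DFA only catches what the normalizer can reduce to the signature’s bytes (HTML entities or Unicode look-alikes in the XSS case are not decoded here), and short signatures such as `' or ` will also fire on ordinary text, so each rule needs a false-positive check against real traffic before it is set to block rather than log. That trade-off is why the article describes this class of tool as catching most, not all, common attacks.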
Features
WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend against web attacks, most commonly SQL injection and XSS.
- Block XSS, SQL Injection attacks and path traversal
- Blacklist IPs to block users using config/blacklist ip.txt
- Supports IPv6 and IPv4 for communication
Coming in the Future
- DoS protection
- Request limits
- Rule interpreter
- Malware detection for uploads
- SSL/TLS Support
Do bear in mind this is an early-stage, almost proof-of-concept tool and not really production tested or ready. I think it’d be a great project to contribute to, and most people don’t need a super complex WAF – just something REALLY reliable, stable and performant that blocks 80-90% of the common attacks.
Other options for a WAF:
– NAXSI – Open-Source WAF For Nginx
– Amazon AWS Web Application Firewall (WAF ) Launched
– ModSecurity – Open Source Web Application Firewall
You can download Raptor WAF here:
Or read more here.
via https://ift.tt/2cNozQ4
Introducing RATtrap, the world’s first subscription free smart firewall for home users
IoT Defense Inc., a security startup, has emerged out of stealth mode and is introducing RATtrap to the world. RATtrap is the world’s first subscription free, zero configuration, auto-updating, smart firewall which protects home users from hackers and cyber-criminals.
via https://ift.tt/2cInV1o
