Posts

Posted on

Hackers Can Steal Your ATM PIN from Your Smartwatch Or Fitness Tracker

As your day-to-day apparel and accessories are turning into networked mobile electronic devices that attach to your body like smartwatch or fitness band, the threat to our personal data these devices collect has risen exponentially.

A recent study from Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think – and it could be used to steal your ATM PIN code.

The risk lies in the motion sensors used by these wearable devices. The sensors also collect information about your hand movements among other data, making it possible for

“attackers to reproduce the trajectories”

of your hand and

“recover secret key entries.”

In the paper,

titled

Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,”

computer scientists from the Stevens Institute of Technology and Binghamton University used a computer algorithm that can guess your password and PIN with about 80% success rate on the first attempt, and over 90% of the time with 3 tries.

Retrieving Passwords and PINs Using this Algorithm

Researchers say their “

Backward PIN-Sequence Inference

” algorithm can be used to capture anything a person type on any keyboard – from automatic teller machine or ATM keypads to mobile keypads – through infected smartwatches, even if the person makes the slight hand movements while entering PINs.

“The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose,” reports Phys.org.

Although the researchers do not name specific wearable devices that are vulnerable, they note that attackers can record information about your hand movements…

…either directly by infecting your wearable device with malware or remotely by intercepting the Bluetooth connection that links your wearable device to your phone.

The bottom Line:

The team says it doesn’t have any robust solution to prevent this attack but recommends manufacturers and developers to confuse attackers by inserting

“a certain type of noise data”

that would allow the device to be still used for fitness tracking, but not for guessing keystrokes.

Another way is to take a low-tech approach – Always enter your passwords or PINs with the hand that is not having a wearable device with the highly sophisticated motion tracker.

via https://ift.tt/29zohdi

Posted on

SWIFT Hackers Steal $10 Million From Ukrainian Bank

A Ukrainian bank has become the latest victim of the widespread cyber attack on global banking and financial sector by hackers who target the backbone of the world financial system, SWIFT.

Hackers have reportedly

stolen $10 Million

from an unnamed bank in Ukraine by exploiting the SWIFT international banking system, according to an independent IT monitoring organization called the Information Systems Audit and Control Association (ISACA).

Swift or the Society for Worldwide Interbank Financial Telecommunication is the global banking messaging system responsible for managing Billions of dollars in money transfers each day between financial institutions worldwide.

The ISACA branch in Ukraine, who has been hired by the targeted bank to investigate the heist, disclosed that some unknown hackers were able to compromise the bank’s security in similar way they

hacked Bangladesh central bank

and stole $81m (£56m), the Kyiv Post reports.

"At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars," ISACA reportedly said in a release.

The Swift hackers have already made a number of victims, including Bangladesh central bank, the Banco del Austro (BDA) bank in Ecuador and an unnamed commercial bank.

Also Read: How did Bank Hackers Go Undetected?

In February, Swift hackers managed to

steal $81 Million cyberheist

at the Bangladesh central bank’s account in the New York Federal Reserve through by hacking into SWIFT network using a piece of

malware that manipulated logs

and erased the fraudulent transactions history, and even prevented printers from printing those transactions.

The second incident

targeted an unnamed commercial bank

where malware installed on SWIFT was used against the banks’ PDF reader which was being used by the bank to check statement messages.

An Ecuadorian bank called Banco del Austro (BDA) also

lost about $12 million

in the cyber heist carried out at the beginning of last year by attacking the Swift global network.

In all incidents, the hackers have exploited flaws in banks funds’ transfer initiation environments, before messages being sent over SWIFT.

Here’s how Swift hackers target banks:

  • Uses malware to circumvent local security systems of a target bank.
  • Gains access to the SWIFT international messaging network.
  • Sends fraudulent messages via SWIFT to initiate money transfers from accounts at larger banks.

The recently attacked bank in question had not yet been named, as investigators are restricted by strict non-disclosure agreements until the Ukrainian bank itself agrees to go public with information.

via https://ift.tt/297pHgn

Posted on

Scan All Apps on Your Android Mobile Against Viruses and Malware


At Gizmo’s Freeware, we recommend using VirusTotal which is a free web application to scan a given file or a website’s URL to check if it contains any viruses, trojans, worms or other malware, or if the website is clean.

If you’re using an Android mobile device, VirusTotal also has an app too for you to scan all the apps, including user and system apps installed on your mobile and it is free…Read more

via https://ift.tt/28Vpme6

Posted on

Hacking Cars Getting Easier and More Dangerous

If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, being that vehicles are plagued with hundreds to thousands of security vulnerabilities.

via https://ift.tt/28TFrzL

Posted on

(IN)SECURE Magazine issue 50 released

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 50 has been released today.

(IN)SECURE Magazine issue 50

Table of contents

  • Securing the future: Best practices for keeping corporate information safe during an M&A
  • Executive hot seat: Ron Green, Executive VP, CISO at MasterCard
  • 7 tips to get the absolute best price from security vendors
  • How CISOs can bridge the gap between their organizations’ IT and security needs
  • Risk management: Risks are lurking everywhere
  • Report: Infosecurity 2016
  • Internet of Fail: How modern devices expose our lives
  • Executive hot seat: Sumedh Thakar, Chief Product Officer at Qualys
  • Security: Missing from DevOps thinking?
  • The life of a social engineer: Hacking the human
  • What 17 years as an infosec trainer have taught me.

via https://ift.tt/28Z4wdk

Posted on

Tenable Supports ISO/IEC 27001/27002 and CIS Critical Security Controls

According to the Trends in Security Framework Adoption Survey, research conducted by Dimensional Research on behalf of Tenable, adoption of security frameworks is at an all-time high. Your organization might adopt a security framework for many good reasons, including:

  • Identifying security gaps requiring additional investment. Comparing existing security controls to those recommended by an established security framework can highlight weaknesses that require additional controls.
  • Communicating business risk to executives and board members. Business leaders are often familiar with financial controls and will quickly grasp the concept of security controls. They will understand budget requests to implement controls needed to mitigate cyber risk.
  • Building a foundation to efficiently meet multiple compliance requirements. Rather than tackling each compliance requirement with ad hoc controls, a security framework can provide a single, extensible foundation to meet multiple compliance requirements.
  • Discussing security with external stakeholders. Major customers, cyber insurance suppliers and other business partners may have questions about an organization’s security program, and security frameworks provide a structured format for discussion.
  • Meeting due care/due diligence standards to limit liability. Many organizations have a legal obligation to understand the cybersecurity risks they face and then to implement appropriate controls that manage that risk. Failure to adequately manage risk may expose the organization, its executives and board members to legal action. For example, a U.S. appeals court recently ruled that the Federal Trade Commission has authority to pursue lawsuits accusing organizations of failing to properly safeguard consumers’ information.

Using multiple frameworks

Many organizations—44% according to the above mentioned survey—are using more than one framework. Some organizations are using a different framework in different parts of their businesses. However, many organizations are using multiple frameworks in a single business area. They are creating their own composite framework based on multiple published frameworks. This makes sense because the Center for Internet Security Critical Security Controls (CSC), ISO/IEC 27001/27002 (ISO 27K) and NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) frameworks are just that—frameworks. They are not strict standards designed to be adopted without at least some tailoring. The following snippets taken from each standard substantiate this:

  • CSF: “The Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources,” and “The Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes.”
  • ISO 27002: “This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable.”
  • CSC: “But this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures… ”

Tenable solutions

Recognizing the flexibility of these frameworks, Tenable has just released a comprehensive set of report, dashboard and Assurance Report Card (ARC) templates that support ISO 27K and CSC (formerly referred to as the SANS Top 20). You can easily tailor them to meet your specific needs. For example, you can mix and match components designed to support various frameworks, as the dashboard below shows. It includes components initially created for CSF, ISO 27K and CSC frameworks, which you could rename as desired to match your internal language. Additionally, you could easily design your own dashboards leveraging a template or by starting from scratch.

Tailored hardware asset management dashboard
Create a composite dashboard using components designed to support different frameworks

In addition to customizing reports, dashboards and ARCs, you can apply dynamic asset lists to reuse a single template with assets for different business systems. This is especially useful with ARCs because you can set different pass/fail thresholds for different business systems as needed to mitigate different risk levels. The following example displays the status of three different business systems relative to the CSC Foundational Cyber Hygiene controls. Notice the different thresholds for the CRM system and the financial reporting system.

CRM financial SCM top 5 ARC
Set specific pass/fail criteria for different business systems

More information

If your organization is using one or more security frameworks, Tenable can help you automate your technical controls and help you assess and communicate their status. Please visit the following pages for additional information:

Keep up with the latest from Tenable! Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page.

via https://ift.tt/28Mrs1b

Posted on

Gmelius Adds Tons of Scheduling, Snoozing, Tweaking, and Customization Options to Gmail

Chrome/Opera/Safari/Firefox (Beta): It’s been a while since we highlighted Gmelius, the add-on that cleans up Gmail’s interface and strips out ads. It’s grown since then, and now has features to send emails later on a schedule, snooze them, bundle in useful reminders, block email trackers, and more.

Back in the day, Gmelius’ biggest feature was that it removed ads from Gmail. Now, it can do a lot more. For example, it blocks email tracking attempts, and lets you “snooze” emails you want to deal with later to get them out of your inbox and have them reappear when you want to see them, and it can schedule drafts to send at a later date and time.

The add-on also makes email templates and canned responses much easier to use, and includes support for rich elements like GIFs and attachments to those canned replies. Finally, Gmelius includes a built-in to-do list manager. There are also other smaller features, like the option to generate return receipts if you tend to get emails from someone who nags you over and over about whether you got their message, and the option to send and label, so you can both reply to a message and organize it at once. It also includes a search plug-in, so you can search your Gmail inbox right from your browser’s URL bar.

To be fair, there are other apps, like Boomerang or Google’s own Inbox, that offer similar functionality, many of them for free. By comparison, you can sign up for Gmelius for free, but its best and most useful features are behind a $5/month price tag. Even so, if you use a Gmail or Google account for work, or just like all of that control in one place, it’s might be worth the dough. It’s available for Chrome, Opera, and Safari, with a beta version for Firefox available now.

Gmelius

via https://ift.tt/28QSa5R