Monday, July 28, 2014

What drones can do for you


From a PR standpoint this is not a good time to be a drone. Most mentions of drones in the media are not particularly flattering. You hear about military drones, predator drones, pepper-spray-bullet drones--yes, really--and drones used by creepy guys. Any mention of the word drone is usually followed by the potential threats drones pose to our safety and our privacy.
It could really hurt someone's feelings... if drones were capable of having feelings, I suppose.

But it turns out that drones have a softer side, too. And it's not just because design maven Martha Stewart has been posting pictures of her Connecticut farm taken by a DJI Phantom drone. Even with regulations limiting commercial drone use in the US and elsewhere, hobbyists, scientists, videographers and others have discovered numerous ways for drones to do good, save lives and make the world a happier place. Here are five great examples.


Drones can give us new perspectives

Because they can go where most people can't, drones can help give us a view we normally couldn't enjoy. And that enables new ways to learn, understand, and express ourselves. Take a DJI Phantom--available for less than $1500--fit it with a GoPro camera, and set it loose in the skies above Manhattan, and you'll get an appreciation for how drones can enhance your outlook on things.

Drones can help us see the world

Traveling to remote parts of the globe can be thrilling; it can also be costly. Riding along, virtually, with a drone can help you see places you might not otherwise get to visit, and you don't even have to update your passport. Travel By Drone crowdsources drone videos from around the world, offering a unique view of the places you may someday get a chance to visit for real.


Sunday, July 27, 2014

Hackers Using DDoS to Distract Infosec Staff


Hackers are increasingly using DDoS attacks as a kind of 'smokescreen' that helps them carry out data breaches.

Your organization is more likely to come under a distributed denial of service (DDoS) attack than ever before, according to a new report. But if you end up on the receiving end of a DDoS attack, that may be the least of your worries.
That's because hackers are using DDoS attacks as decoys to occupy security staff while they attack their networks and steal data, according to Susan Warner, a DDoS product specialist at cloud-based DDoS mitigation service provider Neustar.
Presenting the findings of her organization's latest DDoS Attacks and Impact Report at the recent InfoSecurity Europe 2014 conference, she said, "These attacks are increasingly being used as a smokescreen. If a company is caught flat-footed by the DDoS attack, IT staff are tied up in the moment of crisis. That is an ideal opportunity for hackers to attack."
DDoS attacks are typically thought to be carried out for one of four reasons: for fun - by mischievous hackers or script-kiddies; for revenge - perhaps by a disgruntled ex-employee; to try to make some political or social point; or to try to extort money from victims in exchange for ceasing the attack.
But, said Warner, if you are a criminal then why bother getting involved in extortion if you can use the DDoS attack as a smokescreen while you go in and steal IP and other valuable data?

DDoS Link to Data Breaches

It turns out that 55 percent of all DDoS targets in the report were also victims of security breaches where attackers stole funds, customer data or intellectual property. In just under half of cases, the victims had viruses or other malware installed or activated on their systems during the DDoS attack.
It's usually not possible to prove that the perpetrators of the DDoS attack were also those responsible for the network infiltrations, but it seems likely that the two would be connected. It's possible, of course, that once a company comes under a DDoS attack other hackers take advantage of this to attack as well. This is less likely, though, given that just over three quarters of all attacks last less than a day.
That gives little time for opportunist "third party" hackers to carry out reconnaissance and successfully breach perimeter defenses -- especially as the victim is under a DDoS attack, making it hard, by definition, for these hackers to reach the victim's network in the first place. (The perpetrators of the DDoS attack can launch hack attacks during lulls, which they can time as they please.)
So if your company comes under a DDoS attack - and about 60 percent of companies do come under attack every year according to the report - is there any way of telling if the attack is a smokescreen for other hacker activities?
Warner recommends watching for two warning signs:
Shorter, more intense DDoS attacks: criminals who use DDoS as a smokescreen don't need to disrupt your business for a long time. But they do need to make the attack intense enough to try to make your IT staff drop everything and concentrate on mitigating it.
Lack of extortion or political demands: If there's no ransom demand or call for some action to satisfy a socio-political cause, that might indicate that the perpetrators are using the DDoS attack as a smokescreen. But they could also issue demands as a further smokescreen, so don't fall into the trap of believing that just because they have issued demands they are not also working away behind the scenes to breach your network.
When it comes to defending against DDoS attacks, the fact that some may be smokescreens for other types of attack has important security implications.

Human Resources

The most important of these is not to let your IT staff become focused on mitigation to the extent that they take their eye off the ball when it comes to the rest of your corporate security, warned Warner. "You need someone (or a team) to deal with the DDoS attack, and someone else (or another team) worries about everything else."
It's also important not to underestimate how many people may be required to mitigate a DDoS attack. The number of attacks that required more than 10 people in an organization to "put out the fire" more than doubled between 2012 and 2013, according to the Neustar research.

DDoS Now Shorter, More Intense

One particularly interesting finding of the report is that DDoS attacks appear to be getting shorter in duration. In 2012 63 percent lasted less than a day, whereas last year that number was 77 percent. And while 13 percent lasted more than a week in 2012, that number fell to less than 3 percent in 2013. That's another clue that smokescreen attacks are on the increase.
Another interesting tidbit: In 2013 the number of DDoS attacks that involved a bandwidth of between 1Gbps and 5Gbps almost trebled, although the vast majority were less than 1Gbps. Attacks that use DNS responses to amplify traffic volumes are making it easier than ever for small-time hackers to launch very large bandwidth attacks.

DDoS Mitigation Tips

The best way to cope with a DDoS attack is to be prepared for one before it happens. Here are four important preparations:
  • Nominate a DDoS leader in your company who is responsible for acting should it come under attack
  • Ensure you understand your typical inbound traffic profile so you can recognize when you are coming under attack as soon as possible
  • Have emergency contacts for your ISP or hosting provider in hand
  • Put a DDoS plan in place with your ISP or host, so that it can begin mitigation or divert your traffic to a mitigation specialist with a minimum delay
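The two warning signs above (short, intense attacks) and the tip about knowing your normal inbound traffic profile come together in the following added example, which is not from the article or from Neustar. It learns a per-minute request-rate baseline from constructed "normal" web-server log lines, flags minutes in a later log that exceed that baseline, and reports how long each spike lasted and how far above normal it peaked; the timestamps, client addresses and rates are all constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
import statistics


def minute_counts(lines):
    """Requests per minute from lines shaped '<ISO timestamp> <client ip> <path>'."""
    counts = Counter()
    for line in lines:
        stamp = line.split(" ", 1)[0]
        counts[datetime.fromisoformat(stamp).replace(second=0)] += 1
    return counts


def build_profile(baseline_lines):
    """Typical per-minute rate (mean, stdev) learned from known-normal traffic."""
    values = list(minute_counts(baseline_lines).values())
    return statistics.mean(values), statistics.pstdev(values)


def flag_minutes(live_lines, profile, z=5.0):
    """Minutes whose rate exceeds mean + z*stdev (stdev floored at 1 to avoid a zero band)."""
    mean, sd = profile
    threshold = mean + z * max(sd, 1.0)
    live = minute_counts(live_lines)
    flagged = sorted(m for m, c in live.items() if c > threshold)
    return flagged, live


def spike_windows(flagged):
    """Group consecutive flagged minutes into (start, end, length_in_minutes) windows."""
    windows = []
    for m in flagged:
        if windows and m - windows[-1][1] == timedelta(minutes=1):
            windows[-1][1] = m
        else:
            windows.append([m, m])
    return [(s, e, int((e - s).total_seconds() // 60) + 1) for s, e in windows]


def assess(baseline_lines, live_lines, z=5.0):
    """Compare live traffic with the baseline; short, very intense windows are the smokescreen pattern."""
    profile = build_profile(baseline_lines)
    flagged, live = flag_minutes(live_lines, profile, z)
    peak = max((live[m] for m in flagged), default=0)
    return {
        "baseline_mean": round(profile[0], 1),
        "windows": spike_windows(flagged),
        "peak_rate": peak,
        "peak_ratio": round(peak / profile[0], 1),
    }


def constructed_log(start, minutes, rate_of_minute):
    """Constructed access log: rate_of_minute(m) requests during minute m, from documentation-range IPs."""
    lines = []
    for m in range(minutes):
        for i in range(rate_of_minute(m)):
            t = start + timedelta(minutes=m, seconds=i % 60)
            lines.append(f"{t.isoformat()} 203.0.113.{i % 200 + 1} /index.html")
    return lines


def demo():
    """One quiet hour as baseline, then an hour with an 8-minute burst at roughly 28x the normal rate."""
    day = datetime(2014, 7, 27, 9, 0, 0)
    baseline = constructed_log(day, 60, lambda m: 100 + (m * 7) % 21)
    live = constructed_log(day + timedelta(hours=1), 60,
                           lambda m: 3000 if 20 <= m < 28 else 100 + (m * 5) % 21)
    return assess(baseline, live)


if __name__ == "__main__":
    result = demo()
    for start, end, length in result["windows"]:
        print(f"spike {start:%H:%M}-{end:%H:%M}: {length} min, "
              f"peak {result['peak_rate']} req/min ({result['peak_ratio']}x baseline)")
```

A burst that is brief but far above baseline is exactly the shape the article says to treat as a possible decoy, so the alert is the moment to make sure someone is still watching the rest of the network.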

50,000 sites hacked through WordPress plug-in vulnerability


A critical vulnerability found recently in a popular newsletter plug-in for WordPress is actively being targeted by hackers and was used to compromise an estimated 50,000 sites so far.
The security flaw is located in MailPoet Newsletters, previously known as wysija-newsletters, and was fixed in version 2.6.7 of the plug-in released on July 1. If left unpatched, it allows attackers to upload arbitrary PHP files on the Web server and take control of the site.
MailPoet Newsletters has been downloaded almost 2 million times from the official WordPress plug-in repository to date.
Several days ago researchers from Web security firm Sucuri spotted an automated attack that injected a PHP backdoor file into many WordPress sites. A deeper analysis revealed that the attack exploited the MailPoet file upload vulnerability patched at the beginning of the month.
“The backdoor is very nasty and creates an admin user called 1001001,” the Sucuri security researchers said Wednesday in a blog post. “It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place.”
The Sucuri free website scanner, which people use voluntarily, detects a few thousand sites compromised by this attack every day, according to Daniel Cid, chief technology officer at Sucuri. However, Sucuri estimates that up to 50,000 sites were infected so far, he said Thursday via email.
Some sites that didn’t have MailPoet installed or were not even using WordPress were also compromised, because of what Cid calls cross-contamination. If one Web hosting account has a WordPress site vulnerable to this attack, the PHP backdoor uploaded through it can infect all sites hosted under that same account.
“On most shared hosting companies—GoDaddy, Bluehost, etc.—one account can not access files from another account, so the cross-contamination would be restricted to sites within the same account,” Cid said. However, in other cases, “if the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server.”
The injection script used in the initial attack had a bug that damaged legitimate site files, resulting in obvious errors. That’s no longer the case, as attackers fixed their code and the latest variation of the malware no longer breaks websites, Cid said.
In order to protect their WordPress websites from this attack, administrators should update the MailPoet plug-in to the latest version, which at this time is 2.6.9. Version 2.6.8 of the plug-in, released on July 4, addressed an additional security issue.
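The following added audit script is not from the article, Sucuri or MailPoet. It reads the installed plug-in version from the standard WordPress plug-in header comment and compares it with the 2.6.7 fix and 2.6.9 current versions named above, looks for the "1001001" administrator account Sucuri describes (and any administrator not on an expected list), and lists PHP files sitting under the uploads directory, since the flaw allowed arbitrary PHP uploads. The plug-in header text, user table and file paths are constructed sample inputs.

```python
import re

FIXED_VERSION = (2, 6, 7)    # first MailPoet release with the upload fix (from the article)
LATEST_VERSION = (2, 6, 9)   # latest release at the time of the article
INDICATOR_LOGIN = "1001001"  # admin account the backdoor creates, per Sucuri


def parse_plugin_version(header_text):
    """Extract 'Version: x.y.z' from a WordPress plug-in header comment; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_status(installed):
    """'vulnerable' below the fix, 'outdated' below the latest, else 'current'."""
    if installed is None:
        return "unknown"
    if installed < FIXED_VERSION:
        return "vulnerable"
    if installed < LATEST_VERSION:
        return "outdated"
    return "current"


def suspicious_admins(users, expected_admins):
    """Administrator logins that are the known indicator or not in the expected set."""
    expected = set(expected_admins)
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator"
                  and (u["login"] == INDICATOR_LOGIN or u["login"] not in expected))


def php_under_uploads(paths):
    """PHP files in wp-content/uploads, where a stock install keeps only media."""
    return sorted(p for p in paths
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(".php"))


def audit(plugin_header, users, paths, expected_admins):
    version = parse_plugin_version(plugin_header)
    return {
        "installed": version,
        "status": version_status(version),
        "suspicious_admins": suspicious_admins(users, expected_admins),
        "php_in_uploads": php_under_uploads(paths),
    }


# Constructed sample inputs standing in for the plug-in file, the users table and a file listing.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: MailPoet Newsletters
 * Version: 2.6.5
 */
"""
SAMPLE_USERS = [
    {"login": "editor_jane", "role": "administrator"},
    {"login": "1001001", "role": "administrator"},
    {"login": "writer_bob", "role": "author"},
]
SAMPLE_PATHS = [
    "wp-content/uploads/2014/07/banner.png",
    "wp-content/uploads/2014/07/sample-dropped.php",   # constructed name, not a real IoC
    "wp-content/plugins/wysija-newsletters/index.php",
]

if __name__ == "__main__":
    report = audit(SAMPLE_HEADER, SAMPLE_USERS, SAMPLE_PATHS, expected_admins=["editor_jane"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

The version check is the cheap first step; the account and uploads checks matter because, as the article notes, an already-planted backdoor survives a plug-in update and can also have spread to other sites in the same hosting account.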

Saturday, July 26, 2014

Why two-factor log-ins are a good idea



I've recently spoken about improving your general security by using longer, easier-to-remember passwords, but there are also many services now offering a two-factor or two-step log-in option. So what is it?
More formally known as two-factor authentication, this is a security procedure that requires you to input both a password and a code that is generated to be typed in at the moment you are logging in. This second factor means that someone would not only need your password, but also your smart phone or whatever other device is used to deliver you the code.
If you're a Google user, you can add this to your Google log-in — even game company Blizzard offers it for gamers. And, of course, your bank can offer such added security, too.
If you're looking for that extra something to make your log-in security rock solid, look for two-factor authentication.

Protect your device from malicious ads

The chances of encountering a malware-bearing ad on your phone or tablet are increasing. But blocking ads on mobile is neither easy nor very effective. Here's a better approach to ad-blocking on your device.
Much attention has been paid this week to the Heartbleed security hole that has affected hundreds of thousands of Web servers. Read staff writer Richard Nieva explain how you can protect yourself from the Heartbleed bug.
In a nutshell, the best protection is to change your Web passwords. All of them. In a post from December 2011, I explained how you can master the art of passwords.
There's not much consumers can do to guard against infected servers, but there's plenty we can do to prevent becoming the next victim of the growing legion of malware purveyors. In a nutshell, don't click that link. This goes double for links in apps on our mobile devices, which generally aren't as well protected as PCs.
According to the Cisco Security Blog's March 2014 Threat Metrics released earlier today, advertising is the most likely source of malware on mobile devices, increasing from 13 percent of mobile malware occurrences in February 2014, to 18 percent last month. Business sites were the source of 13 percent of mobile malware encounters in March, down from 20 percent the previous month; video sites accounted for 11 percent of mobile infections in the most recent month, compared to only 7 percent in the preceding month, according to the report.

Don't be tricked into a malicious click

Security vendor Blue Coat Systems' 2014 Mobile Malware Report points out the increasing danger of ads on mobile devices. According to the report, Web ads supplanted pornography as the most frequent source of mobile malware, accounting for just under 20 percent of all mobile "threat vectors" in February 2014, compared to only 5.7 percent in November 2012; porn-based threats decreased to 16.5 percent of mobile malware encounters from more than 22 percent in the earlier period.

Malware authors target Android phones

Researchers report the number of malicious apps available on the Google Play store continues to grow. Your best defense is a security app, a cautious approach to downloads, and a close eye on your bank and credit card statements.


Most of us do whatever we can to avoid coming into contact with malware. Brandt spends his workdays attracting the stuff.
As Blue Coat Systems Director of Threat Research, Brandt uses a "honey pot" Internet server intended to catch malware purveyors in the act. While Brandt was demonstrating the honey pot to me, I told him it was as if he were living on the edge of a volcano.
"It's more like watching a bank of video security cameras focused on a high-crime area," he said. Brandt's surveillance server is completely sandboxed, which allows his team of security analysts to keep tabs on the doings of the Internet's bad guys without any risk to real data or systems.
Brandt described a recent encounter he had with a malicious app that found its way onto his Android phone. "I had downloaded an unrelated app a few hours earlier. [Out of nowhere], I get a text message on the phone thanking me for subscribing [to a $4-a-month service]." The malware had managed to sign Brandt up for the subscription from his phone without requiring any permissions.
"If it hadn't been for that message, I would have had no notice of the unauthorized charge until I saw it on my credit card bill," Brandt explained. This highlights two of the things phone users need to do to protect themselves: keep a close watch on their bank and credit card statements, and respond right away to challenge illegitimate charges.

Without a security app, your phone is exposed

The convergence of phone malware and workers connecting their phones to organizations' internal networks is causing IT managers to lose sleep, according to Brandt. "BYOD [Bring Your Own Device] makes it nearly impossible for IT to prevent their networks from being exposed," he explains.
According to security firm RiskIQ's recent study, the number of malicious apps on the Google Play store increased by 388 percent from 2011 to 2013. Meanwhile the percentage of malware apps removed by Google each year went from 60 percent in 2011, to just 23 percent in 2013. The percentage of malware apps on the Google Play store jumped from 3 percent in 2011 to 9 percent in 2012, and to almost 13 percent in 2013, according to RiskIQ's research.

7 best practices for smartphone security



1. Set a lock code

From email to texts, phonebook entries, and pictures, your phone has lots of personal information that's potentially accessible to prying eyes. Bottom line: if you take your phone out of your house, you should definitely use a lock code. You can use a 4-digit PIN or an actual password with letters, numbers, and characters, as Kent German points out. This will help keep nosy people or thieves from easily accessing your information.

2. Enable 'Do Not Track' in your mobile Web browser

Any information you provide on a website is collected and likely used for serving you relevant advertisements. The Do Not Track option asks websites to refrain from collecting your data. The Google Chrome browser for Android and Safari on iOS will allow you to set up Do Not Track. While enabling this option does not guarantee that your data will not be collected, some websites will adhere to your preference.

3. Block your phone number when necessary

When you call a business that might collect your number, it’s a good idea to thwart its efforts. As Dennis O’Reilly points out, many places will collect your number, any information attached to it, and then use it for profit.
If you don’t want to toggle number blocking on and off just for businesses, you might consider using Google Voice to call businesses. Then you can very easily block any incoming call that isn’t in your phone book.

4. Avoid answering spam calls

There are a lot of telemarketing services that will call your phone just to determine if the number actually reaches a person. Once that happens, your number is put on a list that is sold to other companies, and you'll receive even more spam calls and possibly texts. If you’re not on an unlimited plan, you may incur additional charges for text messages you didn’t want to receive in the first place.

Instead of picking up and confirming your number, use a caller ID solution to figure out who is trying to reach you. On Android, check out Current Caller ID by Whitepages, which will display caller information as a small window on the incoming call screen. On iOS, you’ll have to use a slightly different approach: install Truecaller and take a screenshot of an incoming call for the app to identify the caller (the app creators say that currently there is no way to intercept the call process).

5. Use a recovery app to find a lost or stolen device

Panic strikes as you realize that your smartphone isn’t in your pocket. Where was I last?! When did I set the phone down? Did I drop it when I got out of my car? With the recovery apps on Android and iOS, you can lock down access to your device and even find its current GPS location.

6. Add owner contact info to your device

If your device gets lost in the wild and some Good Samaritan finds it, how will they find you? For this reason, you should add enough contact information to the device that it can be used to contact you. For instance, you don’t need to provide your whole name -- maybe just a first name and last initial -- and a phone number of a friend or relative who can get in touch with you about your lost device. Think of it like a pet tag for your Android or iPhone.

7. Stay physically secured

Despite all your efforts blocking access to your apps, number, or other information, you are still faced with the threat of someone physically stealing your device. To combat this, Jessica Dolcourt recommends keeping a firm grip, putting the device in a hard-to-access place (tight front pocket, deep pocket in bag), and refraining from advertising the fact that you have an amazing new device. Hopefully these tips will keep your phone from taking an unwanted excursion with a thief.

Friday, July 25, 2014

Free Active Phishing Sites Repository Launched by FraudSense


Download the complete phishing feed here: OpenPhish


A new source for checking the latest active phishing websites, called OpenPhish, has become available online, from FraudSense, a company that offers anti-phishing intelligence services.

OpenPhish is similar to PhishTank in that it provides real-time information about the URLs that have been identified as phishing.

The difference is that OpenPhish shows the targeted brand on the main page and, more importantly, offers intelligence about the cyber crooks, collected from FraudSense’s systems.

This refers to emails that are associated with the threat actors, metadata and statistics, and even the kit used to create the phishing site. Such details do not accompany all entries of the phishing feed, though, as the service makes them available only to paying customers.

“We launched OpenPhish to help the global effort in the fight against phishing and cybercrime. Using our automated phishing detection technology, we are able to provide real-time information about phishing sites activity, thus allowing organizations to take immediate action in protecting their users,” a representative of the company told us via email.

FraudSense is based in Tel Aviv and was founded in 2011. It is focused on providing anti-phishing technology that relies on proprietary detection algorithms leveraging cognition, artificial intelligence and active learning.

The protection measures for a database used to serve the public website of the European Central Bank (ECB) have been bypassed, and the intruder(s) stole contact information of individuals registered for different events.
The announcement, which came out today, states that the intruders contacted ECB officials and demanded a ransom in exchange for the data. The amount requested was not specified.

It appears that the nefarious act became known after the intruders sent their ransom demand to ECB.

As far as the details accessed are concerned, these were stored separately from any internal ECB system and were not fully encrypted; email addresses, street addresses and phone numbers are accessible in plain text.

The news release states that no market sensitive data was compromised, and that the information on the downloads from the European Bank Website was encrypted.

“The ECB is contacting people whose email addresses or other data might have been compromised and all passwords have been changed on the system as a precaution,” say the officials.

German police have been informed of the incident and an investigation has been started in order to identify the intruders, who leveraged a vulnerability that has since been addressed on the ECB systems.

Romanian gang used malware to defraud international money transfer firms
Romanian and French authorities have dismantled a cybercriminal network that infected computers at money transfer outlets across Europe and used them to perform illegal transactions.

The gang was also involved in the theft of credit card details through skimming, credit card cloning, money laundering and drug trafficking, Europol announced Thursday.

The gang, which was composed mostly of Romanian citizens, infected computers at copy shops that also operated as money transfer franchises in Austria, Belgium, Germany, Norway, the U.K. and other European countries. No details were released about how the computers were infected, but Europol said that the attackers used a remote access Trojan (RAT) program.

The Trojan allowed the gang’s members to control the compromised systems remotely and perform unauthorized transactions through them. The attackers used their illegal access to initiate fraudulent money transfers from fictitious senders to real recipients, who then withdrew the money from different money transfer outlets, primarily in Romania, the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) said in a press release.

According to DIICOT, the losses to a single unnamed money transfer franchisor exceeded US$800,000, but the total losses resulting from the gang’s activities are estimated at over €2 million (US$2.7 million).

Police in France and Romania executed 117 house searches Wednesday and seized large sums of money, luxury vehicles, IT equipment and other evidence. Over 115 individuals were questioned and 65 were detained following the raids.

EBay faces class action suit over data breach


EBay faces a class action suit in a U.S. federal court over a security breach earlier this year.
The consumer privacy class action lawsuit, filed Wednesday by Collin Green, a citizen of the state of Louisiana, alleged that the security breach was the result of eBay’s inadequate security in regard to protecting identity information of its millions of customers.
The e-commerce site’s failure to properly secure the information “has caused, and is continuing to cause, damage to its customers, the putative class members herein,” according to the complaint by Green which asks for class action status.
EBay informed users in May that it was aware of unauthorized access to eBay systems that may have exposed some customer information. The company said there was no evidence that financial data was compromised. The company subsequently advised users to change their eBay passwords as the attack compromised a database containing eBay user passwords.
“The thieves had access to, and reportedly copied, customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth, at a minimum,” according to the lawsuit filed in the U.S. District Court for the Eastern District of Louisiana.
The company did not immediately notify its customers when it first became aware of the February 2014 security breach and instead waited to inform customers until after the news had leaked out of the company, according to the complaint. “eBay’s profit-driven decision to withhold the fact of its security lapse further damaged the class members who were prevented from immediately mitigating the damages from the theft,” it said, while blaming eBay for not adequately securing the data.
EBay could not be immediately reached for comment.
Green, on behalf of himself and others similarly situated, has asked for a jury trial. The combined claims of the proposed class members exceed $5 million exclusive of interest and costs.