Tuesday, 31 January 2012

Found your site hacked? ... Do you think that's all?

Found your site hacked?
Do you think that's all?
What you don't know is that whoever got into your website may have left more than just an index!



Insider wants to warn owners that there is danger and no one is talking about it

When someone has access to your website's files, they can do whatever they want, and that includes uploading/downloading files.
I will present some of the possible actions a hacker can take on your host:



  • The simplest and most visible action is changing or replacing the index, to prove that they had access.
  • Another option is for intruders to copy everything or steal the important things, and then the damage is greater than a simple ... You are hacked by ... ...
  • What many ignore, and which is very serious, is that the intruder can use the space for action against other websites or people. They can upload to the host methods to steal the personal data of the people who visit the site, or use the hosting space for:
      Stealer / Keylogger / Phishing / RAT / Botnet / DDoSer / Shell


The above are quite dangerous, because if they are found ... you are guilty because it is on your hosting, and to get out of it you will have to prove your innocence before the law.

For better understanding I have a very interesting example


http://www.voiceofnigerians.com/


If the index had not been changed it would have been a plain website ... and now when you see it you can say it's a simple hacked website.

But ... look here

http://www.voiceofnigerians.com/Main/


These are all the files of a virus called SpyEye ... a virus with which the hacker can steal personal data such as credit cards, personal accounts, ... but which is also used for attacks against other sites/forums.

That's why it is not enough to see whether your site is online .... inspect your files as often as you can, and if you don't know how ... ask for help to have a secure site/forum so you don't get into trouble.



Stay close and you will see more



Prodefence.org

Found your site hacked? ... Do you think that's all?


Found your site hacked?
Do you think that's all?
What you do not know is that whoever got into your site may have left more than just an index!



Insider wants to warn site/forum owners that there's danger and no one speaks about it

When someone has access to the site's files, they can do whatever they want, and that includes uploading/downloading files.
I will present some of the possible actions a hacker can take on your host:



  • The simplest and most visible action is changing or replacing the index, to show that he had access.
  • Another option is for intruders to copy everything they find or steal the important things, and such damage is greater than a simple ... You are hacked by ...
  • What many ignore, and which is very serious, is that the intruder can use the site for action against other websites or people. He can load different hacking methods onto the host to steal the personal data of those who visit the site, or use the host site for:
      Stealer / Keylogger / Phishing / RAT / Botnets / DDoSers / Shells

The above are quite dangerous because if they are found ... you are guilty because it's your host, and to escape the trouble you have to fight it out with the law.

To better understand, I have a very interesting example

http://www.voiceofnigerians.com/




If the index had not been changed it would look like a plain site ... and now when you see it you can tell it's a simple hack.

But ... look here

http://www.voiceofnigerians.com/Main/




These are all the files of a virus called SpyEye ... a virus with which hackers steal personal data such as credit cards, personal accounts, ... but which is also used for attacks against other sites.



So it is not enough to see if your site is online .... inspect your files as often as you can, and if you do not know how ... ask for help to have a secure site and not get into trouble.

Stay close and you will see more




Prodefence.org

Facebook Valentine’s Day Theme Leads to Trojan

As Facebook users are preparing for Valentine’s Day, cybercriminals are relying on the fact that lovebirds may be tempted to install a so-called Valentine’s theme to make their profiles more special.

Trend Micro researchers came across one of these scams, which attempts to dupe victims into downloading a Trojan that later lodges itself in the browser to help the crooks make money.


Facebook users who fall for the phony advertisement and click it are taken to a website that displays a large Install button. Once it is clicked, the page prompts the user to download a file called FacebookChrome.crx, identified by the security firm as Troj.Fookbace.A.

Upon execution, the Trojan not only executes a script that’s capable of displaying ads from other sites, but it also installs itself on the browser as an extension named Facebook Improvement.

After it’s successfully installed, the malicious extension monitors web activities, redirects sessions to survey pages that request sensitive information, performs likejacking attacks, and posts ill-intended messages on behalf of the victim.

Experts believe that these attacks are specifically designed to target Chrome users, but they work just as well with Mozilla Firefox. Facebook members who use Internet Explorer are taken directly to the survey site, because the extension doesn't work on that browser.

Facebook users are advised not to click on ads that offer a Valentine’s Day theme, or any similar element, and refrain from providing sensitive information such as phone numbers or credit card data online.

Of course, with the large number of legitimate apps out there, it’s hard to tell real applications apart from fake ones. This is why experts recommend the use of an up-to-date antivirus solution, since most security programs are able to detect these malicious plots.

Finally, if by mistake you’ve already installed the browser extension, you can go to your browser’s settings menu and remove it before it causes too much damage.


news.softpedia.com

Hundreds of WordPress Sites Compromised to Serve Phoenix Exploit Kit

The latest malicious campaign begins at the point where cybercriminals compromise a few hundred websites based on WordPress 3.2.1 and alter them to redirect visitors to a domain that serves the malicious Phoenix Exploit Kit.

M86 Security Labs researchers came across around four hundred of these sites.

Using a clever strategy, the masterminds running this scheme didn't compromise the sites' main page; instead they hid a malicious HTML page in the Uploads folder so it wouldn't be detected too easily.


Since they’re using the compromised sites only to bypass URL reputation mechanisms, spam filters and other security policies, they’re not relying on regular users to visit the infected pages, instead they send out spam emails containing a link to the webpage that serves the exploit kit.
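The Prodefence post earlier on this page (inspect your files as often as you can) and this campaign (a malicious page hidden in the Uploads folder rather than on the main page) call for the same defensive check: know which files your web root should contain and notice when that set changes. The following Python script is an added example, not code from Prodefence, M86 Security or any project named on this page. It records a SHA-256 baseline of a directory tree, diffs a later snapshot against it, and separately flags script or HTML files that appear under an upload directory. The upload directory names in UPLOAD_DIR_NAMES, the suffix list, and the sample site that demo() builds in a temporary directory are constructed assumptions.

```python
"""Web-root file-integrity check: baseline, diff, and an upload-folder rule.

Added example. Assumptions (constructed): the upload directory names, the
suffix list, and the sample site built in a temporary directory by demo().
"""
import hashlib
import json
import tempfile
from pathlib import Path

UPLOAD_DIR_NAMES = {"uploads", "upload", "files"}   # assumed names of user-upload folders
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".html", ".htm", ".js", ".cgi", ".pl", ".sh"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def scripts_in_uploads(rel_paths) -> list:
    """Files under an upload directory whose suffix means code or markup, not media."""
    flagged = []
    for rel in rel_paths:
        parts = rel.split("/")
        under_uploads = any(part.lower() in UPLOAD_DIR_NAMES for part in parts[:-1])
        if under_uploads and Path(rel).suffix.lower() in SCRIPT_SUFFIXES:
            flagged.append(rel)
    return flagged


def demo() -> dict:
    """Build a constructed site, baseline it, then simulate the kinds of change
    the articles describe: index replaced, a page dropped into the uploads
    folder, and a new directory that is not an upload folder at all."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        (root / "index.html").write_text("<h1>Voice of ...</h1>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
        baseline_file = Path(store) / "baseline.json"   # kept outside the web root
        save_baseline(snapshot(root), baseline_file)

        # Simulated compromise (all contents are harmless placeholders).
        (root / "index.html").write_text("<h1>You are hacked by ...</h1>\n")
        (root / "uploads" / "bill.html").write_text("<!-- constructed stand-in for a dropped page -->\n")
        (root / "Main").mkdir()
        (root / "Main" / "gate.php").write_text("<?php /* constructed stand-in */ ?>\n")

        report = compare(load_baseline(baseline_file), snapshot(root))
        report["scripts_in_uploads"] = scripts_in_uploads(report["added"] + report["modified"])
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. The baseline must live somewhere the web server's account cannot write, otherwise whoever can drop files can also rewrite the baseline; demo() stores it in a separate directory for that reason. And the upload-folder rule is only a shortcut: the dropped Main/gate.php is not under an upload directory and is caught only by the baseline diff, which is why the diff, not the suffix rule, is the primary check.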

Websense described these emails not long ago, reporting that they're designed to confuse the recipient and get him to click on the link without giving it much thought.

“Hello! Look, I’ve received an unfamiliar bill, have you ordered anything? [LINK] Please reply as soon as possible, because the amount is large and they demand the payment urgently,” reads the malicious message.

Once the link is clicked, the user, who at this stage becomes a victim, is taken to the compromised site, which redirects to a Russian domain where the exploit is hosted.

The Phoenix Exploit Kit probes for vulnerabilities in Internet Explorer, Adobe Reader, Flash and Java, these being the applications that users most often fail to update.

An interesting observation made by the experts is that the exploit kit is not designed to target Google Chrome customers. For no obvious reason, the source code is written in a way to make sure that those who utilize Chrome are excluded.

Security solutions providers are keeping close tabs on these malicious elements, but to make sure they’re protected, users are advised never to click on suspicious links that come in suspicious emails.


news.softpedia.com

With Masters Still at Large, the Kelihos Botnet Returns

Right after Microsoft and Kaspersky disrupted the activity of the Kelihos/Hlux botnet, with the Redmond company having managed to identify one of its masterminds a week ago, researchers found that the botnet has returned with some interesting new techniques.

Kaspersky Lab experts explain that the method they used to bring down the botnet, sinkholing, has its advantages, but they admit that as long as the masters are still at large they can set up similar botnets.


And this is exactly what they did. Not long after the world learned of the good guys’ victory, researchers found new samples that appeared very similar to the initial version.

One of the differences between the two variants is in the communication protocol and the way it encrypts and packages Kelihos/Hlux messages.

In the newer version the order of the encryption operations was changed; since this makes no sense, as there is no advantage to it, experts believe that someone obtained the source code and modified the order of the encryption stages to make it look different.

Also concerning encryption, the later samples were found to have different encryption keys and RSA keys. This, however, is a more predictable move, and since there are two different RSA keys, it is very likely that two groups each hold one of the keys, allowing both to control the botnet.

The tree structure of the old Kelihos is pretty much the same, except that the hash algorithm for the field names is no longer used, the names now consisting of one or two characters.

The last difference is in the way packets are formed. Now, every packet includes the calculated data checksum in its header.

Kaspersky researchers concluded that it is impossible to neutralize a botnet completely just by taking over control of the controller machines; instead, the most effective way to disable a botnet is to identify the individuals running it.

news.softpedia.com

Lookout: Android.Counterclank Found by Symantec Not Malware

Security solutions provider Symantec alerted Android users a few days ago on the existence of an Android Trojan called Android.Counterclank, which they catalogued as an information-stealing piece of malware. However, Lookout, a mobile security firm, questions those claims, reporting that Counterclank is just an aggressive form of ad network.

Symantec's report found that the Trojan was being bundled with popular apps on the Android Market and had already infected as many as 5 million devices.


They identified Counterclank as a minor modification of Android.Tonclank, a threat that has the features of a bot, its main purpose being to steal private information.

Applications such as Hit Counter Terrorist, CounterStrike Hit Enemy, Counter Strike Ground Force and Counter Elite Force were served on the official Android Market with a malicious code that’s inserted as a package called Apperhand.

On the other side of the fence, Lookout also took a look at these applications and concluded that even though the Apperhand SDK was "an aggressive form of ad network that should be taken seriously," it couldn't really be considered malware.

“The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior,” Lookout researchers write.

“In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.”

Lookout has been studying mobile advertising SDKs since some of them began using more aggressive tactics to promote their adverts, including pushing notifications, dropping search icons on the device’s desktop, and pushing bookmarks to the browser.

Since ad networks are becoming an important part of the mobile ecosystem, we’ve contacted Lookout to request an interview that may further clarify the use of these elements and their impact on customers. Stay tuned to find out more.


news.softpedia.com

Disability app designed by London terrorism survivor

 
By Jonathan Weinberg, Technology reporter


A severely injured survivor of the 7/7 bombings has created a smartphone app to help people with disabilities travel around London more easily.

Daniel Biddle lost both his legs, spleen and left eye after a bomb exploded on a tube train in July 2005.

His Ldn Access app details step-free access, ramps and usable toilet facilities at thousands of venues.

Mr Biddle says he created it after finding that his wheelchair had made many venues become inaccessible.

"What happened on 7/7 robbed me of the ability to just go anywhere," he said.

"I can think of numerous instances where I've stopped somewhere to use the toilet or gone to a restaurant only to find it is impossible. There is such a lack of useful information for people in a wheelchair, those with learning difficulties or people with a visual or hearing impairment."

Icon controls

Venues covered by the program include hotels, theatres, restaurants, pubs and attractions.

The app was created with the help of Mr Biddle's friend Tobi Collett.

It works by using location-based technology to pinpoint where a user is, providing intuitive icons and simple terminology to make their choices from, breaking down bigger categories such as restaurants into smaller specific ones such as Chinese or Indian.



Tapping the icons brings up the information needed to make an informed choice as to whether a destination will meet the needs of the user's disability.

Mr Biddle said: "We made the app very intuitive because someone with dexterity problems, or arthritis in their hands, may not be able to type out long words. It's just a simple push on a simple icon."

The app also contains a section devoted to the Olympics, with accessibility information for each venue and nearby places to visit.

It also works offline, meaning even being underground on the Tube is no barrier to knowing where it is possible to get off easily.

Improved access

The two friends first came up with the idea nearly a year and half ago, after which they provided the necessary information to a professional coder.

"We had to identify which venues we wanted to list based on location and accessibility, then use each venue's website and a telephone access audit where necessary," said Mrs Collett.

"To double check we then took to the streets and visited random locations listed in the app."

The program differs from other related apps on the market, including Parking Mobility and Toilet Map, because it is not limited to specific tasks such as where to find a disabled parking bay or an accessible public lavatory.

Instead it offers a wider range of access information covering everything from bingo halls to the Wembley Arena.



The Leonard Cheshire Disability charity is already involved with another app - Do Some Good - which allows people to rate the accessibility of their local High Street, but it welcomed the idea of other developers offering associated software.

"A directory of accessible places is a very useful tool. 40% of disabled people that we surveyed reported they'd had difficulties using shops and services in the past year," said Guy Parckar, the organisation's campaigns manager.

At present Ldn Access only works on Apple's iOS devices after becoming live last night on the tech firm's App store.

But Mr Biddle and Mrs Collett hope to reinvest money earned from downloads to create versions for Blackberry, Android and Windows Phone, as well as similar programs for other cities across the UK.

"With this app we hope to use the latest technology to change people's mindsets and show how the disability isn't the problem, the lack of access is the problem," said Mr Biddle.

"Technology can be great for improving independence and we hope this allows the disabled to decide what they want to do, and just go out and do it."


Caution on Twitter urged as Britons barred from US



Holidaymakers have been warned to watch their words after two British friends were refused entry to the US on security grounds after a tweet.

Before his trip, Leigh Van Bryan wrote that he was going to "destroy America".

He insisted he was referring to simply having a good time - but was sent home.

Trade association Abta told the BBC that the case highlighted that holidaymakers should never do anything to raise "concern or suspicion in any way".

The US Department for Homeland Security picked up Mr Bryan's messages ahead of his holiday in Los Angeles.

The 26-year-old bar manager wrote a message to a friend on the micro-blogging service, saying: "Free this week, for quick gossip/prep before I go and destroy America."

He told the Sun newspaper that he and his friend Emily Bunting were apprehended on arrival at Los Angeles International Airport before being sent home.

"The Homeland Security agents were treating me like some kind of terrorist," Mr Bryan said.

"I kept saying they had got the wrong meaning from my tweet."

No joke

Abta, which represents travel companies in the UK, said holidaymakers need to learn to be ultra-cautious when it comes to talking about forthcoming trips, particularly after 9/11.



"Posting statements in a public forum which could be construed as threatening - in this case saying they are going to "destroy" somewhere - will not be viewed sympathetically by US authorities," it told the BBC.

"In the past we have seen holidaymakers stopped at airport security for 'joking' that they have a bomb in their bag, thoroughly questioned and ending up missing their flights, demonstrating that airport security staff do not have a sense of humour when it comes to potential risk."

In another tweet, Mr Bryan made reference to comedy show Family Guy saying that he would be in LA in three weeks, annoying people "and diggin' Marilyn Monroe up".

Mr Bryan told the newspaper that he was questioned for five hours about his Twitter messages.

'Tweeter account'

After the interview, the Homeland Security report stated: "Mr Bryan confirmed that he had posted on his Tweeter website account that he was coming to the United States to dig up the grave of Marilyn Monroe.

"Also on his tweeter account Mr Bryan posted he was coming to destroy America."



The US Customs and Border Protection agency said in a statement that it tried to maintain a balance between "securing our borders while facilitating the high volume of legitimate trade and travel that crosses our borders every day".

It added: "We strive to achieve that balance and show the world that the United States is a welcoming nation."

Mr Bryan is not the only person to suffer from a misjudged tweet. In January 2010, Paul Chambers tweeted that he would blow snow-affected Robin Hood Airport in Doncaster "sky high!" if it was not reopened in time for him to see his girlfriend.

He was fined £385 plus £2,600 in costs - a sum which actor Stephen Fry offered to pay on Mr Chambers' behalf.

EU probes Samsung over possible patent rights 'abuse'




Samsung's patent deals are being looked into by the European Commission.

Competition regulators are investigating whether the firm used some of its intellectual property rights to "distort competition in European mobile device markets".

The commission says it wants to know if Samsung has failed to live up to a commitment to license key technologies to rivals.

The action comes as the company is involved in patent battles with Apple.

A spokesman for Samsung said it did not have a statement to make on the case at this time.

The inquiry centres on Frand commitments - a promise by industry players to license innovations that are essential to an industry standard on fair, reasonable and non-discriminatory terms.

This means that the owner cannot discriminate who gets to use its invention and that its fee cannot be excessive.

The commission notes that in 1998 Samsung offered an "irrevocable commitment" to the European Telecommunications Standards Institute to respect Frand terms.

But the regulator says that: "In 2011, Samsung sought injunctive relief in various member states against competing mobile device makers based on alleged infringements of certain of its patent rights which it has declared essential to implement European telephony standards."

Lost lawsuits

The South Korean firm has made more than a dozen patent claims against Apple in Germany, the Netherlands, France and Italy relating to 3G-essential technologies.

So far the courts have ruled against Samsung in the cases - in part because it was felt that the firm had failed to live up to its Frand commitments.

However, patent consultant Florian Mueller, who has blogged about the various cases, notes that: "The European Commission can't wait until Samsung finally wins a ruling based on such a patent and enforces it, potentially causing irreparable harm."

A spokesman for the European Commission confirmed that it had instigated the proceedings. He said that the commission had not received an official complaint from Apple or any other company about the matter.

Counter-attacks

Samsung has also been on the receiving end of patent and design-rights litigation.

Some analysts view its lawsuits as a response to Apple's legal attack.

The iPad-maker succeeded in having two of its competitors' tablets banned from sale in Germany last year forcing a redesign.

The ruling against the Galaxy Tab 10.1 was upheld by the Düsseldorf Higher Regional Court today.

Experts say the commission's intervention is likely to further complicate matters.

"It is really difficult for Samsung to have the commission wading in when none of its competitors have made a complaint," said Vicki Salmon, a member of the UK's Chartered Institute of Patent Attorneys.

"At a time when there is a lot of litigation between companies it doesn't help to be on the receiving end of an official inquiry."

DHS Locks Up UK Tourists for “Terrorist” Tweets

A couple of tourists made some jokes on Twitter before vacationing in the US. Unfortunately for them, the Department of Homeland Security (DHS) picked up on their tweets, considered them a threat to national security, and gave them a not-so-friendly welcome when they arrived.

According to The Sun, Leigh Van Bryan and Emily Bunting were picked up at Los Angeles International Airport by armed guards, handcuffed and locked up for 12 hours overnight after they were flagged by the DHS as a potential threat.


The tweets that put them in this situation were a couple of jokes in which van Bryan posted to friends his plans to “destroy America” and dig Marilyn Monroe up from her grave.

“The Homeland Security agents were treating me like some kind of terrorist. I kept saying they had got the wrong meaning from my tweet,” van Bryan said.

Unfortunately for them, the jokes weren’t considered funny by US law enforcement and after being held in separate cells, they were put on a flight back home.

Bunting had nothing to do with the tweets, but she was suspected of acting as a lookout while they dug up Monroe’s grave.

“Officials told us we were not allowed into the country because of Leigh's tweets. We just wanted to have a good time on holiday. That was all Leigh meant in his tweets,” 24-year-old Emily said.

By now it shouldn't be a secret to anyone that the DHS monitors a large number of sites in search of things like cyber criminals, terrorists, biological weapons, and anything else that may pose a danger to national security.

So, were the actions of US authorities out of line, or were they acting in a justified manner considering the large number of potential threats targeting the country? The DHS didn’t comment on the issue, but the incident will surely cause some waves.

In the meantime, be careful what you write on social media websites.


news.softpedia.com

Australian Taxation Office Phishing Email Offers Tax Refund



Even though tax refunds should be processed and paid out by now, cybercriminals who probably had a great season continue to launch Australian Taxation Office (ATO) spam campaigns that promise tax refunds to unsuspecting users.

The latest malicious email variant informs recipients that they’re eligible to receive a tax refund, Sophos’ Paul Ducklin reports.

“Please submit the tax refund request and allow us 6-9 days in order to process it,” reads part of the phony notification.


To make everything as legitimate looking as possible, the crooks even come up with an excuse for the delay.

“A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline,” the message concludes.

The main purpose of the email is to try to convince the recipient to open the attachment and provide highly sensitive information.

Once the attachment is opened in a browser, a well-designed form appears on the screen, requesting the user to provide data such as name, date of birth, address, city, postcode, sort code, card number, expiry date and card verification number.

If the Continue button is clicked, all the information is submitted to a server in the US.

Fortunately, this variant is detected by Sophos products as being malicious and the submission URL is blocked.

Even so, users are advised to take a few precautionary measures to make sure they're protected against these phishing expeditions.

First of all, never provide sensitive information, especially credit card details, in response to an email. Legitimate institutions will never send you such notifications because they're aware of the large number of fraud attempts.

Also, always take a good look at the sender’s email address. In this case the emails come from an ato.com.au domain, but the legitimate domain is actually ato.gov.au.


news.softpedia.com

Council fined £140k for leaking kids' sensitive info

The Information Commissioner's Office (ICO) has fined Midlothian council £140,000 for disclosing sensitive personal data about children and their carers to the wrong people on five separate occasions.
The commissioner said that the five breaches, which took place between January and June 2011, were all serious.
One of them happened when papers about the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information.

It took place in January 2011 and did not come to light until March, when the council began an investigation. This did not prevent further similar incidents taking place in May and June, however.
In another case, minutes of a child protection conference were sent in error to the former address of the mother's partner, where they were opened and read by an unauthorised person. The papers also contained personal data about the mother, who made a complaint to her social worker about the incident.
Investigations by the ICO found that all five breaches could have been prevented if the council had put adequate data protection policies, training and checks in place.
Midlothian is the first organisation in Scotland to be fined by the ICO.
In addition to imposing a fine, the information commissioner has ordered Midlothian to improve the security of personal data. The council has said has that it will now check all its records to make sure they are up to date, as well as updating its existing data protection policy to include specific provisions for the handling of personal data by social services staff.
Ken Macdonald, assistant information commissioner for Scotland, said: "The serious upset that these breaches would have caused to the children's families is obvious and it is extremely concerning that this happened five times in as many months.
"I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure."

theregister.co.uk

Google, Facebook, Microsoft in PHISH-FIGHTING smackdown

Google, Facebook and other internet heavyweights are collaborating to back a standard designed to curtail phishing by improving the cooperation between legitimate senders and receivers of email.
Microsoft, Yahoo and PayPal are teaming up to push DMARC (Domain-based Message Authentication, Reporting & Conformance), an email authentication specification designed to make it easier to filter and block spoofed messages that attempt to trick users into handing over personal data or passwords to scam sites.
Email senders often use standards such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to authenticate their messages, but email receivers have tended not to rely on the technology, because legitimate but unauthenticated messages might be sent from a given domain – i.e. they are not necessarily spoofed, as adoption of the standards by senders is so patchy.

DMARC seeks to codify how email authentication can be introduced into a provider's infrastructure. Once DMARC is introduced, a sender could set policies to easily request providers to discard unauthenticated email, getting rid of spoofed-domain phishing emails in the process. The specification also creates a mechanism for email providers to send detailed reports back to email senders, creating a feedback loop that would help catch gaps in authentication systems.

Authentication needs support of both receiver and sender

George Bilbrey, co-founder of email certification firm Return Path, said both the organisation sending the emails and the entity that receives them need to support DMARC. However, this is not as much of a problem as it might seem. Fifteen per cent of emails received by Gmail, for example, already meet DMARC, a standard that has quietly been rolled out by many firms over the 18 months prior to its public launch on Monday.
Bilbrey said DMARC has a good chance of succeeding where other email authentication approaches have come up short because "it already has an installed base and builds on existing standards and technologies".
"It's not going to eliminate phishing but is still a big step forward, specifically in preventing spoofed email from domains that support DMARC from getting through," he told El Reg.
Return Path is one of 15 early backers of DMARC, a cross-industry standard that its backers hope eventually to submit to the IETF as a draft.
In the past, spammers have often been early adopters of authentication technology. For example, in the early days of SPF, most of the domains that contained valid SPF records were spammer domains.
However Paul Wood, an anti-spam expert at Symantec.cloud (formerly MessageLabs), said it would be wrong to dismiss the potential of the new standard simply because previous approaches had misfired. He said: "[DMARC] is important because it enables the owner of an email domain to publish a policy that for the first time defines how *they* want emails from their domain to be handled, rather than leaving it up to the receiving servers to make that judgement. It also means that they can request the receiving servers to feedback via a monitoring channel (an email address or URI) to collect the messages that don't meet the policy criteria.
"The idea being that they can then see for the first time a much clearer picture of who is spoofing their domains and on what scale. This feedback loop is really there to help them tighten up their policy and define what to do with non-conforming messages – such as drop them, or report them. They can also define what percentage of their email should be blocked, so initially they may elect this to be a low number, increasing it gradually to 100 per cent over time," he added.
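How the pieces Wood describes fit together (the record the domain owner publishes, alignment of the visible From domain with the SPF and DKIM results, the percentage used for gradual rollout, and the reporting address) can be shown in a short receiver-side evaluator. The following Python code is an added example, not code from any of the DMARC backers or from Return Path or Symantec.cloud. The three records, the two message results and the bank.example/attacker.example domains are constructed, and org_domain() approximates the organizational domain with the last two labels instead of the Public Suffix List that real receivers consult.

```python
"""DMARC policy evaluation for one received message.

Added example. Assumptions: the TXT records and authentication results below
are constructed, and org_domain() is a two-label approximation of the
organizational domain (real receivers use the Public Suffix List).
"""
from dataclasses import dataclass

# Constructed _dmarc.<domain> TXT records, as a domain owner would publish them.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@bank.example"
ROLLOUT = "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc-reports@bank.example"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@bank.example"


@dataclass
class AuthResult:
    """What the receiving server knows before DMARC is applied."""
    header_from: str   # domain of the visible From: header (what the user sees)
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # domain SPF was checked against (envelope sender)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in the defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment
    tags.setdefault("aspf", "r")    # relaxed SPF alignment
    tags.setdefault("pct", "100")   # apply the policy to all failing mail
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(result: AuthResult, record: str, sample: int = 0) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    `sample` is the message's draw in [0, 100): draws below pct= get the
    published policy, the rest step down one level (reject -> quarantine,
    quarantine -> none), which is how pct= allows a gradual rollout.
    """
    tags = parse_dmarc(record)
    spf_ok = result.spf_result == "pass" and aligned(result.header_from, result.spf_domain, tags["aspf"])
    dkim_ok = result.dkim_result == "pass" and aligned(result.header_from, result.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


def report_address(record: str) -> str:
    """Where the receiver sends aggregate feedback (the rua= tag), '' if absent."""
    return parse_dmarc(record).get("rua", "")


if __name__ == "__main__":
    # Constructed cases: a spoof that passes SPF for the attacker's own domain,
    # and a legitimate message signed by a subdomain of the From domain.
    spoof = AuthResult("bank.example", "pass", "attacker.example", "none", "")
    legit = AuthResult("bank.example", "fail", "bulk.bank.example", "pass", "mail.bank.example")
    for name, rec in [("monitor", MONITOR_ONLY), ("rollout", ROLLOUT), ("enforced", ENFORCED)]:
        print(name, "spoof ->", evaluate(spoof, rec, sample=50), "| legit ->", evaluate(legit, rec))
        print("   reports go to", report_address(rec))
```

The spoofed message shows why SPF alone was not enough for receivers: it passes SPF, but for the attacker's own envelope domain, and DMARC rejects it because that domain does not align with the From header the user sees. The legitimate message shows the cost of strict alignment: a signature from mail.bank.example satisfies the relaxed default but fails the adkim=s record, which is exactly the kind of gap the rua= reports are meant to surface before p=reject is applied to 100 per cent of mail.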

Cost and privacy issues

Wood added a note of caution over the technology, saying that outstanding cost and privacy issues needed to be addressed: "I believe there may be some concerns over the privacy side, particularly when it relates to failed messages being sent to an external email address that wasn't the recipient.
"I'm not sure what the best current practice says about this, but I expect as we see more implementation guidelines appearing over the coming months, these sorts of issues can be addressed. There may be costs associated with the setup, but mostly from a configuration and testing perspective. This is likely to put more pressure on ISPs and mail providers to support these technologies in order to safeguard their clients. We certainly welcome this initiative as it is likely to be very effective at stopping spoofing and phishing attacks," he added.
The security expert added that DMARC could easily co-exist alongside other more established groups in this area, such as the Anti-Phishing Working Group.
"This new body is different to APWG and others, as it forms the policy decision on what the senders want receivers to do should their messages fail DKIM/SPF. With the weight of some big early adopters it could really help obvious spoofing attempts, and should be seen as complementary to the APWG and other technology such as SPF and DKIM," he concluded.


theregister.co.uk

Sexy Girls Puzzle: Android Trojan or eager ad-slinger?

Security researchers are split on the seriousness of an Android "malware" campaign that some estimates suggest may have "infected millions" of smartphones via gaming apps from Google's Android Market.
"Android.Counterclank" – a piece of code described by Symantec as a Trojan and by Lookout Mobile Security as part of "an aggressive form of ad network" – can be found in over 13 different mobile gaming apps – including Sexy Girls Puzzle and Counter Strike Ground Force – from three different publishers, according to Symantec. The security software biz said that legitimate games are sometimes repackaged with Trojan horse malware and uploaded to the Android Marketplace in order to infect users.

Kevin Haley, a director with Symantec's security response team, told Computerworld that the apps might have infected anywhere between one and five million users. However, Symantec's official write-up describes Counterclank as a low-risk threat that is easy to remove, hasn't spread very far and has probably only infected 1,000 smartphone users.
Both Symantec and rival Lookout acknowledge that Counterclank lifts information from the user's phone, which includes the browser settings and (in the case of some but not all games) SIM serial and IMEI numbers.
However, while Symantec classes Counterclank as a Trojan, Lookout disagrees.
"Some companies are calling this a botnet or malware. Lookout has some concerns about the functionality, however at this time, and as far as we can tell, it does not meet the standard to be classified as malware or a 'bot'," said Lookout. "Consumers should take these apps very seriously as they appear to tread on privacy lines, but they are not necessarily malicious."
Instead of describing the suspicious apps as Trojans, Lookout characterises Sexy Girls Puzzle and Counter Strike Ground Force as the fruit of a software development kit (SDK) for a mobile advertising network, identified as "Apperhand", and said it ought to be taken seriously.
"The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behaviour," a blog post by Lookout explains. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar."
"Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud. Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware," it added.
Lookout researchers wrote that the Apperhand SDK is similar to a previous mobile advertising SDK – ChoopCheec (AKA Plankton) – that "crossed several privacy lines in the data it collected about users" when it first appeared last year.
Even though Plankton has been modified since, it still does a number of things, such as "pushing" notification ads, dropping a search item on desktops or automatically adding bookmarks, that are liable to give more privacy-conscious mobile users the fear.


theregister.co.uk

Google spews out 'privacy' email to Sky punters too


Sky users have joined Virgin Media subscribers in receiving emails directly from Google about its new privacy policy.
Sky customers received the email from the Chocolate Factory warning them about the controversial changes to its privacy policy, which was quickly followed by an email from Sky about the error.
"We understand that you may have recently received an email to this address from Google with the subject title: 'Changes to Google Privacy Policy and Terms of Service'," the email read.
"We'd like to apologise for any confusion this email may have caused. It was sent in error and should be ignored.
"Google's technology supports the Sky email service, and hence supports your @sky.com address. However, as a @sky.com email subscriber, your only relationship is with Sky. Please be reassured that Sky's Terms and Conditions and Privacy Notice apply and not Google's."

However, the thing that most people are taking issue with is how Google had their email address in the first place and what other uses the search giant might be putting those addresses to.
In a FAQ section on the erroneous email, Sky explained that Google had to have everyone's email address to provide email services to Sky, but the address was the only information the Chocolate Factory had and it hadn't shared it with anyone else.
A Virgin Media spokesperson said the same thing to The Register.
"All Google literally has is an email address that they provision to us," he said, adding that the firm needed to know these addresses so it could allocate storage to each address.
He also confirmed that Virgin Media's privacy policy superseded Google's so customers would not be affected by the changes.
A Google spokesperson said that the Chocolate Factory was busy informing all its customers about its policy changes, including the administrators of enterprise organisations using Google Apps.
"If an enterprise organisation uses Google Apps to provide email to its own employees or customers, Google is contacting only the administrator at that organisation because it has a contract that defines how we handle and store their data," the spokesperson said.
"Due to a glitch in our system, we misclassified some Google Apps email accounts as consumer Gmail accounts and mistakenly sent these users email notifications about the Privacy Policy. While Google provides the backend service that powers these users’ email accounts, we do not have any direct relationship with these users and contacted them in error."


theregister.co.uk

How to navigate Google's privacy options

When Google announced it was revising its privacy policies last week, it caused quite an uproar in many technical circles (not just Google+ circles either). In this post I will try to provide a summary of the changes, but more importantly what your options are to maintain your privacy while utilizing Google services.
Google's new policy takes effect on March 1st, 2012. If you are totally unhappy with the direction they are going with privacy, you still have one month to grab all of your data and choose a new search engine/email/cloud/social network.
Disclaimer: I am not a lawyer and my views are simply my interpretation of information posted publicly by Google.

So what actually changed? To be fair, not a whole lot. Google has consolidated more than 60 individual privacy policies into one, with the exception of a few services (Wallet, Chrome/Chrome OS and Books).
Most of the controversy surrounds Google's statements regarding their intention to share more information between Google services like search, Google+ and Gmail.
This was already allowed under the current privacy policy; Google is just expressing its intent to begin exercising that policy.
This data sharing will occur if you are currently logged into a Google account like Gmail, Google+, Youtube or any other Google services.
What options do you have for limiting the amount of information Google gathers and how they use it?
  • Advertising: Personally identifiable information (PII) will not be shared with Google ad networks unless you opt-in. Non-PII is shared between Google services and its ad networks by default. You can opt-out of ad personalization using Google Ads preferences page. Don't forget there are two sections "Ads on Search and Gmail" and "Ads on the Web". There are also ad cookie plugins that will persistently block ad personalization available for Chrome and Firefox (beta).
  • Streetview: Google will honor requests to blur pictures of you, your family, your car or your home. Simply find the offending image on Google Streetview and click "Report a problem".
  • Web History: Google keeps track of your search terms and items you have clicked on when using Google services. You can control what information they keep, or opt-out altogether using its Web History Controls.
  • Google Chat: Google keeps records of your conversations with others when using Google Chat by default. If you want to prevent them from logging your chat sessions you can go "Off the record" to disable the logging.
  • Google Analytics: Many websites use Google Analytics to track usage information, page views, and anonymous browser statistics. Google has released a plugin (beta) for IE, Firefox, Chrome, Safari and Opera that will opt you out of data collection on these web pages.
  • Search Personalization: Google customizes search results based upon what you click and search for. This is done whether you are signed into a Google account or not unless you have opted out.
Unfortunately, much like Facebook, Google has decided that customization is so darned convenient that you must opt-out of these features if you don't like them.
The good news is that nearly all the information you share with Google is under your control and often has flexible options available on how that data is shared.
Another technique I have used to limit Google's ability to tie together my search results with my use of Gmail, Google+ and YouTube is to open an Incognito window (Chrome), Private Browsing (Firefox) or InPrivate Browsing (IE) when using Google services that require me to sign in.
This way I can browse in my normal browser window, not signed in, with my opt-out cookie for personalization and still access other Google services without the two browsers cross-pollinating.
If you have a Google account you can view a complete list of data Google is storing on you on the Google Dashboard page.
Google has also provided a page called "Good to know" linking to their management tools, policies and other information regarding your information and how it is used.
In summary, no reason to panic. Google hasn't changed much related to its policy, but will start using more of your data than before. If you don't want to quit Google you can exercise some of the above options to retain control of how your information is used.



 
nakedsecurity.sophos.com

luni, 30 ianuarie 2012

Music licensing firms target personal web users



Two music licensing businesses have launched rival services targeted at individual users, small businesses and not-for-profit organisations.

For a fee, Cuesongs and Ricall Express offer permissions to use well-known background tracks for videos posted to sites such as YouTube and Facebook.

They could feature on wedding videos or online company adverts.

Analysts say the companies fill a gap in the market, but warn it will still be difficult to convince people to pay.

App developers

Both the UK-based firms launched their new businesses at the Midem music industry festival in Cannes.

Cuesongs is backed by the singer Peter Gabriel and offers recordings from Sony Music and several independent rights holders. It is operating an invitation-only trial for the time being.

Ricall's new division builds on an existing service offered to the broadcast and gaming industries. It includes tracks from EMI Music as well as independent publishers.

Examples of the customers they hope to attract include couples wishing to add music to their wedding video before uploading it to the internet, film festival entrants, small businesses making web adverts, school clubs and smartphone app developers.

"By introducing low prices and easy online access, Cuesongs is creating a new market for music, to satisfy a huge untapped demand that can begin to provide new income streams for artists," said Mr Gabriel.

Ricall's commercial development vice-president, Phil Bird, said: "There have been many automated sync platforms over the years.

Commercial activities

"However, none have managed to find the holy grail of selling well-known commercial music for the 'long tail' of users."






The firms suggest that if their "micro-usage" services prove popular then more rights holders will be willing to license their material.

The Music Publishers Association trade body welcomed their entry into the market.

"These services look to provide proper controls and safeguards for creators, whilst at the same time easing access and simplifying the process for those small businesses wanting to use music," said the MPA's spokesman, Will Lines.

"We are not talking here about individual web users paying to upload a clip of their child dancing to the radio as a YouTube clip.

"Rather, this is aimed at the thousands of small businesses using social media in their commercial activities."

'Moral weight'

Industry watchers say that many potential licensees have been perplexed by the complexity of rights management since different copyrights exist for the lyrics, score and recording of a song. That means that three or more parties might have to give permission before a track could be used.

They say the one-stop shop nature of the new services solves that problem, and will give extra moral weight to music labels' demands that unlicensed material be removed from the web.

However, many users may still decide to avoid payments.

"If the target clients post videos via YouTube, they may well already be covered to an extent by Google's blanket licences with the big record companies and collecting societies," said Chris Cooke, co-founder of the business music network CMU.

"That said, under Google's agreements rights owners can exercise a veto to have any video that 'syncs' their music removed at any point, even though they are being paid a royalty every time that video plays. A licence will remove that risk, and allow video makers to post their content beyond YouTube.

"Whether bedroom video makers will immediately see that as a benefit worth paying for I'm not sure, though more established independent directors may be more easily convinced."

Cidrex Trojan Breaks CAPTCHA to Create Yahoo! Email Account

There has been a lot of debate lately on how challenging it is to create software that can automatically break CAPTCHA security codes, with some researchers even issuing advisories regarding the creation of strong CAPTCHAs.
However, security experts found that a component of the ZeuS-like Cidrex Trojan was able to break the security tests to create email accounts.

Websense researchers came across a variant of Cidrex, a banking Trojan, that not only infects computers with the purpose of stealing sensitive data from their owners, but also manages to create Yahoo! email accounts to spam others.


This particular version of the malware spreads via emails containing a shortened link which points to the Blackhole exploit kit. If the exploit is successful, the Trojan is downloaded to the infected machine.

Cidrex then looks for sensitive information that later allows cybercriminals to access social media and banking accounts, and sends all the acquired data back to a command and control server.

The malware also comes with a spamming module that uses backdoor components, permitting it to perform browsing activities. Using these rights, the Trojan creates email accounts that are utilized to send malicious emails with the purpose of increasing the bot’s size.

Normally, if CAPTCHAs were strong, automated tools would have a hard time creating accounts, but experts showed that with just six attempts this malevolent element breaks the security test and creates a Yahoo email account without much difficulty.

This is done by harvesting the image that represents the CAPTCHA and sending it with an HTTP POST request to a CAPTCHA-breaking server that outputs a response in JSON format.

As we know, if the string entered by the user while creating an account is incorrect, he is allowed to try again numerous times until he (or she) succeeds. That’s exactly what this component does.

It sends the images representing the codes to the server until the attempt is successful and even though it doesn’t work every time, on some occasions it works perfectly.

Check out the proof of concept video presented by Websense.



news.softpedia.com

DMARC Anti-Phishing Standard to Protect Email Accounts

Some of the major technology firms, including Google, Microsoft, AOL and Yahoo, have joined forces to create a powerful email standard that should protect inboxes from spam and phishing messages.

DMARC, or Domain-based Message Authentication, Reporting & Conformance, is actually a technical specification created with the purpose of reducing email-based abuse by addressing issues of the email authentication protocols.


These problems are related to the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) mechanisms utilized by most mailbox providers, which currently have difficulty telling apart potentially dangerous messages from legitimate ones.

Since senders have had no way to monitor or receive feedback on how their authentication practices are being applied, they have had difficulties that DMARC hopes to resolve.

The new standard allows senders to indicate that their emails are protected by SPF or DKIM, also informing the recipient on what must be done in case none of the authentication methods passes.

“DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation,” DMARC reveals.

In the upcoming period, the draft specifications will be submitted to the Internet Engineering Task Force (IETF) as part of the process of making this an official Internet Standard that can be used and improved by anyone.

Spamming and phishing are on the rise and security solutions providers are struggling to keep up with all the new tricks used by cybercriminals to spread their malicious schemes.

Lately, they’ve been replicating legitimate emails so well that it has become highly problematic for users and spam filters to tell them apart from legitimate notifications coming from diverse organizations.

Since their names are often utilized in phishing emails, the Bank of America and Fidelity Investment are also on board with this project.


news.softpedia.com

Drive-by Spam Emails Infect Computers Without Links or Attachments

Up until now, most malicious emails that were designed to spread a virus or a Trojan required some user interaction, but new variants discovered by German security experts automatically infect a device when the email is opened in the email client.

Many security savvy users know that, as long as you don’t click on a link or open an attachment that comes with a suspicious looking email, you should be safe.

Unfortunately, this is about to change, since researchers from the eleven Research Team came across an improved variant consisting of HTML emails that contain JavaScript designed to automatically download malware when the message is opened.



This malicious technique is similar to the one utilized in drive-by downloads in which compromised websites are altered to serve malevolent elements to users that visit them.

This specific scenario involves emails that come from a spoofed Federal Deposit Insurance Corporation (FDIC) address, informing the recipient of a banking security update.

“Your Wire and ACH transactions have been temporarily suspended. Please open the attached document for more information,” reads the email.

The problem is that the attachment automatically loads inside the email, unleashing whatever may be hiding in it.

The good news is that there are a couple of safety measures that can be applied to mitigate these threats.

First of all, you must make sure that the email account is properly protected against spam and malware with all the filters updated.

Secondly, these schemes only work if the recipient's email account is configured to display HTML content. By setting the account to display emails in plain-text format only, the HTML isn't loaded, and as long as the actual attachment remains unopened, the user's computer remains unharmed.


http://news.softpedia.com
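The mitigation the article recommends (filter incoming mail, prefer plain text over HTML) can be automated at a gateway or in a client. The following is an added Python example, not code from the article or from eleven; it parses a MIME message, flags HTML parts that carry active content, and returns the plain-text alternative a text-only client would render. The sample messages, addresses (example.org, fdic.example) and the empty placeholder script are constructed for this example.

```python
"""Inspect an incoming MIME message for HTML parts with active content.

Added example: the detection patterns are heuristics chosen here, not a
standard; the messages at the bottom are constructed and carry no payload."""
import re
from email import message_from_string
from typing import Dict, List

# Heuristics for active content inside an HTML body (case-insensitive).
ACTIVE_CONTENT = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "inline event handler": re.compile(r"(?<![\w-])on[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "embedded frame/object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}


def html_findings(html: str) -> List[str]:
    """Names of the active-content patterns present in one HTML body."""
    return [name for name, pat in ACTIVE_CONTENT.items() if pat.search(html)]


def decode_part(part) -> str:
    """Decode one leaf MIME part to text using its declared charset (UTF-8 fallback)."""
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def inspect_message(raw_message: str) -> Dict:
    """Walk every MIME part; collect findings for HTML parts and the plain-text alternative."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    plain: List[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            findings.extend(html_findings(decode_part(part)))
        elif ctype == "text/plain":
            plain.append(decode_part(part).strip())
    return {
        "from": msg.get("From", ""),
        "active_html": bool(findings),   # True: do not auto-render this HTML
        "findings": findings,
        "plain_text": "\n".join(plain),  # what a text-only client would show instead
    }


# Constructed sample in the shape the article describes: an HTML alternative that
# would run script as soon as the client renders it. The script body is a placeholder.
SAMPLE_MESSAGE = """\
From: "FDIC Alerts" <alerts@fdic.example>
To: user@example.org
Subject: Important security update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your Wire and ACH transactions have been temporarily suspended.
Please open the attached document for more information.

--b1
Content-Type: text/html; charset=utf-8

<html><body onload="openDocument()">
<p>Your Wire and ACH transactions have been temporarily suspended.</p>
<script>/* placeholder: no real code in this example */</script>
</body></html>

--b1--
"""

# A benign HTML-only message for comparison (also constructed).
CLEAN_MESSAGE = """\
From: news@example.org
To: user@example.org
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Nothing to see here but a <a href="https://example.org/">link</a>.</p></body></html>
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, CLEAN_MESSAGE):
        result = inspect_message(raw)
        verdict = "BLOCK HTML, show plain text" if result["active_html"] else "ok"
        print(result["from"], "->", verdict, result["findings"])
```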

Scammers reveal features of brand new iPhone 5.. or do they?


It's widely anticipated that, at some point this year, Apple will announce the iPhone 5.
What it will look like, and what new features or technology it will include, remains a closely-guarded secret in Cupertino - not that that is going to stop Apple websites and fanboys speculating wildly.
But if you're a scammer you don't need to wait for an official launch from Apple. You can start using the mythical iPhone 5 as bait right now.
Take this scam, for instance, which we have seen on Tumblr.
Scam on Tumblr
Tumblr Staff blog
Sponsor Apple Computer, Inc
Promotion iPhone 5
We are happy to announce that Tumblr and Apple have joined together in a promotion to giveaway FREE iPhone 5's to each one of our users!
CLICK ON THE LINK BELOW TO GET YOUR OWN

Be sure to reblog this post so that others will have the same opportunity to get their own phone. Nothing better than starting your day off with a gift from us. We hope you enjoy!
Wow! Is that really true? That every user of Tumblr can claim a free iPhone 5? That would be pretty big news if it were true (and a strange marketing move by Apple).
Of course, the message is not true, and the post isn't really by Tumblr's staff.
If you click on the link you are taken to a scam webpage that breathlessly claims that the new iPhone 5 includes:
  • Increased Display with 3D graphics
  • 4G Capabilities
  • Increased Battery Life
  • 8-megapixel Camera
  • FaceTime over Cellular Network
Are these the iPhone 5's new features?
But they'll put the pressure on you if you're not tempted and try to browse away from the page, displaying warnings that if you don't take the five minute survey, you'll be missing out on the chance of receiving Apple's latest gadget.
iPhone 5 scam
The scammers want you to enter your email and other personal information. You have no way of telling what they're going to do with it, but don't be surprised if you're spammed in the future or subscribed against your wishes to a premium rate mobile phone service.
Scammers don't need to wait for the iPhone 5 to be released - they can start using it as bait right now.



nakedsecurity.sophos.com

The FBI vs the FTC: the battle for user privacy in social media


There's no doubt about it: The US has mixed motives when it comes to user privacy in social media.
That became obvious this week with the juxtaposition of the FBI voicing its voracious desire to suck up social media data vs. the FTC's 1) recent bemoaning of Facebook's and Google's wanton privacy policy changes and 2) call for a one-stop shop to tweak privacy settings.
On the more-user-data-the-better side is the FBI, which is asking for ideas on developing an application that can sift through social media to feed its intelligence-gathering appetite.
On January 19, the agency put out a Request For Information (RFI) on a data-mining application that could monitor Facebook, Twitter, news and other sites for real-time information.

On the agency's wish list is the ability to automatically search and scrape social networking and open-source news sites for information about breaking world events. At a minimum, the FBI wants to keep a watch on, and to translate into English, social networking material in 12 foreign languages.
As pointed out by InformationWeek's Elizabeth Montalbano, the FBI is certainly not the first or only US agency interested in mining social networking for breaking news, clues to public opinion or early warnings about global events.
The CIA, the Department of Homeland Security (DHS) and the Intelligence Advanced Research Projects Agency (IARPA) are also researching for better ways to milk the social media cow to further their respective missions - be it surveillance or disaster preparedness.
Why should we care that the FBI wants to better reap intelligence? The agency's RFI comes swaddled in the dialect of benevolent care for national security. From the document:
Intelligence analysts will monitor social media looking for threatening responses to news of the day such as major policy announcements by the federal government, for responses to natural disasters like an earthquake or hurricane, or indicators of pending adverse events.
Yes, of course we want our intelligence agencies to have advanced intelligence when it relates to terrorism or natural disasters. But do we really want these agencies to have better ways to pinpoint us if they associate our online personas with given keywords, rightly or wrongly drawing assumptions and gathering ever-more information that can and will be used against us in a court of law?
On the other side sits the FTC, and thank goodness it's attempting to act as a counterbalance.
At a talk on Tuesday morning at a cybersecurity forum in Washington D.C., FTC Commissioner Julie Brill took Google and Facebook to task for violating user privacy, saying the companies "learned ... the hard way" from the FTC that they should not change user privacy settings without getting express, affirmative approval from users.
The FTC last year charged Facebook with unfair and deceptive practices, settling the matter in November by subjecting the company to regular privacy audits for the next 20 years.
The FTC also in the past year charged Google with deceptive privacy practices in its rollout of the Buzz social network, which had baffling privacy controls. Buzz was eventually rolled into Google+, while Google was also given a 20-year privacy audit decree.
In a prepared statement (.PDF), Ms. Brill had this to say about Facebook's broken promises on user privacy:
We called Facebook out for promises it made but did not keep. It told users it wouldn’t share information with advertisers, and then it did; and it agreed to take down photos and videos of users who had deleted their accounts, and then it did not.
And this to say about Google's failings:
We believed that Google did not give Gmail users good ways to stay out of or leave Buzz, in violation of Google's privacy policies. We also believed that users who joined, or found themselves trapped in, the Buzz network had a hard time locating or understanding controls that would allow them to limit the personal information they shared. And we charged that Google did not adequately disclose to users that the identity of individuals who users most frequently emailed could be made public by default.
Are social media sites playing fast and loose with user privacy, ignoring even their own policies?
Ms. Brill is calling for a one-stop shop for users to easily control, from one centralized site, their privacy settings.
Would that help if companies such as Google and Facebook have difficulty abiding by their own policies? Especially if such sites don't even delete personal information in accordance with users' directions to do so?
I hope Ms. Brill gets her one-stop privacy shop. I hope that it ushers in real power to users to control what they choose to share and keep private. I hope that the settlements with Facebook and Google bring about more faithful adherence to their own policies.
With intelligence agencies eager to data mine our personal lives to ever finer degree while the FTC fights for our rights to keep that information private, there does indeed seem to be some discordance in the US.
Hopefully, such apparent cross-signals indicate the push and pull of a healthy democracy.
But in the absence of a one-stop privacy shop, may we all learn to guard our privacy before the FBI et al. get their hands on ever-more sophisticated means to track us.


nakedsecurity.sophos.com

Technology firms create DMarc to fight phishing




A crackdown on "phishing" scams has been announced by 15 of the top technology companies.

Email providers such as Google and Microsoft will work with companies like Paypal and the Bank of America to improve authentication.

Phishing attacks typically involve scammers posing as familiar companies in an attempt to trick users into sharing personal information.



This co-ordinated effort aims to make this more difficult.

The Domain-based Message Authentication, Reporting and Conformance (DMarc) - as the coalition is known - has released plans to produce a "feedback loop" between email receivers and senders.

The initiative is the first significant attempt to bring together both email and service providers along with key security organisations.

DMarc said this industry-wide involvement - which covers the receivers, senders and intermediaries of email use - will mean email providers will for the first time be able to reliably filter out unwanted emails, rather than use "complex and imperfect measurements" to determine threats.

It will mean an agreed standard for authenticating legitimate emails arriving at the inboxes of AOL, Gmail, Hotmail and Yahoo customers.

It will verify messages from Facebook, Paypal, American Greetings, Bank of America, Fidelity and LinkedIn.

Vulnerable

"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the internet as a whole," explained Paypal's Brett McDowell, chair of DMarc.

"Industry co-operation - combined with technology and consumer education - is crucial to fight phishing."

Email security firms Agari, Cloudmark, eCert, Return Path and Trusted Domain Project complete the collaboration.

More companies will join the open standard as it is developed.

Paypal spokesman Rob Skinner explained how the initiative is intended to make things easier for the most vulnerable part of the security chain - the human.






"Half the problem is, with the best will in the world and improving technology, ultimately it's still down to the user to decide [to open an email]," he told the BBC.

"The key point is trying to block emails from getting to someone's inbox - taking the worry and concern out of people's minds and doing it for them."

As one of the internet's most ubiquitous payment companies, Paypal often finds itself impersonated by scammers.

"We've acknowledged it's been an issue," Mr Skinner said.

"We've had a stack of initiatives over the years to cut down on it. Fraudsters target any company that is well known, has a lot of customers, and operates across the globe.

"We recognise our responsibility to do something about it."
bbc

Megaupload users face data deletion US prosecutors warn

US prosecutors have said that data belonging to Megaupload users and stored by third parties could be deleted as soon as Thursday.

Users have been unable to access data since the file-sharing service was raided.

The warning was made in a letter filed by the US Attorney's Office, the Associated Press news agency reported.

Megaupload's lawyer Ira Rothken told the agency that at least 50 million users had data which could be deleted.

Mr Rothken said that freezing of Megaupload's funds meant it was unable to pay those who were storing its data.

In the letter prosecutors said that the data which might be deleted was being held by the storage companies Carpathia Hosting and Cogent Communications Group.

Neither they nor the US Attorney's Office have responded to emails from the BBC.

Mr Rothken told the agency that he was "cautiously optimistic" that a deal could be done to save the data from being wiped.

He said that the data would be needed by the defence.

Legitimate data

Megaupload was shut down on 19 January.

It had about 150 million registered users, making it one of the most popular file-sharing services in the world.

US authorities are seeking to extradite founder Kim Dotcom, also known as Kim Schmitz, and three other defendants from New Zealand to the US.

Prosecutors have accused it of costing copyright holders more than $500m (£320m) in lost revenue.

But a number of users have said that they have been unable to access legitimately uploaded material as a result of the legal action.

After the shutdown one user tweeted, "I'm vehemently against copyright infringement: the files I lost were created & owned by me for my job."

bbc

Embassy of Kazakhstan hacked by Anonymous Supporters


The official website of the Embassy of Kazakhstan in Delhi has an SQL injection vulnerability, and a hacker with the codename Abs0luti0n has successfully extracted the database table information and leaked it in a pastebin note, including the admin's username and password.

The hacker said, "Lately we have been experimenting on some new large targets which will be unveiled soon. However today while we were cruising around in our lulzmobile, we set sights momentarily on another outdated weak vehicle and with great ease put the pedal to the metal, ran all the lights and flew straight through our acquired target."

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database. Attackers utilize this vulnerability by providing specially crafted input data to the SQL interpreter in such a manner that the interpreter is not able to distinguish between the intended commands and the attacker’s specially crafted data. The interpreter is tricked into executing unintended commands.

SQL injection can be prevented if you adopt an input validation technique in which user input is validated against a set of defined rules for length, type, and syntax, and also against business rules.
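To make the two paragraphs above concrete, here is an added example (not code from the article or from the affected site) showing a login-style lookup written the way the interpreter cannot tell data from command, beside the same lookup with a bound parameter and the length/type/syntax validation the article recommends. The table, rows and the crafted input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data; names and values are placeholders, not the
# leaked embassy records mentioned in the article.
SAMPLE_ADMINS = [("admin", "placeholder-hash-1"), ("editor", "placeholder-hash-2")]

def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    return conn

def lookup_vulnerable(conn, username):
    """String concatenation: the SQL interpreter cannot tell where the data
    ends and the command begins, so crafted input changes the query's logic."""
    query = f"SELECT username FROM admins WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, username):
    """Bound parameter: the driver hands the value to the engine separately
    from the SQL text, so it is compared as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM admins WHERE username = ? ORDER BY username", (username,))
    return [row[0] for row in rows]

# Validation rule of the kind the article describes: length, type and syntax.
USERNAME_RULE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(username):
    """True only if the whole input matches the username rule above."""
    return USERNAME_RULE.fullmatch(username) is not None

def lookup_hardened(conn, username):
    """Defence in depth: reject malformed input first, then bind the parameter."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed test input for the demonstration
    print(lookup_vulnerable(db, crafted))     # every row is returned
    print(lookup_parameterized(db, crafted))  # no match: treated as a literal
```

The concatenated version returns every row for the crafted input, while the parameterized version returns none and the hardened version rejects the input before any query runs.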
thehackernews.com