Friday 28 November 2014

Imagine Never Being Alone


Someone looking over your shoulder, recording every computer keystroke; reading and listening to your private Skype conversations; using your phone’s microphone and camera to monitor you and your colleagues, without you even knowing it.
Thousands of human rights defenders and journalists, who, in every corner of the planet, work to expose some of the world’s most shocking abuses and injustices do not have to imagine this.
They are victims of a sophisticated new form of unlawful surveillance. Some governments are already using state-of-the-art technology to effectively place virtual spies in the offices and living rooms of human rights defenders and journalists.
Most of those targeted don’t even know they are being spied on until they are shown copies of emails and videos of themselves and their colleagues, which were secretly extracted from their own laptops. This "evidence" often surfaces while the activists are being beaten up in dingy detention cells, punished for their legitimate work or forced to "confess" to crimes they didn't commit.

Human rights activist and blogger Ahmed Mansoor is one of them. A national of the United Arab Emirates, Ahmed was released from jail in 2011. He was sent there after he signed a pro-democracy petition and because he owned an online discussion group, which the government had blocked a year earlier because it included comments that were critical of the authorities. After his release, Ahmed found that his movements were at times monitored and he was physically assaulted twice. He later realized his computer had been infected with spyware that helped the authorities to monitor his every move. His email and Twitter accounts were also hacked.
This kind of sophisticated spyware is a dream weapon against human rights defenders. It is increasingly being used across the world, even in countries that claim to defend fundamental freedoms.
The software is being developed and manufactured in countries including the UK, Germany and Italy and sold to governments across the world without adequate regulation to ensure that it is not being used to facilitate human rights violations.
"This new form of surveillance seems to be taken out of the pages of 1984 and it is becoming increasingly popular. Surveillance used to be carried out by intercepting communications but now governments can actually get inside the devices and monitor everything from there, as if they were in the room," said Marek Marczynski, Head of Military, Security and Police at Amnesty International.
And even though the European Union has recently pledged to adopt some regulations on the trade of surveillance equipment, this harmful technology is developing at a very fast pace.

Detekt

Reacting to the increasing numbers of activists being arbitrarily arrested and brutally interrogated on the basis of information illegally taken from them, technical experts have been playing a “cat and mouse” game to combat surveillance against people exercising their freedom of expression and association. Some of those experts partnered with Amnesty International, Digitale Gesellschaft, the Electronic Frontier Foundation and Privacy International to launch a new tool to fight it.
Detekt is a simple tool that checks whether a computer running the Microsoft Windows operating system has been infected with known spyware, alerting its users to take action.
Claudio Guarnieri, one of the brains behind the tool, says Detekt responds to a growing call for help coming from activists since 2012.
"We started researching countries selling surveillance equipment to other governments and we found that a German company sold this technology to the Bahrain authorities and that it was used against protesters during the uprising [since February 2011]. Everything unfolded from there with countries including Morocco, Tunisia, Ethiopia and a bunch of others also using it," Claudio explained.
"So many countries are now using these technologies that it would actually be easier to think about the ones who are not. If you put a red dot in a map for every country using it, the view is quite shocking. Some examples are Bahrain, Morocco, the UAE, Oman, Ethiopia, Sudan, Uzbekistan, Kazakhstan, Azerbaijan, Indonesia, Malaysia, Australia, India, Mexico, Panama, UK, Germany, amongst others," Claudio said.
The Coalition Against Unlawful Surveillance Exports, of which Amnesty International is a member, estimates the annual global trade in surveillance technologies to be worth US$5 billion and growing.
One of the firms that has been developing these types of spyware is FinFisher, a German firm that used to be part of UK-based Gamma International. They developed the spyware FinSpy which can be used to monitor Skype conversations, extract files from hard discs, record microphone use and emails, and even take screenshots and photos using a device’s camera.
According to research carried out by Citizen Lab and information published by WikiLeaks, FinFisher was used to spy on prominent Bahraini human rights lawyers and activists, including some living in the UK.
Saeed Al-Shehabi, a Bahraini political activist currently living in the UK, is one of those targeted by FinSpy. In July 2014, Privacy International published information pointing to Gamma International’s sales of software services to the Bahraini authorities.
"We knew that the Bahraini authorities spied on activists in Bahrain but we didn’t think it was possible for them to do it here in the UK too. I’m scared because you never know how much information they have on you, how they can distort it and use it. This makes you feel very unsafe. Detekt seems like a very useful tool. It is priceless for activists like me," Saeed said.

Security vs human rights

Organizations working against unlawful targeted surveillance are often accused of developing tools that could hinder legitimate government work against organized crime.
But experts like Claudio argue that the problem is the near absolute lack of control, legal frameworks and guidelines for the use of these intrusive technologies.
"There’s no transparency on how these technologies are being used, by whom and in what kinds of circumstances. The only thing we know is that they are being used a lot to stop activists and journalists. We want to initiate a debate to try and understand how things actually work because everything is being done in secret. We need more transparency on that, on the legal, moral and political implications of the use of these technologies," Claudio said.
The hope is that Detekt will not only provide human rights defenders, journalists, lawyers and activists with some sense of security but also open a debate on the broader need for regulation of the development, sale and use of surveillance technology.
“The surveillance technology market is out of control. We desperately need strong legal regulations to bring it in line with human rights standards. The negative consequences and dangers of the uncontrolled use of these powerful technologies are enormous and they need to be controlled,” said Marek Marczynski.

Before proceeding with the download, make sure you have read all the instructions and disclaimers. Currently, Windows 8.1 is not supported.

Please beware that Detekt is a best effort tool. While it may have been effective in previous investigations, it does not provide a conclusive guarantee that your computer is not compromised by the spyware it aims to detect. The tool is provided as is, without warranties or guarantees of any kind.
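The "best effort" caveat above is worth seeing in code. The Python below is an added example written for this page, not Detekt's own code (Detekt scans the memory of a running Windows system against Yara rules); it shows the same idea in miniature: byte-pattern rules, with one-byte wildcards, matched against a memory image. The rules, the planted "implant" bytes and the memory image are all constructed for the demonstration, and the second run shows why a one-byte change in the implant is enough to produce a clean result that proves nothing.

```python
from typing import Dict, List, Optional

# Constructed rules for the demonstration, not real spyware indicators.
# Each rule is a name and a list of hex patterns; "??" is a one-byte wildcard.
RULES: Dict[str, List[str]] = {
    "demo_implant_code": ["6a 00 68 ?? ?? 40 00 e8"],             # push 0; push imm32; call
    "demo_implant_string": ["5f 5f 64 65 6d 6f 5f 63 32 5f 5f"],  # "__demo_c2__"
}


def parse_pattern(hex_pattern: str) -> List[Optional[int]]:
    """'6a 00 ?? 40' -> [0x6a, 0x00, None, 0x40]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def find_all(image: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Every offset at which the pattern matches; wildcards match any byte."""
    n = len(pattern)
    return [
        off for off in range(len(image) - n + 1)
        if all(p is None or image[off + i] == p for i, p in enumerate(pattern))
    ]


def scan_memory(image: bytes, rules: Dict[str, List[str]] = RULES) -> Dict[str, List[int]]:
    """Return {rule_name: [offsets]} for every rule with at least one hit
    (Yara's 'any of them' semantics: one pattern is enough)."""
    hits: Dict[str, List[int]] = {}
    for name, patterns in rules.items():
        offsets: List[int] = []
        for pat in patterns:
            offsets += find_all(image, parse_pattern(pat))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def verdict(image: bytes) -> str:
    """Wording matters: a miss is 'nothing known found', never 'clean'."""
    hits = scan_memory(image)
    if hits:
        return "infected: " + ", ".join(f"{k}@{v}" for k, v in hits.items())
    return "no known signature found; this does not prove the system is clean"


def build_demo_image(tampered: bool = False) -> bytes:
    """Constructed 'process memory': filler plus a planted implant sample.
    With tampered=True one byte of each planted artefact is changed, the kind
    of difference a recompiled variant shows, and the rigid signatures miss it."""
    code = bytes.fromhex("6a006812344000e8")   # matches demo_implant_code
    marker = b"__demo_c2__"                     # matches demo_implant_string
    if tampered:
        code = code[:-1] + b"\xe9"              # call -> jmp: one byte differs
        marker = marker.replace(b"c2", b"c3")   # one byte differs
    return b"\x00" * 64 + code + b"A" * 32 + marker + b"\x00" * 16


if __name__ == "__main__":
    print(verdict(build_demo_image()))                # infected: ...
    print(verdict(build_demo_image(tampered=True)))   # no known signature found; ...
```

Signature scanning is cheap and explains why the tool "may have been effective in previous investigations": it finds the samples the rules were written from. It does not find what the rules have never seen, which is exactly the situation an activist targeted with a fresh build is in.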

Monday 24 November 2014

The Ghost of Christmas Yet to Come

Attention holiday shoppers, beware of cyber criminals who are out to steal money and personal information. Scammers use many techniques to defraud consumers, from phishing e-mails offering too good to be true deals on brand-name merchandise to offering quick cash to victims who will re-ship packages to additional destinations. Previously reported scams are still being executed today.

Consider these stats

  • During the Christmas period of 2013, online spending was about £13 billion (over US$20 billion), according to Sage Pay.
  • In the UK in 2013, 61% of people did at least half of their Christmas shopping online. This is only set to increase.
  • In 2014, 95% of online shoppers will use companies’ click-and-collect services.
  • eBay expected 2.7 million Christmas-related searches in August (yes, August!).
  • Some e-commerce businesses achieve 80% of their total annual revenue during the Christmas period.
While monitoring credit reports on an annual basis and reviewing account statements each month is always a good idea, all of us should keep a particularly watchful eye on our personal credit information at this time of year. Scrutinizing credit card bills for any fraudulent activity can help to minimize any losses. Unrecognizable charges listed on a credit card statement are often the first time consumers realize their personally identifiable information has been stolen.

Bank transactions and correspondence from financial institutions should also be closely reviewed. Bank accounts can often serve as a target for criminals to initiate account takeovers or commit identity theft by creating new accounts in the victims’ name. Consumers should never click on a link embedded in an e-mail from their bank, but rather open a new webpage and manually enter the URL (web address), because phishing scams often start with phony e-mails that feature the bank’s name and logo.

When shopping online, make sure to use reputable sites. Often consumers are shown specials on the web, or even in e-mail offers, that look too good to be true. These sites are used to capture personally identifiable information, including credit card numbers, addresses and phone numbers to make fraudulent transactions. It’s best to shop on sites with which you are familiar and that have an established reputation as trusted online retailers.

If you look for an item or company name through a search engine site, scrutinize the results listed before going to a website. Do not automatically click on the first result, even if it looks identical or similar to the desired result. Many fraudsters go to extreme lengths to have their own website appear ahead of a legitimate company on popular search engines. Their website may be a mirrored version of a popular website, but with a slightly different URL.

Purchases made on these sites could result in one or more of the following consequences: never receiving the item, having your credit card details stolen, or downloading malware to your computer. Before clicking on a result in a search engine, inspect the URL of the destination website. Look for misspellings or extra characters in the domain name, such as an added period, hyphen or word, as these are indicative of fraud. When taken to the payment page of a website, verify the URL again and check that it starts with "https", not just "http". Note that "https" only means the connection to that site is encrypted; a fraudulent site can obtain a valid certificate too, so the domain name itself still has to be the right one.
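The checks in the two paragraphs above can be partly mechanised. The Python below is an added example written for this page, not code from the original post: given a link, it flags a non-HTTPS scheme, credentials smuggled in before an "@", internationalised hostnames, and hostnames that are a close edit of, or merely contain, a trusted shop's name. The list of trusted shops is constructed for the demonstration; in practice it would be the handful of retailers and banks you actually use.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed list of shops the user actually trusts (demo values).
KNOWN_SHOPS = ["example-shop.com", "bank.example"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels. Good enough for the demo; a real tool would consult
    the public suffix list so that e.g. 'shop.co.uk' is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url: str, known: List[str] = KNOWN_SHOPS) -> List[str]:
    """Return a list of warnings; an empty list means nothing suspicious found."""
    warnings: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not https: the page is not encrypted in transit")
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    # Punycode or raw non-ASCII labels: possible homograph of a familiar name.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised hostname: may be a homograph of a known name")
    # 'https://bank.example@evil.com/': everything before '@' is ignored by the browser.
    if parts.username or parts.password:
        warnings.append(f"credentials embedded before '@': the real host is {host}")

    reg = registrable_domain(host)
    if reg in known:
        return warnings  # exactly a trusted domain, or a subdomain of one
    for good in known:
        d = levenshtein(reg, good)
        if 0 < d <= 2:
            warnings.append(f"'{reg}' is {d} edit(s) from trusted '{good}': likely lookalike")
        elif good.split(".")[0] in host:
            warnings.append(f"'{host}' contains the brand '{good}' but is not that domain")
    return warnings


if __name__ == "__main__":
    for u in ["https://www.example-shop.com/checkout",
              "http://example-shop.com/",
              "https://examp1e-shop.com/pay",
              "https://www.bank.example.evil.com/login",
              "https://bank.example@evil.com/"]:
        print(u, "->", inspect_url(u) or "ok")
```

The "brand name inside a longer hostname" check is the one that catches the most common holiday phishing link, because the visible part of a long URL on a phone is often just the familiar prefix.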

Here are some additional tips you can use to avoid becoming a victim of cyber fraud:
  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail. Ask yourself: "Why am I being asked to click here?" If you’re not sure, don’t click!
  • Be cautious of e-mail claiming to contain pictures in attached files; the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible. Ask yourself: "Does this look authentic?"
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail to the link you are actually directed to and determine if they match and will lead you to a legitimate site.
  • Log on directly to the official website for the business identified in the e-mail instead of "linking" to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
  • Contact the actual business that supposedly sent the e-mail to verify that the e-mail is genuine.
  • If you are requested to act quickly or there is an emergency that requires your attention, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
  • Remember if it looks too good to be true, it probably is not.

For organisations:
  • Ensure your staff are educated ahead of the Christmas period. Phishing presents as much danger to businesses as it does individuals.
  • Get a penetration test now before the Christmas period to test the security of your networks and systems.

Security Concerns Impede the Use of Electronic Transactions

European consumers remain wary of online shopping and online transactions, even though both categories have grown significantly in recent years. According to research by Kaspersky Lab and B2B International, 44% of European Internet users feel vulnerable when shopping or paying online. Meanwhile, 38% of users said they would use electronic payment systems more often if they felt protected from digital scams. Given these attitudes, there appears to be a lack of trust in the security measures taken by providers of electronic payment.

The research shows that 62% of Europeans are afraid of financial fraud on the Internet, and it points to many situations in which users do not feel comfortable. For example, 34% of Europeans who make online payments feel that even the official mobile applications of financial companies need more protection measures to provide real security. Moreover, 44% said they had abandoned an electronic payment midway because they doubted the safety of the transaction.

The level of protection against digital fraud is an important criterion for users when choosing an online store or a financial service. 61% of the Europeans surveyed said they would prefer companies that offer additional security measures to protect their financial data. Furthermore, 71% expect banks, electronic payment systems and online stores to protect consumers' computers and portable devices from financial fraud.

At the same time, many users know they need to implement their own security measures in addition to those provided by payment service providers. While 22% of users assign full responsibility for the security of financial transactions to banks, and 14% believe that users themselves are solely responsible for their protection, the majority (59%) of respondents believe that financial data should be the responsibility of both. This suggests that users are willing to accept new tools from financial institutions that help them deal with online fraud, as they understand their own share of the responsibility.

According to Kaspersky's analysts, this reluctance hinders the growth of the electronic transactions industry. To encourage active use of electronic payments, banks, online stores and e-payment systems need to assure users that they are safe from digital criminals. One option for payment service providers is to offer additional layers of protection against financial fraud attempts, designed specifically for the safety of online or mobile banking and payments. The presence of this additional protection reassures users directly, giving them confidence that their money is safe.

Friday 21 November 2014

Let's Make HTTPS the Standard and not the Exception

On November 18th, EFF announced Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.

Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default. With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In tests conducted by EFF, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of Let's Encrypt agent software.

Let’s Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates. It will use a protocol called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. It will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue.
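What an ACME domain-validation exchange looks like, as an added example and not Let's Encrypt's code: this page describes the 2014 draft, so the Python below follows the HTTP-01 challenge as it was later standardised in RFC 8555, which is an assumption about the shape of the protocol rather than a description of the preview agent. The CA issues a random token; the web server proves control of the domain by publishing token.thumbprint, where the thumbprint is the RFC 7638 hash of the account's public key, at a well-known path; the CA fetches it and compares. Network I/O is replaced by an in-memory dictionary standing in for the web server's document root, and the account keys are constructed JWK dictionaries with made-up coordinates, not real keys.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    member names in lexicographic order, serialised with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_url(domain: str, token: str) -> str:
    """Where the CA will look for the response (plain HTTP, port 80)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


class CA:
    """The CA side: hands out a token, later checks what the domain serves."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str], str] = {}  # (domain, token) -> expected thumbprint

    def new_challenge(self, domain: str, account_jwk: Dict[str, str]) -> str:
        token = b64url(secrets.token_bytes(32))       # unguessable, single use
        self.pending[(domain, token)] = jwk_thumbprint(account_jwk)
        return token

    def validate(self, domain: str, token: str, webroot: Dict[str, str]) -> bool:
        expected = self.pending.get((domain, token))
        if expected is None:
            return False                               # unknown or replayed token
        served: Optional[str] = webroot.get(challenge_url(domain, token))  # stands in for an HTTP GET
        if served is None:
            return False
        # Key authorization = token "." thumbprint(account key); constant-time compare.
        return hmac.compare_digest(served, f"{token}.{expected}")


class Client:
    """The web server / ACME client side."""

    def __init__(self, account_jwk: Dict[str, str]) -> None:
        self.jwk = account_jwk

    def respond(self, domain: str, token: str, webroot: Dict[str, str]) -> str:
        key_authz = f"{token}.{jwk_thumbprint(self.jwk)}"
        webroot[challenge_url(domain, token)] = key_authz   # 'write the file'
        return key_authz


def run_exchange(domain: str, client_jwk: Dict[str, str],
                 registered_jwk: Optional[Dict[str, str]] = None) -> bool:
    """Full exchange; True if the CA accepts. registered_jwk is the account
    key the CA associates with the challenge (defaults to the client's own)."""
    ca = CA()
    webroot: Dict[str, str] = {}
    token = ca.new_challenge(domain, registered_jwk or client_jwk)
    Client(client_jwk).respond(domain, token, webroot)
    return ca.validate(domain, token, webroot)


# Constructed account keys: P-256 public coordinates with made-up values (demo only).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}

if __name__ == "__main__":
    print(run_exchange("example.com", ACCOUNT_JWK))               # True
    print(run_exchange("example.com", OTHER_JWK, ACCOUNT_JWK))    # False
```

The second run shows what the thumbprint buys: the response is bound to the account that requested the challenge, so a key authorization written by, or replayed from, a different account key is rejected even though it sits at the right path. Real validation adds what this sketch omits: the CA fetches from several network vantage points, follows only limited redirects, and issues only after the rest of the order (CSR, identifiers) checks out.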

The Let’s Encrypt CA will be operated by a new non-profit organization called the Internet Security Research Group (ISRG). EFF helped to put together this initiative with Mozilla and the University of Michigan, and it has been joined for launch by partners including Cisco, Akamai, and IdenTrust.

The core team working on the Let's Encrypt CA and agent software includes James Kasten, Seth Schoen, and Peter Eckersley at EFF; Josh Aas, Richard Barnes, Kevin Dick and Eric Rescorla at Mozilla; and Alex Halderman and James Kasten at the University of Michigan.

Thursday 20 November 2014

The Imitation Game: Historical Figures of Cryptanalysis

The Imitation Game was released in the United Kingdom on 14 November 2014, and will be released theatrically in the United States on 28 November 2014. The film portrays the race against time by Alan Turing and his team of code-breakers at Britain's top-secret Government Code and Cypher School at Bletchley Park, during the darkest days of World War II. The motley group of scholars, mathematicians, linguists, chess champions and intelligence officers had a powerful ally in Prime Minister Winston Churchill who authorized the provision of any resource they required. The film spans the key periods of Turing's life: his unhappy teenage years at boarding school; the triumph of his secret wartime work on the revolutionary electro-mechanical bombe that was capable of breaking 3,000 Enigma-generated naval codes a day; and the tragedy of his post-war decline following his conviction for gross indecency, a now-outdated criminal offence stemming from his admission of maintaining a homosexual relationship.

Rating films is not in the scope of this blog, so we will deal with two of the characters who are legends in information security history.

Alan Turing (Benedict Cumberbatch)

Alan Mathison Turing, OBE (Officer of the Order of the British Empire), FRS (Fellow of the Royal Society) (23 June 1912 – 7 June 1954) was a British mathematician, logician, cryptanalyst, philosopher, pioneering computer scientist, mathematical biologist, and marathon and ultra distance runner. He was highly influential in the development of computer science, providing a formalisation of the concepts of "algorithm" and "computation" with the Turing machine, which can be considered a model of a general purpose computer. Turing is widely considered to be the father of theoretical computer science and artificial intelligence.

During World War II, Turing worked for the Government Code and Cypher School (GC&CS) at Bletchley Park, Britain's codebreaking centre. For a time he led Hut 8, the section responsible for German naval cryptanalysis. He devised a number of techniques for breaking German ciphers, including improvements to the pre-war Polish bomba method, an electromechanical machine that could find settings for the Enigma machine. Winston Churchill said that Turing made the single biggest contribution to Allied victory in the war against Nazi Germany. Turing's pivotal role in cracking intercepted coded messages enabled the Allies to defeat the Nazis in several crucial battles. It has been estimated that Turing's work shortened the war in Europe by as many as two to four years.

After the war, he worked at the National Physical Laboratory, where he designed the ACE, among the first designs for a stored-program computer. In 1948 Turing joined Max Newman's Computing Laboratory at Manchester University, where he assisted development of the Manchester computers and became interested in mathematical biology. He wrote a paper on the chemical basis of morphogenesis, and predicted oscillating chemical reactions such as the Belousov–Zhabotinsky reaction, first observed in the 1960s.

Turing was prosecuted in 1952 for homosexual acts, when such behaviour was still criminalised in the UK. He died in 1954, 16 days before his 42nd birthday, from cyanide poisoning. An inquest determined his death a suicide; his mother and some others believed it was accidental. On 10 September 2009, following an Internet campaign, British Prime Minister Gordon Brown made an official public apology on behalf of the British government for "the appalling way he was treated." The Queen granted him a posthumous pardon on 24 December 2013.

Joan Clarke (Keira Knightley)

Joan Elisabeth Lowther Murray, MBE (Member of the Order of the British Empire) (née Clarke; 24 June 1917 – 4 September 1996) was an English cryptanalyst and numismatist. She worked as a code-breaker at Bletchley Park during World War II. She was born in West Norwood, London, the youngest child of Dorothy (née Fulford) and the Rev William Kemp Lowther Clarke, a clergyman. She had three brothers and one sister.

She attended Dulwich High School for Girls in south London and won a scholarship to Newnham College, Cambridge, where she gained a double first degree in mathematics and was a Wrangler.

Clarke and fellow code-breaker Alan Turing became very good friends at Bletchley Park. Turing would arrange their shifts so they could work together, and they spent a lot of their free time together. In the spring of 1941, Turing proposed marriage to Clarke and subsequently introduced her to his family. After admitting his homosexuality to his fiancée, who was reportedly "unfazed" by the revelation, Turing decided that he could not go through with the marriage and he broke up with Clarke in the summer of 1941. After the war Clarke continued to work for GC&CS (renamed GCHQ in 1946), where she met Lieutenant-Colonel John Kenneth Ronald Murray, whom she married. Shortly after their marriage John Murray retired due to ill health and the couple moved to Crail in Scotland. They both returned to work at GCHQ in 1962, where Clarke remained until she retired in 1977, aged 60.

Following her husband's death in 1986, Clarke moved to Headington, Oxfordshire, where she continued her research into coinage. During the 1980s she assisted Sir Harry Hinsley with the appendix to volume 3, part 2 of British Intelligence in the Second World War. She assisted historians studying war-time code breaking at Bletchley Park. Due to continuing secrecy among cryptanalysts, the full extent of her accomplishments remains unknown. On 4 September 1996, Joan Clarke Murray died at her home in Headington.

Wednesday 19 November 2014

ENISA Set to Establish a Framework for Cyber Security Competitions


Today the European Union Agency for Network and Information Security (ENISA) announced the planning of the 1st pan-European Cyber Security Competition in 2015. The competition, aimed at students, is organised jointly with experienced organisations from EU Member States.

The Organizing Committee of the 1st pan-European Cyber Security Challenge is composed of the following representatives:
  • Norbert Pohlmann - Cyber Security Challenge Germany;
  • Joe Pichlmayr - Cyber Security Challenge Austria;
  • Andrei Avădănei - DefCamp Romania;
  • Raúl Riesco - INTECO Spain;
  • Okonweze Austen - Cyber Security Challenge UK;
  • Bernhard Tellenbach - Swiss Cyber Storm;
  • Demosthenes Ikonomou - ENISA; and
  • Rafael Tesoro-Carretero - EC DG CONNECT.
Cybersecurity competitions — the status in Europe

ENISA has also published a new report analysing the current situation of cybersecurity-challenge competitions in Europe. The experience gathered constitutes the basis for the development of the pan-European competition on cybersecurity.

The European Cyber Security Challenge Competition 2015 aims to be the result of a public–private partnership composed of capable players, aiming at improving the ICT educational approach to Europe’s digital citizens.

The report provides a general overview of existing cybersecurity-challenge competitions in Member States and outlines a roadmap for a future pan-European cyber-challenge competition. The first part presents the experience of five countries, while the second is a short ‘how to’ guide containing the steps in organising a challenge. The third part gives details on concrete developments concerning a pan-European challenge. The last part of the report contains several recommendations that should be taken into account. Graphics providing additional content are provided in the annex.

Tuesday 18 November 2014

Overview of advanced persistent threats (APT) in the first half of 2014

The Advanced Threat Report for EMEA provides an overview of the advanced persistent threats (APT) targeting computer networks that were discovered by FireEye during the first half of 2014 in EMEA. Motivated by numerous objectives, threat actors are evolving the level of sophistication to steal personal data and business strategies, gain a competitive advantage or degrade operational reliability.
This report summarizes first-half-2014 data gleaned from the company's Dynamic Threat Intelligence (DTI) cloud.
Based on this information and insight, the company reports the following:
  • Malware attacks—especially advanced targeted attacks—have nearly doubled in the first half of 2014
  • The UK and Germany were the most targeted countries
  • Government, financial services, telecommunications and energy were the most targeted verticals.
Government, Financial Services and Telecom organizations represent more than 50% of total APT detections, and all are considered strategic industries.

Non-targeted cybercrime is a growing and serious risk to individuals and organisations in EMEA. As stated in the report, the authors behind two popular remote access tools (RATs), njRAT and h-w0rm, likely reside in Kuwait and Algeria. While both tools have been used in targeted attacks against companies in the energy and telecommunications sectors, they have also been used in run-of-the-mill phishing and cybercrime attacks. Cyber criminals often harvest credentials or financial information by logging keystrokes or grabbing credentials stored by a web browser. FireEye expects that high-profile organisations in the Middle East and North Africa, particularly government and military entities, face a high risk of being targeted by hacktivists based inside and outside the region.


Saudi Arabia, Turkey and Qatar (not displayed on the map) have a 10%, 9% and 5% detection rate respectively.

The report concludes with five success factors:

  1. Assume that you and your organisation are targets and that your existing security controls can be bypassed
  2. Establish a cyber-risk framework that enables the business, with board-level sponsorship
  3. Establish an incident response/management service in a SOC/CIRT team, so that an APT event can be detected and reacted to quickly
  4. Enhance your visibility with external threat intelligence, to understand who might attack you and the tools, techniques and procedures they use
  5. Bring in the right technology to identify an APT.

Monday 17 November 2014

Fraud Quiz #01


Test your resolve against fraud. Answer 10 questions about fraud and scams and post your score in the comments section. It is not a contest, so you don't have to be competitive.

House rules

  • Use the Student login tab and just give a nickname.
  • You must finish the test to record your score.
  • You can take the test as many times as you want, but please post your score only once.
By pressing Start, you will be redirected to https://testmoz.com/ to take the quiz.

Good luck!

Sunday 16 November 2014

Startups Awarded in Cyber Security & Privacy, by EIT ICT Labs

It is a big challenge to protect security and privacy of enormous amounts of data being collected, processed and stored in the cyber space. Lack of timely technical solutions may put at risk privacy and liberty of citizens and may endanger the growth of ICT-enabled products and services, whereas security breaches can have significant negative impact on people’s lives, jobs and property. The existing gaps between currently available techniques and the situation in practice should be filled by innovative solutions following the "privacy & security by design" paradigm.
This can stimulate innovative applications, e.g. related to social networks, e-payment, e-voting, e-health, smart spaces and smart energy, as well as cloud computing, big data and Internet of Things. Special attention should be devoted to privacy-preserving digital identity management, user profiling, intrusion detection and prevention and protection against malicious software, especially for mobile platforms and applications.

From 479 teams across the EU that applied for the Idea Challenge in autumn, 230 ideas addressed the topics Internet of things and Cyber Security & Privacy. On November 13th, the best 21 startups in these two categories were invited to present their ideas at pitch finals in Trento and Stockholm. At these events, which were initiated by EIT ICT Labs and its partners Trento Rise and STING, a jury consisting of industry experts, investors, business accelerators, and entrepreneurs selected the best six teams based on the quality of innovation and their respective business model.

EIT ICT Labs is one of the first Knowledge and Innovation Communities set up by the European Institute of Innovation and Technology, as an initiative of the European Union. By linking education, research and business, EIT ICT Labs empowers ICT top talents for the future and brings ICT innovations to life. EIT ICT Labs’ partners represent global companies, leading research centres, and top ranked universities in the field of ICT.

Cyber Security & Privacy

First place, 40,000 €: CHINO - from Italy - provides secure and regulatory-compliant data storage for mobile health applications, so that application developers can focus on their users' needs.

Second place, 25,000 €: Cleafy - from Italy - defends and certifies web-page source-code integrity in real time.

Third place, 15,000 €: Sentryo - from France - protects critical industrial networks against cyber attacks and gives network managers full situational awareness.

Smartphones, Tablets and Fraud

Consumers rely on their mobile devices more and more to keep them connected. Smartphones and tablets give them access to each other through email, messaging and social media while also putting financial services and shopping in the palm of their hands. Each of these activities holds value for criminals in search of account credentials and PII to sell or misuse. Unfortunately, for all the potential that mobile devices represent, the apathy of every mobile stakeholder is undermining the security of the devices and of their users' accounts. Protecting Android, iOS and Windows mobile users from fraud will require a concerted effort by all stakeholders to eliminate vulnerabilities, encourage security-minded behavior and leverage all the security benefits that mobile devices have to offer.
The study, conducted by Javelin Strategy & Research and sponsored by the online authentication firm Nok Nok Labs, polled more than 5,600 U.S. adults in 2013 about their mobile habits on Android, iOS and Windows devices.

Key Findings

Android, iOS, and Windows mobile users are undermining their security by reusing passwords more often than the average consumer. These mobile users are about 25% more likely than all consumers to use the same password to access more than one online account. This motivates criminals to target them and their devices to secure credentials with the expectation that they will facilitate access to a variety of the victim’s valuable accounts and services.
Heavy reliance on one-time passwords is placing Android users' financial accounts at risk. 41% of Android users use one-time passwords (OTPs) with their financial accounts, and the prevalence of Android malware capable of intercepting OTPs sent by text message (SMS) is contributing to the rate of fraud these users experience.

Mobile users prefer fingerprint authentication, which bodes well for Apple and Samsung. Among the prevailing biometric modalities, fingerprint scanning is the one preferred by Android, iOS and Windows mobile users. Recent moves by Apple and Samsung to expand fingerprint-based authentication are likely to be well received and will further bolster the preference for this modality.

One in five or fewer Android, iOS or Windows mobile device users are truly protecting their data from physical intrusion. Using a password, or better yet a fingerprint, to protect the lock screen can deter some attempts to physically access a device, but more safeguards are needed to dissuade professional criminals. Unfortunately the use rates of remote wipe software and disk
Mobile users desperately want to protect their devices from vulnerabilities in outdated OSs, but updates are not always convenient or available. Updating the OS can be hampered by limited availability from carriers and manufacturers in the case of Android or because of how an update has the potential to undermine performance after installation in the case of iOS.
Android and iOS users face a significantly higher rate of fraud than the average consumer, but the reasons differ. Users in both camps display similarly poor password and security habits, which are contributing to their risk of being victimized. More specifically, it is mobile malware that is spurring the fraud experienced by Android users, while the attractiveness of iOS users’ income has placed them in the crosshairs of fraudsters.
Passwords are the typical first line of defense for online accounts, and in some cases the only thing standing between an account and unauthorized access. Given the breadth of apps and services at mobile users' fingertips that require a password, it is unsurprising that security has taken a back seat to convenience. Mobile users have fallen into the "password trap", reusing the same passwords across multiple sites and services, and as a result expose their online accounts to a greater risk of compromise and eventual misuse.
Ultimately, the multitude of threats facing mobile devices and the habits of their users are conspiring to create an environment where fraud can flourish. Not every device owner experiences fraud at similar rates, though:
  • Among Windows mobile device users, 4.8% experienced identity fraud in 2013, 10% below the rate at which all consumers were victimized (5.4%). This can partly be attributed to the smaller share of the mobile device market they represent, which makes them less attractive targets, but could also result from other factors such as the non-SMS-based two-factor authentication common to Microsoft services like Outlook.
  • Android users face the most serious threat from malware and place their financial accounts at risk when relying on SMS-based OTPs for authentication, both of which contribute to an identity fraud rate 31% higher than that of all consumers last year (7.1% vs. 5.4%).
  • Despite owning devices far less prone to malware infection than Android, 7.3% of iOS users experienced identity fraud, a rate 36% higher than average (5.4%). This is because of their substantial market share, which makes them higher-profile targets, the use of Apple services, which rely heavily on a single set of credentials, and higher-than-average incomes, which make them more attractive to fraudsters.
For more details read the full Javelin report titled SMARTPHONES, TABLETS, AND FRAUD: When Apathy Meets Security

Saturday 15 November 2014

eConference on Mobile Security

SC Magazine UK  is running a Mobile Security eConference on 25th November 2014. Best of all it's FREE! As a cherry on top, if you are a CISSP or SSCP you can get some CPE credits.

Attackers follow the money, or in infosec terms, the data. That makes mobile an attractive target: data is increasingly going mobile, with mobile banking, social networking, web surfing and the blurring of work and personal use, and the device doubles as a tracking device with a microphone and camera. So what are the issues? First comes policy: whether it's BYOD, CYOD, BYOE or any of the other acronyms that have sprung up, and how we tackle the issues each of them raises. Then there is the device, the operating system and the apps that run on it, and how to integrate them into our overall security approach and risk appetite. What do we do to prevent data leakage, whether accidental or deliberate, and how do we secure data beyond the perimeter? And finally, what are we going to do about Google Glass and other wearable technology?

Registration is quick, simple and - did I mention it - free. After you register, you will be able to log in to the event starting at 07:00 AM EST on Nov 25, 2014.

Friday 14 November 2014

What does Trust look like?

A trustmark is a sign displayed on an eCommerce website whose purpose is to provide an independent guarantee of the trustworthiness and reliability of the webshop.

The aim of trustmarks is to guarantee the quality and security of the online transaction. In some countries there are trustmarks and trustmark providers that tell consumers whether a website complies with a certain set of rules. Trustmarks can be certified under a national certification scheme supervised by the competent authority, or based on mutual agreements. They can boost consumer confidence in cyberspace, but trustmark schemes are often unknown to consumers. As a result, consumers in the EU can find it difficult to identify reputable e-merchants in other EU markets and are therefore reluctant to shop online from another country.

The Digital Agenda for Europe clearly pursues the creation of an online internal market, putting in place policies fostering cross-border eCommerce in the EU. One of the key factors of eCommerce, be it cross-border or at national level, is trust between the parties: the purchaser and the merchant. Trustmarks can play a role in establishing trust relations. Trustmarks are especially useful for smaller e-shops that are not (yet) a strong online brand of their own.

The e-Mark U Trust Competition invited design and art students from all over the European Union to submit their most innovative designs: a simple, original and clever trustmark that conveys a sense of trust and reassurance and signals that Internet users can carry out their online transactions in a safe, convenient and secure way. By the deadline of 15 September 2014, 95 logos had been submitted. The winner and the final ranking will be announced in 2015.

The three finalists, in random order, are:

  • Image by ELSE
  • Image by EUSAFE
  • Image by Noblesse Oblige

Remember, in a few months one of these will be a medal of honor for any site capable of earning it!

Monday 10 November 2014

Biometrics


Signature is the oldest method of authentication and is therefore widely accepted as a biometric. There are two subtypes of signature verification system, static and dynamic. In the dynamic subtype, speed, velocity, pressure, pen angle and the number of times the pen is lifted from the pad are measured, while the static subtype uses only the image of the signature. Dynamic signature verification is more secure and reliable than static. Shortcomings of signature biometrics include inconsistency: signatures lack permanence, meaning they may change under the influence of illness, emotion, age, etc. These systems perform only in verification mode (1:1), not in identification mode (1:N).

Fingerprint verification has the advantage that no two individuals possess the same fingerprints, not even identical twins, but it suffers from a few disadvantages. Dry, wet, damaged or dirty skin may affect the quality of the print. With fingerprints, the attacking technology is as cheap as the defending technology, as many successful attacks have shown: Tsutomu Matsumoto of Yokohama National University fooled numerous fingerprint-based biometric systems into accepting fake fingers made of gelatin, with a success rate of around 80%. It is also difficult to acquire fingerprint features from some groups of people, such as manual laborers or the elderly. In spite of these shortcomings, fingerprint recognition algorithms continue to be researched because of their wide applicability; in forensic scenarios, for instance, latent prints are often the only trace available for identification.

Because a palmprint covers a wider area than most other biometric traits, it can still be used under adverse conditions such as burns, boils, cuts, dirt and oil stains on the palm, or when the palm texture has faded through heavy manual work.

Hand geometry systems measure geometric features such as the thickness and width of the palm and the length and width of the fingers. Because of their adaptability and the ease of measurement and storage, hand geometry systems are more widely accepted than fingerprint-based ones. But because the trait is not very distinctive, it is suitable only for verification and fails in identification mode, with a high number of false positives. It is therefore usually combined with another biometric trait for strong authentication.

Hand vascular pattern recognition uses infrared light to image a person's vein pattern in the face, wrist or hand; veins are stable throughout life. The vein pattern recorded by a device such as a video camera serves as a personal code that is very hard to duplicate. The biometric needs no physical contact with the sensor, is convenient, and shows no performance degradation even with scars or a dirty hand, which makes it a reliable physiological biometric.

From simple edge-based algorithms to advanced pattern recognition methods, a wide range of techniques has been proposed for face recognition. Many existing techniques succeed with frontal faces of similar size and even with distorted facial images. In reality this assumption may not hold: the human face is dynamic and its appearance highly variable, which makes face detection an intricate problem in computer vision. Changing hairstyles, beards, moustaches and aging only make reliable face recognition harder. Bruce Schneier, in his book "Beyond Fear", did the math: even if a face recognition system is 99.9% accurate, it would still generate 10,000 false alarms for every single real terrorist among 10 million civilians.
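The arithmetic behind two of the claims above, as an added example that is not code from the excerpted book: why a trait whose false-accept rate is acceptable for 1:1 verification (the hand geometry case) degrades as the enrolled gallery grows, and Schneier's base-rate point that a 99.9%-accurate screen still floods operators with false alarms when the target is rare. The rates fed in are illustrative inputs chosen for the demo, not measured figures for any real system; the independence assumption between comparisons is also a simplification.

```python
"""Added example (not from the excerpted book): error arithmetic for
1:1 verification versus 1:N identification, plus the base-rate fallacy
behind Schneier's face-recognition numbers. All rates below are
illustrative inputs, not measurements of any real system."""
import math


def identification_far(far_1to1: float, gallery_size: int) -> float:
    """False-accept rate of a 1:N search.

    An impostor is accepted if they match *any* of the N enrolled
    templates. Treating the N comparisons as independent, each with
    false-accept rate far_1to1, P(at least one false match) = 1 - (1-FAR)^N.
    """
    if not 0.0 <= far_1to1 <= 1.0 or gallery_size < 0:
        raise ValueError("far_1to1 must be a probability and gallery_size >= 0")
    return 1.0 - (1.0 - far_1to1) ** gallery_size


def max_gallery_size(far_1to1: float, far_budget: float) -> int:
    """Largest gallery whose 1:N false-accept rate stays within far_budget.

    Solves 1 - (1 - FAR)^N <= budget for N.
    """
    if not 0.0 < far_1to1 < 1.0 or not 0.0 < far_budget < 1.0:
        raise ValueError("rates must be strictly between 0 and 1")
    return int(math.floor(math.log(1.0 - far_budget) / math.log(1.0 - far_1to1)))


def expected_false_alarms(population: int, false_positive_rate: float) -> float:
    """Innocent people flagged when the whole population is screened."""
    return population * false_positive_rate


def alarm_precision(prevalence: float, true_positive_rate: float,
                    false_positive_rate: float) -> float:
    """P(target | alarm) by Bayes' rule: the share of alarms that are real."""
    p_alarm = prevalence * true_positive_rate + (1.0 - prevalence) * false_positive_rate
    return prevalence * true_positive_rate / p_alarm


if __name__ == "__main__":
    # Verification-grade FAR (illustrative) applied to growing galleries.
    far = 1e-4
    for n in (1, 100, 1_000, 10_000):
        print(f"gallery {n:>6}: 1:N FAR = {identification_far(far, n):.4f}")
    print("gallery size that keeps 1:N FAR under 1%:", max_gallery_size(far, 0.01))

    # Schneier's face-recognition scenario from the text.
    people, terrorists, accuracy = 10_000_000, 1, 0.999
    print("false alarms:", expected_false_alarms(people, 1 - accuracy))
    print("share of alarms that are real: "
          f"{alarm_precision(terrorists / people, accuracy, 1 - accuracy):.2e}")
```

With a 1:1 FAR of 1 in 10,000, a gallery of 10,000 templates already gives a random impostor a 63% chance of matching someone, and the gallery must stay at or below 100 templates to keep that chance under 1%. In the screening scenario, roughly one alarm in ten thousand is a real hit, which is the operational problem Schneier is pointing at.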

The iris is a thin annular structure around the pupil of the human eye. Its complex pattern is made up of many idiosyncratic features such as fibers, freckles, furrows, arching ligaments, ridges, serpentine vasculature, rings, rifts and a corona, which together form a distinctive signature for authentication. Iris patterns are highly invariant: they emerge during the eighth month of the fetal term and remain stable throughout an individual's lifetime. Reported precision figures claim successful authentication across millions of cases without a single false match. Given its non-invasive nature and affordable hardware, iris-based authentication has become an indispensable tool for many high-security applications. Naturally, neither iris nor retina recognition works for visually impaired people or people suffering from serious eye illnesses.

Retinal scanning systems use infrared illumination during acquisition and compare images of the blood vessels at the back of the eye, the choroidal vasculature. Retina recognition is not only useless for people suffering from serious eye illnesses but also raises privacy issues in case the acquired data is misused.

Complex Eye Movements (CEM) are a very recent biometric trait brought to light by Komogortsev et al. and Kasprowski et al., who carried out considerable research on CEM and reported promising results. CEM are combined with Oculomotor Plant Characteristics (OPC), a mathematical model of the eye and its associated muscles that describes how the eye responds to a stimulus. This biometric is still in its infancy but appears hard to counterfeit; whether it is easy to acquire and easy to use has yet to be shown.

Voice verification uses many characteristics of a human voice, such as frequency, nasal tone, cadence and inflection, to recognize the speaker. Voice recognition systems have the advantage that they do not require expensive input devices and can even perform recognition in the background while the person speaks, without explicitly asking users to spend time on it. But like all other biometrics, voice systems have their share of shortcomings: for instance, record-and-replay attacks against fixed-text (fixed passphrase) models, and some people can skillfully imitate others' voices. An individual's voice may also change with age, illness, mental state, etc.

Gait is the pattern of movement of the limbs of animals, including humans, during locomotion over a solid surface. Examples of gaits include jogging, running, walking, jumping, sitting down, picking up an object and climbing stairs. The reported performance of gait recognition systems is below what is required for use as a biometric, because recognition is confounded by terrain, injury, footwear, any kind of physical training and the passage of time.

Body odor is a contactless biometric that confirms a person's identity by analyzing the olfactory properties of human body scent. Cambridge University has developed electronic sensors to gather human odor, usually from non-intrusive areas such as the back of the hand. Each human smell is made up of chemicals known as volatiles; the recognition system extracts each chemical of the odor and converts it into a unique data string. However, the individual's privacy can be compromised, as body odor carries a good deal of sensitive personal information.

DNA. About 99.7% of human DNA is shared; the remaining 0.3% (around 1 million nucleotides) varies from person to person. These variable regions, called Short Tandem Repeats (STRs), can be examined to distinguish one person from another. DNA can be isolated from a sample such as saliva, blood, hair, tissue or semen. It suffers from the following complications: (i) DNA matching is not done in real time, since a physical sample must be taken, unlike other biometric systems that use an image or a recording; (ii) invasion of civil liberties; (iii) storage of DNA; and (iv) extraction and processing time. A DNA-based biometric system cannot be easily spoofed, but it is invasive and arduous to set up.


Excerpt from: "Bio-inspiring Cyber Security and Cloud Services: Trends and Innovations", by Aboul Ella Hassanien, Tai-Hoon Kim, Janusz Kacprzyk, Ali Ismail Awad  - January 1, 2014 - Springer 


Sunday 9 November 2014

Seek and Destroy: Operation WireLurker


WireLurker is malware that infects computers running Mac OS X or Windows and then spreads to iOS devices connected over USB. To do so, it installs an enterprise provisioning profile on the connected iOS device. On Windows, it only works if the iOS device is jailbroken. So far the threat has been detected in (and is presumably confined to) China.
Apple has since put countermeasures in place, but there is a slight chance that you picked up the malware before Apple took action. If you believe you are infected, follow these steps (if your device is jailbroken, follow the second set of instructions instead):
  1. Go to Settings > General > Profile.
  2. Check for any unknown profile listed here, if you find one delete it.
  3. Check installed apps for any kind of strange behavior, and delete any suspicious apps you find.

It is highly recommended that you do a complete restore of your iOS device from iTunes until a more effective and reliable remediation is available.

If you’re jail-broken and have suspicions that you are affected by WireLurker, then follow the steps outlined below. If you find the process difficult, then simply do a clean restore of your Apple device using iTunes on the latest currently available public iOS release.
  1. Install iFile (from Cydia), or any other way to SSH into your iOS device to access system directories.
  2. Navigate to: Library > MobileSubstrate > DynamicLibraries.
  3. Look for a file named sfbase.dylib, and if found, you know your device is infected.
Deleting this file does not remove the threat of WireLurker, again it is recommended that you do a complete restore of your device from iTunes.
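The two manual checks above (an unrecognised provisioning profile, and sfbase.dylib under MobileSubstrate on a jailbroken device) can be run as a script over a filesystem tree, either "/" in an SSH session on the jailbroken device or a copy of it. The following is an added example, not code from the post, from Apple or from any antivirus vendor. Two things it assumes that the post does not state: that installed profiles live under var/MobileDevice/ProvisioningProfiles, and that a profile's Name value can be read as plain text out of the signed .mobileprovision blob. The sample tree the demo builds is constructed for illustration, not taken from a real device.

```python
"""Added example (not from the post, Apple or any AV vendor): offline
triage for the two WireLurker indicators the post names. Assumptions not
in the post: the provisioning-profile directory below, and that the
profile's Name field is readable as plain text inside the signed blob."""
import os
import re
import tempfile

# Indicator taken from the post (path relative to the filesystem root).
WIRELURKER_DYLIB = "Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"
# Assumed location of installed provisioning profiles.
PROFILE_DIR = "var/MobileDevice/ProvisioningProfiles"

# The profile's plist is wrapped in a CMS signature but not encrypted, so
# the Name key/value pair can be pulled out with a byte-level regex.
_NAME_RE = re.compile(rb"<key>Name</key>\s*<string>([^<]*)</string>")


def has_wirelurker_dylib(root: str) -> bool:
    """True if the MobileSubstrate tweak the post names is present."""
    return os.path.isfile(os.path.join(root, WIRELURKER_DYLIB))


def installed_profiles(root: str) -> list[tuple[str, str]]:
    """(file name, profile Name) for each .mobileprovision under root."""
    profile_dir = os.path.join(root, PROFILE_DIR)
    if not os.path.isdir(profile_dir):
        return []
    found = []
    for file_name in sorted(os.listdir(profile_dir)):
        if not file_name.endswith(".mobileprovision"):
            continue
        with open(os.path.join(profile_dir, file_name), "rb") as fh:
            match = _NAME_RE.search(fh.read())
        name = match.group(1).decode("utf-8", "replace") if match else "<unreadable>"
        found.append((file_name, name))
    return found


def triage(root: str, expected_profiles: frozenset[str] = frozenset()) -> list[str]:
    """Return findings for a human to act on; an empty list means nothing fired.

    expected_profiles holds the Names of profiles the owner knowingly
    installed (an employer's MDM profile, say); every other profile is
    reported, since the post's advice is to delete any profile you do not
    recognise.
    """
    findings = []
    if has_wirelurker_dylib(root):
        findings.append(f"WireLurker indicator present: {WIRELURKER_DYLIB}")
    for file_name, name in installed_profiles(root):
        if name not in expected_profiles:
            findings.append(f"unrecognised provisioning profile {file_name}: {name!r}")
    return findings


def build_sample_tree(root: str, infected: bool) -> None:
    """Constructed sample data for the demo, not files from a real device."""
    profile_dir = os.path.join(root, PROFILE_DIR)
    os.makedirs(profile_dir, exist_ok=True)
    with open(os.path.join(profile_dir, "1.mobileprovision"), "wb") as fh:
        fh.write(b"\x30\x82\x01\x00<plist><dict><key>AppIDName</key><string>x</string>"
                 b"<key>Name</key><string>Acme Corp MDM</string></dict></plist>")
    if infected:
        os.makedirs(os.path.join(root, os.path.dirname(WIRELURKER_DYLIB)), exist_ok=True)
        open(os.path.join(root, WIRELURKER_DYLIB), "wb").close()
        with open(os.path.join(profile_dir, "2.mobileprovision"), "wb") as fh:
            fh.write(b"<key>Name</key><string>Unknown Enterprise Profile</string>")


def demo(infected: bool) -> list[str]:
    """Run triage over a throwaway sample tree; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, infected)
        return triage(root, frozenset({"Acme Corp MDM"}))


if __name__ == "__main__":
    for line in demo(infected=True) or ["no indicators found"]:
        print(line)
```

On a real device call triage("/", frozenset({...})) with the names of the profiles you installed yourself. As the post says, a hit on sfbase.dylib means the device is compromised and deleting the file is not a cleanup; a full restore from iTunes is.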

Saturday 8 November 2014

International Fraud Awareness Week

InfoSecLeague Joins Movement to Shine a Spotlight on Fraud
International Fraud Awareness Week kicks off Nov. 16, 2014 worldwide

Fraud costs organizations worldwide an estimated 5% of their annual revenues, according to a study by the Association of Certified Fraud Examiners (ACFE). Applied to the 2013 estimated Gross World Product, this translates to a potential global fraud loss of nearly $3.7 trillion.

The seriousness of the global fraud problem is why InfoSecLeague announced that it will be participating in International Fraud Awareness Week, Nov. 16-22, 2014, as a supporter to promote anti-fraud awareness and education. The movement, known commonly as Fraud Week, champions the need to proactively fight fraud and help safeguard business and investments from the growing fraud problem.

InfoSecLeague joins hundreds of organizations that have partnered with the ACFE, the world's largest anti-fraud organization and premier provider of anti-fraud training and education, for the yearly Fraud Week campaign.
During Fraud Week, as supporters we will engage in various activities, including: posting articles, news and fraud awareness quiz, and teaming with local media to highlight the problem of fraud.
ACFE President and CEO James D. Ratley, CFE, said that the support of organizations around the world helps make Fraud Week an effective tool in raising anti-fraud awareness.

“The latest statistics tell us that fraud isn’t going away, and companies that don’t have protective measures in place stand to lose the most,” Ratley said. “That’s why it is reassuring to me to see so many businesses, agencies, universities and other organizations involved in the Fraud Week movement. The first step in combating fraud is raising awareness worldwide that it is a serious problem that requires a proactive approach toward preventing it.”

For more information about increasing awareness and reducing the risk of fraud during International Fraud Awareness Week, visit FraudWeek.com.

The 2014 Report to the Nations is available for download online at the ACFE’s website: ACFE.com/RTTN.

About the InfoSecLeague
InfoSecLeague blog is a place of sharing ideas and experiences in the fields of Information Security, Governance and Audit. 

About the Association of Certified Fraud Examiners
Based in Austin, Texas, the ACFE is the world's largest anti-fraud organization and premier provider of anti-fraud training and education. Together with more than 70,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity of the profession. For more information, visit ACFE.com.

Friday 7 November 2014

Quiz Time #01

Test your wits against others. Answer 15 questions regarding information security and post your score at the comments section. It is not a contest so you don't have to be competitive.


House rules

  • Use the Student login tab and just give a nickname. 
  • You must finish the test to record your score. 
  • You can take the test as many times as you want, but please take it once. 
By pressing Start, you will be redirected to https://testmoz.com/ to take the quiz.

Good luck!

Monday 3 November 2014

New standards for cloud computing

The International Organisation for Standardisation (ISO) has released two new standards for cloud computing, in order to bring order to chaos.
The two standards were published by ISO on October 15th. ISO/IEC 17788, Cloud computing – Overview and vocabulary, is a 16-page overview that defines common cloud computing terms, including the cloud service categories Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), and the terminology for deployment models such as "public" and "private" cloud. The more technical ISO/IEC 17789, Cloud computing – Reference architecture, contains diagrams and descriptions of how the various aspects of cloud computing relate to one another.

National Institute of Standards and Technology (NIST), defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources...that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Whereas NIST's definition lists only three service models, Software as a Service, Platform as a Service and Infrastructure as a Service, ISO/IEC 17788 defines seven distinct cloud service categories, including Network as a Service (NaaS) and Data Storage as a Service (DSaaS). For deployment models, ISO/IEC 17788 keeps the same four that NIST's 2011 definition (SP 800-145) already lists: public, private, community and hybrid.

Complementary guidance on the hot issue of cloud security is expected at the end of 2015 in ISO/IEC CD 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud computing services. Until then, drop a comment on what you consider the main security challenge for cloud services.