Tag Archives: security

Silicon Valley’s opposition to cybersecurity bill mounts as US Senate prepares to vote

A controversial bill that aims to thwart hacking highlights the tension between the need for security and the desire for privacy.

Which matters more to you: curbing the onslaught of daily cyberattacks or protecting your online privacy?

That will be the crux of the debate Tuesday as the US Senate prepares to vote on the latest version of a controversial cybersecurity bill.

The aim of the Cybersecurity Information Sharing Act (CISA) seems straightforward. The bill’s backers say it will create a system that lets companies share evidence of hackers’ footprints with one another and the US government, without the risk of being sued for breaking privacy-protection or antitrust laws.

Proponents say CISA will make it easier for the government to coordinate threat responses among the banks, retailers, service providers and tech giants that are most often under attack. That makes sense, given that security experts for decades have been urging companies to share information about hack attacks.

Opponents, including more than 20 of the biggest companies in the tech industry, argue that the bill doesn’t do enough to protect the privacy of individuals and could lead to mass government surveillance. The Computer and Communications Industry Association trade group, which represents Amazon, Google and Microsoft among others, wrote an open letter earlier this month saying the bill doesn’t do enough to limit the government’s “permissible uses of information shared.” It could even “cause collateral harm,” the CCIA said.

Apple and file-sharing service Dropbox added their voices to the dissent last week. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy,” Apple said in a statement to the Washington Post. Security collaboration “should not come at the expense of users’ privacy,” Dropbox’s head of global public policy also told the newspaper. The two companies declined to comment further.

The sharing debate

It’s not like agencies and companies aren’t already alerting each other to attacks. The Department of Homeland Security detailed its current data-sharing practices in a letter to the Senate earlier this year, saying it has sophisticated and speedy processes for companies to share information on cyberthreats. Facebook this year launched ThreatExchange, a forum for member companies to share cybersecurity threats they see on their websites and databases. Companies in the financial and retail sectors have their own forums as well.

“When the government says it wants us to get better at sharing information, it really means that it wants us to provide information to the government that we are not already sharing,” said Andrew Conway, a researcher at Cloudmark, which analyzes cybersecurity information shared by its customers and also participates in ThreatExchange. “However, there is a downside to doing that: the potential loss of trust in American companies,” Conway said.

There’s plenty of evidence to support the concerns on both sides of the debate. This year alone, hackers grabbed the Social Security numbers of 21.5 million current and previous federal employees, and swept up United Airlines’ flight manifests. They broke into Anthem, the No. 2 health insurer in the US, compromising personal data of up to 80 million current and former members and employees. They also leaked the identities of 30 million users of adultery website Ashley Madison.

Privacy advocates only need mention Edward Snowden to make their point. The former National Security Agency contractor has leaked tens of thousands of documents revealing massive government surveillance of US citizens.

The conflict over CISA centers on whether it could give the government even greater license to spy on Americans. Advocates say it won’t.

“It is not an intelligence collection bill,” CISA co-sponsor Sen. Dianne Feinstein (D-Calif.) wrote in an opinion piece last year in the San Jose Mercury News. Companies must remove personal information before sending it, and the government can incur “strong penalties for abuses,” she said.

Randy Sabett, a former NSA cryptography engineer who now specializes in privacy and data protection at law firm Cooley, said the bill makes it clear that any information gathered can only be used for six specific cybersecurity-related purposes. This is designed to prevent it from becoming a dragnet for personal information.

“Having a skeptical view of the government is a healthy attitude to have,” Sabett said. But that’s not the same thing as saying “every time a company shares your personal information with the government, the government does bad things,” he said.

Don’t believe it, said Mark Jaycox, legislative analyst at Electronic Frontier Foundation, a digital-rights advocate. “The bill eviscerates privacy law and protections in current law, and expands the amount and type of information that can be shared,” he said.

Even senior staff of the Department of Homeland Security agree. Giving information directly to law enforcement and intelligence organizations “could sweep away important privacy protections,” Deputy Secretary Alejandro Mayorkas wrote in a letter to Sen. Al Franken (D-Minn.). The bill as written “raises privacy and civil liberties concerns,” Mayorkas noted.

Different pressures

In other words, the CISA vote will be marked by heated debate.

Jen Ellis, vice president at cybersecurity company Rapid7, said a law that sets guidelines for information sharing could avoid a loss of trust if it were written carefully and included strong civil liberties protections. She doesn’t believe CISA is that bill. What’s more, privacy advocates and tech companies will likely never be comfortable with a bill that wipes out liability for companies that share customer information, she said. That provision might appeal to retailers and banks, but not the Apples and Dropboxes of the world.

“Tech companies have a totally different pressure,” Ellis said. “Their pressure is the justified paranoia that their customer base has that they’re going to get into bed with the government.”

That takes us to Tuesday’s debate. CISA’s final wording will depend in large part on whether the Senate thinks you care more about security or privacy.


Why do companies keep getting hacked?

Police are investigating a sustained attack on the TalkTalk website that might have let hackers get at details of the firm’s four million customers.

The breach is the third big cyber-attack that TalkTalk has suffered in the last year.

It is not clear who was behind the attack or why they targeted TalkTalk – but it is far from the only company that keeps being hit.

Why does this keep happening?


Almost every large company is being bombarded with cyber-attacks all day, every day.

About one million new malicious programs are created every day, according to security firm Symantec. That is a lot to defend against – and that does not include the many other ways attackers try to get at their targets.

Some attacks are crude and are easy to defend against. Others are more cunning and try to trick people into opening booby-trapped email messages. The most dangerous attacks exploit security holes that most people have not discovered yet in widely-used software.

Surely companies have defences that can stop attacks?


Worse still, it is often hard for companies to correlate the information provided by each separate system, says Darren Thomson, European technology boss at security firm Symantec. This can mean security teams spend time chasing false positives or problems that look serious but are not the current biggest threat they face.

And technology cannot always help if somebody in an organisation opens a booby-trapped attachment on a phishing email.

Many attackers are increasingly exploiting human frailty because cyber-defences seem to have improved far faster than people.

And even the best security is weakened if a company insider decides to betray their employer.

What happened to TalkTalk?


Details are scant but it looks like there were two elements to the breach.

The first was a distributed denial of service (DDoS) that tried to knock over TalkTalk’s servers by hitting them with lots of data.

There are hundreds if not thousands of these kinds of attacks every day, says Roland Dobbins from Arbor Networks, a company that helps firms block the massive data flows.

These attacks simply try to knock sites offline. Often, says Mr Dobbins, they can be used as a smokescreen to distract security staff from other activity. Other groups have used them to steal cash or data.

The DDoS assault on TalkTalk seems to have been accompanied by another attack which sought to get at its customer database. That is why the company has warned that personal information might have been accessed.

But TalkTalk has been hit three times…

Image caption: The website of chef Jamie Oliver was hit by attackers several times over a period of months

Other high-profile sites have been hit several times by cyber-attacks. The website of celebrity chef Jamie Oliver suffered three successive attacks centred on malicious adverts. Breaches have, unfortunately, become a fact of life for any company that uses the web for business – which is pretty much all of them.

The website Have I Been Pwned? gathers information on stolen data and now has a database of more than 223 million accounts that were stolen in a variety of hacks over the last few years.

“Five out of six firms that we talked to in a 2014 survey had been breached,” said Mr Thomson. “And given that it can take 230 days to spot a breach that sixth might have been hit but just didn’t realise it yet.”

Preparing for the worst

Image caption: Attackers seek to infiltrate a network and then hang around so they can get at saleable data

Many companies now prepare for the day they will be breached rather than expect technology to keep them safe and secure all the time.

Often attackers can get into a corporate network using stolen staff credentials but that just gets them a foothold. From there they need to explore, expand and gather network privileges that help them get at the data they really want to steal.

The length of time it can take to realise that a breach has taken place gives attackers a long time to bed in, explore and escalate their access. Companies are getting better at spotting that anomalous behaviour but the advantage often still lies with the attackers.

Many companies employ ethical hackers to test their security systems, and properly encrypting customer data helps ensure any stolen information is useless to attackers, or expensive to sell.

TalkTalk will have questions to answer if it emerges that hackers were able to steal unencrypted customer information.


Malicious adware’s latest trick is replacing your whole browser

On Friday, infosec celebrity Swift on Security pointed out a new piece of adware called the “eFast Browser.” It does the kind of malicious crap that we’ve all seen quite often over the years: throwing pop-up and pop-under ads on your screen, putting other ads into your web pages, pushing you towards other websites with more malware, and (of course) tracking your movements on the web so that nefarious marketers can send more crap your way.

But what’s nefariously intriguing about this software is that it isn’t trying to hijack your current browser, it’s straight-up replacing it. As reported by Malwarebytes, eFast tries to delete Chrome and take its place, hijacking as many link and file associations as it can. Its icon and window look a lot like Chrome’s and it’s based on the open source Chromium project in the first place, so it acts a lot like Chrome too. The software comes from a company calling itself Clara Labs, which is actually behind a slew of similar browsers with names like BoBrowser, Tortuga, and Unico.

The weird thing about this software is that it’s actually kind of good news, security wise. As Swift on Security points out, it’s easier for malware to just try to replace your browser than it is to infect it. That’s because Chrome moved toward locking down extensions by requiring that they come through Google’s web store (and thereby Google’s code review and code signing). Mozilla’s Firefox and Microsoft’s Edge browsers are moving in the same direction. So while replacing your whole browser isn’t totally new for malware, the fact that it’s the best vector for attack now might be.

According to PCrisk, eFast and its ilk try to get on your computer by burrowing themselves into the installers for free software from dubious sources on the web. It should be relatively easy to avoid installing it and, fortunately, should also be relatively easy to uninstall if you’ve found it on your computer.


Online Attacks on Infrastructure Are Increasing at a Worrying Pace

Over the last four years, foreign hackers have stolen source code and blueprints to the oil and water pipelines and power grid of the United States and have infiltrated the Department of Energy’s networks 150 times.

So what’s stopping them from shutting us down?

The phrase “cyber-Pearl Harbor” first appeared in the 1990s. For the last 20 years, policy makers have predicted catastrophic situations in which hackers blow up oil pipelines, contaminate the water supply, open the nation’s floodgates and send airplanes on collision courses by hacking air traffic control systems.

“They could, for example, derail passenger trains or, even more dangerous, derail trains loaded with lethal chemicals,” former Defense Secretary Leon E. Panetta warned in 2012. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

It is getting harder to write off such predictions as fearmongering. The number of attacks against industrial control systems more than doubled to 675,186 in January 2014 from 163,228 in January 2013, according to Dell Security — most of those in the United States, Britain and Finland.

And in many cases, outages at airports and financial exchanges — like a computer outage that took down computers at airports across the country late Wednesday, including Kennedy International Airport in New York and Logan Airport in Boston — are never tied to hacks.

But it’s clear hackers are trying.

The Department of Homeland Security last year announced that it was investigating an attack against 1,000 energy companies across Europe and North America. In 2012, 23 gas pipeline companies were hacked by online spies, according to a Homeland Security report. Private investigators later linked the attack to China.

Last year, in a disclosure overshadowed by the news of the attack on Sony, a German federal agency said that in an attack at an unnamed steel mill, hackers had managed to jump from the company’s corporate network to its production systems, causing significant damage to a blast furnace.

And in an extensive attack at Telvent, an information technology and industrial automation company now owned by Schneider Electric, Chinese hackers made off with its product source code and blueprints to facilities operated by its customers, which include 60 percent of the pipeline operators in North America.

For now, dire predictions of destructive online attacks on American targets ignore the fact that the actors with the ability to cause the gravest harm to America’s critical infrastructure — China and Russia and allies like Israel and Britain — are sufficiently deterred from doing so by fear of retaliation or because of longstanding trade and diplomatic relationships. And attacks by those aggressively trying to get such a capability — Iran, North Korea and Islamic militant groups — are still several years off.

“Despite all the talks of a cyber-Pearl Harbor, I am not really worried about a state competitor like China doing catastrophic damage to infrastructure,” said Michael V. Hayden, former head of the National Security Agency. “It’s the attack from renegade, lower-tier nation-states that have nothing to lose.”

Just how far off are they? That is the question troubling policy makers at the National Security Council and intelligence and law enforcement agencies. Federal officials have repeatedly warned that Islamic State militants have been exploiting social media for recruitment, and are developing tools to break into their enemies’ systems.

Those capabilities were sufficient to prompt the assassination of Junaid Hussain, the chief of the Islamic State’s cyberarmy, who was killed by an airstrike in Syria in August. But for now, federal officials say, the Islamic State does not have a significant ability to cause damage through online attacks.

“It’s not easy to pull off a spectacular attack,” said James A. Lewis, a security expert at the Center for Strategic and International Studies in Washington. “People are always saying in theory they can do something, but it’s not at the level of a Pearl Harbor or a 9/11.”

Mr. Lewis added: “Could someone acquire the ability to cause a blackout? That’s something to worry about, but the only people who could pull it off don’t have any interest in doing so.”

Most security experts point to the attacks last year at Sony — where hackers leaked internal documents and destroyed the company’s servers — as an example of the destruction that is possible now, and a harbinger of what may come.

There were warnings the year before the Sony hacking that such an incident was possible. In a carefully planned attack in 2013, North Korean hackers knocked out almost 50,000 computers and servers for several days at South Korean banks and media companies.

Less sophisticated attackers are more likely to continue to pursue social media campaigns and isolated attacks, rather than take down parts of the power grid, said Ralph Langner, an independent security expert who was the first to attribute Stuxnet, a virtual weapon used against Iranian nuclear centrifuges, to the United States and Israel.

But the attacks that have rattled American government officials the most were similar attacks at Saudi Aramco, the world’s largest oil company, and RasGas, the Qatari oil giant, in 2012.

At Aramco, the hackers replaced the data on employees’ hard drives with an image of a burning American flag. United States intelligence officials say Aramco’s attackers were hackers in Iran, although they offered no specific evidence to support the claim. Mr. Panetta, then secretary of defense, called the Aramco sabotage “a significant escalation of the cyberthreat.”

Forensics specialists who were called in to analyze the Aramco attack said there was evidence the attackers probed the network that connects the company’s pipelines but were never able to cross from Aramco’s corporate network to its production systems. The same was true for a similar attack at RasGas two weeks later. Hackers tried and failed to hit the Qatari petroleum company’s production systems, but successfully took its corporate networks and servers offline.

But the attack on the German steel mill, disclosed last year, suggests that hackers are increasingly finding ways to cross that threshold. Just last week, it was announced that a group of hackers penetrated the Snohomish County Public Utility District in Washington State. The hackers, members of the Washington State National Guard, had been invited to test the utility’s defenses, and the results were frightening. They were able to break in with an email in under 22 minutes.

Joe Weiss, a crusader for industrial control security and founder of Applied Control Solutions, a consulting firm, is not surprised. He manages a database of 750 incidents that affected control systems and said he was most disturbed that most of them were not classified as attacks at all.

“What that tells you is that not only do we not have the mitigation, we don’t even have any type of adequate forensics to know this is happening, and whether it was intentional or unintentional,” he said.

The Department of Homeland Security tweeted late Wednesday evening that the computer outages at airports were due to a “brief outage that lasted 90 minutes” on the United States Customs and Border Protection’s computer processing systems.

But Mr. Weiss said in most cases, forensics investigations were still not adequate enough to nail down the real source of such incidents. He said the same was true across the electric, water, oil, gas, and nuclear industries.

“It’s not like with weapons, where you know where it’s coming from,” Mr. Weiss said. “With cyber- and control systems, you don’t necessarily know.”

“Will there be a cyber-Pearl Harbor? Most likely,” Mr. Weiss added. “Will we know it’s cyber? Most likely not.”


Target stores attacked by pornographic pranksters

Gina Young was shopping at US superstore Target on Thursday morning – when she and the other shoppers suddenly heard a surprising announcement over the loudspeaker.

Explicit audio from a pornographic film was blasted out for all to hear. And it kept playing. And playing. For 15 minutes.

Young, who was shopping with her three-year-old twin boys, uploaded the clip to Facebook. (Obvious warning: it has rude audio.)

“People were up in arms,” she wrote. “Some people threw their things down and walked out. Others were yelling at employees.”

As pranks go, it’s fairly low-grade. But Target has a problem. Staff at the store in Campbell, a small city just south of San Jose, were all but powerless to stop it due to how the PA system is designed.

And it’s not an isolated incident. According to local media, it’s at least the fourth time this prank has happened since April. In one instance, a store had to be evacuated.

So what’s going on? Are mischievous staff causing trouble? Have Target’s systems been hacked?

‘Control of the intercom’

Well not quite – but the cause is interesting, and yet another example of how systems are left with vulnerabilities by creators who never imagined people might have malicious intent.

An email obtained by the BBC, sent by company bosses to Target store managers across the US on Friday afternoon, outlines a weakness in the store’s PA system being used to carry out the prank.

I’ve removed a key detail for obvious reasons.

“Non-Target team members are attempting to access the intercom system by calling stores and requesting to be connected to line [xxxx],” it reads.

“If connected, callers have control of the intercom until they hang up.

“We are actively working to limit intercom access to the Guest Services phone only. In the meantime, inform all operators to not connect any calls to line [xxxx].”

So in other words, if you ring up Target and ask to be put through to a certain extension, you’re suddenly live on the PA system for as long as you like.

Hardly the hack of the century, granted, but a reminder that there are people out there that will find even the most obscure vulnerabilities and exploit them.


Red faces

Target’s spokeswoman Molly Snyder would not confirm the authenticity of the email, but told the BBC: “We are actively reviewing the situation with the team to better understand what happened and are taking steps to help ensure this doesn’t happen again.

“Because this is an active investigation, I’m unable to share additional details, but we want our guests to know that we take this very seriously.”

Target should be acutely aware of weak systems. The retailer was at the centre of a huge hack attack storm last year.

Some 40m shoppers had their banking details stolen, and the company ended up paying out $10m (£6.5m) in compensation.

There is little danger of any repercussions over this porn prank – just a few red faces. And perhaps some suddenly very inquisitive children.


Man arrested for allegedly selling hacked military info to terrorists

Ardit Ferizi of Kosovo was arrested in Malaysia on terrorism charges and is set for extradition to the US.

A Kosovan man has been arrested in Malaysia after allegedly hacking into databases containing the personal information of 1,351 US military and government employees and passing the information to the Islamic State in Syria.

Ardit Ferizi, 20, is known in hacking circles as “Th3Dir3ctorY” and leads a group called Kosova Hacker’s Security, the US Department of Justice said Thursday. Malaysian police accused Ferizi of passing the names, locations, phone numbers, email addresses and passwords of US military and federal employees to Junaid Hussain of the Islamic State between June and August to help incite terrorist acts against them. He’s set to be extradited to the United States.

“Early investigation found the suspect communicated with [a] right hand man…of IS terrorist group in Syria to hack a few servers containing information and details of US security personnel and team,” Reuters reported the Malaysian Police as saying. “The details were then transferred to the operation unit of the IS group for further action.”

Ferizi’s alleged actions demonstrate how computer attacks and conventional warfare are blending and, as a result, how the Internet allows IS to reach beyond its power base in the Middle East and North Africa. IS also has been adept at using social media campaigns to spread its message and attract recruits around the world.

Islamic State’s hacking division tweeted the news that it had gotten the information with a link to a 30-page document containing the stolen details in hopes of encouraging attacks against the individuals.

“We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands,” the document read, according to the US Attorney’s Office.

Describing Ferizi as a “terrorist hacker,” Assistant Attorney General for National Security John Carlin said the case is the first of its kind.

“National security is compromised by computer intrusions, and Ferizi is charged with obtaining the personal identifying information of US military and government personnel and providing it” to the IS, added US Attorney Dana Boente. “We will investigate and prosecute these cyberattacks to fullest extent of the law.”

If convicted, Ferizi could face 35 years in prison, the Department of Justice said.


Killer USB stick destroys your computer in seconds

Russian hackers have created a USB stick that can instantly fry any machine it is plugged into.

A simple USB stick, created by a Russian security researcher known as ‘Dark Purple’ can instantly fry any machine it plugs into, including your laptop or TV.

In the short video posted by the hackers, the USB is shown in action – all it takes is plugging it into the hacker’s IBM laptop, and it completely kills the machine within seconds.

After the laptop turns off, the demonstrator in the video tries repeatedly to turn it back on but it seems that the USB has blown its circuitry in the process.

The USB destroys laptops by sending 220 volts through the signal lines of the USB interface, rendering anything it is plugged into useless.

Dark Purple claims in a Russian-language blog post that the attack is not just limited to computers, but can be used to incapacitate almost anything equipped with a USB drive.

The examples he gives are smart phones that support USB mode, TVs, routers, modems, etc.

His goal, he writes, is to test prototypes of “devices that perform only one function – the destruction of computers.”

Although the laptop looks completely dead after the USB is done with it, Dark Purple claims that it will be restored once the motherboard has been replaced. “It is extremely unlikely that the hard disk or the information on it was damaged,” he wrote.

This is good news as it means hackers who get their hands on the USB won’t be able to wipe the data stored on your computer’s hard drive – which is probably more valuable to you or your business than the computer itself.

In the past, hackers have used software – lines of code that hide in a webpage or can be transmitted via text message – to wipe or crash phones.

Security researcher warned, “Yet another reason not to plug a USB stick of unknown origin into one of your computers.”


How much is your stolen data worth on the dark web?

A new report reveals how much cyber criminals are willing to pay for stolen data on the dark web

Ever wondered how much your stolen data could be worth? A new report reveals the market value of all the most common types of stolen data available for sale to criminals on the dark web.

The “Hidden Data Economy” report by Intel Security Group’s McAfee Labs draws on years of close work with law enforcement, and ongoing monitoring of online platforms, communities and marketplaces where stolen data is hidden and sold – such as Alphabay and Crypto Market.

The report provides examples of how different types of stolen data are being packaged, and offers an illustration of average prices for different types of data. A few examples include:

  • Average estimated price for stolen credit and debit cards: $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; $21 to $40 in Australia; and $25 to $45 in the European Union
  • Bank login credentials for a $2,200 balance bank account: $190
  • Bank login credentials plus stealth funds transfers to US banks: from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance
  • Bank login credentials and stealth funds transfers to UK banks: from $700 for a $10,000 account balance, to $900 for a $16,000 account balance
  • Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000
  • Login credentials to hotel loyalty programs and online auction accounts: $20 to $1,400
  • Login credentials for online premium content services such as Netflix: as little as $0.55

Payment card data is perhaps the most well-known data type stolen and sold. A basic offering includes a software-generated, valid number that combines a primary account number, an expiration date, and a CVV2 number.

Valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data.

This includes data such as the bank account ID number, the victim’s date of birth, and information categorised as “Fullzinfo”, including the victim’s billing address, PIN number, social security number, date of birth, the mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.

Online payment service accounts – like PayPal accounts for example – are also sold on the open market, with their prices determined by additional factors.

The report claims that illegal sellers list adverts in the same way as any legitimate seller would – offering guarantees on stolen credit cards – and forums name and shame “bad sellers” who have sold stolen cards that don’t offer up what was promised.

“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” said Raj Samani, chief technology officer for Intel Security in Europe, the Middle East and Africa.

“This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”

The news coincides with the publication of new figures from the Office for National Statistics, showing that cyber crime is now the UK’s most common offence, with 2.5m incidents in the last year.

Cyber crime was previously excluded from official statistics but its inclusion in this latest report has resulted in an overall surge in crime rates of 107 pc – over double.

The most common cyber crimes, offences committed under the Computer Misuse Act, were those in which the victim’s device was infected by a virus.


French hackers intercept Siri and Google Now to control phones

Researchers claim to have intercepted the digital assistants to control the iPhone and Android devices, broadcasting silent commands from 16 feet away

French researchers claim to have remotely accessed iOS and Android digital assistants and silently delivered commands by using headphones with inbuilt microphones as antennas.

The team from the French government’s Network and Information Security Agency (ANSSI) claim to have discovered “a new silent remote voice command injection technique”, meaning they were able to intercept Siri and Google Now via radio from up to 16 feet away.

Plugging a pair of headphones containing an inbuilt microphone – such as Apple’s standard earbud model – into an Android device or iPhone effectively turns the cord into an antenna, converting electromagnetic waves into electrical signals the phone perceives to be audio commands, without anyone actually speaking a word.

In theory, this means the digital assistants could be hijacked into sending texts or emails, making searches or calls, or directing the handset to malicious websites, though the researchers required an amplifier, laptop, antenna and Universal Software Radio Peripheral (USRP) radio.

“The possibility of inducing parasitic signals on the audio front-end of voice-command-capable devices could raise critical security impacts,” researchers José Lopes Esteves and Chaouki Kasmi wrote, as spotted by Wired.

Last month a hacker claimed to have discovered a 30-second method of infiltrating a locked iPhone via Siri, which Apple fixed with the updated software iOS 9.0.1.

How to protect yourself

  • Attacks like this are extremely improbable, but in theory could happen. The researchers have suggested the companies improve the shield on their headphone cords, or introduce personalised phrases to wake digital assistants.
  • If you’re really worried, you could disable voice activation or turn the digital assistant on your phone off.

Malvertising: Daily Mail ads briefly linked to malware

Readers of the Daily Mail’s website were shown fake advertisements that linked to malware, a security company has discovered.

Bogus ads for shoes briefly appeared among the selection of banners displayed on DailyMail.com.

Instead of online shops, the advertisements linked to malware that can expose computers to “ransomware”.

Ransomware encrypts files on a victim’s computer and asks for a payment to decrypt them again.

The practice is known as “malvertising”.

Security company Malwarebytes made the discovery last week and published a report about its findings online.

The report says Malwarebytes contacted the Daily Mail and relevant advertising networks about the issue on Friday.

By Monday morning, the security company was informed that the fake ads had been removed.

Bogus bargains

The banners, purporting to be for an online shoe retailer, were published via a bogus ad server.

From there, they were distributed via an advertising network that presents ads to readers on the Daily Mail’s website.

If a user clicked on one of the ads, they would be redirected to a well-known piece of malware called the Angler Exploit Kit, which attacks vulnerabilities in Internet Explorer and Flash.

There are various ways to protect yourself from ransomware, according to Tony Berning, senior manager at software company Opswat.

“To protect against ransomware, users must back up their data regularly,” he said.

“In addition to this, an important defence against ransomware is the use of anti-virus engines to scan for threats.

“With over 450,000 new threats emerging daily, anti-malware engines need to detect new threats continuously, and will inevitably address different threats at different times,” Mr Berning said.

The Daily Mail did not immediately provide a comment.
