Tuesday, August 26, 2014

Ad by cosstminn | Close This Ad Technology Russian Hackers Amass Over a Billion Internet Passwords

By NICOLE PERLROTH and DAVID GELLESAUG. 5, 2014

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

Alex Holden of Hold Security said most of the targeted websites were still vulnerable. Credit Darren Hauck for The New York Times

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.

And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time. Continue reading the main story How to Keep Data Out of Hackers’ Hands

For people worried about identity theft and privacy, the discovery by Hold Security of a giant database of stolen data is highly personal. But there are steps everyone can take to minimize the hackers’ impact.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.

Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.

The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.

Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies.

“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.” Nicole Perlroth reported from San Francisco and David Gelles from New York City.

Friday, June 13, 2014

Your Secrets Aren't Safe

Data thieves are after your most private info—when you use Wi-Fi and shop online, and even when you store files in the cloud

Monday, April 07, 2014

Now drones are being used to expose bank details and passwords

Hackers manage to access 150 phones an hour through Wi-Fi Experts in London have proved it's possible to use drones to steal data They modified an aircraft capable of tapping into a phone's Wi-Fi settings Once it had access, it was able to read and steal personal information Called Snoopy, the drone takes advantage of smartphones that actively search for networks From this it can also see networks those devices have accessed in the past During tests, hackers exposed credit card information and passwords By Sarah Griffiths News that hovering drones can now steal passwords from unsuspecting phones will do little to ease fears that the widespread use of unmanned aircraft could infringe upon our privacy. Hackers in the U.S have managed to 'steal' information, including Amazon passwords, bank details and even people’s home addresses using an aircraft. While it might sound like the crime of the century, the exercise was an experiment to show it is possible to use drones to tap into a smartphone’s Wi-Fi settings and access valuable information


Hackers have proved that it is possible to steal information, including Amazon passwords, bank details and even home addresses from smartphones that have Wi-Fi turned on, using specially adapted drones (a stock image of a quadcopter is pictured)

The test was conducted in London and the group will share their findings at the Black Hat Asia cybersecurity conference in Singapore next week, CNN reported. The drone, known as Snoopy, seeks out smartphones that have Wi-Fi turned on. It then makes use of built-in technology which can see what networks the phones have accessed in the past. In theory, almost any drone could be adapted to do this. HOW CAN A DRONE STEAL SOMEONE'S IDENTITY? The drone, known as Snoopy, seeks out smartphones that have Wi-Fi turned on. It then makes use of built-in technology which can see what networks the phones have accessed in the past. In theory, almost any drone could be adapted to do this. Phones 'noisily' reach out to networks, according to the experts. Snoopy looks for this activity and when hovering nearby it emits a signal masquerading as another network. The phone ‘trusts’ that it is accessing a trusted Wi-Fi network but instead connects to the quadcopter's network. Snoopy can then intercept everything a smartphone sends and receives and allows skilled hackers to see passwords, bank details and the phone's location. . London-based Sensepost security researcher Glenn Wilkinson, said: ‘Their phone will very noisily be shouting out the name of every network its ever connected to. 'They'll be shouting out, “Starbucks, are you there?...McDonald's Free Wi-Fi, are you there?”’ When this happens, Snoopy hovers nearby and emits a signal masquerading as another network and the phone ‘thinks’ it is accessing a trusted Wi-Fi network. However, when it connects to the quadcopter’s network, Snoopy will intercept everything a smartphone sends and receives using a complicated method described by the company. Wilkinson said: ‘Your phone connects to me and then I can see all of your traffic.’ He is able to see the websites a person visits, any credit card information entered or saved, their location, usernames and passwords. In the wrong hands, this could potentially leave a mystified smartphone user out of pocket. The hackers managed to gain access by looking at a unique identification number known as a Media Access Control (MAC) address. This number matches web traffic to a specific device. To demonstrate the effectiveness of the technology, Wilkinson spent an hour with CNN showing them how he could obtain network names and GPS coordinates for 150 smartphones used by Londoners. While collecting metadata and network names is not strictly illegal, intercepting passwords and credit card details with the intent of using them is. The ethical hackers said they're demonstrating the technology to highlight how vulnerable smartphone users can be. The drones might seem even more threatening to people than remote hackers because the aircraft can hover close to potential ‘victims’ are incredibly mobile. There is a prospect that the technology could be put to good use for law enforcement purposes, however, such as identifying looters in a riot. While it is not thought that anyone is currently using this snooping technique in the real world, smartphone users can protect themselves by shutting off their Wi-Fi when they are not using it, or only access secure networks.

Friday, December 06, 2013

10 Ways to Protect Yourself Against Identity Theft

Protecting yourself against identity theft is always easier than having to clear your name and credit record after the fact. It can take a lot of your time and even some of your own money to clear your name if you are a victim. So, here are 10 things you can do to help protect yourself from becoming one of the 9.9 million victims of identity theft.

#1. Guard your social security number, PINs, passwords and account numbers. Are you walking around with your social security card in your wallet, on your checks and maybe even on your driver’s license? Do you have all your passwords and account numbers written out and shoved in your wallet or purse? If you do, you could make it really easy for a thief to open accounts in your name. Only give out your social security number when absolutely necessary, generally for tax purposes or when applying for credit. For job applications, driver’s license and school identification, your social security number is not usually required. When asked for your Social Security Number for things like driver’s licenses or student IDs, first ask if it is possible to not have it printed on these items. If that isn’t possible then find out how your information will be used and what measures will be taken to protect it..

#2. Monitor bank statements and credit card statements. Make sure you’re looking at your bank and credit card statements regularly, checking for any suspicious activity, such as withdrawals or purchases you didn’t make. If you don’t receive paper statements, make sure you are using online banking to check your statements often. The more frequently you are checking your accounts, the quicker you would catch the theft and contain the possible damage. .

#3. Shred documents. You should shred anything that has personal information on it, like past account statements and any of those pre-approved credit card offers that don’t interest you. You might also consider calling 1-888-5-OptOut or visiting www.optoutprescreen.com to be removed from any future mailing lists for those types of offers. Just know that there might be some good offers out there that you might miss out on. .

Click on the thumbnail to view full-size. Secure Site Example #4. Make sure websites are secure. Whether you’re shopping, banking or paying bills, you need to make sure that the information you share online is secure and won’t be shared with anyone else. Anytime you are about to share personal information, such as your Social Security number, credit card information or bank account number, make sure the site is secure by looking for two things: a yellow lock in the lower right-hand corner of your browser and the “s” on the end of http: in the URL line of your browser. If you don’t see these, find someplace else to shop. .

#5. Be cautious when sharing computers. If you share a computer with a roommate, or use a computer at a library or computer lab, make sure you clear all cookies when you are finished using the computer and always make sure you log out and delete your log in from the computer’s memory. .

#6. Guard your laptop, cell phone, PDA and other technology against theft. Laptops, cell phones and PDAs are hot targets for thieves, so make sure you keep close watch on these items and use strong passwords with a combination of upper and lower case letters, numbers and symbols to protect your data. #7. Keep copies of cards and documents. It’s a good idea to keep a copy of all your identification and credit cards, as well as other important documents, in case they are stolen. This is especially helpful if one or more of your credit cards goes missing because you’ll have the 1-800 numbers and account numbers so you’ll easily be able to call the credit card company and cancel your card. .

#8. Treat mail with care. Always deposit any outgoing mail containing personally identifying information in a post office collection box or at the post office, rather than in an unsecured mailbox. And make sure you get your mail every day. You might consider contacting your bank, credit card provider and other companies that send you bills to switch to paperless billing. If you're planning to be away from home and have no one that can pick up your mail for you, contact the U.S. Postal Service to request a vacation hold. The USPS will hold your mail at your local post office until you can pick it up or can begin receiving it again. .

#9. Avoid phishing scams. Never give out your personal information on the phone, through the mail or via the Internet unless you are sure you know who you're dealing with. Identity thieves may pose as representatives of banks, Internet service providers (ISPs), or government agencies to get you to reveal your Social Security number, account numbers and other identifying information. .

#10. Be cautious when using the ATM. If you’re using a walk-up ATM, a gas pump, a grocery store card swipe machine or any other public debit or credit machine, make sure to keep an eye on the people around you to ensure they’re not “shoulder surfing,” or watching you as you enter in your PIN. Also make sure you take any receipts with you when you are finished with your transaction. Be on the lookout for any unusual equipment on the ATM to ensure a skimming device has not been attached. Another good tip is to cover the keyboard while entering your PIN so that it cannot be recorded by a hidden camera or seen by someone close by.

Thursday, November 15, 2012

12 Scams Of Christmas

Fake holiday help. Getting a seasonal job can be a great idea. In fact, it is one of our 5 best ways to make more money. But there are people out there preying on those who need work. Common scams include all manner of work-from-home jobs. If the so-called employer asks for money upfront or your Social Security number, you might be on the verge of becoming a victim rather than an employee. Fake charities. Don't give money to any charity -- even spare change -- without checking them out first. And that's something you can't do if someone is on your porch, at an intersection, or on the sidewalk asking for money. Read "4 tips to find the right charity" and visit the FTC's website to review a charity checklist. Fake-check scams. If someone is giving you money, how can you be scammed? The answer involves the fake checks Stacy mentioned. In these instances, buyers want what you're selling on sites like eBay or Craigslist. Their next step is to offer you a cashier's check for more than your asking price, on the condition that you return the difference. Weeks later, you are informed by your bank that the check was a phony, and you're now out your money and your goods. The American Bankers Association has some tips to avoid being a victim, but in short, avoid cashier's checks in situations like this and never return any difference in cash. Counterfeit merchandise. In New York and other major cities, it is common to see street vendors selling watches and purses that appear to be high-end, name-brand goods. The modern version of these scams is to sell the merchandise online where the buyer has even less opportunity to inspect it. As Stacy said, beware of items that are priced well below their competitors, and be sure to buy from an authorized retailer. Fake vacation rentals. This growing scam involves people who advertise a property they don't own. Sometimes the scammer goes to the effort of hijacking the real owner's email, as in this case recently reported in The Washington Post. Other times, the scammers merely show pictures of a place they pretend to represent. You send them money and show up to find you have no place to stay. Solution? Take every possible step to ensure you're dealing with the true owner of the property, and always pay by credit card, not wire transfer. Nondelivery of stuff bought online. Whether it's an online store, eBay or Craigslist, this scam is avoided by knowing who the seller is. Be suspicious of deals that seem too good to be true. Fortunately, eBay protects buyers from this scam, and credit card users can request a chargeback if goods are not delivered. Also, keep in mind that Craigslist always recommends conducting transactions in person so that you know exactly what you are receiving. Email scams. Many scams start with email, so be skeptical of anything that shows up in your inbox. Some messages involve references to recent events, such as a natural disaster or the death of a public figure. Others purport to award lottery winnings or the transfer of wealth from a foreign country. Don't ever respond to unsolicited email. Phishing scams. Here's how this works: You get an email that appears to be from a legitimate company, like your bank, that insists you log in at their website. You're then directed to a copycat site that steals your user name and password. If you have doubts about an email, don't reply. Instead, call the company or open up a new browser window and go directly to their website. Check out these anti-phishing tips from the Securities and Exchange Commission. The "items-off-of-a-truck" scam. A friend of mine once paid hundreds of dollars for a stereo system that was barely worth the carton it came in. He was a victim of one of the roving gangs of scammers masquerading as delivery men. They park a truck in a parking lot and offer items for sale at big discounts. At best, the goods will be low-quality knockoffs. At worst, you could be receiving stolen goods. Limited quantities. An unscrupulous online merchant advertises a fantastic product -- often cameras or electronics -- at an unbeatable price. But when you place your order, you're told they have limited quantities of that particular item. If the seller demands additional purchases to get the deal, or can't produce a tracking number within 48 hours of any sale, cancel your order through your credit card company and move on. Bait and switch. This might be the oldest trick in the book, but it still happens. A seller advertises a popular product at a great price. When you attempt to buy it, either online or in person, you're told the product is sold out, or not as good as a similar model at a higher price. Before you know it, you're paying more than you intended for something you weren't planning on buying. Layaway plans. Retailers are bringing back layaway, but sometimes with a catch -- not exactly a scam but something to look out for. You have to pay upfront fees and make regular payments. Fail to make the payments, and you could end up losing the fee and paying a "restocking" charge. To avoid feeling scammed by a layaway plan, be sure to closely examine the terms and conditions. And if you can, avoid these plans entirely by saving all year, then paying cash. Bottom line? Ninety-nine percent of scams happen when we're too gullible, too greedy, in too much of a hurry, or when we're feeling especially charitable. Be generous this holiday season, but be vigilant.

Monday, October 08, 2012

Skimmers May Use Smartphones To Steal Credit Card Information

) – The increasingly popular radio frequency identification (RFID) credit cards that allow consumers to pay by tapping may be making it easier for crooks to steal valuable information with their smartphones. By tapping machines equipped with radio frequency readers, people can conveniently pay with RFID credit and debit cards without having to enter PIN numbers. According to the owner of Identity Stronghold, Walt Augustinowicz, credit card skimmers made up of about $100 worth of parts easily obtained online can steal enough information to clone credit cards. Similarly, tech-savvy scammers can also use their smartphones to steal information with just a simple tap. As Augustinowicz demonstrated, a hacker can develop a smartphone app or game that looks harmless, but when it gets close enough to an RFID card, the app launches and scans the card’s information and sends the details off to the hacker’s email address. Augustinowicz said that if hackers are talented enough, they can develop RFID information-stealing apps and games that many may mistake as something benign and download them. “Hundreds of people start downloading it, and they just sit back and watch their email box fill up with credit card numbers they can use,” he said. Not all smartphones are at risk for these virus-like apps and games, though. Only phones with near field communication like Google Wallet Android technology that allows for pay by tapping have the safety dangers. pay by tapping have the safety dangers. However, as pay-by-tapping technology becomes more widely used, security expert, Eddie Schwartz, said RFID software will become an industry standard. “It’s a good thing that people are pointing out these vulnerabilities. It forced us as an industry to be more vigilant and to take the necessary steps to protect our assets,” he said. To protect your information, Augustinowicz recommends buying a protective case or wrapping cards in tin foil to block RFID signals.

The Dangers of Using Wi-Fi on Smart Phones

The Dangers of Using Wi-Fi on Smart Phones by Phillip Richards The next time you use your smart phone’s Wi-Fi to access the internet be careful that you are not also exposing yourself to hackers who can actually access information on your phone and login passwords as well. There is a growing threat with the broad use of internet hotspots for hackers to steal information that they gather with fake Wi-Fi gateways. And once these crooks get you to use their Wi-Fi connection they can decrypt the information on your phone and then sell it to 3rd parties or use it themselves to steal your identity. It has been estimated that there are over 100 million smart phone users in the United States alone. And this number continues to grow as smart phones overtake the use of feature phones and the ordinary cell phones that once dominated the market. One of the most useful features of these phones is the ability to access the internet via Wi-Fi. But since this wireless connection to the internet requires no identification, all mobile browsers see is a name of a Wi-Fi hotspot. And even with the best identity theft protection with services like Lifelock and Trusted ID, you are still at risk of identity theft if you access public Wi-Fi hotspots with your smart phone. To make the problem even worse, many smart phones will connect to an available hotspot automatically without the cell phone user doing anything about it. So even if your smart phone is just powered on and just sitting there a crook with the right software and hardware can hack into your personal life when your phone connects to the Wi-Fi connection he has setup. Companies are working on making Wi-Fi more secure, but it is increasingly difficult with more public places making free internet access available. All a hacker has to do is visit a high-traffic public coffee shop or park and setup his own fake Wi-Fi gateway. Then, while a user is surfing the internet and entering usernames and passwords, this information is automatically being picked up with the hacker’s software. Identity thieves are using the information picked up from fake Wi-Fi hotspots to access email accounts, bank accounts, and Facebook accounts and all of this information can be used to steal an identity while the hacker remains completely anonymous. So what can smart phone users do to prevent this? First of all, instead of using a public Wi-Fi hotspot you should just use your phones service provider to access personal accounts. So if you want to check your email, login to Facebook, or check your bank account, just use your phone’s 3g or 4g service. You can still use public Wi-Fi hotspots but only use it for generic internet surfing. Any internet usage that will not give away any personal data should be fine. However, if you know the internet connect is secure you should be ok to use it on your smart phone. If your cell phone has the ability to automatically connect to hotspots whenever they become available you should turn this feature off. Or you can just turn the Wi-Fi off until you know you are going to use it. Having it on just drains your battery anyway, so you really have no reason to leave it on.