iOS 8 to randomize devices vulnerable to Wi-Fi tracking

June 12, 2014 – 5:36 PM

A rumored privacy upgrade for iOS users is on the way, which would help anonymize devices searching for available Wi-Fi networks.

Over the weekend, Swiss researcher Frederic Jacobs first took note of the plans on Twitter. The feature is expected to be implemented in Apple devices running iOS 8.

“iOS 8 randomises the MAC address while scanning for Wi-Fi networks,” Jacobs revealed on Sunday. “Hoping this becomes an industry standard,” he added, while posting proof of the plans.

Last week, Apple made its first iOS 8 beta available to developers. The operating system’s wide release for the public is scheduled to occur this fall.

Randomizing the MAC address, the unique identifier assigned to each Apple device, would give users a layer of security against, for instance, marketers, who are known to track smartphones via Wi-Fi communications in retail stores to extract data on consumer shopping habits.

Source:
http://www.scmagazine.com/ios-8-to-randomize-devices-vulnerable-to-wi-fi-tracking/article/355548/

Malwarebytes: With Anti-Exploit, we’ll stop the worst attacks on PCs

June 12, 2014 – 5:02 PM

Imagine a world where attackers seeking to gain access to your computer are stopped before they can use your technology against you.

That world doesn’t exist yet, but it took a giant step closer to reality with Malwarebytes Anti-Exploit, a new security program for Microsoft Windows released Thursday. The software, which aims to protect users of the world’s most popular operating system software, is powered by exploit-blocking technology that Malwarebytes acquired last year when it bought ZeroVulnerabilityLabs.

By Microsoft’s tally, 1.3 billion people use some version of Windows every day.

The free version of Anti-Exploit will protect against exploits in browsers, their add-ons, and Java, while the $24.95 premium version will also work in Microsoft Office, PDF readers, media players, and software selected by the owner. Anti-Exploit for Business works in conjunction with the Malwarebytes Management Console for enterprise deployment.

Malwarebytes CEO and founder Marcin Kleczynski said that businesses will want to invest in Anti-Exploit as an extra layer of protection against the kinds of attack methods central to the major hacks of late.

Anti-Exploit is “not about the product. It’s about the problem,” Kleczynski said during an interview at Malwarebytes’ office in San Jose, Calif. “Sometimes it catches the exploit so early we can’t show the alert” that it has stopped an attack.

Source:
http://www.cnet.com/news/malwarebytes-finally-unveils-freeware-exploit-killer/#ftag=CAD590a51e

Banks: Credit Card Breach at P.F. Chang’s

June 11, 2014 – 7:06 PM

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.

Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.”

“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company said in an emailed statement. “We will provide an update as soon as we have additional information.”

Source:
http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

It’s official: Malicious hackers have crappy password hygiene, too

June 10, 2014 – 4:34 PM

Given the amount of time malicious hackers spend bypassing other people’s security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don’t, according to a recent blog post documenting some of their sloppiest password hygiene.

The post comes from Antonín Hýža, a researcher at antivirus provider Avast. As he was working to analyze a protected PHP shell, he got to wondering how strong the average hacker password was. He then tapped 40,000 samples of backdoors, bots, and shells his company had on hand. Remarkably, 1,255 of the underlying passwords were in plaintext, while another 346 were protected with the easily crackable MD5 hashing algorithm. The resulting 1,601 passwords he had to work with allowed him to see just how poor the bottom four percent of hackers’ passwords were.

The fact that slightly more than three percent of the sample was in the clear was the first sign of just how sloppy some of the criminals Avast tracks are when it comes to password hygiene. These passwords can likely be obtained simply by viewing the scripts of programming languages, or in the case of binary code, by loading them into a hex viewer. As a result, a password with 75 characters, as one hacker set, or the passcode “lol dont try cracking 12 char+” (minus the quotes) chosen by another were easily recovered despite the work that went into trying to make them strong. The lack of any one-way hashing algorithm to obscure the passcodes makes one wonder why the authors bothered at all.

Then there were the passwords themselves. The average length was just six characters, short enough to be brute-force cracked in a matter of minutes in most cases. The passwords also contained a relatively small number of upper-case letters, numbers, and special characters. By sticking mostly to predictable lower-case letters, the hackers significantly reduced the “key space” that a brute-force attack has to cover. That works in crackers’ favor, since small key spaces take much less time to exhaust. By using a more diverse set of characters to create passwords, key spaces become orders of magnitude larger, a dynamic that can quickly make brute-force cracking unfeasible. Based on a statistical analysis of the recovered passwords, Hýža constructed two character sets that stood the best chance of quickly cracking the remaining undeciphered passcodes. The shorter of the two contained just 28 characters: acdehiklmnorstu01234579!-.@_
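The key-space effect described above can be checked from the defender's side with a short password audit. This is an added example, not code from the article or from Avast; the function names and the sample passwords are constructed for illustration, and only the 28-character set comes from the text.

```python
import math
import string

# The 28-character set quoted in the article.
REDUCED_SET = frozenset("acdehiklmnorstu01234579!-.@_")

# Standard character classes and their sizes (26 + 26 + 10 + 32 = 94).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def keyspace(charset_size, max_len):
    """Count every candidate of length 1..max_len over a charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def pool_size(password):
    """Sum the sizes of the character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in password))


def audit(password):
    """Report how exposed one password is to a reduced-charset search."""
    pool = pool_size(password)
    return {
        "length": len(password),
        # True means a search limited to the 28 characters would reach it.
        "in_reduced_set": set(password) <= REDUCED_SET,
        "pool": pool,
        "bits": round(len(password) * math.log2(pool), 1) if pool else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the Avast data.
    for pw in ("admin1", "root.2014", "Xq7#vLp2!wZe"):
        print(pw, audit(pw))
    full, reduced = keyspace(94, 6), keyspace(28, 6)
    print(f"up to 6 chars: full={full:,} reduced={reduced:,} "
          f"ratio={full // reduced}x")
```

A password flagged with `in_reduced_set` falls inside the smaller search space no matter how long it looks, which makes the flag a useful rejection rule in a password policy check.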

Source:
http://arstechnica.com/security/2014/06/its-official-malicious-hackers-have-crappy-password-hygiene-too/

Malicious major website ads lead to ransomware

June 6, 2014 – 9:25 PM

Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer’s files until a ransom is paid, Cisco Systems has found.

The finding comes shortly after technology companies and U.S. law enforcement banded together in a large operation to shut down a botnet that distributed online banking malware and so-called “ransomware,” a highly profitable scam that has surged over the last year.

Cisco’s investigation unraveled a technically complex and highly effective way of infecting a large number of computers with ransomware, which it described in detail on its blog.

“It really is insidious,” said Levi Gundert, a former Secret Service agent and now a technical lead for threat research and analysis at Cisco, in a phone interview Friday.

Cisco has a product called Cloud Web Security (CWS), which monitors its customers’ web surfing and reports if they are browsing to suspected malicious domains. CWS monitors billions of web page requests a day, Gundert said.

The company noticed that it was blocking requests to 90 domains, many of them WordPress sites, for more than 17 percent of its CWS customers, he said.

Source:
http://www.computerworld.com/s/article/9248886/Malicious_major_website_ads_lead_to_ransomware