Dumb hacker tweets FourSquare location while hacking Ashton Kutcher

 Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), Firearms, Weapons & Personal Safety, National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security  No Responses »
Jan 162012
 
Dumb hacker tweets FourSquare location while hacking Ashton Kutcher

Computerworld

by Darlene Storm

January 16, 2012

 

 

Idiots, the world is full of them and sometimes that includes stupid social media hackers. Poor password practices allow Twitter accounts to be compromised every day, but yesterday several high profile Twitter accounts were hacked, Ashton Kutcher, the Huffington Post, and actor Eric Stonestreet. What makes this interesting is the degree of stupidity committed when hijacking Kutcher’s account . . . at the very least, tweeting via a FourSquare check-in would be consider a dumb hack.

Ashton Kutcher is known to many people as the star of Dude, Where’s My Car?, That ’70s Show, Two and a Half Men, and as Demi Moore’s husband. After the breakup with Moore, Kutcher is rumored to be in a romantic relationship with actor/singer/screenwriter Lorene Scafaria. Kutcher has over 9 million followers on Twitter and the alleged “new” relationship is what the hacker focused on to cause havoc. Of course all of the fake tweets have been deleted, but Ashton Kutcher (@aplusk) had both his FourSquare and connected Twitter acounts hacked. Those deleted false tweets were preserved and posted on Celebrity Tweet which has the classy tagline of “Stalk Celebrities on Twitter!”

 

No you can’t find her house with the above links as they were deleted. While the hacker may have thought tweeting locations to Kutcher’s alleged new love interest was clever, the hacker was not bright enough to realize his or her own location was broadcast via FourSquare. It took Kutcher about six hours to realize his accounts were compromised, but then he tweeted:

 

 

Those tweets have also been deleted, but Kutcher’s one warning remains. Whoops, it seems the not-too-smart social media hacker may be about to be Punk’d.

 

 

It’s certainly not the first time Kutcher’s Twitter account has been compromised, but as an angel investor in many tech projects including Foursquare, it’s unknown if this hack might be additionally embarrassing for him. As seen by his quick cyber-sleuthing of this hacker, he’s generally clever. Softpedia reported that Kutcher implemented a sneaky promotion for FourSquare in an episode of Two and a Half Men where “Kutcher plays an internet billionaire who sold his company to Microsoft.” In one episode, “his laptop is plastered with stickers from startups, several of which he’s an investor in. Stickers for Foursquare, GroupMe, Hipmunk, Chegg and Flipboard are visible. Kutcher has invested in Foursquare, Hipmunk and Flipboard.”

As for the other ‘high profile’ compromised Twitter accounts yesterday, after a hacker tweeted lame comments@HuffingtonPost tweeted an apology, “Sorry about that, Twitterverse! We know we’ve been hacked and are working to resolve the issue as quickly as possible.”

Stonestreet, an actor who plays Cameron on ABC’s Modern Family, discussed his hacked Twitter account while on the Golden Globe red carpet. According to Zap2it, Stonestreet told Ryan Seacrest that he didn’t know his Twitter account was hacked and promoting diet pills until followers “started tweeting to ask him if he took the diet pills himself.” When Seacrest asked what could be done about the hacker, Stonestreet replied, “Hunt him down and punch them in the face. Just kidding.” But @ericstonestreet tweeted, “my account was hacked. but any of you that took that as a chance to be a d**k can kindly see yourself out the door.”

 

Direct Link:  http://blogs.computerworld.com/19585/dumb_hacker_tweets_foursquare_location_while_hacking_ashton_kutcher

 Posted by at 19:27  Tagged with: , , , , , , , , , , , , , , , , , , , ,

Android vs iOS vs BlackBerry: Which is the most secure holiday gift?

 Articles of Interest, Firearms, Weapons & Personal Safety, Social Media, Technology & Digital Security  No Responses »
Jan 022012
 

Android vs iOS vs BlackBerry: Which is the most secure holiday gift?

 

Which smartphone and tablet OS provides the best security?

Steve Hunt and the Neohapsis team provide a guide for holiday gift-givers (or any gadget lover).

By Steve Hunt and Neohapsis
December 14, 2011 

CSO

As the holiday season approaches, smartphones and tablets are some of the most in-demand items for anyone with even a hint of gadget love in their DNA. Coverage of these exciting new tools is full of hype about new features (SIRI) and also new fears (Carrier IQ). With the sheer volume of marketing and fear being thrown around—eclipsing even the number of holiday songs on the radio—it can be hard for even well-informed users to discern meaning from marketing when it comes to security on mobile devices.

 

[Also see 5 questions to ask about tablet security | Creating a smart mobile device security policy]

 

It’s a bit like gifting a car: The right choice can greatly improve the recipient’s life, while a bad choice could leave them with problems for years to come. This guide is to help you with the security side of the decision, to enable you to take it into account and make the right choices for that special someone (or special self!)

Neohapsis Labs (an independent security think tank based in Chicago) has looked into the general security issues and distilled them down to this short guide (a more detailed report will be released early next year). While there are many available choices of device, the main security decision is what platform to get. There are some main contenders at present (iOS, Android, Blackberry) and a few aspiring players (e.g. Windows Phone, Meego, WebOS, Bada). We are not covering Symbian due to Nokia’s recent decision to move to windows phone 7 in 2012. We will focus on the differences between the platforms and not go into any cross-platform issues such as widespread use of mobile analytics packages to track users for advertising purposes.

 

Android

Google’s Android operating system is the most widely deployed platform on tablets and smartphones at present, with a large number of vendors providing their own customized versions. Integrating smoothly with many Google services, Android is rapidly evolving with the latest version (the very well reviewed Ice Cream Sandwich) offering a slew of new features.

Unfortunately, when it comes to security, Android still has a long way to go. The large delay in releasing fixes for security issues is problematic as it requires a different release for each carrier, manufacturer and model. As a result, many Android devices are stuck using old and insecure versions of the operating system.

When it comes to applications, the primary source of applications is the Android Market, which contains tens of thousands of applications, most of them free. These applications are uploaded by developers and go through no review before being published, allowing fast turnaround, but leaving the door open for malicious apps to linger until Google hits the remote kill switch to remove them from devices (as has happened numerous times). Alternatively, curated markets such as the Amazon Appstore show promise for preventing malicious apps getting in—however they also have drawn complaints for the slow rollout of application updates.

Because it uses a very flexible model for applications, Android apps can do things that cannot be done on the other platforms. A user is notified what an application will be allowed to do at install time, and can choose to install it or not. Once installed, third party apps can (if authorized at install time) read and send messages, make and receive calls, access the internet and turn the microphone or camera on and off.

Because users are not very good at either reading or understanding the implications of these permissions, Android applications have been caught sending and receiving premium rate calls and messages, recording users keystrokes or sounds, tracking user locations, or even containing botnet-style malware as might be found on a desktop machine. There are quite a few third party solutions available that purport to secure your device, but their effectiveness is in many cases under question.

The flexibility of Android makes it a great choice for a highly capable user, but it can require quite a bit of knowledge to keep secure in the long run—often this will require that users root the device and install their own custom updates directly if the carrier does not provide them. Clearly not for the technical novice!

 

Blackberry

While Android is taking the biggest bite out of the consumer market, Blackberry has been very much the jewel of the business world. With its users being likened to drug addicts for their dependence upon the device, RIM’s Blackbery devices have earned the designation Crackberry. Even President Obama couldn’t part with his device, reportedly much to the irritation of the Secret Service and delight of Research in Motion.

Security and control are some of the main selling points of Blackberry, with the ability to completely encrypt data, tightly control what is done with the device, restrict what individual applications can and cannot do, require tunneling of any and all internet traffic through the company’s servers, control apps and much more. The downside is that this control comes at a cost, and the ease of management to keep your device secure can be time consuming for a non-enterprise user.

 

[Also read Al Sacco's Mobile predictions for 2012: Security, payments, Windows phone and more on cio.com]

 

Blackberry App World, the source for third party applications, offers a degree of review over all submissions. However, source code is not reviewed by RIM, and only so much can be understood of application behavior. While Blackberry hasn’t been targeted by nearly the same amount of spyware or malware as Android, there have been instances of nefarious applications and spyware-trojaned carrier updates.

The ability to lock down and secure Blackberry devices is definitely a plus, but because much of it was designed with enterprises in mind it can get a bit complex for a standard user unless they are careful. The release of more consumer oriented devices based upon Blackberry 10 shows promise, but as it is unreleased at present, this one should stay on hold for individual users for now.

 

IOS (iPhone / iPad / iPod Touch)

In a market where the market leader is represented by a green robot, and the trailer (Blackberry) is likened to a notoriously addictive drug, the company with second-place market share has a level of customer loyalty and satisfaction often described as a cult. (All of which gives you some idea about how seriously people take these devices!) We are, of course, talking about Apple’s iOS, the platform where it seems every new addition will sell more than the predecessor no matter what they do.

iOS is a slower-moving and far more tightly controlled platform than Android, with features designed to give a consistent, fluid, and controlled experience. As a result, the platform is great for doing things within Apple’s designs, but beyond that it is by design inflexible. Because of the level of control Apple exerts over iOS, users cannot patch vulnerabilities until Apple releases an update – which in sometimes takes months and in many cases older devices are not compatible with the updates and so are never patched.

 

[See a security-approved smartphone!]

 

For applications there is the Apple app store, which Apple can be quite restrictive over. There have been many reported instances of applications being rejected for mysterious/unknown reasons, most famously Google’s voice app in 2009. Because applications are all granted the ability to do everything allowed (with the exceptions of some things such as notifications and reading location) there are no complex permissions for users to keep track of and manage. While there has been at least one instance of a malicious app getting into the App Store, the most notable example was only a researcher’s proof of concept.

Also of note though is the parallel ecosystem surrounding Jailbroken (where users have forcibly removed Apple’s software protections) Apple devices. Jailbreaking gives users the ability to give devices new features, protect themselves from issues which Apple has not yet fixed, and install unapproved (or pirated) applications. At the same time, however, the removal of these protections potentially leaves users more vulnerable from a security perspective, as happened with the ikee worm in 2008.

iOS devices are a good balance when it comes to security, but this does come at a cost of flexibility that more experienced smartphone/tablet users may not like.

 

Windows Phone 7 and Other Aspirants

There are numerous other potential contenders in the smartphone space, most notably Microsoft’s Windows Phone 7, but also including the Linux Foundation’s Meego and Samsung’s Bada. Symbian (formerly pushed by Nokia) and WebOS (formerly from HP) may in future rise or reappear as contenders, but at this stage they have both been dropped by their main proponents and open-sourced and so we will wait and see.

The other platforms all have their own pluses and minuses when it comes to security, and they seem to have learned from the experiences of the big players. However, they also all have much smaller market shares so we will not discuss them here. In particular we will be keeping a close eye on Windows Phone 7 as the relationship between Microsoft (big software) and Nokia (big hardware) may provide some interesting results for enterprise consideration.

Conclusions

security comparison of android, iOS, blackberry

 

So, which platform should you buy from a security standpoint? For most users the answer will be iOS, but for the technically experienced Android can work if they are careful. However, if a user is willing to jailbreak they can get many of Android’s benefits anyway. Blackberry may be a good choice from a security standpoint, but generally those who want a consumer device will prefer the others for non-security reasons. Windows Phone and the other platforms may be good in future, but at present there probably has not been enough exposure to make this risk a good long term bet, especially after what happened to the touchpad.

 

In short, our recommendation for each type of phone user:

Non-technical person: iOS (iPhone/iPad/iPod touch)

Techie: iOS/Android

Business user: Blackberry / iOS (but check what the company standard is first)

 

Note: Others have reached similar conclusions on these points; for instance see Symantec

 

Security industry veteran Steve Hunt is CTO of Neohapsis Labs.

Read more about wireless/mobile security in CSOonline’s Wireless/Mobile Security section.

 

 

Direct Link:  http://www.csoonline.com/article/696493/android-vs-ios-vs-blackberry-which-is-the-most-secure-holiday-gift-?source=ctwartcso

 Posted by at 20:06  Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

ALERT: New Java Attack Rolled Into Exploit Kits

 Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security  No Responses »
Dec 112011
 

New Java Attack Rolled Into Exploit Kits

Krebs On Security

Nov / 2011

 

A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools.

 

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button.

A few weeks back, researcher Michael ‘mihi’ Schierl outlined how one might exploit this particular Java flaw. Over the weekend, I stumbled on a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized along the same lines as described by Schierl. Below is a recording of a video posted by one of the members that shows the attack in action.

 

Java exploits are notoriously successful when bundled into commercial exploit packs, software kits that can turn a hacked Web site into a virtual minefield for Web users who aren’t keeping up to date with the latest security patches.  Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorer that is running anything older than the latest Java package, and the site could silently install malware (according to a miscreant selling access to the exploit, it does not run reliably against Google Chrome for some reason).

Because Java is cross-platform, this attack could theoretically be used to infiltrate non-Windows systems, such as computers running Mac OS X (Apple issued its own update to fix this flaw and other Java bugs earlier this month). For now, though, I’ve only heard about it being used to target Windows PCs: It is slowly being incorporated into the BlackHole exploit kit, one of the most widely-deployed exploit packs on the market today.

Reached via instant message, the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing license holders. For all others, the exploit can be had for a $4,000 price tag, in addition to the cost of a BlackHole license, which goes for $700 for three months, $1,000 for six months, or $1,500 per year. The author of BlackHole also sells his own hosted solution, in which customers can rent bulletproof servers with pre-installed copies of his kit for $200 a week, or $500 per month.

 

Article Video

 

I stand by my advice urging those who don’t need Java to junk it; most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.

 

Direct Link:  http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/

 

 

 Posted by at 20:00  Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Exploited Apps Depend On Attack Vector

 Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security  No Responses »
Dec 112011
 

Exploited Apps Depend On Attack Vector

While some data shows Java to be the most attacked software application, other software gives the program a run for the title
DarkReading
By Robert Lemos, Contributing Editor
Dec 06, 2011

 

During the Thanksgiving weekend, the Blackhole exploit kit got an update. A developer for the popular criminal toolkit for creating malicious programs added a new exploit for a recently patched vulnerability in the Java Runtime Environment. Within a few days, the exploit was incorporated into the Metasploit penetration-testing toolkit, as well.

The scenario has become a common occurrence: Security researchers or cybercriminals develop an attack for a just-discovered flaw and add the exploit into their point-and-click attack kits. Soon, a relatively unknown attack becomes a quickly growing threat seen by a large population. It’s a trend that has repeated itself many times, says Joshua Talbot, security intelligence manager for Symantec.

“Attackers often move in trends and focus on one piece of software until the opportunities are exhausted,” Talbot says.

In the past, attacker have focused on creating files that take advantage of flaws in Microsoft’s Office and Adobe’s PDF format. In 2005, for example, Microsoft fixed more flaws in its Office products than in its other popular-to-pwn product, Internet Explorer.

“It depends on the vector you are looking at,” says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security. “If you are attacking through e-mail, you may use one type of attack. If you are attacking a website, another.”

Here are some examples of how the bad guys home in on the hot attack targets:

1. Perennial e-mail favorite: PDFs

Five years ago, cybercriminals attempted to compromise victims PCs by exploiting vulnerabilities in Word and Excel. A few years later, Adobe’s PDF format became the most popular file type for cybercriminals to target.

That remains true today, according to Symantec data. In the past year, more e-mail attacks used flaws in PDF than the next nine most popular file formats, Symantec’s Talbot says.

“Attacking file formats is a good technique to compromise even savvy users,” he says. “If you send an e-mail with a specific context, you have a good chance of success.”

Maliciously crafted document files are frequently used in lower frequency, but more significant, targeted attacks. About one in every 2 million e-mails — or one in every 8,300 e-mail attacks — are highly targeted, Symantec states in its latest Intelligence Report.
2. Browser bane: Java

While file-format vulnerabilities are the most common attack when an attacker attempts to compromise systems through e-mail, browser-based attacks have increasingly focused on Java.

In its latest Security Intelligence Report, Microsoft found that between one-half and one-third of all exploits it detected were attempts to exploit flaws in Java. In total, the company detected almost 27.5 million exploit attempts in 12 months.

“Many of the more commonly exploited Java vulnerabilities are several years old and have had security updates available for them for years,” said Tim Rains, director of trustworthy computing for Microsoft, in a blog post. “This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.”

3. Web sites: Beware SQL injection

For attackers focused on Web sites and the databases that power dynamic Web properties, the vector of choice is SQL injection, according to WhiteHat’s Grossman.

“If you are attacking Web sites, you are going to use SQL injection,” he says.

Other popular attacks include PHP file include attacks and predictable resource location.

The first line of defense for users and companies is to keep software up-to-date, says Symantec’s Talbot. In most cases, there is a fix for the flaw already available.

For companies that cannot patch their systems in time, adding vulnerability-specific defenses, such as sandboxing a browser or implementing a Web-application firewall, can help buy time for the defender, he says.

“If there are attacks being made in the wild, then disable that technology until the threat is past,” Talbot says.

Direct Link: http://www.darkreading.com/vulnerability-management/167901026/security/security-management/232300045/exploited-apps-depend-on-attack-vector.html

 Posted by at 19:50  Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Symantec confirms Flash exploits targeted defense companies & November attacks delivered in malicious PDFs attached to messages promising a contract guide for 2012

 Articles of Interest, National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security  No Responses »
Dec 072011
 

Symantec confirms Flash exploits targeted defense companies
November attacks delivered in malicious PDFs attached to messages promising a contract guide for 2012
Computerworld
By Gregg Keizer
December 7, 2011

Computerworld – Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses.

“We’ve seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector,” said Joshua Talbot, senior security manager in Symantec’s security response group, in an interview Wednesday.

Symantec mined its global network of honeypots and security detectors — and located email messages with attached malicious PDF documents — to come to that conclusion.

The inclusion of defense contractors was not unexpected.

Yesterday, when Adobe warned Reader and Acrobat users that hackers were exploiting a “zero-day” bug on Windows PCs, it credited Lockheed Martin’s security response team and the Defense Security Information Exchange (DSIE), a group of major defense contractors that share information about computer attacks, with reporting the vulnerability.

The DSIE is composed of companies that are also part of what the federal government calls the “Defense Industrial Base,” or DIB. Among the DIB’s members are some of the country’s largest defense contractors, including Boeing, General Dynamics, Lockheed Martin, Northrup Grumman, Pratt & Whitney and Raytheon.

Symantec found attack emails dated Nov. 1 and Nov. 5, 2011.

It also published an image of a redacted email of the attack’s bait — the promise of a 2012 guide to policies on new contract awards — that it said was a sample of the pitches that tried to dupe recipients into opening the attached PDF document.

The message’s subject heading read, “FY12 XXXXX Contract Guide,” and the body simply stated, “FY12 XXXXX contract guide is now available for all contractors of XXXXX. The new guide contains update information of XXXXX policy on contract award process.

Opening the attached attack PDF also executed the malicious code — likely malformed 3-D graphics data — hidden in the PDF, compromising the targeted PC and letting the attacker infect the machine with malware.

That malware, Talbot said, was identical to what was used in early 2010 by hackers exploiting a then-unpatched bug in Microsoft’s Internet Explorer 6 (IE6) and IE7.

Symantec labeled the malware “Sykipot” last year.

“It’s not overly sophisticated,” said Talbot. “It’s a general-purpose backdoor. One of the interesting things about it is that it does use a form of encryption of the stolen information, which helps the attack hide what information is stolen.”

Sykipot encrypts the pilfered data after it has been retrieved from the victimized firm but while it is still stored on the company’s network, as well as when it’s transmitted to a hacker-controlled server.

Those command-and-control (C&C) servers are still operating, Talbot said.

Because of the similarities — using Sykipot, which isn’t widely in play, and exploiting zero-day vulnerabilities — Symantec suspects that the same group of hackers who launched the attacks against IE6 and IE7 last year were also responsible for the Reader-based attacks seen last month.

Microsoft patched the IE6 and IE7 vulnerability on March 30, 2010, in an emergency, or “out-of-band,” update.

Although Symantec found evidence of only the early-November attacks, Talbot said he wouldn’t be surprised if the criminals fired off another information-stealing campaign between now and next week, when Adobe promised to patch the bug in Reader and Acrobat 9.x on Windows, the versions that have been exploited in the wild.

Talbot declined to specify the geographic location of the Sykipot C&C servers, or speculate on the origin of the Reader exploits.

Adobe will patch the Windows versions of Reader and Acrobat 9.x by the end of next week, and has promised to deliver fixes to Reader and Acrobat 9.x to Mac and Unix users, and to Reader and Acrobat 10.x for all platforms, next month.

Symantec has shipped detection signatures for the rogue PDFs to its customers, said Talbot.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

Direct Link: http://www.computerworld.com/s/article/9222496/Symantec_confirms_Flash_exploits_targeted_defense_companies?taxonomyId=85&pageNumber=1

 Posted by at 19:06  Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , ,

25 “Worst Passwords” Of 2011 Revealed

 Articles of Interest, Firearms, Weapons & Personal Safety, Social Media, Technology & Digital Security  No Responses »
Nov 242011
 

25 “Worst Passwords” Of 2011 Revealed
FORBES
David Coursey, Contributor
Nov. 21, 2011

If you see your password below, STOP!

Do not finish reading this post and immediately go change your password — before you forget. You will probably make changes in several places since passwords tend to be reused for multiple accounts.

Here are two lists, the first compiled by SplashData:

1. password
2. 123456
3.12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

Last year, Imperva looked at 32 million passwords stolen from RockYou, a hacked website, and released its own Top 10 “worst” list:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If you’ve gotten this far and don’t see any of your passwords, that’s good news. But, note that complex passwords combining letters and numbers, such as passw0rd (with the “o” replaced by a zero) are starting to get onto the 2011 list. abc123 is a mixed password that showed up on both lists.

Last year, Imperva provided a list of password best practices, created by NASA to help its users protect their rocket science, they include:

* It should contain at least eight characters

* It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;” If there is only one letter or special character, it should not be either the first or last character in the password.

* It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address.

Following that advice, of course, means you’ll create a password that will be impossible, unless you try a trick credited to security guru Bruce Schneier: Turn a sentence into a password.

For example, “Now I lay me down to sleep” might become nilmDOWN2s, a 10-character password that won’t be found in any dictionary.

Can’t remember that password? Schneier says it’s OK to write it down and put it in your wallet, or better yet keep a hint in your wallet. Just don’t also include a list of the sites and services that password works with. Try to use a different password on every service, but if you can’t do that, at least develop a set of passwords that you use at different sites.

Someday, we will use authentication schemes, perhaps biometrics, that don’t require so much jumping through hoops to protect our data. But, in the meantime, passwords are all most of us have, so they ought to be strong enough to do the job.

Direct Link: http://www.forbes.com/sites/davidcoursey/2011/11/21/25-worst-passwords-of-2011-revealed

 Posted by at 13:53  Tagged with: , , , , , , , , , , , ,

Bizztrust : The Most Secure Android Phone

 Articles of Interest, Technology & Digital Security  No Responses »
Nov 152011
 

Bizztrust : The Most Secure Android Phone
by THN Reporter
11/12/2011

With companies these days justifiably concerned about the security of the mobile devices provided to their workforce, many workers find themselves carrying around two mobile phones – one for personal use and another for business. Sure, mobile phones aren’t the huge pocket-stretching devices they once were but for the sake of convenience, one is most definitely better than two.

A new German project makes Android phones significantly more secure for business communications–this could change the way people use smartphones, entirely.

The Germans are an efficient lot, and when it comes the quality of their automobiles, well Mercedes Benz, BMW and Audi says it all, don’t they?  The Swedish are also in with a shout for the safest car in the market, but when it comes to having the world’s most secure Android-powered phone, the Germans have it down pat after discovering a method to develop super-secure virtual “work phones” on Android-powered devices.

A version of Android called BizzTrust creates two partitions in Android–one for personal use and another super-secure one for business. The new product has the potential to create headaches for Research In Motion (RIM), which uses security as a major selling point for BlackBerrys.

Features:

    * Protection of business data
    * No restrictions for private use
    * Secure enterprise communication (encryption)
    * Remote management and update
    * Supports bring-your-own-device strategy
    * Automatic policy enforcement

This allows users to install all the potentially dangerous apps they like on the personal partition, while protecting access to business apps and data stored on the other partition. Even if attackers manage to infiltrate an unsecured app, they cannot use it to access company data, and the impact of the attack is confined to the private data on the smartphone.Users are able to switch between work and home functions with two clicks of the touchscreen while a color symbol lets users know whether they’re in the business (red) or personal (green) area.

The modified Android software will debut on Tuesday, October 11 at the it-sa computer security show in Germany. Bizztrust is the end result of a joint effort by the Fraunhofer trade group and the Center for Advanced Security Research Darmstadt (CASED). According to CASED’s Ahmad-Reza Sadeghi, the Android mod “significantly improves the security of today’s mobile terminals at no cost to user-friendliness.” Users toggle between their work and personal virtual phones by playing with a touchscreen slider; non-secure personal applications can be installed to their heart’s content.

That approach may be convenient to workers, but their interests and those of an IT department can differ. Most employees would likely prefer unlimited use of their smartphones, installing and using whatever programs they like even though that can open the door to hackers seeking to attack a business.

Direct Link: http://thehackernews.com/2011/11/bizztrust-most-secure-android-phone.html

 Posted by at 19:33  Tagged with: , , , , , , , , ,
© 2012 G.E. Investigations Blog Suffusion theme by Sayontan Sinha