Spyware, Viruses, & Security forum

NEWS - October 24, 2012

by Carol~ Forum moderator / October 24, 2012 2:53 AM PDT
Hackers steal data from compromised Barnes & Noble payment terminals

"'Sophisticated criminal effort' plants malicious code on devices in 9 states."

Criminal hackers planted malicious code in payment card keypads used at 63 Barnes & Noble stores across the United States and siphoned account data belonging to people who used them, company officials have warned.

The tampering, which first came to light on September 14, was limited to one hacked keypad in 63 stores located in California, New York, and seven other states, according to a press release published on Wednesday morning. The "sophisticated criminal effort" captured payment card and personal identification numbers of people who used the terminals, and some of that data has been used to make unauthorized purchases, according to The New York Times.

The company emphasized that its customer database is secure and that the breach had no effect on purchases made through the Barnes & Noble website. The security of Nook and Nook mobile apps is also unaffected.

Continued : http://arstechnica.com/security/2012/10/hackers-steal-data-from-compromised-barnes-noble-payment-terminals/

Also:
Point-of-Sale Terminals Compromised at 63 Barnes & Noble Locations
More Than 60 Barnes & Noble Stores Suffer Credit Card Breach From Compromised Keypads
Card readers in Barnes & Noble stores hacked by crooks
Compete Inc. Settles FTC Privacy Charges
by Carol~ Forum moderator / October 24, 2012 4:01 AM PDT

"The company has admitted that its Web tracking software collected usernames, passwords, credit card numbers, Social Security numbers and more."

The FTC recently announced that Compete Inc. has agreed to settle charges that it violated federal law by using its Web tracking software to collect extensive amounts of personal data without disclosing that fact to users.

"Boston, Massachusetts-based Compete Inc. agreed to obtain end users' consent before collecting future data on their browsing history, according to a release published on Monday by officials with the Federal Trade Commission," writes Ars Technica's Dan Goodin. "The company also agreed to delete or anonymize the consumer data it has already collected and to provide directions for removing tracking software installed on the computers of many of the people whose data was collected."

"The company tracks the browsing habits of people who download its software and then sells that data to clients so they can improve their website traffic and sales," explains The Register's Brid-Aine Parnell.

Continued : http://www.esecurityplanet.com/network-security/compete-inc.-settles-ftc-privacy-charges.html

Also:
FTC smacks down security sloppiness by web analytics company Compete
Two analytics companies to settle charges for online user tracking

Windows 8 Security Solutions Certified by AV-Test
by Carol~ Forum moderator / October 24, 2012 4:02 AM PDT
Windows 8 is almost here. Is your PC's security software ready for it? Researchers at German research lab AV-Test report that over four dozen antivirus and security suite products from almost 20 vendors are ready for use on Windows 8 (32- and 64-bit editions).

Certification Testing

AV-Test conducts ongoing certification tests under Windows XP and Windows 7, reporting results every two months. Products earn up to six points for protecting clean test systems from attack, repairing test systems already infested with malware, and doing it all without causing problems for the user. Products that accumulate a total of 11 points (out of a possible 18) receive certification.

Andreas Marx, CEO of AV-Test, explained that the current Windows 8 report is presented as a market survey rather than a comprehensive test. "All products in the list are carefully tested by us on Windows 8," said Marx, "but not against the entire set of static and dynamic tests yet." The standard full test takes about two months, while many of the tested products weren't even fully ready for Windows 8 until last week. "All tests we're usually covering have been performed, but only against a limited set of samples," continued Marx. For example, a static detection test uses 10,000 samples rather than the usual 130,000.

Continued : http://securitywatch.pcmag.com/none/304280-windows-8-security-solutions-certified-by-av-test

From AV-Test: Market Overview - Security Products for Windows 8
Bogus Windows License Spam is in the Wild
by Carol~ Forum moderator / October 24, 2012 4:02 AM PDT

GFI Labs Blog:

For everyone's information:

Below is a screenshot of a new spam run in the wild, and the sender (whoever he, she, or it is) presents to recipients a very suspicious but very free license for Microsoft Windows that they can download.

Sounds too good to be true? It probably is. [Screenshot]

From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:
Welcome,

You can download your Microsoft Windows License here -

Microsoft Corporation


Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php. [Screenshot]

This spam is a launchpad for a Blackhole-Cridex attack on user systems.

Continued : http://www.gfi.com/blog/bogus-windows-license-spam-is-in-the-wild/

Offensive Facebook email leads to Blackhole malware attack
by Carol~ Forum moderator / October 24, 2012 4:02 AM PDT

Facebook users are warned to be on their guard against unsolicited emails they might receive suggesting that someone has left an offensive comment about them on their wall. [Screenshot: Malicious Email]

Hi,

[REDACTED] commented on your Wall post.

[REDACTED] wrote: "you piece of shit!!!"

See the comment thread

Reply to this email to comment on this post.

Thanks,
The Facebook Team


Of course, if you were alert you would hopefully notice that whoever sent out the emails has done a pretty poor job at disguising the message as though it were really from Facebook - take a look at that From: address for instance,

comments@faceb00k.com

But there is always the danger that some computer users will be tricked into clicking on the link.

Continued : http://nakedsecurity.sophos.com/2012/10/24/offensive-facebook-email-leads-to-blackhole-malware-attack/
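The giveaway in the message above is the sender domain faceb00k.com, which reads like the real name once the zeros are taken for letters. As an added example (not code from the Sophos article or from this post), the Python below folds those digit-for-letter substitutions and flags a From: address whose domain collapses onto a protected brand domain, is one edit away from it, or carries the brand as a leading label. The protected-domain list, the substitution table and the sample addresses are constructed for the example.

```python
from email.utils import parseaddr

# Brands this filter protects (constructed list for the example; a real mail
# gateway would load it from configuration).
PROTECTED_DOMAINS = ("facebook.com", "paypal.com", "microsoft.com")

# Digit/symbol substitutions that make a forged domain read like the real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b", "|": "l", "$": "s"})


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from):
    """Extract the domain from a From: header value; '' if there is no address."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(header_from, max_distance=1):
    """Return (verdict, brand); verdict is 'legitimate', 'lookalike',
    'unrelated' or 'invalid'."""
    dom = sender_domain(header_from)
    if not dom:
        return "invalid", ""
    # Exact brand domain or one of its subdomains.
    for brand in PROTECTED_DOMAINS:
        if dom == brand or dom.endswith("." + brand):
            return "legitimate", brand
    folded = dom.translate(CONFUSABLES)
    for brand in PROTECTED_DOMAINS:
        # faceb00k.com -> facebook.com once confusable characters are folded.
        if folded == brand or folded.endswith("." + brand):
            return "lookalike", brand
        # facebook.com.example.ru: the brand used as a leading label.
        if dom.startswith(brand + "."):
            return "lookalike", brand
        # facebok.com: a single-edit typo of the brand.
        if edit_distance(folded, brand) <= max_distance:
            return "lookalike", brand
    return "unrelated", ""


if __name__ == "__main__":
    # Sample From: values constructed for the example.
    for sample in ("Facebook <comments@faceb00k.com>",
                   "alerts@mail.facebook.com", "x@facebok.com",
                   "x@facebook.com.example.ru", "someone@example.org"):
        print(sample, "->", classify_sender(sample))
```

This only catches look-alike domains; a message that forges the exact brand domain in From: passes this check and has to be caught by SPF, DKIM and DMARC evaluation at the gateway instead. Keep max_distance at 1: larger values start flagging unrelated short domains.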

Many Security Products Fail Exploit Blocking Test
by Carol~ Forum moderator / October 24, 2012 4:02 AM PDT

[Screenshot: Client-side Exploit Anatomy]

No application or operating system is perfect. Perfection just isn't possible. An imperfection that allows malefactors to take control of your computer or execute arbitrary code is called a vulnerability, and the attack that does the dirty deed is called an exploit. Until the vendor patches a newly-discovered vulnerability, consumer and business users must depend on their security software to protect against attack. In a recent test by NSS Labs, quite a few security products proved seriously ineffective at blocking exploits.

Exploits Collected

The CVE (Common Vulnerabilities and Exposures) dictionary lists many years' worth of exploits. Each exploit gets a unique reference number, first the current year and then the exploit's order of discovery within the year. So, for example, CVE-2008-4844 is the 4,844th exploit discovered in 2008.

The exploits used by NSS Labs for testing have all been public for months or even years. Yes, several of them date back to 2008. Researchers made their selection based on severity and prevalence of the exploits, and included attacks on Windows, Internet Explorer, Firefox, Acrobat, QuickTime, and other widely used applications.

Continued : http://securitywatch.pcmag.com/none/304206-many-security-products-fail-exploit-blocking-test
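The identifier scheme described above (year field, then sequence number) is easy to parse, and a defender can use it to report how old the publicly known vulnerabilities in a test set or an advisory are. The Python below is an added example, not code from the PCMag article or from NSS Labs: it validates a CVE identifier, pulls every identifier out of free text, and computes the age of each one from its year field as of a given year. The sample advisory text is constructed, and the two ids other than CVE-2008-4844 in it are placeholders, not real entries.

```python
import re

# CVE-YYYY-NNNN: four-digit year, then a sequence of four or more digits
# (the sequence part was allowed to grow past four digits from 2014 on).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample text; CVE-2010-9999 and CVE-2012-9999 are placeholders.
SAMPLE_ADVISORY = (
    "The test set included CVE-2008-4844 (Internet Explorer), CVE-2010-9999 "
    "(Acrobat) and cve-2012-9999; CVE-2010-9999 is mentioned twice."
)


def parse_cve(identifier):
    """Split a CVE id into (year, sequence); raise ValueError if malformed."""
    m = CVE_RE.fullmatch(identifier.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {identifier!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE list started in 1999
        raise ValueError(f"implausible CVE year: {identifier!r}")
    return year, seq


def extract_cves(text):
    """Return the distinct, upper-cased CVE ids in free text, oldest first."""
    found = {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}
    return sorted(found, key=parse_cve)


def exploit_age_report(text, as_of_year):
    """Map each CVE mentioned in text to the age of its year field."""
    return {cve: as_of_year - parse_cve(cve)[0] for cve in extract_cves(text)}


if __name__ == "__main__":
    for cve, age in exploit_age_report(SAMPLE_ADVISORY, 2012).items():
        print(f"{cve}: {age} year(s) old")
```

The age is computed from the year field only, so it is a lower bound on how long the fix has been available; a real report would join each id against the vendor's patch date.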

The snapshot of rising cybercrime
by Carol~ Forum moderator / October 24, 2012 5:19 AM PDT

Based on the "Verizon 2012 and 2011 Data Breach Investigations Reports", organizations can now view snapshots of how cybercrime is affecting the financial services, health care, retail and hospitality sectors.

The communications and networking company has released the profiles with the aim of allowing firms to better understand the anatomy of a data breach -- and how best to protect against them. Information protection is fast becoming an urgent issue in all of these sectors -- as well as how best to protect intellectual property (IP).

"Understanding what happens when a data breach occurs is critical to proactive prevention," said Wade Baker, Verizon managing principal, RISK team. "Through our more targeted analysis, we are hoping to provide answers to businesses around the globe that want to protect not only their data but their reputation."

So, what were the reports' key findings?

Continued : http://www.zdnet.com/the-snapshot-of-rising-cybercrime-7000006312/

Related:
Verizon DBIR Analysis: Insiders Often Complicit in Breaches of Intellectual Property
Verizon DBIR Analysis: Opportunistic Attacks Crushing Certain Industries

Bogus Twitter DMs lead to iPad scam, surveys and phishing
by Carol~ Forum moderator / October 24, 2012 5:19 AM PDT

Yesterday's unveiling of the iPad Mini has not led to a decrease in desirability of its bigger version, and the offer of a free device is still a very effective lure employed by online scammers.

The latest of these "Get a free iPad" scams starts with Direct Messages on Twitter asking users to check out a picture of themselves with an unnamed woman.

The link offered in the message takes them to a Facebook app page that is set to execute a PHP script as soon as they land on it, and it redirects them to a fake Facebook page.

This page offers them to participate in an iPad 3 (or iPad 2) quality test and says they will be rewarded with a free iPad: [Screenshot]

Unfortunately, that's a complete lie.

"Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click Click here," warns GFI, while others are redirected to a well-known ad campaign page.

Continued : http://www.net-security.org/secworld.php?id=13831

The 25 worst passwords of the year
by Carol~ Forum moderator / October 24, 2012 6:06 AM PDT
SplashData, which provides password management applications, has published its annual list of the "25 worst passwords of the year". While the top three entries haven't changed from last year's list, there are several new contenders this year with "welcome", "ninja", "mustang", "jesus" and "password1".

Unchallenged as the most used, yet terrible password is still the simple "password", with an ascending sequence of the first six and eight numbers in a row making up the remainder of the top three. Classics like "qwerty", "monkey", "iloveyou" and "master" are still featuring prominently, as are "baseball", "football" and other simple dictionary words.

The list of passwords was compiled by analysing several million stolen passwords, resulting from various data breaches and break-ins, which hackers have posted on the internet. Anyone using one of the passwords on the list should obviously change them immediately. In general, it is never a good idea to use simple dictionary words as passwords and anything as obvious as "12345678" is trivially easy to guess.

Continued: http://www.h-online.com/security/news/item/The-25-worst-passwords-of-the-year-1736297.html

Also:
The 25 worst passwords of 2012
The 25 most common passwords of 2012
Here Are the 25 Worst Internet Passwords of 2012
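A deny list of known-bad passwords is only useful if it still catches "Password1!" or "P@ssw0rd2012", which are the article's entries with the usual dressing-up. As an added example that is not part of the post or of SplashData's own tooling, the Python below checks a candidate password against the entries quoted above after lower-casing it, stripping the trailing digits and symbols, and folding common leet substitutions; it also rejects plain digit sequences like 12345678. The deny list holds only the entries named in the post, and the minimum length and substitution table are assumptions of the example.

```python
import re

# Entries quoted in the post from SplashData's list (a subset of the 25).
WORST_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "monkey", "iloveyou", "master",
    "baseball", "football", "welcome", "ninja", "mustang", "jesus", "password1",
})

# Substitutions people use to dodge a plain dictionary check (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(pw):
    """Yield the forms of pw that a deny-list lookup should consider."""
    base = pw.strip().lower()
    yield base
    yield base.translate(LEET)
    # "password1", "Password2012!": drop leading symbols and trailing digits/symbols.
    core = re.sub(r"^[\W_]+|[\W_\d]+$", "", base)
    if core and core != base:
        yield core
        yield core.translate(LEET)


def is_digit_sequence(pw):
    """True for runs such as 12345678 or 87654321 (steps of exactly one)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw, deny=WORST_PASSWORDS, min_length=12):
    """Return (accepted, reason). min_length is an assumed policy value."""
    for form in candidate_forms(pw):
        if form in deny:
            return False, f"matches common password '{form}'"
    if is_digit_sequence(pw):
        return False, "digit sequence"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates for the example.
    for sample in ("password", "Password1!", "P@ssw0rd2012", "12345678",
                   "123456789", "correct horse battery staple"):
        print(f"{sample!r}: {check_password(sample)}")
```

In production the deny list would be the full published list (or a much larger breach-derived corpus) loaded from a file, and the check runs at enrollment and password change, not at login, so a rejected candidate never becomes a stored credential.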
Cyber Scammers Threaten, Harass and Call You at Work
by Carol~ Forum moderator / October 24, 2012 6:06 AM PDT

Detailing some new twists on cyber scams, the Internet Crime Complaint Center released a report on dating and payday loan scams that take it one step further, to the real world and into your pockets.

A series of dating scams initiated on singles websites led to extortion after users were notified that some of their sexual conversations were posted online, along with their real names and phone numbers. Charging from $9 to $99, scammers promised to have the posts removed and the victim's anonymity preserved. However, the posts remained online even after the victim paid the fees.

"The victims were provided a link to a page on the website that claimed they were a "cheater." Photos of the victims and their telephone numbers were also posted," said the Internet Crime Complaint Center. "There was an option to view and buy the posted conversations for $9. Victims were also given the option to have their names and conversations removed for $99."

Email and telephone scammers harassing and extorting money from victims involved a payday loan that users supposedly forgot to cover. Calling the victim's friends and relatives made the story more believable, as accurate information on the victim's social security number, bank account number and date of birth was confirmed.

Continued : http://www.hotforsecurity.com/blog/cyber-scammers-threaten-harass-and-call-you-at-work-4045.html

Also: The FBI Warns of Dating Extortion Scams and Payday Loan Schemes
