NEWS - April 01, 2014

The current move by auto makers to stuff their vehicles full of networked devices, Bluetooth radios and WiFi connectivity has not gone unnoticed by security researchers. Charlie Miller and Chris Valasek spent months taking apart-literally and figuratively-a Toyota Prius to see what vulnerabilities might lie inside; and they found plenty. Now, another researcher has identified a number of issues with the security of the Tesla S, including its dependence upon a weak one-factor authentication system linked to a mobile app that can unlock the car remotely.

The Tesla S is a high-end, all-electric vehicle that includes a number of interesting features, including a center console touchscreen that controls much of the car's systems. There also is an iPhone app that allows users to control a number of the car's functions, including the door locks, the suspension and braking system and sunroof. Nitesh Dhanjani found that when new owners sign up for an account on the Tesla site, they must create a six-character password. That password is then used to login to the iPhone app.

Continued: http://threatpost.com/researcher-identifies-potential-security-issues-with-tesla-s/105146

Related: Researcher lights fire under Tesla security

Over three quarters (77 per cent) of UK organizations will have Windows XP running somewhere in their IT estate after the April 8th end of support deadline, according to AppSense. 68 per cent of organizations had no plans to pay for extended support despite repeated warnings about the vulnerability of the 12 year-old operating system to exploits and malware.

The survey, of 100 UK IT decision makers, also suggested that while Windows XP is still present in the majority of organizations, it is very much in the minority in terms of penetration with these businesses. 87 per cent of those surveyed had less than 25 per cent of desktop estate still running Windows XP, while on average it is estimated that overall penetration of the operating system is just under 13 per cent.

Continued : http://www.net-security.org/secworld.php?id=16607

Related: Windows XP phantom will haunt majority of businesses after deadline

A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called "BLS Weblearn" is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.

At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574).

I began hearing from readers about this early this month, in part because of my previous sleuthing on an eerily similar scheme that also leveraged payment systems in Malta to put through unauthorized junk charges ($9.84) for "online learning" software systems. Unfortunately, while the names of the companies and payment systems have changed, this latest scam appears to be remarkably similar in every way.

Continued : http://krebsonsecurity.com/2014/03/whos-behind-the-bls-weblearn-credit-card-scam/

March 31, 2014

31 March is World Backup Day, a campaign to persuade us to be more careful about keeping backups of our precious data. The day's catchphrase is "Don't be an April Fool" - urging us to ensure we all have good backups in place in time for 1 April.

Backup basics

If your storage system fails, both in business or at home, any valuable data could be lost for good. So it's essential to back up your data.

Important backups need to be kept separate from master copies. They should be stored on a different medium from the master, and in a different location.

They should certainly not be on the same hard drive, as that one device becomes a single point of failure for the whole set of data. Backing up files locally can provide a quick recourse in the event of accidental deletion, corruption or unwanted change, but you should think of them as spare copies rather than proper backups.

Continued: http://nakedsecurity.sophos.com/2014/03/31/world-backup-day-are-your-important-files-backed-up/

Note: It shouldn't matter if you were unaware yesterday was officially World Backup Day. Today would (also) be an excellent day to begin the practice of routinely backing up your data. Happy World Backup Day!

Bitdefender's "HOTforSecurity" Blog:

Some of the most popular Google mobile apps including Hangouts, Google Maps, Google+, Google Search and Google Voice have been seen recently in the Windows Phone Store retailing at the not-so-bargain price of $1.99, as announced by Windows on winbeta.org.

The site says the applications are fake. In the Android and iOS mobile markets, these services are free of charge. Moreover, the developer's name is misspelled: the valid applications are signed Google Inc, while the new versions are published by Google, Inc.

Designed to empty users' wallets, fake applications can pose serious security and privacy risks by secretly tracking the user's location, leaking email addresses or phone logs to third-parties. What's more, developers can manipulate an Android app's SDK to implement rogue features to intercept text messages or execute man-in-the-middle attacks.

Continued : http://www.hotforsecurity.com/blog/fake-google-apps-leaked-in-windows-phone-store-8269.html

Johannes Ullrich of the SANS Institute claims to have found malware infecting digital video recorders (DVR) predominately used to record footage captured by surveillance camera systems.

Oddly enough, Ullrich claims that one of the two binaries of malware implicated in this attack scheme appears to be a Bitcoin miner. The other, he says, looks like a HTTP agent that likely makes it easier to download further tools or malware. However, at the present time, the malware seems to only be scanning for other vulnerable devices.

"D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looks like a simplar(sp.) http agent, maybe to download additional tools easily (similar to curl/wget which isn't installed on this DVR by default)," Ullrich wrote on SANS diary.

Continued : http://threatpost.com/dvr-infected-with-bitcoin-mining-malware/105167