Orome1 writes: Corero Network Security has disclosed a new DDoS attack vector observed for the first time against its customers last week. The technique is an amplification attack which utilizes LDAP, one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in most online servers. While experts have so far only observed a handful of short but extremely powerful attacks originating from this vector, the technique has the potential to inflict significant damage by leveraging an amplification factor seen at a peak of as much as 55x. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet.
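The amplification factor quoted above is simply response bytes divided by request bytes, measured per reflector. The following is an added example (not from Corero's report) of how a defender would compute that ratio from flow records and flag UDP/389 reflection toward a victim; the reflection vector is LDAP over UDP (connectionless LDAP, CLDAP), which is why only UDP flows are considered. The flow records, IP addresses and the 10x alert threshold are constructed for illustration.

```python
"""Flag UDP/389 (CLDAP) reflectors and estimate the amplification factor from flow records.

Added example with constructed NetFlow-style records; not data from the Corero disclosure.
"""
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389               # LDAP over UDP; the TCP variant cannot be spoofed this way
AMPLIFICATION_THRESHOLD = 10.0  # assumed alert threshold (responses >= 10x the queries)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample: 52-byte spoofed queries "from" the victim 203.0.113.7 to three open
# CLDAP responders, and each responder's reply traffic back to the victim. The last pair is
# a normal-looking client exchange that should not be flagged.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 40000, "198.51.100.10", 389, "udp", 10, 520),
    Flow("198.51.100.10", 389, "203.0.113.7", 40000, "udp", 30, 28600),  # 55x
    Flow("203.0.113.7", 40001, "198.51.100.11", 389, "udp", 10, 520),
    Flow("198.51.100.11", 389, "203.0.113.7", 40001, "udp", 20, 9360),   # 18x
    Flow("203.0.113.7", 40002, "198.51.100.12", 389, "udp", 10, 520),
    Flow("198.51.100.12", 389, "203.0.113.7", 40002, "udp", 10, 1040),   # 2x, below threshold
    Flow("192.0.2.5", 50000, "198.51.100.10", 389, "udp", 1, 52),
    Flow("198.51.100.10", 389, "192.0.2.5", 50000, "udp", 1, 140),       # ordinary lookup
]


def amplification_by_reflector(flows):
    """Return {(reflector_ip, queried_ip): (request_bytes, response_bytes, factor)}.

    A reflector with responses but no observed requests gets factor=inf: in the victim's
    own telemetry the spoofed queries are never seen, only the inbound port-389 replies.
    """
    requests = defaultdict(int)
    responses = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == CLDAP_PORT:
            requests[(f.dst_ip, f.src_ip)] += f.bytes
        elif f.src_port == CLDAP_PORT:
            responses[(f.src_ip, f.dst_ip)] += f.bytes
    result = {}
    for key, resp_bytes in responses.items():
        req_bytes = requests.get(key, 0)
        factor = resp_bytes / req_bytes if req_bytes else float("inf")
        result[key] = (req_bytes, resp_bytes, factor)
    return result


def suspected_reflection(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Map each apparent victim to the reflectors amplifying toward it above threshold."""
    victims = defaultdict(list)
    for (reflector, target), (_, _, factor) in amplification_by_reflector(flows).items():
        if factor >= threshold:
            victims[target].append((reflector, round(factor, 1)))
    return dict(victims)


if __name__ == "__main__":
    for victim, reflectors in suspected_reflection(SAMPLE_FLOWS).items():
        print(victim, "is being reflected at by", reflectors)
```

In practice the inbound view is what a victim network has: many sources with source port 389/UDP and no matching outbound queries. That is the case the `inf` factor covers, and it is the signature to rate-limit or drop at the edge.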
itamblyn writes: In what appears to be the first example of a new approach in investigative policing, Ontario Provincial Police are using cell phone tower logs to reach out to potential witnesses in an unsolved homicide case from 2015.
CBC reports (http://www.cbc.ca/news/canada/ottawa/frederick-john-hatch-homicide-cellphone-texts-1.3821821) that police "will be sending texts to about 7,500 people on Thursday to ask for information" from individuals who were, according to the cell phone tower logs, within the tower's area near the time of the incident.
While we have heard lots of stories about cell phone tower logs being used in policing before (they are even discussed at length in Season 1 of Serial), I think this is the first case where they have been used to actively contact potential witnesses.
A news release by the police states that the texts will ask the recipient to "voluntarily answer a few simple questions to possibly help the Ontario Provincial Police solve this murder". CBC reports that "Investigators will also consider calling the numbers of people who don't respond voluntarily, but they would be required to obtain another court order to do so."
On one hand, this seems like the natural progression from the traditional approach of canvassing local residents by putting up flyers and knocking on doors. Indeed, the investigators use the term "digital canvas" to describe their plan.
On the other hand, I think one can reasonably ask — Are we OK with this approach? For example, presumably, it would be possible to get a better view of who was in the area by checking credit card transaction logs for all stores within the area. License plate readers and speed cameras might also give information about which vehicles were in the area. There are many levels of tracking that could be used simultaneously as a means of generating lists. The question is, do we want this to happen whenever there is a major crime? A minor one? Maybe this is just how things work now, and it really is no different than walking around, knocking on doors. I figured it was worth a discussion at the very least.
Okian Warrior writes: Earlier today the website DailyKos reported on a smear campaign plot to falsely accuse Julian Assange of pedophilia. An unknown entity posing as an internet dating agency prepared an elaborate plot to falsely claim that Julian Assange received US$1M from the Russian government, and a second plot to frame him for sexually molesting an eight-year-old girl.
eionmac writes: https://www.signin.service.gov.... The UK Government has contracted out its ability to verify an individual contacting government about tax, social security etc., and has published the limits of the password field: 8 to 12 characters, these being limited to upper-case or lower-case letters A to Z, a to z, and the digits 0 to 9. Thus security is based on a published password field length and character set. This is a most insecure practice, as it aids the ability to crack passwords when the characteristics of the field are known to all and sundry interested parties of evil intent. Why not use PGP email digital signatures? Much more secure in passphrase lengths.
quarrieoriard writes: Banks may face formal inquiry into whether they can refuse to reimburse victims conned into transferring money into fraudsters’ accounts
UK banks should do more to protect customers tricked into transferring money to fraudsters, according to a consumer body that has lodged a “supercomplaint” with financial regulators. The move by Which? means banks could now face a formal investigation into whether they can continue refusing to reimburse victims.
The organisation submitted its first supercomplaint this year in the same week that official data revealed that fraud in the UK payments industry had soared by 53% as criminals develop increasingly sophisticated tactics to steal bank customers’ cash.
Which? said banks should “shoulder more responsibility” when someone is conned into transferring money to another person’s account, just as they reimburse customers who lose money due to scams involving debit and credit cards or fraudulent account activity.
Some customers have lost considerable sums. In March this year the Guardian featured the case of Sarah and David Fisher, who were conned out of £25,000 after a fraudster posed as their builder and emailed them a fake invoice that was virtually identical to the one they were expecting.
The explosion in online and mobile banking means UK consumers now make more than 70m bank transfers a month, compared with just over 100m in a whole year just a decade ago. Which? claims that “protections have not kept up”.
Using its legal powers, the organisation has submitted a supercomplaint to the Payment Systems Regulator, the watchdog for the UK’s £75tn payment systems industry, which must now respond within 90 days.
There are many financial frauds that directly target customers, such as phishing emails and phone- and text-based scams. However, among the biggest growth areas are impersonation and deception scams where fraudsters hack into someone’s email account and then pose as the builder, solicitor, landscape gardener or other tradesperson that the consumer has legitimately employed. Typically, the victim receives an invoice via email, which does not arouse suspicion because they were expecting it. It looks authentic and is usually for the correct amount – however, unbeknown to the consumer, the bank account number and sort code have been changed to those of the fraudster.
This is what happened to the Fishers, from north-west London. Last October they received a genuine invoice for building work that was being carried out, then what appeared to be a follow-up email from the same firm with a fresh invoice attached that included “our new banking details”. The couple duly paid the requested £25,000, and while it quickly emerged they had been scammed, by the time the bank that operated the account used to accept their money was alerted, the cash had been withdrawn.
Almost a year after the incident, they have yet to recover a penny of their money. Sarah Fisher, a record label manager, told the Guardian this week that the police had identified the fraudster as someone living in Denmark. As a result, the case was “not being progressed” and had effectively come to a halt.
She added: “We took it to the financial ombudsman, who said that Barclays [which operated the account] had not behaved improperly.” However, she said their MP, Tulip Siddiq, had said the case raised important issues and intended to pursue the matter in parliament.
Victims conned in this way currently have no legal right to get their money back from their bank, said Which?. Banks typically refuse to refund customers on the basis that they made the payment voluntarily. However, Which? said: “Consumers can only protect themselves so far. People cannot be expected to detect complex scams pressuring them to transfer money immediately, or lookalike bills from their solicitor or builder.”
The organisation said banks had invested in security systems to detect and prevent fraud where they were liable to reimburse the victim, but added: “There aren’t sufficient checks if someone is tricked into transferring money directly to another person’s account.”
Which? said it wanted the regulators to formally investigate the scale of bank transfer fraud and how much it was costing consumers, and propose new measures and greater liability for banks to ensure consumers are better protected.
The Payment Systems Regulator confirmed that it had received the supercomplaint and said it would examine the evidence Which? had supplied and gather its own, “to build a clearer picture of the issue and decide a course of action”.
Possible outcomes might include regulatory action, a review or a referral of the complaint to another body.
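The scam described in the article defeats sender-based trust by design: the fraudster mails from the tradesperson's genuinely compromised account, so the only field that changes between the expected invoice and the fraudulent one is the payee's sort code and account number. The following is an added example, not code from Which?, the Guardian or any bank, of the check a payer (or a bank's outbound-payment screening) can apply: compare the bank details in a new invoice against the details previously used for that payee and hold the payment when they differ or when the message announces "new banking details". The payee records, invoice texts, sort codes and account numbers are constructed.

```python
"""Hold invoice payments whose bank details differ from the payee's details on file.

Added example for invoice-redirection (business e-mail compromise) fraud; all data constructed.
"""
import re

# UK bank details: six-digit sort code (often written NN-NN-NN) and eight-digit account number.
SORT_CODE_RE = re.compile(r"sort\s*code\s*[:#]?\s*(\d{2})[- ]?(\d{2})[- ]?(\d{2})\b", re.I)
ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{8})\b", re.I)
NEW_DETAILS_RE = re.compile(r"\b(?:new|updated|changed)\b[^.\n]{0,40}?\b(?:bank|banking|account)\b", re.I)

# Constructed payee record: details used for the previous, genuine payment to this builder.
KNOWN_PAYEES = {
    "accounts@example-builders.test": {"sort_code": "201234", "account": "11223344"},
}

GENUINE_INVOICE = (
    "Invoice 1042 for works at 12 Sample Street.\n"
    "Please pay GBP 25,000 to Example Builders Ltd, sort code 20-12-34, account number 11223344."
)
REDIRECTED_INVOICE = (
    "Invoice 1042 (revised) for works at 12 Sample Street.\n"
    "Please note our new banking details: sort code 04-00-75, account number 99887766.\n"
    "Kindly settle GBP 25,000 today to avoid delays on site."
)


def extract_bank_details(text):
    """Return (sort_code, account_number) as digit strings, or None where not found."""
    sc = SORT_CODE_RE.search(text)
    acct = ACCOUNT_RE.search(text)
    return ("".join(sc.groups()) if sc else None, acct.group(1) if acct else None)


def assess_invoice(known_payees, sender, body):
    """Return ("ok" | "hold", reasons).

    The sender address is only used to look up the payee on file; it is deliberately
    not treated as evidence of authenticity, because the message really does come
    from the tradesperson's (compromised) mailbox.
    """
    reasons = []
    sort_code, account = extract_bank_details(body)
    known = known_payees.get(sender.lower())
    if known is None:
        reasons.append("first invoice from this payee: confirm bank details by phone before paying")
    elif (sort_code or account) and (sort_code, account) != (known["sort_code"], known["account"]):
        reasons.append(
            f"bank details differ from those on file "
            f"({known['sort_code']}/{known['account']} -> {sort_code}/{account})"
        )
    if NEW_DETAILS_RE.search(body):
        reasons.append("message announces new or changed banking details")
    return ("hold" if reasons else "ok", reasons)


if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_INVOICE), ("redirected", REDIRECTED_INVOICE)):
        print(label, assess_invoice(KNOWN_PAYEES, "accounts@example-builders.test", body))
```

A "hold" here should trigger a call to the payee on a number already on file, never one taken from the suspect e-mail. The same comparison is what the UK's later Confirmation of Payee checks perform at the bank side by matching the entered account against the account holder's name.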
blottsie writes: Earlier this year, the FBI released a free, online video game featuring sheep in its attempts to fight terrorism recruitment efforts. The game is called The Slippery Slope of Violent Extremism, and it is a real thing that exists. You can play it here.
After journalists filed a FOIA request to find out more about the game, the FBI said it would take two years to respond—a staggeringly long wait that helps expose how the Bureau actively avoids responding to open-records requests.
Lasrick writes: Blockchain technology has been slow to gain adoption in non-financial contexts, but it could turn out to have invaluable military applications. DARPA, the storied research unit of the US Department of Defense, is currently funding efforts to find out if blockchains could help secure highly sensitive data, with potential applications for everything from nuclear weapons to military satellites.
chicksdaddy writes: A common, China-based supplier of circuit boards and software is the common thread that ties together the myriad digital video recorders, IP-based cameras and other devices that make up the Mirai botnet, according to analysis by the firm Flashpoint.
Weak, default credentials associated with software made by XiongMai Technologies were abused by cyber criminals to compromise hundreds of thousands of DVR, NVR (network video recorder) and IP cameras globally. The credentials are written (or "hardcoded") into the software used by over five hundred thousand devices on public IPs around the world, meaning they cannot be changed and make the devices susceptible to trivial compromise, Security Ledger reported on Monday.
The Mirai botnet is one of a number of networks of compromised devices that launched crippling denial of service attacks against a number of organizations in Europe and North America. Among the more prominent targets were the French hosting firm OVH and Krebs On Security, an independent cyber security blog that often exposes the deeds of cyber criminals operating distributed denial of service (DDOS) scams. Those attacks were the largest denial of service attacks, measured by the volume of bogus Internet traffic used to cripple their targets. Attacks on Krebs on Security topped 600 Gigabits per second (Gbps) and discrete attacks on OVH tipped the scales at more than 700 Gbps.
According to the Flashpoint analysis, cyber criminals abused the default username and password combination for Xiongmai’s Netsurveillance and CMS software. Those credentials – user name root and password xc3511 – allow anyone to gain access to the administrative interface of the device running the software, typically using the Telnet protocol.
Even worse: Flashpoint said that during its investigation it discovered another vulnerability affecting XiongMai’s software: an authentication bypass vulnerability that allows anyone with knowledge of the IP address of a device running the NetSurveillance or CMS software to bypass authentication and connect to the management interface, provided they know the correct URL.
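What Mirai automates is exactly the Telnet login described above: connect to port 23, answer the `login:` and `Password:` prompts with a factory default such as root/xc3511, and treat a shell prompt as success. The following is an added example, not Flashpoint's, XiongMai's or Mirai's code, of the defensive counterpart: an audit routine that tries a short default-credential list against a device and reports which pairs open a shell. So that it runs offline, it also includes a constructed mock device that imitates a BusyBox login banner and accepts only root/xc3511; the extra pairs in the credential list are well-known Mirai-era defaults added for illustration. Point it only at equipment you are authorised to test.

```python
"""Audit a device's Telnet login against known factory-default credentials.

Added example with a constructed mock device (not a real XiongMai firmware image).
"""
import socket
import socketserver
import threading

# root/xc3511 is the XiongMai default named in the report; the other pairs are further
# Mirai-era defaults included here for illustration.
DEFAULT_CREDENTIALS = [("root", "xc3511"), ("root", "vizxv"), ("admin", "admin")]
IAC = 0xFF


def _strip_iac(data: bytes) -> bytes:
    """Drop 3-byte Telnet option negotiations (IAC WILL/WONT/DO/DONT <opt>) so prompts match.

    Subnegotiations (IAC SB ... SE) are not handled; the mock device sends none.
    """
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def _read_until(sock, markers, timeout):
    """Read until any marker appears in the stream, the peer closes, or timeout elapses."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _strip_iac(chunk)
    return buf


def try_login(host, port, user, password, timeout=3.0) -> bool:
    """Return True if user/password yields a shell prompt (# or $) on host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, (b"login:", b"Login:"), timeout)
        s.sendall(user.encode() + b"\r\n")
        _read_until(s, (b"assword:",), timeout)
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, (b"# ", b"$ ", b"incorrect", b"login:"), timeout)
    if b"incorrect" in reply:
        return False
    return reply.rstrip().endswith((b"#", b"$"))


def audit_device(host, port, creds=DEFAULT_CREDENTIALS):
    """Return the (user, password) pairs that open a shell on the device."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


class _MockXmDevice(socketserver.BaseRequestHandler):
    """Constructed stand-in for a DVR's Telnet login: accepts exactly root/xc3511."""

    def _readline(self) -> str:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = self.request.recv(256)
            if not chunk:
                break
            buf += chunk
        return buf.strip().decode(errors="replace")

    def handle(self):
        self.request.sendall(b"\r\n(none) login: ")
        user = self._readline()
        self.request.sendall(b"Password: ")
        password = self._readline()
        if (user, password) == ("root", "xc3511"):
            self.request.sendall(b"\r\nBusyBox v1.16.1 built-in shell (ash)\r\n# ")
        else:
            self.request.sendall(b"\r\nLogin incorrect\r\n")


class _MockServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_mock_device():
    """Start the mock device on a free loopback port; returns (server, port)."""
    server = _MockServer(("127.0.0.1", 0), _MockXmDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_mock_device()
    print("working defaults:", audit_device("127.0.0.1", port))
    server.shutdown()
```

The point of the hardcoded-credential finding is that a positive result from this audit cannot be fixed by changing the password; the only mitigations are firewalling port 23 from the Internet, disabling Telnet where the firmware allows it, or replacing the device.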
prisoninmate writes: Softpedia reports that there's a new project on GitHub, called alwsl, which promises to let you install the Arch Linux operating system on Windows 10's new WSL (Windows Subsystem for Linux) feature, which allows users to run native Linux command-line tools directly on the Windows operating system alongside their modern desktop and apps. For example, Canonical and Microsoft brought Bash on Ubuntu on Windows using the new WSL functionality. For now, the alwsl project, which is developed by a group of German developers who call themselves "Turbo Developers," offers a .bat file that you can use to install Arch Linux on a WSL (Windows Subsystem for Linux) host, but the software is in the developer preview stage. The first stable release, alwsl 1.0, will be able not only to install Arch Linux on the Windows Subsystem for Linux host in Windows 10 editions that support it, but also to create and manage users and snapshots. Also, it looks like it will get rolling upgrades just like a normal Arch Linux installation gets. The final release is expected to launch in December 2016, and you can monitor its development progress on GitHub.
An anonymous reader writes: ... the DOJ insists its science is solid, something it bases on confirmation bias. The matches determined in its forensic labs are "scientifically certain" because the DOJ's expert witnesses have said so in court. Not only are outside scientists locked out of examining evidence and forensic processes, but defense lawyers are as well.
schwit1 writes: Your credit card security is pretty broken. It's not your fault, it's just really hard to keep people's money safe, especially online.
Part of the problem is that once your card details are stolen — whether through a phishing attack or by someone copying the digits on the back — fraudsters are free to go on a spending spree until you notice something's up. Normally by the time you get around to actually cancelling your card, it's all too late.
But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date? That's exactly what two French banks are starting to do with their new high-tech ebank cards.
The three digits on the back of this card will change every hour for three years, and after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.
giulioprisco writes: An exotic “impossible” space propulsion technology known as “Cannae Drive,” less known than the EmDrive but equally controversial, made news headlines a few weeks ago with the announcement that it is about to be tested in space. There are speculations that the Cannae Drive could exploit physics known as “Mach Effect.” But perhaps the same physics plays a role in the EmDrive as well.