InformationWeek Stories by Mathew Schwartz (http://www.informationweek.com), InformationWeek, en-us. Copyright 2012, UBM LLC.

2013-05-24T11:47:00Z
Google Researcher Reveals Zero-Day Windows Bug
Bug hunter releases proof-of-concept exploit for unpatched zero-day Windows vulnerability.
http://www.informationweek.com/security/vulnerabilities/google-researcher-reveals-zero-day-windo/240155559?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Google security researcher Tavis Ormandy this week published full details for a zero-day Windows vulnerability, including proof-of-concept (PoC) exploit code.

Vulnerability information provider Secunia said the exploit involves a "less critical" flaw in the Windows kernel driver (win32k) that could allow an attacker to cause a denial of service or gain privilege escalation. "The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to <a href="http://secunia.com/advisories/53435/">Secunia's vulnerability report</a>. The bug reportedly exists in Windows 7 and Windows 8, and possibly in other versions of Windows.
Microsoft didn't immediately respond to an emailed request for comment about the reported flaw, but according to news reports, the company has <a href="http://www.computerworld.com/s/article/9239477/Google_engineer_bashes_Microsoft_s_handling_of_security_researchers_discloses_Windows_zero_day">confirmed the vulnerability</a>. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," Dustin Childs, a spokesman for Microsoft's security response group, told <em>Computerworld</em>. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers."

Ormandy's full disclosure of a zero-day Windows vulnerability -- without any prior notification to Microsoft to give it time to release a fix -- drew criticism from fellow security researchers. "Dropping write-what-where PoC is almost the same as dropping 100% reliable exploit," said <a href="https://twitter.com/NTarakanov/status/336607866339344384">"vulnerability assassin" Nikita Tarakanov</a> via Twitter. A <a href="http://minsky.gsi.dit.upm.es/semanticwiki/index.php/Category:Write-what-where_Condition">write-what-where vulnerability</a>, according to a vulnerability remediation website, refers to "any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."
Some have questioned why Ormandy couldn't have restricted himself to a less detailed vulnerability announcement, which would have let researchers with similar knowledge validate the flaw without serving up a ready-made exploit to would-be attackers. "Can't get what's the problem: text description is enough to make and test your own attack idea implementation," said security researcher <a href="https://twitter.com/d_olex/status/336752212204191744">Oleksiuk Dmytro via Twitter</a>.

Ormandy, a Switzerland-based British information security researcher who works at Google -- charged with keeping the company's products secure -- appears to have a beef with Microsoft. "Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy said in a <a href="http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html">post to his personal blog</a> this month. "I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself."

According to Ormandy, he first spotted the bug earlier this year in a component of the Windows kernel driver. "Testing win32k under memory pressure, this causes an EPATHOBJ to end up in userspace. Anyone want to investigate?" <a href="https://twitter.com/taviso/status/309157606247768064">tweeted Ormandy</a> in March.

On May 15, Ormandy <a href="http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html">posted additional details</a> about the apparent vulnerability on his personal blog, offering pointers on where "to start looking for exploitation opportunities, possibly turning this into code execution."

On May 17, Ormandy disclosed further details. "The bug is really nice, but exploitation when allocations start failing is tricky," he said in an <a href="http://seclists.org/fulldisclosure/2013/May/91">email to the Full Disclosure mailing list</a>.
"As vuln-dev is dead, I thought I'd post here, I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.

He said the flaw seemed to be present at least in Windows 7 and 8, although it might affect all versions of Windows. "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed," he said, referring to Microsoft's <a href="http://www.informationweek.com/security/client/black-hat-microsoft-enhances-sdl-offerin/222601024">Security Development Lifecycle</a>.

By May 20, Ormandy reported that he'd discovered "<a href="http://seclists.org/fulldisclosure/2013/May/111">a really cute trick</a>" that could be used to exploit the vulnerability. "Anyone want to volunteer to write it up over the weekend?" he said. Nine hours later, with no replies, he continued: "I guess I'm talking to myself, maybe this list is all about XSS now."

This isn't the first time that Ormandy, a veteran bug hunter, has released a zero-day vulnerability with little, if any, warning. In 2010, for example, <a href="http://www.informationweek.com/security/vulnerabilities/java-zero-day-vulnerability-revealed/224202510">Ormandy published details</a> of an unpatched, zero-day Java vulnerability. The same year, he released details of a newly discovered, 17-year-old Windows vulnerability, and also filed a vulnerability alert directly with Microsoft about a Help Center bug that could be used to execute a near-silent exploit of a targeted Windows XP or Windows Server 2003 system. Just five days after privately alerting Microsoft to the latter flaw, <a href="http://www.informationweek.com/infrastructure/remote-access/microsoft-security-vulnerability-disclos/225600410">Ormandy publicly released full vulnerability details</a> and proof-of-concept exploit code.
Partially as a response to those unannounced disclosures, Microsoft in 2010 released, and then updated in 2011, its <a href="http://www.informationweek.com/windows/security/microsoft-updates-vulnerability-disclosu/229402062">coordinated vulnerability disclosure policies</a>, pointedly dropping its previous "responsible disclosure" nomenclature. According to Microsoft, some security researchers had a strong emotional response to tying vulnerability disclosure to notions of responsibility.

2013-05-23T11:35:00Z
Strike Back If China Steals IP, Companies Told
Bipartisan report argues that businesses should be allowed to retrieve stolen intellectual property from attackers' networks.
http://www.informationweek.com/security/attacks/strike-back-if-china-steals-ip-companies/240155480?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

When online attackers operating from China or other countries steal corporate secrets, let businesses strike back and retrieve the stolen information from the attackers' networks.
That gloves-off approach is just one of many recommendations for combating industrial espionage outlined in a new <a href="http://www.ipcommission.org/report/IP_Commission_Report_052213.pdf">report</a> from the Commission on the Theft of American Intellectual Property, which is headed by the former director of national intelligence, Dennis Blair, and Jon Huntsman, who has served as the governor of Utah and as U.S. ambassador to China.

"<a href="http://www.nytimes.com/2013/05/22/world/asia/as-chinese-leaders-visit-nears-us-urged-to-allow-retaliation-for-cyberattacks.html">China is two-thirds of the intellectual property theft problem</a>, and we are at a point where it is robbing us of innovation to bolster their own industry, at a cost of millions of jobs," Huntsman told <em>The New York Times</em>. "We need some realistic policy options that create a real cost for this activity because the Chinese leadership is sensitive to those costs."

The report offers 21 specific recommendations, including increasing the budget of the FBI and Department of Justice to investigate trade theft and amending U.S. counter-espionage laws to allow businesses that suffer intellectual property (IP) theft to sue foreign organizations for damages. It also advocates longer-term measures, such as rating countries on their ability to protect IP, as well as ensuring that U.S. officials "push to move China, in particular, beyond a policy of indigenous innovation toward becoming a self-innovating economy."

Indigenous innovation refers to the Chinese government's current policy of investing billions of dollars in research and development at Chinese technology businesses.
But according to the Organization for Economic Cooperation and Development, <a href="http://www.economist.com/node/21549938">too much of that money goes into development</a> and not enough into research, creating an environment in which homegrown innovation fails to flourish, in part because of piracy.

The IP Commission's report echoes that assessment, noting that "with rare penalties for offenders and large profits to be gained, Chinese businesses thrive on stolen technology." According to estimates cited in the report, China accounts for between 50% and 80% -- depending on the industry -- of the world's IP theft.

"I've often told victims the quote by David Etue, that one only need worry about the enemy who understands that <a href="http://policeledintelligence.com/2013/05/23/strikeback-commission-on-ip-theft-report-gets-all-ronin-on-china/">they can spend $1 billion to compete with you or $10 million to steal what you developed</a>," said Nick Selby, CEO of StreetCred Software, on the Police-Led Intelligence blog. "This report bears that concept out."

But the report also urges U.S. businesses to take the information security threat more seriously, saying that too many organizations fail to master <a href="http://www.informationweek.com/security/management/do-you-play-bug-patch-game-badly/231000715">vulnerability management practices</a> or layered defenses.

As noted, the commission's report calls for businesses to be allowed to recover stolen IP from attackers' networks -- "without damaging the intruder's own network" -- and to prevent stolen information from being used, through legal means. The report also calls on Congress to pass laws allowing businesses to pursue "a range of more aggressive measures that identify and penalize illegal intruders into proprietary networks," provided those measures avoid collateral damage.
"Only when the danger of hacking into a company's network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance," the report said.

The report comes as many businesses are seeking terms of engagement for responding to online attacks. Currently, businesses have some latitude in how they respond, such as being able to <a href="http://www.informationweek.com/security/attacks/9-facts-play-offense-against-security-br/240012792">conduct reconnaissance</a> of suspected malicious infrastructure or to socially engineer attackers -- <a href="http://www.informationweek.com/government/security/strike-back-at-hackers-get-a-lawyer/240004510">corporate counsel permitting</a>. But questions remain. For example, can -- or should -- businesses be allowed to <a href="http://www.informationweek.com/security/cybercrime/should-cios-hire-cyber-pinkertons/240155186">hire the equivalent of cyber-Pinkertons</a> to take the fight to online attackers?

Not everyone agrees with the IP Commission's strike-back recommendations. "This is a remarkably bad idea that would harm the national interest," said James A. Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), in an essay titled <a href="http://csis.org/publication/private-retaliation-cyberspace">"Private Retaliation in Cyberspace."</a>

"Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging," he said.

Furthermore, state-sanctioned retaliation could backfire. "The United States is also a leading proponent of the Budapest Convention on Cybercrime, to which we and many other countries are signatories," Lewis said. "Under this convention, private retaliation would be a crime. The victim could reasonably ask the United States to assist in an investigation and extradite those found guilty.
They could then bring suit against the perpetrators in U.S. courts."

2013-05-23T10:13:00Z
Twitter Two-Factor Security Combats Takeovers
Authentication measure comes in the wake of Syrian Electronic Army account hacks; further security steps are coming.
http://www.informationweek.com/security/management/twitter-two-factor-security-combats-take/240155457?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Moving to combat months of high-profile account takeovers, Twitter on Wednesday announced the implementation of a voluntary, two-step authentication system.

"Today we're introducing a new security feature to better protect your Twitter account: login verification," said Jim O'Leary, a member of the social site's product security team, in a <a href="https://blog.twitter.com/2013/getting-started-login-verification">Twitter blog post</a>. "This is a form of two-factor authentication. When you sign in to twitter.com, there's a second check to make sure it's really you. You'll be asked to register a verified phone number and a confirmed email address."

The new feature, which is being gradually rolled out, is designed to block account takeovers via "email phishing schemes or a breach of password data elsewhere on the Web," he said.
The latter threat refers to attackers being able to access a Twitter account if a user has <a href="http://www.informationweek.com/security/client/passwords-tips-for-better-security/231000545">reused a password</a> elsewhere.

"It's great that Twitter has released this feature, which significantly raises the bar for broad-based attacks," said Mark Risher, CEO of Impermium, via email. "As an optional feature, however, we now need to ensure that users opt-in and utilize it; two-factor does nothing if you haven't configured it in advance."

To activate the new security feature, visit Twitter's account settings page, then check "Require a verification code when I sign in." Once enabled, every Twitter login results in a six-digit PIN code being sent via SMS to the account holder's registered mobile phone. Temporary passwords can also be generated to authorize logins from Twitter-compatible applications.

Twitter's information security move comes in the wake of an <a href="http://www.informationweek.com/security/attacks/who-is-syrian-electronic-army-9-facts/240155028">ongoing campaign by the Syrian Electronic Army</a>, which has compromised numerous news and media outlets' Twitter feeds to broadcast propaganda in support of Syrian President Bashar al-Assad. Last month, the group seized control of multiple Associated Press Twitter accounts and <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">issued a hoax tweet</a> that President Obama had been injured by explosions at the White House, which generated a temporary downturn in the U.S. stock market.
The group's repeated takeovers of Twitter accounts -- belonging to everyone from the BBC and National Public Radio to Reuters and the <em>Onion</em> -- have been a <a href="http://www.informationweek.com/security/attacks/ap-twitter-hack-lessons-learned/240153626">security embarrassment for Twitter</a>.

But Twitter's new two-step authentication offering has <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672">already been criticized</a> by security experts as a half measure. "Dear @twitter, forget about SMS! Use authenticator apps," <a href="https://twitter.com/5ean5ullivan/status/337479663888781312">tweeted Sean Sullivan</a>, security adviser at F-Secure Labs, referring to apps such as Google Authenticator and Microsoft Authenticator that can be used to generate one-time passwords on Android, iOS and Windows Phone mobile devices.

Questions also remain about whether Twitter is monitoring for unusual access patterns, as Facebook now does. "We hope that Twitter has incorporated proactive monitoring in addition to this authentication feature," said Impermium's Risher. "Locking the front door is important, but without intelligent systems determining when, how and whether to allow access -- even for people with the 'key' -- account hijacking vulnerabilities will persist."

Twitter, however, said that login verification is only a first step. "This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cellphone providers)," said O'Leary. "However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned."
In the meantime, don't expect two-step authentication to block all account takeovers, warned "The Shadow," a member of the Syrian Electronic Army's "Special Operations Division." "It will definitely make it harder on Twitter, but this was never our primary attack vector," <a href="http://www.vice.com/en_ca/read/speaking-with-the-sea-about-hacking-the-onions-twitter-account">The Shadow told <em>Vice</em></a> magazine. "Nevertheless, there are still some security holes in Twitter's model that we hope to exploit in the future so no one should get too comfortable, we are not going to give up."

Furthermore, as demonstrated by <a href="http://www.informationweek.com/security/attacks/zeus-botnet-eurograbber-steals-47-millio/240143837">malware such as the banking Trojan Zitmo</a> -- short for "Zeus in the mobile" -- mobile devices can be infected with malicious software that intercepts a one-time mobile transaction authorization number (mTAN) sent via SMS. That means that if an attacker obtains a valid username and password, they can also use the on-demand mTAN to access a target's banking site or authorize an unusual transaction.

As Twitter continues to develop new security features, the business faces yet another threat: patent litigation. "Big reveal: 1 billion+ Two-Step-Authentications on the Internet weekly. I invented it. Here's proof," tweeted Mega and Megaupload founder Kim Dotcom (aka Kim Schmitz), referencing the <a href="https://www.google.com/patents/US6078908">"Method for authorizing in data transmission systems" patent</a> that he filed in 1998 and which was published in 2000. According to the patent grant, it "relates to a method and to a device for the authorization in data transmission systems employing a transaction authorization number (TAN) or a comparable password."

"Google, Facebook, Twitter, Citibank, etc. offer two-step authentication," <a href="https://twitter.com/KimDotcom/status/337331891940229120">Dotcom tweeted</a>.
"Massive IP infringement by U.S. companies. My innovation. My patent." Given that Dotcom is currently a <a href="http://www.informationweek.com/security/storage/kim-dotcom-plans-mega-ipo/240149924">fugitive from justice</a> in the United States, it's not clear whether any patent infringement lawsuits he might file would be enforceable.

But Dotcom isn't the only one claiming to have invented two-step authentication. When Microsoft debuted two-factor authentication in April, authentication technology vendor <a href="http://www.banktech.com/management-strategies/strikeforce-technologies-files-patent-su/240152030">StrikeForce Technologies sued Microsoft subsidiary PhoneFactor</a>, as well as technology vendor Fiserv and financial services firm First Midwest Bancorp, claiming that it was the sole patent holder for "out-of-band authentication." According to news reports, a StrikeForce investor said that the company plans to extend its patent-infringement suit to other businesses that now offer two-factor authentication.

2013-05-22T13:48:00Z
Dropbox Adopts Single Sign-On Technology
Dropbox says any off-the-shelf or homegrown identity management system can be configured to automatically sign users into its service.
http://www.informationweek.com/security/storage/dropbox-adopts-single-sign-on-technology/240155403?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Cloud-storage service Dropbox announced Wednesday that its Dropbox for Business service now offers single sign-on (SSO) via the Security Assertion Markup Language (SAML) standard.

Effective immediately, any off-the-shelf or homegrown identity management system that's compatible with SAML can be configured to automatically sign users into Dropbox.

"SSO lets users <a href="https://www.dropboxatwork.com/2013/05/get-one-step-closer-to-your-work-with-single-sign-on/">sign in just once</a> to a central identity provider, like Active Directory, and securely gain access to all of their business apps," said Dropbox engineer Alex Allain in a blog post. "And because a company's existing trusted identity provider is in charge of the authentication process, admins don't have to worry about managing multiple applications."

Dropbox claims it's used in 2 million unique businesses and by 95% of the Fortune 500 companies. Tying cloud services like Dropbox into an enterprise Active Directory or LDAP server enables IT managers to centrally provision users; for example, they can give users access to specific services when they're hired, offer role-based access, and ensure that <a href="http://www.informationweek.com/security/attacks/10-best-ways-to-stop-insider-attacks/232602440">access gets immediately discontinued</a> for employees who leave the company.

Centralized provisioning also lets businesses <a href="http://www.informationweek.com/security/management/how-password-strength-meters-can-improve/240155209">enforce password policies</a> to ensure that users choose strong passwords, and lets them require access using <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672">two-factor authentication</a>, <a href="http://www.informationweek.com/security/attacks/rsa-upgrades-malware-defenses-for-bank-t/240142390">adaptive authentication</a>, or other multi-factor approaches.

To make it easier for businesses to use Dropbox SSO, the company has worked with multiple identity management companies, including Centrify, Okta, OneLogin, Ping Identity and Symplified, <a href="http://www.informationweek.com/cloud-computing/infrastructure/dropbox-for-business-right-for-you/240152788">to integrate their services with Dropbox</a>.

Dropbox's approach to SSO, <a href="http://www.informationweek.com/cloud-computing/software/dropbox-for-business-adds-active-directo/240152645">announced last month</a>, is based on <a href="http://www.informationweek.com/security-assertion-markup-language/16600124">SAML</a>, an XML-based standard for transmitting authentication and authorization information via the Internet. It's designed to allow users to authenticate once, then access any SAML-compatible service, whether it's located on the premises or hosted in the cloud.

"By adopting this open standard, <a href="http://www.onelogin.com/dropbox-for-business-support-of-saml-based-single-sign-on-marks-a-milestone-in-cloud-app-security/">Dropbox is making life easier for end users</a> while at the same time allowing IT to tightly control employee access to the application -- which is the biggest advantage of the SAML standard," said Thomas Pedersen, CEO of OneLogin, in a blog post.
He said his company's related offering, OneLogin for Dropbox, is free, although adding further applications and capabilities costs extra.

"When a company like Dropbox jumps on the SAML bandwagon, it becomes a significant validation that cloud application security and ease of use can be mutually reinforcing," Pedersen said. "IT departments and end users both win."

2013-05-22T10:50:00Z
FBI Arrests NYPD Detective On Hacking Charges
Detective accused of hiring hackers to obtain webmail access credentials for 30 targets, and of accessing a federal crime-information database without authorization.
http://www.informationweek.com/security/attacks/fbi-arrests-nypd-detective-on-hacking-ch/240155332?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

The Department of Justice on Tuesday announced the arrest of New York City Police Department (NYPD) detective Edwin Vargas, 42, on computer hacking charges.

Vargas, a 20-year veteran of the police force, has been accused of ordering hacks of at least 43 personal email accounts belonging to at least 30 people, 19 of whom are current NYPD employees, including fellow detectives. He's also accused of paying the service to provide credentials for accessing a target's cellphone records.
According to a complaint unsealed Tuesday in federal court, from April 2010 to October 2012, "Vargas paid certain email hacking services to hack into numerous email accounts which did not belong to him, in order to obtain the login credentials for those accounts."

The primary target of Vargas' alleged surveillance operation was reportedly his former girlfriend, who's also an NYPD employee. <a href="http://www.nytimes.com/2013/05/22/nyregion/bronx-officer-accused-of-hiring-e-mail-hackers.html">Police officials told</a> <em>The New York Times</em> that the couple had a child together, but had broken up.

The investigation was conducted by the FBI, together with the NYPD's internal affairs bureau. Law enforcement officials told the <em>Times</em> that during the course of an investigation into a <a href="http://www.informationweek.com/security/vulnerabilities/schwartz-on-security-bling-botnets-sell/229000930">pay-for-hacking operation</a> being run from Los Angeles, investigators discovered evidence that some NYPD employees' email accounts had been hacked, which led them back to Vargas.

FBI investigators said that a digital forensic review of Vargas' hard drive revealed that he'd accessed online cellphone records for July to September 2012 for at least one of his targets. He allegedly also accessed records that listed the phone numbers of everyone to whom the account holder had sent text messages.

According to the complaint, in November 2011, Vargas also accessed the <a href="http://www.fbi.gov/about-us/cjis/ncic">National Crime Information Center</a> (NCIC), a centralized database used by U.S. law enforcement agencies to track crime-related information, and obtained information on at least two of the NYPD officers for whom he'd already obtained online email access credentials.

According to the complaint, which was filed Monday by FBI special agent Samad Shahrani, who's part of the bureau's Cyber Criminal Intrusion Squad, email hacking services such as the one Vargas allegedly employed typically accept an email-account hacking order, then provide the client with a screenshot of the targeted account's homepage and a message saying that the requested account credentials have been obtained and used successfully. At that point, they demand payment, typically by credit card, PayPal or another online payment processor. Shahrani said that after reviewing Vargas' bank and PayPal records, he identified about $4,050 that had been paid to email hacking services, at a rate of $50 to $250 per hacked account.

Vargas has been charged with conspiracy to commit computer hacking and unauthorized access to a law enforcement database.

"Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee," said George Venizelos, who heads the FBI's New York office, in a statement. "Unlike the email accounts, the defendant didn't need to pay anyone to gain access to the NCIC database. But access is not authorization, and he had no authorization."

2013-05-21T13:16:00Z
Google Aurora Hack Was Chinese Counterespionage Operation
Attackers were after U.S. government surveillance requests for undercover Chinese operatives, say former government officials.
http://www.informationweek.com/security/attacks/google-aurora-hack-was-chinese-counteres/240155268?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

A high-profile information security attack against Google in late 2009 -- part of what was later dubbed Operation Aurora -- was a counterespionage operation being run by the Chinese government.

Former government officials with knowledge of the breach said attackers successfully accessed a database that flagged Gmail accounts marked for court-ordered wiretaps. Such information would have given attackers insight into active investigations being conducted by the FBI and other law enforcement agencies that involved undercover Chinese operatives.

"Knowing that you were subjects of an investigation <a href="http://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html">allows them to take steps to destroy information</a>, get people out of the country," a former U.S. government official with knowledge of the breach told the <em>Washington Post</em>, which first reported the news.
But the official cautioned that the attack also could have been a subterfuge operation by Chinese intelligence agencies designed to trick U.S. intelligence agencies into believing false or misleading information. <P> The new Operation Aurora revelations came after a Microsoft official last month disclosed that his company had apparently been targeted by the same attackers -- unsuccessfully, he said -- at the same time as Google. <P> "What we found was the <a href="http://www.cio.com/article/732122/_Aurora_Cyber_Attackers_Were_Really_Running_Counter_Intelligence">attackers were actually looking for the accounts that we had lawful wiretap orders on</a>," David W. Aucsmith, senior director of Microsoft's Institute for Advanced Technology, told a government IT conference hosted by Microsoft in Redmond, Wash., last month, CIO.com first reported. <P> "So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way," said Aucsmith. "Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case." <P> <a href="http://googleblog.blogspot.co.uk/2010/01/new-approach-to-china.html">Microsoft's recounting of the attacks stood in sharp contrast to Google's</a> disclosure, published in early January 2010. 
"In mid-December [2009], we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google," said a blog post by Google's chief legal officer, David Drummond. <P> At the time, having a major business publicly blame the Chinese government for having launched an information security attack against its systems was rare. <P> The successful attack against Google was dubbed Operation Aurora by security firm McAfee because attackers reportedly employed the Aurora (a.k.a. Hydraq) Trojan horse application. At the time, however, Google said its investigation into the attack found that "at least twenty other large companies from a wide range of businesses -- including the Internet, finance, technology, media and chemical sectors -- have been similarly targeted." Google also disclosed that a second branch of the attack had compromised multiple <a href="http://www.informationweek.co.uk/security/vulnerabilities/google-hackers-targeted-chinese-and-viet/224200944">Chinese and Vietnamese activists' Gmail accounts</a>. <P> All told, the Operation Aurora attacks reportedly <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html">targeted at least 34 companies</a>, including Adobe, Juniper, Rackspace, Symantec, Northrop Grumman, Morgan Stanley and Yahoo. <P> At the time, Bruce Schneier, chief security technology officer of BT, said that the <a href="http://www.schneier.com/blog/archives/2010/01/me_on_chinese_h.html ">Google attackers exploited wiretap backdoors</a> mandated by the U.S. government to access the activists' accounts. "In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access," according to Schneier. 
"Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic." <P> The Operation Aurora attacks became the basis for what's now known as an <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">advanced persistent threat (APT) attack</a>. <P> Last year, Symantec reported that the <a href="http://www.informationweek.co.uk/security/attacks/google-aurora-attackers-still-on-loose-s/240006930">Aurora gang was still at work</a>, and operating with a <a href="http://www.informationweek.com/security/vulnerabilities/so-you-want-to-be-a-zero-day-exploit-mil/231902813">large budget</a>. "The group seemingly has an unlimited supply of zero-day vulnerabilities," according to Symantec. "The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent."
2013-05-21T11:32:00Z
Anonymous Threatens Gitmo, U.S. Locks Down Wi-Fi
Guantanamo Bay Naval Base authorities turn off Wi-Fi and social media after Anonymous threatened to shut them down.
http://www.informationweek.com/security/cybercrime/anonymous-threatens-gitmo-us-locks-down/240155262?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
A threat by the Anonymous hacktivist collective has led to all Wi-Fi communications at the Guantanamo Bay Naval Base in Cuba being disabled. <P> Army Lt. Col. Samuel House <a href="http://hosted.ap.org/dynamic/stories/C/CB_GUANTANAMO_HACKING_DEFENSE?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2013-05-20-14-10-34">told the Associated Press</a> that disabling the Wi-Fi across the base was a preventive measure, designed to address a threatened disruption by Anonymous. Authorities at the base also blocked all access to Facebook, Twitter and other social media services. <P> "You shut the Wi-Fi down in GTMO, we will shutdown Guantanamo," read a subsequent post to the <a href="https://www.facebook.com/Crypt0nymous/posts/588729937824732">Crypt0nymous News Network's Facebook page</a>. <P> The initial threat arrived earlier this month, with Anonymous announcing via Pastebin that <a href="http://pastebin.com/0VaQ3cJK">"#OpGTMO" would run</a> from May 17 to May 19. 
It also detailed a related "Twitter Storm package," urging people to flood Twitter with related messages using preset hashtags, as well as "phonebomb" their senators and representatives. <P> "We, the people and Anonymous, will not allow the most expensive prison on earth to be run without any respect for international laws," read an Anonymous press release, referring to the <a href="http://en.wikipedia.org/wiki/Guantanamo_Bay_detention_camp">Guantanamo Bay detention camp</a>. "We stand in solidarity with the Guantanamo hunger strikers. We will shut down Guantanamo." <P> The Anonymous operation was meant to highlight the 100th day of a hunger strike being held at the base by prisoners protesting their length of incarceration, as well as conditions at the base. According to news reports, as of Monday, 103 of 166 prisoners at the base were continuing a hunger strike. <P> It's not clear whether the Army's disabling of all Wi-Fi on Guantanamo may have been the disruption that Anonymous was intending. <P> The threats from Anonymous aren't the first information security concerns to confront Guantanamo Bay Naval Base. Last month, a Guantanamo war court judge ordered pretrial hearings to be delayed after defense attorneys reported that since February, key documents had gone missing from their systems and prosecutors' files -- which they didn't open -- had suddenly appeared on their systems, <a href="http://newsandinsight.thomsonreuters.com/Legal/News/2013/04_-_April/Guantanamo_pretrial_hearing_delayed_as_legal_files_vanish/">Reuters reported</a>. Defense attorneys also reported signs that their internal base emails and Internet searches were being monitored by a third party. 
In response, the chief defense counsel for the tribunals, Col. Karen Mayberry, ordered all defense attorneys -- civil and military -- to immediately stop using government-issued computers. <P> In other Anonymous news, the collective earlier this month announced Operation Petrol (#OpPetrol), in conjunction with SaudiAnonymous and a hacker known as AnonGhost, who was a key figure in this month's #OpUSA attacks, which multiple critics <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">derided as "FlopUSA"</a> for being more bark than bite. <P> First announced on May 10 via Pastebin, <a href="http://pastebin.com/8KWUwJdy">#OpPetrol is designed</a> to target oil-producing nations as well as petroleum companies, and scheduled for June 20. <P> The operation's stated raison d'etre is to avenge an alleged "petro-dollar" conspiracy involving Muslim countries selling oil in dollars, rather than local currency. "The new world order installed their own rules so that they can control us like robots," according to the post. <P> Countries designated as targets for attack include the United States, Canada, England, Israel, China, Italy, France, Russia and Germany. The campaign's organizers also designated as targets the governments of Saudi Arabia, Kuwait and Qatar. <P> Some related attacks have already been disclosed, including a purported leak of 16 Saudi government email access usernames and passwords in plaintext, which was uploaded on May 12 to Pastebin. <P> As that suggests, organizations that might be targeted by these attacks shouldn't wait until June 20 to perform a threat assessment and lock down vulnerable systems. "As we know from past events, actors may be compromising sites now only to release the results as part of the operation," according to a blog post from <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/What-to-Expect-from-OpPetrol/ba-p/6071747">security researchers at HP</a>. 
"Potential targets may have already seen activity that could later be associated with this announcement." <P> That said, many security experts expect #OpPetrol to be a non-starter. "Given the trends so far, we anticipate that this operation will mirror #OpUSA," said HP. "We do not anticipate #OpPetrol to be a large success."
2013-05-21T09:37:00Z
APT Attacks Trace To India, Researcher Says
Multi-year hacking campaign targeted mining companies, legal firms, Pakistan, Angolan dissidents and others in Pakistan, the U.S., Iran, China and Germany.
http://www.informationweek.com/security/attacks/apt-attacks-trace-to-india-researcher-sa/240155225?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
A multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. Organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany. 
<P> Those findings come from <a href="http://enterprise.norman.com/resource_center/unveiling_an_indian_cyberattack_infrastructure-a_special_report">"Unveiling an Indian Cyberattack Infrastructure,"</a> a new report from Norwegian security software vendor Norman that documents an <a href="http://www.informationweek.com/security/cybercrime/advanced-persistent-threats-get-more-res/232600562">APT campaign</a> that began in 2010, if not earlier. According to the report, the APT campaign and related, malicious infrastructure has served "primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States." <P> Report co-author Snorre Fagerland, a principal security researcher in the Malware Detection Team at Norman Shark in Norway, said in an interview: "What we found surprised us a little bit, because we started out anticipating the Chinese, but the indicators we found pointed toward India." <P> Researchers also found multiple references to Appin, an Indian information security software vendor and "ethical hacking" training company. References included "appin" and "appinbot" in "cleartext project and debug path strings," according to Norman's report, and some domains used in the APT attacks appeared to have been registered with a corporate Appin email address before being hidden. <P> Norman's report said the Appin name-dropping is no smoking gun. "Maybe someone has tried to hurt Appin by falsifying evidence to implicate them," said the report. "Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations." 
But Adam Meyers, director of intelligence at CrowdStrike, <a href="http://www.darkreading.com/attacks-breaches/commercialized-cyberespionage-attacks-ou/240155245">told DarkReading</a>: "I think it is highly unlikely Appin is not involved." <P> Contacted for comment, a spokesman for Appin in New Delhi strongly dismissed any suggestion that his company was connected with the APT campaign. "The Appin Security Group is no manner connected or involved with the activities as sought to be implied in the alleged report," he said in an emailed statement. "The reference to Appin Security Group in the report is malafide and made purely with an intention to slur the good name of Appin Security Group in the industry." <P> This isn't Norman's first foray into malware research. In Nov. 2012, the company discovered an unrelated, <a href="http://www.informationweek.co.uk/security/attacks/espionage-malware-network-targets-israel/240115326">botnet-driven malware espionage campaign</a> focused on Middle Eastern targets in Israel and Palestine. <P> Norman undertook a similar investigation -- on its own initiative -- after Norwegian telecommunications company Telenor reported experiencing a network breach on March 17, 2013. "We arrived at the conclusion that Telenor was not an isolated case, but part of a much larger attack pattern emanating from India," said Fagerland in a related <a href="http://blogs.norman.com/2013/security-research/the-hangover-report">blog post</a>. "This conclusion is backed up by indicators found in malware, similar related cases, domain registrations, hosting details and other available data from our own extensive dataset as well as public data." <P> The APT attackers chiefly employed spear-phishing emails to compromise targets. Some emails tried to trick recipients into opening attached, malicious documents that attempted to exploit <a href="http://www.symantec.com/connect/blogs/operation-hangover-qa-attacks">known vulnerabilities</a>. 
Other emails included a link to a website designed to launch a phishing attack. According to Norman, no <a href="http://www.informationweek.co.uk/security/attacks/microsoft-hacked-joins-apple-facebook-tw/240149323">watering hole attacks</a> have been seen. <P> The APT campaign is sizeable: more than 600 domains have been spotted and over 800 samples of malware -- some customized for specific targets -- recovered. "As far as I know, this is one of the largest command and control infrastructures I've seen by any APT group, certainly outside of China," said Fagerland. Norman's report said all signs point to the campaign being "conducted by private threat actors with no evidence of state sponsorship." <P> Malware developers used relatively simple development tools and techniques, and outsourced some work to freelancers, for example via the Elance virtual marketplace. "I like the use of Elance for tool development. Way to keep those costs down," the Bangkok-based vulnerability buyer and seller known as "the Grugq" said <a href="https://twitter.com/thegrugq/status/336398189886316544">via Twitter</a>. <P> Furthermore, "the attackers were not very good at covering their tracks," said Fagerland. "We found for example several open drop folders where they had uploaded stolen data." Attackers often left their project management notes behind too. "Curiously, many of the executables we uncovered from related cases contained cleartext project and debug path strings," according to the report. "It is not very common to find malware with debug paths, but these particular threat actors did not seem to mind leaving such telltale signs, or maybe they were unaware of their presence." Language used in the project notes further suggests that at least some of the project team was Indian. 
<P> Fagerland said that a <a href="http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/">report published last week</a> by ESET malware researcher Jean-Ian Boutin, describing an APT campaign that appeared to be targeting Pakistan, was part of the APT campaign analyzed in Norman's report. ESET likewise ascribed the attack to India based on numerous fronts, including the hours worked by attackers and reference to "Ramu Kaka," which "is a typical Bollywood-style servant in a house," according to Boutin. "Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit." <P> Norman's researchers found that the command-and-control infrastructure used by the APT attackers was used to target the Chicago Mercantile Exchange, which publicly reported that a failed phishing attempt had been launched against it. The malicious infrastructure was also used to infect an Angolan activist's OS X systems with a Trojan backdoor, which wasn't discovered until the activist attended last week's Oslo Freedom Forum, according to a <a href="http://www.f-secure.com/weblog/archives/00002554.html">blog post</a> from Sean Sullivan, security advisor at F-Secure Labs, which is analyzing the malware. Sullivan said the malware was signed with a legitimate Apple developer ID in the name of "Rajinder Kumar." <P> What can be deduced from the finding that the same attack infrastructure used against Pakistan government targets was also used to infect an Angolan activist's Mac with a backdoor Trojan? "That's an interesting side branch of this operation," said Fagerland. It suggests the botnet's controllers "could be hiring out the infrastructure to other attackers," or offering targeted attacks as a service. <P> Norman shared its findings with Norwegian law enforcement agencies in advance of releasing its report. Although the timing may be coincidental, attackers' behavior has since changed. 
"We have reason to believe that at least some information from this report was known to some people in India some time ago, and since then, some things have changed," said Fagerland. "Whole branches of this command and control infrastructure have gone silent." <P> But he said that the timing could just be a coincidence.
2013-05-20T12:31:00Z
Yahoo Japan Data Breach: 22M Accounts Exposed
Yahoo breach could have compromised 10% of all Yahoo user credentials. Meanwhile, Syrian Electronic Army targets <i>The Financial Times</i>.
http://www.informationweek.com/security/attacks/yahoo-japan-data-breach-22m-accounts-exp/240155216?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
Yahoo disclosed Friday that a breach at Yahoo Japan may have exposed 22 million login names to attackers. <P> "We don't know if the file [containing 22 million user IDs] was leaked or not, but we can't deny the possibility, given the volume of traffic between our server and external terminals," read a statement issued Friday by Yahoo Japan. Yahoo Japan is the country's most-visited website, and is jointly owned by Yahoo and Japanese network operator <a href="http://www.informationweek.co.uk/mobility/3g/what-softbank-sees-in-sprint/240008446">Softbank</a>. 
<P> Yahoo Japan posted a link to a related breach notification on its homepage, and said it was contacting affected users and had strengthened network security in the wake of the attack. Yahoo Japan also recommended all users -- as of last year, the company had about 24 million users -- change their passwords, and added a tool on its homepage that allowed users to check if their ID was at risk from the suspected breach. <P> Yahoo Japan's users, however, can't change their login IDs -- which sometimes appear publicly; for example, when users post comments on shopping sites -- without losing access to their current account's email and stored data, <a href="http://www.pcadvisor.co.uk/news/security/3448048/yahoo-japan-says-22-million-user-ids-may-have-been-stolen/">reported</a> <em>PC Advisor</em>. But after Yahoo Japan discovered malware on its servers last month that had extracted -- but not exfiltrated -- information relating to 1.27 million of its users, the company added a "Secret ID" capability, which allows users to use a separate ID only for logging on. <P> Yahoo officials said they discovered the unauthorized access Thursday. The potential data breach affects 10% of Yahoo's user base. <P> Yahoo was last in the data breach headlines in July 2012, when the company confirmed that an "older file" containing <a href="http://www.informationweek.co.uk/security/attacks/yahoo-password-breach-new-risks/240003653">450,000 usernames and passwords</a> associated with its Yahoo Voices service had been leaked online. At the time, it said that only 5% of the leaked passwords were still valid. "D33Ds Company" took credit for the hack, saying it had been accomplished via SQL injection attack. 
The group said it had leaked the information "as a wake-up call, and not as a threat" to Yahoo to fix the vulnerability, the specifics of which the hackers didn't publicly detail. <P> In other hacking news, the <em>Financial Times</em> (FT) Friday became the latest victim of Syrian hackers, after its website and multiple Twitter accounts were compromised via spear-phishing attacks. "Syrian Electronic Army Was Here," read 12 posts to various <em>FT</em> Twitter feeds. Multiple fake messages were also posted to the newspaper's Twitter account. <P> The Syrian Electronic Army <a href="https://twitter.com/Official_SEA12/status/335397478352449536">claimed</a> to have compromised 17 of the newspaper's Twitter accounts as well as its website, and posted what it said was the username and password ("Gar1eth") for a marketing executive at the paper. <P> "We have now locked those accounts and are grateful for Twitter's help on this," said Robert Shrimsley, the managing editor of FT.com, <a href="http://www.ft.com/cms/s/0/7a091972-bef3-11e2-a9d4-00144feab7de.html">reported</a> the <em>FT</em>. <P> The newspaper is the latest media organization to have seen its Twitter feeds hacked by the <a href="http://www.informationweek.com/security/attacks/who-is-syrian-electronic-army-9-facts/240155028">Syrian Electronic Army</a>, which supports Syrian President Bashar al-Assad. The group has previously compromised an Associated Press feed, which it used to issue a <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">fake alert that explosions had occurred</a> in the White House. Other targets have included the BBC, the <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800"><i>Guardian</i></a>, National Public Radio and <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">satire site <em>The Onion</em></a>. 
<P> Earlier this month, Twitter <a href="http://www.informationweek.co.uk/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094">warned news and media outlets</a> to expect further attacks. <P> To halt Twitter account takeovers, security experts have recommended using a dedicated PC for tweeting, or employing an intermediary social media management service such as Hootsuite to block the spear-phishing attacks the group often uses to obtain credentials. They've also <a href="http://www.informationweek.co.uk/security/management/twitter-two-factor-authentication-too-li/240153672">called on Twitter</a> to implement two-factor authentication. But a "secret ID" service of the Yahoo Japan variety would also help Twitter users, since all Twitter usernames are already public, meaning would-be attackers only need to obtain a password to hack into an account. <P> As with previous Syrian Electronic Army takeovers, some of its <em>FT</em> tweets advanced the group's stated aim of "[defending] the Syrian nation against the vicious lying media campaign," referring to perceived inaccuracies in reporting on the Syrian civil war. One bogus <em>FT</em> tweet, for example, read: "Jabhet A-Nosra terrorists executed innocent citizens," referring to the militant jihadist group that currently controls large parts of the rebel-held areas of northern Syria. Some leaders of that group recently <a href="http://www.telegraph.co.uk/news/worldnews/middleeast/syria/10067318/Syria-Jabhat-al-Nusra-split-after-leaders-pledge-of-support-for-al-Qaeda.html">pledged allegiance to al-Qaeda</a>. <P> Interestingly, the <em>FT</em> last month <a href="http://www.ft.com/cms/s/0/2f67e77a-acf8-11e2-9454-00144feabdc0.html">interviewed</a> a self-described member of the Syrian Electronic Army who calls himself "Th3Pr0." "All the countries who support the terrorists groups in Syria are targets for us -- their media/government website/social media accounts," Th3Pr0 said. 
"Our demands [are] to stop suspending our accounts and domain names so we can enjoy the 'Freedom speech of America.'"
2013-05-20T11:01:00Z
How Password Strength Meters Can Improve Security
Color-coded password-strength meters nudge users to improve the strength of their important passwords, but have little effect on unimportant ones.
http://www.informationweek.com/security/management/how-password-strength-meters-can-improve/240155209?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
Want your site's users to build better passwords? Then provide "password strength" meters to show if a proposed password carries a low (red), medium (yellow) or high (green) level of security. <P> According to the first-ever study of password meters' effectiveness -- delivered this month at the CHI human-computer interaction conference in Paris -- such meters aren't just window dressing or empty <a href="http://en.wikipedia.org/wiki/Security_theater">security theater</a>. 
Meters result in stronger passwords when users are forced to change existing passwords on "important" accounts, according to the <a href="http://research.microsoft.com/apps/pubs/?id=192108">"Does My Password Go up to Eleven?" research study </a> from researchers at the University of California at Berkeley, University of British Columbia and Microsoft Research. In addition, they found that graphical design variations between different types of meters "likely have a marginal impact" on user adoption. <P> The usefulness of password meters wasn't a given; no previous research had explored whether they led people to pick stronger passwords. "The original purpose of the experiment was to see whether meters based on social pressure would yield an improvement, since we didn't expect existing meters to be effective," said primary report author and University of California at Berkeley <a href="http://guanotronic.com/~serge/">research scientist Serge Egelman</a> via email. "We were surprised that one, meter design doesn't appear to matter much, and two, meters do work under certain circumstances." <P> <strong>[ Honeywords, or fake passwords, could help businesses better detect breach attempts. Read more at <a href="http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334?itc=edit_in_body_cross">Sweet Password Security Strategy: Honeywords</a>. ]</strong> <P> As emphasized by the report title's <a href="http://en.wikipedia.org/wiki/Up_to_eleven">"This Is Spinal Tap" film reference</a>, when it comes to passwords, more (entropy) equals more (security). That's why standard <a href="http://www.informationweek.co.uk/security/client/passwords-tips-for-better-security/231000545">password security advice</a> -- at least currently -- is to pick a password that has at least 12 characters, mixing letters, numbers and symbols. 
Whatever the rules, however, password meters provide simple and immediate visual feedback about what constitutes "strong enough." <P> The researchers' conclusions are based on comparing forced password resets in the presence of password meters to those without such meters. "We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were forced to change their real passwords," the researchers explained. "We observed that the presence of meters yielded significantly stronger passwords." <P> They also found that the meters didn't seem to cause memorability problems for users, and suggested that people forgetting passwords was more related to forced expiration dates, which <a href="http://www.schneier.com/blog/archives/2010/11/changing_passwo.html">not all cryptography experts see as always necessary</a>. <P> The researchers' password-meter findings, however, come with a caveat. In a second study they conducted, users were asked to create a password for an unimportant account. "In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts," they said. <P> Egelman said that although password meters are effective when used for important passwords, perhaps they shouldn't be used at all for unimportant passwords. "People have a finite amount of memory, which shouldn't be wasted protecting resources that are unimportant -- e.g., low-value accounts. I think the bigger problem is that most passwords are highly susceptible to offline attacks," he said. "Whereas when users do not select popular passwords -- e.g., [in] the top 100/1,000/10,000 -- online attacks are relatively unsuccessful. This suggests that a much more efficient solution is to prevent offline attacks from occurring." 
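To make both halves of Egelman's point concrete, here is an added Python example; it is my illustration, not code from the study or from any site it tested. The meter half estimates guessing entropy from length and character classes, scores anything on a popular-password list as zero (those are exactly the guesses an online attacker tries first) and maps the result onto the red/yellow/green zones; the server-side half contrasts an unsalted fast hash, which one table of guesses cracks for every user at once, with salted PBKDF2 storage that makes a stolen database expensive to attack offline. The POPULAR_PASSWORDS set is a small constructed stand-in for a real top-10,000 list, the 36- and 60-bit zone boundaries and the 600,000-iteration count are assumptions to be tuned per site, and the sample passwords are constructed.

```python
"""Added example: a password meter with a popular-password blocklist (online
attacks) beside salted, slow password storage (offline attacks)."""
import base64
import hashlib
import hmac
import math
import os
import string

# Constructed stand-in for a "top 10,000" list; load a breach-derived list in practice.
POPULAR_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "monkey", "dragon", "iloveyou", "football", "welcome",
})


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    other = [c for c in password
             if not (c.islower() or c.isupper() or c.isdigit() or c in string.punctuation)]
    if other:
        size += 32  # rough allowance for space and non-ASCII characters
    return size


def estimate_entropy_bits(password: str) -> float:
    """Bits of brute-force work, estimated the way a client-side meter would."""
    if not password:
        return 0.0
    if password.lower() in POPULAR_PASSWORDS:
        return 0.0  # hit within the first few thousand online guesses, whatever its length
    bits = len(password) * math.log2(charset_size(password))
    # Penalise low internal variety: "aaaaaaaaaaaa" is not twelve random letters.
    return round(bits * len(set(password)) / len(password), 1)


def meter(password: str) -> tuple[str, float]:
    """Map the estimate onto the red/yellow/green zones a meter displays (assumed cut-offs)."""
    bits = estimate_entropy_bits(password)
    if bits < 36:
        return "red", bits
    if bits < 60:
        return "yellow", bits
    return "green", bits


# --- server side: what "preventing offline attacks" looks like in code ---

def weak_store(password: str) -> str:
    """Deliberately weak: unsalted, fast hash. One table of guesses cracks every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist) -> dict[str, str]:
    """Offline attack on weak_store() output: hash each guess once, match against all users."""
    table = {weak_store(guess): guess for guess in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


PBKDF2_ITERATIONS = 600_000  # assumption: tune so one verification costs ~100 ms on the server


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256; the per-user salt forces a separate attack per record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        rounds = int(iterations)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for pw in ("password", "qwerty123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, meter(pw))
    users = {"alice": weak_store("letmein"), "bob": weak_store("Tr0ub4dor&3")}
    print("cracked from unsalted store:", crack_unsalted(users, POPULAR_PASSWORDS))
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record),
          verify_password("letmein", record))
```

The blocklist check is what makes the meter honest: a twelve-character entry that appears on a leaked-password list scores red no matter how many character classes it mixes. On the storage side, the record format carries the iteration count so it can be raised later without invalidating existing accounts.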
<P> Protecting stored passwords with proper network security controls and <a href="http://www.informationweek.co.uk/security/application-security/password-police-cite-evernote-mistakes/240150250">strong cryptography</a>, in practice a salted and deliberately slow password hash, so that a stolen credential database can't be cracked offline, however, has nothing to do with password-strength meters. "This responsibility lies solely with the websites who store the passwords, not the users," Egelman said. <P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)</i>

2013-05-17T10:07:00Z
Who Is Syrian Electronic Army: 9 Facts
Syrian hackers claim to battle American imperialism, media bias and Angelina Jolie.
http://www.informationweek.com/security/attacks/who-is-syrian-electronic-army-9-facts/240155028?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Beware patriotic Syrian hackers holding a media grudge. <P> That's one takeaway from the ongoing exploits of the Syrian Electronic Army, a self-described group of grassroots Syrian hackers who support Syrian President Bashar al-Assad. <P> During the country's two-year -- and counting -- civil war, the Syrian Electronic Army has been deployed as a propaganda tool to correct perceived slights or misinformation being disseminated via media outlets that the group sees as sympathetic to Syrian rebels. Its modus operandi is to compromise the Twitter and Facebook accounts of its targets, which are predominantly media outlets.
The group's best-known exploit to date was seizing control of multiple Associated Press (AP) Twitter feeds, then using them to issue bogus messages, including the <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">following alert</a> on April 23: "Breaking: Two Explosions in the White House and Barack Obama is injured." <P> In the wake of that tweet, the White House confirmed that the president was unharmed, that there had been no explosions and that the FBI was investigating the hoax tweets. Because automated high-speed trading systems monitor Twitter feeds, however, the bogus news triggered a temporary downturn in the U.S. stock market that briefly erased $200 billion in value. According to <a href="http://blog.thepro.sy/" target="_blank">Th3 Pr0</a> (pronounced "the pro"), the self-described 18-year-old "leader of special operations department" for the Syrian Electronic Army -- personal website tagline: "proud to be pro-Assad hacker" -- the hack was in retaliation for Network Solutions having seized the group's domain names, as well as for the United States "supporting the terrorist groups in Syria." <P> "We generally target the most malicious media, especially those who refuse to cover both sides of the war," a member of the SEA's "Special Operations Division," known as the Shadow, <a href="http://www.vice.com/en_ca/read/speaking-with-the-sea-about-hacking-the-onions-twitter-account" target="_blank">told <em>Vice</em></a> magazine. <P> Other media outlets targeted by the group have included CBS, AFP, Sky News Arabia and E! Online, with the hackers using a seized Twitter feed at the celebrity news site to announce earlier this month that Justin Bieber was gay, before telling Bieber fans they'd been "trolled."
That followed its March compromise of multiple BBC Twitter accounts, which the group used to post anti-Semitic rants as well as to offer the following report via the BBC's Twitter weather feed: "Saudi weather station down due to head-on collision with camel." <P> In May, meanwhile, the group <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">seized control of the Twitter account for satire site the <em>Onion</em></a>. "UN retracts report of Syrian chemical weapon use: 'Lab tests confirm it is Jihadi body odor,'" reported one hoax tweet. Another said that the Onion's CEO said he regretted "taking Zionist money to defame Syria." <P> Obviously, the hacking group has its own perspective on not only the Syrian conflict, but what constitutes balanced reporting. For example, another hoax tweet -- posted to a <a href="http://www.informationweek.co.uk/security/vulnerabilities/5-steps-to-prevent-twitter-hacks/240005178">hacked Reuters Twitter account</a> last year -- read: "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria." <P> As that tweet illustrates, the Syrian Electronic Army persistently attempts to reframe the country's civil war as a conflict perpetrated by foreign powers that are arming terrorists and bringing them into the country in a bid to overthrow the legitimate Syrian government. <P> The hackers' perspective parallels more widespread, pro-Assad propaganda based on accusing many Western media outlets of not just bias, but also "persistent media warmongering, faking news and fabricating ... stories." That's according to a report on the <a href="http://www.syrianews.cc/western-mainstream-propaganda-outlets-falling/" target="_blank">Syria News website</a>, which claimed that "terror NATO sponsors" were "airlifting, training, arming, financing and smuggling Al-Qaeda terrorists" into Syria.
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/christiaantriebert/7955551210/" target="_blank">Christiaan Triebert</a>.</em> <P> <strong>RECOMMENDED READING</strong> <P> <a href="http://www.informationweek.co.uk/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">Anonymous OpUSA Hackathon: Mostly Bluster</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/twitter-battles-syrian-hackers/240153424">Twitter Battles Syrian Hackers</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">Twitter Preps Two Factor Authentication After AP Hoax</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">How Syrian Electronic Army Unpeeled The Onion</a> <P> <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">Syrian Hacktivists Hit Guardian Twitter Feeds</a> <P> <a href="http://www.informationweek.co.uk/security/management/syria-back-online-after-internet-blackou/240154412">Syria Back Online After Internet Blackout</a> <P> The Syrian Electronic Army emerged soon after the Syrian uprising began in 2011, defacing Facebook pages with pro-Assad messages that ranged from sweet -- "I love Bashar" -- to threatening. Anti-Assad activists said at the time that the group was founded by former intelligence agents and hardcore Assad supporters. <P> In September 2011, the group defaced Harvard University's website with a picture of Assad, and threatened retaliation against the United States for supporting the uprising. The defacement was signed with this message: "Syrian Electronic Army were here." The group also targeted the websites for <em>Newsweek</em>, Oprah Winfrey and Brad Pitt, after his partner, <a href="http://www.huffingtonpost.com/2011/09/27/syrian-electronic-army_n_983750.html" target="_blank">Angelina Jolie</a> -- a U.N.
special envoy -- visited Syrian refugees in Turkey. <P> A subsequent hoax tweet said that Angelina Jolie -- after she visited a Syrian refugee camp in Jordan in December 2012 -- had admitted that "Jordan is to blame for the Syrian refugees' atrocious conditions." Links included with the tweets redirected to malicious websites, as the group had done with its CBS Twitter account takeover. <P> Jolie appears to be an ongoing source of anger for the SEA. "We know the likes of Jolie, who under the 'humanitarian' cover, only serve American imperialism," said the Shadow. <P> <em>UNHCR Special Envoy Angelina Jolie meets with a young Syrian refugee in the Bekaa Valley, Lebanon.</em> <P> <em>Photograph courtesy of &copy;UNHCR/J. Tanner.</em> <P> The bigger picture is that the Syrian Electronic Army is serving as a propaganda tool in the ongoing, bloody two-year Syrian civil war.
To date, the conflict has likely killed at least 94,000 people, although new information suggests that combatants are underreporting casualties, and more than 120,000 people may have been killed, according to the <a href="http://syriahr.com/en" target="_blank">Syrian Observatory for Human Rights</a> (SOHR). <P> "The number of documented casualties since the beginning of the Syrian uprising [March 18, 2011] exceeds 94,000 people," according to a <a href="https://www.facebook.com/syriaohr/posts/369140923194252">post to the group's Facebook account</a>. "The SOHR estimates that the actual number of violent deaths is more than 120,000, due to the tens of thousands of captives, detainees and forcibly disappeared persons. As well as the secrecy of all combatant sides about the actual number of dead during clashes." <P> At least 41,000 of the soldiers and civilians killed were Alawites, which is the sect of President Bashar al-Assad, <a href="http://www.reuters.com/article/2013/05/14/us-syria-crisis-deaths-idUSBRE94D0L420130514" target="_blank">reported Reuters</a>. The <a href="http://www.reuters.com/article/2011/12/23/us-syria-religion-alawites-idUSTRE7BM1J220111223" target="_blank">Alawite sect</a> spun off from Shi'ite Islam and comprises about 12% of Syria's population. The Alawites were an oppressed minority until 1970, when President Assad's father Hafez took control of the country via a coup. <P> The Syrian civil war grew out of nonviolent protests against four decades of rule by the Assad family. The 2011 protests were made up largely of Sunni Muslims, a sect that comprises about 70% of Syria's population, as well as Syrian Kurds, who are an ethnic minority. The government's violent crackdown on the so-called Arab Spring protests helped trigger a full-blown conflict between the Assad regime and factions seeking to remove his Ba'ath Party from power.
<P> <em>Image courtesy of Flickr user <a href="http://www.flickr.com/photos/freestylee/5553097042/" target="_blank">Freestylee</a>.</em> <P> The Syrian Electronic Army most likely wasn't created to serve as a social media nuisance operation for avenging perceived slights against the Assad regime by Western media. So, where did it come from? <P> By <a href="http://english.al-akhbar.com/node/14718" target="_blank">some accounts</a>, the group began as a grassroots movement, staffed by "volunteers without any known backing" who proved their mettle, gaining the support of Assad "loyalists" as well as the head of the country himself.
<P> But according to a <a href="http://www.npr.org/2013/03/13/174121130/syrian-cyber-rebel-wages-war-one-hack-at-a-time" target="_blank">National Public Radio report</a> in March 2013, the Syrian Electronic Army was launched by the Syrian government in 2011 to use Facebook to identify, track and facilitate the arrest -- and according to critics of the regime, torture -- of anti-government activists. <P> Syrian hacker Ahmad Heidar ("Harvester") told NPR that in the summer of 2011, as protests in Syria began to spread and intensify, a government recruiter signed him up to the new unit, which operated from an underground bunker filled with state-of-the-art computer equipment. Heidar was told that working for the unit would count toward his mandatory national military service, and one of his tasks was to hack into the Facebook and Skype accounts of arrested activists, to remove all traces of their anti-government work. <P> In response to the report, the Syrian Electronic Army last month <a href="http://www.informationweek.co.uk/security/attacks/anonymous-takes-down-north-korean-websit/240152985">hacked into the National Public Radio Twitter feed</a>. 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/james_gordon_losangeles/7436274754" target="_blank">James Gordon</a>.</em> <P> The Syrian Electronic Army has more than passing ties to Assad. Although the Syrian leader trained in Britain as an eye doctor, in the 1990s he headed Syria's Computer Society -- pushing for better computer education for the country's children -- before succeeding his father as president of the country in 2000. Interestingly, the Syrian Electronic Army's first domain name "was registered by the Syrian Computer Society," Helmi Noman, a senior researcher at the Citizen Lab at the University of Toronto, <a href="http://edition.cnn.com/2013/04/24/tech/syrian-electronic-army/index.html" target="_blank">told CNN</a>.
<P> In addition, the domain is "hosted on the network of the Syrian government, which is interesting because it's the first time we've seen a group with questionable activities being hosted on a national computer network," he said, though he also noted that it's not proof that the hackers are government-funded. <P> A recent <em>Guardian</em> report, however, said the Syrian Electronic Army is bankrolled by <a href="http://www.guardian.co.uk/world/2011/jun/17/syria-richest-man-promises-giveaway" target="_blank">Assad's billionaire cousin Rami Makhlouf</a>, and that the group recently relocated from Syria to Dubai. "Makhlouf pays the pro-regime hackers for their activities, and they typically earn $500-$1,000 for a successful attack," according to the <em>Guardian</em>. "They also get free accommodation and food. Sometimes Syrian government officials tell the SEA which western sites to hack; on other occasions the SEA selects its own targets." <P> In response to that report, the Syrian Electronic Army <a href="http://www.informationweek.co.uk/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">seized more than 11 <em>Guardian</em> Twitter feeds</a>, using them to decry the British paper's "lies and slander about Syria." <P> A <a href="http://www.syrianews.cc/western-mainstream-propaganda-outlets-falling/" target="_blank">pro-Assad media outlet</a> likewise dismissed the paper's reporting. "Dubai is located in the United Arab Emirates, some 3,000 kilometers away from Damascus, but sitting in London thinking how to amuse the readers with fancy tales, our best guess is the authors, especially Mr. Harding, thought Dubai is somewhere in Syria, or Damascus is somewhere near Dubai." 
<P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/wwworks/4006194802/" target="_blank">woodleywonderworks</a>.</em> <P> Is the Syrian Electronic Army based in Syria? After <a href="http://www.informationweek.co.uk/security/management/syria-back-online-after-internet-blackou/240154412">Syria reestablished its Internet connection</a> last week -- following a blackout that lasted approximately 24 hours -- security experts wondered when the hackers might resume their attacks. <P> With that question floating around the Internet, the group responded: "But wait ... we are in Dubai!" read a <a href="https://twitter.com/Official_SEA12/status/332256636624334848">tweet</a> from the @Official_SEA12 Twitter account.
<P> The Dubai quip was made in response to the aforementioned <a href="http://www.guardian.co.uk/technology/2013/apr/29/hacking-guardian-syria-background" target="_blank"><em>Guardian</em> report</a> last month that "according to defectors from inside its ranks, the group moved last year from Damascus to a secret base in Dubai." <P> The group's members later clarified that they were in Syria, and had been affected by the Internet outage. "Unfortunately it is true, though mobile phones worked intermittently due to a large number of Syrians using them as an alternate form of communication," said the Shadow. "These kinds of cuts do not affect the terrorists operating in Syria as they have their own US-supplied communication equipment. The blackout effectively shut down our operations, we are glad to be back." <P> Ditto, no doubt, for an eight-hour blackout that -- according to data provided by Arbor Networks -- began at about 8:30 a.m. Eastern Time on May 15, and lasted until just after 4 p.m. The cause of the blackout isn't known, although Internet monitoring firms suspect last week's blackout was due to the civil-war-torn country's weak infrastructure. 
<P> <em>Zones of control in Syria courtesy of <a href="http://www.flickr.com/photos/edans/5400848923/" target="_blank">Wikipedia</a>.</em> <P> How does the Syrian Electronic Army compromise targeted Twitter or Facebook accounts? According to an <a href="http://www.informationweek.co.uk/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504">account published by the <em>Onion</em></a>, the attackers used spear-phishing emails that included what appeared to be a link to a <em>Washington Post</em> story but actually led to a malicious website that asked users to enter their Gmail credentials. The attackers then used those credentials to gain access to Twitter accounts registered with that email address.
<P> While no other media outlets have offered details of how they were compromised, security experts suspect that phishing attacks were also <a href="http://bits.blogs.nytimes.com/2013/05/10/details-emerge-about-syrian-electronic-armys-recent-exploits/" target="_blank">used against AP and Human Rights Watch</a>, with the phishing email links redirecting to Google or Microsoft webmail sites. <P> In the wake of the AP breach, Twitter was reportedly testing a two-factor authentication system. Once implemented, such a system should make it more difficult for attackers to compromise accounts via spear-phishing attacks. <P> The Syrian Electronic Army, however, has promised to continue compromising Twitter accounts. "It will definitely make it harder on Twitter, but this was never our primary attack vector," said the Shadow. "Nevertheless, there are still some security holes in Twitter's model that we hope to exploit in the future so no one should get too comfortable, we are not going to give up." 
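The lure the <em>Onion</em> described, a link whose visible text reads like a newspaper URL while the href goes somewhere else, is something a mail gateway or a security team can check for mechanically. The following is an added Python example, my own illustration rather than code from the <em>Onion</em>, the SEA or any outlet quoted here. It extracts every anchor from an HTML body, compares the site the text claims against the site the href actually targets, and also flags targets that are bare IP addresses. The sample message, the accounts-login.example.net host and the 198.51.100.7 address are constructed for the demonstration; the same-site test compares the last two DNS labels, which a production version would replace with a public-suffix lookup.

```python
"""Added example: flag phishing-style link mismatches in an HTML email body."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the lure the Onion described; not the real email.
SAMPLE_EMAIL_HTML = """
<p>Thought you'd want to see this before it gets taken down:</p>
<p><a href="http://accounts-login.example.net/gmail/">http://www.washingtonpost.com/world/</a></p>
<p><a href="https://www.washingtonpost.com/">washingtonpost.com</a> (legitimate)</p>
<p><a href="http://198.51.100.7/mail/">Sign in to continue</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a href>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname; anchor text often omits the scheme, so supply one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Does the visible text read like an address rather than a phrase?"""
    return " " not in text and ("." in text or "://" in text)


def same_site(a: str, b: str) -> bool:
    """Compare the last two labels; a public-suffix list would be more exact (e.g. co.uk)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html: str) -> list[tuple[str, str, list[str]]]:
    """Return (href, text, reasons) for each link whose target disagrees with its appearance."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if looks_like_url(text) and not same_site(host_of(text), target):
            reasons.append(f"text shows {host_of(text)} but link goes to {target}")
        if is_ip_literal(target):
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Note what the check does not catch: a link whose visible text is a plain phrase ("read the story") pointing at a convincing look-alike domain. That case is why the credential page itself, not the link, is the last line of defence, and why a second factor that a phishing page cannot replay matters.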
<P> The Syrian Electronic Army's hacking remit has limits. Notably, the group last week denied reports that it claimed to have hacked into a primary Israeli critical infrastructure system. "We would like to announce that in response to the unfair and illegal attacks, taken place by Israel on DATE, SEA has penetrated one of the main infrastructural systems (SCADA) in Haifa and managed to gain access to some sensitive data. Also SEA is now able to cause irrecoverable damages to the Israeli's infrastructural systems," read an email sent to some news outlets and signed as being from the Syrian Electronic Army (SEA), which included a link to a PDF file meant to <a href="https://cdn.anonfiles.com/1367855605244.pdf" target="_blank">validate the supposed control system intrusion</a>.
<P> But a member of the Syrian Electronic Army <a href="http://news.softpedia.com/news/Syrian-Electronic-Army-Claims-to-Have-Hacked-Israeli-Critical-Infrastructure-Systems-351779.shtml">told Softpedia</a> that the email was a fake, and said the group never emails media outlets. <P> <em>Photograph courtesy of Flickr user <a href="http://www.flickr.com/photos/christiaantriebert/7955548656/" target="_blank">Christiaan Triebert</a>.</em> <P> Beyond hoax hacking reports, the Syrian Electronic Army has faced a few other recent challenges, such as having multiple domains seized by its domain registration firm. "After we communicated with the host/domain names company 'Network Solutions' [it] ... said that the reason for shut down the domains names is 'U.S. sanctions,'" according to a <a href="http://sea.sy/article.php?id=1939&lang=en" target="_blank">post</a> to the group's subsequently launched site, <a href="http://sea.sy" target="_blank">sea.sy</a>.
It said the seized domains were syrian-es.org, syrian-es.com and syrian-es.net, and that it would continue to use its backup domain, syrianelectronicarmy.com. <P> "Current domain registration information for syrian-es.com, syrian-es.org, and syrian-es.net shows that the current registrant is OFAC Holding," according to a <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Understanding-the-Syrian-Electronic-Army-SEA/ba-p/6040559" target="_blank">report </a> published by HP Security Research. "OFAC is the Treasury Department Office of Foreign Assets Control under their Office of Terrorism and Financial Intelligence." <P> Domain names aren't the only online real estate that the Syrian Electronic Army is having difficulty retaining. As the group has used Twitter accounts to publicize attacks, Twitter has <a href="http://www.informationweek.co.uk/security/attacks/twitter-preps-two-factor-authentication/240153539">suspended those accounts</a>, creating a whack-a-mole situation that saw the introduction of new account "@Official_SEA," which Twitter subsequently froze, leading to multiple variations. Currently the count stands at @Official_SEA12, which the group has held for a relatively long time, suggesting that it has stopped using the account to announce its latest Twitter hacks. 
2013-05-17T09:06:00Z
Smartphone Theft: What Is Best Defense?
While mobile network operators are creating a global database to track stolen smartphones, some police say that's not enough.
http://www.informationweek.com/security/mobile/smartphone-theft-what-is-best-defense/240155038?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

The latest smartphones might feature screens with unparalleled colors and clarity, cutting-edge cameras, and the ability to run a bewildering array of apps. But why don't they build in better loss prevention? <P> That's the gist of a plea issued this week by New York attorney general Eric T. Schneiderman, who's written to the CEOs of Apple, Google, Microsoft and Samsung, urging them to "help crack down on cell phone theft" by making it more difficult for thieves to wipe stolen devices' memory and resell the devices. <P> "This is a multi-billion dollar industry that produces some of the most popular and technologically advanced consumer electronic products in the world," said Schneiderman in a statement. "Surely we can work together to find solutions that lead to a reduction in violent street crime targeting consumers." <P> <strong>[ Fend off gadget thieves with these tips. Read <a href="http://www.informationweek.com/security/mobile/ipad-heist-at-jfk-highlights-mobile-tech/240142140?itc=edit_in_body_cross">iPad Heist At JFK Highlights Mobile Tech Risks</a>. ]</strong> <P> Apple, Google, Microsoft and Samsung -- <a href="http://www.informationweek.com/mobility/smart-phones/google-not-impressed-with-motorola-smart/240149714">plus Motorola</a>, which is owned by Google -- control 90% of the U.S.
smartphone market. All four except Google build some type of recovery capabilities into their devices. For Android, there are add-ons available in the Google Play online store. <P> But Schneiderman is not satisfied. He said his office is investigating whether the manufacturers -- such as Apple, which advertises its products' "safety and security by design" -- have engaged in deceptive trade practices by not combating the theft problem more forcefully. "I seek to understand why companies that can develop sophisticated handheld electronics and operating systems ... cannot also create technology to render stolen devices inoperable and thereby eliminate the expanding black market on which they are sold," wrote Schneiderman in his letters to the manufacturers. <P> Wielding both carrot and stick, Schneiderman in his letter suggested that he'll be seeking details of how much each of the four smartphone manufacturers earns from consumers paying to replace products that have been stolen. "I would be especially concerned if device theft accrues to your company's financial benefit through increased sales of replacement devices," he said. <P> Schneiderman's outreach comes as <a href="http://online.wsj.com/article/SB10001424127887324031404578481420456602076.html">mobile network operators are in the process of creating a global database for tracking stolen smartphones</a>, <em>The Wall Street Journal</em> reported this week. But some police officials have said that the voluntary database won't do enough to deter smartphone theft. <P> Violent smartphone and tablet robberies are on the rise. According to the Attorney General's office, comparing all of 2011 to the first nine months of 2012, smartphone thefts in New York City increased by 40%. Such robberies have been dubbed "Apple picking," given thieves' apparent penchant for iOS products. But according to a 2011 New York Police Department study, only 30% of devices stolen from subways and buses were manufactured by Apple. 
<P> New York City ranked ninth in a list of the top 10 cities that reported the greatest numbers of 2011 phone thefts, which was <a href="https://www.lookout.com/news-mobile-security/lookout-lost-phones-30-billion">compiled by security vendor Lookout Mobile Security</a>. The study found that phone theft was most prevalent in Philadelphia, followed by Seattle and Oakland. The most likely place for a New Yorker to lose his phone was in a fast-food restaurant. By Lookout's estimates, based on its finding that the average consumer loses or misplaces one device per year, stolen cell phones could cost U.S. consumers $30 billion in replacement costs. <P> Schneiderman's office said that Lookout will be advising the New York state government -- pro bono -- on approaches to combating device theft.
2013-05-16T13:26:00Z
LulzSec Hackers Sentenced In London
Group's 50-day hacking spree compromised websites run by Sony, CIA, Arizona State Police, Westboro Baptist Church and more.
http://www.informationweek.com/security/attacks/lulzsec-hackers-sentenced-in-london/240155060?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
LulzSec Hacker "Topiary" famously tweeted: "You cannot arrest an idea." <P> Perhaps not, but in the case of Topiary, revealed to be <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">Jake Davis</a>, now 20, you can be sentenced to 24 months in a "young offenders institute" for two counts of conspiracy to impair the operation of a computer, to be followed by a five-year <a href="http://www.cps.gov.uk/legal/s_to_u/serious_crime_prevention_orders_(scpo)_guidance/">serious crime prevention order</a> that can restrict where he can travel and which jobs he'll be allowed to take. 
<P> Davis' sentence was handed out in a London courtroom Thursday, where he appeared this week for sentencing with Ryan Cleary (<a href="http://www.informationweek.com/security/attacks/lulzsec-takes-hit-keeps-on-hacking/231000223">Viral</a>), Mustafa al-Bassam (<a href="http://www.informationweek.com/security/cybercrime/scotland-yard-arrests-lulzsec-anonymous/231600755">Tflow</a>) and Ryan Ackroyd (<a href="http://www.informationweek.com/security/attacks/lulzsecs-top-3-hacking-tools-deconstruct/231000983">Kayla</a>). All were participants in the Anonymous spin-off known as LulzSec, which launched online attacks against numerous organizations' websites, including the CIA, Britain's Serious Organized Crime Agency (SOCA) and National Health Service (NHS), 20th Century Fox, News International, and <a href="http://www.informationweek.com/security/attacks/fbi-busts-suspected-lulzsec-hacker-in-so/231602040">Sony Pictures Entertainment</a>, from which it also leaked customer credentials and credit card numbers. <P> <strong>[ Want to know how the feds are trying to stop hacktivists? Read <a href="http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858?itc=edit_in_body_cross">FBI Briefs Bank Executives On DDoS Attack Campaign</a>. ]</strong> <P> Cleary, 21, was sentenced to 32 months in prison followed by a five-year serious crime prevention order. Ackroyd, 26, was sentenced to 30 months. Al-Bassam, meanwhile, who was only 16 -- and still a high school student -- when LulzSec embarked on its 50-day hacking spree, received a 20-month suspended sentence. The 18-year-old was also ordered to perform 300 hours of community service, and must submit to a <a href="http://en.wikipedia.org/wiki/Sentencing_in_England_and_Wales">supervision order</a> -- aka probation -- for six months. 
<P> At the four men's sentencing hearing Wednesday, prosecutor Sandip Patel accused them of <a href="http://www.informationweek.com/security/attacks/lulzsec-hacker-pirates-face-sentencing/240154940">being "latter-day pirates."</a> (In fact, one ASCII art logo used by LulzSec, aka "The Lulz Boat," featured a pirate ship with a "LOL" flag.) "This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cybercriminal," Patel said. <P> British police arrested Cleary on June 20, 2011, followed by al-Bassam on July 19, Davis on July 27 and Ackroyd on September 1. All four men subsequently <a href="http://www.informationweek.com/security/attacks/lulzsec-hackers-plead-guilty-to-cia-sony/240152582">pleaded guilty</a> to some or all of the hacking charges filed against them. <P> "This has been a long and complex investigation conducted with the assistance of our international partners," said Charlie McMurdie, the London Metropolitan Police detective superintendent who heads the Police Central e-Crime Unit. "After initially being alerted by the FBI to criminal activity on British soil, we came to arrest Ryan Cleary and quickly began unpicking LulzSec, who had been running riot, causing significant harm to businesses and people." <P> According to investigators, Ackroyd took the lead on researching and executing many of the group's hack attacks, and Cleary assisted by offering the use of his botnet to generate <a href="http://www.informationweek.com/security/attacks/ddos-tools-flourish-give-attackers-many/232600497">distributed denial-of-service attacks</a> that disrupted targeted sites and servers. Meanwhile, al-Bassam trolled for exploitable vulnerabilities in websites and maintained LulzSec's website, while Davis acted as spokesman, managing <a href="https://twitter.com/LulzSec">the group's Twitter account</a> and issuing press releases. 
<P> "Theirs was an unusual campaign in that it was more about promoting their own criminal behavior than any form of personal financial profit," McMurdie said. "In essence, they were the worst sort of vandal -- acting without care of cost or harm to those they affected, whether that was to cause a company to fold and so costing people their jobs, or to put at threat the thousands of innocent Internet users whose logins and passwords they made public." <P> "In the case of the police force whose employee details they revealed, the group's reckless publication of confidential material could very well have threatened lives," he said. <P> A police digital forensic investigation of computers seized during LulzSec raids found "indecent material" relating to child pornography on one of Cleary's computers. Cleary has pleaded guilty to two counts of making indecent images of children, and one count of possessing those images. He's due to be sentenced on those charges on June 12, 2013. <P> LulzSec's leader, U.S. hacker Sabu, whose real name is Hector Xavier Monsegur, was arrested by the FBI in June 2011 and <a href="http://www.informationweek.com/security/attacks/lulzsecs-sabu-was-identity-thief-not-rob/232602184">turned informer</a>. At the request of U.S. prosecutors, who said he's assisting in investigations, he has yet to be sentenced.
2013-05-16T10:31:00Z
DHS Eyes Sharing Zero-Day Intelligence With Businesses
DHS proposal would give private businesses access to the government's stockpile of zero-day secrets for a fee.
http://www.informationweek.com/security/vulnerabilities/dhs-eyes-sharing-zero-day-intelligence-w/240154972?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
The Department of Homeland Security (DHS) Wednesday offered to help private businesses zero in on the zero-day vulnerabilities being used to compromise their networks. The DHS pitch: We'll share intelligence gleaned from the U.S. 
government's vast stockpile of zero-day vulnerabilities -- purchased from bug hunters and resellers -- to help block zero-day threats. <P> "It is a way to share information about known vulnerabilities that may not be commonly available," Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., <a href="http://mobile.reuters.com/article/article/idUSBRE94E11B20130515?irpc=932">reported Reuters</a>. <P> Private businesses would pay for the service, which would be offered by telecommunications firms and defense contractors. <P> The DHS proposal is a continuation of the February 2013 <a href="http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858">executive order</a> and related presidential policy directive issued by President Obama, which created a public-private cyber-threat <a href="http://www.informationweek.com/government/security/white-house-cybersecurity-executive-orde/240148460">information sharing regime</a>, as well as voluntary private sector cybersecurity standards. <P> The executive order expanded the Enhanced Cybersecurity Services program -- formerly known as the <a href="http://www.informationweek.com/government/security/feds-isps-team-on-cybersecurity-for-defe/230800180">Defense Industrial Base pilot</a> -- to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances. <P> Enhanced Cybersecurity Services participants include AT&T, Northrop Grumman and Raytheon. <P> <strong>[ Threat-intelligence sharing must balance security against privacy. Read <a href="http://www.informationweek.com/security/management/cispa-20-house-intelligence-committee-fu/240152923?itc=edit_in_body_cross">CISPA 2.0: House Intelligence Committee Fumbles Privacy Again</a>. ]</strong> <P> Rep. 
Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, lauded the DHS plan because the black-box approach wouldn't expose U.S. threat intelligence to other countries. "This can't happen if you post it on a website," he said. "We have to find a forum in which we can share it, and 10 providers serve 80% of the market. We have classified relationships with a good number of them." <P> Rogers is also the co-author of the Cyber Intelligence Sharing and Protection Act (CISPA), the second version of which recently passed in the House but stalled in the Senate. The legislation has proposed indemnifying any business that shares network scans with U.S. government agencies, in a bid to crowdsource threat detection. But the suggestion has drawn the <a href="http://www.informationweek.com/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">ire of privacy and civil rights groups</a>, which object to giving blanket immunity to any business that shares customer and employee information -- potentially including full texts of all emails sent and received via business networks -- with intelligence agencies. <P> Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers' network traffic for some signs of attack. <P> The offer of shared threat intelligence is a <a href="http://www.informationweek.com/government/security/cybersecurity-executive-order-leaves-tou/240148510">crucial incentive</a> for getting private businesses to agree to participate in the government's cybersecurity program, which is designed in large measure to better secure the critical infrastructure, which is largely owned by private businesses. 
<P> To date, the <a href="http://www.informationweek.com/security/vulnerabilities/so-you-want-to-be-a-zero-day-exploit-mil/231902813">large sums of money</a> on offer for buying zero-day vulnerabilities have seen the bug-buying restricted to organizations, <a href="http://www.informationweek.com/security/vulnerabilities/blackhole-botnet-creator-buys-up-zero-da/240145769">criminal gangs</a> or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use. "The only people paying are on the offensive side," former NSA employee and <a href="http://www.informationweek.com/security/mobile/apple-excommunicates-ios-cracker/231902576">renowned smartphone hacker Charlie Miller</a>, who's now a security researcher at Twitter, told Reuters. <P> Furthermore, some <a href="http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510">information security experts have warned</a> that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the <a href="http://www.informationweek.com/security/attacks/weaponized-bugs-time-for-digital-arms-co/240008564">bug vulnerability marketplace</a> and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense. <P> Others have said that the United States has an obligation to serve Americans by disclosing what it knows about zero-day threats. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," former White House cybersecurity advisor Richard Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't." <P> The U.S. government's apparent emphasis on playing cyber offense comes as critics have accused the government of lagging on defense. 
"NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, via <a href="https://twitter.com/csoghoian/status/334150855085391872">Twitter</a>.
2013-05-15T11:38:00Z
LulzSec Hacker 'Pirates' Face Sentencing
Four members of Anonymous spinoff faced sentencing Wednesday for leaking data and launching distributed denial of service attacks against Sony.
http://www.informationweek.com/security/attacks/lulzsec-hacker-pirates-face-sentencing/240154940?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
Four men accused of launching online attacks under the banner of LulzSec appeared in a London courtroom Wednesday for sentencing. <P> Ryan Cleary, 21; Jake Davis, 20; Ryan Ackroyd, 26; and Mustafa Al-Bassam, 18, had previously pleaded guilty to hacking charges as part of LulzSec's online attack sprees, which caused tens of millions of dollars in damages. All had been remanded on bail pending their sentencing hearing. 
<P> "<a href="http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-Home-Office-agency.html">The defendants are colloquially known as cyber attackers</a> based in the U.K. and elsewhere and they waged what was an undoubtedly sophisticated and orchestrated campaign between February and September 2011," prosecutor Sandip Patel told the sentencing hearing, reported Britain's <em>Daily Mail</em>. <P> <strong>[ Busted! Sometimes hackers make mistakes. Read <a href="http://www.informationweek.com/security/attacks/how-south-korea-traced-hacker-to-pyongya/240152702?itc=edit_in_body_cross">How South Korea Traced Hacker To Pyongyang</a>. ]</strong> <P> At press time, lawyers for the four LulzSec participants had yet to present mitigating factors to the sentencing hearing, over which Judge Deborah Taylor is presiding. The hearing is expected to conclude Wednesday or Thursday. <P> Patel told the court Wednesday that the men's information security attacks were "anarchic self-amusement" that lacked even the political ethos espoused by some Anonymous participants, reported Reuters. <a href="http://news.yahoo.com/lulzsec-hackers-cutting-edge-cyber-crime-court-told-135823354.html">"They saw themselves as latter-day pirates,"</a> he said. "They identified vulnerable computer systems, when they found them they would break into them and pillage them." <P> The damage that resulted from the group's exploits could be extensive. <a href="http://www.informationweek.com/security/attacks/pwnie-award-highlights-sony-epic-fail-an/231300255">Sony said it cost $20 million</a> in clean-up costs after LulzSec hacked into Sony servers and published customers' credentials and credit card numbers. The Pentagon said it spent $120,000 on cleanup following a LulzSec hack. <P> "This is not about young immature men messing about. 
They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cyber-criminal," Patel said. <P> Over the course of its short existence, LulzSec compromised numerous sites, defacing some, launching <a href="http://www.informationweek.com/security/management/lulzsec-members-confess-to-ddos-attacks/240002706">distributed denial-of-service (DDoS) attacks</a> against others, and sometimes seizing and publishing sensitive data to Pastebin, Pirate Bay or its own site. <P> The group's <a href="http://www.informationweek.com/security/cybercrime/lulzsec-claims-credit-for-cia-site-taked/230800019">DDoS targets included the CIA</a>, News International, Britain's Serious Organized Crime Agency, Sony and <a href="http://www.informationweek.com/security/attacks/anonymous-continues-westboro-church-atta/240145120">Westboro Baptist Church</a>. Other victims included the Arizona State Police, 20th Century Fox, News International, Britain's National Health Service, and the Serious Organized Crime Agency (SOCA), which is responsible for investigating computer crimes in Britain. <P> Patel said that LulzSec was led by U.S. hacker <a href="http://www.informationweek.com/security/vulnerabilities/hacker-sabu-worked-nonstop-as-government/232602334">Sabu</a>, whose real name is Hector Xavier Monsegur. Unbeknownst to his fellow LulzSec participants, Sabu was <a href="http://www.informationweek.com/security/attacks/lulzsecs-sabu-was-identity-thief-not-rob/232602184">quietly busted</a> by the FBI in June 2011 and immediately turned informer. Despite LulzSec participants' attempts to <a href="http://www.informationweek.com/security/privacy/lulzsec-suspect-learns-even-hidemyasscom/231602248">mask their true identities</a> -- even to each other -- Sabu helped the bureau and its overseas cybercrime investigation counterparts round up the other members. 
<P> According to prosecutors, Davis (aka Topiary) was in charge of LulzSec's communications strategy, and maintained its Twitter feed and website. <a href="http://www.independent.co.uk/news/uk/crime/british-lulzsec-hactivists-stole-passwords-and-credit-card-details-from-hundreds-of-thousands-of-people-court-told-8617450.html">He "smirked in the dock"</a> Wednesday when prosecutors detailed his role in LulzSec, reported Britain's <em>The Independent</em>. <P> Ackroyd, a former soldier who pretended to be a 16-year-old girl named Kayla, helped select targets and conduct reconnaissance. He was "probably the most sophisticated known conspirator," said Patel, and had a reputation for being a "highly sophisticated rooter." Meanwhile, Bassam (tFlow) also helped identify <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">websites sporting known vulnerabilities</a> that could be exploited. Authorities said he was still a high school student when LulzSec was in operation. <P> Prosecutors told the court that Cleary (aka Viral) -- unlike Sabu, Ackroyd, Davis and Bassam -- wasn't a core member of the group, but was desperate to take part, and <a href="http://www.informationweek.com/security/attacks/lulzsecs-top-3-hacking-tools-deconstruct/231000983">provided his botnet</a>, built over six years, for LulzSec's exploits. "At any one time he had up to 100,000 computers directly and actively under his control," said Patel. <P> Cleary previously pleaded guilty to possessing "indecent images" relating to child pornography, which investigators found on hard drives seized during the investigation. After being granted conditional bail in June 2011, he was again -- temporarily -- taken into custody after attempting to contact Sabu in December 2011. 
<P> Patel, who characterized Cleary as being "trigger happy," said the LulzSec participant earned up to $4,500 per month by <a href="http://www.informationweek.com/security/vulnerabilities/cheap-botnets-a-boon-to-hackers/225200501">renting his botnet out</a> to other attackers.
2013-05-14T13:14:00Z
FBI Briefs Bank Executives On DDoS Attack Campaign
FBI expedited security clearances so it could share classified info on Operation Ababil, a distributed denial of service attack.
http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
The FBI recently granted one-day clearances to security officers and executives at numerous banks so it could share classified intelligence on the Operation Ababil campaign that's been disrupting U.S. financial websites for almost a year. <P> The videoconference briefings detailed "who was behind the keyboards" of the attacks, FBI executive assistant director Richard McFeely told the Reuters Cybersecurity Summit Monday, <a href="http://www.reuters.com/article/2013/05/13/us-cyber-summit-fbi-banks-idUSBRE94C0XH20130513">reported</a> Reuters. McFeely is in charge of the bureau's criminal and cyber investigations. 
<P> The Operation Ababil distributed-denial-of-service (DDoS) attacks, which typically target a handful of the country's top banks every week, have disrupted the websites of such financial institutions as Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The attacks have resulted in customers sometimes being unable to access online or mobile banking services. <P> <strong>[ What's happening when bank sites go down? Read <a href="http://www.informationweek.co.uk/security/attacks/bank-hacks-7-misunderstood-facts/240008566?itc=edit_in_body_cross">Bank Hacks: 7 Misunderstood Facts</a>. ]</strong> <P> Banks targeted as part of Operation Ababil have been frustrated by the lack of arrests or apparent progress in the case, McFeely said. But he said that some indictments -- currently under seal -- have been issued for suspects' arrest. Suggesting that the suspects are operating in countries that have no extradition treaty with the United States, he said that the hackers might be caught when they travel to other countries. "The first time we bring someone in from out of the country in handcuffs, that's going to be a big deal," he said. <P> McFeely said the bureau has been working to keep cybercrime victims up to date, admitting that the FBI was "terrible" about doing so in the past. "That's 180 degrees from where we are now," he said. <P> The self-proclaimed Muslim hacktivist group Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the banking website disruptions, which it said are retaliation for the posting to YouTube in July 2012 of a film that mocks the founder of Islam. U.S. government officials, however, have accused the group of <a href="http://www.informationweek.co.uk/security/attacks/banks-hit-downtime-milestone-in-ddos-att/240152267">being a front for Iran</a>. 
Members of the group have responded by saying they're apolitical and hail from multiple countries. <P> Despite the bank attacks typically being announced in advance, and now occurring more often than not every week, banks -- after spending millions of dollars on <a href="http://www.informationweek.co.uk/security/attacks/ddos-attack-bandwidth-jumps-718/240153084">countermeasures</a> -- have been unable to fully block the DDoS campaign. In part, that's because attackers have managed to <a href="http://www.informationweek.co.uk/security/attacks/bank-attackers-used-php-websites-as-laun/240144413">exploit thousands of PHP websites</a> that include known vulnerabilities and install attack toolkits, which they remotely control to queue up attacks against designated banks. <P> The sheer scale of the DDoS attacks and the number of compromised websites is astounding. The Department of Homeland Security and FBI have reportedly been liaising with cybersecurity officials in 129 other countries and shared details of a total of 130,000 IP addresses that have been used in the attacks. <P> The bureau's classified bank executive briefing comes in the wake of President Obama's <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">"Improving Critical Infrastructure Cybersecurity" executive order</a>, issued in February, which instructed the Department of Homeland Security to "expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators." Critical infrastructure, the vast majority of which is privately owned, refers to the energy, oil, water, telecom, finance and transportation industries. 
<P> Some members of Congress have been calling for new laws to <a href="http://www.informationweek.co.uk/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">indemnify businesses that share cyber-attack information</a> with law enforcement agencies. But the FBI's outreach effort suggests that public-private information sharing is already occurring. <P> McFeely did, however, report that the bureau has faced difficulty gathering information about online attacks from victims, for example from defense contractors wary of speaking to the FBI. Interestingly, recent news reports suggest that online attacks against defense contractors -- attributed to China -- have been <a href="http://www.informationweek.co.uk/security/government/china-tied-to-3-year-hack-of-defense-con/240154064">much more successful than previously disclosed</a> in public, and resulted in the compromise of data relating to the latest drone and robot technologies, and might have undermined the combat reliability of the Lockheed Martin F-22 Raptor.
2013-05-14T11:30:00Z
Apple iPhone Decryption Backlog Stymies Police
Apple's waiting list to bypass security controls on latest-generation iPhone and iPad devices means months-long delays for law enforcement investigators.
http://www.informationweek.com/security/encryption/apple-iphone-decryption-backlog-stymies/240154842?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
Apple is overwhelmed by requests from law enforcement 
agencies to decrypt seized iPhones, and its waiting list is so long that it <a href="http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-by-police-demands-to-decrypt-iphones/">may take months</a> before new requests get handled. <P> That revelation, first reported by CNET, was gleaned from a search warrant affidavit for a seized iPhone last summer by a federal agent who was investigating a Kentucky man on crack cocaine distribution charges. <P> The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) agent, Rob Maynard, said in court documents that he'd "attempted to locate a local, state or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S seized during the investigation, but every contacted law enforcement agency said that it "did not have the forensic capability." Apple, meanwhile, told him that the wait time for recovering data from an iPhone -- which the technology firm copied to a USB key then provided to investigators -- was approximately seven weeks, though Maynard ultimately had to wait about four months. <P> The ATF case highlights that technology companies, including Apple, must comply with court orders to unlock devices they build or sell. But it also revealed that Apple is somehow able to bypass the security controls built into its latest-generation devices. "That is something that I don't think most people realize," Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project, told CNET. "Even if you turn on disk encryption with a password, these firms can and will provide the government with a way to get your data." <P> <strong>[ Who can you trust? Check out <a href="http://www.informationweek.com/security/client/microsoft-tech-support-scams-why-they-th/240154756?itc=edit_in_body_cross">Microsoft Tech Support Scams: Why They Thrive</a>. 
]</strong> <P> Does court-ordered data retrieval <a href="http://www.informationweek.com/security/privacy/7-facts-about-geolocation-privacy/240005824">infringe on people's privacy rights</a>? "It's important to note that both cops and legislation tend to trail criminals in the adoption of new technologies," said Nick Selby, a Texas police officer and the CEO of StreetCred Software, which provides fugitive case management software to law enforcement agencies, via email. "It's important to question whether police may be going too far, but it is equally important to consider criminals' use of these technologies to abet, and in some cases actually commit, crimes." <P> Many judges have granted warrants to law enforcement agencies to retrieve data from -- or that's associated with -- mobile devices or their radio frequency (RF) communications. "Recent rulings encourage law enforcement to better develop their mobile device and RF chops. For example, in <a href="http://www.informationweek.com/security/mobile/lose-the-burners-court-okays-prepaid-pho/240005614">U.S. vs. Skinner</a> last August, the U.S. Court of Appeals for the 6th Circuit ruled that police may track the signals emanating from wireless devices like a cellphone owned by a person," Selby said. "The fact that the court found that users do not have a reasonable expectation of privacy in the data given off by a voluntarily procured, pay-as-you-go cellphone means that we can expect to see more use cases like these." <P> Is Apple putting cases at risk by not complying more quickly with court orders? In the ATF investigation, the attorney for the 24-year-old defendant, Mark Edmond Brown, filed a motion to suppress the evidence gathered from the defendant's iPhone, given the delay in retrieving it. <P> But U.S. 
district court judge Karen Caldwell wrote in an opinion that the ATF was "placed on a waiting list by the company" -- referring to Apple -- for what had been a court-ordered seizure, meaning it was backed by a warrant. "The court finds nothing in the record to demonstrate any evidence of bad faith or unnecessary delay in procuring assistance from Apple to unlock the phone," she wrote. <P> In October 2012, Brown -- a convicted felon -- <a href="http://www.justice.gov/usao/kye/news/2012/2012-10-31-lawton.html">pleaded guilty</a> to possessing firearms, and according to CNET, last month pleaded guilty to a charge of conspiracy to distribute less than five kilograms of crack cocaine. <P> If Apple didn't unlock iPhones for law enforcement agencies in response to a court order, would police have any other options? Some police forces have been testing <a href="http://www.informationweek.com/mobility/smart-phones/london-police-test-smartphone-data-dump/240000766">smartphone data dump kits</a> to allow investigators to easily retrieve data without having to use an external lab or appeal to a device manufacturer or carrier. <P> But recent iOS devices appear tough to crack. For example, Russian digital forensics toolmaker Elcomsoft says its <a href="http://www.informationweek.com/security/mobile/ios-4-hardware-encryption-cracked-by-for/229700041">iOS Forensic Toolkit</a> -- only sold to law enforcement agencies, <a href="http://www.informationweek.com/security/encryption/cracking-bin-ladens-hard-drives/229402923">intelligence agencies</a> and professional forensic investigators -- can "acquire bit-precise images of Apple iOS devices in real time" from all iPhone, iPad and iPod Touch devices that run iOS 3, iOS 4 and iOS 5. 
But the iPhone 5, released last year and shipping with iOS 6, doesn't appear to be unlockable with the Elcomsoft tool.

2013-05-13T12:09:00Z
Microsoft Tech Support Scams: Why They Thrive
Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers.
http://www.informationweek.com/security/client/microsoft-tech-support-scams-why-they-th/240154756?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Consumers: Hang up on anyone who cold-calls offering Windows technical support, never believe an Internet pop-up that reports your PC is infected with malware, and, above all, don't ever install software from an untrusted source who offers to rid your PC of viruses, perhaps for free. <P> If people followed those precepts, they'd avoid the hassle and expense of scammers out to make a quick buck. But Microsoft technical support scams continue to be alive and well, sticking victims with bills of between $50 and $450 for security smoke and mirrors, or sometimes perpetrating financial fraud that costs far more. <P> According to a 2011 Web survey of 1,298 people conducted by British consumer rights watchdog <em>Which?</em>, 3% of respondents said they'd <a href="http://conversation.which.co.uk/technology/microsoft-phone-scam-cold-calling-protect-yourself/">allowed scammers to log onto their PC</a> and 2% gave them money.
Interestingly, 3% said they weren't sure if a technical support cold call had really been a scam or not. <P> Here's a hint: Cold callers offering tech support advice are scammers. Here are six recent examples of how these fraudsters operate. <P> <strong>1. Scammers Reuse Scripts.</strong> <P> The con artists behind telephone repair scams often <a href="http://www.informationweek.com/security/management/microsoft-windows-support-call-scams-7-f/240005023">reuse the same script</a>, which often begins: "I'm calling from Microsoft. We've had a report from your Internet service provider of serious virus problems from your computer." <P> <strong>[ Tired of being stuck in password hell? See <a href="http://www.informationweek.com/security/client/10-top-password-managers/240153906?itc=edit_in_body_cross">10 Top Password Managers</a>. ]</strong> <P> One reader emailed Saturday to say that he'd received "an almost word for word phone call on my landline." After hanging up, he alerted his telephone company. "All they could offer was ... a call trace, and to notify my local police. Which I may pursue," he said. <P> <strong>2. South African Targeted By StartControl.</strong> <P> Another reader, a retired South African systems programmer, emailed last week to report that he'd been targeted by telephone scammers offering technical support. First, they asked him to press the Windows start button, then enter this URL: www.startcontrol.com. That took his browser to a site labeled as <a href="http://www.startcontrol.com/pin.php">BeAnywhere support express</a>, which prominently features the following message: "Please insert the reference supplied to you," with the reference referring to a six-digit PIN. "They even give you a six-digit PIN, that's where I stopped them, 19 minutes later," he said. <P> <a href="http://www.beanywhere.com/">BeAnywhere</a> is legitimate remote-control software. But who is Startcontrol.com? 
According to Alexa, <a href="http://www.alexa.com/siteinfo/startcontrol.com">Startcontrol.com has been operating for 10 years</a> and ranks in the top 3.8 million of all websites globally. It appears that 77% of search engine traffic to the site involves Arabic speakers. A link to the website's "Termos of Service," however, led to a "server error: 404 - File or directory not found" message. <P> The site's whois listing says that the domain was registered by GoDaddy, which lists the site's administrative and technical contact as being based in Portugal. But an email sent to the listed whois contact bounced back with an error message that the account didn't exist. Likewise, the telephone number listed in the whois entry appears to be bogus; a call to that number led to BSPI - Intelligent Business Solutions. An employee at the firm said his company, which resells Sophos security products, has no affiliation with startcontrol.com, and that he'd never before heard of the company. <P> GoDaddy.com didn't immediately respond to an abuse report filed Friday morning for www.startcontrol.com. <P> <strong>3. Support Routines Might Be Real-Time Smokescreens.</strong> <P> One risk from allowing scammers to install software on your PC is that the "support application" might be used to disguise fraudulent activities. In April, for example, a reader emailed to say he'd been cold-called by someone claiming to be a Microsoft representative, warning that he had numerous viruses on his computer. The caller offered to remove the viruses and get the PC "running like new" for free, provided he "renew" his software. <P> "He then [asked] for card info which I gave him. Then I [got] an email from Western Union of a transfer of money which I did not authorize so I [checked] my account and found he had taken $882 out," said the reader. "I called Western Union about it and they said there was nothing they could do as the money was picked up and they could not give me the name of who got it."
<P> The supposed virus-killing offer seemed to mask fraudulent activity. "He went so far as to show me all the errors he found but, while the program was supposed to be loading, my screen was black and I suspect that was when he was hitting my account," he said. <P> <strong>4. Telephone Scams: Cheap, Easy, Repeatable.</strong> <P> Microsoft support scams succeed in part because they're cheap and easy to run. International call centers -- think boiler rooms -- are often used, situated in an inexpensive labor market such as India, and facilitated via low-cost VoIP telephony. <P> Thankfully, consumer watchdogs have been mobilizing. Last year, the Federal Trade Commission <a href="http://www.informationweek.com/security/privacy/ftc-disconnects-tech-support-telemarketi/240008480">cracked down on some tech support scams</a>, filing charges and freezing assets associated with 14 businesses and 17 people. It said the scam operations had successfully conned tens of thousands of English-speaking consumers in the United States, as well as Australia, Canada, Ireland, New Zealand and the United Kingdom, into paying between $49 and $450 for fake services. <P> At the time, the FTC detailed how many of these scam artists operate: "When consumers agreed to pay the fee for fixing the 'problems,' the telemarketers directed them to a website to enter a code or download a software program that allowed the scammers remote access to the consumers' computers," according to the FTC. "Once the telemarketers took control of the consumers' computers, they 'removed' the non-existent malware and downloaded otherwise free programs." <P> <strong>5. Technobabble Warnings: "Frozen DNS Trojan."</strong> <P> Obviously, support scams often succeed because many consumers don't understand Windows information security intricacies. But con artists often operate on the edge of believability, slowly reeling in even technologically savvy targets, who they might have caught unaware with an impromptu phone call.
<P> One reader, for example, emailed earlier this year to say the lure of "free" technical support -- no apparent harm there -- initially caught her off guard. "I just received one of those scam calls from an 800 number obviously from someone in India trying to tell me my computer was infected with a 'frozen DNS Trojan' -- originally he said 'virus' but switched to 'Trojan' later in the call," she said. "I didn't fall for it at all but was curious enough to find out exactly what he was up to. Eventually I told him I knew he was a scammer and didn't believe a word he was saying and hung up." <P> Technobabble aside, she reported almost falling for the scam. "I'm relatively computer savvy and for a brief second I wondered if this was for real," she said. "So if I could be duped (even for a split second) I can see how people get pulled into this type of scam especially when the scammer tries to tell you this is all 'free' for him to show you are infected with this virus or Trojan." <P> <strong>6. Virus Scanners Fake Results.</strong> <P> To try to get their way, scammers might bring psychological pressure to bear. For example, when Jerome Segura, senior malware researcher at Malwarebytes, was cold-called by tech support con artists he gave them access to a virtual machine. <a href="http://blog.malwarebytes.org/intelligence/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/">They flew into repair rage</a> when he refused to pay $229 following their fake ministrations. "They got mad and deleted documents and pictures from my (virtual) machine before cutting me off in a very rude way," he said in a blog post. <P> Fake bells and whistles might also be employed. This month, for example, Segura said he decided to call a tech-support number that flashed up in a pop-up advertisement window, <a href="http://blog.malwarebytes.org/intelligence/2013/05/online-pc-support-scams-turning-the-tables/">just to see where it might lead</a>.
As before, he gave the tech support person who answered remote access to his PC -- not telling him it was a fully cleaned and isolated virtual machine -- on which he installed, as instructed, <a href="http://www.informationweek.com/security/vulnerabilities/unpatched-remote-access-tools-your-gift/240151523">TeamViewer software</a>, through which the supposed tech-support agent accessed the PC, then ran a downloaded scanner. Just two seconds later, the scanner reported extensive virus infections. Segura said his analysis of the scanner's database found that it was "stuffed with false positives which aren't just accidents, but clearly used to add some drama." <P> Added drama or not, don't fall for tech-support scams. <P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)</i>

2013-05-10T11:30:00Z
Huawei CEO Dismisses Security, Spying Concerns
Company founder denies that Huawei employees would ever be forced to spy for China.
http://www.informationweek.com/security/vulnerabilities/huawei-ceo-dismisses-security-spying-con/240154630?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

The founder and CEO of Chinese networking equipment manufacturer Huawei, in his first-ever media interview, Thursday dismissed allegations that backdoors may have been built into the company's products to facilitate Chinese espionage. <P> "Huawei has no connection to the cybersecurity issues the U.S. has encountered in the past, current and future," Huawei CEO Ren Zhengfei, 68, told local reporters -- through an interpreter -- while on a visit to New Zealand this week, according to news reports.
<P> Since founding the company 26 years ago, Ren had previously refused to conduct media interviews. But during his visit this week to New Zealand, he <a href="http://www.bbc.co.uk/news/business-22460962">agreed to meet</a> with reporters from four of the country's news outlets. <P> In response to reporters' questions, <a href="http://www.stuff.co.nz/business/industries/8651260/Huawei-CEO-gives-first-ever-interview">Ren dismissed allegations</a> that his employees might be colluding with state security services, instead likening the relationship between his company and the Chinese government to that between New Zealand companies and their government, reported Fairfax Media in New Zealand. Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity. <P> <strong>[ U.S. officials are trying to ratchet up pressure on China. See <a href="http://www.informationweek.com/quickview/senate-bill-calls-for-cyberespionage-wat/3271?wc=4?itc=edit_in_body_cross">Senate Bill Calls For Cyberespionage 'Watch List'</a>. ]</strong> <P> Ren's comments can be read as a criticism of the U.S. singling out Chinese firms Huawei (the world's second-largest telecommunications manufacturer) and ZTE last year in a Congressional report warning that the two companies "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Accordingly, the U.S. House of Representatives Permanent Select Committee on Intelligence's Oct. 2012 report <a href="http://www.informationweek.com/security/vulnerabilities/what-huawei-zte-must-do-to-regain-trust/240009190">"strongly encouraged" all U.S. businesses</a> "to seek other vendors for their projects." <P> American businesses appear to be listening. A recent survey of 454 IT professionals conducted by <em>InformationWeek</em> found that the U.S. 
government's recommendation to avoid Huawei equipment would influence their buying decision-making. Indeed, 37% of surveyed businesses cited the warning as a major concern, and 34% said it would be a deal-breaker. <P> But Ren Thursday downplayed his company's presence in the American market. "Huawei equipment is almost non-existent in networks currently running in the U.S. We have never sold any key equipment to major U.S. carriers, nor have we sold any equipment to any U.S. government agency," he said. <P> His comments echoed those of Huawei executive VP Eric Hu, who last month said, "We are not interested in the U.S. market any more," <a href="http://www.networkcomputing.com/data-networking-management/huawei-quits-us-market/240153472">according to</a> the <em>Financial Times</em>. <P> Despite that apparent vow to quit the U.S. market, the company subsequently <a href="http://www.informationweek.com/quickview/huawei-changes-its-us-market-story/3182">changed its story</a>, saying it would continue to actively sell its products in the United States. "We continue to sell in the U.S. in all three business areas: Device, Carrier Network and Enterprise," Huawei spokesperson Jannie Luong told <em>Network Computing</em> in April. <P> In the wake of the Oct. 2012 Congressional report, Australia, India and the United Kingdom were already evaluating whether they would continue to work with Huawei and ZTE. Notably, India's Research and Analysis Wing -- the government's main intelligence service -- issued a report warning that "Huawei Technologies is known to have links with the People's Liberation Army (PLA) and the ministry of state security of China." <P> In response, Huawei proposed that <a href="http://www.informationweek.com/government/security/huawei-proposes-security-test-center/240009701">Australia create an information security test center</a> to vet the company's products. 
<P> But fears of Chinese espionage were further compounded this week, after an annual report from the Pentagon to Congress <a href="http://online.wsj.com/article/SB10001424127887323687604578467442670389684.html">directly accused China</a> of running a military cyber-espionage operation that directly accessed U.S. government systems. "China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic and defense industrial base sectors that support U.S. national defense programs," according to the report. <P> In the wake of that warning, Huawei and ZTE appear to be facing fresh scrutiny by Indian government officials, who said this week that they're creating a testing lab to assess all foreign-built telecommunications and networking equipment. "We know about the concerns of intelligence agencies and are expediting developing [a] system for testing the telecom equipments of foreign manufacturers in networks," an India government telecommunications official <a href="http://www.hindustantimes.com/News-Feed/Chunk-HT-UI-BusinessSectionPage-Infotech/Huawei-ZTE-under-scanner/Article1-1057038.aspx">told India's <em>Hindustan Times</em></a>. <P> Information security experts, however, say that backdoors purposefully built into networking hardware can be <a href="http://www.informationweek.com/security/vulnerabilities/darpa-looks-for-backdoors-malware-in-tec/240143043">notoriously difficult to detect</a>, and warned that devices could also be <a href="http://www.theregister.co.uk/2013/05/10/india_to_test_huawei_and_zte_kit/">clean when purchased</a> but later updated with firmware that enables spying. 
<P> Furthermore, in a 2012 teardown of the Huawei AR8 and ARE 29 series routers, Felix "FX" Lindner, who heads Berlin-based Recurity Labs, found that the <a href="http://www.informationweek.com/security/management/huawei-zte-4-security-fears/240009248">firmware contained sufficient numbers of coding errors</a> that anyone studying the code base might find ways of remotely compromising the devices without needing to resort to purpose-made backdoors.

2013-05-10T09:47:00Z
Washington State Courts Reveal Security Breach
State officials don't know when attackers accessed up to 160,000 Social Security and 1 million driver's license numbers stored in unencrypted format.
http://www.informationweek.com/security/attacks/washington-state-courts-reveal-security/240154638?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Attackers hacked into Washington state's Administrative Office of the Courts (AOC) servers and obtained copies of up to 160,000 social security numbers and 1 million driver's license numbers, state officials said Thursday.
<P> Officials don't know exactly when the breach occurred or how many records -- which could be used to commit identity theft -- were stolen. But they nonetheless attempted to downplay the severity of the incident in media interviews. "The hackers were probably opportunistic," Mike Keeling, IT operations and maintenance manager for the court system, told reporters on a conference call, <a href="http://www.reuters.com/article/2013/05/09/us-usa-hack-washingtonstate-idUSBRE9480YY20130509">reported</a> Reuters. "They were more than likely just fishing for data." <P> Keeling said the failure to store sensitive personal information on a better-protected server, encrypt the data or better lock down servers to prevent network traversal "was an oversight on our part." <P> <strong>[ Is the state spending enough on IT security? Read <a href="http://www.informationweek.com/global-cio/interviews/why-it-spending-is-stuck-in-a-vicious-ci/240154096">Why IT Spending Is Stuck In A Vicious Circle</a>. ]</strong> <P> Washington's court administrator Callie T. Dietz said in a statement: "We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites." <P> Attackers breached the Washington state court systems by exploiting a flaw in Adobe ColdFusion software, which has since been patched by the court's IT department. State officials didn't disclose whether attackers exploited a zero-day vulnerability or a known vulnerability in ColdFusion, or whether a version of the patched software from Adobe was already available at the time of the breach. Answering those questions might be difficult, however, since state officials don't know exactly when the breach occurred, saying only that it seemed to happen after September 2012 and before February 2013. 
<P> The breach was discovered in February by an unnamed business on the east coast, which was attacked in a similar manner, after which it somehow found signs of a similar intrusion against the Washington state court servers. "They recognized our information in their breach log," Keeling said. <P> State officials at first thought their attackers had only accessed public data. By April, however, investigators at Washington State Consolidated Technology Services and the <a href="http://msisac.cisecurity.org/">Multi-State Information Sharing and Analysis Center</a> found that information exposed during the breach included people's names, as well as social security numbers or driver's license numbers. All of the exposed information related to people who received a DUI citation between 1989 and 2011; were booked into a city or county jail between September 2011 and December 2012; were involved in a traffic case in 2011 or 2012; or were involved in a criminal case filed against them in superior court in 2011 or 2012. <P> To date, state officials said they've identified 94 people whose information was likely stolen by attackers, and said all have been contacted by letter. "We found specific [hacker] footprints in the area where those 94 Social Security numbers were located, so that's why we're reasonably sure that the data was accessed," Keeling said. <P> None of those 94 people were offered data-breach-monitoring services or credit protection, although state officials said they might do so if the data breach victims request them. The state has set up a hotline (1-800-448-5584) and website (<a href="http://www.courts.wa.gov/databreach">www.courts.wa.gov/databreach</a>) to answer questions pertaining to the breach. <P> Washington state's CIO, Michael Cockrill, said the breach hadn't affected the state's executive branch, which is on a separate network. Cockrill also said that Gov. 
Jay Inslee has charged his office -- together with the state's Consolidated Technology Services department -- with improving the information security posture of the judicial systems. "The AOC data breach is a sobering reminder for every branch and every level of government, that protection of personal and confidential data entrusted to government is a paramount responsibility," he said. <P> Washington joins a growing list of states -- including <a href="http://www.informationweek.com/security/attacks/texas-data-breach-exposed-35-million-rec/229401489">Texas</a> and <a href="http://www.informationweek.com/security/attacks/9-lessons-from-utah-data-breach/240000747">Utah</a> -- that in recent years have exposed people's personal information because of state officials' failure to properly secure it.

2013-05-09T11:13:00Z
McAfee, AV's King Of Crazy, Resurfaces
Antivirus pioneer and former fugitive from justice in Belize John McAfee shares more about his code-slinging and drug-smuggling past.
http://www.informationweek.com/security/antivirus/mcafee-avs-king-of-crazy-resurfaces/240154538?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security

Remember John McAfee? <P> In November, the information security genius and resident of Belize <a href="http://www.informationweek.com/security/government/6-wacky-mcafee-facts-from-guatemala-with/240144062">turned fugitive from justice</a> after his neighbor was murdered.
McAfee alleged that he was being framed by government authorities in retaliation for refusing to satisfy their extortion demands. <P> McAfee subsequently <a href="http://www.informationweek.com/security/antivirus/mcafee-to-be-released-from-guatemalan-pr/240144273">fled to Guatemala</a>, where his <a href="http://www.informationweek.com/security/management/guatemala-arrests-rogue-av-founder-mcafe/240143971">location was revealed</a> by GPS data attached to an uploaded iPhone snap, after which point he was arrested, requested asylum and faked a heart attack, before being <a href="http://www.informationweek.com/security/antivirus/mcafee-back-in-us-crazy-like-a-fox/240144326">denied asylum</a> and deported to Miami. Since then, he relocated to Portland, Ore., where he's been working with a screenwriter, biographer and graphic novelist, while <a href="http://pandodaily.com/2013/01/26/we-hit-portland-strip-clubs-with-john-mcafee/">visiting strip clubs and house-hunting</a>. <P> McAfee offered those tidbits -- and more -- in a Wednesday <a href="http://features.slashdot.org/story/13/05/07/2017203/interview-john-mcafee-answers-your-questions">Q&A with Slashdot</a>. As with his previous blog posts <a href="http://www.whoismcafee.com/">documenting life on the run</a>, McAfee's answers displayed a predilection for hard-boiled fiction, if not gonzo embellishment. <P> <strong>[ A satire site is the first outlet to detail serious news about recent Twitter account takeovers. Read <a href="http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504?itc=edit_in_body_cross">How Syrian Electronic Army Unpeeled The Onion</a>. ]</strong> <P> With those caveats, here are five of the most interesting takeaways: <P> <strong>1. 
Belizean Politician Demanded Millions</strong> <P> Asked to comment on reports that he'd suffered harassment and death threats after refusing to "donate" $30,000 to a Belizean politician, McAfee said that there had been an extortion attempt, but for a significantly larger amount of money. "Had it been $30,000 I would have paid it in an instant," he said. "However it was not. It was $2 million." <P> As a result of his failure to pay up, McAfee has claimed that the government killed his dogs, then murdered his neighbor -- fellow U.S. citizen Gregory Viant Faull, 52 -- in a case of mistaken identity. Belizean authorities have <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-says-belize-framing-him-f/240124914">denied all of McAfee's allegations</a>. <P> <strong>2. Guatemalan Hideout Accidentally Revealed</strong> <P> McAfee's subsequent flight from justice in Belize -- where he was sought for questioning as part of the investigation into Faull's murder, although never charged with any crime -- was documented by <em>Vice</em> editor Rocco Castoro and photographer Robert King. But McAfee's <a href="http://www.informationweek.com/security/mobile/mcafee-av-king-turned-fugitive-surfaces/240143769">arrival in Guatemala was revealed</a> when <em>Vice</em> posted iPhone photographs from which GPS-coordinate-revealing EXIF data hadn't been expunged. At the time, said McAfee, the journalists worried the gaffe would be read as a stunt, allowing them to document McAfee's resulting incarceration. <P> "To calm things down and to get everyone focused on our need to hastily scram, I told Rocco and Robert that I would take the fall and claim that I manipulated the exif data myself and they would be in the clear," he said. "Satisfied, they got packed, we left 10 minutes before the soldiers arrived, and I did what I said I would do.
It was a stupid plan but it did clear the minds of the two journalists long enough to allow them to function properly in the shaky circumstances." <P> <strong>3. Staying Weird In Portland</strong> <P> After being deported to Miami, McAfee said the decision to relocate to Portland, Ore., where he's been <a href="http://pandodaily.com/2013/02/09/we-take-john-mcafee-to-a-gun-shop-where-he-scares-the-hell-out-of-a-jackass/">living large</a>, centered on there being a critical mass of Asian restaurants and good coffee, backed by the "Keep Portland Weird!" ethos regularly espoused on bumper stickers, as well as its proximity to two people who are documenting his life. "The gentleman producing the comic novel of my life (Chad Essley) and the screenwriter for the feature movie of the Belize incident both live here," he said. That <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-sells-rights-to-life-stor/240144207">feature movie</a>, provisionally titled <em>Running in the Background</em>, is different from a separate production that's being developed by the team behind the Warner Bros. comedy <em>Crazy, Stupid, Love</em>, which will be <a href="http://www.informationweek.com/security/antivirus/mcafees-escape-from-belize-turns-movie/240146436">based on "John McAfee's Last Stand,"</a> a story written by Joshua Davis for <em>Wired</em>. <P> <a href="http://www.whoismcafee.com/boston-george-jung-writing-the-official-john-mcafee-biography-titled-no-domain/">McAfee also confirmed</a> that he's tapped former cocaine player and convicted drug trafficker <a href="http://en.wikipedia.org/wiki/George_Jung">George "Boston George" Jung</a> -- the subject of the 2001 biopic <em>Blow</em> -- to write his biography, provisionally titled <em>No Domain</em>. <P> <strong>4.
Born To Run, Not Code</strong> <P> In the wide-ranging Q&A, McAfee said that despite launching a pioneering antivirus software business -- the first to distribute antivirus as shareware -- his code-writing prowess would win no awards. "I haven't written code in 20 years. In truth I was a terrible programmer," he said. "I was just good enough though to be able to spot the truly outstanding programmers. At McAfee I hired the best and then stayed out of their hair." <P> Asked by a reader to comment on the security software that still bears his name, McAfee said he's not been associated with the company, which is now part of Intel, for 21 years. "It's barely a blip in the ocean of associations -- madman, paranoid, child molester, murderer, drug addict, unstable, liar, to name but a few," he said. "Thank god I'm 67 and will probably be too hard of hearing soon enough to have to listen to them rattling around wherever I go. Amy, thankfully, did half the job already by bursting my left eardrum when she tried to shoot me in the head while I slept back in 2011." He didn't specify <a href="http://www.whoismcafee.com/frequently-asked-questions/">exactly which Amy</a> he was referring to. <P> <strong>5. Drug-Free 30 Years And Counting</strong> <P> Despite the drug-addict "associations" -- no doubt driven both by his behavior and freely dropped references to the <a href="http://www.informationweek.com/security/antivirus/mcafee-founder-sells-rights-to-life-stor/240144207">designer drug known as bath salts</a> -- McAfee said he's been sober for 30 years. "All this madness stopped in 1982 when my life disintegrated. I joined AA in 1982 and stopped drinking and drugging. [I] have not used any drugs, except for caffeine, nicotine and adrenaline, since," he said in response to a Slashdot question. <P> McAfee emphasized that his eccentricities aren't evidence of recent recreational drug use. 
"It's odd that people focus on the possibility that I might now be doing drugs (I'm not) and totally ignore the fact that from 1971 to 1982, 99% of my income came from smuggling and selling drugs," he said. "It's a well documented feature of my past life. I was also taking more drugs weekly than most of you will do in a lifetime, and I was a totally indiscriminate user." <P> McAfee said his drug-distribution habit had come at a personal cost. "I had my right testicle shattered by a hammer in 1974 when I ran afoul of some local drug barons in Oaxaca. It's the size of a grape now and shaped like a small frisbee," he said. <P> "I have been in Mexican jails on three separate occasions and, frankly, I cannot recommend them," he added. <P> <i>E2 is the only event of its kind, bringing together business and technology leaders across IT, marketing, and other lines of business looking for new ways to evolve their enterprise applications strategy and transform their organizations to achieve business value. Join us June 17-19 for three days of 40+ conference sessions and workshops across eight tracks and discover the latest insights in enterprise social software, big data and analytics, mobility, cloud, SaaS and APIs, UI/UX and more. <a href="http://www.e2conf.com/boston/?_mc=MP_BTMEDIWKAXE">Register for E2 Conference Boston today</a> and save $200 off Full Event Passes, $100 off Conference, or get a FREE Keynote + Expo Pass! 
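On item 2 above, the photographs that gave away McAfee's location: the check that would have caught the leak is a small one. The Python below is an added example, not code from the article, from <em>Vice</em> or from McAfee; it reads the GPS IFD out of a JPEG's Exif (APP1) segment and strips that segment before publication. So that it runs offline it builds its own minimal JPEG, a constructed sample carrying a made-up position and no image data; the JPEG segment, TIFF header and IFD layout it parses are the standard ones a camera phone writes.

```python
"""Read and strip GPS data from a JPEG's Exif segment (standard library only)."""
import struct

GPS_IFD_TAG = 0x8825                                   # IFD0 entry pointing at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF value type


def _rational(num, den):
    return struct.pack("<II", num, den)


def build_sample_jpeg():
    """Constructed sample: SOI, one APP1/Exif segment, EOI. The GPS IFD holds a made-up
    position, 12 deg 34' 56.00" N, 98 deg 45' 43.21" W. Offsets inside the TIFF block:
    IFD0 at 8 (18 bytes), GPS IFD at 26 (4 entries, 54 bytes), rationals from 80."""
    lat = _rational(12, 1) + _rational(34, 1) + _rational(5600, 100)
    lon = _rational(98, 1) + _rational(45, 1) + _rational(4321, 100)
    tiff = b"II" + struct.pack("<HI", 42, 8)                                  # little-endian header
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)                                               # GPS IFD, 4 entries
    tiff += struct.pack("<HHI", 0x0001, 2, 2) + b"N\0\0\0"                     # GPSLatitudeRef, inline
    tiff += struct.pack("<HHII", 0x0002, 5, 3, 80)                             # GPSLatitude at 80
    tiff += struct.pack("<HHI", 0x0003, 2, 2) + b"W\0\0\0"                     # GPSLongitudeRef, inline
    tiff += struct.pack("<HHII", 0x0004, 5, 3, 104)                            # GPSLongitude at 104
    tiff += struct.pack("<I", 0) + lat + lon
    payload = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment that precedes the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or SOS: no more metadata segments
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw value bytes)} for the IFD at `offset`."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[base:base + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                                  # small values live inside the entry
            raw = tiff[base + 8:base + 8 + size]
        else:                                          # larger ones are reached by offset
            (ptr,) = struct.unpack(endian + "I", tiff[base + 8:base + 12])
            raw = tiff[ptr:ptr + size]
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_degrees(raw, endian, ref):
    d_n, d_d, m_n, m_d, s_n, s_d = struct.unpack(endian + "6I", raw)
    deg = d_n / d_d + m_n / m_d / 60 + s_n / s_d / 3600
    return -deg if ref in ("S", "W") else deg


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the Exif block carries a GPS IFD, else None."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, endian, ifd0_off)
        if GPS_IFD_TAG not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
        gps = _read_ifd(tiff, endian, gps_off)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        lat_ref = gps[1][2].rstrip(b"\0").decode("ascii")
        lon_ref = gps[3][2].rstrip(b"\0").decode("ascii")
        return (_dms_to_degrees(gps[2][2], endian, lat_ref),
                _dms_to_degrees(gps[4][2], endian, lon_ref))
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1/Exif segment dropped; all else is passed through."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                                  # scan data and EOI follow the segments
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("position in sample:", extract_gps(sample))
    print("position after strip:", extract_gps(strip_exif(sample)))
```

Run the extractor over anything bound for a public feed and refuse to publish while it returns a position; stripping the whole APP1 segment, rather than zeroing the GPS tags, also removes the other identifying fields (camera serial, timestamps) that ride in the same block.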
</i>
2013-05-09T10:35:00Z
How Syrian Electronic Army Unpeeled The Onion
Satire site The Onion details multi-pronged Twitter account takeover strategies used by hacktivists.
http://www.informationweek.com/security/attacks/how-syrian-electronic-army-unpeeled-the/240154504?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
Satire site <em>The Onion</em> has offered a glimpse into the techniques used by the Twitter account takeover artists known as the Syrian Electronic Army. <P> The campaign launched by the hacktivist group wasn't complex, although it did involve several waves of attacks, resulting in multiple compromised systems and credentials, according to "<a href="http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/">How the Syrian Electronic Army Hacked The Onion</a>," posted Wednesday to the satire site's Tech Blog. <P> Here's how the attack commenced: Starting Friday, May 3, a handful of <em>Onion</em> employees received emails that asked them to read a story, and included an apparent <em>Washington Post</em> link. In reality, the link led to a hacked WordPress site, which redirected to a googlecom.comeze.com site that requested their Google Apps credentials, which, if entered, redirected users to their Gmail account. 
<P> "These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack," according to the <em>Onion's</em> attack overview. "At least one <em>Onion</em> employee fell for this phase of the phishing attack." <P> <strong>[ Is it easier to catch a hacker with honey? Read <a href="http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334?itc=edit_in_body_cross">Sweet Password Security Strategy: Honeywords</a>. ]</strong> <P> Early Monday morning, attackers used the compromised account to send the same phishing message to more employees. "Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts," according to the <em>Onion's</em> recap. <P> The same day, attackers <a href="http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">defaced the <em>Onion's</em> Twitter account page</a> and began issuing bogus tweets. In response, the <em>Onion's</em> IT team issued a company-wide alert, telling all employees to reset their Google Apps passwords. But attackers used another account that they'd compromised to issue their own <a href="http://www.informationweek.com/security/attacks/linkedin-users-change-password-now/240001623">password-reset warning</a>. To make this third wave of attacks more difficult to detect, attackers cleverly didn't send the phishing email -- which included a "password-reset link" that instead redirected to the malicious phishing website that requested a user's Google Apps credentials -- to any IT employees. <P> "This third and final phishing attack compromised at least two more accounts," according to the attack overview. "One of these accounts was used to continue owning our Twitter account." 
At that point, the IT department forced all employees to reset their Google Apps passwords, which allowed them to finally regain control of the accounts and begin a mop-up operation. <P> The Syrian Electronic Army is allied to the regime of President Bashar Al-Assad, and hacktivist group member "Th3 Pr0" told <em>The New York Times</em> that the <em>Onion</em> Twitter account takeover was <a href="http://bits.blogs.nytimes.com/2013/05/06/no-joke-syrians-hack-the-onion/">meant to be revenge</a> for its recent Assad-attributed editorial titled "Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People." <P> What lessons can be learned from the successful Syrian Electronic Army phishing attack against the <em>Onion</em>? The company's IT team reported that "a few simple security measures" would have blocked the attacks. For starters, the attacker connected to compromised accounts from the IP address 46.17.103.125, which is the same IP address used to host a <a href="http://46.17.103.125/en/site/index">Syrian Electronic Army leaks website</a>. Obviously, blocking all connections from that IP address, or other sites associated with the group, would be a good start. <P> To help block phishing attacks, the IT team also recommended using one email address system for everyday emails, and an entirely different one for Twitter accounts. In addition, it said that employing an intermediary social media management system such as <a href="http://www.informationweek.com/social-business/news/social_networking_consumer/hootsuite-improves-workflow-approvals-fo/232901555">Hootsuite</a> would make it much more difficult for an attacker to fully compromise an organization's Twitter accounts. <P> For an industry that's predicated on reporting, it's notable that the <em>Onion</em> is the first news outlet -- satirical or straight -- to detail exactly how its Twitter accounts were owned by the Syrian Electronic Army. 
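Three of the checks that post-mortem points at, written out as an added example in Python rather than anything the <em>Onion's</em> IT team published: a test for anchors whose visible text is a URL on a different host than the href (the "reads as washingtonpost.com, goes to a hacked WordPress site" lure), a lookalike test for hosts that carry a brand name outside the brand's real domain (the googlecom.comeze.com pattern), and a scan of login-audit lines for successful logins from 46.17.103.125, the address the post-mortem ties to the attacker. The e-mail body, the audit-log lines and their format are constructed for this example; the real Google Apps audit export looks different, and the list of protected brands is an assumption.

```python
"""Phishing-campaign checks after the fact: lure links, lookalike hosts, attacker logins."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed brand list: labels that should only appear in hostnames under these domains.
PROTECTED = {
    "google": ("google.com", "googleusercontent.com"),
    "twitter": ("twitter.com",),
}
# The single address the post-mortem names; whole ranges can be appended as ip_network objects.
BLOCKLIST = [ipaddress.ip_network("46.17.103.125/32")]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Assumed audit-log line shape for this example only.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """'legitimate' when the host sits under a protected brand's real domain,
    'lookalike' when a brand label appears anywhere else in it, else 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    squashed = host.replace("-", "").replace(".", "")     # google-com, googlecom, google.com.x
    for brand, domains in PROTECTED.items():
        if any(_under(host, d) for d in domains):
            return "legitimate"
        if brand in squashed:
            return "lookalike"
    return "unrelated"


def anchor_mismatches(html):
    """(shown URL, real href) for every link whose visible text is a URL on another host."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        shown = urlsplit(text.strip())
        real_host = (urlsplit(href).hostname or "").lower()
        if shown.scheme in ("http", "https") and shown.hostname and shown.hostname.lower() != real_host:
            found.append((text.strip(), href))
    return found


def scan_login_log(lines, blocklist=BLOCKLIST):
    """(user, ip, ts) for each successful login from a blocklisted address: the accounts
    to force-reset first, whether or not their owners remember entering a password."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["event"] != "login_success":
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in blocklist):
            hits.append((m["user"], m["ip"], m["ts"]))
    return hits


# Constructed inputs: one lure e-mail body and five audit-log lines (.example names only).
SAMPLE_EMAIL = (
    'Have you seen this? <a href="http://hacked-blog.example/wp-content/r.php">'
    "http://www.washingtonpost.com/world/2013/05/03/story</a>"
)
SAMPLE_LOG = [
    "2013-05-06T02:11:04Z user=alice@example.com event=login_success ip=198.51.100.7",
    "2013-05-06T02:40:19Z user=alice@example.com event=login_success ip=46.17.103.125",
    "2013-05-06T02:41:02Z user=alice@example.com event=login_failure ip=46.17.103.125",
    "2013-05-06T03:05:55Z user=bob@example.com event=login_success ip=203.0.113.9",
    "2013-05-06T03:20:30Z user=bob@example.com event=login_success ip=46.17.103.125",
]

if __name__ == "__main__":
    print(anchor_mismatches(SAMPLE_EMAIL))
    print(classify_url("http://googlecom.comeze.com/ServiceLogin"))
    print(scan_login_log(SAMPLE_LOG))
```

The login scan is the one that would have shortened the incident: the first and second phishing waves each produced a login from the same address, and a reset list built from those hits covers the accounts the attackers actually used, not only the ones whose owners reported clicking. Blocking the address, as the <em>Onion</em> suggests, is cheap but only lasts until the attackers move.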
That's despite the hacktivist group having exploited the Twitter feeds of such organizations as National Public Radio, Reuters, the BBC <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800"> and the <em>Guardian</em></a>. <P> But the Syrian Electronic Army's most infamous outing to date was its compromise of multiple AP Twitter feeds, which it used to issue a hoax alert that President Obama had been <a href="http://www.informationweek.com/security/attacks/twitter-preps-two-factor-authentication/240153539">injured in explosions</a> at the White House. The compromise led to reports that Twitter was finally <a href="http://www.informationweek.com/security/management/twitter-two-factor-authentication-too-li/240153672">prepping two-factor authentication</a> to help users block some types of account takeovers. <P> According to the Syrian Electronic Army, it seized control of the AP accounts via a phishing campaign that compromised at least 50 employees at the news agency, including social media editors. <P> <i>People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital <a href="http://www.darkreading.com/drdigital/041513?k=axxe&cid=article_axxt_os">How Hackers Fool Your Employees</a> issue of Dark Reading: Effective security doesn't mean stopping all attackers. 
(Free registration required.)</i>
2013-05-08T13:10:00Z
Nginx Patches Critical Web Server Software Vulnerability
Meanwhile, hackers behind Cdorked malware that targets Apache servers now have extended it to infect open-source Nginx and Lighttpd server software.
http://www.informationweek.com/security/vulnerabilities/nginx-patches-critical-vulnerability-web/240154480?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
The developers behind the popular open-source Web server software Nginx have released updates to patch a serious vulnerability. <P> Nginx Tuesday announced the <a href="http://nginx.org/en/">release of nginx-1.4.1</a> -- as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on an Nginx server and completely compromise it. In a <a href="http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html">security advisory</a> issued Tuesday, Nginx said <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028">the bug</a> is present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx 1.5.0 [and] 1.4.1," it said. <P> The vulnerability rates as "highly critical," according to a <a href="https://secunia.com/advisories/53248/">security advisory</a> issued by vulnerability research firm Secunia. 
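The advisories for CVE-2013-2028 describe a stack-based overflow reached while parsing an HTTP chunk. The Python below is an added illustration of that class of defect, not nginx's code, and it does not claim to reproduce nginx's internals: it parses a chunk-size line the naive way, accumulating hex digits into what C would keep in a signed 64-bit integer (the wrap is emulated, since Python integers do not wrap), then the checked way, and shows why a reader that trusts the wrapped value and copies min(size, available) bytes into a fixed-size buffer ends up handing memcpy an enormous length. The buffer size and the reader model are assumptions made for the example.

```python
"""Chunk-size parsing with and without an overflow bound (standard library only)."""
INT64_MAX = (1 << 63) - 1
MASK64 = (1 << 64) - 1
DISCARD_BUFFER = 4096        # assumed size of a fixed scratch buffer a C reader keeps on its stack


def _as_int64(v):
    """What a C signed 64-bit variable holds after an unchecked multiply-add."""
    v &= MASK64
    return v - (1 << 64) if v > INT64_MAX else v


def _size_field(line):
    """The hex digits of a chunk-size line, minus any ';extension' and the CRLF."""
    return line.split(b";")[0].rstrip(b"\r\n")


def parse_chunk_size_unchecked(line):
    """Naive accumulation, size = size * 16 + digit, with no bound: the bug class.
    Sixteen 'f's wrap to -1; '8' followed by fifteen zeros wraps to INT64_MIN."""
    size = 0
    for ch in _size_field(line):
        size = _as_int64(size * 16 + int(chr(ch), 16))
    return size


def parse_chunk_size_checked(line, limit=INT64_MAX):
    """Same field, but refuse any digit that would carry the size past `limit`.
    Production code should pass a limit near the configured maximum body size,
    far below INT64_MAX, rather than rely on the arithmetic bound alone."""
    digits = _size_field(line)
    if not digits:
        raise ValueError("empty chunk size")
    size = 0
    for ch in digits:
        d = int(chr(ch), 16)                  # ValueError on a non-hex byte
        if size > (limit - d) // 16:          # size * 16 + d would exceed limit
            raise ValueError("chunk size overflows")
        size = size * 16 + d
    return size


def bytes_copied_by_naive_reader(size, available):
    """Length a C reader hands to memcpy when it takes min(size, available) as a signed
    value: a negative size survives the min() and is reinterpreted as a huge size_t."""
    return min(size, available) & MASK64


def smashes_stack(line, available=DISCARD_BUFFER):
    """True when the unchecked parse of `line` makes the reader copy more than the
    fixed buffer holds, i.e. overrun a stack buffer."""
    size = parse_chunk_size_unchecked(line)
    return bytes_copied_by_naive_reader(size, available) > DISCARD_BUFFER


if __name__ == "__main__":
    for line in (b"1a\r\n", b"1a;ext=1\r\n", b"ffffffffffffffff\r\n", b"8000000000000000\r\n"):
        print(line, parse_chunk_size_unchecked(line), smashes_stack(line))
```

The point of the checked parser is the comparison before the multiply, not after: once the accumulator has wrapped, no later test can tell a wrapped value from a legitimate one, so the bound has to be enforced on each incoming digit. Secunia's advisory describes the flaw in those terms: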
"The vulnerability is caused due to an error within [a] function ... when parsing an HTTP chunk and can be exploited to cause a stack-based buffer overflow," it said. <P> <strong>[ Another U.S. hack leads back to China. Read <a href="http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064?itc=edit_in_body_cross">China Tied To 3-Year Hack Of Defense Contractor</a>. ]</strong> <P> Nginx -- <a href="https://en.wikipedia.org/wiki/Nginx">pronounced "engine X"</a> -- is an open-source Web server, reverse proxy server, and load balancer designed for a large number of concurrent connections and high levels of performance but with a low memory footprint. It runs on Unix, Linux, Solaris and Windows, as well as AIX, BSD variants, HP-UX and Mac OS X. <P> Nginx is now the third most popular HTTP Web server software, behind Apache and Microsoft ISS, although its popularity continues to increase. "Nginx reached a new milestone this month: it is now used by more than 100M websites, and within the million busiest websites has overtaken Microsoft IIS to take second place with a market share of 13.5%," said a <a href="http://news.netcraft.com/archives/2013/05/03/may-2013-web-server-survey.html">May 2013 Web server report</a> released by Netcraft. <P> "Overall, Nginx's market share now stands at 15.5%, just 1.2 percentage points behind Microsoft, helped by a growth of 8.3M sites this month," it said. <P> The growing popularity of Nginx, however, has made it a target for attackers. Notably, the developers behind the <a href="http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922">Cdorked malware</a> that targets Linux systems running Apache HTTP server software recently updated the malware to exploit Nginx, as well as open-source Lighttpd ("lighty") Web server software. 
<P> To date, Cdorked infections have been confirmed in about 400 Web servers, 50 of which rank in the <a href="http://www.alexa.com/topsites">Alexa index of the top 100,000 websites</a>. But security researchers don't yet know how attackers are infecting servers with the backdoor malware. <P> "We still don't know for sure how this malicious software was deployed on the Web servers," said Marc-Etienne M. Leveille, a malware researcher at security firm ESET, in a blog post. "We believe <a href="http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/">the infection vector is not unique</a>. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software." <P> "One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software," he said. "Linux/Cdorked.A is a backdoor, used by [a] malicious actor to serve malicious content from legitimate websites." <P> Interestingly, the malware "is even more stealthy than we first thought," he said. "By analyzing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges, nor if the victim's Internet browser's language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian." In those cases, the malware is instead set to redirect users to a "page with links to pornographic websites," said Leveille. <P> ESET researchers have also <a href="http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922#">clarified the relationship between Cdorked and the Apache-targeting Darkleech</a> (aka Chapro) malware attacks, which have continued to intensify in recent months. 
"While both target Apache servers, they are distinct pieces of code and send visitors to different instances of the Blackhole kit," said ESET malware researcher Sébastien Duquette. "However this does not change the fact that this trend is quite concerning."
2013-05-08T11:26:00Z
Syria Back Online After Internet Blackout
All Internet traffic from the war-torn country -- via overland and submarine connections -- went offline Tuesday.
http://www.informationweek.com/security/management/syria-back-online-after-internet-blackou/240154412?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
"Breaking news: traffic from Syria disappears from Internet." <P> So read a Tuesday alert issued by Umbrella Security Labs, which reported that all outbound Internet traffic from Syria had disappeared. The country's Internet connection remained offline for about 24 hours, before appearing to come online again about 11 a.m. Eastern time Wednesday. <P> Multiple Internet monitoring firms corroborated the outage. "Since 18:45 UTC on May 7th, Renesys hasn't seen a flicker of activity," <a href="http://www.renesys.com/blog/2013/05/syrian-internet-fragility.shtml">said Jim Cowie, CTO of Renesys, in a blog post</a> Wednesday morning, before the country's Internet connection appeared to come back online. "We haven't been able to successfully send a ping or a traceroute to any host inside Syria. Government websites, universities, domain name servers, core infrastructure routers, banks, businesses, DSL customers, smartphones: all silent." <P> Akamai likewise confirmed the "traffic drop to Syria" with a chart that shows hits and megabits of data being delivered to the country <a href="https://twitter.com/akamai_soti/status/331858414684749825/photo/1">plummeting to zero</a> after 2 p.m. Eastern time Tuesday. Akamai confirmed that <a href="https://twitter.com/akamai_soti/status/332104033479299074/photo/1">traffic levels remained at zero</a> early Wednesday morning. 
<P> <strong>[ Is it easier to catch a hacker with honey? Read <a href="http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334?itc=edit_in_body_cross">Sweet Password Security Strategy: Honeywords</a>. ]</strong> <P> The blackout occurred after both of the top-level domain name servers for Syria -- ns1.tld.sy and ns2.tld.sy -- became unreachable. "Routing on the Internet relies on the Border Gateway Protocol (BGP). BGP distributes routing information and makes sure all routers on the Internet know how to get to a certain IP address," according to a <a href="http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/">blog post from Dan Hubbard</a>, CTO of Umbrella Security Labs, which is the threat research division of OpenDNS. "When an IP range becomes unreachable it will be withdrawn from BGP, this informs routers that the IP range is no longer reachable," he said. But in the case of Syria, "currently there are just three routes in the BGP routing tables for Syria, while normally it's close to 80." <P> "Effectively, the shutdown disconnects Syria from Internet communication with the rest of the world," Hubbard said. "It's unclear whether Internet communication within Syria is still available. Although we can't yet comment on what caused this outage, past incidents were linked to both government-ordered shutdowns and damage to the infrastructure, which included fiber cuts and power outages." 
<P> <!-- Image Aligning Right --> <div class="inlineStoryImageManual inlineStoryImageRight" style="width:300px;"> <a href="http://twimgs.com/informationweek/news/2013/05/syrias-3-submarine-cables-renasys_300.png"><img src="http://twimgs.com/informationweek/news/2013/05/syrias-3-submarine-cables-renasys_300.jpg" alt="Syria's 3 Submarine Cables" title="Syria's 3 Submarine Cables" width="300" /></a> <div class="storyImageCaption">Image courtesy of Renesys</div> </div> <!-- / Image Aligning Right --> This isn't the first time the Syrian Internet has blacked out. In November 2012, the Syrian government may have <a href="http://www.informationweek.com/security/attacks/syria-hits-internet-kill-switch-blackout/240142977">hit a "kill switch"</a>, taking the country's Internet services offline for two days, or else the infrastructure may have simply failed. Prior Syrian Internet outages occurred in July and August 2012, as well as June 2011. <P> According to Renesys, Syria's Internet connections comprise overland connections from its northern neighbor, Turkey, as well as three different submarine communications cables from Cyprus, Egypt and Lebanon. All told, Syria works with four different telecommunications providers, it said, although one of those connections -- <a href="https://twitter.com/renesys/status/331868678075330562/photo/1">with Turk Telekom</a> -- has been offline for almost two weeks. <P> Renesys CTO Cowie said the latest Syrian Internet blackout shouldn't be surprising, given that the country remains in the midst of a <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">bloody civil war</a>. "In the middle of the chaos and tragedy of civil war, why is anyone surprised when the Internet stops working?" he said. "Isn't it actually more shocking and noteworthy that the Internet in Syria actually functions pretty well 360 days out of the year?" 
<P> The Internet outage may temporarily slow the efforts of the Syrian Electronic Army hacktivist group that's allied to the regime of Syrian president Bashar al-Assad. The group recently compromised Associated Press Twitter accounts and tweeted hoax messages about <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">explosions at the White House</a>. It later compromised the Twitter feeds for the <em>Guardian</em> and on Monday, <a href="http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368">satire site <em>The Onion</em></a>. <P> "To be flippant for a second, this outage might at least shed some light as to whether the Syrian Electronic Army -- who have been causing quite a nuisance by hacking media organizations lately -- are really based in Syria, or not, as some tend to suspect," <a href="http://nakedsecurity.sophos.com/2013/05/07/syria-disappears-off-internet/">said Graham Cluley</a>, senior technology consultant at Sophos, in a blog post. <P> <i>Antivirus systems alone can't fight a growing category of malware whose strength lies in the fact that we have never seen it before. The <a href="http://www.darkreading.com/AdvancedThreats/util/9727/download.html?k=axxe&cid=article_axxe">How To Detect Zero-Day Malware And Limit Its Impact</a> report examines the ways in which zero-day malware is being developed and spread, and the strategies and products enterprises can leverage to battle it. (Free registration required.)</i>
2013-05-07T13:11:00Z
Anonymous OpUSA Hackathon: Mostly Bluster
DHS predicts Tuesday's hackathon will involve little more than nuisance exploits. 
Meanwhile, Syrian Electronic Army hacks Twitter feeds of The Onion.
http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368?cid=SBX_iwk_related_mostpopular_Intrusion_prevention_security
Will the Anonymous-led Operation USA (#OpUSA) scheduled for Tuesday disrupt leading U.S. government and banking websites? <P> An <a href="http://pastebin.com/LXHKjsfg">"#OpUSA target list" posted to Pastebin</a> two weeks ago named nine government websites -- the White House and Department of Defense's public-facing websites among them -- and 133 banks and credit unions as primary targets. "We will now wipe you off the cyber map," read the Pastebin post, signed by N4M3LE55 CR3W. "Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs." <P> In a show of solidarity, the distributed-denial-of-service bank-attack outfit known as al-Qassam Cyber Fighters, which as part of Operation Ababil has been <a href="http://www.informationweek.com/security/attacks/laws-cant-save-banks-from-ddos-attacks/240152324">successfully disrupting financial websites</a> for months, Monday <a href="http://pastebin.com/vpP9KZ6P">promised to take the week off</a>. 
"Due to the simultaneity of OpUSA with Operation Ababil, and to abstain from ambiguity in the intentions of our operation, this week we will not run any attack," read a statement posted to the group's Pastebin. <P> By Tuesday afternoon, however, despite a <a href="http://www.hackersnewsbulletin.com/2013/05/list-of-websites-affected-under-opusa.html">plethora of hacked-site reports</a>, the OpUSA attacks appeared to be targeting low-level -- and possibly random -- sites in the United States and abroad, arguably causing little damage. <P> <strong>[ Could fake passwords help keep your database secure? Read <a href="http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334?itc=edit_in_body_cross">Sweet Password Security Strategy: Honeywords</a>. ]</strong> <P> The Tunisian Hackers Team, for example, claimed to have dumped a SQL database for the <a href="http://bloodbanker.com">Blood Bank of America</a> that appeared to contain about 3,000 usernames and hashed passwords. Among other attacks, AnonGhost members BilalSbXtra & Dr.SaMiM_008 posted what they said were 10,000 credit card numbers -- including expiration dates and security codes, as well as account holders' names and addresses -- that were apparently stolen from an online store. Some of the published information also included social security numbers, bank account routing numbers and answers to secret questions. The group also claimed to have hacked 29 Israeli websites. <P> Meanwhile, Mauritania Attacker Tuesday claimed to be preparing to release "all governments emails of USA." It <a href="https://twitter.com/An0nGhost/status/331255767644655617">published a teaser</a> showing some doxed addresses -- which included both microsoft.com and cia.gov addresses, as well as numerous accounts with service providers -- but with obscured passwords. 
<P> Hacking groups or collectives claiming to participate in OpUSA include Anonymous and affiliates <a href="http://www.informationweek.com/security/attacks/anonymous-hackers-helper-it-security-neg/232602226">AntiSec</a> and <a href="http://www.informationweek.com/security/attacks/lulzsec-reborn-claims-military-dating-si/232700290">LulzSec Reborn</a>. Other groups that have pledged their assistance include Ajax Team, Mauritania Attacker, Muslim Liberation Army, Redhat, Team Poison Reborn and ZHC. <P> Not all OpUSA-related attacks began Tuesday. Hacking group <a href="https://twitter.com/YourAnonNews/status/331196545556946946">X-Blackerz Inc claimed</a> Monday to have released 23 emails and passwords for Honolulu Police Department staff. Meanwhile, AnonGhost Team got an early start Saturday, <a href="http://pastebin.com/zftTrrrh">claiming via Pastebin</a> that it had defaced about 900 pages, which included multiple Web pages in the domain of <a href="http://www.hack-db.com/">Hack-DB</a>, which tracks hacktivism and cybercrime. A message posted to defaced sites read "we are everywhere" and left a scrolling list of the group's official members. <P> Many of the groups that pledged to take part in the one-day hackathon had previously joined forces for the ongoing <a href="http://www.informationweek.com/security/attacks/anonymous-launches-opisrael-ddos-attacks/240142149">Operation Israel (#OpIsrael) campaign</a>, which last month promised to "erase" Israel from the Internet. "We promised to take Israel off the cyber map. We succeeded," read a recent OpUSA target list post. OpIsrael attackers last month claimed to have disrupted 100,000 Israeli websites and caused $3 billion in damage. 
But <a href="http://www.informationweek.com/security/attacks/anonymous-claims-100000-israel-site-disr/240152448">Israeli officials disputed hacktivists' claims</a>, saying that while there had been a lot of bluster there was little "real damage," and that the country's critical infrastructure remained unaffected. <P> Likewise, in the lead-up to OpUSA, the U.S. Department of Homeland Security appeared to expect similar low-level attacks, aimed at publicizing attackers' anti-U.S. grievances but causing little lasting damage. In a confidential DHS memo issued last week and <a href="http://krebsonsecurity.com/2013/05/dhs-opusa-may-be-more-bark-than-bite/">obtained by security reporter Brian Krebs</a>, DHS said the attacks "likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation." <P> Not all hacktivist activity this week has been conducted under the OpUSA banner. The <a href="http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800">Syrian Electronic Army</a> resurfaced Monday when it <a href="http://www.syrianews.cc/syrian-electronic-army-pays-visit-onion/">seized control of the Twitter feed for the satirical news outlet <em>The Onion</em></a>. The group posted fake news headlines relating to Israel's recent missile strikes against military targets in Syria. Another tweet suggested that the Israeli government was allied with Al Qaeda. <P> In the wake of the Twitter account takeover, <em>The Onion</em> <a href="http://www.theonion.com/articles/onion-twitter-password-changed-to-onionman77,32323/">responded in typical fashion</a>: "Following today's incident in which the Syrian Electronic Army hacked into The Onion's Twitter account, sources ... confirmed that its Twitter password has been changed to OnionMan77 in order to prevent any future cyber-attacks." 
The story quoted "Onion IT specialist Nick Abersold" as saying that the new password would be "virtually impenetrable." <P> Satire aside, in the wake of the <a href="http://www.informationweek.com/security/attacks/twitter-battles-syrian-hackers/240153424">numerous news organizations' Twitter account takeovers</a> by the Syrian Electronic Army, Twitter last week issued a memo <a href="http://www.informationweek.com/security/intrusion-prevention/twitter-to-news-outlets-more-takeovers-a/240154094">warning media outlets</a> to take appropriate security precautions, as it expected the account takeovers to continue.