Archive for the ‘Advice’ Category
Online Dating Advice for the Lovelorn
Dear Miss Deborah,
Three months ago, I started chatting with a guy I met online, and we really hit it off – we have so much in common! He looks quite handsome in the photos he sent. He sent me flowers and a sweet teddy bear. Isn’t that romantic? We haven’t met yet, because he is actually supervising a construction project in an African country, but we will when he gets back. I can’t wait.
Yesterday, I got a message from him explaining how he is unable to cash his checks and asking if I could wire him money so he could come home. I’m starting to like him more each day, and I want to meet him. What should I do? Risk rejection or send him the money?
Sincerely,
Single and looking again
Dear Single and looking again,
Somewhere deep inside, your wee small voice warned you before you lost more than your heart. I’m glad you listened. Modern-day singles often turn to online dating sites to find their soul mate, and according to the marketing materials lots of relationships and even marriages are being made through these sites. Unfortunately, mixed among your potential Prince Charmings are scammers who target the lovelorn with well-played deceptions. After establishing a relationship, the smooth-talking scammer plays on emotional triggers to get the victim to provide money, gifts or personal details.
These “sweetheart” scams are known as Nigerian scams, and can take months or even a year to develop. The Secret Service and other U.S. agencies, as well as foreign authorities, have issued warnings on the scams, also known as “419” or “advance-fee” frauds. In one version, the victim is tricked into sending money to the African country using some irreversible method like a wire transfer. In another variation, the scammer asks their victim to “re-ship” items to locations in Nigeria, essentially acting as the “middle-man.” The scammer purchases items from the victim’s home country, with stolen credit cards, and asks the victim to forward them on, because they have trouble getting them delivered out of the country.
Match.com says in a statement about dating scams, “…we have over 100 fraud team agents who manually review every profile before it’s allowed on the site. But a few of these sophisticated criminals still slip through all of our checks…”
To avoid being ripped off and left broken-hearted, remember a few things:
- Keep all communication within the dating site, since they often monitor for fraud
- Do not send or wire money to anyone you have not met face-to-face
- Keep your personal information, like credit card number, PIN, and Social Security number, to yourself
As you have experienced, you never know a person just from writing to him online. The next time you find someone you are interested in, meet him in person sooner rather than later. See if there’s any chemistry. Risk rejection and get it over with. It’s up to you to find out if he’s real or not.
Good luck,
Deborah
Valentine’s Day Scams: For the love of money
Scam artists and cybercriminals are looking to turn romance into profit now that Valentine's Day approaches, possibly taking over your computer in the process. According to ESET researchers in Latin America, we can expect the quest for love to be leveraged as an effective social engineering ploy to enable the bad guys to infect unsuspecting users with malicious code.
Malware authors, always eager to exploit their victims' susceptibility and curiosity, see great potential for “romantic” hyperlinks that lead, allegedly, to greetings cards, poems, songs or videos. On the right you can see an early example of such a “card of love” received in the run-up to Valentine’s Day, 2012, analyzed by our research team in Latin America:
Apart from the disappointment that the victim might experience when he realizes that the secret admirer is no such thing, there’s also the significant issue of the risk to all his sensitive financial information.
As you can see from the picture on the right, the victim receives an email “greetings card” that purports to be a declaration of love which appeals directly to the reader’s romantic spirit, trying to make him believe that he is someone’s One and Only. Then, to encourage him to download malware, the letter ends with three ellipses and the link inviting him to read the “full message”, which in reality leads to malicious content.
If you were to follow this link it would try to download a malicious program that is detected heuristically by ESET products as a variant of Win32/Injector.HVG Trojan. (According to the information gathered by our Latin America researchers, the threat in question was downloaded approximately 430 times between January 20 and 24).
If there is no antivirus software running on the victim's computer and this Trojan file is downloaded and executed, then Injector.HVG proceeds to modify the victim’s hosts file in order to divert him from certain Chilean banking sites to pages that look similar to the original, but are actually phishing sites created by cybercriminals with the sole purpose of tricking the victim into disclosing his bank details.
As February 14 approaches we are likely to see more malware using love and roses to reel in more victims. This time last year, ESET Latin America put together a blog post with more examples of Valentine scams, so that readers would be better prepared when surfing the Internet. What follows is a summary of their advice.
1. Malware in social networks
Social networks are a major vector for attacks using social engineering. We hate to pour water on romantic inclinations, but all posts in social media relating to the Valentine theme, especially eye-catching messages about special offers and exclusive gifts should be regarded with suspicion, in order to avoid infection and forestall potential threats.
While this example is from Twitter, various kinds of scams exploiting gift cards and other special offers are also seen frequently on Facebook.
In particular, be wary of messages that direct you to web pages using shortened hyperlinks, such as this one from bit.ly. While bit.ly is a very reputable service, it can be abused by the bad guys, looking for a way to mask the final destination of a link. In fact, these types of links have become a fundamental component of the attacker’s toolkit. If you feel you really need to check out where a bit.ly link goes without clicking it, enter a plus sign on the end of the link in the browser URL field (like this: http://bitly.com/w5LAnh+)
ESET Advises: Use Caution When Connecting to Public Wi-Fi
There are tens of millions of free or paid Wi-Fi hotspots around the world. Unsuspecting business or adventure travelers will use Wi-Fi wherever they find themselves. Airports often have free Wi-Fi, and with vacation season in full swing, Wi-Fi access is a necessity. That is why ESET researcher Cameron Camp has prepared some advice for users of wireless internet spots.
I’ll show you my password, if you’ll show me yours
On the heels of the Zappos cyber robbery last Sunday that left 24M customers fretting over stolen passwords and email addresses, articles are being published about how people can protect themselves online. The number one point is always about passwords. Clean up your passwords. Never Share Your Password. Create different passwords for different accounts.
Sage advice, which we at AVAST support. We even have a dedicated password manager called avast! EasyPass to help you juggle it all. The theft at Zappos and the struggle for greater online privacy made it even more startling when I read about the growing trend among teenagers to share their passwords as an act of trust with their current BFFs.
The Pew Internet and American Life Project discovered that “for some wired teens, a sign of true friendship is for one Internet user to share his screen name and password with a buddy. While such behavior might seem strange in light of concerns about online privacy, the teens who share their passwords see it as emblematic of their trust in their friends.”
The report said that girls are more likely to share their passwords with friends, and teens age 14-17 are more likely to share their security codes than younger ones. Password sharing is especially common among users of social network sites. One-third of all teen Facebook and Twitter users have given others their passwords.
I predict that most of these teenagers will rue the day when they decided to rebel against the voice of authority with password sharing. Interestingly, teens are savvy about their online reputations and what it means for future college entry and job prospects. The Pew report found that over half of online teens say they have decided not to post something online out of concern that it might reflect poorly on them in the future. But they seem to forget that their online reputations can be put at risk if the person they shared log in information with decided to retaliate after an argument or a break-up.
Does this mean we need to start preaching digital sharing abstinence? That will probably work as well as the other kind of abstinence, so we need to look at viable alternatives instead. The National Strategy for Trusted Identities in Cyberspace (NSTIC) program is working with companies to identify Internet-scale solutions that could rely on password alternatives like trusted identity providers and biometric solutions. But for the near future, safe log ins should be practiced by keeping passwords to yourself.
Latest round of hacktivism highlights questions at the heart of hacking
Hacktivism, the hacking of information systems to advance a social or political agenda, was clearly a major trend in 2011, which is why hacktivism was noted several times in our cyberthreat predictions for 2012 (in other words, we think you're going to see more of it). That prediction was underlined by the news on Christmas Day that Anonymous had hacked Stratfor Global Intelligence, a think tank in Austin, Texas.
You are likely to see more than one post on this blog about that incident and its lingering aftermath, the phased release of data obtained by the hackers. So far, according to independent analysis performed by identity theft prevention service Identity Finder and published by VentureBeat, some 9,651 active credit cards, 47,680 unique e-mail addresses, 25,680 unique phone numbers and 44,188 encrypted passwords were hacked from the A through M name list published by Anonymous (we may see the N through Z portion of the list exposed in the next few days).
What strikes me about this incident is the spotlight it shines on questions as old as hacking itself, most notably: Do the ends justify the means? I engaged in a lively discussion of this and related questions with a large congregation of hackers at DefCon III, held at the old Tropicana in Las Vegas, in 1995. The session, which The Dark Tangent invited me to present, was titled “Why Hacking Sucks” but it quickly morphed into a consideration of “When does hacking suck?” Unlike sessions at more recent and more expensive information security conferences, this one was recorded in high quality audio and made available free on iTunes (obviously some time after iTunes was invented, and yes, it is weird to hear yourself speaking 16 years ago).
What I took away from that session, and the whole DefCon III experience, was that most hackers are not “amoral, sociopathic scum.” That phrase was erroneously attributed to a friend and colleague, Mich Kabay, because what he actually said, to the best of my recollection, was: “criminal hackers are amoral, sociopathic scum.” But even with that “criminal” qualification I would argue with the term “amoral” and suggest, perhaps, “differently moralled.”
Indeed, there was a lot of righteous indignation in hacking circles circa 1995. People who thought of themselves as hackers bent on improving technology by exposing flawed implementations had watched in mounting frustration as the media began demonizing “hacking” without any real understanding of what it was. I know because a journalist writing for a well-known magazine called me that summer looking for cases of “hackers causing bloodshed.” He got quite testy when I could offer no examples and he ended the call when I suggested he write about the technical failure of the London Ambulance Service Computer-Aided Despatch system in 1992, to which dozens of avoidable deaths had been attributed. My advice to hackers at DefCon III was to better articulate their moral perspective and be sure they were clear about any equations involving righteous ends and illegal means.
Some 16 years later it seems clear that, if you're going to break the law to break into a computer system, you should have clear and well-articulated reasons for doing so. After all, illegal acts of this nature carry risks for you and, potentially, unhappy consequences for thousands of innocent people. While most reports of the Stratfor incident have focused on the company's big-name corporate clients, the company had a lot of paying customers who were private citizens entirely lacking in nefarious agendas.
Many of us may feel compelled to call out those with whom we disagree and we may choose to break laws which we feel are deeply unjust. The peaceful exercise of civil disobedience has a proven ability to overthrow cruel oppression and strike down illegitimate regimes. So perhaps the question today is: How far can you extrapolate the principles that inform civil disobedience before you risk losing the support of those you seek to liberate or empower? That, and Why would you not encrypt your customers' credit card numbers?
Facebook scam #umpteen: having your cheesecake and eating it…
…Or not.
Cheesecake Factory scams aren't new, but according to Facecrooks, there's an uptick today in rogue “Eat for Free at Cheesecake Factory!” wall posts. Sadly, there is still no such thing as a free lunch: it's a survey scam with no payoff. Well, not for you. The scammers seem to be doing quite nicely out of it.
Even more sadly, Cheesecake Factory isn't giving away $100 gift cards either. (There are, as you may know, many Facebook scams hanging on that particular hook, and Cheesecake Factory is just one of the names used.)
If you've fallen for something like this, there's some good advice on several Facecrooks pages:
- Your Ultimate Guide to Facebook Scams and How to Deal with Them
- How to spot a Facebook Survey Scam
- Beware of Facebook Freebies!
All this talk of cheesecake is making me peckish. Time for dinner, I guess.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Kaspersky Lab publishes new report: Keyloggers – how they work and how to detect them
Examples of the significant losses caused by keyloggers are also highlighted in the report, together with advice on how users and organisations can protect themselves from the malware.
PC Advisor, a well-known British magazine, calls Kaspersky Anti-Virus 6.0 “Best Buy”
Kaspersky Anti-Virus 6.0 has received a Best Buy award in the category of antivirus products for home users from PC Advisor, a respected British magazine specializing in expert advice on information technology.
Facebook Christmas Tree Virus: it’s Still a Hoax
On the “old hoaxes never die” tack, it seems that last year's Christmas Tree App “virus” warning is circulating again: at any rate, Facecrooks has found it necessary to put a warning on its Facebook page against spreading it.
There is plenty of information available about this little beauty, so I'll just give you a few pointers:
- Facecrooks cites a write-up at Hoax Slayer
- Snopes has a write-up here
- Geek Squad, which is alleged in the hoax message to have validated the alert, has denied it here (and also thrown in some advice for Facebook users)
- Graham Cluley included some screen shots and a historical note here.

Endpoint Security Webinar: Protecting your network at the sharp end
I have a theory that says improving information system security–the security of our operating systems, network connections, and applications–just means the bad guys will focus more attention on our endpoints, the digital devices we use to access the information and systems we need to do our work.
That's my take on why all aspects of endpoint security are so important today and I just finished recording a webinar that captures my thoughts on the subject quite well. You can access the recording of the webinar here.
When you have some time–about 50 minutes or so–I hope you can take a look and a listen. I'm keen to know what you think about this theory, and the practical advice I offer towards the end of the webinar about how to protect endpoints today. You will need to register to see the webinar but it only takes a moment and you won't have to divulge a whole lot of information to do so.
BTW, that same link will lead you to a range of recorded information security webinars that may be of interest, as well as notices about upcoming sessions you might like to attend. We also have a page that provides links to all the latest ESET security resources in one place. We hope you find it helpful.