Adrian Lamo, the hacker probably best known for breaking into The New York Times’s network and for reporting Chelsea Manning’s theft of classified documents to the FBI, was found dead in a Kansas apartment on Wednesday. Lamo was widely reviled and criticized for turning in Manning, but that chapter of his life eclipsed the profile of a complex individual who taught me quite a bit about security over the years.

I first met Lamo in 2001 when I was a correspondent for Newsbytes.com, a now-defunct tech publication that was owned by The Washington Post at the time. A mutual friend introduced us over AOL Instant Messenger, explaining that Lamo had worked out a simple method allowing him to waltz into the networks of some of the world’s largest media companies using nothing more than a Web browser.

The panoply of alternate nicknames he used on instant messenger in those days shed light on a personality not easily grasped: Protagonist, Bitter Geek, AmINotMerciful, Unperceived, Mythos, Arcane, truefaith, FugitiveGame. In this, as in so many other ways, Lamo was a study in contradictions: Unlike most other hackers who break into online networks without permission, he didn’t try to hide behind the anonymity of screen names or Internet relay chat networks.

By the time I met him, Adrian had already earned the nickname “the homeless hacker” because he had no fixed address, and found shelter most evenings in abandoned buildings or on friends’ couches. He launched the bulk of his missions from Internet cafes or through the nearest available dial-up connections, using an old Toshiba laptop that was missing seven keys. His method was the same in every case: find security holes; offer to fix them; refuse payment in exchange for help; wait until the hole is patched; alert the media.
Lamo had previously hacked into the likes of AOL Time Warner, Comcast, MCI Worldcom, Microsoft, SBC Communications and Yahoo after discovering that these companies had enabled remote access to their internal networks via Web proxies, a kind of security by obscurity that allowed anyone who knew the proxy’s Internet address and port number to browse internal shares and other network resources of the affected companies.

By 2002, Lamo had taken to calling me on the phone frequently to relate his various exploits, often spoofing his phone number to make it look like the call had come from someplace ominous or important, such as The White House or the FBI. At the time, I wasn’t actively taking any measures to encrypt my online communications, or to suggest that my various sources do likewise. After a few weeks of almost daily phone conversations with Lamo, however, it became abundantly clear that this had been a major oversight.

In February 2002, Lamo told me that he’d found an open proxy on the network of The New York Times that allowed him to browse the newsroom’s corporate intranet. A few days after that conversation, Lamo turned up at Washingtonpost.com’s newsroom (then in Arlington, Va.). Just around the corner was a Kinkos, and Adrian insisted that I follow him to the location so he could get online and show me his discovery firsthand. While inside the Times’ intranet, he downloaded a copy of the Times’ source list, which included phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures – including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. Lamo also added his own contact information to the file. My exclusive story in Newsbytes about the Times hack was soon picked up by other news outlets. In August 2003, federal prosecutors issued an arrest warrant for Lamo in connection with the New York Times hack, among other intrusions.
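The exposure Lamo kept finding, a forward proxy reachable from the Internet that would happily relay requests to internal hosts, leaves a distinctive trace in the proxy’s own access log: client addresses from outside the network fetching internal destinations. The Python script below is an added example, not code from Krebs’s article, that runs exactly that check over a few constructed log lines. The log layout (timestamp, client IP, method, target, status), the internal hostname suffixes, and the use of RFC 1918 space plus loopback as the definition of “internal” are assumptions for the example; the 203.0.113.x and 198.51.100.x clients are documentation addresses standing in for hosts on the public Internet.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: "internal" means RFC 1918 space plus loopback,
# and hostnames under these suffixes belong to the internal network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp", ".internal", ".local")

# Constructed sample access log (not a real capture). Columns:
# timestamp client_ip method target status. The 203.0.113.x and 198.51.100.x
# clients are documentation addresses standing in for hosts on the Internet.
SAMPLE_LOG = """\
1014912001.123 203.0.113.45 GET http://intranet.example.corp/sources.xls 200
1014912002.456 10.20.30.40 GET http://www.example.com/ 200
1014912003.789 198.51.100.7 CONNECT 10.0.0.5:445 200
1014912004.012 203.0.113.45 GET http://192.168.1.10/share/ 200
1014912005.345 10.20.30.41 GET http://www.example.org/ 200
1014912006.678 203.0.113.99 GET http://www.example.net/ 200
this line is malformed and is skipped
"""


def is_internal_address(addr: str) -> bool:
    """True if addr is an IP literal inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_target(host: str) -> bool:
    """True if a proxied destination is an internal IP or an internal hostname."""
    return is_internal_address(host) or host.lower().endswith(INTERNAL_SUFFIXES)


def target_host(method: str, target: str) -> str:
    """Extract the destination host. CONNECT targets are bare host:port,
    other methods carry a full URL."""
    url = "//" + target if method.upper() == "CONNECT" else target
    return urlsplit(url).hostname or ""


def parse_line(line: str):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, target, status = parts
    return {"ts": ts, "client": client, "method": method,
            "target": target, "status": status}


def find_internal_relays(log_text: str):
    """Return (client, method, host) for every request in which a client
    outside the internal network was relayed to an internal destination."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal_address(rec["client"]):
            continue  # malformed, or an internal client using the proxy normally
        host = target_host(rec["method"], rec["target"])
        if host and is_internal_target(host):
            hits.append((rec["client"], rec["method"], host))
    return hits


if __name__ == "__main__":
    for client, method, host in find_internal_relays(SAMPLE_LOG):
        print(f"external client {client} reached internal host {host} via {method}")
```

Three of the sample requests are flagged: two external clients browsing an intranet hostname and a private IP over plain GET, and one CONNECT tunnel to port 445 on an internal address, which is the “browse internal shares” case the article describes. The two internal clients and the external client fetching a public site are left alone. The fix for a hit is not in the log analysis but in the proxy: refuse to relay for any client outside the internal ranges, or bind the listener to the internal interface only.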
The next month, The Washington Post’s attorneys received a letter from the FBI urging them not to destroy any correspondence I might have had with Lamo, and warning that my notes may be subpoenaed. In response, the Post opted to take my desktop computer at work and place it in storage. We also received a letter from the FBI requesting an interview (that request was summarily denied). In October 2003, the Associated Press ran a story saying the FBI didn’t follow proper procedures when it notified reporters that their notes concerning Lamo might be subpoenaed (the DOJ’s policy was to seek materials from reporters only after all other investigative steps had been exhausted, and then only as a last resort).

In 2004, Lamo pleaded guilty to one felony count of computer crimes against the Times, as well as LexisNexis and Microsoft. He was sentenced to six months’ detention and two years’ probation, and ordered to pay $65,000 in restitution.

Several months later while attending a formal National Press Foundation dinner at the Washington Hilton, my bulky Palm Treo buzzed in my suit coat pocket, signaling a new incoming email message. The missive was blank save for an unusually large attachment. Normally, I would have ignored such messages as spam, but this one came from a vaguely familiar address: [email protected]. Years before, Lamo had told me he’d devised a method for minting his own .mil email addresses. The attachment turned out to be the Times’ newsroom source list. The idea of possessing such information was at once overwhelming and terrifying, and for the rest of the evening I felt certain that someone was going to find me out (it didn’t help that I was seated adjacent to a table full of NYT reporters and editors). It was difficult not to stare at the source list and wonder at the possibilities. But ultimately, I decided the right thing to do was to simply delete the email and destroy the file.

EARLY LIFE

Lamo was born in 1981 outside of Boston, Mass.
into an educated, bilingual family. Lamo’s parents say from an early age he exhibited an affinity for computers and complex problem solving. In grade school, Lamo cut his teeth on a Commodore 64, but his parents soon bought him a more powerful IBM PC when they grasped the extent of his talents. “Ever since he was very young he has shown a tendency to be a lateral thinker, and any problem you put in front of him with a computer he could solve almost immediately,” Lamo’s mother Mary said in an interview in 2003. “He has a gifted analytical mind and a natural curiosity.”

By the time he got to high school, Lamo had graduated to a laptop computer. During a computer class his junior year, Lamo upstaged his teacher by solving a computer problem the instructor insisted was insurmountable. After an altercation with the teacher, he was expelled. Not long after that incident, Lamo earned his high school equivalency degree and left home for a life on his own. For many years after that he lived a vagabond’s existence, traveling almost exclusively on foot or by Greyhound bus, favoring the affordable bus line for being the “only remaining form of mass transit that offers some kind of anonymity.” When he wasn’t staying with friends, he passed the night in abandoned buildings or under the stars.

In 1995, Lamo landed contract work at a promising technology upstart called America Online, working on “PlanetOut.com,” an online forum that catered to the gay and lesbian community. At the time, advertisers paid AOL based on the amount of time visitors spent on the site, and Lamo’s job was to keep people glued to the page, chatting them up for hours at a time. Ira Wing, a security expert at one of the nation’s largest Internet service providers, met Lamo that year at PlanetOut and the two became fast friends.
It wasn’t long before he joined in one of Lamo’s favorite distractions, one that would turn out to be an eerie offshoot of the young hacker’s online proclivities: exploring the labyrinth of California’s underground sewage networks and abandoned mines. Since then, Lamo kept in touch intermittently, popping in and out of Wing’s life at odd intervals. But Wing proved a trustworthy and loyal friend, and Lamo soon granted him power of attorney over his affairs should he run into legal trouble. In 2002, Wing registered the domain “freeadrian.com,” as a joke. He’d later remark on how prescient a decision that had been. “Adrian is like a fast moving object that has a heavy effect on anyone’s life he encounters,” Wing told this reporter in 2003. “And then he moves on.”

THE MANNING AFFAIR

In 2010, Lamo was contacted via instant message by Chelsea Manning, a transgender Army private who was then known as Bradley Manning. The Army private confided that she’d leaked a classified video of a helicopter attack in Baghdad that killed 12 people (including two Reuters employees) to Wikileaks. Manning also admitted to handing Wikileaks some 260,000 classified diplomatic cables. Lamo reported the theft to the FBI. In explaining his decision, Lamo told news publications that he was worried the classified data leak could endanger lives. “He was just grabbing information from where he could get it and trying to leak it,” Mr. Lamo told The Times in 2010. Manning was later convicted of leaking more than 700,000 government records, and received a 35 year prison sentence. In January 2017, President Barack Obama commuted Manning’s sentence after she’d served seven years of it. In January 2018, Manning filed to run for a Senate seat in Maryland.

HOMELESS IN WICHITA

The same month he reported Manning to the feds, Lamo told Wired.com that he’d been diagnosed with Asperger Syndrome after being briefly hospitalized in a psychiatric ward.
Lamo told Wired that he suspected someone had stolen his backpack, and that paramedics were called when the police responding to reports of the alleged theft observed him acting erratically and perhaps slurring his speech. Wired later updated the story to note that Lamo’s father had reported him to the Sacramento Sheriff’s office, saying he was worried that his son was over-medicating himself with prescription drugs. In 2011, Lamo told news outlet Al Jazeera that he was in hiding because he was getting death threats for betraying Manning’s confidence and turning her in to the authorities. In 2013, he told The Guardian that he’d struggled with substance abuse “for a while.”

It’s not yet certain what led to Lamo’s demise. He was found dead in a Wichita apartment on March 14. According to The Wichita Eagle, Lamo had lived in the area for more than a year. The paper quoted local resident Lorraine Murphy, who described herself as a colleague and friend of Lamo’s. When Murphy sent him a message in December 2016 asking him what he was up to, he reportedly replied “homeless in Wichita.” “Adrian was always homeless or on the verge of it,” Murphy is quoted as saying. “He bounced around a great deal, for no particular reason. He was a believer in the Geographic Cure. Whatever goes wrong in your life, moving will make it better. And he knew people all over the country.” The Eagle reports that Wichita police found no signs of foul play or anything suspicious about Lamo’s death. A toxicology test was ordered but the results won’t be available for several weeks.

from https://krebsonsecurity.com/2018/03/adrian-lamo-homeless-hacker-who-turned-in-chelsea-manning-dead-at-37/

Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access to that information for at least six months starting at the end of May 2018, under a new proposal that seeks to bring the system in line with new European privacy laws.
The result, some experts warn, will likely mean more spams and scams landing in your inbox. On May 25, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — has proposed redacting key bits of personal data from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses). Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. (Most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free). But in a bid to help registrars comply with the GDPR, ICANN is moving forward on a plan to remove critical data elements from all public WHOIS records. Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public WHOIS lookups. The data to be redacted includes the name of the person who registered the domain, as well as their phone number, physical address and email address. The new rules would apply to all domain name registrars globally. 
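The practical effect of the redaction described above is easiest to see on the kind of job Mounier and Rasmussen have in mind: pulling WHOIS for a batch of domains and pivoting on a shared registrant email address. The Python below is an added example, not code from Krebs’s article; it contains a minimal port-43 WHOIS client (which needs network access and is not exercised by the offline demo) plus a parser for the common “Key: value” response layout, and runs the pivot over three constructed records. The record text, the domain names, the registrar names and the redaction marker strings are all made up for the example; real registrars vary in both layout and wording.

```python
import socket
from collections import defaultdict

# Strings used here to recognise a withheld field (an assumption for the
# example; real registrars word their redaction notices differently).
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "NOT DISCLOSED")

# Constructed sample WHOIS responses, not real records. Two domains share a
# registrant email; the third has had its registrant contact fields redacted.
SAMPLE_RECORDS = {
    "lure-one.example": """\
% Constructed sample record, not real WHOIS output
Domain Name: LURE-ONE.EXAMPLE
Registrar: Example Registrar, Inc.
Updated Date: 2018-02-11T09:30:00Z
Registrant Name: J. Doe
Registrant Email: ops@mailer.example
Name Server: NS1.HOSTER.EXAMPLE
Name Server: NS2.HOSTER.EXAMPLE
>>> Last update of WHOIS database: 2018-03-15T00:00:00Z <<<
""",
    "lure-two.example": """\
Domain Name: LURE-TWO.EXAMPLE
Registrar: Example Registrar, Inc.
Registrant Name: John Doe
Registrant Email: OPS@mailer.example
Name Server: NS1.HOSTER.EXAMPLE
""",
    "lure-three.example": """\
Domain Name: LURE-THREE.EXAMPLE
Registrar: Other Registrar LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.HOSTER.EXAMPLE
""",
}


def whois_query(domain: str, server: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 query: send the name on port 43, read until the server
    closes. Needs network access; the demo below uses canned responses."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((domain + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict. Repeated keys (Name Server,
    Domain Status) are joined with commas; comment and footer lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only: values hold times
        key, value = key.strip(), value.strip()
        if not key or not value:
            continue
        fields[key] = fields[key] + "," + value if key in fields else value
    return fields


def is_redacted(value) -> bool:
    """A missing field, or one carrying a redaction marker, cannot be pivoted on."""
    if not value:
        return True
    upper = value.upper()
    return any(marker in upper for marker in REDACTION_MARKERS)


def pivot_by_registrant_email(records: dict) -> tuple:
    """Group domains that share a Registrant Email. Returns the groups and the
    domains whose email is redacted and therefore cannot be linked this way."""
    groups = defaultdict(list)
    unlinkable = []
    for domain, text in records.items():
        email = parse_whois(text).get("Registrant Email")
        if is_redacted(email):
            unlinkable.append(domain)
        else:
            groups[email.lower()].append(domain)
    return dict(groups), unlinkable


if __name__ == "__main__":
    groups, unlinkable = pivot_by_registrant_email(SAMPLE_RECORDS)
    for email, domains in groups.items():
        print(f"{email}: {', '.join(domains)}")
    print("no registrant pivot possible for:", ", ".join(unlinkable))
```

Run offline, the pivot links the first two domains through ops@mailer.example and reports the third as unlinkable. Note that name servers are not among the fields ICANN proposes to redact, so the shared NS1.HOSTER.EXAMPLE still ties all three sample domains together; that weaker, infrastructure-based pivot is roughly what researchers are left with once registrant contact data goes dark.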
ICANN has proposed creating an “accreditation system” that would vet access to personal data in WHOIS records for several groups, including journalists, security researchers, and law enforcement officials, as well as intellectual property rights holders who routinely use WHOIS records to combat piracy and trademark abuse. But at an ICANN meeting in San Juan, Puerto Rico on Thursday, ICANN representatives conceded that a proposal for how such a vetting system might work probably would not be ready until December 2018. Assuming ICANN meets that deadline, it could be many months after that before the hundreds of domain registrars around the world take steps to adopt the new measures. Gregory Mounier, head of outreach at EUROPOL‘s European Cybercrime Center and member of ICANN’s Public Safety Working Group, said the new WHOIS plan could leave security researchers in the lurch — at least in the short run. “If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information,” Mounier told KrebsOnSecurity. “Let’s say you’re monitoring a botnet and have 10.000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.” Rod Rasmussen, chair of ICANN’s Security and Stability Advisory Committee, said ICANN does not have a history of getting things done before or on set deadlines, meaning it may be well more than six months before researchers and others can get vetted to access personal information in WHOIS data. Asked for his take on the chances that ICANN and the registrar community might still be designing the vetting system this time next year, Rasmussen said “100 percent.” “A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty,” Rasmussen said. 
“Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in people’s inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

As I noted in last month’s story on this topic, WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations. On any given day I probably perform 20-30 different WHOIS queries; on days I’ve set aside for deep-dive research, I may run hundreds of WHOIS searches. WHOIS records are a key way that researchers reach out to Web site owners when their sites are hacked to host phishing pages or to foist malware on visitors. These records also are indispensable for tracking down cybercrime victims, sources and the cybercrooks themselves. I remain extremely concerned about the potential impact of WHOIS records going dark across the board.

There is one last possible “out” that could help registrars temporarily sidestep the new privacy regulations: ICANN board members told attendees at Thursday’s gathering in Puerto Rico that they had asked European regulators for a “forbearance” — basically, permission to be temporarily exempted from the new privacy regulations during the time it takes to draw up and implement a WHOIS accreditation system. But so far there has been no reply, and several attendees at ICANN’s meeting Thursday observed that European regulators rarely grant such requests.

Some registrars are already moving forward with their own plans on WHOIS privacy. GoDaddy, one of the world’s largest domain registrars, recently began redacting most registrant data from WHOIS records for domains that are queried via third-party tools. And experts say it seems likely that other registrars will follow GoDaddy’s lead before the May 25 GDPR implementation date, if they haven’t already.
from https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/

Are you in need of a new phone but don’t want to break the bank? According to Android Central, buying a Refurbished Phone is a great alternative and becoming an ever-growing phenomenon. Recent reports state that 1 out of 10 mobile phones sold across the world are now refurbished.

What is a Refurbished Mobile Phone?

Pre-owned handsets that are returned faulty then repaired for resale are often described as ‘Refurbished Phones’; however, not all phones that are described as ‘refurbished’ were once faulty. Some retailers and networks class Refurbished Phones as devices that have been returned prior to the 30-day return policy. This is usually down to the consumer disliking the phone rather than an issue or fault arising. All leading retailers and manufacturers will perform a series of tests to determine if a Refurbished Phone is fit for re-sale. Tests will check battery life and other vital components such as touchscreen responsiveness and connectivity to both Wifi and 3G/4G. Once the phone has been tested and is deemed to be in full working order, most companies/retailers will grade the condition of the refurbishment, typically on a scale from A to C:

A: Excellent condition with minor signs of usage

All devices sold through a retailer or manufacturer are guaranteed to have been cleaned of any previous data, including that which is stored in the internal memory.

Why Should I Consider Buying a Refurbished Phone?

Let’s be honest, the price of a brand new phone is on the rise. With Apple releasing a £999 iPhone (iPhone X) and other leading companies hiking their prices in 2018, it seems like the latest handset on the market is guaranteed to cost you a fortune. With renowned retailers such as Amazon, GAME and Carphone Warehouse all stocking Certified Refurbished Phones, it speaks volumes about the current climate in the refurbishment industry.
Mobile networks and manufacturers also offer great deals on pre-owned handsets, which often helps reduce the cost of post-pay contracts considerably. As shown in a recent Uswitch report, consumers can save up to £15 a month by choosing a contract with a Refurbished Phone. These monthly savings are encouraging consumers to make the switch to this style of contract, often saving hundreds of pounds over the life of the deal while still getting a high quality product. Pairing a Sim-Only Deal with a Refurbished Phone is another great option when looking to save on your monthly phone bill. According to Money Saving Expert, Sim-Only Plans have recently lowered in price, with great deals on offer for as little as £7.99 per month. Most Refurbished Devices bought through a retailer or mobile network come with a 12-month warranty. However, it’s always best to check before you buy, as warranties will vary in length depending on the quality of the refurbishment.

Why would you buy an iMend Refurbished iPhone?

iMend.com are already well known in the mobile phone space as one of the most trusted nationwide Mobile Phone Repair businesses. After recently being acquired by Eco Renew, iMend.com are now able to source the UK’s most Premium Refurbished iPhones, an obvious product extension. These are available for both customers and business users alike. But what makes iMend’s Refurbished iPhones stand out from the rest? Unlike any other Refurbished Phone on the market, each device is remanufactured to new using 100% genuine parts, guaranteeing the highest standard in both appearance and performance. All devices are put through their paces and rigorously tested using industry leading methods, exceeding all quality levels currently available on the Refurbished Mobile Market.
Here are a few other key factors that make our Refurbished iPhones stand out from the crowd:

– Zero signs of usage – looks identical to a new iPhone

iMend’s Premium Refurbished iPhones can be with you in 24hrs thanks to their next-day delivery service. Confident you will be satisfied with your phone, they are offering a full refund within 14 days of purchasing if you are unhappy in any way with your remanufactured device. All Phones come with a 12-month hassle free warranty. Premium Refurbished iPhone 6 / 6s / 6s Plus / 7 / 7 Plus are available to purchase now. To find out more, please contact Sarah at iMend on: 0333 014 4262 or email: [email protected]

The post Premium Refurbished iPhones – Now Available At iMend.com appeared first on iMend Blog.

from https://www.imend.com/blog/premium-refurbished-iphones-now-available-at-imend-com-2/

Adobe and Microsoft each pushed critical security updates to their products today. Adobe’s got a new version of Flash Player available, and Microsoft released 14 updates covering more than 75 vulnerabilities, two of which were publicly disclosed prior to today’s patch release.

The Microsoft updates affect all supported Windows operating systems, as well as all supported versions of Internet Explorer/Edge, Office, SharePoint and Exchange Server. All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies, according to a post from security firm Qualys. “It is recommended that these be prioritized for workstation-type devices,” wrote Jimmy Graham, director of product management at Qualys. “Any system that accesses the Internet via a browser should be patched.”

The Microsoft vulnerabilities that were publicly disclosed prior to today involve Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940) and ASP.NET Core 2.0 (CVE-2018-0808), said Chris Goettl at Ivanti. Microsoft says it has no evidence that attackers have yet exploited either flaw in active attacks online.
But Goettl says public disclosure means enough information was released publicly for an attacker to get a jump start or potentially to have access to proof-of-concept code making an exploit more likely. “Both of the disclosed vulnerabilities are rated as Important, so not as severe, but the risk of exploit is higher due to the disclosure,” Goettl said. Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. Adobe’s Flash Player update fixes at least two critical bugs in the program. Adobe said it is not aware of any active exploits in the wild against either flaw, but if you’re not using Flash routinely for many sites, you probably want to disable or remove this awfully buggy program. Just last month Adobe issued a Flash update to fix two vulnerabilities that were being used in active attacks in which merely tricking a victim into viewing a booby-trapped Web site or file could give attackers complete control over the vulnerable machine. It would be one thing if these zero-day flaws in Flash were rare, but this is hardly an isolated occurrence. Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Chrome also bundles Flash, but blocks it from running on all but a handful of popular sites, and then only after user approval. For Windows users with Mozilla Firefox installed, the browser prompts users to enable Flash on a per-site basis. 
Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits. The latest standalone version of Flash that addresses these bugs is 29.0.0.113 for Windows, Mac, Linux and Chrome OS. But most users probably would be better off manually hobbling or removing Flash altogether, since so few sites actually require it still. Disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

from https://krebsonsecurity.com/2018/03/flash-windows-users-its-time-to-patch/

iMend Now Part of the Same Group as Mazuma Mobile

iMend.com, the UK’s leading nationwide mobile phone repair brand, are very pleased to announce that we have now joined the EcoRenew group of companies. Founded in Hong Kong in 2006, EcoRenew are one of the world’s leading and largest mobile phone refurbishment specialists. EcoRenew is a truly global business with almost 1500 staff across operations in the Philippines, China, UK, USA, Japan & UAE and turnover in excess of $300 million. State of the art factories across 3 continents produce 80,000+ refurbished smartphones every month and, with a strong environmental commitment, there is 0% waste to landfill. Keir McConomy, Founder and CEO of iMend.com, comments on the acquisition: “We are really pleased and proud to be part of the EcoRenew Group. It is a perfect strategic fit. The vision for iMend has always been to create the very best phone repair service in the world and this acquisition will enable this to happen.
EcoRenew’s resources will allow us to continue to improve our service to our customers, supercharge iMend’s growth and fully realise the brand’s global ambitions, so these are exciting times for us.”

As well as iMend, as part of its global expansion EcoRenew has recently acquired 2 other businesses in the UK – Mazuma Mobile and ICT Reverse. MazumaMobile.com is well recognised by many as the market-leading no. 1 brand in the UK for getting the best value for trading in your old mobile phone or tablet. Offering same day payment for your old mobile device, Mazuma is the most trusted phone recycler brand in the UK. ICT Reverse is the UK’s leading, fully accredited reverse logistics company for IT assets. It specialises in helping large enterprises recycle and data wipe electronic equipment such as PCs, laptops, servers, etc. For more information about EcoRenew and our group companies please see:

What Does This Mean For iMend Customers?

This is great news for iMend customers as it means iMend is now part of a much bigger global group with more resources. EcoRenew are the world’s leader in mobile device refurbishment, so have some of the best technical skills in the world plus state of the art high-tech facilities. Having access to these resources, iMend customers will benefit from an even greater focus on quality. Plus EcoRenew will be investing heavily in iMend to expand the business and improve the service even further for customers. So in summary, it’s all good news for iMend customers as the service and quality to our customers will continue to get better and better!

Premium Refurbished iPhones Now Available From iMend.com

As stated above, EcoRenew are one of the biggest mobile phone refurbishment specialists in the world. They specialise in particular in the refurbishment of Apple iPhones and produce high volumes of exceptional quality refurbished iPhones for large telecoms and insurance customers.
The other advantage of iMend being part of the EcoRenew Group is that this range of premium refurbished iPhones is now available to iMend’s customers.

How are EcoRenew’s Refurbished iPhones different?

EcoRenew don’t just refurbish iPhones, they completely remanufacture them back to new. The company operates a state of the art factory in Manila in the Philippines employing 1000+ people producing 80,000+ refurbished iPhones per month. The company uses the latest technology and innovative approaches to refurbishment to produce the highest quality product in the market. The devices are not just cosmetically refurbished: each device is completely disassembled and every single component is refurbished and remanufactured and then rigorously tested. What is truly unique about the process is that each device is completely remanufactured back to brand new condition with zero signs of use using all genuine parts, so the quality is unparalleled. Our devices look exactly like brand new devices. The only difference is the price! For more information about our unique iPhone Remanufacturing process see the following video of our facility:

There is a huge demand from consumers and business customers right now for refurbished phones. Savvy customers these days want the best value and many now prefer to buy refurbished devices rather than brand new as they are much better value. Why buy a brand new phone when you can buy a refurbished one that looks and functions like brand new for much less? Many are also buying refurbished devices to pair with sim-only contracts that offer better value. Our range of fully remanufactured iPhones is perfect to meet this demand as they look exactly like brand new phones but at a fraction of the cost. Each device comes boxed with genuine accessories and all devices come with a 12 month warranty. We believe these are the highest quality refurbished iPhones in the market today and they are now available through iMend.
All models of refurbished iPhones are available to buy including iPhone 6 / 6s / 6s Plus / 7 / 7 Plus. If you are interested in purchasing any of our range of Premium Refurbished iPhones please contact our team on 0333 014 4262 or [email protected].

About iMend.com

iMend.com are the UK’s leading nationwide mobile phone repair brand. iMend provides a market leading phone repair solution to both consumers and businesses. What is unique about the iMend service is that it has a national network of 200+ expert repair technicians that can go out to customers same day at their workplace or home to fix their phone securely at their convenience. iMend repairs all makes and models of phones and tablets including Apple, Samsung, Sony, LG, Huawei, Google, HTC, etc. and is 5* rated on Trustpilot with reviews from thousands of happy customers. iMend repairs over 100,000 devices every year and all repairs come with a 12-month warranty. For more information please go to www.iMend.com or view the iMend video here: https://youtu.be/HsQkjzoKk8Y

Press Contacts
Sarah McConomy
Tel: 0333 014 4262

The post iMend.com Acquired By EcoRenew Group appeared first on iMend Blog.

from https://www.imend.com/blog/imend-com-acquired-by-ecorenew-group/

A recent consumer survey suggests that half of all Americans still haven’t checked their credit report since the Equifax breach last year exposed the Social Security numbers, dates of birth, addresses and other personal information on nearly 150 million people. If you’re in that fifty percent, please make an effort to remedy that soon. Credit reports from the three major bureaus — Equifax, Experian and Trans Union — can be obtained online for free at annualcreditreport.com — the only Web site mandated by Congress to serve each American a free credit report every year.
Annualcreditreport.com is run by a Florida-based company, but its data is supplied by the major credit bureaus, which struggled mightily to meet consumer demand for free credit reports in the immediate aftermath of the Equifax breach. Personally, I was unable to order a credit report for either me or my wife even two weeks after the Equifax breach went public: The site just kept returning errors and telling us to request the reports in writing via the U.S. Mail.

Based on thousands of comments left here in the days following the Equifax breach disclosure, I suspect many readers experienced the same but forgot to come back and try again. If this describes you, please take a moment this week to order your report(s) (and perhaps your spouse’s) and see if anything looks amiss. If you spot an error or something suspicious, contact the bureau that produced the report to correct the record immediately.

Of course, keeping on top of your credit report requires discipline, and if you’re not taking advantage of all three free reports each year you need to get a plan. My strategy is to put a reminder on our calendar to order a new report every four months or so, each time from a different credit bureau.

Whenever stories about credit reports come up, so do the questions from readers about the efficacy and value of credit monitoring services. KrebsOnSecurity has not been particularly kind to the credit monitoring industry; many stories here have highlighted the reality that they are ineffective at preventing identity theft or existing account fraud, and that the most you can hope for from them is that they alert you when an ID thief tries to get new lines of credit in your name.

But there is one area where I think credit monitoring services can be useful: Helping you sort things out with the credit bureaus in the event that there are discrepancies or fraudulent entries on your credit report.
I’ve personally worked with three different credit monitoring services, two of which were quite helpful in resolving fraudulent accounts opened in our names. At $10-$15 a month, are credit monitoring services worth the cost? Probably not on an annual basis, but perhaps during periods when you actively need help.

However, if you’re not already signed up for one of these monitoring services, don’t be too quick to whip out that credit card: There’s a good chance you have at least a year’s worth available to you at no cost. If you’re willing to spend the time, check out a few of the state Web sites which publish lists of companies that have had a recent data breach. In most cases, those publications come with a sample consumer alert letter providing information about how to sign up for free credit monitoring. California publishes probably the most comprehensive such lists at this link. Washington state published their list here; and here’s Maryland’s list. There are more.

It’s important for everyone to remember that as bad as the Equifax breach was (and it was a dumpster fire all around), most of the consumer data exposed in the breach, covering a majority of Americans, has been for sale in the cybercrime underground for many years. If anything, the Equifax breach may have simply refreshed some of those criminal data stores.

That’s why I’ve persisted over the years in urging my fellow Americans to consider freezing their credit files. A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).
Bear in mind that if you haven’t yet frozen your credit file and you’re interested in signing up for credit monitoring services, you’ll need to sign up first before freezing your file. That’s because credit monitoring services typically need to access your credit file to enroll you, and if you freeze it they can’t do that.

The previous two tips came from a primer I wrote a few days after the Equifax breach, which is an in-depth Q&A about some of the more confusing aspects of policing your credit, including freezes, credit monitoring, fraud alerts, credit locks and second-tier credit bureaus.

from https://krebsonsecurity.com/2018/03/checked-your-credit-since-the-equifax-hack/

How good are you at telling the difference between domain names you know and trust and impostor or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you’re using.

For example, how does your browser interpret the following domain? I’ll give you a hint: Despite appearances, it is most certainly not the actual domain for software firm CA Technologies (formerly Computer Associates Intl Inc.), which owns the original ca.com domain name:

Go ahead and click on the link above or cut-and-paste it into a browser address bar. If you’re using Google Chrome, Apple’s Safari, or some recent version of Microsoft‘s Internet Explorer or Edge browsers, you should notice that the address converts to “xn--80a7a.com.” This is called “punycode,” and it allows browsers to render domains with non-Latin alphabets like Cyrillic and Ukrainian. Below is what it looks like in Edge on Windows 10; Google Chrome renders it much the same way.
Notice what’s in the address bar (ignore the “fake site” and “Welcome to…” text, which was added as a courtesy by the person who registered this domain):

IE, Edge, Chrome and Safari all will convert https://www.са.com/ into its punycode output (xn--80a7a.com), in part to warn visitors about any confusion over look-alike domains registered in other languages. But if you load that domain in Mozilla Firefox and look at the address bar, you’ll notice there’s no warning of possible danger ahead. It just looks like it’s loading the real ca.com:

The domain “xn--80a7a.com” pictured in the first screenshot above is the Ukrainian punycode for the Ukrainian letters for “s” (which is represented by the character “c” in Russian and Ukrainian), as well as an identical Ukrainian “a”. It was registered by Alex Holden, founder of Milwaukee, Wis.-based Hold Security Inc. Holden’s been experimenting with how the different browsers handle punycodes in the browser and via email.

Holden grew up in what was then the Soviet Union and speaks both Russian and Ukrainian, and he’s been playing with Cyrillic letters to spell English words in domain names. Letters like A and O look exactly the same and the only difference is their Unicode value. There are more than 136,000 Unicode characters used to represent letters and symbols in 139 modern and historic scripts, so there’s a ton of room for look-alike or malicious/fake domains.

For example, “a” in Latin is the Unicode value “0061” and in Cyrillic is “0430.” To a human, the graphical representation for both looks the same, but for a computer there is a huge difference. Internationalized domain names (IDNs) allow domain names to be registered in non-Latin letters (RFC 3492), provided the domain is all in the same language; trying to mix two different IDNs in the same name causes the domain registries to reject the registration attempt. So, in the Cyrillic alphabet (Russian/Ukrainian), we can spell АТТ, УАНОО, ХВОХ, and so on.
As you can imagine, the potential opportunity for impersonation and abuse is great with IDNs. Here’s a snippet from a larger chart Holden put together showing some of the more common ways that IDNs can be made to look like established, recognizable domains:

Holden also was able to register a valid SSL encryption certificate for https://www.са.com from Comodo.com, which would only add legitimacy to the domain were it to be used in phishing attacks against CA customers by bad guys, for example.

A SOLUTION TO VISUAL CONFUSION

To be clear, the potential threat highlighted by Holden’s experiment is not new. Security researchers have long warned about the use of look-alike domains that abuse special IDN/Unicode characters. Most of the major browser makers have responded in some way by making their browsers warn users about potential punycode look-alikes, with the exception of Mozilla, which by most accounts is the third most-popular Web browser. And I wanted to know why.

I’d read the Mozilla Wiki’s “IDN Display Algorithm FAQ,” so I had an idea of what Mozilla was driving at in their decision not to warn Firefox users about punycode domains: Nobody wanted it to look like Mozilla was somehow treating the non-Western world as second-class citizens.

I wondered why Mozilla doesn’t just have Firefox alert users about punycode domains unless the user has already specified that he or she wants a non-English language keyboard installed. So I asked that in some questions I sent to their media team. They sent the following short statement in reply:
If you’re a Firefox user and would like Firefox to always render IDNs as their punycode equivalent when displayed in the browser address bar, type “about:config” without the quotes into a Firefox address bar. Then in the “search:” box type “punycode,” and you should see one or two options there. The one you want is called “network.IDN_show_punycode.” By default, it is set to “false”; double-clicking that entry should change that setting to “true.”

Incidentally, anyone using the Tor Browser to anonymize their surfing online is exposed to IDN spoofing because the Tor Browser is built on Mozilla Firefox and inherits the same default. I could definitely see spoofed IDNs being used in targeted phishing attacks aimed at Tor users, many of whom have significant assets tied up in virtual currencies. Fortunately, the same “about:config” instructions work just as well on Tor to display punycode in lieu of IDNs.

Holden said he’s still in the process of testing how various email clients and Web services handle look-alike IDNs. For example, it’s clear that Twitter sees nothing wrong with sending the look-alike CA.com domain in messages to other users without any context or notice. Skype, on the other hand, seems to truncate the IDN link, sending clickers to a non-existent page.

“I’d say that most email services and clients are either vulnerable or not fully protected,” Holden said.

For a look at how phishers or other scammers might use IDNs to abuse your domain name, check out this domain checker that Hold Security developed. Here’s the first page of results for krebsonsecurity.com, which indicate that someone at one point registered krebsoṇsecurity[dot]com (that domain includes a lowercase “n” with a tiny dot below it, a character used by several dozen scripts). The results in yellow are just possible (unregistered) domains based on common look-alike IDN characters.
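As an added example (not code from the post, from Mozilla, or from Hold Security’s checker), the following Python script renders a domain both ways the browsers above do (Unicode vs. xn-- punycode) and then collapses look-alike characters to flag impersonation of a trusted-domain list; the small Cyrillic-to-Latin map and the trusted set are constructed assumptions, not the full Unicode confusables table.

```python
import unicodedata

# Constructed subset of lowercase Cyrillic letters whose glyphs resemble Latin ones
# (а с е о р х у в т н к м і). Not the full Unicode confusables table.
CYRILLIC_TO_LATIN = dict(zip(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0432\u0442\u043d\u043a\u043c\u0456",
    "aceopxybthkmi",
))

def to_ascii(domain: str) -> str:
    """What Chrome/Edge/Safari show: each non-ASCII label becomes xn-- punycode (RFC 3492)."""
    return domain.encode("idna").decode("ascii")

def canonical(domain: str) -> str:
    """Accept either form (са.com or xn--80a7a.com) and return the Unicode form Firefox shows."""
    return to_ascii(domain).encode("ascii").decode("idna")

def skeleton(domain: str) -> str:
    """Collapse look-alikes: Cyrillic -> Latin, diacritics stripped (krebsoṇsecurity -> krebsonsecurity)."""
    chars = []
    for ch in unicodedata.normalize("NFKD", canonical(domain).lower()):
        if unicodedata.category(ch) == "Mn":      # combining mark such as the dot under the n
            continue
        chars.append(CYRILLIC_TO_LATIN.get(ch, ch))
    return "".join(chars)

def scripts_in_label(label: str) -> set:
    """Scripts used by one label; the first word of a character's Unicode name is its script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def assess(domain: str, trusted: set) -> dict:
    """Summary a mail gateway or link-rewriter could act on for a single domain."""
    uni = canonical(domain)
    asc = to_ascii(uni)
    is_idn = asc != uni
    return {
        "ascii": asc,
        "idn": is_idn,
        "mixed_script": any(len(scripts_in_label(lbl)) > 1 for lbl in uni.split(".")),
        # an IDN whose skeleton equals a trusted ASCII name is a look-alike of that name
        "impersonates": skeleton(uni) if is_idn and skeleton(uni) in trusted else None,
    }

if __name__ == "__main__":
    # Constructed inputs: the post's са.com (both forms) and krebsoṇsecurity[dot]com.
    for d in ("\u0441\u0430.com", "xn--80a7a.com", "krebso\u1e47security.com", "ca.com"):
        print(d, "->", assess(d, {"ca.com", "krebsonsecurity.com"}))
```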
I wrote this post mainly because I wanted to learn more about the potential phishing and malware threat from look-alike domains, and I hope the information here has been interesting if not also useful. I don’t think this kind of phishing is a terribly pressing threat (especially given how far less complex phishing attacks seem to succeed just fine for now). But it sure can’t hurt Firefox users to change the default “visual confusion” behavior of the browser so that it always displays punycode in the address bar (see the solution mentioned above).

[Author’s note: I am listed as an adviser to Hold Security on the company’s Web site. However this is not a role for which I have been compensated in any way now or in the past.]

from https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/