Ads 468x60px

Featured Posts

Thursday, August 21, 2014

Abney and Associates Internet Technology: Why we remain disconnected even though we now connect more

The ubiquitous use of Internet everywhere except for the remotest corners of our globe today requires a technology that is unprecedented in the history of the human race. Satellites that transmit signals through a worldwide wireless communication infrastructure now surround our planet even more since Marconi (or should we say Tesla) invented the radio.

Whereas the Internet used to be the sole domain of US government spies and other agents working in foreign lands; it now serves as the basic tool for communication for many individuals and most, if not all, commercial and industrial concerns. And to think that only a few decades ago, the beeper and the fax machine reigned supreme as the quickest way to transmit data and short messages. Today, people can send sms, photos and videos in a few seconds just by using a smartphone or a PC.

We ask ourselves this question: How are we different from the people who lived before the Industrial Revolution in terms of social cohesion? Are we much more “in touch” with others because of social networking or are we merely communicating more but not really getting closer as we should? Let us look at some tell-tale signs of our continuing modern social alienation.

1. We continue to be a planet of alienated people

Most people who use Facebook have at least 50 or 100 friends with whom they share a big part of their wakeful life – from what they eat for  lunch to what they wear at a party and to where they spent the last weekend. Ironically, however, those posts are not entirely for all your friends but for those who are closely tied to the people in the photo or the video posted.

Only a few people use Facebook as a forum for dispensing vital information to as wide an audience as possible. And these people are either members of an advocacy or have a group that serves special social or economic needs. That is, while Facebook and other social networks are potent tools for promoting or advertising products and services, real social networking in the sense of getting in touch with people as they are and where they are is not largely being addressed.

In general, most people use these services to remove their sense of alienation, insecurity or loneliness in a still largely-divided and disparate world. Social networking has provided a means to spread knowledge but not a genuine merging of sentiments and beliefs. China and other communists countries and many Islamic nations control the Internet to prevent the flow of corruptive and immoral western influences, and rightly so. But most democratic countries have no such similar fear or care for their people as they allow almost anything to be seen and heard online.

2. In reality, we still remain choosy as to who we communicate with

Given the choice or if only Facebook administrators were more protective of individual privacy, we would all limit access to our activities to just a few people. But the way the system works, everyone gets to see what you post online. It is a ripe place for spies and criminals to look for hapless victims.

Sure, we all want to have exchange of the latest news with our close friends and relatives; but as it is, the whole world can find out as much the same things your son or daughter knows about your recent activities. But as we have no choice as to how we can control the flow of information, we just let it pass, hoping people will not care anyway about what we do in the same way that we will not care about what they will do. Any amazing or tragic events will merely catch our attention now and then as if we were only reading the news. What is important is we know how our immediate circle of relatives and friends are doing.

3. With the alienation and parochialism preserved, we still fail to reach out

Sure, when calamities or tragedies happen, the Internet allows us to come to the aid of those in need in a more rapid though indirect manner; but sadly it is limited to merely expressing platitudes and, at best, sincere kind words and providing financial aid. There are people, of course, who go beyond the virtual connection and come to the aid of victims in a very personal way; but that remains a minority. Social networking may help spread the word as to the extent of the disaster and the necessary medium for coordinating relief efforts; but in the end, the real help needed by people in need does not come from people who sit before a PC or with a smartphone in hand but from people who carry no gadgets but food, clothing, shelter and medicine and from tireless people who can offer a helping hand or a listening ear to those who are hurting.

Victims of Yolanda had no electricity nor cellphones to use after they were hit by the super-typhoon. They needed food and shelter which did not come until after several weeks. The first photos of the disaster, however, were online in a matter of days. People watched online as people suffered and many, to be fair, did help to alleviate the suffering.

The technology may have allowed us to all suffer together, whether in truth or vicariously; but we have merely magnified the degree of suffering without the corresponding amount of compassion and commiseration to flow toward those who need it. That is, like the news that bears bad report, we have helped to spread tragic things without providing the real consolation we must provide for those who suffer the tragedy. Many of us also suffer as we see the suffering from a distance without doing anything about it and whether that is good for a society or not is something we can ponder upon for a long time.

4. Internet Technology still has to provide a real beneficial service other than to inform or to entertain

In general, social networking and online activities are for the purpose of information and providing recreation. The amount of time people spend in gaming and even merely chatting into the wee hours of the morning provide no saving grace for the misuse or abuse of the technology. Young people waste a lot of time playing inane games and doing nothing but gossiping and yapping (as they used to do with the old land-phones). As far as using the technology to transform lives and to provide a venue for real social change, we do not see any of that happening except for a few groups that are into advocacies or activities that had already been in place even before the Internet came.

Internet technology only quickens the speed at which information is passed on or received; but it has not improved the ability of people to respond to meaningful and fruitful endeavors. What they do in schools, churches and offices they can continue to do after the bell rings or the clock strikes five, leaving people less time to be with themselves in solitude to think or meditate. We are connected, yes; but we remain as disconnected as ever.

So, if Internet technology has failed to make us more socially receptive and responsive, what can we do to make it more beneficial? We need to go back to the old way of talking face-to-face and touching one another in a loving and sincere way. Turning off the phone and the PC may be the best way we can do to recover and maintain the real process for communicating our needs and our joys with one another. And that is, by opening our hearts and minds to people without the barriers we have set up before and between ourselves. Using technology to accomplish that is still the real challenge we have today.

Sunday, July 6, 2014

An Abney Associates Fraud Awareness Program: Cyber-Attacks Seen Defrauding Brazilian Payment System of Billions

Cyber- criminals have abused the Boleto Bancário online payment system to steal potentially billions of dollars, according to security firm RSA.

Cyber-Criminals have infected nearly 200,000 computers in Brazil and used their access to issue payment vouchers with an estimated value of $3.75 billion, according to an analysis of the attack published by security firm RSA on July 1.

Dubbed the "Bolware" gang, the criminals abuse the Brazilian payment system known as Boleto Bancário, which allows customers to promise to pay an online merchant, print out a payment slip with a barcode and remit money at a bank. While previous attempts to defraud the payment system used fake boleto, the latest attack, which started in late 2012, infects Web browsers on compromised computers and modifies legitimate boleto to route payment to the criminal accounts.

"The Boleto Malware (is) a newer and more sophisticated kind of fraud in Brazil that leverages MITB (man-in-the-browser) technology to attack online operations, and is based on transaction modification on the client side," RSA stated in its analysis. "Like any substantial cyber-criminal operation, the Bolware gang has continued to innovate, revising their purpose-built malware through 19 different versions.

While the details of the fraud differ from payment fraud in other nations, the techniques—such as using a man-in-the-browser attacks—are similar to how criminals are attempting to steal money from financial institutions in the U.S. and Europe. Criminals adopted man-in-the-browser attacks to defeat additional countermeasures—such as IP address and device identification—deployed by financial institutions.

"It is a class of problem where the arms race has migrated," Dan Kaminsky, co-founder and chief scientist of White Ops, an anti-fraud technology firm. "Once upon time, it was good enough to steal a customer's username and password and log into the bank from wherever and do whatever you wanted, but they soon figured out that a California customer should not be logging in from Latvia."

While banks in Brazil and other nations continue to fight against payment fraud, such attacks expose weaknesses and undermine trust in the financial ecosystem in most countries. Because customer-owned computers are generally thought to work on behalf of the user, banks typically argue that any fraud that originates from compromised customer systems are the responsibility of the victims. Such fraud rose more than 200 percent in the first nine months of 2013, according to Symantec.

Small U.S. businesses, for example, have lost hundreds of thousands of dollars to such attacks and sued their banks for allowing funds to be transferred to foreign nations, even though it was the business's machine that was compromised. Courts have generally split on whether the business is responsible for the lost money, or if banks should catch anomalous transactions and perform extra security measures.

A similar scam, where the attacker changed the banking information to which publisher Conde Nast sent funds, resulted in $8 million being transferred in six weeks, but the money was frozen before attackers could transfer it to their own bank accounts

While the Brazilian crime network is not large compared to other botnets, the potential profits for its operators are huge, according to RSA.

"Boleto malware is a major fraud operation and a serious cyber-crime threat to banks, merchants and banking customers in Brazil," the company stated. "While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds."

Monday, June 30, 2014

An Abney Associates Fraud Awareness Program: The resurgence of data-entry phishing attacks

‘Old school’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere.

Data-Entry phishing emails lure employees into freely giving up their login credentials by taking them to a seemingly legitimate landing page. Attackers then use the credentials to establish a foothold in the network.

When spear phishing, data-entry style emails contain a link that takes the recipient to a webpage that appears to be a genuine corporate or commercial site soliciting login information.

Despite their pervasiveness and high-success rate, data-entry attacks seeking login credentials and other sensitive information have been a secondary concern for enterprises.

Information security teams have been more concerned with phishing emails that attempt to carry out drive-by attacks through a malicious link or malware delivery via an attachment.

Since data-entry phishing attacks don’t require malware, it’s quite possible to fall victim to this technique and never even realise it. Victims will often enter their information and not recognize something is wrong. Without the presence of malware, these attacks often go undetected by technical solutions.

However, this doesn’t mean the consequences are any less severe. 

Once attackers gain legitimate credentials into the network, their activity is difficult to detect. Using these credentials they can often exfiltrate significant amounts of information from overly permissive file shares, search for other devices with weak or default credentials, and possibly escalate privileges to dump entire username/password databases that can continue to grant future access.

This activity may have the appearance of an insider threat, so breaches caused by data-entry phishing are often attributed to this source. Is it really an inside job if they gained access through a spear phish?

From an attacker’s perspective, what is easier: researching social media to craft a spear phishing email, or recruiting an actual insider within the organisation?

Some experts in the security industry have identified two-factor authentication as a way to mitigate this threat; however, two-factor authentication will not prevent phishing. While two-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful.

If a user is tricked into revealing login credentials to a false landing page, two-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the second factor of authentication, but the underlying tactics would remain the same.

Even if two-factor authentication could prevent phishing, for large enterprises implementing the solution across the board is often cost prohibitive and a logistical nightmare. This isn’t to say that two-factor authentication doesn’t improve security, but it isn’t a panacea.

The same goes for technologies and services that take down phishing websites. At best, these technologies offer lead times of four to eight hours to take down phishing sites. It can often take longer, particularly if the site’s domain is in an unfriendly country or if the site is hosted using a subdomain on a large provider. Continue reading…

Sunday, June 29, 2014

An Abney Associates Fraud Awareness Program: Identity fraud is on the increase

Recent statistics by the Southern African Fraud Prevention Service (SAFPS) reveal that identity fraud is on the increase.

Based on the year-to-date figure, 1 370 cases had been reported to the SAFPS as at the end of April. 

Experts warn that the figure could be the tip of the iceberg as the statistics only indicate the cases that have been recorded.

There was a 16% increase in fraud from a total of 3327 cases in 2012 to a total of 3873 cases in 2013. 

The crime cost the local economy a whopping R1bneach year. It is estimated that the number of incidents could exceed the 4000 mark by the end of 2014.

Frank Lenisa, director of credit bureau Compuscan, said they had been keeping a close watch on the situation and was endeavouring to educate consumers and assist them in preventing the negative impact that fraud can have on their credit reports.

“It’s concerning to see that there is an increase in identity fraud.

What worries us even more is that consumers are often unaware that they have fallen victim to such a crime and this could have a severe negative knock-on effect in their ability to obtain credit in future,” said Lenisa

Lenisa also said it was important for credit-active consumers to keep a close eye on account activity in their name to prevent and recover from identity fraud.

“This is one of the steps that can be taken to protect the health of their credit records.

Credit-active consumers can safeguard themselves by obtaining a copy of their credit reports as regularly as possible and carefully examining every piece of information. 

It is recommended that this is done once a month,” he said

He added that consumers should carefully examine their statements, keep their passwords and identity numbers secure and shred receipts and statements before discarding them.

“It must also be stressed that personal information should never be given over the phone and the authenticity of websites should be checked before entering any personal information,” said

According to the latest National Credit Regulator Credit Bureau Monitor, there were 20.

64 million credit-active consumers in South Africa as at the end of December last year and each one of these consumers are urged to pay close attention to the threat of fraudulent activity that could affect their credit records.

Credit-active consumers can safeguard themselves by obtaining a copy of their credit reports as regularly as possible and carefully examining every piece of information.

Friday, June 27, 2014

An Abney Associates Fraud Awareness Program: Little reform since Snowden spilled the beans

LONDON – A year has passed since the American former intelligence contractor Edward J. Snowden began revealing the massive scope of Internet surveillance by the U.S. National Security Agency.

His disclosures have elicited public outrage and sharp rebukes from close U.S. allies like Germany, upending rosy assumptions about how free and secure the Internet and telecommunications networks really are.

Single-handedly Snowden has changed how people regard their phones, tablets and laptops, and sparked a public debate about the protection of personal data.

What his revelations have not done is bring about significant reforms.

To be sure, U.S. President Barack Obama, spurred by an alliance between civil society organizations and the technology industry, has taken some action. In a January speech, and an accompanying presidential policy directive, Obama ordered American spies to recognize that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.”

Some specific advances, unprecedented in the shadowy world of intelligence agencies, have accompanied this rhetorical commitment to privacy. When technology companies sued the government to release details about intelligence requests, the Obama administration compromised, supporting a settlement that allows for more detailed reporting. Under this agreement, companies have the option of publishing figures on data requests by intelligence agencies in ranges of 250 or 1,000, depending on the degree of disaggregation of the types of orders.

Though this represents a step forward, it is far from adequate, with gaping loopholes that prohibit reporting on some of the most notorious NSA programs such as the dragnet collection of phone records under Section 215 of the USA Patriot Act.

Moreover, Obama has demurred on the most significant recommendations of the independent review group that he appointed.

And the USA Freedom Act, which was meant to stop the mass collection of Americans’ phone records, is being diluted by a set of amendments that would enable the government to continue collecting metadata on millions of individuals without their consent.

This metadata — covering whom we talk to, when and for how long — can reveal as much about our private lives as the content itself.

Relative to the rest of the world, the United States has taken the strongest action since the Snowden revelations began. Of course, Snowden exposed more about the U.S. government’s surveillance activities than any other country. But the documents also included egregious examples of overreach by the Government Communications Headquarters, the United Kingdom’s signals intelligence agency and information about intelligence sharing in the so-called “Five Eyes” network of the United States, the United Kingdom, Canada, Australia, and New Zealand.

The agreements that govern the pooling and exchange of intelligence among these governments remain closely guarded secrets. Continue reading…

Wednesday, June 25, 2014

An Abney Associates Fraud Awareness Program on Apple implements MAC anti-tracking technique

Apple is going to implement random MAC addresses technology in its iOS8 devices, an anonymity-granting technique which late computer prodigy Aaron Swartz was accused of using to carry out his infamous MIT hack.

Swartz, who faced criminal prosecution on charges of mass downloading academic documents and articles, was also accused of using MAC (Media Access Control) spoofing address technology to gain access to MIT’s subscription database.

At the time of his suicide at the age 26, Swartz was facing up to 35 years in prison, the confiscation of assets and a $1 million fine on various charges.

Now computer giant Apple is installing a MAC address randomizing system into its products. The company announced that in its new iOS 8, Wi-Fi scanning behavior will be “changed to use random, locally administered MAC addresses.”

MAC-address is a unique identifier used by network adapters to identify themselves on a network, and changing it could be regarded as an anti-tracking measure.

David Seaman, journalist and podcast host of “The DL Show,” told RT that a single technology cannot protect users from being spied upon and advised users to trust no one, particularly the companies that have been caught cooperating with agencies such as the NSA, or those who used to turn a blind eye toward governments’ illegal activities.

RT: Why is Apple suddenly becoming interested in boosting the privacy protection of its devices by spoofing MAC-addresses?

David Seaman: That’s one of the techniques that Apple has adopted to spoof these MAC-addresses and it’s just another step to make smart phones and other devices, other mobile devices a bit more secure. Of course you have to keep in mind that a smart phone is to begin with not all that secure, because there are so many different application developers, as well as the fact that you have to rely on whatever cell phone company is providing you with a signal. So this definitely doesn’t make phones completely secure, but I think it’s a step in the right direction.

RT: Some argue that Apple’s attempt to protect the privacy of its users is pretty much useless because there are many ways to see where the device is. Do you agree that what they are trying to give us is perhaps not really the full picture?

DS: There are a number of other hardware identifiers, aside from the MAC-address that your cell phone is still emitting, and which, using cell towers, they can still find your exact location. So this definitely doesn’t restore total privacy to the user, it’s just one band aid. And I think if you’re injured, you should use as many band aids as possible.

But there’s also a larger thing here which is that governments are spying on us and these cell phones are not designed to be all that secure from day one. And there are a number of private companies that, I wouldn’t say spying, but eavesdropping on what you’re doing to make money out of you. And this is a growing problem as we spend more and more of our lives online and on our phones and we expect these things to be secure. Continue reading…

Tuesday, June 24, 2014

An Abney Associates Fraud Awareness Program on YouTube Video Teaches Credit Card Fraud

The YouTube video features Lil Wayne rapping over a melancholy beat: "I see that guilt beneath the shame. I see your soul through your window pane."

Displayed on the screen is a message for aspiring credit card fraudsters.

"Everyone...I'm selling full cc generator...I also sell full cc...Have much more hacking tools, software   and other Business to offer. Only serious buyers."

The pitch for credit card fraud plays alongside an ad for American Express credit cards -- which means that the apparent cybercriminal who posted the video may profit not just on the stolen data   but also on the ads purchased by the credit card companies that had their data stolen.

The odd set-up, it turns out, is not unique. YouTube is littered with videos marketing stolen credit cards and other tools for criminal ventures. (Many liven up their pitches with unauthorized samplings from famous musicians.)

A report to be released Tuesday by the Digital Citizens Alliance, an Internet safety advocacy organization, blasts Google Inc., YouTube's parent company, for profiting from ads paired with such videos.

The illicit videos are so common that it's almost inevitable that legitimate advertisers will get paired with them.

The process begins with a user posting a video onto the site and agreeing to allow ads. If the videos get a certain number of hits, their producers can get a cut of the revenue coming from the ads.

A search   of credit card fraud terms reveals the extent of the problem: "CC Fullz" brings up 2,030 videos, according to the report. (Fullz is slang for a full package of identifying information on a credit card holder.) "Buy cc numbers" shows 4,850 results. And "CC info with CW" brings up 8,820 hits.

"Many of these videos are embedded with advertisements, which means that Google is effectively in business   with crooks peddling stolen or bogus credit cards," the report states.

The videos are commonly displayed alongside ads for major companies. In one instance, the accompanying pitch was for Target, a company still reeling from the kind of credit card attacks these videos help facilitate.

Asked about the pairing by The Times, Target spokesman Evan Lapiska said "the ad placement in question is a clear violation of the contract terms with the vendor who manages ad placements online."

"We are working with them to address this issue as soon as possible," Lapiska said in a statement.

Target and other advertisers have little control over whether their promotions get paired up with fraud videos. The responsibility for weeding out such videos falls on YouTube and Google.

Tom Galvin, executive director of Digital Citizens Alliance, said Google has failed to implement a systemic fix for keeping such videos from going live.

Galvin acknowledged that it would be untenable for YouTube to check every video that gets uploaded onto the site. But he said common search terms such as "fake credit card numbers" should be vetted.

"YouTube is supposed to be this mainstream site," Galvin said. "It's not a good thing when these mainstream sites start looking like the dark corners of the Internet."

Galvin said he didn't blame the advertisers, such as Target, who ended up on the illicit videos: "They're kind of captive to the system."

Google, which owns YouTube, did not respond to questions from The Times.