
Thursday, May 29, 2014

An Abney Associates Tech Tips: EBay believed user data was safe after cyber attack

EBay initially believed that its customers' data was safe as forensic investigators reviewed a network security breach discovered in early May and made public last week.

EBay has come under fire over its handling of the cyber attack, in which hackers accessed personal data of all 145 million users, ranking it among the biggest such attacks launched on a corporation to date.

"For a very long period of time we did not believe that there was any eBay customer data compromised," global marketplaces chief Devin Wenig said, in the first comments by a top eBay executive since the e-commerce company disclosed the breach.

EBay moved "swiftly to disclose" the breach after it realised customer data was involved, he said.

Wenig would not say when the company first realised that the cyber attackers accessed customer data, nor how long it took to prepare last week's announcement.

He said hackers got in using the credentials of three corporate employees, eventually making their way to the user database.

The attackers accessed email addresses and encrypted passwords belonging to all eBay users. "Millions" of users have since reset their passwords and the company had begun notifying customers, though it would take some time to complete that task, Wenig said.

"You would imagine that anyone who has ever touched eBay is a large number," he said. "So we're going to send all of them an email, but sending that number all at once is not operationally possible."

At least three US states are investigating the company's security practices, and New York's attorney general called on eBay to provide free credit monitoring services to users.

But the internet retail giant has no plans to compensate customers or offer free credit monitoring for now because it had detected no financial fraud, Wenig said.

Wenig declined comment when asked if he thought eBay had good security prior to the breach. He said the company would now bolster its security systems, and has mobilised senior executives in a subsequent investigation of the attack.

"We want to make sure it doesn't happen again so we're going to continue to look at our procedures, harden our operational environment and add levels of security where it's appropriate."

The breach marked the latest headache for eBay this year. In January, it crossed swords publicly with activist investor Carl Icahn, who mounted a campaign to get it to spin out PayPal. Then in April, the e-commerce company disappointed investors with a weak second-quarter outlook, pressuring its shares.

Avoiding back doors

Buying and selling activity on eBay remained "fairly normal" though eBay is still working out the cost of the breach, which included hiring a number of security firms. Wenig, who was previously a senior executive at Thomson Reuters, declined to comment on whether the cost could be material to eBay's results.

Wenig's revelation that the company initially believed that no customer data had been compromised might take some of the heat off eBay's executive team.

Cyber forensics experts said it's not uncommon for large companies to take weeks to grasp the full impact of an attack, because hackers are often able to steal data without leaving obvious clues.

"In some cases you go in and find the smoking gun immediately. Other times, it takes a few days or even a few weeks," said Kevin Johnson, a cyber forensics expert who was not involved in the eBay investigation but has worked for other Fortune 500 companies.

Daniel Clemens, a forensics expert and CEO of Packet Ninjas, said investigators often ask companies to hold off on disclosure until they believe they understand the full extent of an attack.

Otherwise, they risk tipping off attackers who might cover their tracks or leave "back doors" so they can return after the investigators complete their probe.

Last week, the e-commerce company announced that hackers raided its network between late February and early March. The company said financial information was not compromised and its payments unit PayPal was not affected.

When eBay first discovered the network breach in early May, the senior team was immediately involved and held multiple daily calls on the issue. EBay staff have been working around the clock since then.

Wenig said he could not provide much more detail about what happened in the attack beyond the scant information given out so far.

He declined to provide further specifics, citing ongoing investigations by the Federal Bureau of Investigation and several forensics firms including FireEye's Mandiant division.

The article above is a repost from Abney and Associates.

Wednesday, May 28, 2014

An Abney Associates Tech Tips: Americans Are More Afraid Of Credit Card Fraud

What are you afraid of?

That's the question that information technology company Unisys aims to answer in the 2014 installment of its annual security index, which measures eight major concerns of U.S. citizens in four areas: national, financial, internet, and personal security.

This year, credit card security tops the list, which may not be too surprising when you consider the hysteria surrounding the Heartbleed Bug. In fact, Americans are more concerned about technological threats than they are about physical ones, like war or terrorism.

The above article is a repost from Abney and Associates.

Tuesday, May 27, 2014

An Abney Associates Tech Tips: Europe's order to mute Google angers US

MOUNTAIN VIEW, CALIF. — Europe's moves to rein in Google — including a court ruling this month ordering the search giant to give people a say in what pops up when someone searches their name — may be seen in Brussels as striking a blow for the little guy.
But across the Atlantic, the idea that users should be able to edit Google search results in the name of privacy is being slammed as weird and difficult to enforce at best and a crackdown on free speech at worst.

"Americans will find their searches bowdlerized by prissy European sensibilities," said Stewart Baker, former assistant secretary for policy at the U.S. Department of Homeland Security. "We'll be the big losers. The big winners will be French ministers who want the right to have their last mistress forgotten."

Mountain View, California -based Google says it's still figuring out how to comply with the European Court of Justice's May 13 ruling, which says the company must respond to complaints about private information that turns up in searches. Google must then decide whether the public's right to be able to find the information outweighs an individual's right to control it — with preference given to the individual.

The judgment applies to all search engines operating within the European Union. But in practice that means Google, given that 90 percent of all online searches there use Google's search engine.

"The ruling has significant implications for how we handle takedown requests," Google spokesman Al Verney said. "This is logistically complicated, not least because of the many languages involved and the need for careful review. As soon as we have thought through exactly how this will work, which may take several weeks, we will let our users know."

There will be serious technological challenges, said U.S. privacy attorney David Keating in Atlanta.

"It seems aspirational, not a reality, to comply with such a standard," he said. "The reengineering necessary to implement the right to be forgotten is significant."

Google may partially automate the process, as it does with copyright-infringement complaints, but ultimately a human will have to decide when results should be sanitized.

Johannes Caspar, who as Hamburg's Commissioner for Data Protection acts as Germany's lead regulator of Google on privacy issues, confirmed the company is already working on an "online tool" to help people file complaints.

Because the court's ruling applies only within Europe, it will mean some fragmentation of search results. That is, Europeans and Americans will see slightly different versions of the Internet. A worst-case scenario would be if Google decides it must err on the side of caution and removes links liberally in order to avoid lawsuits, critics of the ruling said.

Wikipedia founder Jimmy Wales, who has been an outspoken critic of the ruling, summarized it for The Associated Press as a "technologically incompetent violation of human rights." He said it amounts to censorship, and he predicted it will ultimately be scrapped.

"The danger is that search engines now are faced with an uncertain legal future which may require them to censor all kinds of things when someone thinks it is 'irrelevant'," Wales said.

In the wake of the decision, some Europeans are already asking to clean up their online history, though there may not yet have been a "flood" of hundreds of requests, including some from pedophiles and politicians, as was reported in the British press shortly after the ruling was handed down.

In Britain, David Murphy of the Information Commissioner's Office said "while we've had some people get in touch around this issue, we're simply telling them to speak to Google."

Officials in the Netherlands said they haven't had any new requests since the ruling.

Caspar, the German official, said his office has received 20 new requests, including some from people who won legal fights with websites to have material taken down — but the sites didn't comply because they were based abroad.

Differences between the U.S. and Europe over privacy have never been greater, sparked by recent revelations that the U.S. National Security Agency secretly broke into communications on Yahoo and Google abroad and targeted overseas telecoms, including German Chancellor Angela Merkel's own cellphone.

Joel Reidenberg, visiting professor of information technology policy at Princeton University, said the ruling was not surprising, "given the current tenor of US-European privacy relations as a result of the Snowden revelations."

A "fundamental divide" between the European and American worldview is becoming evident, he said.

"In Europe, there is a sense that privacy and control over personal data are basic human rights," he said. In America, freedom of speech and free-market solutions tend to prevail, he said.

Nico Sell, who runs San Francisco-based Wickr, an encrypted messaging service, said it would make more sense to let individuals, not tech giants, control their own online presence.

"The right to be forgotten is a great idea philosophically, but it is wrong to put the onus on Google or Facebook," she said. "They have no idea where all your data is, and this is not their job. We need to give consumers tools with the ability to add expiration dates to their personal data."

The above article is a repost from News Observer.

Monday, May 26, 2014

An Abney Associates Tech Tips: Inside the ‘iWatch’

Apple's anticipated entry to the wearable devices market has taken on near-mythical status, with rumors reaching every corner of the technology map. AppleInsider has rounded up some of the technologies most likely to find their way into the still-unannounced "iWatch."



Apple's interest: A $578 million deal with sapphire equipment maker GT Advanced Technologies to open and operate a massive commercial sapphire plant in Arizona.

Much has been made of Apple's agreement with GT Advanced Technologies. Many believe the new jointly-operated facility in Arizona will produce display covers to replace the Gorilla Glass currently used in the iPhone and iPad; some think the crystals will be used in an iWatch, while still others believe that Apple simply needs more sapphire for its camera lenses and Touch ID housings.

If sapphire is to be used as a main component of an Apple device, the iWatch is its most likely target. High-end watch companies have long used sapphire to cover the faces of their timepieces because of its scratch resistance, but — as anyone who has dropped a sapphire-covered watch can attest — the material is prone to shattering, making it far better suited for a device that's constantly strapped to a person rather than hanging loosely in their hands.


Apple's interest: A $20 million contract for exclusive rights to use Liquidmetal in consumer electronics and a number of manufacturing patents related to the material. That agreement was re-upped through February 2015 earlier this week.

Liquidmetal is an amorphous alloy — essentially, metallic glass — that is much lighter, harder, and more flexible than metals traditionally used in electronics manufacturing. Parts made of Liquidmetal could "snap back" from deformations that might cause permanent bends or dents in other metals, such as Apple's omnipresent aluminum, and it's extremely scratch-resistant.

Liquidmetal is difficult to work with, however. Apple famously tested its viability by using it to make the SIM ejector tool included with the iPhone 3GS, but Liquidmetal's inventor predicted in 2012 that at least two to four years of further refinement in manufacturing processes was necessary before it could be commercially viable on a large scale.

Complicating Liquidmetal's possible appearance in Apple's iWatch is a deal with Switzerland's Swatch group that granted the horologists exclusive use of Liquidmetal in watches.



Apple's interest: Apple has a number of OLED-related patents to its name, including dynamic brightness adjustment and improved power efficiency. The company also hired away a senior OLED researcher from LG Display.

OLED — or organic light-emitting diode — displays are a new type of display in which each pixel is made of an organic compound that emits light when electrical current is passed through it. Because of this design, OLED panels don't require a backlight, making them thinner and lighter than traditional LCD-based panels and adding the potential to be folded or curved.

While many Apple watchers previously expected the iWatch to ship with a more traditional LCD panel, the tide of opinion has shifted in recent months in favor of OLED. The inclusion of a flexible OLED would allow for a more form-fitting design in which the screen could curve with the contours of the wearer's wrist, rather than sitting flat on the top.

From the outside, Apple has long seemed apathetic toward OLEDs. Former CEO Steve Jobs is thought to have disliked the technology, and current chief Tim Cook panned OLED earlier this year, saying that the displays showed "awful" color saturation.

"If you ever buy anything online and really want to know what the color is, as many people do, you should really think twice before you depend on the color from an OLED display," he said.


A similar micro LED array displayed by Taiwanese researchers

Apple's interest: Acquired micro-LED display maker LuxVue Technologies earlier this month for an unknown price.

Micro LEDs are essentially exactly what they sound like: very small LEDs. The technology that enables their miniaturization also plays a part in lowering power consumption and increasing brightness, with the combination placing micro LED arrays in direct competition with OLEDs.

This is a relatively new technology, however; Apple's acquisition of secretive LuxVue is likely to have given micro LEDs more exposure the day it was uncovered than the technology has received since its invention. Despite a number of high-profile backers — and their rumored inclusion in Google's next-generation Glass headset — micro LEDs have yet to find their way into a shipping consumer device.

Still, there is reason to believe that Apple may have chosen the micro LED route. At least one of LuxVue's patents covers the manufacturing of a curved micro LED array, which could replace the flexible AMOLED display Apple is thought to have targeted.

The article above is a repost from Abney and Associates.

Sunday, May 25, 2014

An Abney Associates Tech Tips: Effective Google Drive phishing scam returns

A particularly crafty and effective Google Drive phishing scam that was originally spotted by Symantec researchers back in March has experienced a resurgence here in May, but with one key difference – a page corruption that may set off red flags for would-be victims.

The same phishers seem to be at work here, Satnam Narang, a Symantec researcher, said in a Thursday email, explaining that, like before, users are directed to a phony Google Drive login page if they click on a link in an email with “Documents” as the subject.

Credentials are compromised if submitted on the phishing page and victims are then redirected to an actual document hosted on Google Drive, but careful users who look at the bottom right of the phony website, by the option to choose languages, may be tipped off to the scam by a glaring issue.

“The options within the language selection box at the bottom of the page are corrupted,” Narang said. A Wednesday blog post by Nick Johnston, a Symantec researcher, contains pictures that show how most language names are bookended by question marks.

Aside from the question mark gaffe, the scam is particularly convincing because it uses the actual Google Drive platform, which serves up the phishing website over SSL, according to the post. Google did not immediately respond to a request for comment on why phishing pages could be served up this way.
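The two tells described above, a credential form served from Drive-hosted user content and language labels wrapped in question marks, can be checked mechanically. The following is an added example, not code from Symantec or from the original post: the `googledrive.com` hosting host, the lure e-mail and the page HTML are assumptions constructed for illustration, and `fetch` is injected so the check runs offline or through a sandboxed fetcher.

```python
"""Score an e-mail for the Drive-hosted phishing pattern described above.

Added example. The hosting host, the sample e-mail and the sample HTML are
constructed assumptions, not artefacts from the Symantec write-up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: Drive served raw HTML from shared folders under this host in 2014.
# A credential form on such a page is the red flag, because a genuine Google
# sign-in page is never served from user-uploaded content.
DRIVE_HOSTING_HOST = "googledrive.com"
SUSPECT_SUBJECTS = {"documents"}


class _PageScanner(HTMLParser):
    """Collect the two signals the text mentions: password fields and '?'-wrapped labels."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.corrupted_labels = 0

    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("type", "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):
        # The May 2014 variant's language menu rendered names as '?English?'.
        if re.fullmatch(r"\s*\?[^?]+\?\s*", data):
            self.corrupted_labels += 1


def extract_links(body):
    """Return every http(s) URL found in a plain-text or HTML body."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


def is_drive_hosted(url):
    host = (urlparse(url).hostname or "").lower()
    return host == DRIVE_HOSTING_HOST or host.endswith("." + DRIVE_HOSTING_HOST)


def scan_page(html):
    """Return (password_fields, corrupted_labels) for one page."""
    scanner = _PageScanner()
    scanner.feed(html)
    return scanner.password_fields, scanner.corrupted_labels


def assess(subject, body, fetch):
    """Return (verdict, reasons). fetch(url) must return the page HTML."""
    reasons = []
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        reasons.append("bare 'Documents' subject")
    for url in extract_links(body):
        if not is_drive_hosted(url):
            continue
        pw, corrupt = scan_page(fetch(url))
        if pw:
            reasons.append(f"password form served from user content at {url}")
        if corrupt:
            reasons.append(f"{corrupt} '?'-wrapped labels at {url}")
    verdict = "phishing" if any("password form" in r for r in reasons) else "clean"
    return verdict, reasons


# Constructed sample lure and landing page (not real captures).
SAMPLE_SUBJECT = "Documents"
SAMPLE_BODY = "Please view the document here: https://googledrive.com/host/0B-example/index.html"
SAMPLE_PAGE = """<html><form action="https://203.0.113.9/collect.php" method="post">
<input name="Email"><input type="password" name="Passwd"><button>Sign in</button></form>
<select><option>?English?</option><option>?Deutsch?</option></select></html>"""


def demo():
    return assess(SAMPLE_SUBJECT, SAMPLE_BODY, lambda url: SAMPLE_PAGE)


if __name__ == "__main__":
    print(demo())
```

The password-form signal decides the verdict; the subject line and the corrupted labels only add supporting reasons, since a real shared document can have the same subject and the question-mark gaffe was specific to the May variant.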

Narang said that enabling two-step verification should help prevent unauthorized access to accounts.

“Getting user Google account credentials opens the door to [many services, including] Gmail, Google Drive, Google Plus [and] Google Wallet,” Narang said. “And that email can be used to reset passwords for other services you might use.”

In another Google Drive scam recently observed by Symantec, victims were redirected to a Brazilian website hosting a trojan detected as ‘Trojan Horse,’ Narang added.

Friday, May 23, 2014

An Abney Associates Tech Tips SECURITY WARNING

The Association of Cyprus Banks has issued a warning for all bank customers in relation to Phishing attacks or fraudsters attempting to steal their personal data over the phone, email and internet.

Phishing is a type of internet fraud that seeks to acquire a user’s credentials by deception. It includes theft of passwords, credit card numbers, bank account details and other confidential information. The announcement said that in Cyprus, fraudsters call people who have bank accounts and pretend that they are bank employees calling to confirm their clients’ bank account number, password, ID details and other personal data.

Fraudsters also send fake emails, pretending to be the bank of the recipient in order to convince them to divulge their personal data. They come up with various reasons for sending the email such as security reasons, fraud, renewal of their data and other.

If recipients click the link, they are redirected to a page where they have to enter the access codes they use for online banking services.

“If someone falls victim to fraud it usually means that fraudsters have managed to gain access to their bank account and steal their money by transferring sums to their own account in Cyprus or abroad,” said the announcement.

The Association said that in the case that a client has revealed their password and realised they have fallen victim to fraud, they should immediately notify their bank to change their access codes.

The Association emphasised that all banks in Cyprus and all professional bank organisations around the world will never call or send messages to their clients asking them to reveal their personal details and provide access codes to online banking services.

The only messages that banks send their customers involve information about their services, products or special offers. They also mentioned that access to online banking services should be attempted only through the official website of each bank. Customers should not trust other similar websites or reveal their personal information such as access codes to such websites.

Customers can receive more information about security issues from their bank’s website or by calling their local bank.


Thursday, May 22, 2014

An Abney Associates Tech Tips China vents outrage over U.S. cyberspying indictment

BEIJING — Outraged by U.S. cyberspying charges against members of a secretive Chinese military unit, China summoned the U.S. ambassador in Beijing for a dressing down, state media said Tuesday, and the Defense Ministry blasted the U.S. accusations as hypocritical.

The government, meanwhile, published new statistics that it said showed massive cyberattacks on China originating from the United States. “Those activities target Chinese leaders, ordinary citizens and anyone with a mobile phone,” the state-run Xinhua News Agency reported. “In the meantime, the U.S. repeatedly accuses China of spying and hacking.”

A day after the U.S. Justice Department unveiled explosive criminal cyber-espionage charges against five Chinese military officers, Beijing was still sputtering with indignation. Late Monday, the Chinese Foreign Ministry called the charges in a U.S. federal grand jury indictment “purely fictitious, extremely absurd.” China also announced it was suspending participation in the Sino-U.S. Cyber Working Group, formed to bridge differences over cyberspying.

The U.S. charges are certain to strain Washington’s military relationship with China, which the Pentagon made a concerted effort to build up in recent years. A Pentagon spokesman, Rear Adm. John Kirby, said Tuesday that the Defense Department had been aware of the impending charges and hoped that they would not stymie cooperation on various fronts.

“The degree to which this affects the relationship is up to the Chinese,” Kirby said, noting that Washington’s military relationship with Beijing has been built in “fits and starts.”

U.S. defense officials have portrayed the relationship in recent weeks as being on the upswing. Secretary of Defense Chuck Hagel visited Beijing for the first time in his current job last month and said he was heartened by the frank discussions he held with the country’s defense chiefs. Just days before the indictments were unsealed, Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, hosted his counterpart, Gen. Fang Fenghui, at the Pentagon for the latest in a series of high-level visits.

Dempsey said the two leaders had mapped out possible steps they could take to build trust and avoid miscalculations, including by establishing a secure video conference system that would allow them to consult regularly.

“All these initiatives are intended to continue to build a positive relationship, help us manage risk and reduce the chance of misunderstanding,” Dempsey said during a joint news conference last week.

“These visits are an indication that we’re trying to build a better level of trust,” he said.

China and Washington have tussled over territorial disputes in the region that involve close U.S. allies, including Japan and the Philippines. China has argued that its rivals in those cases have been emboldened by the Obama administration’s policy to shift more military assets to the region as an era of ground wars comes to an end.

U.S. officials recently sought to gain insight into China’s cyber military doctrine by briefing Chinese officials about Washington’s — but Beijing did not reciprocate.


Wednesday, May 21, 2014

An Abney Associates Tech Tips Google, Facebook Unmask Tech Support Scams

The Internet companies uncover 4,000 ad accounts using the names of 2,400 legitimate tech support businesses to trick people into downloading malicious software

Google and Facebook are finding cunning scams in which shysters advertise 800 numbers for bogus tech support that typically leads to people giving up personal data and downloading malicious software.

The companies described the schemes in the first report published by a nonprofit group launched this week by AOL, Facebook, Google and Twitter. The organization is dedicated to educating people about malicious Web advertisements and deceptive practices.

Tech support scams were chosen as the subject of the group's debut report because of the craftiness of the fraudsters, Rob Haralson, the group's executive director, said Friday. Posing as a legitimate business and providing an 800 number in an online ad or related web page makes it difficult to identify the service as a scam.

"By doing it through an 800 number, it takes the scam offline, so for Google's (automated) systems and Facebook's too, it becomes a little bit more of a challenge to determine which tech support providers are legitimate and which ones are scammers," Haralson said.

Because of the difficulty in getting automated systems to detect the scams, Google will have employees call the posted numbers and pose as callers looking for tech support. Oftentimes, the numbers are to places outside the U.S.

To date, the two companies have found a total of 4,000 such scams hijacking the names of 2,400 legitimate businesses, Haralson said. The fraudulent ads typically appear in Facebook display ads and Google search results.

Scams that depend on deceptive advertising hurt the online ad industry by further tainting the reputation of a business constantly under fire by consumer advocates for gathering too much personal data.

People roped in by the scammers can lose money and have their credit ratings damaged by downloading malicious software that contains viruses, spyware, adware and keystroke loggers. The malware is typically designed to steal personal data that can be used later to impersonate the person to obtain credit, merchandise and services.

In some cases, the crooks download software that freezes the recipient's computer and then demand several hundred dollars to unlock the system, Haralson said.

"The scammer essentially holds the computer hostage," he said.

Google and Facebook use automated and manual methods to detect fraud. The Internet companies continuously check ads and the Web pages they point to in search of signs that they are part of a fraudulent operation.
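The one part of this check that automates well is the mismatch the article describes: a real business's name paired with a phone number that business does not publish. The following is an added example, not code from Google, Facebook or the group's report; the business registry, the toll-free prefix list and the ad texts are constructed assumptions for illustration.

```python
"""Flag ads that pair a known business name with a phone number it does not publish.

Added example. KNOWN_NUMBERS and SAMPLE_ADS are constructed for illustration
and are not data from the report discussed above.
"""
import re

# Constructed registry: business name -> phone numbers it actually publishes (E.164).
KNOWN_NUMBERS = {
    "acme computer repair": {"+18005550100"},
    "example pc clinic": {"+18005550150", "+12025550199"},
}

# Matches US numbers in the common written forms: 1-800-555-0100, (800) 555-0100, 202.555.0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
# Assumption: the North American toll-free area codes in use at the time.
TOLL_FREE_PREFIXES = {"800", "844", "855", "866", "877", "888"}


def normalize_phone(text):
    """Return every US number in `text` as +1NXXNXXXXXX so formats compare equal."""
    return {f"+1{a}{b}{c}" for a, b, c in PHONE_RE.findall(text)}


def is_toll_free(e164):
    return e164[2:5] in TOLL_FREE_PREFIXES


def match_business(text):
    """Longest registry name mentioned in the ad text, or None."""
    low = text.lower()
    hits = [name for name in KNOWN_NUMBERS if name in low]
    return max(hits, key=len) if hits else None


def assess_ad(text):
    """Return (verdict, detail). 'review' means a human should place a test call."""
    business = match_business(text)
    numbers = normalize_phone(text)
    if business is None or not numbers:
        return "unknown", "no registry match or no phone number"
    unlisted = numbers - KNOWN_NUMBERS[business]
    if not unlisted:
        return "clean", f"numbers match registry for {business}"
    detail = f"{business} advertised with unlisted number(s) {sorted(unlisted)}"
    if any(is_toll_free(n) for n in unlisted):
        detail += "; toll-free, so queue for a manual test call"
    return "review", detail


# Constructed ad texts (not real ads).
SAMPLE_ADS = [
    "Acme Computer Repair - 24/7 support, call 1-800-555-0100",
    "ACME COMPUTER REPAIR official helpline (800) 555-0177 - virus removal now",
    "Example PC Clinic tech support 202.555.0199",
    "Cheap laptops, call 800-555-0123",
]


def demo():
    return [assess_ad(ad)[0] for ad in SAMPLE_ADS]


if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        print(assess_ad(ad))
```

Numbers that match the registry pass, an unregistered name yields no verdict, and an unlisted number attached to a known name is routed to the manual test call the article says Google staff make, rather than being blocked outright; a business may legitimately run a new campaign line, so the automated check only decides who gets called.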

Other deceptive activities the group plans to report on in the future include scams that promise weight loss for little or no effort, Haralson said. The group will also look at ads that try to get people to pay for content, such as government documents, that is available for free on the web.

Tuesday, May 20, 2014

An Abney Associates Tech Tips New online video aims to cut fraud

Derbyshire Constabulary have launched an online video to raise awareness and offer advice on courier fraud following recent incidents across the county.

The online video gives the public an insight into the scam, showing how fraudsters call members of the public to convince them to hand over their bank cards and PIN to a courier.

Detective Inspector Rob King, head of the Derbyshire Economic Crime Unit said: “We have been working alongside our partners to raise awareness of frauds and scams as part of our forcewide Stamp out Fraud campaign.

“Recently we have had an increase in reports of suspected courier fraud, but thankfully there are steps that we can all take to protect ourselves from the crime.

“This includes never giving out your card details, PIN or bank card to anyone and ending any suspicious calls immediately before reporting the incident.

“By spreading the message we can aim to stamp out fraud and protect more people from falling victim to the crime.”

Friday, May 16, 2014

The Daily Times’ phone number used as part of phishing scam: An Abney Associates Tech Blog

A phone number on a Maryville man’s caller ID that appeared to be from The Daily Times ended up being nothing more than a phishing scam.

The scam is described as con artists using techniques such as phony caller ID numbers to solicit personal information and money.

The man, who asked not to be identified, said that he received a call early Tuesday evening from what looked to be The Daily Times, according to his caller ID. When he answered, the caller offered to give information on how to reduce his credit card rate.

The man was suspicious and ended the call. When he called the number back, the number was not in service.

He then paid a visit to The Daily Times and showed them the number on his phone. They informed him that the caller definitely did not represent the newspaper.

The callers are able to convince victims that they’re receiving a call from a bank or credit card company, and try to acquire sensitive personal and financial information, or even money, from their victims.

Scammers’ philosophy

The philosophy of the scammers is that few people would think that the names and phone numbers appearing on their caller ID screens were not genuine. Therefore, scammers are already using phony caller IDs and are posing as representatives of banks and credit card companies.

The Internet offers a number of legal online services that supply fake caller ID numbers.

Internet sites, email accounts and regular mail are also used regularly as part of phishing scams.

“I get hounded with these calls from telemarketers from India and Timbuktu and everywhere else,” the man said Wednesday. “I always look on my caller ID, and I just hang up because it’s something I don’t want to hear.

“I looked to see the number and saw ‘Daily Times,’” the man continued. “Since it was a Maryville number, I thought it should be legitimate. I answered the call, and someone wanted to give me a deal where my interest rate would be lower. I’ve never paid interest in my life. I saved the number and took my phone to the (Daily Times) office. I thought they should know about it.”


Thursday, May 15, 2014

Beware of Phishing Scams: An Abney Associates Tech Blog

For the second week in a row, local bank customers have been targeted by “phishing” scams designed to separate them from the cash in their accounts.

Phishing is a term used to describe various scams that use automated phone calls, texts or email messages, sent by criminals, to trick you into divulging personal information. Thieves use this information to access your bank account, steal your identity or take over your computer.

These types of cyber scams are on the rise across the country, according to the FBI and the Internet Crime Complaint Center. They also are getting more sophisticated.

The recent scam being perpetrated in this area involves automated telephone calls to bank customers who are told their bank debit cards have been deactivated. The phone calls sound legitimate and use the bank’s name in a prerecorded message. The calls seek customer debit information to reactivate the cards. Some calls requested the 16-digit bank card number while others requested personal identification numbers (PINs) or Social Security numbers.

Variations of this phone scam have been reported at a number of local banks over the past two weeks. Officials say hundreds of fraudulent calls were made and several people who divulged account information were victims of the scam.

Meanwhile, bank officials say they were overwhelmed with calls from customers wanting to know if the phone calls are legitimate. One bank representative described the situation as chaotic.

The best defense to this illegal activity is simply not to respond. The same goes for a suspicious text or email. If you receive one of these bogus telephone calls, hang up immediately.

Remember, community banks never make these types of calls asking for confidential card numbers, PIN or account numbers.

In fact, most financial institutions go out of their way to inform customers that they will never ask for personal information via phone or email.

Giving out your account or card information jeopardizes your account and could lead to you becoming the victim of identity theft as well. Those who feel they may have provided confidential information to the scammers should call their bank immediately. They can help monitor your account and prevent further fraud.

Federal investigators say cyber-criminals often strike late in the day or on a Friday in hopes that a sense of urgency prevails. Unfortunately, much of this crime originates overseas and is difficult to track. The FBI is investigating the phishing schemes in this area but that doesn’t mean it will stop.

Simple phishing scams are easy to spot. But the more sophisticated ones require vigilance by consumers. Businesses and even school districts are now being targeted in elaborate phishing schemes. Law enforcement officials warn that the problem is likely to get worse.

The best protection to avoid being a victim in a phishing scam is to never divulge any confidential bank information to anyone but a bank representative you know in person.

Article Source:

Wednesday, May 14, 2014

Big 'win' became $5000 loss: An Abney Associates Tech Blog

RIP OFF: “Micheal Reagan” purported to be from the Internal Revenue Service (IRS) in the United States.

A Christchurch woman lost $5000 in a scam after hackers cloned her best friend's Facebook account.

Maria, not her real name, was last week convinced to send the money - her only savings - by "Halbert Colb" after an online conversation with scammers posing as Kay Snee.

INTERNET SCAM: Maria* in Christchurch was duped out of $5000 in an internet scam involving a clone of her best friend’s Facebook profile.

Instead, hackers, likely to be from overseas, had cloned Snee's profile, re-friended Maria, in her 70s, and started chatting to her.

The scammers, posing as her trusted friend, convinced Maria she had won $500,000 in a Facebook lottery. They said she would receive it after paying a $5000 deposit to a man in the United States.

Internet watchdog NetSafe has since issued a warning about the increasing number of internet scams in Christchurch, where many are still vulnerable after the city's earthquake.

NetSafe digital project manager Chris Hails said one scam, where cold-callers claimed to be from Microsoft, had been around for years "but we have certainly seen a pattern of calling targeting Christchurch".

Research showed those already in difficult or vulnerable positions especially financially, were more likely to fall victim to scams, he said.

The cloned profile Facebook scam to which Maria fell victim was new to New Zealand, but NetSafe had received reports of six similar incidents in New Zealand in the past couple of months.

One victim was fleeced of $1000, and in Maria's case, $5000 was "a big sum of cash to lose".

"These social networks are built on the basis of trusted friendships in the offline world and as far as [Maria] was concerned she had received a genuine message from Kay's account and took it to be truthful," Hails said.

"If you are accepting friend requests you need to be taking steps to make sure that it really is the friend that you are talking to."

Maria was too embarrassed to be identified by The Press, but wanted to share her story to prevent it happening to anyone else.

"My poor husband. He has been amazing . . . I was just so gullible," she said.

Snee, in her 50s, believes hackers got access to her account when she clicked on a Facebook video link on her mobile phone.

NetSafe's helpline is 0508 NETSAFE and people can also report incidents online via


A "gutted" Maria* received a Facebook message from a "very, very close friend" informing her she had just won half a million dollars in an online lottery.

A person calling herself Kay Snee told Maria to get in touch with a man called "Halbert Colb" on Facebook.

She was instructed to pay $5000 by Western Union - a 1 per cent commission on her $500,000 prize money - before she could get her prize money.

She deposited the money via eftpos at post shops in New Brighton, Parklands and in Hills Rd.

The next day she heard from "Micheal Reagan", purporting to be from the Internal Revenue Service (IRS) in the United States.

Reagan said Maria's name was on an IRS certificate and "they needed $8950 for tax on the winnings".

That night, Maria finally got in touch with her friend, who had just returned from a week-long holiday and was shocked.

(*Maria is not her real name)

Tuesday, May 13, 2014

1 in 5 Australians have been victims of identity crime with computer hacking, online banking and shopping to blame: An Abney Associates Tech Blog

People need to be wary about how much of their personal information is shared online. Source: News Corp Australia

So you think you’re safe online and take all the necessary steps to protect your information? Think again — your details may not be as private as you think.

More Australians than ever are falling victim to identity crime and the victims aren’t signing up to dodgy scams and being careless either.

They’re using internet banking, shopping online and sending email, actions that millions of Australians do each day without a second thought.

A startling new survey by the Australian Institute of Criminology (AIC) shows 1 in 5 Australians have had their personal information misused and 10 per cent have experienced it in the past year. That’s higher than similar research in the United Kingdom and the United States.

The amounts lost ranged from a few dollars to a staggering $310,000. The first indication anything was wrong usually was when they received their bank account statement.

More Australians are falling victim to identity theft. Source: News Corp Australia

Dr Clare Sullivan, an identity crime expert and law lecturer at the University of South Australia, said the survey showed that no system was “impenetrable”, even banking systems.

“I can tell you I don’t use online banking. I don’t think it’s secure,’’ Dr Sullivan told

She expected there would be more public attention on that issue if banks didn’t bail out people who lost money through fraud that wasn’t directly their fault.

Internet banking was cost effective for the banks and popular with consumers — because it was convenient — but Dr Sullivan said no system “anywhere in the world” was fail safe.

“I don’t think they can be, [the security] is not sufficient.”

Online shopping was another area that has become part of everyone’s daily life. But it is as vulnerable, if not more so, as having your wallet snatched from a trolley at your local store.

The problem is the level of detail many people provide, much of it unnecessary.

“One of the things in this survey is [the victims] are saying they are less trusting and more careful. That’s the lesson learned.’’

When buying something online, it was important to ask why all the information you were being prompted for was necessary, she said.

Fraud from using an ATM or Eftpos transaction also featured and has been a popular way for international gangs to rip unsuspecting people off.

It was one of a number of areas where people could be lulled into a false sense of security, even when there are disclaimers, assurances of top security and promises your information won’t be on-sold.

The people who had fallen victim to identity crime in Australia believed their info was accessed by computer hacking, online banking, email and online shopping. Source: News Corp Australia

And then there was social media.

“People put everything out there on social media. All you need [to steal someone’s identity] is their full name, their date of birth, sometimes their place of birth and an account number.

“With that information all over the internet then it is very easy to piece together.”

The report also revealed which Australians could be at most risk. Affluent, English speaking people outside of capital cities were significantly more likely to be a victim of cyber-crime than anyone else.

She believed that was an indication they were more reliant on online shopping than perhaps city-based people were.

“You’re a lot more vulnerable if you can’t just walk down the road.”

Dr Sullivan said people got upset about the loss of money, but that was usually temporary, and was actually the least of their worries.

“It’s the loss of identity. Once that has been compromised it’s compromised forever. People don’t realise how important that is and it could come up in six months or a year’s time or five years’ time.’’

Australians living away from capital cities appear to be being targeted by scammers as they are more reliant on the internet for online shopping and communication. Source: News Corp Australia

For her there was “no question” the problem would get worse as more of our daily lives were spent online.

AIC principal criminologist Dr Russell Smith told it was significant the number of Australians reporting misuse was higher than similar international surveys.

“It needs exploring ... But it could well mean the percentage of people suffering identity crime is higher in Australia.”

Something the research did show was the growing concern of Australians who worried about their personal information being misused.

The survey was commissioned by the Federal Government to determine the extent of identity crime in Australia.

Dr Smith noted “ordinary transactions” were being used by cyber criminals but said more traditional ways of deceiving were still in use.

“Identity crime has been around for a long time. There are the tried and true methods of stealing information, like from a tombstone or taking letters out of mailboxes. So the old ways still exist.”

Experts warn internet crime is here to stay as more of our daily lives are spent online. Source: News Corp Australia

  • Secure your mailbox with a lock and make sure mail is cleared regularly
  • Shred or destroy your personal and financial papers before you throw them away, or keep them in a secure place if you wish to retain them
  • Always cover the keypad at ATMs or on EFTPOS terminals when entering your PIN, and be aware of your surroundings — is anyone trying to observe or watch you, are there any strange or loose fixtures attached to the machine or terminal?
  • Ensure that the virus and security software on your computers and mobile devices is up-to-date and current
  • Don’t use public computers (for instance, at an internet cafe), or unsecured wireless ‘hot spots’, to do your internet banking or payments
  • Be cautious of who you provide your personal and financial information to — ensure that there is a legitimate reason to supply your details. Don’t be reluctant to ask who will have access to your information and which third parties it may be supplied or sold to. Ask to see a copy of the Privacy Policy of the business before you supply your details
  • Only use trusted online payment websites for items won at online auctions or purchased online. Never make payments outside of trusted systems — particularly for goods which you have not yet received
  • If responding to an online employment or rental advertisement, be wary of transmitting personal information and copies of documents via email or electronically
  • Take extreme care if placing personal details such as date of birth, address, phone contacts or educational details on your profile, and do not accept unsolicited ‘friend’ requests

Monday, May 12, 2014

Where Australia Is Still Going Wrong With Cyber-Security, An Abney Associates Tech Blog

The recently released Commission of Audit report recommends that the Australian government needs to become “digital by default”. The continued shift to digital service delivery is intended to reduce costs, improve quality of service and provide greater transparency. But it will also open up new vulnerabilities to cyber attacks that could be used to access secure and confidential data, compromise the integrity of trusted authorities and disrupt critical services.

In a report launched last week at the CeBIT cybersecurity conference in Sydney, we outline cybercrime trends which could feasibly shut down critical utility infrastructure such as energy grids and defraud the healthcare system to the tune of $16 billion by 2023.

The recent Heartbleed security bug is a telling example of the evolving nature of cyber threats, with the vulnerability impacting many popular websites and going undetected for almost two years.

Technology trends

The shift towards digital commercial services will continue to play a key role in driving the economy and society forward, as these services become increasingly embedded into business operations across a wide range of industries.

The healthcare industry is looking to digitisation to reduce spiralling costs while meeting changing patient needs and improving the care experience. The adoption of electronic health records will allow physicians to easily create and share medical records and other important patient data.

Investment in cloud computing will drive efficiencies and allow interoperability between provider systems. And new diagnostic and non-invasive sensor technologies will improve remote monitoring and telehealth solutions.

Similarly, digital infrastructure will transform the energy industry. Smart grids and smart meters will allow providers to better forecast and adjust to peak demand, driving improved pricing models and optimised production. And in-home energy management devices will connect with smart appliances and allow consumers to monitor, control and optimise consumption automatically.

Alongside critical industries, consumers are also becoming more digitised, with a growing number of devices connected to the network. This goes beyond personal computers, smartphones and tablets to include wearable devices, sensors and interactive displays such as in-home energy monitors. The number of devices connected to the internet is expected to increase to as many as 50 billion by 2020.

Evolving cyber threats

This increased dependence on technology, combined with the evolving complexity of cybersecurity threats, will increase our level of vulnerability – at a national, organisational and individual level.

The Department of Defence estimates that 5.4 million Australians were victims of cybercrime in 2012 and independent estimates put the cost of cybercrime in Australia as high as A$2 billion per year.

Left unchecked, these figures will continue to rise in coming years as cyber attacks become more sophisticated and harder to detect.

As more data and processing continues to move to public networks and the cloud, traditional network boundaries are dissolving, leading to new challenges in how we secure data and infrastructure across virtual locations.

The tools needed to carry out a cyber attack are becoming more widely available, opening up attack opportunities to a wide range of would-be attackers, from disgruntled corporate insiders seeking retribution, to “hacktivists” promoting a cause, to corporate espionage and criminal syndicates using cyber breaches as a means for financial gain.

Navigating the threat

An April report by the Australian Strategic Policy Institute (ASPI) ranked Australia second in cybersecurity capabilities in the Asia-Pacific region. But Australia cannot remain complacent in its approach to cybersecurity. Our strategies and tools need to evolve and keep pace with rapidly advancing cyber challenges.

To address these emerging threats, Australia will need a change in perspective, recognising that cybersecurity is not solely a technology challenge. It is also a cultural challenge; one that extends beyond traditional information security practices.

Because attackers frequently exploit the weakest link, cybersecurity will need to be viewed as a shared responsibility with everyone having a role to play in ensuring the security of the entire digital ecosystem.
This will need:
  • a commitment to improved education and training to make users aware of the risks and consequences of their actions
  • improved software and system design that integrates effective security as naturally and invisibly as possible
  • new technologies to prevent and respond to future cyber threats.

We are working on these challenges, through improved digital identity systems that will make it easier to verify identities and establish trust in collaborative environments, and through researching new homomorphic cryptography techniques that allow processing secure data without needing to decrypt it.

CSIRO’s research in data analytics and machine learning could also contribute to new innovations that make it easier to detect and quickly respond to network anomalies.

Future attacks will likely be beyond the response capabilities of any one organisation. Successfully navigating the road ahead will require a whole-of-nation effort, harnessing the full range of resources available across our economy.

Alongside existing national and defence-related strategies, the research community in partnership with industry and government has a vital role to play, through applying innovation and cutting-edge technology to the people, process and technology solutions needed going forward.

Through the integration of knowledge, ideas and resources, we can ensure strong cybersecurity capability is at the core of the digitally-enabled future of Australia.

Friday, May 9, 2014

PC Speak: Abney Associates Tech Blog, Peter Hoss: Steps to take to stay safe on the Internet

It is becoming increasingly difficult to live without the Internet. We are encouraged to buy products, pay bills, and store and retrieve information online. Phone directories are becoming obsolete. More seniors are buying and using a variety of hand-held devices that can not only make phone calls but also store a wealth of private personal information.

We seniors did not grow up with the Internet and are often not skilled at using it. We often seek guidance from our grandchildren. We have to learn a new language of computer-speak. This growing trend of Internet use is likely to continue faster than we seniors can keep up with it. Declining to use the Internet at all is not recommended, although some try it. We are also likely to be left behind in a rapidly changing culture.

Scammers have taken full advantage of the Internet. Seniors are a sought-after target, having grown up in a more trusting age, when most business was conducted by people talking with people, rather than strangers initiating contact over the Internet. Scammers have kept up with the technology and have become smoother and more creative.

The good news for us seniors, however, is that nearly all Internet scams can be avoided by common sense, reacting rationally rather than emotionally, and following a few simple rules. By living a long life we have hopefully perfected these traits.

Recently I came across a 2010 Reader's Digest article summarizing some common scams and how to avoid them. I was struck by noticing that these scams are still commonly used. People must still fall for them. The rules for avoiding them have not changed.

Here are some examples:

A grandchild in trouble or a tourist robbed abroad. Winning a lottery for which you did not buy a ticket. A "free trial offer" that commits you to signing a contract. An offer to reduce the interest on a credit card. A foreigner, often Nigerian, whose assets have been frozen by a corrupt government or bank and who needs an American partner. Fake charities. A fake lover, often from abroad, who needs money sent. Fake agencies. Fake home repairs. An email inviting you to check something, or announcing a sales opportunity, by clicking on a link, supposedly from a known person whose email address has been pirated. An offer of something for nothing, or a high financial return for no risk.

There are remarkably simple rules for avoiding all of these scams:

View all unsolicited email from a stranger with extreme suspicion. Rarely or never has anyone lost anything by simply not responding. Check the source independently. Do not reply to the email that sent the message, but contact the supposed sender by telephone or another email. The familiar grandchild-in-trouble or robbed-abroad scam can sometimes be avoided by probing the caller with personal questions. Remember, however, that a scam artist can obtain personal information by hacking into Facebook or other social media. The safer practice is not to respond, and to check the source independently. Never give a credit card, debit card, Social Security number or bank routing number to anyone over the Internet unless you initiated the request. That is simply an invitation to identity theft or to cleaning out the bank account. Never click on a link sent by email until the source has been independently verified.

Scammers often use Western Union as an unwitting participant in a scam because it is a quick method of transferring funds. I know of cases where knowledgeable and helpful Western Union operators have smelled a scam and talked a would-be victim out of it.

Do not assume that personal information on Facebook or social media will remain private.

I know I may sound like a broken record repeating this advice, but the scams go on and people keep falling for them. It would be nice to live in an idyllic world where everyone can be trusted, but unfortunately we do not.

Peter T. Hoss is a retired lawyer and an adviser to Legal Services for Seniors.

Wednesday, May 7, 2014

PC Speak: Abney Associates Tech Blog: Indian FB users end up hacking their own accounts

Some Facebook users in India were tricked into hacking their own accounts by a scammer claiming to reveal the passwords of their friends.

The scam compromised users' accounts by tricking them into running some code that takes control of the account and exposes their friends' data in the process.

"What really happens when you paste this code into your browser console window is that a series of actions are performed using your Facebook account without your knowledge.

"Behind the scenes, the account is used to follow lists and users and to like pages in order to inflate follower and like counts defined by the scammers," explained Satnam Narang, security response manager for Symantec, in a blog post.

The scam uses an instructional video explaining "Facebook Hacking", which links to a Google document containing some code.

According to the scammers, the code lets users see their friends' Facebook passwords; the instructions try to convince the user to paste the code into their browser console window. The instructions explain that the code will take two hours to work.

In reality, the code performs actions in the background using the would-be hacker's Facebook account, including following certain users and liking pages. No doubt the scammers are paid to artificially inflate follower or like counts for certain users and pages.

Monday, May 5, 2014

PC Speak: Abney Associates Tech Blog: Be proactive about credit after breaches

Consumers need to pay much closer attention to their statements and charges. (Photo: Thinkstock)

(USA Today) - Mike Rosinski, 51, doesn't know how a series of fraudulent charges, ranging from as little as $3.19 at some odd outfit in Missouri to $434.10 at a Fry's Electronics in another state, ended up hitting his Visa card in mid-April.

Maybe, he speculated, it was when a parking lot attendant took his credit card, claimed it wasn't going through and then said he could park for free? Maybe it was something related to getting hacked in the Target incident in late 2013, but that seems doubtful as he had already been issued a new card after that one.

Either way, Rosinski, who lives in Hartland, Mich., said he believes consumers need to pay attention to their statements and charges. He checks his balances regularly, but it was his wife who got the call from the card issuer about suspicious activity. He followed up directly with the card issuer, which, yes, will send him yet another new credit card number.

Like many consumers who don't want to deal with yet another round of the hassles of getting a new card, Rosinski just wishes more could be done to stop the crooks before they make the charges. Sure, he's pleased that the issuer had a system to detect fraud quickly, but what about something more to put a stop to the hacking?

Are we seeing more fraudulent charges, or are we just more aware that scammers are working overtime to get our credit card or debit card information? It may be a bit of both, experts say. Fraud may be on the rise lately partly because there have been so many significant security breaches, said Adam Levin, chairman and co-founder of Identity Theft 911.

One security breach took place at Michaels stores and its subsidiary Aaron Brothers. At Michaels stores it happened between May 8, 2013, and Jan. 27, and may have hit 2.6 million consumers, or 7% of transactions in that period. At Aaron Brothers it ran between June 26, 2013, and Feb. 27, 2014, and may have hit 400,000 consumers.

Industry experts say there are many ways card information can be compromised, from a rogue employee using a skimming device, to a consumer falling for a phishing email, to malicious software being installed on a point-of-sale system in a store. Cyber attacks can be very sophisticated, and the criminals are often out of the country.

Some other scams include what are called "micropayment fraud schemes", which charge you repeatedly for small amounts for rogue Internet pharmacies, fake anti-virus software, jewelry or handbag buying clubs, and online gambling.

The breaches have spurred a push for anti-fraud technology and expanded use of microchip cards, which provide more security than magnetic stripes. Target said that next year it will issue chip-and-PIN cards for its Redcard-branded credit and debit cards.

Right now, though, bewildered by breaches and anecdotal reports of fraudulent charges, everyone needs to be more careful and more willing to spend time going online daily or weekly to track the charges on an account.

"The most important action a consumer can take is to monitor the account closely," said Teresa Thornton, senior vice president and director of fraud services for Comerica Bank.

A relative, who reads his bills, told me about a $49.77 charge that was made on his account in Mexico in April. Was it connected, perhaps, to another fraud a month earlier, when he spotted a bogus $11.18 charge from a so-called "BLS WebLearn" on his statement?

My husband's uncle immediately alerted his credit card issuer about the $11.18 charge, and he was told not to pay it. But a new card was not issued right then. Maybe one should have been, to prevent the later fraudulent charges. Sometimes scammers start with small charges to check whether a number is "live" and can be used to make larger purchases. Or the scammers keep making more bogus small charges just to keep the fraud going.

The watchdog site called "Krebs on Security" reported on the BLS fraud in late March. A new rash of bogus charges for various amounts, such as $10.37 or $12.96, was reported by consumers. The charge may also show up as PLI Weblearn.

Brian Krebs, author of "Krebs on Security", has advised consumers to report such fraud immediately to the card issuer. He said it's also a good idea to ask for a new card even if the bank doesn't suggest a new card on the spot. After all, if someone has the card number, the odds are good that more fraudulent charges, large or small, could follow.
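As an added example (not part of the column, and not any bank's fraud system), the Python heuristic below applies the pattern the column describes to a constructed statement: it flags small charges from merchants the account has never paid before, a larger unfamiliar charge arriving soon after such a "probe", and repeated small charges from one unfamiliar merchant. The thresholds, merchant names and dates are assumptions modelled on the figures quoted above.

```python
"""Flag card-statement patterns described in the column: small 'probe'
charges from unfamiliar merchants, a large unfamiliar charge that follows a
probe, and repeated small charges from one unfamiliar merchant.
All sample data is constructed; thresholds are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    when: date
    merchant: str
    amount: float


PROBE_MAX = 15.00        # assumption: a "test" charge is $15 or less
LARGE_MIN = 100.00       # assumption: a follow-on charge of $100+ is notable
PROBE_WINDOW_DAYS = 45   # assumption: look this far ahead after a probe
REPEAT_MIN = 2           # assumption: two small charges from one merchant


def known_merchants(history):
    """Merchants seen on the account's earlier statements (trusted baseline)."""
    return {t.merchant for t in history}


def flag_suspicious(history, statement):
    """Return (reason, txn) pairs for charges worth querying with the issuer.

    Each (reason, txn) pair appears once, in statement order.
    """
    trusted = known_merchants(history)
    txns = sorted(statement, key=lambda t: t.when)
    probes = [t for t in txns
              if t.merchant not in trusted and t.amount <= PROBE_MAX]
    flags = {}  # dict used as an ordered set of (reason, txn)

    # Rule 1: any small charge from a merchant never paid before.
    for t in probes:
        flags[("small charge, unfamiliar merchant", t)] = None

    # Rule 2: a large unfamiliar charge within the window after a probe,
    # the "check the number is live, then spend big" pattern.
    for probe in probes:
        deadline = probe.when + timedelta(days=PROBE_WINDOW_DAYS)
        for later in txns:
            if (probe.when < later.when <= deadline
                    and later.merchant not in trusted
                    and later.amount >= LARGE_MIN):
                flags[("large unfamiliar charge after probe", later)] = None

    # Rule 3: the same unfamiliar merchant billing small amounts repeatedly
    # (the micropayment pattern).
    per_merchant = defaultdict(int)
    for t in probes:
        per_merchant[t.merchant] += 1
    for t in probes:
        if per_merchant[t.merchant] >= REPEAT_MIN:
            flags[("repeated small charges, unfamiliar merchant", t)] = None

    return list(flags)


# Constructed prior statements: the account's normal merchants.
HISTORY = [
    Txn(date(2014, 1, 6), "Hartland Grocery", 82.40),
    Txn(date(2014, 1, 10), "Hometown Power", 118.25),
    Txn(date(2014, 1, 15), "Fitness Club", 29.99),
    Txn(date(2014, 2, 15), "Fitness Club", 29.99),
]

# Constructed April statement mixing normal activity with the patterns above.
STATEMENT = [
    Txn(date(2014, 4, 2), "Hometown Power", 120.00),      # trusted, large
    Txn(date(2014, 4, 3), "BLS WEBLEARN", 11.18),         # probe
    Txn(date(2014, 4, 5), "Fitness Club", 29.99),         # trusted
    Txn(date(2014, 4, 9), "Hartland Grocery", 64.10),     # trusted
    Txn(date(2014, 4, 12), "BLS WEBLEARN", 10.37),        # repeat probe
    Txn(date(2014, 4, 15), "Fry's Electronics", 434.10),  # large after probe
    Txn(date(2014, 4, 18), "Odd Outfit MO", 3.19),        # lone small probe
]

if __name__ == "__main__":
    for reason, t in flag_suspicious(HISTORY, STATEMENT):
        print(f"{t.when} {t.merchant:<18} {t.amount:>8.2f}  <- {reason}")
```

Running the module prints six flagged lines: three small unfamiliar charges, the Fry's charge as a large charge after a probe, and both BLS charges as repeats; the trusted merchants are never flagged.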

Beverly Harzog, a credit card expert and author of "Confessions of a Credit Junkie", said consumers shouldn't just wait for statements. They should also track their card activity online or via mobile banking as often as they can. By law, credit card fraud victims can only be held liable for up to $50, but many issuers have zero-liability policies in cases of fraud.

Banks also offer mobile alerts that consumers can set up to notify them of specific types of account activity, including transactions.

Granted, it can be a hassle to actually change a credit card number, especially if you have your electricity bill or that gym membership automatically charged to the credit card. When the number changes, you need to notify the company that takes the automatic payment so you don't get hit with extra late fees or charges for missed payments.

Still, Levin said some consumers may want to change the card number if they discover more than one or two fraudulent charges.

"It never hurts to be proactive and even a little paranoid," said Levin.