Sunday, January 31, 2010
January News & Views Published Below
CU SECURITY & TECHNOLOGY News - Providing a brief summary of news and information related to security and technology issues for credit unions - Plus some interesting and fun web sites . . .
Friday, January 22, 2010
If Your Password Is 123456, You May Be In Trouble
Back at the dawn of the Web, the most popular account password was "12345."
Today, it's one digit longer but hardly safer: "123456."
Despite all the reports of Internet security breaches over the years, including the recent attacks on Google's e-mail service, many people have reacted to the break-ins with a shrug.
According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like "abc123," "iloveyou" or even "password" to protect their data.
"I guess it's just a genetic flaw in humans," said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. "We've been following the same patterns since the 1990s."
Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)
The trove provided an unusually detailed window into computer users' password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.
"This was the mother lode," said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.
Imperva found that nearly 1 percent of the 32 million people it studied had used "123456" as a password. The second-most-popular password was "12345." Others in the top 20 included "qwerty," "abc123" and "princess."
More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.
That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
"We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations," Mr. Shulman said. "The reality is that you can be very effective by choosing a small number of common passwords."
Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.
To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.
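The two controls this article describes, refusing common passwords at enrolment and freezing an account after repeated failed logins, can be illustrated server-side. The code below is an added example and not from the article or from any of the sites it mentions; the seven-entry denylist is constructed from the passwords named above (a real list would be far larger), and the lockout numbers (5 failures in 15 minutes, 15-minute freeze) and the PBKDF2 work factor are assumed policy values.

```python
"""Added example: a common-password denylist at enrolment plus a per-account
lockout after too many failed logins. The denylist, the policy numbers and
the in-memory store are all constructed for illustration."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed denylist seeded with the passwords the article names; a real
# deployment would load a much larger list (the article cites a pool of 5,000).
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "password", "iloveyou", "princess", "qwerty", "abc123",
})

PBKDF2_ITERATIONS = 200_000  # assumed work factor


def password_policy_errors(candidate: str, min_length: int = 8) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    errors = []
    if len(candidate) < min_length:
        errors.append("shorter than %d characters" % min_length)
    if candidate.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password denylist")
    return errors


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 verifier; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    """In-memory user store plus a per-account failure counter.

    Assumed policy (not from the article): after max_failures failed attempts
    inside window_seconds, the account is locked for lockout_seconds.
    """

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._users = {}                       # username -> (salt, digest)
        self._failures = defaultdict(list)     # username -> failure timestamps
        self._locked_until = {}                # username -> unix time
        # Dummy verifier so unknown usernames cost the same PBKDF2 work as real ones.
        self._dummy = hash_password("unused-dummy-value")

    def register(self, username: str, password: str) -> list:
        """Enrol a user; returns the policy errors (empty on success)."""
        errors = password_policy_errors(password)
        if not errors:
            self._users[username] = hash_password(password)
        return errors

    def is_locked(self, username: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0) > now

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'locked' or 'denied'. A locked account never reaches
        verification, so guesses made during the freeze learn nothing."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        record = self._users.get(username)
        salt, expected = record if record else self._dummy
        _, actual = hash_password(password, salt)
        if record and hmac.compare_digest(actual, expected):
            self._failures.pop(username, None)
            return "ok"
        self._note_failure(username, now)
        return "denied"

    def _note_failure(self, username: str, now: float) -> None:
        recent = [t for t in self._failures[username] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = []


if __name__ == "__main__":
    svc = LoginService()
    print(svc.register("alice", "123456"))            # rejected: short and denylisted
    print(svc.register("alice", "correct-horse-9"))   # [] accepted
    for _ in range(5):
        print(svc.login("alice", "wrong", now=1000.0))  # denied x5, then frozen
    print(svc.login("alice", "correct-horse-9", now=1001.0))  # locked
```

The failure counter is keyed per account, which is what the article's "freeze the account" sites do; the same structure can be keyed per source address as a second counter, since the article notes attackers pace their guesses to stay under a single threshold.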
For more information from this article, visit the NY Times at:
Wednesday, January 20, 2010
A Frequent Traveler Jacket
How about a frequent traveler's jacket with 22 pockets as a purposeful carry-on? Breeze through security: just slip off the vest. Comes in three colors. Not a bad idea.
Check out more details and information at: http://www.scottevest.com/
Monday, January 18, 2010
The Rollup PC - You Won't Believe Your Eyes
Check out the laptop of the future - The Rollup.
See more at: http://orkin-design.de/design/rolltop/movie/FXVideo_Example.html
or at: http://manneli.com/movies/Laptop.html
The wave of the future.
Sunday, January 17, 2010
Use Wasp Spray Instead of Pepper Spray
A friend who is a receptionist in a church in a high risk area was concerned about someone coming into the office on Monday to rob them when they were counting the collection. She asked the local police department about using pepper spray and they recommended to her that she get a can of wasp spray instead.
The wasp spray, they told her, can shoot up to twenty feet away and is a lot more accurate, while with the pepper spray, they have to get too close to you and could overpower you. The wasp spray temporarily blinds an attacker until they get to the hospital for an antidote.
She keeps a can on her desk in the office and it doesn't attract attention from people like a can of pepper spray would. She also keeps one nearby at home for home protection. Thought this was interesting and might be of use.
On the heels of a break in and beating that left an elderly woman in Toledo dead, self defense experts have a tip that could save your life.
Val Glinka teaches self-defense to students at Sylvania Southview High School. For decades, he's suggested putting a can of wasp and hornet spray near your door or bed. Glinka says, "This is better than anything I can teach them." Glinka considers it inexpensive, easy to find, and more effective than mace or pepper spray.
The cans typically shoot 20 to 30 feet; so if someone tries to break into your home, Glinka says "spray the culprit in the eyes". It's a tip he's given to students for decades.
It's also one he wants everyone to hear. If you're looking for protection, Glinka says look to the spray. "That's going to give you a chance to call the police; maybe get out." Maybe even save a life.
Five Robberies in Five Years; CU Closes Branch
After enduring five robberies in five years, workers at A-K Valley Federal Credit Union in the Pittsburgh area cleaned out their crime-plagued Homewood branch -- never to reopen.
"We just decided we'd had it," said Janet Horn, chief executive of the credit union, regarding the latest incident New Year's Day at the two-story brick office.
The Homewood branch had been robbed by criminals bearing assault rifles on four previous occasions since mid-2004, when the credit union opened there. This time, the credit union's board voted Jan. 5 to shutter the branch, which served 1,630 members.
More on this story at: http://www.pittsburghlive.com/x/pittsburghtrib/business/s_662505.html
Oxymorons at Play
Beyond the classic definition of oxymoron, there may be at least two others in my never finished complete Dictionary of Words as We Phonetically Understand them. Take a look:
(1) Oxymoron. (noun) definitions: (1) any expression in words or placement of objects or combination of both that conveys a contradictory meaning; (2) the dumbest guy at Oxford; (3) anyone who fails to grasp the cleansing power of Oxydol soap after seventy years of its broad commercial exposure to one and all.
That first one was mine, but I can neither take nor offer credit for the rest of these items on the list below because they came to me via e-mail with a lot of beautiful graphics and no acknowledgement of authorship by a living or deceased soul. Some of these figures of speech have been around these parts for a very long time so I suspect that even this list is little more than a collection of “oxy-morons” from all those places on this electronic planet where jokes and whimsy pop up as often and surprisingly as those little life-energy lightning bugs of Pandora in the movie “Avatar”.
Here’s the Sunday Working Day of Rest List of All the Rest:
(2) Is it good if a vacuum really sucks?
(3) Why is the third hand on the watch called the second-hand?
(4) If a word is misspelled in the dictionary, how would we ever know?
(5) If Webster wrote the first dictionary, where did he find the words?
(6) Why do “slow down” and “slow up” mean the same thing?
(7) Why do “fat chance” and “slim chance” mean the same thing?
(8) Why do “tug” boats push their barges?
(9) Why do we sing “Take Me Out To The Ballgame” when we are already there?
(10) Why are the benches and chairs at the ballpark called “stands” when they are made for sitting?
(11) Why do we say an evening time for something is “after dark” when it is really “after light”?
(12) Doesn’t “expect the unexpected” make the unexpected expected?
(13) Why are a “wise man” and a “wise guy” perceived as opposites?
(14) Why do “overlook” and “oversee” mean opposite applications of attention?
(15) Why is “phonics” not spelled the way it sounds?
(16) If work is so good for you, why do they have to pay you to do it?
(17) If all the world’s a stage, where is the audience sitting?
(18) If love is blind, why is lingerie so popular?
(19) If you are cross-eyed, but you also have dyslexia, can you read all right?
(20) Why is a “bra” singular and “panties” plural?
(21) Why do we press harder on the buttons of a remote control when we know the batteries are dying or dead?
(22) Why do we put suits in garment bags and garments in a suitcase?
(23) How come “abbreviated” is such a long word?
(24) Why do we wash bath towels? Aren’t we clean when we use them?
(25) Why doesn’t glue stick to the inside of the bottle?
(26) Why do we drive on a parkway, but we park on a driveway?
Thursday, January 14, 2010
FBI issues Haitian relief fraud alert
Internet users who receive appeals to donate funds in the aftermath of the recent earthquake in Haiti need to perform their due diligence before responding to the requests, said the Federal Bureau of Investigation (FBI).
Credit unions might want to warn members that past tragedies and natural disasters have prompted criminals to solicit contributions that they claim are for a charitable organization or a good cause.
Before making any donation, consumers should use these guidelines, said the FBI.
Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within the messages;
Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites;
Verify the legitimacy of nonprofit organizations by using Internet-based resources to assist in confirming the group's existence and its nonprofit status rather than following a purported link to the site;
Be cautious of e-mails that claim to show photos of the disaster areas in attached files because these files may contain viruses. Only open attachments from known senders;
Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes; and
Do not give personal or financial information to anyone soliciting contributions; providing that information may compromise your identity and make you vulnerable to identity theft.
The agency said anyone receiving a suspicious e-mail or anyone who becomes a victim of such incidents should notify the Internet Crime Complaint Center, known as IC3.
Wednesday, January 13, 2010
Malware hits online banking, Google's online apps market
Credit unions sounded the alarm that suspicious applications downloaded from Google's Android Market for cellphones may have stolen users' online banking information. And the Credit Union Information Security Professionals Association (CUISPA) is alerting credit unions to a fraud attempt in the online banking arena.
BayPort CU, a $1.1 billion credit union in Newport News, Va., and First Tech CU of Beaverton, Ore., issued warnings on Dec. 22 about a rogue Android application on Google's online market that promised members easy access to their online banking (Computerworld Jan. 12 and iPhone Central Jan. 11).
"It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users' financial information," said BayPort's alert.
The suspicious application creates mobile banking apps that members and other users can download to their phones but that actually have the ability to steal information. Those who have added the apps should go to their mobile service provider to ensure the suspicious apps are removed for good.
BayPort said it notified Google, and Google removed the program plus 50 similar apps, all written by a single developer identified as "09Droid."
However, security researchers have not confirmed whether the Android apps were actually malicious because before they could get copies of the suspicious apps, Google removed them from the market, according to ComputerWorld. The apps could just be someone using a shortcut app to make a quick buck, said the researchers.
Google does not vet its Android applications that appear on its online store. Apple runs its App Store for the iPhone and has an approval process for mobile applications.
Another kind of fraud in online banking--the Zeus or Zbot--was the topic of a warning from CUISPA.
The Zbot is a "particularly nasty malware that is bypassing top antivirus/Malware scanners and compromising member accounts," said CUISPA's alert. "Cases have been identified by dozens of credit unions, that we know of. One can assume it is far more widespread than we've currently seen," said Kelly Dowell, executive director at CUISPA.
"The malware infects desktops the same way viruses do, but once infected it is very difficult to remove. Initial reports have come in from credit union members that logged into online banking and received a display page asking for additional authentication in the form of credit card information. The key here is the page was displayed after logging into their home banking accounts," said Dowell.
"It's important to understand that if the user is seeing that page, the damage is done. The online banking credentials have been compromised and need to be changed immediately," Dowell explained.
"The nasty thing about Zeus/Zbot is how it has been morphing or evolving," said Dowell, adding that it hides its presence on the member's machine. It is the same attack that is behind a recent flurry of automated clearinghouse (ACH) fraud.
Thursday, January 7, 2010
Craig's List ad targeting CUs is pulled
Craig's List has pulled an advertisement that sought to recruit current credit union members to solicit others to join the credit union through them.
According to the Pennsylvania Credit Union Association (PCUA), the advertiser offered $75 to current members who answered the ad and allowed ineligible people to join credit unions through a current member (Life is a Highway Jan. 6).
The ad listed specific credit unions across the country. However, the wording indicated the ad would take anyone, said PCUA.
The ad appeared to be from California. PCUA alerted the California Credit Union League, which investigated the posting. When News Now went to check the link, Craig's List had posted a notice that it had pulled the ad.
Monday, January 4, 2010
Scams Were Rampant in December
An off-shore e-mail scam targeting members and nonmembers of a Michigan-based credit union made its way to Wisconsin recently--one of several scams credit unions reported during the holiday season.
The scam targeted Community Driven CU, Ypsilanti, Mich., and spread to consumers in Wisconsin and in Texas, the Kenosha News reported (Dec. 21). A reporter of that publication received a bogus e-mail purporting to be from the Michigan credit union, asking the reporter to enter in a credit card account number and personal identification number to view a Visa card statement.
Mary Cole, Community Driven CU member service loan officer, said the credit union is aware of the scam and has received many phone calls about it. The credit union also was hit by a text-messaging scam in November, she told the newspaper.
Washington Post columnist Elizabeth Razzi noted in a Dec. 15 column that she and her daughter received a text message saying that their ATM cards had been suspended from Treasury Department FCU, Washington, D.C. After receiving the message, Razzi visited the credit union's website and saw that a scam warning had been posted.
Read more at: http://www.cuna.org/newsnow/10/system123109-2.html?ref=hed