Square – Security Risk?

Square is an electronic payment service that is designed to be used for mobile devices. It is a hardware dongle that reads the sound file of a magnetic stripe and parses the retrieved data to obtain the information. Applications have already been released on the markets for Apple and Android so that users in the United States can accept credit cards almost anywhere. This new product does pose a large security risk because a person can obtain the Square dongle for free and it is very small and non conspicuous. Third party programs have already been developed, such as Magread on maemo.org that parses the sound files to display the data on the card.

Advertisements

Should Bitcoin wallet be considered a bank account?

Bitcoin is a decentralized, peer to peer network that allows users to make transactions. The “wallet” is a file where Bitcoins are stored on a computer. Bitcoin wallet is coincided as a bank account by the United States Government even though it does not regulate or track Bitcoin transactions. Bitcoins are also not an approved currency by the US government, which is obvious. New malware is currently being used to find the Wallet file stored on an infected computer and transfer to the attacker.

US Cyclist found guilty for hacking drug lab

United States cyclist Floyd Landis has been found guilty of being involved in a hacking attack on a French laboratory and was sentenced for 12 months according to the Wall Street Journal. Floyd Landis had won the 2006 Tour de France, but was stripped of his victory over doping allegations. Investigators discovered Trojan backdoors on the Laboratory computers, which accessed files and doctored them. The malware was trace back to Alain Quiros, who admitted hacking the laboratory and also Greenpeace computers.

Source: http://online.wsj.com/article/SB10001424052970204358004577029800156942714.html?mod=googlenews_wsj

Microsoft Youtube Channel Compromised

The Microsoft Youtube channel was recently compromised and is still under investigation. The attacker changed the content videos that surprisingly was not pornography or something ridiculous, but he posted four short videos that advertised he “hacked” the channel. It surprises me how easy it is for any attacker to compromise account for social networking sites, even email providers including Gmail and Yahoo, and most of it goes unnoticed and nothing is done about it. People place a large amount of trust in large corporations such as Google and Facebook for their identities on the internet. Accounts can be compromised by answering simple recovery questions that can be researched by an attacker using social engineering or other resources. Google, for an example, has responded with the two-step verification to make it more difficult to compromise an account, but it does not force users to use it nor does it advertise.

Form Grabbing

In the growing world of cyber crime, new methods are created and used for espionage, financial theft (fraud), and even cyber warfare. The term form grabbing refers to a method of capturing web form data within browsers. It may be confusing to contrast the differences between form grabbing and traditional keylogging, but a keylogger records all individual keystrokes by hooking into the keyboard APIs or even acting as a keyboard device driver. Keylogging method will soon be replaced by advanced form grabbing techniques because a criminal interested in your credit card and bank account does not want to read countless logs of facebook conversations. Form grabbing malware logs web form submissions by recording onsubmit event functions in a web browser, which even bypasses HTTPS encryption.The method was invented in 2003 by the developer of the Berbew Trojan (http://www.symantec.com/security_response/writeup.jsp?docid=2003-071612-0251-99), but made popular by the infamous banking trojan called Zeus in 2007. The first advancement with the form grabbing module was that Zeus in the early versions had the ability to detect the form data that was grabbed and determined whether the information is useful to the cyber criminal and even the website that the data was submitted. This allows the form grabber to be more effective in stealing sensitive information. Another banking trojan, SpyEye, (which is a rival malware of Zeus) developed web injects, which “injected” forms into websites to trick the user in entering information such as pin numbers and even social security numbers. Web injects were also adopted in the later versions of Zeus and new underground markets emerged for effective web injects to many popular websites such as Ebay and PayPal.

Enhanced by Zemanta