
Friday, 23 September 2016

Affected by the Yahoo hack? Here’s what you need to do:

If you have a Yahoo account, you should act fast. Just yesterday it was confirmed that hackers stole the personal data of half a billion Yahoo accounts in the most recent cyber-catastrophe. 

Details including names, email addresses, phone numbers and security questions were stolen from the company's network in late 2014. Passwords were also taken, but in hashed form, and Yahoo reports that it believes the payment-card and bank-account data it holds were not affected. A hash cannot simply be "decrypted": what an attacker can do is guess candidate passwords, hash each one and compare the result with the stolen hashes, so how much protection the hashing gives depends on the scheme Yahoo used and on how guessable your password was.

Yahoo believe this was a state-sponsored act – an increasingly common scapegoat following cyber hacks today. Although Yahoo are currently notifying those potentially affected by the hack, as a precaution you can take steps now to protect your data.

Below, we will identify these steps in order to secure your information now and in the future.

This is what you need to do:

Take back your account: If your Yahoo account has been compromised, the first thing to do is regain control of it. Attackers may also have gone after your linked accounts, so check those as well. Below are links to the account-recovery pages of the most common social and mail platforms.
·         Yahoo
·         Apple
·         Facebook
·         Google
·         Microsoft
·         Twitter

Report it to the police: If you believe you have been hacked and are now the victim of identity theft or fraud, file a report with Action Fraud, the UK's national fraud reporting centre.

Change your passwords and security questions: Even if you haven't been hacked, change your password and security questions immediately. This is especially important if your email is connected in any way to your bank or a PayPal account. 

Additionally, change the password of any other account that uses the same or similar credentials or security answers. This ensures attackers cannot use what they learned from Yahoo to get into other accounts. It is also sensible to check your password-recovery settings and make sure the recovery email address or phone number has not been changed to one you don't recognise.

Tell everyone you know: It is a common tactic for attackers to use a compromised account to target its owner's friends and family, typically to extract money. So spread the news to your friends and family. Not only will this help them tell you if they see unusual activity from your account, it may also spare them from falling victim to the same attack.

Be wary of emails claiming to be from Yahoo: Now is the perfect time for cyber criminals to strike with a phishing attack. Avoid downloading attachments or clicking links in any email that claims to come from Yahoo; type the site's address into your browser instead. Almost all malware is installed unknowingly by the victims themselves.

Update your security settings and run a security scan: Make sure you run a virus scan and have the most recent security updates on your operating system. If you don't have an anti-virus application, invest in a high quality one like McAfee or Norton Antivirus. This is something you should be doing as best practice regardless of the issue.

Continue to review your activity: Just because you've got your account back doesn't mean you're safe. Attackers often leave 'backdoors' such as mail-forwarding rules or altered recovery details so that they, or other attackers, can regain access later. Periodically review the account's settings and recent sign-in activity to make sure no emails are being forwarded and no security questions or recovery options have been changed.

De-authorise applications: Although it may be frustrating, revoking access for third-party applications and services linked to your Yahoo account is essential. Many may deem this unnecessary, but it is a far better idea than leaving an unknown party with a foothold in your account, even if it is only a precaution.

How serious is this? And what does it mean for Yahoo?

The most serious concern for you as a Yahoo user is that the hashed passwords are cracked and used maliciously. Hashing is not encryption: there is no key that could be recovered, but an attacker holding the hashes can try candidate passwords offline at whatever speed the hash function allows, and a fast, unsalted hash makes common passwords cheap to recover. Although the scheme used is reported to be relatively strong, Yahoo have yet to release any details of it.
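To make the difference concrete, here is an added example (not code from the original post or from Yahoo) of the offline attack an attacker runs against a stolen hash table. It uses a constructed wordlist and three invented users, compares unsalted MD5 with a salted, deliberately slow key-derivation function, and counts the hashing work each one forces. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which needs a third-party package; the security argument is the same.

```python
import hashlib
import hmac
import os
import time

# Constructed data for this example (not from any breach): a wordlist an
# attacker would try, and three users, two of whom chose passwords in it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "Tr0ub4dor&3"]
USERS = {"alice": "sunshine", "bob": "letmein", "carol": "correct horse battery"}
PBKDF2_ROUNDS = 50_000  # stands in for bcrypt's work factor


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_slow(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """The strong scheme: a per-user random salt plus a deliberately slow KDF.
    hashlib's PBKDF2 is used because it needs no extra package; bcrypt,
    scrypt and Argon2 serve the same purpose."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Offline attack on unsalted MD5: hash each word once, then look every
    user's hash up in that table. Returns (recovered passwords, hash ops)."""
    table = {unsalted_md5(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(dump: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same attack on salted, slow hashes: the salt forces one KDF run per
    (user, guess) pair, and each run costs PBKDF2_ROUNDS HMAC calls."""
    recovered, work = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            work += PBKDF2_ROUNDS
            if hmac.compare_digest(salted_slow(word, salt), digest):
                recovered[user] = word
                break
    return recovered, work


def build_dumps():
    """Produce both 'leaked' tables from the constructed USERS."""
    weak = {u: unsalted_md5(p) for u, p in USERS.items()}
    strong = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        strong[u] = (salt, salted_slow(p, salt))
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_dumps()
    t0 = time.perf_counter()
    got, ops = crack_unsalted(weak, WORDLIST)
    print(f"unsalted MD5:  recovered {got} with {ops} hash ops in {time.perf_counter() - t0:.4f}s")
    t0 = time.perf_counter()
    got, ops = crack_salted(strong, WORDLIST)
    print(f"salted PBKDF2: recovered {got} with {ops} HMAC ops in {time.perf_counter() - t0:.2f}s")
```

Both schemes give up the two weak passwords, which is the lesson for users: a slow hash buys time, it does not rescue "letmein". For the site operator the lesson is the work column: six hashes crack the whole MD5 table at once, whereas the salted version needed 750,000 HMAC calls for three users and the cost grows with every extra user and every extra guess.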

For Yahoo, this breach comes at the worst possible time. Earlier this summer, Yahoo had announced it was investigating a breach reported to involve 200m customers. The sudden increase to 500m means “Yahoo may be facing an existential crisis” with their “already besieged business execution issues and an enduring fire sale to Verizon, this may be the straw that breaks the camel’s back” according to Corey Williams from identity management software company Centrify.

Security researcher Kurt Baumgartner of Kaspersky Lab believes that Yahoo's failings hardly come as a surprise: "It's unfortunate that when we are talking about this organisation, a massive breach doesn't come as a big surprise". Baumgartner has also criticised Yahoo's slow response, calling it characteristic given the company's "delay in encrypting IM communications, implementing https for its web properties and more".

Wednesday, 19 March 2014

Windows XP retirement puts ATMs at risk


As we mentioned in an earlier post, Microsoft will end support for Windows XP on 8 April 2014. Windows XP has been one of the most popular operating systems ever created and its retirement is going to affect far more than individual users. According to Gartner's analysts, around 10-15% of businesses still on XP will fail to migrate to another operating system in time, but this is not the most worrying news.

ATMs at risk as XP is set to retire

This may come as a shock, but over 2 million ATMs worldwide (around 95% of all of them) run Windows XP. Once support ends they will stop receiving security fixes, so any new vulnerability found in XP will remain open on those machines, making them easier targets for attackers and malware.
To make matters worse, only about a third of these ATMs are ready for an upgrade, and preparing the remaining two thirds would cost about £60 million.

However, we must also point out that ATMs are equipped with sophisticated, customised additional security. Therefore it is unlikely that they’d just “start shooting out money into the streets or things like that,” said James Lyne, Director of Technology Strategy at Sophos.

They knew the day would come

Microsoft announced its plans to stop issuing security fixes for Windows XP back in 2007, so it really shouldn't have come as a surprise to any bank, yet quite a few failed to take action. Banking giants such as RBS, Santander UK, Lloyds and HSBC have signed up for three years of custom support before migrating their ATM estates to Windows 7.

According to James Lyne, these changes have been on the horizon for so long that banks really should have addressed them long ago.

About the Author:       
Sarah writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Sarah has 11 years of experience in the IT industry. 

Monday, 13 January 2014

Hacking with LinkedIn. The next battlefield in Cyber-warfare


Social engineering by definition is "a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures." Social engineers, often referred to as con artists, have been around for hundreds of years, and their methods have evolved alongside the world's technological developments.

Social engineering expert Sharon Conheady delivered a presentation entitled "Future of Social Engineering" at DeepSec 2010. In it she outlined how social networks such as LinkedIn might be used for social engineering in the future. Well, the time has come: more and more scams are surfacing on LinkedIn. Here's the latest one:

How to spot the signs

As you can see the message follows the pattern of the well-known 419 Scams, also known as advance-fee frauds. However, it has one important characteristic that most scam emails don’t: a well-designed LinkedIn profile to give credibility to the message. 
The sender claims to have been a Senior Accountant at Lloyds Banking Group for over 9 years; however, her profile states over 15 years in the role. Perhaps the body of the message needs an update?

There are also formatting errors, such as the spelling of "AleX Jones", which strongly suggest that the message did not come from a legitimate source. And of course the content of the message itself gives it away: which bank would hand money to a stranger simply because they share a surname with a client? None.

If you'd like to know more about social engineering, watch Sharon Conheady's full presentation; the stories of LinkedIn attacks start at 25:16.

Please be alert and look out for scams like this. If you found this article useful share it, so that your friends and family won’t have the slightest chance of falling victim to it. 

About the Author:
Sarah writes for Firebrand Training.

Thursday, 19 December 2013

Christmas scams - four tips to keep your personal information safe


With the festive period approaching, many people are eagerly browsing the web for last-minute deals on gadgets. A word of advice: if a deal looks too good to be true, it probably is.

Kaspersky Lab issued the following warning this week: "As we get ready for the latest round of Christmas-themed status updates, we should also prepare for a barrage of scams on social networks in the coming weeks too".

In the lead to Christmas, more and more gullible Facebook users are becoming targets and victims of scammers. There are hundreds of pages offering free gadgets such as PlayStation 4s, and insanely good deals on new Apple products, in exchange for your personal information.

Despite the fact that most of these scam posts look anything but legitimate, many people are falling for them. The give-away below received 646 entries.

Kaspersky’s four tips to keep your social profile and personal data safe:
  • Don’t give away too much. Sharing is caring, especially at Christmas, but it doesn’t mean you have to share your personal information. Try keeping it safe by not sharing too much. If you lose control of your social media account to a hacker, it could mean more than just having your privacy infringed upon. They can also use your information to potentially breach other accounts, such as online banking services or e-commerce accounts, like Amazon.
  • Don’t click on untrusted links. Scammers use various techniques to get people to give away their Facebook login details. Clicking on an email link entitled "Facebook X-mas Specials", for example, could lead to a fake Facebook portal which invites users to enter their credentials. Since the interface seems identical to the real entry page, users don’t realise what’s happening until it’s too late. Once the victims have entered their details, the hacker has their passwords. You should, therefore, never click links that don’t come from trusted sources. But even if a link has been posted from a friend, still watch out - they may have been hacked.
  • Use two-factor authentication. Social media sites such as Facebook and Twitter are becoming more security-conscious. Both have introduced two-factor authentication, which means that in addition to the password the user must supply a second credential, such as a one-time code sent by text message or generated by an app on their phone, when logging in. So even if someone gets hold of your password, they won't be able to log in because they won't have that extra credential.
  • Get the right security. Different types of malware circulating on the web try to steal social media passwords, such as the innocent-sounding Pony credential stealer. Others, like Kelihos, spread via Facebook and attempt to steal other personal data. Beyond precautions such as thinking before clicking on links, users need to invest in a decent anti-virus solution that can deal with the latest and most prevalent threats. A properly configured firewall is also essential.

About the Author:
Sarah writes for Firebrand Training.

Friday, 22 November 2013

What the future holds – eight IT security predictions for next year


Hope for the best and prepare for the worst. It may sound like an old cliché, but being prepared is the foundation of good IT security. This year we've seen some high-profile data breaches, ransom-demanding malware and prominent cybercriminal arrests. After an eventful 2013 we are curious what 2014 will bring, and so are the researchers at Websense Security Labs, who compiled a list of their predictions* for the new year.

Lower levels of advanced malware

According to the Websense ThreatSeeker Intelligence Cloud, the volume of new malware is heading for a decline. That is not good news for companies, though, because cybercriminals are switching to lower-volume, more targeted attacks to reduce the risk of detection. Long story short: there will be fewer attacks, but each will carry greater risk.

There’s a major data-destruction attack on the horizon

In the past, network breaches have mostly been about selling information for money. In 2014, enterprises should be concerned about hackers destroying data. Small and medium-sized companies should also stay alert, as ransomware attacks are expected to target them.

Cloud data over network

Huge amounts of sensitive business data have moved to the cloud in the last few years. It therefore seems logical, and perhaps even convenient, for attackers to adopt a new approach and target cloud services rather than on-premise servers.

Power struggle in the exploit kit market

Following the arrest of “Paunch”, the alleged creator of the Blackhole exploit kit, the market is likely to see a power struggle for the leading position. The Neutrino and Redkit exploit kits are expected to consolidate their positions in 2014.

Java will remain exploitable and therefore exploited

As most endpoints will continue running older versions of Java, they will remain highly exploitable. Next year cybercriminals will put great effort into developing new multi-stage attacks, as well as making use of tried-and-true methods.

BreachedIn aka compromising organisations via social networks

Cybercriminals are expected to come up with more and more ways of luring executives and compromising networks, with the help of professional social media platforms, such as LinkedIn.

Only the strong ones will survive

This may sound a bit over the top, but similarly to a food chain, the weakest ones will be the primary targets. Obviously, they do not have to be afraid of being eaten, but if they’re the “weakest links”, they must watch their backs to avoid serious breaches.

“Offensive” security mistakes are likely to happen

Retaliatory actions against (alleged) attackers are the basis of “offensive” security. However, as in real warfare, tactical mistakes can happen, which might put innocent organisations in the crossfire.

*Original article written by Information Age editor, Ben Rossi. 

About the Author:
Sarah writes for Firebrand Training.

Wednesday, 20 November 2013

CryptoLocker attacks on the rise – SMEs in danger


Imagine the following scenario: you are surfing on the web, checking your emails, opening the attachments and then suddenly your monitor displays a splash screen with a countdown timer and the message “Private key will be destroyed on [date]“, unless you pay. Your PC has just been infected by a relatively new, increasingly common Trojan horse malware, called CryptoLocker. All your photos, videos, documents and other important files have been encrypted and your only option appears to be to satisfy the demands of this ransomware and its creators by paying, hoping that your files will be decrypted and the nightmare ends.

The UK’s National Crime Agency has issued an urgent alert to PC users about CryptoLocker and the threats it poses. As described in the statement, tens of millions of UK customers are receiving emails that appear to be from banks and other financial institutions. However, the primary targets appear to be small and medium businesses.

According to recent reports and the NCA’s warning, the amount of “ransom” demanded by CryptoLocker is 2 Bitcoins (£550 as at 18/11/13).

What can you do against it?

As in many other cases, prevention is far more useful than searching for a cure once it is too late. So what can we do? According to Graham Cluley's extensive article on the matter, the answer is three-fold.
  • Keep your PC up-to-date with anti-virus and security patches and don’t open unsolicited email attachments.
  • Set a software restriction policy on your PC to prevent executables from running from locations they have no business running from, such as the user's application-data and temporary folders.
  • Make regular backups of your important data and keep them separate from your computer.
To learn more about CryptoLocker, read the full article on

About the Author:       
Peter writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself.

Wednesday, 6 November 2013

A story about how your life can get hacked


Have you ever wondered about what it’s like to be hacked? Investigative journalist Adam Penenberg has too, so he hired a group of hackers to find out how vulnerable he is. The ground rules to this experiment forbade the hackers to do anything unlawful, for instance breaking into Adam’s house, and they also had to leave his children out of it. Other than these two conditions, the hackers, led by SpiderLabs founder Nicholas J. Percoco, were allowed any technique to breach Penenberg’s privacy as much as possible.

“It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.
I’m being hacked — and only have myself to blame.” – extract from Adam L. Penenberg’s article.

Percoco and his team spent a few weeks trying to hack Penenberg and, despite some initial difficulties, their efforts were eventually rewarded. Within a relatively short time the attackers had gathered enough information, including usernames, passwords and credit card details, to ruin someone's life.

Facebook profile, Twitter account, Amazon account, online banking, you name it. The hackers gained access to all of them. They even did a little shopping on Amazon and ordered 100 plastic spiders to Penenberg’s house, at his expense of course.

At the end of the experiment Percoco gave a report to Penenberg, which listed their plans, as well as a log of their progress. To see the chilling results, read the full article

About the Author:
Sarah writes for Firebrand Training.

Thursday, 12 September 2013

Touch ID - security concerns and flaws


Apple's keynote on Tuesday did not bring too many surprises. Although the company did not reveal as many new products as expected, the most important ones, iOS 7 and two new iPhones, got a fair share of stage time. While most people are admiring the new colours, the slightly changed looks or the simplicity of iOS 7, IT pros and tech fans are concerned about the mobile security issues raised by Touch ID.

What it is

Touch ID is the name of Apple's new pride, a fingerprint sensor in the iPhone 5S's home button that unlocks the device through biometrics. Although the Motorola Atrix had a fingerprint scanner two years before the new iPhone, 'innovations' sound more exciting to many when presented by Apple. But let's put trends and the craze aside and look at the potential flaws and risks of the revamped home button.

Concerns and flaws

According to the Cupertino-based firm, Touch ID stores the encrypted fingerprint data on the device's A7 chip and never sends it to iCloud or any of Apple's servers. The company also reiterated that third-party applications will not be able to use the fingerprint scanner, for now. But what happens when that day comes? What happens if apps can somehow reach the stored data? If the fingerprint data could be extracted by an exploit, you would be facing a much bigger problem than a simple breach: your fingerprint would be given away instead of your password, and, let's be honest, passwords are easier to change than fingerprints. Nor is your fingerprint only used for your new iPhone. Think of biometric passports, or of facilities where fingerprint authentication is required for entry.

Besides these potential security issues, future users of the iPhone 5S may run into further annoying flaws, such as the strictness of the fingerprint sensor. Imagine you have just moisturised your hands or cut your finger in a kitchen accident and suddenly you are unable to unlock your phone. Although the four-digit passcode and password options remain available, it is surely frustrating not to be able to use one of the headline features of your new handset.

Many will have a go at it

Until the smartphone is officially out, we can only speculate about how Touch ID will perform in everyday life, but one thing is certain: many of us will try to fool it, one way or another. However, the more concerning fact is that so will hackers. 

About the Author:
Peter writes for Firebrand Training.

Thursday, 5 September 2013

Shall we drop our data into the box?


With the BYOD (Bring Your Own Device) policy becoming widely popular among some organisations, employees are feeling more comfortable, working on their own laptops, tablets or even smartphones. But should employers feel comfortable too? Should they trust the protection offered by file-sharing and cloud services? Think of the recent Dropbox security breach resulting in a massive spam attack, and your response will surely be no.

Most people tend to use similar, if not the exact same, passwords to their online accounts, be it social media, email, banking or cloud services. To a hacker, this is almost like offering up all your sensitive information, and most importantly that of your company, on a silver platter. Sounds scary, but we tend to do it, don’t we? 

Mathew Schwartz says if you are using Dropbox, on an organisational level, you should bear the following points in mind:

  • Monitoring Use
If you decide to allow the use of file-sharing services and/or storing your data in the cloud, you might as well keep an eye on it. Continuous monitoring is the first step towards noticing all potential threats.

  • Comparing Cloud Service Security
Although many business users have little trust in cloud security, the number of accounts keeps rising, yet only a few users have done their research. Long story short: before uploading your data to the cloud, you must evaluate whether that particular provider has the measures in place to protect your information.

  • Treat Dropbox As A Public Repository
Employees should be told that, until Dropbox steps up its security, they should consider everything they upload to be public, almost as if it had been posted to the likes of Google+ or Facebook.

  • The risks of insider theft
Insider attacks are listed among the most feared threats, simply because they are hard to detect. Imagine malicious insiders uploading sensitive data to Dropbox, and taking it all with them, when they get themselves fired. You must always have access to your data; therefore, using a centrally managed file-sharing service should be a no-brainer.

From the above points it seems obvious, that cloud security should be absolutely essential to every user. Luckily, many well-secured cloud providers are available. However, their services can be expensive. But, then again, consider the costs of a secure cloud, as opposed to the potential costs caused by a breach. You know it's money well spent. 

About the Author:
Peter writes for Firebrand Training.

Thursday, 22 August 2013

Attack techniques by the numbers


Verizon released its 2013 Data Breach Investigations Report (DBIR) which offers security pros a guide to the most persistent threats and where attention should be focused to defend against them.

The report used the data obtained from breach investigations that they and other organisations performed during 2012. The data includes a total of 621 confirmed data breaches and over 47,000 security incidents from around the world.

According to the report, 52% of the data loss incidents it examined were the result of some form of hacking.

The report considered more than 40 attack techniques (some incidents used more than one), but the majority fell into just five categories, which shows where attackers' preferences lie. Of the 52% of breaches that involved hacking, 80% involved guessing, cracking or reusing valid credentials.

Types of attack can vary depending on the size of the company. Small companies tend to get more "brute force" attacks on authentication while larger companies have more issues with stolen credentials.

The best defence against these forms of attack is to move to multi-factor authentication, although it is not a silver bullet, and Verizon also notes that password problems are not easy to fix. Policies requiring adequate password length and complexity are vital and help reduce the risk. We wrote about passwords and how to make them more secure in a previous post; you can find it here.
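The brute-force pattern the report attributes to small companies is also one of the easiest to spot in your own logs, and a success from a source that has just been hammering the login is the tell-tale of the stolen-or-guessed credential the report warns about. The following added example (not code from the post or from the Verizon report) runs that detection over a handful of constructed OpenSSH syslog lines with invented hostnames and documentation-range IP addresses: it keeps a sliding window of failures per source address, raises an alert when the threshold is crossed, and raises a second, higher-priority alert if that same address then logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for this example (OpenSSH syslog format,
# invented host "gw", RFC 5737 documentation IP ranges).
SAMPLE_LOG = """\
Mar 19 10:00:01 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 19 10:00:02 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 19 10:00:03 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 19 10:00:04 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 19 10:00:05 gw sshd[2011]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 19 10:00:06 gw sshd[2011]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 19 10:05:00 gw sshd[2044]: Failed password for sarah from 198.51.100.4 port 40001 ssh2
Mar 19 10:05:30 gw sshd[2044]: Accepted password for sarah from 198.51.100.4 port 40002 ssh2
Mar 19 10:09:00 gw sshd[2090]: Failed password for sarah from 192.0.2.9 port 40010 ssh2
Mar 19 10:10:00 gw sshd[2091]: Accepted publickey for peter from 192.0.2.10 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2014):
    """Turn one sshd line into a dict, or None for lines we don't care about.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window_s: int = 60):
    """Sliding-window detector.
    - `threshold` failures from one IP inside `window_s` seconds -> 'bruteforce'
    - a later successful login from an IP that tripped that alert ->
      'success_after_bruteforce' (a credential was guessed or was already stolen)
    Returns the alerts in the order they fire."""
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()              # ips already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["ip"] in flagged:
                alerts.append(("success_after_bruteforce", ev["ip"], ev["user"]))
            continue
        q = fails[ev["ip"]]
        q.append(ev["ts"])
        # drop failures that have aged out of the window
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append(("bruteforce", ev["ip"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The one legitimate user who mistypes a password once (198.51.100.4) never trips the threshold, which is the point of requiring several failures inside a short window rather than alerting on every failure. In practice you would also tune the threshold per user rather than per IP, since credential-stuffing attacks spread a few attempts across many source addresses.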

When discussing the importance of information security, it’s important to remember that anyone can be a target. You've probably heard excuses like "we're too small to be a target" or "we don't have anything of value", but if there is anything the Verizon report shows us, is that breaches can and do occur in organizations of all sizes in all types of industries.

Financial gain drives most breaches, especially in the finance, retail and food-service sectors, but attackers also target industries whose value lies in intellectual property, such as manufacturing and professional services.

Below is a list of the attack techniques ranked by overall frequency.

Figure: By the Numbers: Attack Techniques (Verizon 2013 DBIR)
The report contains a lot of information that paints a clear picture of the motives and techniques used by attackers to compromise their target organizations. It's an interesting read and there are many lessons that can be found within. You can download the report here.

About the Author:
Julian writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Julian is the company's Digital Marketer.

Monday, 19 August 2013

Why mobile security is important


We love our gadgets, regardless of whether they're for work or entertainment, we just love them. We browse, we shop, we even bank with them. With the continuous increase in both smartphone and tablet sales, it is fair to say that every day more and more of us get enchanted by the never-ending range of games and applications available in the various e-stores. However, we must not forget that we might not be the only ones trying to make a transfer from our own bank account.


Security-testing specialist Veracode has created an infographic with a set of important information and statistics we are probably not aware of. According to this infographic, 40 million tablets were sold between 2011 and Q3 of 2012, so in less than 2 years. Evidently this number has rapidly been increasing ever since.  By the end of last year, around 1 billion mobile devices had been activated and numbers of mobile broadband subscribers are estimated to increase to 3.1 billion by the end of 2015. Big figures.  

But what does this mean? Apart from more train passengers with their heads down, it means a continuously growing target audience for hackers and cyber-criminals. Malware, phishing, dodgy background processes, hidden spyware, you name it, they are all out there. In fact, one of them may be hidden in the next app you download. So, if you want your data to stay intact, it is time to take some countermeasures:
  • Use Password Protected Access Controls
  • Control Wireless Network and Service Connectivity
  • Try Mobile Antivirus Software or Scanning Tools
  • Back Up Your Data
  • Beware of Free Apps
For further statistics and tips on mobile security, see the complete infographic by Veracode here.

About the Author:
Peter writes for Firebrand Training.

Monday, 29 July 2013

The World's Biggest Data Breaches in one Infographic


Major data breaches, leaks and hacks are becoming more and more common. But beginning to understand the sheer numbers involved may be hard.

Information is Beautiful created a brilliant interactive infographic of the world's biggest data breaches, highlighting some of the most high-profile attacks. It lets you filter by organisation, method of leak, and gives you a brief description of the breach with a source to full articles. It really puts the importance of IT security into perspective and is really rather distressing.

The infographic includes all of the most recent attacks in 2013 such as the recent incidents with Evernote, LivingSocial, Facebook, LinkedIn, Yahoo and Twitter.

But it seems that technology companies aren't the only ones at risk. "Video gaming sites and organizations have suffered the most," said David McCandless, who runs Information is Beautiful. He adds that “in terms of sheer numbers of records breached, they really get owned."

The healthcare industry also faced its share of serious data breaches, which is worrying considering the sensitivity of the data.

The infographic also shows the huge T.K. Maxx security breach in 2007 that put more than 45 million credit and debit card users at risk. The scary thing is that many slip under the radar meaning the illustration may just be showing the tip of the iceberg.

McCandless stated that "some companies such as Twitter are upfront and transparent about getting the news out as soon as they are hacked, while others like Apple are super uncommunicative".

You can click on each attack to learn more about what happened. Click here to check it out.

About the Author:
Julian writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Julian is the company's Digital Marketer.

Wednesday, 26 June 2013

Cloud security flaws: "My entire digital life was destroyed"


Cloud computing has raised a number of security concerns since its arrival, and those concerns are becoming a reality for many victims.

The idea of the cloud is to store everything in one place; the obvious downside is that this makes everything much more vulnerable to theft. And when we say everything, we mean EVERYTHING.

This is becoming a major concern as cloud is the new 'big thing' to happen to the IT industry, with Apple pushing its iCloud, Amazon pushing its AWS, Google starting to push it too and the big one, Microsoft, with its increasingly popular cloud-based Windows 8.

So if these security issues are not going to be dealt with, many are going to suffer the same consequences Wired blogger Mat Honan did when he had his “digital life destroyed in the space of just 1 hour”.
Photo: Ariel Zambelich/Wired. 
His story exposes several security faults in many customer service systems - in this case Apple and Amazon. 

All the hackers had to do was contact Apple support, who gave them access to his iCloud account.

Then they contacted Amazon support, who gave them access to small pieces of sensitive information, such as the last 4 digits of his credit card number.

These 4 digits were then used to pass Apple's security questions and gain further information, which led to the following chaos.

"First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."

Read more on Mat Honan's story here.

How do you feel about cloud security? Has anything like this happened to you?

About the Author:
Sarah writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Sarah has 11 years of experience in the IT industry.

Tuesday, 18 June 2013

‘Unhackable’ Cryptography


As computers get faster and more powerful, and hackers get smarter and more sophisticated, it is getting harder to protect sensitive information transmitted over the internet.

But hacking sensitive data might become a thing of the past, as researchers have almost perfected the most sophisticated way of encrypting information: quantum cryptography, but now without the separate optical fibre that is usually required.

The idea was developed by Cambridge University engineers in the UK and by Toshiba's European research laboratory. It takes everything a step closer to what is now being dubbed 'unhackable' and can soon be introduced into credit card transactions.

What is Quantum Cryptography?

Quantum cryptography was developed from the laws of quantum theory to create what could be uncrackable codes that can even show whether they have been tampered with or snooped on. The reason it is uncrackable is that it relies on the laws of quantum physics: if you try to observe a photon, it behaves differently from how it would behave if you were not observing it. It is rather hard to explain, so I'll leave that part to an expert. Alex Filippenko explains it with the double helix experiment in the video below.

Quantum cryptography uses single photons, the smallest particles of light, in different orientations to produce a continuous binary code, or "key," for encrypting information. The rules of quantum mechanics ensure that anyone intercepting the key is detected, providing highly secure key exchange.
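The detection property described above can be seen in a simulation. The following is an added example, not code from the article or from Toshiba: it models the standard BB84 key-exchange scheme (an assumption, since the post does not name the protocol), with an intercept-and-resend eavesdropper whose wrong-basis measurements show up as errors in the sifted key.

```python
import random

# Constructed simulation of the BB84 quantum key distribution scheme.
# Basis 0 = rectilinear, basis 1 = diagonal.  Measuring a photon in the
# basis it was prepared in returns the encoded bit; measuring it in the
# other basis returns a random bit and destroys the original state.

def measure(bit, prep_basis, meas_basis, rng):
    """Bit read by whoever measures the photon (Bob, or Eve in between)."""
    if prep_basis == meas_basis:
        return bit
    return rng.randint(0, 1)

def bb84(n_photons, eavesdrop, seed=1):
    """One BB84 run.  Returns (qber, alice_key, bob_key)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bits = []
    for bit, basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, then sends Bob
            # a new photon carrying what she saw, prepared in her guessed basis.
            e_basis = rng.randint(0, 1)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, basis, b_basis, rng))
    # Sifting: Alice and Bob announce bases (never bits) on a public channel
    # and keep only the positions where they happened to choose the same basis.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    sifted_a = [alice_bits[i] for i in keep]
    sifted_b = [bob_bits[i] for i in keep]
    # Error estimation: every other sifted bit is revealed and compared.
    # Intercept-resend disturbs about 25% of them; a clean channel gives 0.
    sample_a, sample_b = sifted_a[::2], sifted_b[::2]
    errors = sum(a != b for a, b in zip(sample_a, sample_b))
    qber = errors / len(sample_a) if sample_a else 1.0
    # The revealed bits are discarded; the remaining bits form the raw key.
    return qber, sifted_a[1::2], sifted_b[1::2]

def intruder_detected(qber, threshold=0.11):
    """Abort when the error rate exceeds the tolerated bound (11% is the
    textbook BB84 figure; it is a parameter here, not a product claim)."""
    return qber > threshold

if __name__ == "__main__":
    for eve in (False, True):
        qber, key_a, key_b = bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={qber:.3f} abort={intruder_detected(qber)}")
```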

A similar technique is already being used by governments and the military, but one of its drawbacks is that the quantum keys used to encode and decode the information have to be sent as single photons (particles of light) across an optical fibre separate from the line carrying the data itself. This made it extremely complicated and expensive, especially over long distances. But this has now changed.

Andrew Shields from Toshiba Research in Cambridge stated: "The requirement of separate fibres has greatly restricted the applications of quantum cryptography in the past, as unused fibres are not always available for sending the single photons, and even when they are, can be prohibitively expensive."

"Now we have shown that the single photon and data signals can be sent using different wavelengths on the same fibre."

The Toshiba system, outlined in research published in the journal Physical Review X, still requires an advanced detector that picks up the encryption key in a time window of just 100 millionths of a micro-second, at the expected arrival time of the single photons.

The detector is able to filter out the 'noise' in the fibre caused by the data signal itself, thereby avoiding the cost of dedicated optical fibre lines.

Previously, quantum cryptography did work on shared optical fibres, but only over short distances, at low data rates, or with data moving in only one direction.

The researchers state that their system can move data back and forth over 50 km with the encryption.

Learn about Cryptography

Opportunities in IT security are popping up everywhere, so why not take them? Get the right security certification and earn on average £50,000. Here are two certs which are highly respected, guarantee career advancement and teach you about cryptography. Read about the top IT security certifications, what you'll learn and how much you can earn here.

About the Author:
Sarah writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Sarah has 11 years of experience in the IT industry.

Friday, 7 June 2013

The single tweet that crashed the stock market


On the morning of the 23rd of April, the Associated Press agency, a powerful media outlet in the US with over 2 million followers on Twitter, tweeted a disturbing message to the world: "Breaking: Two explosions in the White House and Barack Obama is injured".

Within minutes, the message had been retweeted thousands of times, the New York Stock Exchange was on high alert and traders anticipated the impact of the news on the economy. The Dow Jones Industrial Average, which tracks the share prices of the top US-listed companies, fell by 100 points and the stock market was in chaos.

It was not long before the White House confirmed to the press that nothing had happened, and the market recovered. It then quickly became clear that AP's Twitter account had been hacked. A group calling themselves the Syrian Electronic Army claimed responsibility for the hack. They are said to support the Syrian president Bashar Al-Assad, and have targeted several media outlets such as the BBC and the Guardian.

IT security professionals later found that an "impressively disguised phishing email" sent to an AP journalist allowed the hackers to extract data, including the password for AP's official Twitter account.

A financial trader stated that after reading the tweet he had the same feeling as when he heard about the 11th September attacks, and he knew it would affect the market a lot. He added: "When I realized it was a fake tweet I was outraged and ashamed that the market was able to be manipulated so easily."

On top of seeing first-hand the effect an attack like this can have on the financial market, it is scary to know how easily hackers can steal information from a central pillar of the global economy's information flow. All of AP's employees have since been briefed about cyber security and phishing attacks.

The attack raises the question: are your government and media outlets prepared and ready for similar attacks? We recently mentioned that the UK government announced plans to allocate £650 million to cyber security as part of its four-year National Cyber Security Programme. But is it enough? Read more here.

About the Author:
Sarah writes for Firebrand Training on a number of IT related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Sarah has 11 years of experience in the IT industry.