In spite of spirited efforts from email providers, browser developers, and security firms, phishing continues to be a major nuisance. There are already repositories like Phishtank that rely on crowdsourcing to identify phishing campaigns. However, crowdsourcing is not nearly nimble enough to tackle phishing scams that often require just a few hours to cause the intended damage.

Now, a new Cisco spinoff called Agari is trying to tackle the problem by combining multiple sophisticated approaches including authentication of the sender, message analysis, and end-to-end email channel visibility. Google, Microsoft, Yahoo, and AOL, who are amongst the biggest email providers, have joined hands to provide metadata about emails passing through their networks to Agari, which uses its cloud infrastructure to analyze more than 1.5 billion messages every day. It doesn’t receive the actual messages, but might receive suspicious links contained in the message along with miscellaneous metadata. Agari, which is launching today, has Facebook and some of the largest financial institutions, social networks, and ecommerce companies as its customers. Besides the aforementioned four email giants, file sharing website YouSendIt, social network LinkedIn, and Cisco are also part of its trust fabric network.

“Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo,” for instance, Daniel Raskin, vice president of marketing for Agari, explained to CNET. “They receive a real-time alert and they can construct a policy to push out to carriers (that says) when you see this thing happening don’t deliver it, reject it.”

Agari, which had been operating in stealth mode for the past couple of years, protects 50 percent of U.S. consumer e-mail traffic and more than one billion individual mailboxes. During its stealth phase, it rejected more than one billion messages across its email partners. Agari believes that by having end-to-end visibility over most messages it can rapidly react and stop phishing campaigns in their tracks.

Team Poison is a notorious hacker collective, which has managed to survive without being part of Anonymous. We have seen Team Poison in action earlier, when they engaged LulzSec and  exposed many of their members  back in June. A few days ago, Team Poison joined hands with Anonymous on #opRobinHood, which protests against banks. However, what they have done lately does not fall under the premise of any ongoing operations directly.

Team Poison has hacked the website of the  United Nations Development Programme, Organization for Economic Co-operation and Development, UNICEF, World Health Organization,  and has leaked an enormous list of usernames, emails and passwords. The idea behind this leak was to protest against the fact that

the bureaucratic head of NATO used to legitimise the Barbarism of Capitalist elite.

Anonymous has had many failed claims recently because of half-hearted support. However, with Team Poison, they have managed to hack into a huge list of login credentials, many of which are admin accounts.

The UN is a worldwide organization, and this hack proves just how vulnerable it is. The collectives participating in this hack have exclaimed at the lack of security at these UN departments with,

United Nations, why didn’t you expect us?

The list of passwords found in the Pastebin document shows some user accounts with common passwords like “12345″ and “password”. Some even used their own username as the password, and there were a few user accounts with the same email ID, username and password. Moreover, a vast majority of users had no password at all. Clearly, security has been the least of their concerns.

A hacker from Nepal, who goes by the name of Cru3l Int3ntion,  has released a huge list of Facebook usernames and passwords. This comes a few days after Facebook was hacked, and Facebook users found pornographic content on their wall posts. The hack is not motivated by any reason, and the hacker in question (Cru3l Int3ntion) does not seem to be affiliated with any international hacker collective. He claims responsibility for this hack, and has not tagged it under any Anonymous operation.

Cru3l Int3ntion has leaked login details for over 2500 Facebook accounts. The total list is 500 KB in size. Most of the hacked accounts have been locked due to repeated login attempts from multiple locations. This is Facebook’s preventive measure against hacks.  The method used in this hack is unknown.

Facebook has become a phishing haven. A few days ago, another hacker Cr@zy 3xpl0!t released a list of hacked Facebook accounts.  A hacked Facebook account is a whole world of private data and this makes it so attractive for phishing scams. Unless Facebook does about it, its users are under a continuous risk. Phishing scams on Facebook are at an all-time high, and solving this is their biggest challenge at the moment.

If you want to check whether your Facebook account is hacked, head over to  pwnedlist.com.

Captcha is no surety of safety, demonstrated a group from Stanford University, thwarting the best guard we have against automated attacks. Captcha is supposed to be breakable only by humans, but not by bots or any other automated machines. A word or phrase, written in a style that cannot be read by a text editor is the method to achieve this. Users have to enter this code in order to gain access. It was developed at Carnegie Mellon University by a graduate student in 2000. Captcha is actually a fancy acronym for a bland sentence Completely Automated Public Turing Test to tell Computers and Humans Apart.

Breached!!

The Decaptcha

Stanford Security Laboratory post-doctoral researchers Elie Bursztein, Matthieu Martin and John C. Mitchell busted that myth as they created a tool, named DeCaptcha, that breaks codes 13 out of 15times. The sites used for testing were high-profile sites like CNN, Visa, eBay and Wikipedia. Bursztein says:

For example, our automated Decaptcha tool breaks the Wikipedia scheme… approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas

The principle for the working for Decaptcha is simple it just reduces background noise, breaks strings into single characters and recognizes the pattern. It achieved varying degrees of success at various sites. It broke Visa’s Authorise.net 66% of the time and eBay 43% of the time. Wikipedia clocked in at 25% in the rate of being breached.

The team shared a report elucidating the strengths and weaknesses of the Captcha method. The link is given below.

Report link:  http://cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf

Google Untouched!

There is, however, some good news for those seeking online security. Google was unbeatable and so was reCAPTCHA. reCAPTCHA is an improved version of Captcha, which makes it more difficult for bots to recognize patterns by warping and twisting words into strange forms readable only by humans. Google now owns reCAPTCHA, which it acquired in 2009. On these two cases, Decaptcha scored no breaches.

Not yet breached!

The bottom line is that Captcha needs to be upgraded. Next time you feel smug about getting in a site by correctly typing in the captcha code, think twice. There are some smart computer programs sharing the same cyberspace!

Report on strengths and weaknesses of Captcha:  http://cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf

Today, I received a letter from Emsisoft that explained how a well known group of hackers in Germany discovered and tested a trojan program that’s used by the German Federal government to spy on its citizens. These white hat hackers, known as the Computer Chaos Club, determined that the “R2D2″ or “State Trojan” is not only able to spy on an infected target computer, it’s also able to download more software and remotely control the target computer. So far, it’s designed to work only on Windows based PCs.

Back in 2008, Computerworld reported that WikiLeaks documents provided information that Germany had hired a company named “Digitask” to create a trojan spy program for them. A few days ago, ZDnet was confirming that a few of the German State agencies have admitted to using this trojan in their investigations. Naturally, these were “legal” uses of the trojan, and required a judge’s signature.

The Electronic Frontier Foundation was curious to see if the U.S. Government had similar trojans, and in 2008, they submitted  a FOIA request. Unlike many other attempts to get information released, the EFF received documents that revealed how the FBI was investigating ways to intercept Skype conversations. I think we can assume that since then, the U.S. has done more than just “investigate” how to spy on Skype.

What does all of this mean to the average Windows user? It means that you not only have to worry about threats from the usual hackers after your money, you also have to worry about “Big Brother” trojans from your own government. Fortunately, companies like Emsisoft, F-Secure and Sophos have assured us that they intend to search and elimate government trojans as well as the typical spyware we’re used to seeing.

For those of you who are using Macintosh or Linux instead of Windows, feel free to stick out your tongue and say “na na na na na na“. You don’t have to worry about these trojans … for now.

In an attempt to help people stay safe on the Internet and manage the way of sharing information online, the Citizen’s Advice Bureau (CAB) has teamed up with Google to promote online safety in the UK and the rest of the world.

The campaign, which will include adverts in newspapers, on public transport and online, is basically done to create awareness about online safety and teach users to take suitable steps to ensure that they’re more secure when surfing the web (and other online activities). It also provides an overview of some of the security tools that Google offers.

The site “Good to Know” has 4 main categories, namely -

• Stay safe online -
  This section provides you with helpful tips and advice for staying more secured on the web. Some of the terms explained here are choosing strong passwords, phishing and malware attacks, identifying secure sites (https), safe networks, mobile security, family safety, shopping safety, and so on.
• Your data on the web -
  This particular section explains how you can keep your data safe from hackers and phishers.

• Your data on Google -
  Google here tries to explain its five privacy principles that describe how they approach privacy and user information across all of our products

• Manage your data
  Lastly, Google elaborates on some of the ways of managing what you share online, with Google and with others. This section enlightens you about Google Talk, Incognito mode in Chrome, Google+ and +1 button, Google Docs, and so on.

The campaign also provides you with the following tips -

• Use two-step verification for accounts, which will add an extra layer of security to your account.
• Pick strong passwords, which are not-so-easy to crack.
• Always look for “https” websites.

Campaigns like this are pretty good to learn, since they explain complicated stuff (safety advice) into simpler and easily understandable terms. This is Google’s first campaign advertising, other than their products like Google Chrome and Android mobile operating system.

Anthony House, Google Communications and Policy Manager said: Everyone wants to stay safe online, but many people aren’t confident that they know how to. We’re launching the Good to Know campaign and website to provide easy steps everyone can take.”

Gillian Guy, chief executive of the Citizens Advice Bureau added: We are delighted to be working in partnership with Google. Citizens Advice is all about straightforward, simple advice on the issues that matter, so helping people take control of their safety and privacy online is right up our street.

With a world full of malware, identity thieves and hackers, securing your computer properly is of at most importance. But unfortunately, most of us do not think further than installing security software. Mostly it is only after you get infected or hacked, that you realize you have done too little. But it would be too late by then.

The truth is, by following some very simple practices, you can easily minimize chances of being infected. Here’s a rundown of some of basic tips to secure your computer.

Install reputed Anti-virus software

You should make it a habit of installing an anti-virus (AV) software right after you install your OS. There is free antivirus as well as paid security software. If you are ready to shell out a few bucks, you can go for paid solutions. But the free ones work just fine. When you buy/download security software, make sure that it is a reputed one. A simple Google search can give you an idea whether the software is good or not. There are lots of Fake AVs doing the rounds and you don’t want to end up getting one of those. So this is an important step before getting a security suite.

Also Read: Protect Yourself from Internet Threats

Some examples of paid security software are Norton, NOD32, and Vipre etc. Free ones include AVG, Avast and Microsoft Security Essentials.

As I mentioned before, just having the anti-virus installed is not enough. You have to use it wisely. And by using wisely, I mean turning on the real-time protection, updating the AV and scanning your PC in regular intervals. The real-time protection mechanism monitors you PC all the time and will warn if there is any suspicious activity. Almost all major AV software has this feature.

Malware of different types are being released to the internet every minute and running an out-dated anti-virus makes your PC more susceptible to those malware. A common trend nowadays is that people tend to use trial versions of paid security suites that come pre-installed even after the trial has expired. Do not do that. As the trial is expired, you won’t be getting updates and your AV will be of no use unless you have the latest updates. So pay to get the full version of that software or else choose a free one to get those valuable definition updates. Remember! Updates are the spirit of your AV.

Do a system scan once in a while. A full scan every week would suffix. Most of the modern AVs allow you to schedule regular scans and automatic updates so that it requires minimum intervention from the end user.

Update the OS and all other installed software

While trying to break into a PC, it’s not just the vulnerabilities in Windows that the hackers take advantage of. Vulnerabilities in third party software are also an important issue. So make sure that all of the programs that you have installed are fully updated and not just your OS or security software.

Use a strong and unpredictable password

Your password is the key to your data and it is extremely important that you use a strong password. Here are some tips on creating a strong password.

• Your password should have more than 8 characters.
• Use a password that is not easily predictable. People tend to use passwords that are related to them such as their own names, date of births, favorite quotes etc. A hacker who stalks their victim’s social networking accounts such as Facebook can find this kind of information very easily. So it is very important that you use an un-related word, preferably a non-dictionary word as your password.
• Try to include upper case letters, lower case letters, numbers and special characters to strengthen your password.
• Do not use a single password for all your accounts. If you use a single password and your account gets hacked, your other accounts are also compromised.

Also Read: Tips to Create Easy-to-remember Strong Passwords | 4 Tools to Generate Strong Passwords

Practice safe browsing habits

Bad browsing habits are one of the major sources of malware infection. Always be vary of things that your download from the internet. Even if you download something from a trusted source, scan it before opening or executing the file. Do not download pirated software or media as there’s a big probability that they might be infected with malware.

Use your browser’s security features such as the smart screen and phishing filter while browsing. All of the major browsers such as IE, Firefox and Chrome come with these features.

While using social networks, be careful about whom you befriend and the level of data that you want to share with. For more on Facebook security, check out this guide.

Backup your data

Even if you are following the above practices, it is better to have a backup’ plan. The best method is to backup your data to an external hard drive. There is lots of software that will do this for you. Using Windows built in tools; you either do a full PC backup or choose which data you want to back. These settings can be found in the Backup and Restore Center in Windows 7 and Vista (just type backup in the start menu and press enter to open the Backup and Restore Center).You can also use paid software like Acronis True Image or Norton Ghost if you need more features.

Whether you use paid solution or the native Windows tool, make it a habit to backup important documents and media so that even if your system gets infected or corrupted, you don’t lose your important data.

You can also use Online Storage websites to backup your data to the cloud. We have covered several services which allow users to backup files for free online, you will find most of them in our Online Storage section.

With the help of security software and by using our very precious common sense, we can easily reduce the chance of getting infected up to a great extent.

So stay safe and happy browsing!

Just three weeks after the launch of the Bug Bounty Program, social networking giant Facebook, announced that is has paid out US$40,000 in rewards so far to expert hackers who have successfully identified and reported security loopholes on the site.

Facebook introduced the Bug Bounty Program in an aim to encourage security researchers to report loopholes and glitches on the social networking site, and as a token of appreciation, Facebook offered them a monetary bounty of $500.

In a blog post by the Chief Security Officer of Facebook, Joe Sullivan stated that, During the past three weeks, Facebook has paid more than $40,000 to security experts around the world, with one individual receiving over $7,000 for identifying 6 different issues, while another person earned $5,000″.

He also clarified that the $500 bounty is a minimum payout, thus attracting more security researchers to participate in the program and earn big bucks. However, it is also clear that the bounty program is only applicable to the Facebook website and has nothing to do with Facebook applications.

In addition to that, the researcher who reports a bug first is only rewarded. For instance, if two researchers find the same bug individually, the first one who reports it will be eligible to claim the reward.

If you are a security researcher, then you might be interested in taking part in the Bug Bounty Program? Here are some eligibility criteria that every researcher must follow -

• You must be the first person to responsibly disclose the bug.
• Give Facebook a reasonable time to respond to your report before making any information public.
• You must live in a country not under any current U.S. Sanctions.
• You agree to report issues that may compromise a user’s information including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code injection.
• Only one payment per bug will be awarded.
• Bugs in third-party applications, third-party websites that integrate with Facebook, Denial of Service Vulnerabilities or Spam or Social Engineering techniques will not be eligible.

To know more about this, click here  here.

While Facebook is being extremely loyal and generous to security researchers by paying them what they deserve, other companies like Google and Mozilla offer similar services. Earlier in August 2010, it was  reported  that Google gave away a total estimate of $10k of rewards. Mozilla  also has the bug bounty program which pays $3,000 in hard cash plus a free  Mozilla  T-shirt for finding bugs!

On a similar note, in 2007 the Business Software Alliance announced that tipsters who report their company’s illegal use of unlicensed software could earn payouts of up to $1 million.

Any major event that occurs will certainly draw people’s attention on the Internet. We had seen a huge chaos when the news of Osama Bin Laden’s death came in. When such events occur, scammers take advantage of users’ curiosity and create scam messages (including phishing attacks), and post them across social networking sites like Facebook, Twitter, or send phishing emails.

When the  Osama Bin Laden’s death news came in, people were curious to know if there were any leaked images or videos posted on the Internet. Scammers took advantage of this curiosity and created scam messages like – “Osama Bin Laden’s Leaked Death Video” and “Pics of Osama Bin Laden Are Finally Released“, and posted them on Facebook and Twitter. These scams spread through the Internet within minutes targeting user accounts by stealing their login credentials.

As the Hurricane Irene barrels up the East Coast, users on the Internet should lookout for scam messages and phishing attacks related to the storm news. It is likely that scammers will create phishing attacks and other malicious activity, and publish them across the Internet.

Facebook Scams

Newsworthy events, like in this case – Hurricane Irene, usually trigger malicious links and phishing attacks that spread across Facebook. Users on Facebook should stay observant of links promising them to show leakedvideos, pictures and other information related to Hurricane Irene.

Facebook users are tricked very easily. When users click on scam links, they will be taken to bogus websites where they will be asked to complete online surveys or download malicious programs, such as a codec to watch a video. These malware programs are designed to gather user information including email ids,  user names, passwords and credit card details. Sometimes these malicious programs are downloaded automatically where users are blindly infected.

I suggest all users on Facebook to be cautious, and do not blindly click on links that promise you to show videos or pictures, including those which are posted by your friends. This implies to users on Twitter as well. Watch out for re-tweets and DMs with links that lead to fake (clone) login pages where you will be asked to re-enter your username and password, causing a potential threat to your account.

Here’s an article that will help you Prevent Your Facebook Account from Getting Hacked.  We constantly report scams and hoax messages that are spreading on Facebook. You can always stay updated by bookmarking this link –  Techie-Buzz.com/scams

Charity Scams

Watch where you donate! There are thousands of fake charity websites that are created, which attempt to collect donations to help hurricane victims. Do a research before making any donations and make sure that you’re donating to the right charity.

If you’re making any donations, then make sure that you avoid third party sites and organizations, and head straight to the charity’s main website that you want to reach out to.

The FBI has issued warnings about Hurricane Irene charity scams, and has offered some excellent tips  to protect you against charity scammers:

• Do not respond to unsolicited (SPAM) e-mail.
• Be skeptical of individuals representing themselves as officials soliciting via e-mail for donations.
• Do not click on links contained within an unsolicited e-mail.
• Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
• To ensure contributions are received and used for intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.
• Validate the legitimacy of the organization by directly accessing the recognized charity or aid organization’s website rather than following an alleged link to the site.
• Attempt to verify the legitimacy of the non-profit status of the organization by using various Internet-based resources, which also may assist in confirming the actual existence of the organization.
• Do not provide personal or financial information to anyone who solicits contributions: providing such information may compromise your identity and make you vulnerable to identity theft.

If you believe you have been a victim of a charity related scheme, contact the National Center for Disaster Fraud by

• Telephone at (866) 720-5721,
• Fax at (225) 334-4707, or
• E-mail at  disaster@leo.gov

You can also report suspicious e-mail solicitations or fraudulent websites to the Internet Crime Complaint Center at  www.IC3.gov.

What is the appropriate age for using social networking sites? Are there practical ways of verifying the users age? These are the two questioned that pop into a concerned parents head with the rapidly growing trend of socializing on the internet.

The policies at social networking sites like Facebook and Myspace recommend that children that are 13 and older need to get parental permission, and younger than 13 are simply forbidden. How closely is that rule being followed? Surveys say that about 20,000 underage users are removed from Facebook daily. All these kids have to do is lie about their age and they can get an account. There are children under 13 who have accounts on Youtube, Facebook or Myspace. There isn’t much evidence that proves this to be harmful, and most underage kids seem to be using these sites in moderation and positively. As parents, only you can decide if you are willing to taking the risk of exposing your child to the vast world of internet socializing.

If we don’t allow kids on Facebook or MySpace, will family and relatives be attracted to use sites like Club Penguin or Togetherville which were designed for children up to the age of 10?

What do you do when you find out that your child has a user profile on a social networking site without your permission? Do you forbid them to use it again or is it wiser to let them use it on a condition that you will have their password so you can keep an eye on their online activity?

Some issues can not be taken lightly, and the protection of your child is one of those. Their safety is something we have to deal with everyday when they leave our homes. Child molesters are everywhere, so how can you be sure they are not sitting online and trying to be a part of your Childs social circle? Children can be manipulated and scammed easily. Their innocent curiosity can lead them into dangerous situations. Keeping track of their activities online is an added responsibility for the parents of these times. Parental involvement seems to be the best solution until these social networking sites develop more practical ways for verifying the identity and age of their users.

==== About the author ====

Nuur Hasan is professional website developer and a social networking enthusiast. When is not busy with work, he likes to browse Microsoft Office 365.