Look Out RIM, US Govt Testing iPad & iPhone For Security Standards

Given Apple’s recent Q2 numbers indicating 113% growth in iPhone sales, it’s no real surprise that people love their iOS devices. Many businesses and organizations have been slowly loosening their grip on forcing employees to use ‘sanctioned’ devices (read: BlackBerrys) in order to provision and support them on the corporate network. Employees are now being allowed to put their consumer devices to business use, provided they meet certain requirements. The US government is no different.

The US Department of Commerce recently signed off on a $44,000 purchase of ‘Apple Equipment’, consisting of 55 iPad 2 tablets and five 16GB iPhone 4s. The acquisition request was put through by the National Institute of Standards and Technology (NIST) and was approved just a few days ago. One of the most relevant things to keep in mind is that NIST provides the mandates and standard procedures for FISMA (the Federal Information Security Management Act of 2002). Among other things, FISMA governs the development, documentation and implementation of information security and information systems within government agencies. Federal Information Processing Standards (FIPS) are the standards developed by the US federal government for implementation in computer systems. This is where FIPS-140-1 and FIPS-140-2 come into play, which define a standard for cryptographic modules.

As seen above, NIST has recently updated its Cryptographic Module Validation Program Process List (PDF) to include FIPS cryptographic module tests for both the iPad and the iPhone. Both are in the IUT (Implementation Under Testing) phase as of August 1st, 2011. This comes just after RIM announced the PlayBook as the first FIPS-140-2 compliant tablet for deployment within federal agencies.

Could this be an indicator that the US government is aggressively looking to bring iOS devices to its federal workforce instead of simply renewing contracts with Research in Motion for legacy BlackBerry devices? RIM has had the government supply market locked up for decades; it’s a very strict niche, but if anybody can force their way through, it’s Apple.

Microsoft Announces a Contest for Security Researchers

Microsoft’s Trustworthy Computing Group has announced a new initiative to inspire computer security researchers to focus on security defense technologies. The announcement was made today at the Black Hat 2011 security conference in Las Vegas. The inaugural Microsoft BlueHat Prize intends to encourage the world’s most talented researchers and academics to tackle key security challenges and generate original ideas to protect customers and provide a more secure computing experience.

bluehat

The BlueHat Prize is the first and largest award offered by Microsoft for defensive computer security technology. With over a quarter million dollars in cash and prizes, the BlueHat Prize will motivate the community and foster greater collaboration with researchers across the industry. Researchers will own the intellectual property from their inventions and Microsoft will be able to use the technology under a royalty-free license.

Microsoft wants to encourage more security experts to think about ways to reduce threats to computing devices. We’re looking to collaborate with others to build solutions to tough industry problems. We believe the BlueHat Prize will encourage the world’s most talented researchers and academics to tackle key security challenges and offer them a chance to impact the world.

– Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center

The contest challenges security researchers to design innovative solutions to serious security threats, in the same spirit as Data Execution Prevention (DEP), which helps prevent attacks that attempt to exploit vulnerabilities in software. The solution judged most innovative by the Microsoft BlueHat Prize board will receive the grand prize of US $200,000. A second prize of US $50,000 and a third prize of an MSDN Universal subscription (valued at US $10,000) will also be awarded.

Contest entries should be emailed to [email protected] between August 3rd, 2011 and April 1st, 2012. Microsoft will judge entries on practicality and functionality, robustness, and impact. The winning entry will be announced at Black Hat USA 2012.

TimesofMoney/Remit2India Database Hacked Through SQL Injection – HDFC Bank Vulnerable Too

Update – August 4th 2011: TimesofMoney contacted us with an update saying that this breach does not exist and will be sending us a statement regarding the same shortly.

In this day and age of technology, it does not come as a surprise that websites are frequently hacked. Groups like Anonymous and LulzSec have been creating havoc on the internet; however, there are other cases too, where security teams hack websites to show their owners how insecure they are.

One of the most common ways of hacking websites is SQL injection. Ironically, MySQL.com itself was hacked using an SQL injection attack a few months back.

Today, the zSecure Team found a vulnerability in a very popular digital payments site called TimesofMoney, which provides online remittances, domestic e-payment mechanisms and remittance solutions for banks. The company is behind products like Remit2India, DirecPay and Times Card.

The zSecure Team claims that a critical SQL injection vulnerability exists in the TimesofMoney website, using which an attacker can gain access to the site’s entire database, which contains a huge amount of customers’ confidential information.

This vulnerability may prove to be very critical for the company because TimesofMoney is one of India’s leaders in e-payment systems. The existence of such a critical flaw in the company’s website may cause huge damage to its existing market reputation.

The group also claims that HDFC Bank’s Website is also vulnerable right now:

We discovered a similar vulnerability in HDFC Bank’s website as well and issued them a similar advisory. But even after a couple of weeks of sending our advisory to the bank, the said vulnerability is still open to outside attacks. If the said vulnerability doesn’t get fixed by the bank at the earliest, then our next post may disclose that concerned vulnerability publicly. We hope that both the companies (TimesofMoney and HDFC Bank) will take immediate action to fix the reported vulnerabilities.

TimesofMoney currently has an SQL injection vulnerability rated as very high severity. They are currently running Oracle Database 11g Enterprise Edition. The vulnerability allows hackers to access the database as well as to run a database dump. It may also allow a shell to be uploaded.
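To show the class of flaw the advisory describes, here is an added example of mine (not zSecure’s or TimesofMoney’s code): a customer lookup built by string concatenation next to the same lookup with a bound parameter, both run against a constructed SQLite table with invented rows. The same tautology input is fed to both so the difference is visible in the row counts each returns.

```python
import sqlite3

# Constructed stand-in for a customer table; not TimesofMoney's real schema.
SAMPLE_ROWS = [
    ("alice@example.com", "ACC-0001"),
    ("bob@example.com", "ACC-0002"),
    ("carol@example.com", "ACC-0003"),
]

# Classic tautology input: closes the quoted string, then appends an
# always-true condition. It is harmless against a parameterised query.
TAUTOLOGY = "x' OR '1'='1"


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO customers (email, account_no) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds SQL by string concatenation: the input becomes part of the query grammar."""
    sql = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Uses a bound parameter: the value is sent separately and can only ever be data."""
    sql = "SELECT email, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare():
    """Row counts returned by each variant for a normal input and for the tautology."""
    conn = make_db()
    try:
        return {
            "vulnerable_normal": len(lookup_vulnerable(conn, "alice@example.com")),
            "vulnerable_injected": len(lookup_vulnerable(conn, TAUTOLOGY)),
            "safe_normal": len(lookup_safe(conn, "alice@example.com")),
            "safe_injected": len(lookup_safe(conn, TAUTOLOGY)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:>20}: {count} row(s)")
```

The concatenated query returns every row for the tautology because the input rewrote the WHERE clause; the parameterised query returns none because the same text was compared as a literal email address. Hand-escaping quotes is not an equivalent fix, since each database dialect has its own escaping rules; binding parameters removes the problem at the grammar level. Separately, the dump and shell-upload consequences the advisory mentions are bounded by the privileges of the database account the web application connects with, so running it with the least privilege it needs limits what any injection can reach.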

The security team has also posted images about the hack, which can be viewed below.

TimesofMoney Hacked Database 1

TimesofMoney Hacked Database 2

TimesofMoney Hacked Database 3

TimesofMoney Hacked Database 4

The security team has said that no data has been dumped, but the fact that attackers can access your financial information so easily is enough to make me cringe. I would suggest that you purge your information from the relevant sites until it is fixed. More information on the vulnerability can be found on the zSecure website.

Thanks for the tip, Christopher.

Facebook Rewards $500 for Every Bug Reported

Remember Google’s Chrome Bug Bounty program? Well, when Google released Google Chrome 12, it announced on its blog that it rewarded developers/researchers who found vulnerabilities (bugs) in its code. Earlier, in August 2010, it was reported that Google had given away an estimated total of $10k in rewards. Mozilla too has a bug bounty program, which pays $3,000 in hard cash plus a free Mozilla T-shirt for finding bugs!

Facebook has joined Google and Mozilla in running a “Bug Bounty” program that rewards security researchers. However, the reward offered is rather low. For security-related bugs – cross-site scripting flaws, for example – the company will pay a base rate of $500, but for highly significant flaws, Facebook has promised to pay more. However, the company’s executives haven’t revealed the bonus reward.

“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs,” Facebook stated on its portal.

Facebook has launched a new Whitehat hacking portal where researchers can sign up for the program and report bugs. It has also published a list of about 42 researchers who have made responsible disclosures in the past.

Facebook Bug Bounty Program

With over 750 million active users, it looks like Facebook is highly concerned about its security issues. Last month, Facebook hired a computer hacker who had recently been sued by Sony for hacking the PlayStation 3 online gaming system.

If a bug has been discovered, researchers are asked to provide as much information as possible. In order to receive the award, a detailed explanation of the steps is required, and all legitimate reports will be investigated.

Here’s the company’s policy –

“If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”

In addition to that, only the researcher who reports a bug first is rewarded. For instance, if two researchers find the same bug independently, the first one who reports it will be eligible to claim the reward.

Facebook’s Bug Bounty Eligibility Rules

In order to be eligible for the reward, researchers must follow Facebook’s Responsible Disclosure Policy.

  • You must be the first person to responsibly disclose the bug.
  • Give Facebook a reasonable time to respond to your report before making any information public.
  • You must live in a country not under any current U.S. Sanctions.
  • You agree to report issues that may compromise a user’s information including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code injection.
  • Only one payment per bug will be awarded.
  • Bugs in third-party applications, third-party websites that integrate with Facebook, Denial of Service Vulnerabilities or Spam or Social Engineering techniques will not be eligible.

Google, Mozilla and Facebook are not the only ones who reward security researchers. Microsoft does it too. Microsoft, on the other hand, offers a big reward of US$250,000 to anyone who provides information on the culprit behind a virus that targets Windows.

Android Security Apps Benchmarked: Bit Defender Has the Highest Detection Rate, Symantec the Lowest

The growing sophistication and popularity of smartphone operating systems has handed malware developers new platforms for wreaking havoc. Apple by and large avoids malware scares by maintaining a tight grip over the iOS App Store. Android’s open nature, however, makes it a much easier target. Although malware outbreaks on Android aren’t nearly as big a problem as they are on Windows, over the past year a few of them have succeeded in creating trouble. PCSL (PC Security Labs) from China has published a comparative study of some of the security solutions for Android currently available in the market.

PCSL used a sample database of 90 malware samples to test the detection capabilities of Android antimalware/antivirus applications. The detailed report is yet to be published, but the chart below illustrates the overall results.

Android-Antivirus-Shootout

Bit Defender was the top performer followed by a Chinese solution called Qihoo 360. Somewhat surprisingly, reputed vendors such as Trend Micro, AVG, and Symantec performed miserably. One possible explanation might be that PCSL, which itself is based in China, used a sample set that contained a sizable proportion of malware of Chinese origin. I guess we will have to wait for the release of the full report to know more. Many familiar names including Lookout and ESET were also excluded from this shootout; however, PCSL has promised to include them in the next edition.

Gmail Now Warns About Filters That Forward Email to Another Address

Gmail is definitely one of the best email providers out there, and Google has always been innovating and adding new features. We have written about several Gmail tips and features in the past; now a new feature is being rolled out to users that warns them about filters that forward emails to other email addresses.

Gmail has always been keen on increasing the security of its service after what happened in China. It has been adding features which display the locations you logged into Gmail from and alert you about suspicious logins. Additionally, Google has also added features like forced SSL and a two-step verification process.

The new alerts about forwarding filters are really useful and will allow users to see if anyone is forwarding their emails to other accounts. In fact, I was very keen on having this feature for Gmail and had even spoken to a few developers about creating an extension for Gmail; however, Google beat me to it.

Gmail Forwarding Filters Alert

The new message will be displayed on the top of the page as seen in the screenshot above and will allow users to review settings and change them if required. Currently, the "Review Settings" link takes you to the Filters page, however, I would have loved to have Gmail only display those filters which are forwarding emails to other accounts when I click on it.

A Google help page has also been set up to tell users about this new feature. It states:

Why do I have a forwarding filter notice?

You’re seeing a notice to help you confirm that the forwarding filter setting that’s active on your account is accurate. If your account has this feature enabled, you should see this notice.

Forwarding filters are a pretty powerful feature that enables you to send a specific portion of your incoming email to another email account. This mechanism is helpful especially when you have more than one email account. Even so, it’s a good idea to make sure all the details are consistent with what you intend and expect. We encourage you to review your settings and verify that they are accurate.

How long will I see this notice?

For about a week, this notice will appear for a few minutes each time you sign in to your account. Displaying the notification in this way helps ensure that you have a chance to see the notice, rather than someone who might try to gain unauthorized access to your account and use this setting improperly. The notice will disappear immediately if you choose to disable the forwarding filter setting, but that decision is up to you.

How do I remove unwanted forwarding filters?

If the content of the notice looks unneeded or unfamiliar, please do the following:

  1. If you see unfamiliar account access, please change your password immediately. This may indicate that someone has unauthorized access to your account. It’s a good idea to pick a strong password for your Gmail account and never use it again on other websites.
  2. Sign back in to your Gmail account and click the gear icon in the top right corner of Gmail and choose Mail settings.
  3. Click the Filters tab.
  4. Search for the terms "Forward to" and delete any filters with unfamiliar email addresses. Note, there may be more than one filter.
  5. Click the Forwarding and POP/IMAP tab.
  6. In the "Forwarding" section, click the first drop-down menu and remove any unfamiliar email addresses.
  7. Select the Disable forwarding radio button if you want to disable non-filter based forwarding.
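Step 4 above is a manual search of the Filters list for "Forward to". As an added example (my code, not Google’s and not part of the help page), here is a Python script that performs the same review over an exported filter list. It assumes the Atom XML format that Gmail’s filter Export produces, where an apps:property named forwardTo marks a forwarding action and shouldArchive, shouldMarkAsRead and shouldTrash mark actions that keep the forwarded copy out of sight; the sample export and every address in it are constructed for this example.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail filter export (an assumption about
# the export format); every address below is invented for this example.
SAMPLE_FILTERS_XML = """\
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR invoice OR statement'/>
    <apps:property name='forwardTo' value='collector@attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='alerts@bank.example'/>
    <apps:property name='forwardTo' value='me@personal.example'/>
  </entry>
</feed>
"""

# Properties that describe what a filter matches (as opposed to what it does).
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Actions that keep the forwarded copy out of sight in the owner's own inbox.
HIDING_ACTIONS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def audit_forwarding(filters, known_addresses):
    """Flag forwarding filters whose target is not allowlisted or that hide the mail."""
    known = {a.lower() for a in known_addresses}
    findings = []
    for index, props in enumerate(filters, start=1):
        target = props.get("forwardTo")
        if not target:
            continue  # not a forwarding filter; nothing to review here
        reasons = []
        if target.lower() not in known:
            reasons.append("forwards to an address that is not on your allowlist")
        if any(props.get(action) == "true" for action in HIDING_ACTIONS):
            reasons.append("also archives, marks as read or trashes the message, so you would not notice it")
        if reasons:
            findings.append({
                "filter": index,
                "forwardTo": target,
                "criteria": {k: v for k, v in props.items() if k in CRITERIA},
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    report = audit_forwarding(parse_filters(SAMPLE_FILTERS_XML), {"me@personal.example"})
    for finding in report:
        print(f"filter #{finding['filter']} -> {finding['forwardTo']} matching {finding['criteria']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, only the second filter is reported: it forwards to an address outside the allowlist and archives and marks the message read, which is the combination that lets a forwarding filter go unnoticed. The third filter forwards to an address the owner listed as their own and does not hide anything, so it passes; the allowlist is the part you fill in for your own account.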

Kudos to Gmail for adding this feature; I have always wanted it and would have created it myself. It will definitely help people keep a quick eye on forwarding filters and remove them if necessary.

WARNING: Amy Winehouse Death Video Scam Spreading on Facebook

As with past Facebook scams, the scammers on Facebook are all out to exploit situations to make money and scam people. Quite recently, they took advantage of the Oslo bombings and spread a fake Oslo Bombing Video scam. Earlier, they had exploited Ryan Dunn’s death and spread a scam about Ryan Dunn’s LAST WORDS EXCLUSIVE Video.

RIP Amy Winehouse

Today, another tragic incident happened, with singer Amy Winehouse dying under unknown circumstances. However, death or bombings do not deter these scammers from exploiting people, and they have started to spread a new scam on Facebook related to Amy Winehouse’s death.

amy_winehouse_facebook_scam

The scam is spreading under multiple guises, including:

  • Leaked Video!! Amy Winehouse on Crack hours before death. Amy Winehouse getting high on crack just hours before she died
  • Amy Winehouse Death film Leaked Attention: Real Video. Leaked Video of Miss Amy Winehouse Death – Watch Now!

This is definitely pathetic; however, with over 750 million Facebook users it is a very good opportunity for these scammers to exploit users and make money. I am really fed up with the lack of action by Facebook, because they could easily put in solutions which can stop such things. Earlier last year, Twitter managed to put in place a perfect solution for tackling and stopping scams and spam from spreading by introducing its own short URLs, t.co.

Using that facility, they could easily block and control spam URLs and stop users from visiting affected sites. Sadly, the amount of scams spreading on Facebook suggests that Facebook is not doing anything about it.

It is recommended that you DO NOT click on such links or scam messages on Facebook. If you come across this scam message, please delete/remove the scam from your Facebook news feed immediately. Alternately, you can report the scam to Facebook Security.

Here is an article about Avoiding Facebook Likejacking and Clickjacking scams. We have also compiled a list of the Most Actively Spreading Scams on Facebook for you to look through and avoid. You might also want to use a security application to protect you from Facebook scams. As a precautionary measure, always check which applications you use and remove unwanted or suspicious ones. If you aren’t sure how to do it, you can always check our guide on removing apps from Facebook.

OMG This Sexy Mom Making Thousands of Dollar Working From Home – Facebook Scam

Looks like I am working overnight today with Facebook Scams. I recently posted about three scams today. The first was a girl having a spider living under her skin video followed by the Oslo bombings video scam and the Ex Girlfriend being violated Facebook Scam. Now I have come across a new scam where a sexy mom is making thousands of dollars working from home.

Sexy Mom Thousand Dollars Facebook Scam

The new scam is going with the text saying "This is so real.. OMG This Sexy Mom Making Thousands of dollar only working from home. Now you can also make lot of money like her".

However, this mom is neither sexy, nor does she make thousands of dollars. The people who make the thousands of dollars are the scammers who basically entice you to click on these links and spread them across to your unsuspecting friends.

Seriously, if it was so easy to make money, why would someone share it with you? Also why would a lingerie clad mom show her assets to you when she was making thousands of dollars anyway?

I am really fed up with these scams on Facebook, but there is no stopping them. They will continue to happen and spread throughout the system. After all, not all of the 750 million users on Facebook are good at spotting them, or are they?

OMG Ex-Girlfriend Revenge Video Scam Spreading on Facebook

In a new trend, a new scam is spreading on Facebook in multiple ways. There are different updates related to the same thing, and they are similar in nature. I have been writing about Facebook scams for a while today. Previously, I wrote about the Oslo Blasts Security Camera Blast and the Girl Has a Spider Living Inside her Skin scams.

Ex Girlfriend Revenge Facebook Scam

Now a new scam is spreading very rapidly on Facebook, and it is going around in various flavors as given below:

  • [Video] OMG! Watch as he gets REVENGE on his Ex Girlfriend. LOL. She could not walk properly for days!
  • OMGF! See what she done after his Ex girlfriend posted This on here wall. I dare you to watch more than 44 second of this video!
  • [Video] OMGG! This is what Happened to his Ex Girlfriend. LOL. She could not walk properly for days!

There are many more variants of the same scam, and it is definitely not looking good because the rate at which it is spreading is alarming. We urge you not to click on these Facebook spam links and to avoid clickjacking scams so that others are not affected.

The scam uses the same methods as earlier Facebook video scams: it entices a user to click on the link and then directs them to a site where they are asked to fill out surveys before they can view a video. In the end, the user fills out the survey, which makes money for the scammers, and is then duped, as no video is shown at all.

With more than 750 million users, Facebook is ripe for the picking, and the scammers stand to make a decent amount of money even if they fool just 1% of Facebook users.

[Video] OSLO Security Camera Captures Blast! Facebook Scam

Earlier today, a bomb went off in OSLO killing several innocent people and injuring many. The blasts were carried out by terrorists, but it looks like scammers are out to fool people and make use of the tragic incident as a background.

OSLO Security Camera Blast Facebook Scam

A new Facebook scam is doing the rounds where people are sharing updates saying “[Video] OSLO Security Camera Captures Blast!”. There is no such video available on the internet; the posters are just scamming people, getting them to click on the links and making money for themselves.

Earlier this month, scammers used the Casey Anthony case and spread a scam saying “Leaked Video of Casey Anthony Confessing to Lawyer!”. They also took advantage of Ryan Dunn’s death and spread the Ryan Dunn’s LAST WORDS EXCLUSIVE Video scam.

Additionally, earlier this year, scammers also took advantage of the Osama Bin Laden killing and spread scams like Osama Dead Censored Video Leaked Wikileaks Video, Osama Bin Death Video among other things. The scammers have also not left celebrities like Justin Bieber and Miley Cyrus by spreading scams like OMG Can’t Believe Justin Beiber Did This To A Girl and Warning: Miley Cyrus Sick Video.

Overall, the scammers take advantage of people and their curiosity and spread their scams during a big event or disaster. They don’t care about the suffering; all they care about is fooling you and making money.
