Does AVG Respect Your Privacy?
AVG has been answering questions about its new privacy policy after accusations that the firm is about to sell its users down the river.
A Reddit discussion has heard from furious users who spotted that the simplified policy effectively gives the company permission to sell its mailing lists to third parties for fun and profit.
AVG stated under ‘Do You Share My Data?’ in the Q&A about the new policy, which is automatically enforced on 15 October: “Yes, though when and how we share it depends on whether it is personal data or non-personal data. AVG may share non-personal data with third parties and may publicly display aggregate or anonymous information.”
AVG has hit back at the criticism in a blog post today, by which we mean confirmed that its stance is correct, explaining: “Usage data allows [AVG] to customize the experience for customers and share data with third parties that allow them to improve or develop new products.
“Knowing that 10 million users like a certain TV program gives broadcasters the data to get producers to make more of that type of program.
“This is also how taxi firms know how to distribute their fleets, and how advertisers know where to place banners and billboards, for example. Even at AVG, we have published non-personal information that we have collected regarding app performance.”
But AVG added in big, bold type: “We do not, and will not, sell personally identifiable data to anyone, including advertisers.”
This will placate some, but others fear that the lack of choice over this matter, which requires an active decision to opt out, is too clandestine. As ever, there are threats to move to everything from Linux Mint to the Commodore 64, some more serious than others.
Several Redditors have likened it to similar warnings in Windows 10′s Insider Programme which essentially say: ‘we can track you … but we won’t, unless we do.’
Courtesy-TheInq
Malware Targets Job-seekers
April 10, 2014 by admin
Filed under Around The Net
Comments Off on Malware Targets Job-seekers
A new version of the Gameover computer Trojan is targeting job hunters and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts.
Gameover is one of several Trojan programs that are based on the infamous Zeus banking malware, whose source code was leaked on the Internet in 2011. Like Zeus, Gameover can steal log-in credentials and other sensitive information by injecting rogue Web forms into legitimate websites when accessed from infected computers.
The ability to inject content into browsing sessions in real time has traditionally been used by computer Trojans to steal online banking credentials and financial information. However, cybercriminals are increasingly using this technique to compromise other types of accounts as well.
For example, in February, researchers from security firm Adallom found a Zeus variant that stole Salesforce.com log-in credentials and scraped business data from the compromised accounts.
The latest development involves a new Gameover variant that contains a configuration file to target Monster.com accounts, one of the largest employment websites in the world, security researchers from antivirus firm F-Secure said.
“A computer infected with Gameover ZeuS will inject a new ‘Sign In’ button [into the Monster.com sign-in page], but the page looks otherwise identical,” they said.
After the victims authenticate through the rogue Web form the malware injects a second page that asks them to select and answer three security questions out of 18. The answers to these questions expose additional personal information and potentially enable attackers to bypass the identity verification process.
Targeting Monster.com is a new development, but the Gameover malware had already been targeting CareerBuilder.com, another large employment website, for some time.
Recruiters with accounts on employment websites should be wary of irregularities on log-in pages, especially if those accounts are tied to bank accounts and spending budgets, the F-Secure researchers said. “It wouldn’t be a bad idea for sites such as Monster to introduce two factor authentication beyond mere security questions.”
The authors of the Gameover Trojan program have been particularly active recently. In early February researchers from security firm Malcovery Security reported that a new variant of Gameover was being distributed as an encrypted .enc file in order to bypass network-level defenses. Later that month researchers from Sophos detected a Gameover variant with a kernel-level rootkit component that protected its files and processes, making it harder to remove.
Unlike most other Zeus spinoffs, Gameover is also using peer-to-peer technology for command-and-control instead of traditional hosted servers, which improves its resilience to takedown efforts by security researchers.
Twitter’s Authentication Has Vulnerabilities
June 6, 2013 by admin
Filed under Around The Net
Comments Off on Twitter’s Authentication Has Vulnerabilities
Twitter’s SMS-based, two-factor authentication feature could be abused to lock users who have not enabled it for their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.
Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users’ accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.
According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to those accounts that don’t have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.
An attacker who steals someone’s log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person’s account and then turn on two-factor authentication, Sullivan said Monday. If that happens, the real owner won’t be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.
This is possible because Twitter doesn’t use any additional method to verify that whoever has access to an account via Twitter’s website is also authorized to enable two-factor authentication.
When the two-factor authentication option called “Account Security” is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can simply click “yes,” even if they didn’t receive the message, Sullivan said.
Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.
As it is, the researcher is concerned that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.
Some security researchers already expressed their belief that Twitter’s two-factor authentication feature in its current implementation is impractical for news organizations and companies with geographically dispersed social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.
Twitter did not immediately respond to a request for comment regarding the issue described by Sullivan.
Is A Cyber Warfare On The Horizon?
F-secure’s chief security researcher, Mikko Hypponen, has warned that we are entering into a cyber warfare revolution, and that governments will soon attempt to outdo each other based on their computer weapons’ prowess.
The internet security expert said-any future crisis between technically advanced nations will involve cyber elements.
His comments came after hearing last week that China and the US have been engaging in “war games” simulations.
“I wasn’t expecting [war games] so soon,” Hypponen said.
“I’m surprised and I think it is a good move because everybody is worried about escalation. The way to fight unnecessary escalations is that you know more about how the perceived enemy would act if there would be an escalation. War games are exactly that.”
It was Hypponen’s observations on the war games which led him to remark that we must look at “the bigger picture”.
“We’ve seen a revolution in defence technology and in technology generally over the past 60 to 70 years and I believe we are right now seeing the beginning of the next revolution: a cyber warfare revolution, which is going to as big as the revolutions we’ve seen so far in technology becoming part of defence, and part of wars,” he added.
Hypponen also predicted that it won’t be long before the world sees its first cyber arms race, including cyber war rehearsals to prove how strong countries are and boasting about their cyber skills to make other countries pay attention.
“Like nuclear in the sixties, cyber attacks are a deterrent and deterrents only work if your perceived enemies know that you have it,” he said.