The experiment, which was aimed at measuring the effectiveness of email security controls in several major products and services, demonstrated just how powerful social engineering can be and how little technology can do about it. Joshua Perrymon, CEO of PacketFocus, sent a spoofed LinkedIn email to users in different organizations who had agreed to participate in the test; he was able to get his spoofed message through 100 percent of the time. He tested 10 different combinations of email security appliances, services, and open-source and commercial products; four major client email products; and the three major smartphone brands. (Full article)

“… It’s not hard to understand why there is a fair bit of confusion. Cloud computing has become a sort of blanket term for where computing is going. Think of it as a synonym for “computing.next.” It represents a shift to an operational model in which applications don’t live out their lives on a specific piece of hardware and in which resources are more flexibly deployed than was the historical norm.

Cloud computing is therefore not a single technology or even a single approach but rather a collection of technologies and approaches that collectively represent the direction that computing is headed. I see nothing wrong with this. Many of the benefits espoused for these new approaches to computing are genuine. To the degree that “cloud computing” offers a convenient rallying point to get users headed there, that seems for the good. …”

The trojan received specific instructions about how much money to steal from each account as well as the details of the money mule’s account into which the money was transferred.

The code included very specific criteria to make sure the bank accounts of victims were not completely emptied and to ensure the amount being stolen was not so high that it would be detected by banks’ anti-fraud systems.

In 22 days they managed to get €300,000 ($440,000) in 22 days.
What’s really impressive is that the Trojan also modified the bank statement so that the user would not notice the unauthorized withdrawal. In once instance the statement was showing €53.94 was transferred. In fact €8,576 was stolen.

It happened just days ago, for instance, to the Web site of The New York Times. The newspaper company informed readers on Sunday about a rogue ad that was popping up on its site. The ad warned visitors to NYTimes.com that their computer may be infected with a virus and redirected them to a site that purports to scan the computer and offers to sell antivirus software.

This is common behavior for what is known as fake security alerts, or “scareware,” designed to trick people into paying for something they don’t need. Use of this type of scam is on the rise.

Typically, the site hosting the rogue alerts has been compromised, or a worm, like Conficker, distributes the alerts directly to computers.

Read the rest of the article here…

Shared via AddThis

Inconsistent protection is in many ways worse than no protection at all, as it lulls users into thinking that they’re perfectly safe behind a brick wall. Unfortunately, that wall may be a lot more like a bead curtain

FULL ARTICLE

Draft NIST Working Definition of Cloud Computing v15

Presentation on Effectively and Securely Using the Cloud Computing Paradigm v25