Hackers stole classified information from two Canadian ministries

The hackers sent e-mails to staff that seemed to come from senior managers, the Canadian Broadcasting Corp. reported. When recipients opened the attachments, the hackers got a path into the federal network.

Stockwell Day, then the Treasury Board president, told the CBC Thursday he was not told of the breach.

“Certainly, on the information that I got, I had full confidence that the systems had moved quickly to shut down, that significant information had not in fact been carried away, and that the ongoing assessment of that by the technicians continues,” he said.

The Department of Finance and the Treasury Board were still restricting Internet access for their workers Thursday. The agencies now have separate computer stations disconnected from the main government network.

A secret May 2010 memo from Canada’s spy agency warned that cyberattacks on government, university and industry computers were growing “substantially.”

SRC : http://www.upi.com/Top_News/World-News/2011/06/03/Secret-Canadian-government-data-hacked/UPI-21181307109472/#ixzz1OE7G6Psd

Contact me at : contactme.bijay@gmail.com




Facebook phishing: Can you spot the difference?

by Graham Cluley on June 3, 2011

We’ve seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.

Here’s a typical message:

Facebook phishing message

hello have you seen this recent video on the president? What is he doing in it?! LOL


What's the president doing in this video. OMG LOL!

Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with “.co.cc” contain “bad stuff”. Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.

And what sort of name is hzjqorbbmdnf anyway?

Regardless of the dodgy-looking nature of the link – what happens if you click on it?

Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it’s a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they’ll type in their credentials without thinking.

Here’s the fake login page:

The fake Facebook login page

And here’s Facebook’s genuine login page:

The real Facebook login page

Did you spot all the differences?

Here’s the ones I found – well done if you spotted even more!


Starting at the very top –

1. The genuine login page calls itself “Log in” in its title bar. Amusingly, the real Facebook is inconsistent as to whether you “Log in” or “Login” to Facebook as later in the page it refers to “Facebook Login”. It’s odd to see a phishing page be more professional than the real thing.

2. That’s clearly not Facebook’s genuine URL. Interestingly, other pages on the domain contain clickjacking scams.

3. The real page gives me more language options – including UK English and Welsh which aren’t available on the phishing page. It’s possible that the real Facebook is doing some GEO-IP lookups and determined that I’m visiting from the UK – maybe users in other countries don’t see those options.

4. The phishers have the copyright date incorrect, believing it to be 2010 rather than 2011.

5. There are many more link options made available to me in the footer of the real login page, including “Badges”, “Mobile”, “People”, etc.

There’s bound to be more differences than the ones I spotted though. So, leave a comment below if you find any more.

If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Update: Wow! I can always rely on the eagle-eyed Naked Security readers who spotted some other differences.

More differences

Contact me at : contactme.bijay@gmail.com




Here’s The Fake Gmail Site Chinese Hackers Used To Steal U.S., Activist Data

Look at the two Gmail login pages in the image below, (click to enlarge them) and ask yourself: Would you have spotted the difference?

On Tuesday, Google revealed on its official blog that it had been the target of a phishing campaign seemingly originating in Jinan, China, and aimed at gaining access to the accounts of senior officials in the U.S., Korea and other governments, as well as those of Chinese activists.

The attack worked–at least in part–by sending the victims spoofed emails, often from accounts that appeared to belong to coworkers, family or friends. Those emails contained links to the spoofed Gmail sites, which harvested the usernames and passwords of anyone fooled by their realistic appearance.

The hackers then used those login details to forward all mail coming into the account to a third party, or in some cases gathered information about contacts to use in other phishing scams.

Google credits the discovery of the scheme in part to the blog Contagio, where a detailed analysis of the scam including images of the spoofed emails and the fake login page above were posted in February.

This kind of phishing scheme isn’t new, and Google warned in its high-profile revelation of Chinese hacking in January of last year that it–like all webmail services–was vulnerable to this sort of spoof attack. But the company has never before revealed so much about its phishing attackers, nor has it shared images of the fake login pages those phishers use.

Contagio points to subtle differences in the two login pages, including the destination of links and small design contrasts. But given the spot-on accuracy of the fake Gmail gateways above, Google isn’t depending on users to tell the difference. Instead, it suggests using its two-factor authentication system, which sends a code to a user’s phone that he or she needs to use to log in. If a user has set up that safeguard and no code appears when he or she is prompted to log in, then the login page might be fake.

Google is also suggesting that users watch for suspicious forwarding settings that might indicate an intruder is copying their mail, as well as a red warning at the top of the page that indicates Google has detected “suspicious activity” that might signal a hacker has gained access to the account.

Contact me at : contactme.bijay@gmail.com




Facebook Privacy: 10 Settings Every User Needs to Know

Facebook Privacy Image

Facebook’s privacy settings are extremely detailed, giving you the ability to fine-tune the privacy aspects of almost every little part of your Facebook account. Unfortunately, for most users, this level of micromanagement makes Facebook’s privacy settings a convoluted mess.

Even worse, these settings change often; you may think you know everything there is about them, only to be greeted with a completely different layout and a bunch of new options the next time you visit the dreaded Facebook Privacy Settings page.

So, what do you do when you’ve got over 170 options to choose from? You focus on the most important ones. We’ve entered Facebook’s maze of privacy options and came out on the other side bruised, battered, but with 10 essential settings in our hands. Disregard them at your own peril!

1. Sharing on Facebook





Account > Privacy Settings > Sharing on Facebook

Controlling how you share content is quite complex and will probably make your head hurt, but it’s essential that you take a good look at the settings and decide for yourself what you want to share and with whom.

Facebook gives you the easy way out: You can share content with Everyone, Friends of Friends, or Friends only. However, if you’re using lists (see item number eight on this list), you might want to customize the settings and set a certain type of content to be visible to the people on some of your lists, and invisible to others. For example, only my close friends can see all my photos, while business associates can see just a few.

It’s important to note the “Preview my Profile” option which lets you see your profile as someone else would. Setting all the options just right can sometimes be tricky. When in doubt, defer to this option.

2. Existing Photos





Account > Privacy Settings > Sharing on Facebook > Customize Settings > Edit album privacy for existing photos

Settings for sharing content on Facebook can be treacherous as they don’t always apply to all your existing photos. With this setting, you can go through your old albums and change the privacy setting for each one, including your Wall Photos.

3. Checking In to Places

Account > Privacy Settings > Sharing on Facebook > Customize Settings > Friends can check me in to Places

Another setting under Sharing on Facebook often goes unnoticed, and it can be very important, as it lets your friends check you in to Places. Having someone else telling the world where you are can be unpleasant and even dangerous in some cases. If you want to avoid it, disable this feature.

4. Connecting on Facebook





Account > Privacy Settings > Connecting on Facebook

Privacy settings for sharing content on Facebook are separated from the settings for connecting, which basically means sharing information about you: Your photo, gender, age, education, hometown etc.

Furthermore, these settings determine how people can find you on Facebook. Can they do it simply by searching for your name? Can anyone add you as a friend, and send you a message?

Here, you can change those settings to Friends Only, Friends of Friends, Everyone or — in some cases — customize them. For example, if you get pestered by too many anonymous messages, you might consider letting only your friends send them. Be careful: If you set everything to the strictest available privacy setting, people may have a harder time finding you on Facebook.

5. Apps You Use





Account > Privacy Settings > Apps and Websites > Apps You Use

This is another painful setting as it usually means wading through dozens of apps and either removing them or editing the privacy settings for each of them individually.

We suggest removing all of the apps you’re not using (hint: If you can’t remember what it is, you probably don’t need it), and carefully reviewing the permissions you’ve given each individual app. For example, some apps like to post on your Wall even though they don’t require the option to function.

6. Instant Personalization





Account > Privacy Settings > Apps and Websites > Instant Personalization

We’ve covered this setting in-depth before. For detailed info on what it does, check out this article. Essentially, it lets third-party websites personalize your experience, which can be nice, but it also allows access to your personal data.

You can opt-out of Instant Personalization on individual third-party websites, such as Pandora, simply by clicking on “No Thanks” when asked about it. However, on Facebook you can completely disable it by leaving the checkbox before “Enable instant personalization on partner websites” unchecked.

7. Info Accessible to Your Friends





Account > Privacy Settings > Apps and Websites > Info accessible through your friends

This is where Facebook’s privacy settings get really tricky, and most users don’t realize it. No matter how tight your privacy settings are, you’re still sharing some of your content and info with a group of people, even if it’s only your closest friends. However, what you share with them doesn’t necessarily end with them, especially iftheir privacy settings are lax. In the end, your friends might be sharing your info with third-party services, which is precisely what you want to avoid.

With this setting, you can set exactly what information is available to apps and websites if your friends use them.

8. Public Search





Account > Privacy Settings > Apps and Websites > Public Search

When someone searches for you on a search engine, they might get a preview of your public profile which, in some cases, can be very revealing. If you don’t want that to happen, you should turn this option off.

9. Friend Lists

Friends > Edit Friends > Create a List

If you’re a typical Facebook user, you have 130 friends, and it’s very likely that you don’t want to share every detail of your life with all of these people.

This is where Friend Lists come into play. By creating lists of — for example — your family members, close friends and business acquaintances, you can finely tune the details you want to share with each list (as explained above).

Creating lists can be a bit dull at first, especially if you start doing it when you already have hundreds of friends, but once you set them up, it’s easy to add each new friend to a particular list.

10. Enabling HTTPS





Account > Account Settings > Account Security > Secure Browsing (HTTPS)

The last setting we’d like to highlight has more to do with security than privacy. However, if someone hacks into your account or sniffs your data (which can be easily done with an app like Firesheep), all the privacy settings in the world won’t help you protect it.

Recently, Facebook started introducing HTTPS support, which makes it a lot harder for someone connected to the same network to sniff your password and other data. It makes Facebook a bit slower, and certain features don’t work yet, but we highly recommend it as HTTPS is essential to online security on all web services, not just Facebook.

If the option isn’t available to you just yet, don’t worry. Facebook promised it will gradually roll out the feature in the following weeks.

Contact me at : contactme.bijay@gmail.com




Apple security update bypassed after 8 hours

It took only eight hours for the malware developers behind the MacDefender and its variants to come up with a way to bypass thesecurity update pushed out by Apple.

According to Chester Wisniewski, a new variant of the malware has sprung up and it manages to infect the updated systems without asking for the administrative password.

How does it manage to bypass the protection Apple put in place? The malware developers have changed tack: a downloader program is installed first, and it then retrieves the actual malicious payload.

This way, they can make endless small changes to the downloader program and few to the actual malware – and still be successful. “If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program,” he explains. “Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions.”

Apple has also reacted quickly and has updated XProtect to detect the current downloader:

The 2011-003 update also makes systems check for new updates to the File Quarantine malware definitions every 24 hours. Let the cat-and-mouse games begin.


Contact me at : contactme.bijay@gmail.com




“World’s hottest female hacker” to face NYC court

Kristina Svechinskaya – who has been dubbed the “world’s hottest female hacker” – recently appeared in a NYC courtroom to face charges of stealing $35,000 for the notorious Eastern European ZBot cyber-criminal gang.

According to the NY Observer, the crying Svechinskaya approached the bench wearing skin-tight jeans and slinky, calf-high boots.

Sexy, eh? Definitely!

World's hottest female hacker appears in NYC courtStill, as Sophos senior security researcher Graham Cluley notes, the jury is still out on whether or not the fetching Svechinskaya is actually a bona fide hacker.

“Kristina has been charged with one count of conspiracy to commit bank fraud and one count of false use of passports. [Yet], that’s not how I would define hacking,” opined Cluley.

“[Yes], prosecutors claims that Svechinskaya was recruited to join a ‘mule’ organzation that had numbered over two dozen participants and had contact with computer hackers and individuals who could provide fake passports.

“[Nevertheless], there’s nothing really there to suggest, even if she was proven guilty, that she’s a hacker.”

Fair enough.

But that isn’t really the point of Kristina Svechinskaya or her photos, is it?





Contact me at : contactme.bijay@gmail.com




China accuses US of starting ‘internet war’

A group of Chinese academics from a military academy has accused the US government of creating a global internet war.

The group doesn’t refer directly to Google’s claims thatthis week’s attackon the Gmail accounts of US government officials originated in China – but was struck, perhaps, by the coincidence of the episode coming so soon after US calls for such attacks to be treated as acts of war.

The group, writing in the government-controlled China Youth Daily newspaper, accuses the US of launching an ‘internet war’ against Arab nations, Reuter reports.

“Of late, an internet tornado has swept across the world … massively impacting and shocking the globe. Behind all this lies the shadow of America,” it reads.

The article calls on the Chinese government to maintain an ‘internet border’ – the filtering system known as the Great Firewall of China’.

Google says it’s traced the government attacks to China’s Shangdong province, where, it says, a national-security arm of the People’s Liberation Armyis based – a claim which the Chinese government strongly denies. Chinese Foreign Ministry spokesman Hong Lei says the allegation is ‘unacceptable’ and ‘a fabrication’.

The state-run Xinhua news agency has criticized the US government for suggesting that a cyberattack could be legitimate grounds for military action.

Contact me at : contactme.bijay@gmail.com




Study links playing violent video games and aggressive behavior






COLUMBIA — In the last 20 years, technology has evolved to make violent video games more graphic and realistic.

In Grand Theft Auto players get points for killing people, robbing banks, selling drugs and terrorizing prostitutes.


A Call of Duty player has the option to slit an opponent’s throat as he is sleeping or stuff a victim’s mouth with glass and punch him in the face.


Mortal Kombat features a fight to the death between characters where the winner can demolish an opponent execution-style.


Now, an MU study has established a link between playing violent video games and aggressive behavior, although the researchers say it doesn’t mean the players are dangerous.

Bruce Bartholow, associate professor of psychology at MU, conducted the study that demonstrates how a reduced brain response to violence, or desensitization, can forecast an increase in aggression.

Although a tie between violent video games and aggression has long been debated, the MU study identifies the process that leads to the aggression: Playing violent video games causes the brain to become desensitized to violence, and that provokes aggressive behavior.

“We now can say that we know definitively that playing a violent video game causes a reduced brain response to violence,” Bartholow said. “It’s not just that those two things are associated, but rather that the video game playing causes the brain change that we saw.”

The researchers initially looked for a change in the brain after students played a video game, either violent or nonviolent. Researchers then measured how aggressive the participants became after playing the violent game.

They stopped short of linking desensitization directly to violence, however. Playing violent video games does not turn someone into a killer or a rapist. The immediate aggression tends to be more benign, like cutting another driver off in traffic or tossing out an insult.

“I think it is an important distinction to say that violent video games do not necessarily cause an increase in violence,” said Christopher Engelhardt, a fourth-year graduate student who worked on the study. “I would never say that.”

Bartholow made it clear that there is a distinction between aggressive behavior, which he defined as any action intended to harm another, and violence, which is an extreme form of aggression.

“It’s not the case that by playing a violent video game we expect people to go out and be violent,” Bartholow said. “What we do tend to see is that, for at least a short period of time following the gaming episode, people become more likely to behave aggressively.”

His study, to be published in an upcoming edition of the Journal of Experimental Social Psychology, included 70 college undergraduates. Each was randomly assigned to play either a violent game — such as Call of Duty or Grand Theft Auto — or a nonviolent game — such as MVP Baseball or Tony Hawk’s Pro Skater. They were given 25 minutes to play the game.

Afterward, students looked at a series of random photos, and their brain responses were measured. Some photos were neutral, a person standing on a street corner, for example, and some were images of violence, such as a man holding a knife to a throat.

Then participants were set up in a fictitious competition and told that the player with the fastest reaction time could dish out an irritating, painfully loud noise. The loser would get the blast.


During the noise blast,  the researchers measured aggression levels according to the intensity and length of blast the “winner” selected.

In reality, there was no competition, and players didn’t know their level of aggression was being monitored.

Participants were aware that the blast was noxious, Engelhardt said. “They knew it was something that someone else would be motivated to avoid.”

The researchers found that simply playing the violent game led to louder and longer blasts. Those who played a violent game in the lab were more aggressive in their blasts than those who played a nonviolent game.

Students in the study also were categorized depending on their history of playing violent games.

The study found that students who had played violent games in the past were desensitized to the violent images no matter which game they played in the lab.

Yet, researchers were intrigued to find how quickly desensitization could occur. Playing a violent game for just 25 minutes even affected those who had little prior exposure.

Desensitization occurs when an emotional or psychological response is reduced after repeated exposure to something, Bartholow said.

In some cases, he said, desensitization can be positive. It is often used in therapy for people who have phobias, Bartholow said. People with an irrational fear of snakes could reduce their anxiety after repeated exposure to snakes in a safe environment, for example.

This is Bartholow’s second study at MU on violent video games. He created a similar study in 2006 where researchers saw a connection between the games and aggression but could not explain why.

“It’s been hypothesized many times that becoming desensitized to violence could be one factor that causes increased aggression, but nobody had ever really demonstrated that experimentally before,” Bartholow said.

His recent study demonstrates that desensitization can even occur rapidly — within 25 minutes — whereas before, it was thought to be a long-term process.

Social scientists and others, however, agree that playing violent games is only one aspect of an aggressive culture. Yet, other, more complicated factors such as violent movies and sports cannot be measured in a lab.

There is a double-standard between R-rated movies and rated M games, said Ted Sharp, assistant manager of Slackers, a downtown video game retailer. He said he doesn’t see a difference between movies and video games.

Cyrus Marriner, who has worked at Slackers for nine months, called aggression a cultural problem.

“The violent video games are not a problem on their own,” he said. “We are a violent culture. We celebrated Bin Laden’s death.”

Marriner said video games can be addictive and the games that are more fun to play tend to be violent.

“It’s not the violence that makes them more fun,” he said. “The early games that were the most engaging were the violent ones.”

Games reward players for their violent behavior, Engelhardt said. Accumulating points and advancing to higher levels is the feedback they crave to assess how they are playing.

In order to get to the next level in Mortal Kombat, for example, the player must inflict a certain amount of damage on the opponent.

The 1999 Columbine High School shootings that left 13 dead have been attributed to the shooters’ experience with violent video games, but Engelhardt finds that unjustified.

“Some people become much more aggressive, while others don’t become aggressive at all,” Bartholow said. “But the average effect is to increase the likelihood of aggression.”

Not every person who picks up a game controller is affected by violent video games, and this study takes that into account.

“We do not examine any one individual,” Engelhardt said. “What we see is a causal increase in aggressive behavior as a result of playing such games.”

Bartholow compared it to people who smoke cigarettes — not everyone who smokes will develop lung cancer, but there is a causal relationship.

More research is being done at MU to look into other possible effects of playing violent video games.

Engelhardt is investigating the effects on higher-level cognitive abilities.

“I’m interested in how well individuals are able to perform on executive functioning tasks as a function of exposure to violent video games,” he said.

Bartholow is interested in figuring out if the effects they observed in college students could be measured in younger people.

He explained that neuroscience research has shown the brain is still going through developmental changes, especially the frontal lobes, through the teenage years, up to age 20 or 22.

“It’s possible that if young kids are being exposed to lots of violent media during those years, that could lead to some changes to how their brains develop and that might have implications long-term,” Bartholow said.

SRC : http://www.columbiamissourian.com/stories/2011/06/02/mu-professor-conducted-study-violent-video-games-leading-aggressive-behavior/

Contact me at : contactme.bijay@gmail.com




Obama Administration Investigates Chinese Hacking of Google E-Mail

The Obama administration considers reports that hackers in China tapped into the e-mail accounts of American government and military leaders to be a “serious” national security issue, a White House spokesman said Thursday.


On Wednesday, Internet giant Google reported that hackers based in Jinan, China had used phishing software to seek e-mail account information of top U.S. government and military officials. They also sought information on Chinese dissidents, journalists and South Korean government officials.

“We’re looking into these reports,” said White House spokesman Jay Carney. “We have no information that any official government accounts were accessed.”

He declined to give more detail about hackers into Google’s e-mail accounts, saying he would prefer to await results of an FBI investigation.

“The president is obviously aware of it,” Carney said.

Hundreds of e-mail accounts were reportedly compromised, including one belonging to a Cabinet-level government official.

Google said in a blog post that it has disrupted the phishing software and notified its customers who might have been affected.

The phishing programs typically try to trick e-mail customers into revealing their passwords so their accounts can be accessed by other persons.

It is uncertain how much information from U.S. government personnel might have been transferred to Google e-mail, or G-mail, accounts. Carney acknowledged that government officials use the Internet widely.

“We are definitely instructed that we need to conduct all of our work on official government accounts,” Carney said.

In addition, government agencies – such as the General Services Administration – increasingly uses G-mail to conduct business.

The Chinese government is denying that it sponsored the hacking.


Carney sidestepped the source of the e-mail infiltration by saying, “I’m not going to confirm anything about origins. The FBI is investigating it.”

Chinese Foreign Affairs Ministry spokesman Hong Lei said in a statement that the “Chinese government is firmly opposed to any cyber criminal activity, including hacking . . . [and] is ready to cooperate with the international community to combat against it.”


He also said that “any blame against China in this [latest incident] is groundless and with an ulterior motive.”

Nevertheless, Google traced the attack on its e-mail accounts to Lanxiang Vocational School in Jinan. The Chinese military often uses computer scientists trained at the school.

The same school was blamed for a cyber attack against Google in a separate incident last year. The incident prompted Google to transfer its Internet services for China to Hong Kong to put it out of reach of Chinese censors.

About the same time, Internet service provider Yahoo blamed Chinese hackers for attacking its e-mail service.

The Obama administration responded to the latest Google hacking incident Thursday on the same day the House Energy and Commerce Committee considered the possibility of a new federal law to improve Internet security.

A bill set to be introduced soon would require Internet companies to notify customers promptly when their personal data is hacked.

“Consumers have a right to know when their personal information has been compromised and companies have a responsibility to promptly alert them,” said Rep. Mary Bono Mack (R-Calif.), chairwoman of the House Energy and Commerce subcommittee that held the hearing Thursday.

Witnesses included officials from Sony Corp. and Alliance Data Systems Corporation’s Epsilon Data Management unit. Both companies have been victims of recent high-profile hacking attacks.

Millions of customers of the companies had their names, e-mail addresses and credit card numbers accessed by the hackers.

The lawmakers criticized the company executives for failing to adequately protect the private information and for not notifying their customers quickly about the security breaches.

Read more: http://www.allheadlinenews.com/articles/90050386?Obama%20Administration%20Investigates%20Chinese%20Hacking%20of%20Google%20E-Mail#ixzz1OCRw3XpG

Contact me at : contactme.bijay@gmail.com