Malicious code used to intercept and steal payment card data during online transactions

Scottsdale, AZ – November 14, 2016: With attacks that are now compromising online shops to scan credit card information, it seems as though encryption might not be the answer to keeping network data safe, says Jupiter Support senior tech analyst Vinay Patel.

This was brought to light after a Dutch researcher reported that almost 6,000 online shops, most of them built with the Magento content management system, have malicious code that intercepts and steals payment card data during online transactions. Among the websites was the online storefront of the U.S. National Republican Senatorial Committee (NRSC).

His research also showed that in many cases these compromises go undetected for up to a year. This has to do with the poor understanding of the problem by webmasters who believe that if their sites use HTTPS or a third-party payment processor the customer data is safe.

When web security firm Sucuri investigated a shop compromise that automated scans had not detected, it found that one of the site’s core files, called Cc.php, had recently been modified.

The malicious code was designed to steal payment card data and store it inside an image file. “This technique of hiding data inside files with non-suspecting extensions, such as image files, is not new and is intended to avoid detection,” said Patel.

“To obtain the stolen numbers, the attacker would not even have to maintain access to the site,” Sucuri researcher Ben Martin said in a blog post. “The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code.”
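A defender-side check for the technique described above, as an added example that is not from Sucuri or the original post: it walks a web root, flags image-named files whose content lacks the format's magic bytes, and flags card-like numbers that pass a Luhn check. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile

# Leading "magic" bytes of common web image formats.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect_image(path):
    # Findings for one image-named file; empty list if clean or not image-named.
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("bad-magic")
    for match in PAN_RE.finditer(data):
        digits = re.sub(rb"\D", b"", match.group()).decode()
        if luhn_ok(digits):
            findings.append("card-like-number")
            break
    return findings

def scan_tree(root):  # maps relative path -> findings for each flagged file
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = inspect_image(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report

def demo():
    # Constructed samples: a PNG-headed file and a text dump named .jpg.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        with open(os.path.join(root, "banner.jpg"), "wb") as fh:
            fh.write(b"cc=4111 1111 1111 1111&exp=01/20\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Both findings are triage signals: a hit warrants manual inspection of the file and a review of recently modified core files, as in the Cc.php case above.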

For more information on how to safely shop online, visit www.jupitersupport.com


The “Internet of Things”… a blessing or a curse?

More than 12 billion devices can currently connect to the Internet, and researchers estimate that by 2020 there will be 26 times more connected things than people.

Scottsdale, AZ – November 14, 2016: A high-profile cyberattack has put the growing Internet of Things (IoT) space on alert, news reports say.

Last month, a cascading string of distributed denial-of-service (DDoS) attacks that took down parts of hundreds of sites, including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times, demonstrated record-breaking volumes that are overwhelming website defenses. The four-fold growth in attack size over the last year is being driven by hundreds of thousands of internet-connected devices hackers are adding to their botnets, according to industry sources.

With an estimated 21 billion devices expected to be connected to the internet by 2020, there is a critical need to ramp up the security of “things.” The Smart Card Alliance said it advocates for the addition of embedded security in IoT devices.

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet,” Virginia senator Mark Warner wrote in a letter to the US Department of Homeland Security and other federal agencies after the attack.

Experts at Jupiter Support, a remote tech support organization, sense a vital need for consumers to change the passwords on their IoT devices. Neil Britto, CIO of Jupiter Support, says the burden is even more on IoT companies to make sure their devices are highly secure, even if vulnerabilities are not necessarily solely their industry’s fault, with the first step being for companies to program their devices to require users to change passwords upon first use.

Security holes are present in any product running software, but IoT items are especially vulnerable, Britto said. He added that patching devices can easily fix security vulnerabilities without any user interaction.

Playing safe:

  • If the home Wi-Fi router allows the creation of separate guest networks, create a special guest network to keep untrusted visitors off the regular network.
  • Turn off Universal Plug and Play (UPnP) on the router, and on all IoT devices if possible.
  • Keep the firmware up to date on all IoT devices.
  • Choose passwords carefully and write them down if needed.
  • Refrain from carrying IoT devices to work or connecting them to the employer’s network without permission from IT staff.

Visit www.jupitersupport.com for more information.


Bogus Invoices produced by Dropbox Phishing campaign

Scottsdale, AZ – November 14, 2016: Cloud storage giant Dropbox is once again tied to security trouble, this time through a malware-based phishing blast that poses as a Dropbox notification email.

According to AppRiver, an email and web security firm, the phishing email alerts recipients that they must download an invoice file via a link provided in the email. The message claims that the invoice is for work completed for language translation.

“The download link within the message is an exploited SharePoint URL where the .zip file is stored. From the live samples we’ve seen, it appears that this is an isolated source of the malware and that it hasn’t spread to other SharePoint sites,” AppRiver said in a report.

In a recent report shared with Infosecurity,  Tools and Osterman Research said that phishing campaigns like this one are up several hundred percent this year—and all too often, those campaigns are delivering ransomware.

The report said that 51% of C-level and IT execs have experienced between one and five phishing or ransomware incidents in the past year, while nearly a quarter have experienced six or more. There are now 4,000 ransomware attacks occurring daily, a 300% increase from 2015, the report found.

For information on how to get rid of malware, visit www.jupitersupport.com or call 1-800-860-8467.


Cybercrime to surpass $6 Trillion by 2021: Cybersecurity Ventures

Scottsdale, AZ – November 14, 2016: A report by information-security analyst firm Cybersecurity Ventures estimates that cybercrime will double within just five years, reaching $6-trillion annually by 2021, up from an expected $3-trillion this year.

“One of the reasons that cybercrime damage is rapidly on the rise is because of everything that is computerized and connected to the Internet,” said Rohit Pillai, tech support analyst with Jupiter Support, an online remote tech support organization.

Other key findings in the report include:

  • By 2020, the dramatic increase in the number of people and devices connected to the Internet will require 50 times the protection needed today.

  • The number of points an attacker can target is expected to grow ten times larger over the next five years.

  • There is no effective law enforcement against financial cybercrime today.

The best way to protect yourself against the rising tide of cybercrime is to be prepared. Visit www.jupitersupport.com for more information.


Disabling Cortana is still possible with Windows 10 Anniversary Updates

Scottsdale, AZ – November 14, 2016: Disabling Cortana is no longer as simple as it was, because the toggle switch has been removed with the Windows 10 Anniversary Updates. It has to be manually disabled through the registry editor, Jupiter Support, a remote tech support organization, said.

Jupiter Support lays out the manual process to disable Cortana, as follows:

  1. Press the Windows button and R on your keyboard to open the Run window

  2. In the window, type regedit and click OK

  3. Using the path tree in the left of the Registry Editor – navigate to the following path

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows S

  4. If you do not have the ‘Windows Search’ path, you will need to create it by following these steps

  5. Right-click on the ‘Windows’ path, click on ‘New’, then ‘Key’

  6. Enter the name – Windows Search

  7. Right-click on the ‘Windows Search’ path and click on ‘New’, then ‘DWORD (32-bit) Value’

  8. Enter the name – AllowCortana

  9. The default value should be 0 (zero) – if it is not, double-click on it and set it to 0

  10. Restart the computer and standard non-Cortana search will be back again.

For more Windows 10 tips and tricks, visit www.jupitersupport.com or call 1-800-860-8467.

Instapaper now free for everyone

Instapaper is dropping its monthly subscription and will begin offering its service ad-free to all users. All of Instapaper’s Premium features, including full-text article searches and speed-reading, will also be opened up to everyone.

This is a big shift for Instapaper, and one that’s clearly driven by its recent acquisition by Pinterest. Before today, Instapaper offered a $2.99 per month (or $29.99 per year) subscription to support itself. But in doing so, it placed some of the service’s unique and helpful features behind a paywall, making it harder to stand out from its much-loved competitor, Pocket.

In opening those features up to everyone, Instapaper starts presenting a more compelling offering. It’s now including various features for free — like full-text searches and ad-free browsing — that Pocket charges for. The services are more-or-less equivalent, so that might be enough to win over people undecided on which read-it-later app to start using.

The app has gone through several different business models (free with ads, paid only, paid with optional subscription, free with optional subscription) and gone through three different owners: its founder, then Betaworks, now Pinterest. If subscriptions were bringing in a meaningful amount of revenue, Pinterest probably would have let them be.

Pinterest says it has “no new monetization plans to share at this time” for Instapaper. The decision to drop subscriptions, Pinterest says, was simply a matter of the app being “better resourced,” so that it can “offer everyone the best version.” Those resources may be Instapaper’s best chance at taking on Pocket.


Election hacking FAQs

From Hillary’s vulnerable email server to the string of Russia-linked email dumps, digital security has been one of the major forces driving the news. So far, all the hacks have been about information — in their way, not so different from October Surprises and smear campaigns of previous elections — but they raise an even more troubling question. With allegedly state-sponsored hackers already playing an active role in the campaign, could the integrity of voting itself be at stake?

Voting machines

Voting machines are terrible in basically every way. They’re expensive, old, prone to failure, and unpleasant to look at, but they’re also not that hard to break into. Computer scientists have been demonstrating that for at least 10 years, generally by physically cracking open the machines and installing election-rigging software. Election boards have been slow to respond, and the demonstrations have just gotten better as the years go by.

Voter data

This year has already seen attacks against voter registration systems in Arizona and Illinois, with the latter attack bringing down the system for 10 days and stealing data on as many as 200,000 voters. If an attacker went farther, actively erasing certain voters from the rolls, it could easily cause havoc on election day.

The good news is that, like the voting machines, rolls are distributed. Hackers might compromise the election board’s version of the voter registration list, but there would be plenty of other evidence that each voter was registered, including previously distributed voter rolls and actual registration forms.


LinkedIn can now help you determine the salary you deserve

LinkedIn recently introduced a new tool called LinkedIn Salary that aims to help users learn more about the salaries in their industry and how making changes to their current career impacts how much they make.

When you enter a job title and a city, the tool returns the median earnings of individuals with that job title in the city you selected. Besides base salary, it also takes into account other forms of compensation, like bonuses and stock options.

LinkedIn, which is increasingly focusing on a data-driven approach to its services, will also let you dig into the salary data so you can get a better idea of how different factors impact salaries in a given field. For example, it will show how salaries for a given role vary by company, as well as how company size and education level impact earnings.

LinkedIn is not the first company to try to bring more transparency to salary information — Glassdoor has a similar product for helping people determine whether they are being paid fairly — but the company says it is more focused on helping its users maximize their potential rather than assessing fairness or whether a particular salary is competitive.

Instead, the goal of all of this, LinkedIn says, is to “help professionals around the world make better career decisions and optimize their earning potential now.” And the company says we can expect to see it integrate salary information into more parts of its network in the future. (LinkedIn Premium users will also see salary details in the site’s job search results.) LinkedIn Salary is available to all the site’s users, though those who don’t subscribe to a paid tier will need to first enter their own salary before they can access all of the information.


Google rebuked for disclosure of Windows Bug

Google on Monday posted to the Internet a previously unpublicized flaw that could pose a security threat to users of the Microsoft Windows operating system.

Google notified both Microsoft and Adobe of zero day vulnerabilities in their software on Oct. 21, wrote Neel Mehta and Billy Leonard, members of Google’s Threat Analysis Group, in an online post.

Google has a policy of making critical vulnerabilities public seven days after it informs a software maker about them. Adobe was able to fix its vulnerability within seven days; Microsoft was not.

“This vulnerability is particularly serious because we know it is being actively exploited,” wrote Mehta and Leonard.

However, Google’s Chrome browser prevents exploitation of the vulnerability when running in Windows 10, they added.

“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” Microsoft said.

After cracking a system, hackers typically try to elevate their privileges in it to obtain access to increasingly sensitive data.

“Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented,” Microsoft noted.

The Windows vulnerability Google’s team discovered is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape triggered by a win32k.sys call, according to Mehta and Leonard.

The sandbox in Google’s Chrome browser blocks win32k.sys calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of the sandbox escape vulnerability, they explained in their post.

Google’s decision to release details of the vulnerability before Microsoft had a chance to get out a fix has surfaced a long-standing debate over responsible disclosure. Many security researchers have long held that vendors should be given a reasonable shot at fixing reported flaws in their products before details of the vulnerability are publicly disclosed.

Others, especially bug hunters, have said the only way to get some vendors to address security issues quickly is to give them a tight deadline for fixing the issues and to threaten them with public disclosure if they don’t.

The latest incident shows why some sort of regulatory requirement should be implemented to guide disclosure practices, said Udi Yavo, chief technology officer and co-founder at security vendor enSilo.

“The Google-Microsoft disclosure dispute is yet another example of why the 90-day window for vulnerability disclosure that has been industry practice for some time should be an actual regulatory requirement,” he said in an emailed statement.

The legislation should spell out the grace time that is available for vendors that are not able to meet the 90-day window and the consequences for violating these rules.


Yahoo Hack: Whodunnit

A week has passed since Yahoo was subjected to the worst data breach in history. Yet details about who nabbed info on 500 million email accounts remain sketchy.

At least one firm says it wasn’t a “state-sponsored actor” as Yahoo claimed, but like many things related to hacks, cybersecurity and the dark web, even that claim is impossible to verify.

“The group responsible for the Yahoo hack are cybercriminals,” said Andrew Komarov, chief intelligence officer at InfoArmor. The company posted a report on Wednesday detailing the involvement of “Group E,” a hacking syndicate that InfoArmor says it has been monitoring in dark corners of the internet for some time.

The FBI is currently investigating the data breach but hasn’t put forward a theory publicly about who is behind it.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said in a statement.

Komarov said InfoArmor was able to obtain “a pretty large sample of the database” of stolen email addresses, encrypted passwords and other personal information. With the permission of people whose information was caught up in the hack, the company checked the database and found it corresponded with real Yahoo accounts from 2014.

Details of the breach were confirmed within weeks of the Democratic National Committee’s emails being hacked, exposing the Democrats’ attempt to smear former presidential candidate Bernie Sanders.

Other large-scale company security breaches include Dropbox, which announced earlier this month that 68m users’ accounts were compromised in 2012, representing two thirds of its customer base. Some 167m LinkedIn users’ account details were leaked the same year.

Sony Pictures Entertainment also suffered an attack with around 47,000 social security numbers of current and former employees leaked online, including those of actors and freelancers.

This year, around 37m users of Ashley Madison, a site to facilitate extramarital affairs, were hacked. More than 400m MySpace accounts were compromised in July, the second largest breach in history.
