As our daily use of iPhones, iPads and Android devices increases, cybercriminals are focusing their efforts on attacking us as we use our mobile devices.

Attackers want to get passwords to online services, including those we access with our mobile devices. Criminals know that you likely use the same password for many online services. The know that if they can gain control of your e-mail or Facebook logons, they can send convincing fraudulent messages to your contacts.

Attackers know that we download many apps that can be tweaked to leak confidential information to evil websites. Your lists of contacts, and their associated data, is a gold mine for cybercriminals.

What’s more, because our mobile phones and touch tablets are small And research shows that people fall for phishing emails much more when they read them on their iPhones or Androids. This is because the screens are so small that faked website addresses are very difficult to detect.

And we tend to use many different WiFi hotspots and networks, exposing ourselves to numerous not-very-secure networks . Attackers can easily compromise these networks and redirect your Web browsing, email or apps to criminal sites where all your data is exposed to them.

So here are tips to protect yourself:

•  Use a WiFi VPN service to encrypt your app and browsing activities on every access point that you encounter.

• Use a different password for every website and app.

• Do not respond to security alerts or password request emails on your smart phone. They are usually fraudulent.

• Install an app security scanner on your phone or iPad to see if you have apps that are uploading your private data to the Internet.

• Do not jailbreak your iPhone or root your Android device. Do not allow your children to use your device and jailbreak it either.

• This is one of the biggest security vulnerabilities you can face.

• Read the security notices on Android apps when you are installing them. There is a reason that these are being presented to you. Don’t just click “OK” without understanding how your private data is going to be exposed by these apps.

• Keep your device up to date with the latest operating system version. Many of these updates include important security improvements.

Here’s the big twist: the perpetrators appear to operate from India. Norman’s principal security researcher, Snorre Fagerland, lays out the case that an elaborate spying botnet, controlled out of India, is the wellspring of this activity in this report.

“We have documented that there appears to be private players running a large scale operation,”Fagerland told CyberTruth.

The strongest evidence of ties to India, Fagerland says, “is the pattern of buying and maintaining hostile websites. There are a lot of links toward Indian attackers in those data,”

Norman’s investigation began after Norwegian telecom giant Telenor filed a criminal complaint for unlawful computer intrusion last March. The attackers, referred to in Norman’s report as “Operation Hangover,” began with spear phishing. They identified and targeted specific senior Telenor managers, sending them legit-looking e-mail and getting them to click on a viral attachment.

They then probed deeper into Telenor’s network, pilfering data and storing it on the Internet, much the same as countless other so-called Advance Persisent Threat capers, as our cover story details. APT attacks are often attributed to hackers from China .

Norman established that the network of infected storage PCs and web servers used to send out tainted e-mail and infiltrate Telenor’s network has also been used to run identical APT attacks against organnizations in more than a dozen nations, most heavily represented by Pakistan, Iran and the United States.

“A lot of attention is directed towards the threat from Chinese attackers,” Fagerland says. ” That threat is real, but we should be alert for players in other regions, as well. These guys (the Hangover gang) are just as voracious as the Chinese.”

Last week ESET researcher Jean-Ian Boutin published this report about an APT attack against organizations in Pakistan that used parts of the Hangover gang’s web infrastructure. Boutin established that the attackers worked hours consistent with living in India and made several references to “Ramu Kaka,” a stereotypical servant as depicted by Bollywood.

ESET distinguished researcher Aryeh Goretsky emphasizes that evidence of the attacks attributed to the Hangover gang being orchestrated out of India is circumstantial.

“Threat attribution is incredibly complex and time-consuming and what we publicly see, so far, is far from a smoking gun,” Goretsky says. He says a rival gang or nation-state could, hypothetically, embed evidence in the attackers’ network to “misdirect attention away from themselves.”

SEATTLE – The top love affair in the lives of many women is their mobile device, according to survey findings released today by antivirus vendor AVG Technologies.

AVG polled 4,000 women in the UK, US, Canada, France, Germany and Brazil. It found nearly 35 per cent of women now use social media channels to check out dates ahead of time. What’s more, 57% of American women said they could live without sex for a week, but not without their mobile devices.

AVG’s survey underscores how rising use of social media and mobile devices continue to reshape long held notions of privacy. The findings were released today in Las Vegas at the CTIA mobile marketplace conference.

“Make sure you’re aware of your privacy settings, ” cautions Judith Bittlerly, AVG’s senior vice president of marketing. “Your digital foot print is not just what you see, it’s what other people see. Make sure it’s right for the environment.”

The international scope of AVG’s poll resulted in some interesting findings. American women are the most prolific users of social media channels to screen dates, while 61% of Brazilian women said they cancelled dates based on information discovered through social media. Meanwhile fewer than 25 per cent of French women use social media to screen dates.

AVG’s survey found that women are using their mobile devices and social media to research potential partners, and to break up with them, as well. Some 55 % of respondents said they have, or would, break up with a significant other via mobile technology.

“It’s not surprising technology is increasingly being used as a substitute for one-on-one, in-person contact,” says John Giamatteo, AVG’s chief operating officer. COO of AVG Technologies. “This study suggests an increasing level of detachment, where devices serve as agents to filter potential partners and release them when women are ready to move on.”

By Irfan Saif and David Mapgaonkar

Staying ahead of savvy cyber-criminals is a constant struggle.

Companies often deploy solutions to specific problems, such as controlling access to their web site or managing user account registration, in what’s referred to as Identity and Access Management, or IAM.

However, IAM solutions can end up as a patchwork of poorly integrated components, leaving gaps .that cybercriminals seek out and exploit.

But the good news is that IAM systems are improving. Consider a user who typically logs on to her bank account from California, using a home computer between 6 and 9 p.m. Now, what happens when the system detects that the user is logging on at 3 a.m. from Mongolia (where there are no customers or business relationships) using an unknown device?

An advanced IAM system would capture this and trigger a higher risk score even though the user entered correct credentials. Through verification, the IAM solution might deny access, even if the user logged in correctly.

Alternatively, it may request more information to authenticate the user’s identity thereby providing additional layers of protection. It might seem inconvenient if you really are in Mongolia but your best interests – in terms of protecting identity and information – are being protected.

Such thorough practices are far from universal, which is why executives at companies of all sizes should urge IT and security teams to consider the quality of their IAM systems.

Not every organization needs the most sophisticated IAM solution. For smaller organizations, off-the-shelf-solutions may work today while cutting-edge solutions become less expensive over time. Larger organizations, however, face greater risks and should consider more sophisticated IAM solutions.

Meanwhile, the next time you see “access denied,” look on the bright side: it may just be an IAM system doing its job.

SEATTLE – A new touchscreen payment system – designed to frustrate data thieves — should start appearing in hundreds of restaurants across the nation over the next few months.

The system, called RAIL, introduces a novel way for restaurant patrons to pay for a meal using a proprietary mobile device designed expressly to frustrate data thieves.

“RAIL allows you to self-swipe your card, which is really important for security, and, just as importantly, the system encrypts each transaction so the restaurant never sees or stores your credit card number,” says Joe Snell, co-founder and CEO of Viableware, the Seattle start-up that raised $6 million in funding to develop this new technology over the past 2 years.

Storage of unencrypted payment card data remains a common practice. It represents a major security weakness that cyber gangs feast on. The latest high-visibility example: an alleged international gang of cyberthieves managed to steal $45 million from thousands of ATMs in multiple countries using stolen account data to create counterfeit payment cards.

Financial, hospitality and retail industries account for an estimated 55% of unencrypted payment card data stored by commercial businesses, according to a SecurityMetrics analysis.

RAIL instantaneously encrypts data from each restaurant sale in real time. It is being used at two restaurants here, Bar Cotto and Rione XIII, and is undergoing trials at several large national chains, Snell says. He expects several large national chains now testing RAIL to introduce the system chain-wide through the course of this year.

However, improved security isn’t what will wow consumers who encounter RAIL for the first time. After self-swiping, you use a stylus to complete the transaction on a digital representation of the bill. This set-up enables you to calculate tips, split the bill and answer survey questions.

You may use PayPal or a digital wallet application to pay for the bill, and you can choose to have a copy of the receipt printed off at the restaurant or emailed to your personal e-mail account.

“RAIL is about security — and convenience,” Snell says. “You can split the bill up to nine ways, or, if you like, you can choose the items you’d like to pay for, then hand it off to the next person and they can choose their items.”

Seattle restaurateur, Ethan Stowell, ran trials in his trendy Bar Cotto and Rione XIII establishments before switching over completely to RAIL in mid April.

“By incorporating the RAIL devices into our service, our wait staff can spend more time attending to guests,” says Stowell. “Additionally, our guests can have the peace of mind that their card information will never be compromised.”

Case in point: Silicon Valley-based risk management integrator Agiliance recently announced a 65% increase in sales for the first quarter, including a 415% boost in revenue from financial services clients.

LastWatchdog asked Torsten George, chief product strategist for Agiliance, for his perspective riding this wave.

George

LW: So companies now suddenly get it that they’re under cyberattack?

 George: Many organizations are realizing that you can schedule an audit, but not a cyber-attack. This change in behavior is being driven by stricter enforcement of existing regulations, mounting new legislation and SEC guidance, evolving case law propagating a higher standard of care, as well as pressure from corporate board rooms where the impact of a breach on a company’s stock price is now a real concern.

LW: What’s the corporate sector’s biggest worry with respect to potential new regulations?

 George: Opponents of legislation that would mandate information sharing about cyber-threats claim it would be too burdensome to implement and threaten civil liberties and privacy. However, it appears that many businesses would welcome information sharing, as long as it is done in a bi-directional manner and with strong liability protections for those operating within the framework.

LW: What’s most concerning to your customers about emerging privacy regulations in Europe?

 George: While Europe operates as a common trading community, each member state has the right to interpret and apply European Directives on a national basis. As a result, global organizations most likely will face a multitude of different regulations, resulting in a variety of burdensome data breach disclosure and notification practice. Our customers are concerned about how to address the increased compliance reporting and audit workloads.

LW: Meanwhile, aren’t the bad guys still well ahead?

 George: Yes, even though many organizations spend millions of dollars each year to maintain their IT environment and implement some of the most sophisticated computer defenses available today. It’s clear we have to find new ways to improve security.

LW: What progress do you anticipate the good guys will make, going forward

 George: Many organizations rely on a multitude of best-of-breed, silo-based tools. This only adds to the complexity of data feeds that must be analyzed. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software or network configuration flaw

Mobile technology companies focus first and foremost on consumers rather than the corporate market. As such, most mobile operating systems lack many of basic security features. What’s more, with so many models from myriad manufacturers running on different versions of a platform such as Android, there is a glaring lack of consistency and basic security protocols.

Cyber criminals are targeting mobile devices more than traditional PCs, and, astoundingly, companies continue to let these devices run rampant and unmanaged on their networks.

No employee wants to be the one to unlock the door and let cyber criminals in. That, however, doesn’t stop it from happening. New research also shows that an estimated one million high-risk Android applications will get introduced into corporate networks this year.

Another recent study analyzed 2 million currently available Android apps, from both third parties and the Google Play store, classifying 293,091 as outright malicious and an additional 150,203 as high-risk. When you factor in iOS, Windows Mobile, BlackBerry and any other mobile platforms, the IT landscape is no longer centered on securing an exclusively Windows-based ecosystem.

Mobile security is a systemic problem, largely due to the business world’s inability to either comprehend or acknowledge that the status quo will no longer suffice. The only way to safely approach the use of smartphones, tablets and other mobile devices in the corporate sphere is to proactively manage how they are used.

Enterprises also cannot afford to continue the tried-and-no-longer-true practice of operating siloed security systems that react to attacks after they have already been hit. By then, it is too late. Instead, they need to bring together and connect the best of the best from all corners.

IT departments need to break these siloes open, integrate critical technologies with one another and educate the workforce in order to build in-depth mobile threat defense and response protocols. It has taken people far too long to connect the dots between mobile attacks in the last two years and how companies view IT security. If we are to stem the tide of mobile attacks, we’ve got to build a better dam.

By Tim Francis

There is little doubt that small businesses face a growing cyberthreat – and hackers are not showing any signs of letting up. Through even more sophisticated means, hackers are finding ways to attack businesses, sometimes forming syndicates of like-minded criminals to share information and new techniques.

Knowing the most common ways data breaches can occur and learning how to mitigate those risks can go a long way in deterring cyber criminals. Here are some general guidelines to help small businesses get ahead of cybercriminals and safeguard against cyber attacks:

 Train staff.  All employees should learn the importance of protecting the information they regularly handle to help reduce exposure to the business. This includes everything from locking up customer records to keeping passwords strong and confidential. Employees should also be taught how to handle a breach if one occurs.

 Defend your network. Use appropriate firewall and antivirus technology and make sure that security software patches are updated in a timely fashion. Evaluate the security settings on software, browser and email programs, and select system options that will meet your business needs without increasing risk.

 Monitor mobile devices and Wi-Fi access.  Establish usage policies for employees and be sure they are clearly communicated. For example, employees should be instructed to use public Wi-Fi only in very limited circumstances. Any data that shouldn’t be made public, such as proprietary business or customer information or credit card numbers should not be transmitted or accessed through public Wi-Fi.

 Derive an emergency plan. If a breach occurs, there should be a clear protocol for which employee is managing the situation, and what action should be taken, such as informing the insurance provider, etc. Whether it is a large or small company, this business continuity plan can help an organization manage a breach while helping to ensure that the business is still meeting customer demands.

 Consider insurance coverage. Liability protection is available for when customers or other individuals who have been affected hold a company responsible for information stolen during data breaches or other network intrusions. A cyber policy can also include coverage for a forensic investigation, litigation and remediation expenses associated with the breach. In addition, a cyber program may include coverage for regulatory defense expenses and related fines, crisis management or public relations expenses, business interruption and cyber extortion coverage.

By following these guidelines, small businesses can take some smart steps to ensuring proper risk management steps early on in order to better thwart potential attacks by cyber criminals.

So you’ve clicked on a link that now seems very suspicious. You’re concerned that the bad guys may be in control of your computing device. Or perhaps you’ve typed some account information into a web form , and you’re having second thoughts about the authenticity of the form.

Recovering will require work. Here are three things you can do if you believe you’ve fallen prey to a phishing scam delivered by e-mail, a social media posting or even a phone call, according to Adam Levin, Chairman of IDentity Theft 911.

Update and scan: If you have clicked on or downloaded anything that might infect your system, then make sure you install or update anti-virus software and run a full scan of your system. Here is helpful guidance from ID Theft 911.

 Contact credit agencies. If you have disclosed any personal information or you’re worried your account may have been accessed, you can place an alert with any one of the three major credit bureaus signals to potential creditors that you could be a victim of identity theft.

 Update account logons. If you have reason to believe that any of your email or social media accounts are compromised make sure you change the passwords immediately. See tips here.

USA NOW

By Jim Reavis

For several years, it has seemed as though computers have played a role in virtually every part of our lives. However, we stand upon the precipice of a truly profound explosion in the growth of computing. From iPhones to tablets to self-driving cars (!) to the electrical grid, conservative projections peg the number of Internet-connected devices to rise from 8 billion today to over 100 billion by 2020

Controlling these devices and managing our information are the massive server farms at Amazon, Google, Microsoft and elsewhere, creating a global compute utility called cloud computing, or more simply, the Cloud, which is expanding at a similar pace. It is impossible to predict all of the good and bad that will result from this massive growth, but it is possible to orient ourselves around a technology-friendly, global point of view to manage the problems as they emerge.

Cloud Security Alliance (CSA), an international not-for-profit organization with over 44,000 members, is building an ecosystem to create trust and confidence in the cloud based upon vendor-neutral best practices research conducted by a global constituency.

Like a utility, the Cloud is always on and available. Also like a utility, nations around the world are scrambling to understand how to regulate the Cloud. While much of this is well meaning and some of it is quite good, it is simply impossible to adequately govern an entity that is changing itself by the nanosecond by regulations alone.

Cloud certainly needs to be governed by the rule law, even though the problem of writing technology-friendly laws that do not become obsolete will become increasingly difficult. The desire to make these massive data centers that potentially store everything about us accountable to the citizens is certainly laudable. CSA believes that a major part of the solution lies in the words that US Supreme Court Justice Louis Brandeis wrote exactly 100 years ago in pursuit of greater transparency in the United States, “sunlight is said to be the best of disinfectants”.

One of the fascinating changes in our consumption of news is how fast events get reported in social media or Twitter. While they are often forums for incorrect information initially, the weight of the community seems to always get it right in the end. We think this dynamic and transparent force is the ideal means to help police the cloud.

CSA created a voluntary program for cloud providers called STAR, which stands for the Security, Trust and Assurance Registry (www.cloudsecurityalliance.org/star). All we ask is that cloud providers publish their compliance to our security best practices and publish this information in our registry for all to see. While still in its infancy, we have many of the major cloud providers already listed.

Many relayed to us that they sweated this process out more than a typical audit, because they knew the information would be made public. Indeed, the legal counsel at some cloud providers has prevented their appearance in this voluntary registry entirely over concerns about the liability of public disclosure. Public pressure will make that a losing proposition.

We think that curating social media’s response to how cloud providers use STAR to post changes in security practices, privacy policies, user terms and conditions is an ideal way to police the cloud in real time instead of waiting for the next government action. We can learn from the community and use it directly to issue new guidance that is appropriate and timely.

Massive cloud providers have potential for great power. To see government regulation as the only check to that power is misguided. Let’s tap into the potential of the community. Not only do we see this as effective, but it is the right thing to do. Consumers have a right to some of Justice Brandeis’ “sunlight” shining on the cloud providers that hold so much of our personal information.