-> Software, equipments, procedures.

2. Indirect costs

->Reduced efficiency due to additional procedures

3. Savings

-> Avoiding possible, expensive damage.

-> Potentially: optimisation of procedures.

1. Pervasive mechanisms:

• Protect against a number of threats. Example -> Firewall
• Protect individual computers or whole networks. Example -> Virus Checking Programs

2. Specific mechanisms

• Protect against a specific threat. Example -> Data integrity protection.
• Protect an individual data or a piece of hardware. Example -> Controlling access to individual data items.
• More accurate, less economical

Trojan Horse: Code doing what it is supposed to do, plus something else

Trapdoor: Access to services by non-standard methods

Logic Bomb: Dormant malicious code, waiting for triggering event

Easter egg: “Cute” but harmless behaviour triggered by special input

Attack Techniques:

Injection attacks: Exploiting the input vulnerability of data not being checked or sanitised properly

Rootkits: Malware that hides its presence via modifying system data

Social Engineering: Exploiting human gullibility to extract confidential information

The Federal Trade Commission said a US judge has ordered a halt to six “scareware” operations and has frozen their assets following an investigation in cooperation with Canada, Britain, Australia and New Zealand.

FTC Chairman Jon Leibowitz said the schemes involved calls to consumers in English-speaking countries from call centers in India, informing consumers of bogus infections.

The groups also used online ads which informed computer users of the infections, and then sold “fixes” at prices ranging from $49 to $450.

“In these outrageous and disturbing cons you get a call from someone pretending to be from a major computer company who dupes you into thinking you have a virus on your computer,” Leibowitz told a news conference, which also played an audio tape of one of the calls.

“At one level, it’s like a bad Bollywood movie, but at another level it’s a ripoff of consumers.”

The FTC six firms with deceptive commercial practices and other violations and asked the court to permanently halt the scams and order restitution for consumers.

The FTC cases targeted 14 corporate defendants and 17 individuals in six separate legal filings. The companies included Pecon Software Ltd., Finmaestros LLC, Zeal IT Solutions Pvt Ltd, Virtual PC Solutions, Lakshmi Infosoul Services Pvt Ltd, and PCCare247, Inc.

Canada’s top telecom regulatory official, Andrea Rosen of the Canadian Radio-Television and Telecommunications Commission, said two related enforcement actions were filed in Canada.

Leibowitz said the FTC was sending a delegation to India to help work with authorities in such cases.

Source: http://economictimes.indiatimes.com/tech/internet/us-blocks-online-fraud-schemes-linked-to-india/articleshow/16658801.cms

The Electronic Frontier Foundation (EFF) has launched a new web app dubbed Panopticlick that reveals just how scarily easy it is to identify you out of millions of web users.

The problem is your digital fingerprint. Whenever you visit a site, your browser and any plug-ins you have installed can leak data. Some of it isn’t very personal, like your user agent string. Some of it is more personally revealing, like which fonts you have installed. But the what if you put it all together? Would the results make you identifiable?

As the EFF says, “this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.”

The EFF’s test suite highlights what most of us probably already suspect — we’re readily identifiable on the web. We ran the test on a Mac using Firefox, Safari and Google Chrome, all of which leaked enough data to make us identifiable according the EFF’s privacy explanations.

The purpose of Panopticlick is to show you how much you have in common with other browsers. The more your configuration mirrors everyone else’s, the harder it would be to identify you. The irony is, the nerdier you are — using a unique OS, a less common browser, customizing your browser with plug-ins and other power-user habits — the more identifiable you are.

For example, say you’re running Firefox on Ubuntu with the Gnash plug-in instead of Flash — way to stick it to the man — but you’re also showing up with a unique configuration of browser, OS, installed fonts, plug-ins and more which can be combined to identify you via a unique online fingerprint.

So what can you do to make yourself less identifiable? Well, by disabling cookies, the Flash plug-in, the Java plug-in and most of our extensions we were able to blend in better. Actually, the fact that we didn’t have Java or Flash turned on made us more identifiable in those categories, but it also denied the test access to our installed fonts and other bits of data, so overall, less identifiable.

Obviously that approach has a downside — without Flash there’s not much in the way of online video, a lack of cookies will cause issues with logins, and without Java, you won’t be able to crash your browser or cause it to get hung up for hours.

In short, the disabling method isn’t much fun. Strange though it may seem, the best way to lose the unique online fingerprint is to blend in with the herd. As the EFF points out, mobile browsers are hardest to identify since there are few customization options and, for the most part, one version of Mobile Safari looks just like another.

By the same token, if you want to blend in, stick with stock system fonts, run Windows XP, use Firefox with no add-ons and turn off cookies. You’ll be much harder to identify.

We should point out that, no matter how well you blend in the fingerprint test, you are of course still identifiable by your ISP. Advertisers and websites generally can’t access the information your ISP has on you, but of course governments — with the cooperation of your ISP — always can. So don’t think just because you’ve eliminated your fingerprints no one knows who you are.

Source: http://www.webmonkey.com/2010/01/eff_reveals_how_your_digital_fingerprint_makes_you_easy_to_track/

Digital game distribution leader Valve just announced there has been a security breach within its Steam database. In a message sent to Steam users, Valve co-founder and managing director Gabe Newell said someone managed to gain access to not only the Steam forums, but to the database containing user information.

Newell adds that the passwords were hashed and salted, and credit card information is encrypted. Currently, there is no sign of data being stolen, but he urges users to keep a close eye on their statements and credit card activity as the company continues to investigate.

Here is the official statement from Valve:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6.  We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums.   This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

This is not the first time a gaming service has been targeted in such a breach. Earlier this year, Sony’s online services were hit and shut down in April and remained down partway through the month of May. Back in October, Microsoft’s Xbox LIVE service also suffered an attack that forced Microsoft to put a freeze on some accounts.

VentureBeat has contacted Valve for further comment and we will update as information becomes available.
Read more at http://venturebeat.com/2011/11/10/valve-steam-service-experiences-security-breach/#jkji6wCeOx7xbqMv.99

A tweet posted on Wednesday to the Twitter account of the infamous international hacker group asserted that the PlayStation Network had been hacked again. The tweet has been taken down, but here is a screenshot before it was removed just minutes ago:

Kotaku also linked to a tweet that reportedly read 10 million PSN accounts were at risk, but that tweet has since been deleted.

However, it’s possible that these tweets were deleted because the claims were unsubstantiated.

Shane Bettenhausen, who works in Sony’s business development unit retaliated on his on Twitter account, retorted by arguing that the claims were false. Bettenhausen’s tweet has also been deleted, but here’s a screenshot:

However, note that there hasn’t been an official statement from the Sony Corporation itself yet.

There has been bad blood — to say the least — between Sony and Anonymous for more than a year now.

Last spring, Sony’s PlayStation Network was hacked, putting millions of accounts with sensitive and personal data worldwide at risk. Sony took a lot of flack for not coming forth with answers for its customers sooner, and many members signed off from the Network for good — some of whom went so far as to sell their PlayStation 3 consoles altogether.

However, a few weeks after the security breach, Sony revealed that it found a file tied to Anonymous on Sony Online Entertainment servers. It eventually broke out into an international war between Anonymous and Sony, including one incident in Spain in which three people were arrested for allegedly being involved in the PSN security breach. Anonymous retaliated by hacking the official website of Spain’s national police force.

By that point, the damage had been pretty much done between this debacle and the earthquake in Japan last March as Sony faced a $3.2 billion loss for the 2010-2011 fiscal year.

Source: http://www.zdnet.com/anonymous-says-it-hacked-10m-psn-accounts-sony-disagrees-7000002695/