Security News

Security Think Tank: What should be in an incident response plan

Imagine this scenario: Your website has been down for the past ten minutes and the techies, rightly I must add, are scurrying around trying to identify the root cause. Given the limited tools (due to the budget cuts announced last year), they have limited visibility into the origins, the method of attack. Eventually, one techie shouts: "This is a massive DDoS attack! A distributed denial of service attack and that your site is being attacked by hundreds of thousands of zombie machines! Panic!" “Get everyone on the bridge! Now!” barks the head of operations and you, the CISO and or the CIO and every man and woman worth a title jumps on the bridge along with the techies. Let’s not forget the outsourcers. Multiple accents, time zones, and people are all clashing trying to stop a zombie DDoS attack. “Oh, by the way, I can access the site now, its back up,” says one of the techies on the call. In the meantime, while the drama of the DDoS was playing out, the interim CFO tried to call the IT manager to report an incident on her machine. She had clicked on a link in an email and there was an explosion of several internet explorer windows. She could not close them fast enough. But the IT manager had told her he would call her back because he was busy with a major DDoS incident affecting the front-end website. The interim CFO did not push him, surely the DDoS was more important than her internet browser behaving badly. In the end, the CFO just restarted her machine. Problem solved. This is a common setup in many organisations and something that I have seen many times. Okay, it is not common to see a DDoS and the CFO’s laptop misbehaving but I am trying to make a very important point - hear me out. Most incident plans and the creators behind them are still living in the static and visual age. What do I mean by that? The impact of a DDoS can be seen by all, your customers, your employees, your shareholders! It is totally natural to ply all resources into its resolution. The interim CFO’s issue is a singular non-impact incident that is nothing but an irritant affecting a single individual. Here is what happened next: The interim CFO’s laptop had experienced a targeted attack by an ideological group of cyber activists. The irritating windows that kept cropping up was a purposeful design of the malware that this group had purchased from the dark underbelly of cyberspace. The malware was installed and had dialled back home informing the buyers that it was ready for the next set of commands. To cut the story short, the cyber hacktivists infected the chief marketing officer’s laptop, where they hit “gold” in the form of a list of the half a million customers personal information including name, address, date of birth etc.  They stole the data and published it on the internet for everybody to see The company was not only fined by the regulators, but also named and shamed by the media affecting its brand reputation and eventually its share price. So what should a CIRP or Cyber incident response plan contain? The organisation creating the plan, must start by acknowledging that: A cyber attack is imminent and it is not the size and visible impact of an attack that should drive the plan. The smallest of incidents can have the biggest of impacts. The attack may be too complex to fully understand or feel its immediate impact. The need for “Info Sharing” mitigation is the first and most effective line of defence. Most importantly: The CEO, senior executives and the board of large organisations must understand that they will fall victim to a cyber attack. In addition, the organisation’s  C-suite must be responsible for managing a cyber incident rather than sysadmin and helpdesk. Although the heading refers to what must be in an incident plan, I am going to take a different approach for now by arguing that there are some things that must never be considered in a CIRP or Cyber Incident Response Plan. These are: A DR approach: Do not include, copy or plagiarise a  DR plan. A cyber incident is not similar to a disaster in many cases.   A list of attack scenarios: Do not create an impossible list of all possible attack scenarios that are then compiled into a tome that no one ever reads. Save the planet: Do not write and print 500-page documents that detail the steps for remediation. Process a DOS:  Carrying on from point number three, untested processes end up creating a denial of service. Think about it, do not create and expect staff to follow untested useless processes, especially during or just after a cyber attack. Skill you NOT: Do not expect anyone to Google a skill at 03:00 in the morning. Enough said. Executives: Step up to the plate One reason most plans fail could be because of the lack of executive support and understanding. It is becoming evident that most executives and senior management are unable and unaware of how to respond to the growing threat of cyber incidents.  There is no-one advising or guiding senior executives on how to develop these capabilities to make cyber incident response work. There needs to be a cyber incident response programme (CIRP) for executives that enables them to understand and deal with the threat of cyber attacks. Amar Singh is chair of ISACA UK Security Advisory Group Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK This was first published in July 2014

UK leads international partnership to fight financial malware

The UK’s National Crime Agency (NCA) is leading an international collaboration between law enforcement and private sector firms to fight bank theft malware. The first project of its kind brings together partners including the FBI, Europol, BAE Systems Applied Intelligence, GCHQ, Dell SecureWorks, Kaspersky Lab and the German Federal Police. The partners are working together to combat the Shylock Trojan by disrupting the infrastructure enabling cyber criminals to use the malware to raid bank accounts. The disruption action includes seizing computer servers which form the command and control system for the Trojan, and taking control of the domains Shylock uses for communication between infected computers. Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to co-ordinate action in their respective countries, in concert with counterparts in Germany, Poland and France. The disruption action is being conducted from the operational centre at the European Cyber Crime Centre (EC3) at Europol in The Hague. EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts to assist the operation. “In this way we have been able to support frontline cyber investigators, co-ordinated by the UK’s NCA, and working with the physical presence of the United States’ FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber units in Germany, France and Poland,” said Troels Oerting, head of EC3. Hath not a hacker eyes? Shylock - so called because its code contains excerpts from William Shakespeare’s Merchant of Venice - has infected at least 30,000 computers running Microsoft Windows worldwide. The NCA is co-ordinating the operation because intelligence suggests Shylock has targeted the UK more than any other country, although the suspected developers are based elsewhere. Victims are typically infected by clicking on malicious links that download and install the malware. The malware then accesses funds held in business or personal accounts, and transfers the money to the criminal controllers. According the NCA, Windows users who receive automatic updates do not need to take any action, as the updates will ensure infected computers are cleaned automatically. Windows users who do not get automatic updates or who would like to learn more about how to check their computers and remove infection can visit the Microsoft support site. Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit (NCCU), said the disruptive phase of the operation is intended to have a significant effect on the Shylock infrastructure. “This operation demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber crime impacting the UK,” Archibald said. Private sector collaboration The NCCU sees a deeper, more defined and developed relationship with private sector businesses as crucial, not only to identify crimes and patterns of criminal activity, but also to tap into specialist skills. “We need to be able to go to organisations in the private sector and ask to work with people with the skills we need in some of our investigations,” Archibald told Computer Weekly in a recent interview. “Industry can bring things to the table that we may not be aware of, and we will work with the private sector within the law if the solution to an operation is something the private sector can take the lead on,” he said. The latest operation follows the first collaborative action involving the NCCU in mid-May that resulted in the arrest of 17 suspected users of Blackshades malware, which is designed to take control of computers and steal information. The operation tested some of the principles the NCCU has been working on around international co-ordination and collaboration. Archibald said the operation in May also demonstrated that, despite the well-known challenges to working in multiple jurisdictions, it is possible to share information and co-ordinate action around a common goal. Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK

Cameron rushes through emergency phone and internet data retention bill

After an initial announcement that came only yesterday evening, Prime Minister David Cameron held a press conference this morning to announce a new "emergency" law to force telecommunications firms to retain data for 12 months. The Data Retention and ...

PC sales bounce bank as XP drives hardware refresh

Desktop and laptop upgrades, driven by the migration away from Windows XP, have bolstered PC sales in Europe. The European PC market has returned to strong growth after very weak growth (0.3%) during the first quarter of 2014 and eight consecutive quarters of decline prior to that, according to Gartner’s latest PC market share data. Ranjit Atwal, research director at Gartner, said: "In EMEA during the second quarter we saw a continued shift to ultramobiles at the expense of traditional notebooks." In addition, PC sales in Europe continued to be driven by an increase in professional spending. This is in part due to organisations upgrading from Windows XP as official support from Microsoft ended. With XP no longer supported, businesses have been forced to upgrade their Windows operating system. As Computer Weekly has previously reported, XP migration projects are major undertakings, requiring a huge amount of application compatibility checking. Older XP machines are unsuitable for running modern operating systems, such as Windows 7 or 8, and new applications, resulting in the uplift in sales of new enterprise PCs. HP retained the number one position with 20.5% market share and had a strong quarter, shipping 4.61 million units. Lenovo held on to the second spot with 17.% market share, marking eight consecutive quarters of double-digit growth. Lenovo PC shipments grew 52% in the second quarter of 2014 thanks to growing presence in the consumer PC market, Gartner noted. Both Asus and Acer grew in the hybrid PC market, which may point to greater acceptance among users for Windows 8.1 hybrid PC tablets, over the iPad and high end Android tablets. In August, Microsoft is set to launch the latest version of its Surface Pro hybrid device. The Surface Pro 3 is being targeted at mobile professionals and can be specified with an Intel Core i3, i5 or i7 processor, up to 512 Mbytes of SSD storage and 8 GBytes of memory. The Core i5, model, equipped with 128 Gbytes SSD and 4 Gbytes of RAM is priced at £899. While PC sales are improving, sales of tablets are set to slow in 2014, as uptake moves into the late adopters phase in mature markets, according to Gartner. Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK

Security Think Tank: Minor failings can trigger major data breaches

A good data breach incident response plan looks like one that has never been used. By that I mean it has been created and tested but never had to be called into use because the preparation, education and testing involved in good security has been so effective.  Realistically, though, I wanted to put together some thoughts to show the kind of things an organisation needs to be thinking about when it comes to developing a good quality plan and embedding a security culture that minimises the likelihood of the plan being activated. My experience of data breaches is that sometimes the near-misses go unnoticed. These are small security failings that should be taken as fair warning that there is a problem in the organisational culture that could eventually lead to a serious incident. Instead, priority and spend is reserved for bigger threats that may have a greater impact, but are far less likely to occur. The more we focus on preventing large events, the more chance there is of one actually happening. This may sound absurd but it is a real result of the ‘aggregation effect’. The aggregation effect refers to there being many more minor security infractions within an organisation than large security events, with an accumulation of increasingly frequent small incidents ultimately leading to a major event.  When small incidents go unchallenged – or even unnoticed – they become the accepted culture. So, the first time a door to a file room is propped open for the sake of convenience, the security policy is bypassed. If this goes unchallenged, it will happen again because “Fred” does not see the importance of putting his PIN code into the door entry system for the file room. This mindset cascades, with more and more people believing it to be acceptable behaviour. Before you know it, propping the door open is the norm within the business, offering an opportunity for files to be removed by unauthorised staff, altered and copied – and a more major security breach could occur.  Just because the policy is that entry to the file room is via PIN code, with the door locked again when someone leaves the room, it is dangerous to assume that this is exactly what happens every time.  Another common example of how a seemingly innocuous act can generate the potential for a major security event relates to encrypted laptops.  “Jim” never logs his laptop off before closing it and dropping it into his bag. It takes too long and he’ll be working on it when he gets home anyway. Not only does he ignore security protocol but more importantly the laptop is unencrypted while he is logged on – as is access to the sensitive data held on it as a result. The problem is compounded because Jim assumes that because nothing bad happened the first time he forgot to log his laptop off it’s ok to carry on doing so.  This is how a culture of sloppy security practice or lack of focus on the small but frequent incidents can become a fast track to a major incident. Chances are that this behaviour is not an isolated instance and others may be doing it too, so the risk of a major information breach increases. Data from the Ponemon Institute suggests that almost a third of breaches are reported by customers but only 19% by employees. The same research says that more than half of employees are wandering around with sensitive or highly sensitive data on mobile devices and around 10% carry out activities on those devices that are subject to the data protection laws. These are security failings that become cultural and when added together increase the chance of a large-scale or business-critical breach. Hopefully, it highlights the importance of education when it comes to building an effective plan. How to construct your incident response plan So back to the question, ‘What does a good data breach incident response plan look like?’  The plan should have the stages of preparing, identifying, assessing, containing, investigating, resolving and, finally, learning.  Hopefully you will have gathered from what you have just read that not enough time, effort and resource is going into the preparation and identification parts of plan development.  Training and embedding the security policy is all part of the preparation phase. However, statistics show that far too many organisations still vastly under-fund and under-resource awareness and education. If we continue with our earlier example of the unencrypted and still logged-on laptop, then the preparation part would have covered things like encrypting the laptop, training Jim to ensure he always logs his laptop off before taking it out of the office and only removes if from the office when necessary. In other words, some solid policy, procedure and education will ensure the employee knows the correct actions to take.  To take the identify stage with the laptop example again, a colleague might notice that the laptop was still logged on and notify the colleague or appropriate person. This would be flagged as a near-miss and a risk that required Jim to be reminded of the policy. This would have to be recognised and flagged enough times to stop this behaviour becoming the culture. “Culture eats strategy for breakfast,” as Paul Drucker, widely considered the father of modern management, once said. Skimping on these two stages enables the risk of more serious incidents to grow, as sloppy or insecure behaviour will proliferate if unchecked. Eventually one of these incidents may get through and you end up with what could be a business-closing data breach. The eBay breach is a reasonable example of how it can go wrong.  There are many hundreds of thousands of phishing emails a day sent to organisations and businesses of all sizes; the same number of serious data breaches do not occur on a daily basis. But all it takes is one staff member who does not realise that they have received a phishing or spear phishing email and accidentally allows the payload to be deployed. Inadvertently they have enabled what could turn into a major breach.  So even though major breaches are relatively rare, phishing is ubiquitous and seemingly relentless. However, dealing with the occurrence of phishing emails is much easier than trying to contain and resolve a major breach. Being able to accurately assess the scope and scale of the incident is vital. If it has gone beyond a near-miss and an actual breach has occurred, then you need to understand precisely what assets are affected and gather as much information as possible before moving onto the containment stage of the plan. The investigation stage needs to establish not only where the vulnerability was but what resources are going to be required (such as legal or forensic support) to move into resolution.  Finally the learn stage will cover all the key indicators that have been revealed throughout the whole plan implementation. The learning phase is as important as the preparation stage because it actively informs that part of the plan and enables improvements to be made. Put it to the test Testing any plan is a vital part of its effectiveness and relevance. I have frequently seen the whole plan being tested – a huge undertaking for most organisations. The danger here is that the focus can end up being on large-scale and disastrous events, which tend to be less frequent, and the smaller yet more frequent events can be overlooked and untested. This can be magnified when you add in the ‘marking your own homework’ approach; sometimes an independent set of eyes will find flaws and vulnerabilities that someone very close to the plan or organisation/department might not notice.  An example of how a flaw like this might happen is the file room door example I mentioned earlier. Perhaps this is a patient or client file room containing sensitive and possibly valuable paper-based data. This has to be protected too and it is dangerous to assume that all staff would know not to prop the door open or have a Post-it note with the door entry code stuck to the wall. These seem like obvious things, but when a plan is being tested, if the focus is on preventing a major hack then it is little things like this that can drift by unless someone with a fresh approach can spot these potential failures in policy and procedure. In closing, I would say that a fully rounded view of all the factors mentioned here has to be part of any data breach incident response plan. The key part is to make sure you put measures in place to limit the need for its full deployment in your organisation, and if you do have to use it, then make sure you glean every possible lesson from it and get those small incidents and near-misses covered, recorded and acted on as they are the frequent enablers of the much larger events. Get outside help to check and test your plan to ensure no assumptions become vulnerabilities. Mike Gillespie is director of cyber research and security at The Security Institute Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK This was first published in July 2014

US government network hacked by Chinese cyber criminals

Chinese hackers broke into the computer network of the US government agency that stores personal information on all federal employees, US official have revealed. The hackers appeared to be targeting files on tens of thousands of employees who have applied for top-secret security clearances, according to the New York Times (NYT). A senior US official said the attack had been traced to China, but it was not clear if the hackers were part of the government. Although US officials said federal authorities had detected and blocked the intruders, it remains unclear how far they penetrated the network of the Office of Personnel Management. But a senior Department of Homeland Security official said that so far there was no evidence that any personally identifiable information had been accessed. The intrusion took place in March, two months before the US charged five Chinese military officers with hacking into five US companies and a labour union to steal trade secrets. Those charged are members of the Chinese People’s Liberation Army Shanghai-based Unit 61398, which was identified as a dedicated and prolific hacking unit by US security firm Mandiant in 2013. The charges are believed to be the first to be made by the US against state actors for infiltrating commercial targets by cyber means. China responded to the allegations by suspending co-operation with the US on an internet working group and made counter claims that the US hacked into Chinese systems using phishing attacks. Chinese foreign ministry spokesman Qin Gang said the allegations were "made up" and would "damage Sino-American co-operation and mutual trust". But this week, China and the US began annual talks in Beijing, called the Strategic and Economic Dialogue. The talks are expected to include discussions on cyber security. More on cyber espionage IT manufacturers fight cyber espionage risks in the supply chain Researchers uncover advanced cyber espionage campaign Norway’s Telenor hit by cyber espionage campaign Prolific cyber espionage group tied to the Chinese military After lull, PLA 'Comment Crew' hasn't changed cyber-espionage tactics RSA 2013: China not the only cyber espionage country, says Mandiant Dell SecureWorks uncovers cyber espionage targeting energy firms Dell SecureWorks uncovers cyber espionage targeting energy firms Security researchers discover powerful cyber espionage weapon 'Flame' NIST revises US federal cyber security standards Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK

UK emergency surveillance legislation expected soon

The government is expected to rush through emergency legislation as early as next week to force UK communications providers to store records of phone calls, texts and internet use. The emergency legislation is expected to be introduced as an independent bill or as amendments to the serious crime bill currently going through parliament. The move has been precipitated by a high court challenge to the government’s continued collection and retention of personal data from internet and phone companies after the EU Data Retention Directive was scrapped in April. The directive was scrapped after the European Court of Justice (ECJ) ruled there was no legal basis for retaining location and usage data on all customers for six to 24 months. Under regulations introduced in 2009, the UK government requires internet and phone companies to retain communications data for 12 months and allow the police and security services to access it. But, if the London high court challenge is successful, the UK regulations will be declared unlawful by a UK court. UK political parties have been discussing emergency measures amid mounting concerns over renewed terror threats and the detrimental effects on counter-terrorism capabilities of the National Security Agency (NSA) leaks by whistleblower Edward Snowden. Labour is expected to accept the bill if it simply restores what the government believed to be the law before the ECJ scrapped the Data Retention Directive, reports the Guardian. No return to snooper's charter But in negotiations on the emergency anti-terror laws, Labour and the Liberal Democrats have insisted they will not allow a revival of the controversial Data Communications Bill known as the snooper’s charter. The bill was aimed at making it easier for security and police services to spy on emails, phone calls and internet activity, but it was withdrawn after being widely criticised as an assault on civil liberties. In the latest negotiations, Labour has also won agreement that ministers will launch a review of the Regulation of Investigatory Powers Act (Ripa) passed in 2000. There have been growing calls for a review of the law in the light of the Snowden revelations and the government’s exploitation of a loophole to monitor the social media accounts of UK citizens. As recently as June 2014, former UK security minister Pauline Neville-Jones called for the law governing mass internet surveillance to be tightened up and more controls added. Privacy campaign groups have expressed fears that the emergency legislation will allow the continuation of "privatised snooping". Privacy and civil liberties campaigners are calling for any new surveillance legislation to allow greater transparency about the data that they are required to collect, for what length of time and for what purposes. Jim Killock, director of the Open Rights Group, said: "Forcing ISPs to retain the data of every UK citizen is disproportionate and unnecessary. Rather than rushing through a new law, let's get parliament to look at this and get this right.” According to the Open Rights Group, any legislation mandating data retention must now comply with the 10 points set out in the ECJ judgment, particularly that blanket data retention is unlawful. Civil liberties groups are also calling for greater transparency after figures obtained under the Freedom of Information Act show that the government paid almost £65m to communications service providers to retain communications data over a six-year period. Emma Carr, acting director of Big Brother Watch, said: “It is clear that communications service providers are being paid with one hand and silenced with another. If the government wants to force communication service providers to retain citizens’ data, then this must go hand in hand with greater transparency.” Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK

Silent Circle’s OCC VoIP service cuts out roaming costs and snoopers

Mobile device privacy supplier Silent Circle has unveiled a global hybrid encrypted VoIP service in a move it has claimed will directly challenge mobile carriers by eliminating fears over state-sponsored phone tapping and by slashing the cost of mobile roaming. The expansion of its Out-Circle Calling (OCC) service will enable customers to make and receive encrypted, private voice calls across its Silent Phone service to non-subscribers in 79 countries with a user-specific 10-digit number. The firm said the OCC could wreak havoc among wireless carriers – which have tended to impose steep roaming charges on business subscribers – by introducing a high-fidelity VoIP option for calling standard mobile and PSTN lines, backed by the privacy of its encrypted service, over any mobile or Wi-Fi network. “With Out-Circle Calling, Silent Circle is directly challenging the legacy model of mobile carriers by offering an alternative to costly mobile roaming fees,” said Silent Circle chief of revenue Vic Hyder. “This is an especially important issue for our enterprise and government customers around the world.  “International fees and roaming charges account for a significant portion of European and Latin American business overhead. Our encrypted international calling service completely eliminates roaming charges while protecting members with the use of Silent Phone.” The firm already offers private voice and video calls through the Silent Phone service on iOS and Android devices and a Windows desktop service. A companion service, Silent Text, allows customers to securely exchange SMS messages and attachments of up to 100Mb, which can be automatically deleted from both sending and receiving devices. It has also signed a deal to create a privacy-enhanced Android device, dubbed Blackphone, through a joint venture with Spanish developer Geekphone. In a blog post, Silent Circle co-founder and CEO Mike Janke said the comms industry was ripe for a shake-up over long-distance and roaming charges. “One of our Fortune 100 customers in Zurich has estimated they will save over $38,000 a month and be secure using our encrypted calling plans. That is real disruption,” he wrote. Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from RELATED CONTENT FROM THE TECHTARGET NETWORK

The Clock Is Ticking on Windows 7, Microsoft Warns

Mainstream support for Windows 7 ends early next year, but there's no need to panic. Patches will continue for years to come. Microsoft may be preparing for the end of Windows 7, but the popular desktop operatin...

Document Macro Malware on the Rebound

Fifteen years after the first Microsoft Word macro viruses attacked the Internet, the technique is still proving successful at exploiting users. In 1999 and 2000, Microsoft macro viruses such as Melissa and ILOV...

Avast Warns Selling Used Phones May Expose Personal Info

While some iOS versions are an exception, Avast said it found plenty of personal, and saucy, content on factory-reset phones it bought on eBay.  Days after the discovery of a "secret" Apple eBay store, a new report from Avast revealed some of the risks involved with selling used smartphones—even in instances where consumers conscientiously deleted their data. Avast, which offers an Anti-Theft app that it said can "thoroughly" wipe and "permanently delete and overwrite all files on a device," making personal information "irretrievable," recently performed an experiment in which it purchased 20 used smartphones. The previous owners had performed factory resets, or chosen the "delete all" function on the phones—which included Samsung Galaxy S2, S3 and S4 models, as well as phones from Motorola and HTC. Still, Avast said it found plenty of personal information left behind. Specifically, it found 40,000 photos—1,500 of which were of kids and 250 of which were nude male selfies. Try wiping that information from your brain, and then consider that Avast also found more than 750 emails and text messages, more than 250 contact names and emails, more than 1,000 Google searches, the identities of four previous owners and one fully completed loan application. "More than 80,000 used smartphones are for sale daily on eBay in the U.S. Along with their phones, consumers may not realize they are selling their memories and their identities," Jude McColgan, president of mobile at Avast, said in a July 8 statement. "Images, emails and other documents deleted from phones can be exploited for identity theft, blackmail or even for stalking purposes," McColgan added, after shuddering at those selfies of "the previous owner's manhood." As you might guess, Avast said it offers just the solution: its free Avast Anti-Theft app, which is available in the Google Play store. Anyone wanting to sell a phone, without oversharing, can download the app, configure her account online and turn on the "thorough wipe" feature—versus, it would seem, the ineffective wipe feature offered by manufacturers. Used iPhones for Sale For the second time in two years, Apple seems to have partnered with eBay on a "Factory Outlet eBay Store," in an effort to sell restored and unlocked iPhone handsets, AppleInsider reported July 8. The GSM-based phones (so, compatible with AT&T and T-Mobile networks) were priced between $449 and $499. The report added that while there was no "direct language" on the storefront making clear Apple's participation, "it displays many of the hallmarks of the iPhone maker's earlier partnership with eBay to sell refurbished iPads." Notably, the devices advertised as "exclusive to the Factory Outlet" and marked "Apple Certified" come with a full-year Apple warranty and were repackaged with a "final quality inspection performed by Apple." Tomas Zeman, Avast mobile product manager, acknowledged that none of 20 phones Avast bought was an iPhone, and that, in general, recovering data is "much more complicated [on an iPhone] than on Android." He added, in a statement to eWEEK, that the version of iOS is important to note. "If [the version of iOS] does not encrypt the files, you can be somewhat successful in recovering some data using a similar technique as used for Android phones," Zeman added. But generally speaking, "iOS forensics is much harder to do than Android." Follow Michelle Maisto on Twitter.  

Crypto certificates impersonating Google and Yahoo pose threat to Windows users

OS currently has no reliable way to detect bogus credentials released into the wild.