Saturday, September 23, 2017

Tag: HSBC

8-char password limits? HTTP-YES HSBC has been faulted for redirecting business customers to a website that is not obviously secure.…
Google first announced its plan to become a top cloud provider for the enterprise in June 2012. But turning an inward-focused, engineering-driven company inside out to cater to enterprise customers has been a struggle. By most estimates, Google Cloud remains a distant No. 3 behind AWS and Microsoft Azure. Last week’s Google Cloud Next conference may mark a turning point. At 10,000 attendees, the three-day event was more than four times the size of last year’s conference. A change in tone emerged: Google spent more time actively reaching out to enterprises than it did flogging its technical superiority. Instead of SnapChat or Evernote, real enterprise customers waltzed across the stage, including Colgate, Disney, HSBC, Schlumberger, and Verizon. Plus Google announced a partnership with the fusty enterprise software vendor SAP, which will run its in-memory HANA analytics database on Google Cloud.
Avalanche once hosted ransomware that spoofed messages from law enforcement. Now, a team of 40 law enforcement agencies has shut it down. (Credit: Symantec)

[Update, 3:00 PM EDT: This story has been updated with additional details from The Shadowserver Foundation and Europol.] A botnet that has served up phishing attacks and at least 17 different malware families to victims for much of this decade has been taken down in a coordinated effort by an international group of law enforcement agencies and security firms. Law enforcement officials seized command and control servers and took control of more than 800,000 Internet domains used by the botnet, dubbed "Avalanche," which has been in operation in some form since at least late 2009. "The operation involves arrests and searches in five countries," representatives of the FBI and US Department of Justice said in a joint statement issued today. "More than 50 Avalanche servers worldwide were taken offline." A Europol release on the operation provided more details, stating: [Five] individuals were arrested, 37 premises were searched, and 39 servers were seized.
Victims of malware infections were identified in over 180 countries.

Also, 221 servers were put offline through abuse notifications sent to the hosting providers.

The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked. The domains seized have been "sinkholed" to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world.

The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the US portion of the takedown. "The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network," the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as "the world’s most prolific phishing gang," noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). "During that time, it targeted more than 40 major financial institutions, online services, and job search providers," APWG reported.
In December of 2009, the network used 959 distinct domains for its phishing campaigns.

Avalanche also actively spread the Zeus financial fraud botnet at the time. The phishing messages sent through Avalanche's army of bots in 2009 were generally spoofed e-mails from financial institutions, including USAA (a bank largely serving US military and veterans) and HSBC.

The botnet churned through domains faster than most, with more than half its domains being live for less than 12 hours in late 2009.

The programmatic churning through domains is how the botnet accrued more than 800,000 domains by the time of the takedown this week. The Shadowserver Foundation, a non-profit organization of security professionals that assisted in what the organization described in a post on the takedown as an 18-month collaboration with law enforcement, described Avalanche as a "Double Fast Flux" botnet.
Individual nodes within the botnet are registered and then quickly de-registered as the host associated with a Domain Name Service A address record for a single DNS name. The destination addresses for a DNS record often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses.

And there are multiple domain names for command and control nodes hard-coded into the botnet malware, allowing the bots to switch to a different domain name if a specific domain is blocked. "More than 20 different malware families using multiple Domain Generation Algorithms (DGAs) and operating criminal infrastructure in 30 countries and US states impacted over 60 registries worldwide required unprecedented levels of effective international partnership," a Shadowserver Foundation spokesperson reported. Avalanche's phishing operations appeared to drop off in 2010—likely because the organization behind the botnet turned to other sources of income, using its infrastructure to spread a variety of malware instead.

By 2012, Avalanche's command and control network was pushing a variety of crimeware, including "police ransomware." That malware spoofed a message from law enforcement claiming the victim's system had been distributing illegal pornography, then disabled the infected computer until the victim paid a "fine" to unlock it.

According to Symantec, the same block of command and control servers was also used by a banking Trojan called Bebloh that targeted German speakers.

This malware family was investigated at the time by police in Luneburg, Germany, and as the investigation expanded, more and more malware families were discovered to be tied to the same command and control infrastructure. As the investigation grew, the Luneburg police and the public prosecutor's office for the district of Verden, Germany were joined by law enforcement organizations from more than 40 countries, including the FBI's Pittsburgh Division and the Computer Crime and Intellectual Property Section of the United States Department of Justice, Europol, and Eurojust. The Justice Department said additional information on the dismantling of Avalanche—and information about some of its victims in the Pittsburgh area—will be provided "early next week."
Phishing emails promise free money Fraudsters are phishing for what remains in fraud victims' bank accounts under the guise of British anti-fraud campaign Action Fraud. An email using the City of London Police logo – Action Fraud works closely with it – has circulated offering free money from the Fraud Intelligence Unit and National Fraud Intelligence bureau. The fraudulent email says that HSBC and the South African Reserve Bank have been chosen to handle compensation claims. Going by the number of complaints that The Register receives each month regarding Action Fraud's tardiness, those who may have been defrauded in the past are likely to be suspicious simply receiving any correspondence from the organisation at all. This type of scam, known as recovery fraud, targets people who had formerly been a victim of fraud with promises of compensation for the money they've lost.

The fraudsters attempt to acquire confidential details from victims in order to defraud them for a second time, and in some circumstances request fees in order to speed up the release of the recovered money. For those in doubt: It's a scam.

Don't click the links, don't open the attachments.

Delete the email and report it to Action Fraud. ®
'Whaling' attackers fall for poison PDF 'invoices' HITB Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams... and they hate him for it. The director of SEC Consult's Singapore office has made a name striking back at so-called "whaling" scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police. Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts. It works.

The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year.
Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015. Harpooned companies include Mattel, which shipped and by dumb luck recuperated $3m its executive sent to a hacker's Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January. They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims. Lukavsky told The Reg of his work on the back of his presentation at August's Hack in the Box in Singapore, where he explained that he uses the attacker's tactics to compromise scammers' Microsoft accounts. "Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters," Lukavsky says. "We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information." "We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook." Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper. The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers located in Africa. He says he got a kick out of the tale of one security researcher who avenged his parents by convincing a net scammer to run the dangerous Locky ransomware. Lukavsky says one of his friends recently compromised a whaling scammer and has reported seven of the criminal's bank accounts to financial institutions which shut them down. "And those bank accounts are probably one of the most valuable goods to the fraudsters as they are difficult to set up in times of more stringent regulatory controls, know your customer rules, anti money laundering, etcetera," he says. It is generally difficult for organisations to recuperate their losses.
Ubiquiti clawed back $9m from the $46.7m it lost, a rare win. The document harvesting system Lukavsky uses is being woven into a data leak prevention system Sec Consult hopes to launch by year's end. MyNetWatchman's Donald McCarthy has had equal fun messing with whaling scammers. He told Vulture South earlier this year how he doxed tax scammers in Africa, where about 17,000 business email compromise actors, or about 40 per cent of the global pool, are thought to operate. Some of the best scams are compartmentalised, with different teams responsible for various intelligence and social engineering tasks.

Teams will often compromise a business's email accounts to gather intelligence on the types of services and partners it uses. Criminal call centre services offer scammers the ability to pay for English-speakers to make follow-up phone calls to further convince targeted businesses. Scammed funds are often wired between banks on their way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea, where money trails run cold. ®
Bank drops passwords, rolls out voice recog for phone banking Barclays is abolishing passwords for its telephone banking customers in favour of voice recognition. The high street bank - which has been trialling voice recognition technology with a limited number of customers for three years since 2013 - said that technology that identifies a caller based solely on their voice is a “highly secure method of identification that removes the need for security questions and passwords”. “Each person’s voice is as unique as their fingerprint, made up of over 100 characteristics based on the physical configuration of the speaker's mouth and throat.

Therefore, when a customer calls up to use telephone banking, the technology will be able to identify them simply from the first few words that are spoken,” it added. Barclays voice recognition technology is being supplied by Nuance Communications and has been "fully tested", a Barclays spokeswoman told El Reg. If a customer has forgotten their password, it takes two minutes on average to get through the alternative security measures.
Voice Security will speed up this process significantly as well as being more secure, according to Barclays. Steven Cooper, chief exec of personal banking at Barclays, commented “We can all relate to the frustration of forgetting a password at the crucial moment.
Voice security can cut out that part of the call completely and, unlike a password, each person’s voice is as unique as a fingerprint.” Barclays said the success of its trial means that it is now rolling it out to all its personal banking customers over the age of 16. Richard Lack, director of sales EMEA at customer identity management experts Gigya, welcomed the UK high street bank’s move away from difficult-to-remember passwords. “The news that Barclays is abolishing passwords in favour of voice recognition technology for its telephone banking customers comes as no surprise.
In Europe, consumers tell us that they are struggling to remember what is now an average of more than 100 passwords across their personal accounts and devices. “Using one’s voice is far more convenient than creating and remembering yet another username/password combination, along with the answers to tedious security questions. What’s more, our most recent survey found that 80 per cent of all consumers believe that biometric authentication is more secure than traditional registration,” he added. Barclays was the first bank in Europe to begin moving away from passwords towards voice recognition.

For example, UK rival HSBC announced plans to begin trialling voice recognition and Touch ID as an alternative to conventional passwords back in February. Moving to biometric authentication is beneficial for both businesses and their customers, according to Lack. “Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security,” Lack concluded. ®
Thomson Reuters 'working furiously' to secure 2.2 million sensitive records. The terrorist database used by global banks and intelligence agencies World-Check has reportedly leaked online. The mid-2014 version of the database contains some 2.2 million records and is used by 49 of the world's 50 largest banks, along with 300 government and intelligence agencies. The Thomson Reuters database is accused of falsely designating citizens and organisations as terrorists.

Banks have used this data in whole or in part to shutter accounts, effectively locking people out of vast swathes of the global banking system. Established security researcher Chris Vickery found the database and told The Register it is still exposed online after he disclosed its location to Thomson Reuters. "As far as I know, the original location of the leak is still exposed to the public internet," Vickery says. "Thomson Reuters is working feverishly to get it secured." Thomson Reuters says it will provide citizens and organisations information about their designation on individual request.

Alerts are not issued to known contacts of those affected when terrorist designations are assigned, however. A high profile public disclosure of the database beyond the original leak could be reckless: World-Check contains sensitive information on citizens regarding their alleged criminal histories and terrorist links. Thomson Reuters requests that banks and other customers use multiple sources alongside World-Check and requests that the secretive database not be cited in any public decision-making materials. The organisation rejects accusations that World-Check is a controversial service. Inaccurate terror designations were first revealed by the BBC's Radio 4 which gained 30 minutes of access to the database in August 2015 from a disgruntled customer. That program revealed multiple British citizens who had their HSBC bank accounts closed in 2014 without the possibility of appeal, because of what they claimed were incorrect records in World-Check identifying them as having terrorist links. One of those was the account for the UK Finsbury Park Mosque which was described in a HSBC letter as having "fallen outside of HSBC's risk appetite". The Mosque was in years past visited by Al Qaeda operatives, Beslan Siege members, and had convicted terrorist Abu Hamza al-Masri as its imam in 1997. Since that time the Mosque has been run by a group supported by the Metropolitan Police. Sources say HSBC closed on the mosque because it donated money to Palestine during the 2015 Israel-Gaza war. At the same time HSBC shuttered the account of the Cordoba Foundation, a UK think tank which was designated by the United Arab Emirates as a terrorist organisation for its alleged links to the Muslim Brotherhood. The dynamic Muslim Brotherhood movement is a political opponent in the region. HSBC shuttered the accounts of foundation chief executive Anas Altikriti, including his three-decade old personal account, and that of his wife and two teenage children.
The BBC reported finding information in World-Check based on Wikipedia entries, bias blogs, and state-backed news agencies. Vice News also gained access to the World-Check database in February. It found terrorist profiles including the Council on American-Islamic Relations executive director Nihad Awad, who joined former US President George W. Bush in a post 9/11 press conference, and the organisation itself. Former World Bank and Bank of England advisor Mohamed Iqbal Asaria, awarded a Commander of the Order of the British Empire award in 2005, was also listed as a terrorist. Vickery has reported recent large-scale breaches including information on 93 million Mexican voters in April.

The records were exposed thanks to a configuration error in a MongoDB database. He also earlier revealed the exposure of 13 million records of MacKeeper, Zeobit, and Kromtech, and some 1700 records of children from website uKnowKids. ®
New research by industry-leading think tank reveals that most organizations cannot ensure protection and access for critical long-term digital information despite accelerating legal and business requirements

IGI Industry Benchmark calls for immediate action & provides insight and guidance to help organizations achieve compliance

New research has revealed that the majority of organizations do not have a coherent long-term strategy for their vital digital information even though virtually all of them (98%) are required to keep information for ten years or longer.

Further, while 97% of information professionals understand the need for a specialized approach to these assets, only 11% are storing them in systems specifically designed to ensure long-term protection and access.

This gap has economic, legal, and business competitiveness implications. The research, conducted by think tank the Information Governance Initiative (IGI) with support from Preservica, provides a new benchmark for organizations to evaluate their capability and outlines tactics for closing this critical gap.
It also reports on how leading organizations like Associated Press, HSBC, and the State of Texas have addressed this challenge.

The Governance of Long-Term Digital Information: IGI 2016 Benchmark also reveals that information management professionals charged with addressing this problem are highly aware (97%) of the unique challenge of opening, using, and relying upon digital files over the long-term. Namely, that accelerating innovation and technology refresh rates mean that software and hardware can be obsolete, making the information unusable, long before an organization’s legal need or business requirement to keep and use that information expires. However, most organizations appear to lack a coherent strategy to solve this problem.

An alarming majority of organizations (68%), for example, rely on shared network drives to store these assets, a technology that offers no inherent capabilities to protect or ensure access over the long-term. “Every day it becomes easier and cheaper to store digital information,” said Barclay T. Blair, executive director and founder of IGI. “But every day we also see an intensification of global legal and business obligations to protect and provide long-term access to these critical assets. Our Benchmark shows that virtually every organization large and small across industry verticals faces this problem, but awareness of how to solve it is low.

This concerns us.”

“It is great to see forward-thinking organizations in this report, such as HSBC, Texas State Archives and the Associated Press, leading the way in adopting digital preservation as a core facet of their information governance strategies,” commented Jon Tilbury, CEO at Preservica. “However, this research tells us that most organizations are still at significant risk when it comes to safeguarding their vital long-term digital information.”

Preservica’s support has enabled the IGI to make the full Benchmark available for immediate download at no cost. It is available now at: www.preservica.com/resource/long-term-records-preservation

The IGI and Preservica are running an online event to discuss the key findings of the Benchmark on the 8th of June 2016 at 11am EST, 4pm UK.

The IGI is supported by a number of leading information governance providers, and aims to promote the adoption of information governance strategies in the protection of corporate data. Preservica’s partnership with the IGI demonstrates the growing importance of digital preservation in the overall information governance lifecycle, ensuring that data is findable, useable and trustworthy long into the future.

About the IGI: The Information Governance Initiative (IGI) is a think tank and community dedicated to advancing the adoption of Information Governance (IG) practices and technologies through research, events, advocacy and peer-to-peer networking. We are dedicated to the professionalization of IG and have called for the creation of a new kind of information leader called the Chief Information Governance Officer.

The IGI Community is where thousands of practitioners from cybersecurity, IT, analytics, privacy, legal, records management, and the other facets of IG come together and learn from each other.

The IGI was founded by recognized leaders in the field of IG, and is supported by leading providers of IG products and services.

About Preservica: Preservica is a world leader in digital preservation technology, consulting and research. Our active preservation solutions are used by leading businesses, archives, libraries, museums and government organizations globally, to safeguard and share valuable digital content, collections and electronic records, for decades to come.

These include 17 US State Archives, the European Commission, Wellcome Library and HSBC, to name a few. Preservica’s award-winning digital preservation and access software is a complete, standards-based (OAIS ISO 14721) trusted repository that includes connectors to leading Enterprise Content and Records Management systems to ensure long-term usability, trustworthiness and preservation of vital digital records, emails and content.

Visit: www.preservica.com

In the US: For further information, please contact: Maria Doyle, maria@doylestratcomm.com, +1-781-964-3536

In the UK: For further information, please contact: Ilona Hitel, ihitel@thecommsco.com, or mobile: 07734 355205.
More than half of the world’s 50 biggest bank websites have been hit by security incidents in the past eight years, a study has revealed. High or critical risks made up 15% of the total incidents discovered, affecting 11 banks, according to research by Swiss IT security services firm High-Tech Bridge. Low or medium risks made up 46% of the 102 incidents that affected 23 of the banks, said the research, published to coincide with the UK financial sector cyber resilience exercise. Operation Waking Shark 2 is the most extensive cyber threat exercise in two years to test the preparedness of the UK financial infrastructure to withstand a sustained cyber attack. Topping the security incident table in the High-Tech Bridge study is the Bank of America with 12 incidents, followed by HSBC and Bank of Montreal with 10 each, and Barclays with 9. But most of the incidents (19.6%) were in the UK, followed by the US, Canada and France. No incidents were reported in Denmark, Italy and Japan. The best performers – with no website security incidents – were 24 of the 50 banks, including Lloyds Banking Group, Mizuho Financial Group, Bank of China, Sumitomo Mitsui Financial Group, Rabobank, Goldman Sachs, National Australia Bank and Scotiabank. High-Tech Bridge used public and open sources of information to collect statistics on security incidents involving banking websites. The research team noted the number of actual incidents is probably higher, as many security incidents pass unnoticed or are covered up to protect the reputation of the banks involved. The study was aimed at assessing the scale of insecure web applications on banking websites, and to find out how many financial institution websites had been compromised. To simplify the research, High-Tech Bridge looked only at the main websites and subdomains of each bank, without taking into consideration regional websites. 
Cross-site scripting (XSS) attacks accounted for 79% of the incidents, followed by SQL injection (SQLi) at 4%. Ilia Kolochenko, chief executive of High-Tech Bridge, said the numbers were high even though the research covered only publicly known security incidents and did not include common DDoS (distributed denial of service) attacks or phishing campaigns. “The statistics confirm that even financial institutions should pay more attention to their web application security, not only to protect their customers but to maintain their digital reputation,” he said. Kolochenko said the fact that there were few security incidents publicly exposed in 2013 does not necessarily confirm that web applications are becoming more secure. “It is more about new objectives of hackers - today they are not looking for glory but for profit, therefore do not make any noise and compromise web systems without being noticed," he said.