Minecraft exploit makes it “easy” for hackers to crash servers

A security researcher has posted a Minecraft flaw that makes it “easy” for hackers to crash the game’s servers, reports Ars Technica.

Developer Anmar Askar first noticed the exploit two years ago and notified the game’s creator, Mojang, but after being “ignored” and given several “highly unsatisfactory responses” he has now published the details on his blog.

According to ZDNet, the exploit concerns how the Minecraft server decompresses and parses data: when abused, it causes a processor load that exhausts the server's memory. A fix for the flaw "isn't exactly that hard," according to Askar, but the company has failed to address the issue in a series of patches.
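The failure mode described above, inflating attacker-controlled compressed data without any bound on the inflated size, is worth seeing next to its fix. The following is an added example and is not Minecraft's or Mojang's code: it uses Python's zlib with a constructed 1 MiB limit, and the two sample payloads (a small message and a highly compressible oversized one) are built inline for the demonstration.

```python
import zlib

# Upper bound on how far a single compressed message may expand.
# Constructed for this example; a real server would derive it from the
# protocol's maximum message size.
MAX_DECOMPRESSED_BYTES = 1024 * 1024  # 1 MiB


class PayloadTooLarge(ValueError):
    """Raised when compressed input would expand beyond the configured bound."""


def decompress_unbounded(data):
    """The risky pattern: trust the sender and inflate everything.

    A few kilobytes of compressed input can expand to many megabytes
    before any parser sees it, which is exactly how memory gets exhausted.
    """
    return zlib.decompress(data)


def decompress_bounded(data, limit=MAX_DECOMPRESSED_BYTES):
    """Inflate at most `limit` bytes and reject anything that would exceed it.

    Decompress.decompress(data, max_length) stops emitting output once
    max_length bytes have been produced.  Any input it could not consume is
    left in unconsumed_tail, and eof stays False, both of which mean the
    real inflated size is larger than we are willing to hold.
    """
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise PayloadTooLarge(
            "compressed payload would expand beyond %d bytes" % limit
        )
    return out


def build_sample_payloads():
    """Constructed inputs: a normal small message and 8 MiB of zeros, which
    compresses to a few kilobytes but inflates far past the limit."""
    normal = zlib.compress(b'{"type": "chat", "text": "hello"}')
    oversized = zlib.compress(b"\0" * (8 * 1024 * 1024))
    return normal, oversized


def check_payload(data):
    """Return True if the payload is accepted under the bound, False if rejected."""
    try:
        decompress_bounded(data)
        return True
    except PayloadTooLarge:
        return False


if __name__ == "__main__":
    normal, oversized = build_sample_payloads()
    print("oversized payload on the wire: %d bytes" % len(oversized))
    print("normal accepted:", check_payload(normal))
    print("oversized accepted:", check_payload(oversized))
```

The bounded version does its check before any parsing happens, so the cost of a hostile message is capped at the limit rather than at whatever the sender chose to encode; the unbounded version is kept only to make the contrast visible.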

“I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” he wrote. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands of people play on servers running their software at any given time.”

The Register notes that Mojang attempted and failed to patch the flaw after Askar’s blog was published, leaving the game’s servers still vulnerable.

Minecraft was the victim of an attack earlier this year, after 1,800 logins were leaked online in plain text format. It is thought that the data breach could be used to target gamers with phishing attacks that would put their account details at risk.

Microsoft, which purchased Minecraft last year for $2.5 billion, has not yet responded to the latest exploit.

by Kyle Ellison, ESET

Verizon report: Healthcare security shows little sign of improvement

Security in the healthcare sector has been making headlines for all the wrong reasons in recent months, and a new report has found that the industry is showing little sign of cleaning up its act.

More organizations than ever participated in this year’s Data Breach Investigations Report, which identified a record 80,000 security incidents and 2,100 data breaches. According to information shared with Healthcare IT News, 234 of those security incidents related to healthcare, as did 141 of the data breaches.

A number of security areas became more vulnerable, including insider misuse, which accounted for 15 percent of healthcare incidents in 2014 but jumped to 20 percent this year. Senior Verizon analyst Susan Widup says this is a particular cause for attention, as it covers everything from employee snooping to organized crime groups.

Other areas in which healthcare organizations became more vulnerable included web app attacks (7 percent, up from 3 percent in 2014) and denial of service attacks (9 percent, up from 2 percent last year and above the 4 percent all-industry average).

These jumps, of course, mean that there was some good news for the healthcare industry, as theft or loss of unencrypted devices fell from a huge 46 percent last year to 26 percent this year. “It was surprising to see that go down a bit,” said Widup, but the new figure still represents “a huge problem.” She concluded that rather than any significant improvement, healthcare is just seeing a shift in some of the threat actors.

In February, Anthem Inc. was hit by the largest ever data breach suffered by a health insurance company, potentially affecting as many as 80 million customers.

by Kyle Ellison, ESET

Four Mortal Kombat moves cybercriminals use to attack your security

After a long wait, Mortal Kombat X is finally here. Over the past decade, this fighting video game series has been enjoyed by many generations of gamers. Some of the tricks employed by the characters in the legendary fighting series aren’t a million miles away from those deployed by cybercriminals, however…

With security threats increasing all the time, users are in a constant battle to protect their online security – Mortal Kombat style, in fact.

Below, you will see four malicious techniques used by attackers, which would not be out of place in a classical battle between Sub Zero, Kitana, Reptile and their rivals:

Fatality

This is indeed the best-known move to finish off an opponent, available since the very beginning of the series. Many people will certainly feel the adrenaline rush when hearing the famous “Finish Him” (or “Finish Her”, when fighting against a female character) line, providing the chance to execute a fatal finishing move.

Mortal Kombat fans will remember that Shang Tsung’s specialty move is the “Soul Drain”, which involves him stealing his opponent’s soul.

As computer technology has improved, the video above seems pretty unimpressive; nonetheless, it still has certain parallels with what goes on in the world of IT security – think about a ransomware infection, the kind of malware that “kidnaps” information and demands the payment of a ransom to restore access to it. In practically all cases the compromised files are important, private, confidential and valuable.

Isn’t that also the computer’s soul? Of course it is. Therefore, when blocking access to the system’s files, the ransomware is in a way attacking the system’s own existence… and taking away its innermost and most valuable contents. Just as a dark sorcerer would do.

A piece of advice – the best weapon is prevention. Make sure you have an adequate security solution, are cautious when browsing, and ensure you keep an appropriate security backup schedule to recover essential files in case they are compromised.

Brutality

This final move is a combination of successive punches to finish off the opponent and make him explode! As you’d guess from its name, we can’t help thinking about brute force attacks carried out for password stealing purposes.

These attacks allow cybercriminals to automatically compare a list of credentials from a dictionary with the ones stored in the server, generating massive login authentication attempts until retrieving the correct key, explains Denise Giusto from ESET. These credential dictionaries include widely-used words or common expressions.

With the same discipline, strength and speed used by Kitana in the video below where she destroys her opponent, cybercriminals make numerous password-guesses in a matter of seconds, gaining access to accounts for different platforms and services.

A piece of advice – create a strong and safe password so that no one can guess it – not even someone trying with four arms at the same time.

Good practice is to combine letters and numbers, but it is also important to emphasize character length – a password should be long, as long passwords take longer to break.
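The paragraphs above describe brute-force and dictionary attacks from the attacker's side; on the defender's side the same behaviour is very visible in authentication logs. This added example (not from ESET or the article) runs a sliding-window count over constructed sshd-style log lines, with a threshold and window chosen purely for illustration, and raises a second alert when a flagged address subsequently logs in successfully, the moment a guess has landed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Alert when one source address produces this many failures inside the window.
# Both values are illustrative; tune them to your own baseline.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

# Constructed sample lines in an sshd-like format; the addresses come from
# documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
2015-04-17T10:00:01 sshd[101]: Failed password for admin from 198.51.100.7 port 50011
2015-04-17T10:00:03 sshd[102]: Failed password for admin from 198.51.100.7 port 50012
2015-04-17T10:00:05 sshd[103]: Failed password for root from 198.51.100.7 port 50013
2015-04-17T10:00:06 sshd[104]: Failed password for alice from 203.0.113.9 port 40001
2015-04-17T10:00:08 sshd[105]: Failed password for admin from 198.51.100.7 port 50014
2015-04-17T10:00:09 sshd[106]: Failed password for admin from 198.51.100.7 port 50015
2015-04-17T10:00:11 sshd[107]: Accepted password for admin from 198.51.100.7 port 50016
2015-04-17T10:02:30 sshd[108]: Accepted password for alice from 203.0.113.9 port 40002
"""


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines we don't handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_brute_force(lines):
    """Return alerts as (kind, ip, timestamp) tuples.

    'burst'               : FAILURE_THRESHOLD failures from one address within WINDOW.
    'success-after-burst' : a successful login from an address already flagged,
                            which is the alert worth paging on.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        if result == "Failed":
            window = recent[ip]
            window.append(ts)
            # Drop failures that have aged out of the window.
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, ts))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success-after-burst", ip, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), kind, ip)
```

The single failure from the second address never crosses the threshold and produces nothing, which is the point of a windowed count: a lone typo is not an attack, but five guesses in eight seconds from one place is, and a success right after it deserves an immediate look rather than a line in a report.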

Babality

One of the most polemic additions to the Mortal Kombat series was this final move that consisted of turning an opponent into the baby version of themselves. Many complained that it wasn’t gory or violent enough, while others thought it was funny and original.

The truth is that once turned into a baby, the only thing the character who lost the fight can do is cry or have a tantrum, but, in contrast to the other techniques, he doesn’t die and at least his body remains in one piece.

When it comes to threats and computer attacks, cybercriminals perform a kind of Babality when using Social Engineering techniques to turn their victims into innocent creatures who fall for different types of scams – malicious links, fake websites, prizes that will never be handed out, profiles run by bots, fraud under the name of legitimate entities, and more.

Why do we still find inattentive users clicking on an attractive ad claiming they have won a prize for being the millionth visitor to the site?

A piece of advice – many of these threats are spread hidden in email attachments, so be careful when an email comes from an unknown sender; do not enable macros, and scan emails with a security solution.

It is also worth checking which URL an advertised link actually redirects to, because in many cases a fake or questionable website is easy to identify by looking at its domain. Moreover, do not forget that Social Engineering relies on exploiting topical events; consequently, look out for these topical scams and avoid falling into a trap.

Friendship

Friendship is an act of good will towards the weakened adversary. Instead of killing him, the winning character gives him a gift, dances around or shows some attitude that somehow simulates mercy.

And when it comes to fake friendship, we can’t help thinking about the masters of disguise: rogue security software. These are programs that claim to be an antivirus or security solution, usually free of charge, but are actually harmful. The attack starts with striking warning windows indicating the presence of malicious software on the system.

Scared, the victim generally downloads a fake security application that installs malware on the computer.

A piece of advice – once more, you should pay attention so that you can always identify a rogue and, therefore, avoid it. If you use an efficient security solution, you will know that your computer is clean and that the disturbing warning is probably a scam.

As you can see, the fatal techniques used in Mortal Kombat have their parallels in the computer world. Adequate security can ensure you aren’t defeated!

And should you fancy picking up Mortal Kombat X today, it goes without saying you should buy it through the official channels – plenty of malware comes from fake game downloads around the net!

Apply good defensive practices and enjoy the battle! (Only in the video game, of course!)

by Sabrina Pagnotta, ESET

Kendall Jenner has her Twitter hacked, and rude things are said about Justin Bieber

When a celebrity starts to post crazy things on Twitter there are a small number of possibilities.

Either they are just seeking some attention, tweeting things without thinking, or they have been hacked.

The problem is that when it comes to publicity-seeking celebrities, often it’s hard to decide what is most likely. Many times it’s tricky to tell the difference, and although a celebrity might later claim that they have been hacked – it’s hard to know if that’s just being used as an excuse for some ill-advised tweeting.

And sometimes it’s just a lame April Fool’s joke.

But in the case of Kendall Jenner, I think we can be fairly confident that her account was hijacked by an unauthorised party.

Kendall Jenner, one of the stars of the “Keeping up with the Kardashians” reality TV show, appears to have been the latest celebrity to fall foul of Twitter hackers after her account began posting some out-of-character messages to her 10.2 million followers.

Here are some of the out-of-character tweets, one of which refers to her father’s much-rumoured gender reassignment:

Tweets from Kendall Jenner's account

Just got down slobbing on @justinbieber’s nob #SloppyToppy #KKK.

My dad got the sex change, he’s officially a woman now, we can finally have lesbian sex #sweg

Some of the messages referred to two other Twitter accounts, which one presumes belonged to the hackers. Both of those accounts have since been suspended by Twitter’s security team.

All in all, it’s pretty juvenile stuff.

I guess we should be grateful that whoever hacked Kendall Jenner’s account didn’t use the opportunity to spam out links to webpages pushing financial scams, miracle diets or – worst of all – malware.

After all, with over 10 million followers there are probably many people who could have followed a malicious link if it was worded convincingly, and ended up infecting their computer or having their passwords phished.

The mistake Kendall Jenner has probably made is not being careful enough with her account security.

We don’t know precisely how the hackers commandeered control of her account, but it’s possible that she was using an easy-to-guess password, had been phished, or made the classic mistake of reusing passwords in multiple places on the net.

The best way to harden your Twitter account is to not just use a unique, hard-to-guess, hard-to-crack password, but to also enable an additional level of authentication.

For instance, you can configure Twitter to send an SMS message with a random number to your mobile phone whenever you try to log in. All you need to do is enter that number alongside your password in order to gain access to your account.

Alternatively, you can set up login verifications, and from then on a login confirmation request will be sent to the official Twitter app on your iPhone or Android.

Twitter Login Verifications

It’s a sensible idea, because the chances that a hacker who has grabbed your password also has access to your phone are pretty low.

Having such security in place would, I suspect, have prevented Kendall Jenner’s account from telling the world that her father had changed his sex or that she had had an intimate entanglement with bad boy Justin Bieber.

It does appear that the Kardashian Klan suffers its fair share of security issues with its online accounts, with matriarch Kris Jenner claiming to have had her nude videos stolen from iCloud, Kim and Khloe Kardashian having their Twitter accounts hijacked in an apparent prank by Nicole Richie, and naked photos of Kim Kardashian leaking online.

by Graham Cluley, We Live Security

Easter Social Media Safety: video guides

Easter is here, and with it plenty to chat about on social media. Despite the holiday season though, you can’t guarantee that hackers and cybercriminals won’t be on the hunt for weak and vulnerable social media slip ups, so what better time to give a refresher on social media safety than now?

Social Media Safety: General Advice

Let’s start with the basics: five tips to remember when using any social media site. These are generic pointers, but the advice they offer is definitely worth considering whether you’re tweeting or scouting for jobs on LinkedIn.

Security and safety are two different things, of course. This next video gives you some useful guidelines about how to behave on social media to ensure you stay safe:

Unfortunately, social media accounts are a real target for hackers, especially if you have a large social following. Here are some tips on how to make your social account (almost) unhackable:

Social Media Safety: Facebook

Facebook is the world’s most popular social network, but how many people have delved deep into the security settings? Here’s what you can tweak behind the scenes:

Sticking with Facebook, it’s a hotbed of scams and ‘too good to be true’ deals. Here are the top five scams to keep an eye out for:

One final one for Facebook. Hoaxes are pretty common throughout the site, and although most may be benign, some can have unintended consequences. Here are several signs that all might not be what it seems:

Social Media Safety: YouTube

YouTube is the go-to place to watch video online, but with 300 hours of content uploaded every minute, plenty of it isn’t suitable for young eyes. Here’s a guide to keeping your children safe on the video sharing site:

Social Media Safety: Instagram

Instagram may be tame by comparison, but there are always ways to stay safe and secure, and the photo sharing site is no exception. Here are five useful tips:

Social Media Safety: Snapchat

Finally, Snapchat. Last year’s leak of 13GB of data from a third-party app demonstrated the need to stay safe, even on apps that claim to offer true privacy. Here are some pointers for the vanishing chat app:

Got any more social media safety tips? Let us know in the comments.

by Alan Martin, ESET

New day, new Bank of Ireland scam


ESET Ireland sees an unending stream of Irish bank email phishing scams, with Bank of Ireland customers particularly in the crosshairs.

Irish online banking users should be on the watch for a constant flood of variations on the phishing scams involving Irish banks. This week we’ve noticed an increased number of emails targeting Bank of Ireland customers, trying to socially engineer them into giving up their online banking details.

The first and most common variation of the scam claims maintenance is under way and requires a “log in”:

Dear Bank of Ireland user,

You have 1 new ALERT message
WE ARE CURRENTLY PERFORMING REGULAR MAINTENANCE OF OUR SECURITY MEASURES FOR ONLINE BANKING AND CUSTOMER DATABASES.

Please login to your 365 Online Banking and visit the Message Center section in order to read the message.
To Login, please click the link below:
Bank of Ireland 365 Banking Online

The second one has more of a “call to action”, claiming the victim’s account will expire in 72 hours, unless they “log in”:

Dear Valued 365 ® Member,

We are sorry to inform you that your 3 6 5 account will expire within 72 hours.
To avoid this we have no other option but to ask you to verify your account before it will be disabled.

Verify NOW 3 6 5 >>>>

Many thanks for using the 365 Service Desk.
Regards
Shelly
365 Online Support TEAM

This “logging in”, of course, involves being redirected to a forged website, which collects any info the victims type in, then transmits it to the scammers, who can then attempt to assume the identity of the victim and try to rob their account. Additional security measures put in place by banks make this more difficult, as do the helpful safety tips provided, but the cybercriminals are still trying to find ways to circumvent them.

ESET Ireland recommends you do not click on any of the links in the phishing emails and do not reply to them in any way, as that only confirms your identity to the cybercriminals.
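The advice in this piece and in the Mortal Kombat article above (check where a link actually points and look at its domain before trusting it) can be mechanised for an HTML email. The following is an added example and not ESET Ireland's tooling: the legitimate domain bank.example and every host in the constructed sample message are placeholders, and the link texts mimic the kind of wording shown in the scam emails above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder for the bank's genuine domain. Substitute the domain printed
# on the bank's own materials; the check is only as good as this list.
LEGITIMATE_DOMAINS = {"bank.example"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def classify_host(host):
    """Label a link's host relative to the legitimate domain.

    Suffix matching is done on whole labels, so 'bank.example.login-verify.test'
    is a lookalike, not a subdomain of 'bank.example'.
    """
    host = host.lower().rstrip(".")
    for domain in LEGITIMATE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    for domain in LEGITIMATE_DOMAINS:
        if domain in host:
            return "lookalike"
    return "external"


def classify_link(href):
    """Return a verdict for one href; anything that is not http(s) is flagged too."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not-web"
    return classify_host(parts.hostname)


def audit_email(html_body):
    """Return (link text, href, verdict) for every anchor in the message."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(text, href, classify_link(href)) for text, href in parser.links]


# Constructed sample message modelled on the "account will expire" scam.
SAMPLE_EMAIL = """
<p>Dear Valued Member,</p>
<p>We are sorry to inform you that your account will expire within 72 hours.</p>
<p><a href="http://bank.example.login-verify.test/365/">Verify NOW 365 &gt;&gt;&gt;&gt;</a></p>
<p><a href="https://203.0.113.5/secure/login.php">Bank 365 Banking Online</a></p>
<p><a href="https://www.bank.example/help">Security tips</a></p>
"""


if __name__ == "__main__":
    for text, href, verdict in audit_email(SAMPLE_EMAIL):
        print("%-12s %-28s %s" % (verdict, text, href))
```

The two things the scam relies on are both caught here: the visible text says one thing while the href says another, and a host that merely contains the bank's name is not the bank's domain. The same suffix check is what a browser's address bar is doing for you when you read the domain carefully, as the article recommends.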

by Urban Schrott, ESET Ireland

World Backup Day: Six ways to backup your data

Today is World Backup Day, and it goes without saying that backing up data is a thoroughly sensible habit to get into.

Not only does it make sense in case your laptop is stolen or your hard disk fails, but it also protects you should your computer become infected with ransomware. This is a particularly nasty strain of malware that encrypts your files and threatens to delete them if you don’t pay a ransom within a certain time period. ESET doesn’t recommend giving in to ransomware demands for many reasons, both ethical and practical (not least because you mark yourself as a possible target for future attacks), but if your files are all safely backed up, you won’t even feel tempted to negotiate with them in the first place.

There are plenty of options available for people looking to back up their data, all with their own pros and cons. Here are some of your options, but remember: it’s best to have more than one backup to be safe.

1. USB stick


Small, cheap and convenient, USB sticks are everywhere, and their portability means that they’re easy to store safely, but also pretty easy to lose. There are questions about the number of read/write cycles they can take, so they should be considered alongside other backup methods.

Pros:

+ Extremely portable

+ Very cheap

+ Can easily transfer data to other sources

Cons:

– Portability means they’re small and easy to lose

– Questions over read/write cycle longevity

2. External hard drive


External hard drives are just what they sound like – hard drives that live outside your computer, meaning they can be plugged into other machines. If using them for backup, it’s best not to use them as an ‘extra everyday hard drive’.

Pros:

+ Relatively cheap

+ Plenty of storage space for larger files

Cons:

– Potentially exposed to the same problems that lost the files in the first place (a power surge or malware)

3. Time Machine


For the Mac users out there, Time Machine is an option that backs up to external hard drives automatically. Apple sells its own brand of dedicated wireless Time Capsules, but you can use any hard disk for it. Using this method, you’ll automatically keep hourly backups for the last 24 hours, daily backups for the last month and then weekly backups until the disk is full.

Pros:

+ Automated, meaning you shouldn’t forget to stay up to date

+ Frequency of backups means you should never be too out of date

+ Backs up whole drive, not just the key files

Cons:

– Dedicated wireless machine is expensive

– Mac only

4. Network Attached Storage


Businesses tend to back up their files to network attached storage, but with more and more homes having multiple computers, the idea has a certain appeal, especially for those looking to save files from more than one source. With prices coming down, a dedicated wireless storage solution is a convenient option that requires less thought.

Pros:

+ Automatic backups mean you don’t risk forgetting

+ Wireless solutions also work with phones and tablets

Cons:

– Can be expensive

– Can be awkward to set up and maintain

5. Cloud Storage


While network attached storage is essentially your own cloud server, there are plenty of third-party cloud storage options around: free, paid, or free with paid extras. iCloud, Dropbox, Google Drive and OneDrive are big names, but others are available.

Pros:

+ Can be done automatically

+ A certain amount of space is usually free

+ Device agnostic

Cons:

– Requires an internet connection to work

– You have no control over the provider’s own security breaches

– Companies aren’t obliged to keep these services around forever

6. Printing


At first glance, this might sound a facetious inclusion. But while considerably less technically advanced, printing gives you a hard copy of your most important documents that will survive power outages and is easy to store and access even if your computer is out of action for a few days. Of course it’s hard to keep documents up to date this way, and it won’t work for video or audio files, but for that novel you’d be devastated to lose, it’s certainly worth considering.

Pros:

+ A backup that won’t be affected by hardware outages or tech headaches

+ Impossible for hackers to access

Cons:

– Impossible for certain file types

– Awkward to manage

– Less practical for longer documents

– Not great for the environment

However you choose to back up your data (and it’s smart to consider using more than one solution, at least for your life-or-death files), make sure that you do it. Often people don’t think about what would happen if their valuable files were lost until it’s too late. Don’t make that mistake, and use World Backup Day to make sure your files are all safe and accounted for.

by Alan Martin, ESET
