NYC mayor pins crime rate spike on iPhone, iPad theft: If it weren’t for Apple kit, crime would be down

By Neil McAllister

Major crime is on the rise in New York City, and Mayor Michael Bloomberg says the increase is due entirely to thefts of Apple’s iPhone and iPad devices, which he says are inordinately attractive to thieves.

As reported by The New York Times, Bloomberg raised the issue during Friday’s edition of his weekly morning broadcast with John Gambling on WOR radio, during which he discusses current issues in the city.

According to Bloomberg, the New York Police Department’s annual crime index – a composite statistic that tallies such felonies as murder, grand larceny, and robbery – recorded 3,484 more major crimes in 2012 than in the previous year, an increase of 3.3 per cent.

Take thefts of iPhones and iPads out of the mix, however, and you end up with a rather different picture. 3,890 more Apple products were snatched during the year than in 2011, more than enough to account for the entire increase in overall crime.

“If you just took away the jump in Apple, we’d be down for the year,” Marc La Vorgna, the mayor’s press secretary, told the Times.

Most other types of crime in the city are indeed on the decline, and have been since 1991. For example, in 1990 the NYPD recorded 2,245 homicides. The current tally for this year is 414, putting New York on track to record its lowest murder rate since it first began compiling statistics in 1963.

On his radio program, Bloomberg said he had not broken out thefts of devices made by Apple’s competitors, such as Samsung and HTC, but he observed that iPhones and iPads seemed to be particular targets for thieves in New York. The rate of such thefts is increasing ten times faster than that of other types of crime.

Similar trends have been observed in cities across the nation. In San Francisco, home of The Reg’s West Coast aerie, thefts of Apple products accounted for nearly half of all robberies in 2012. Cell phone robberies were also up in St. Louis, where Mayor Francis Slay observed in September, “It will take a national solution to make this problem go away.”

While federal legislation to prevent cell phone theft does not yet appear to be in the offing, Mayor Bloomberg did have some advice for iDevice owners in New York.

“Put it in a pocket in sort of a more body-fitting, tighter clothes, that you can feel if it was – if somebody put their hand in your pocket, not just an outside coat pocket,” he said.

http://www.theregister.co.uk/2012/12/29/bloomberg_blames_apple_for_crime_spike/

Database hacking: The year that was

By David Maman

Have you ever been to the Privacy Rights Clearinghouse site? It tallies all the data breaches that have occurred in the United States since 2005. What you read there is really scary…

I decided only to look at the past 12 months – 651 breaches, an average of 2 per day. Not a number I like to live with.
They were all there: Visa, Adobe, LinkedIn, etc. — all the big ones we heard about and the small ones we didn’t. Remember, these are only the ones made public. What about all the breaches that haven’t been announced – or discovered? Let’s say 50% – based on the success rate of the known breaches.
My first impulse was to seriously reconsider online shopping and dramatically reduce my online accounts. Apparently, all my private data is potentially an open book…my credit card numbers, my medical files, all the personal information we entrust to organizations. Sadly, they often don’t live up to our trust.
A brief look into what caused the exposure of this personally identifiable information (PII) reveals disheartening facts:

  • “An unauthorized party accessed WTH’s booking system by misusing the log-in credentials of an authorized user. Encrypted credit card numbers and expiration dates were stored there and could be decrypted in the system were exposed.”
  • “Names and Social Security numbers were discovered on the website of the Department of Health Care Services.”
  • “A dishonest employee working in the billing department used her position to access account information. She scanned checks and identification information from…”
  • “A dishonest volunteer was caught passing patient information to people who used it to file fraudulent tax returns. The volunteer used his smart phone to capture patient records while working in an emergency room.”

Database breaches happen every day – internally, from dishonest employees and subcontractors, to external sources such as hackers using SQL injections, worms infecting public web sites, massive phishing attacks, and targeted attacks on financial institutions and defense organizations.
The more I read, the more I thought: “Why don’t the database administrators understand how vulnerable their records really are? Why isn’t the person at the company responsible for oversight in all other departments also ensuring electronic records are just as secure?” After all, these attacks aren’t a new phenomenon.
Instead of incurring damage-control related expenses such as hiring lawyers and public relations teams after their databases have been penetrated, it would be much easier, much-much cheaper and for sure more ethical to take serious prevention measures to stop these attacks from happening.
The technology exists and is readily available. Companies can find affordable database security providing dynamic data masking, separation of duties, database firewall, application security, and database activity monitoring. Just look for it. It’s there.

http://www.net-security.org/secworld.php?id=14165

Judge Refuses to Step Down from Stratfor Hacker’s Case

By Eduard Kovacs

After alleged Stratfor hacker Jeremy Hammond was denied bail, Anonymous hacktivists and his supporters have asked the judge assigned to oversee the case to step down because of a “direct conflict of interest.” The judge has refused to do so. Anonymous argued that Judge Loretta Preska’s husband was working for a Stratfor client at the time of the hack, so she shouldn’t be allowed to handle the case.
However, according to Democracy Now, the federal judge has refused to recuse herself from the trial.
“You have the judge; her husband has been hacked. Her husband’s email is accessible and she is sitting on the case of the very person who they allege hacked into that email account,” Michael Ratner, president emeritus of the Center for Constitutional Rights, told the publication.
Ratner added, “Well, the rules seem to me very clear in federal court, that if there’s any appearance of impropriety, appearance of a closeness to the case, that basically you have to recuse yourself from being a judge in the case. You have to do it automatically, even if the defendant doesn’t make a motion.”
Jeremy Hammond, an alleged member of the LulzSec hacker group, was arrested back in March after Sabu turned him and the other members of the collective over to law enforcement.

http://news.softpedia.com/news/Judge-Refuses-to-Step-Down-from-Stratfor-Hacker-s-Case-317858.shtml

Sites of CitiBank and Bank of America Disrupted by al-Qassam Cyber Fighters

By Eduard Kovacs

The websites of a couple of United States financial institutions have fallen victim to the distributed denial-of-service (DDOS) attacks launched by Izz ad-Din al-Qassam Cyber Fighters. The hacktivists’ latest targets appear to be CitiBank and Bank of America – the sites of both companies experiencing temporary interruptions.
On Thursday, domains such as citicards.com, citibank.com and citi.com were inaccessible at times, Hilf-ol-Fozoul reports.
“Currently we are aware & are working on technical issues with Citi websites. We will let you know when service is fully restored. We apologize for the inconvenience. Please call the number on the back of your card if you need immediate assistance,” the bank’s representatives wrote on Twitter.
The website of Bank of America also suffered some downtime. The bank’s representatives have not issued any statements on the matter.
The site of BoA has been attacked before as part of Operation Ababil, but the one of CitiBank hasn’t been targeted until now.

http://news.softpedia.com/news/Sites-of-CitiBank-and-Bank-of-America-Disrupted-by-al-Qassam-Cyber-Fighters-317445.shtml

‘Shake to charge’, similar crapps foul up Amazon Android store

By John Leyden

Security researchers have sniffed out dodgy apps floating around the Amazon App Store for Android-powered devices. Roel Schouwenberg, a Kaspersky Lab Expert, ran into the “malware” while looking for benchmarking apps for his Kindle Fire HD on the online shop. The “Internet Accelerator Speed Up” program, for example, is supposedly designed to boost internet connection speeds; however, it fails to “do much of anything”, according to Schouwenberg. The app is free but does show adverts from a mobile marketing network. The independent developer behind the software has also released another app intriguingly called Shake Battery Charger. The appearance of suspicious apps on the Amazon store reflects the popularity of the online bazaar. Schouwenberg has filed a complaint with Amazon about the potentially dodgy software.
Source: http://www.theregister.co.uk/2012/12/21/amazon_app_store_dodgy_app/

New WordPress vulnerability emerges

By Richard Chirgwin

Sorry to spoil the day for any sysadmins that thought today would be a slow day, but a security researcher has announced a serious vulnerability in the default configuration of a popular WordPress plugin. W3 Total Cache, which boasts high-traffic sites like Mashable and Lockergnome among its users, has serious vulnerabilities, according to this post on the Full Disclosure list. The default setup – that is, when users simply choose “add plugin” from the WordPress catalogue – left cache directory listings enabled, according to poster Jason Donenfield. This, he said, allows database cache keys to be downloaded on vulnerable installations – and that could expose password hashes. “A simple google search of “inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic reveals this wasn’t just an issue for me”, he writes.
Source: http://www.theregister.co.uk/2012/12/27/wordpress_cache_plugin_vulnerable/
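
A defender-side check for the exposure described in the W3 Total Cache item above, as an added example that is not part of the original article or the plugin's code: it walks a local web root, finds every w3tc/dbcache directory and reports whether an Apache .htaccess file blocks it or merely hides the listing. It assumes Apache with .htaccess overrides honoured; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: Apache honouring .htaccess (AllowOverride on); other servers need their own check.
DENY = re.compile(r"^\s*(require\s+all\s+denied|deny\s+from\s+all)\s*$", re.I | re.M)
NO_INDEX = re.compile(r"^\s*options\b[^\n]*-indexes\b", re.I | re.M)
INDEX_FILES = ("index.html", "index.htm", "index.php")

def protection(directory, web_root):
    """Nearest .htaccess between directory and web_root that restricts access, if any."""
    current, root = Path(directory).resolve(), Path(web_root).resolve()
    while True:
        htaccess = current / ".htaccess"
        text = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
        if DENY.search(text):
            return "blocked"
        if NO_INDEX.search(text):
            return "listing-off"
        if current == root or current.parent == current:
            return None
        current = current.parent

def audit(web_root):
    """Return {relative_path: status} for every w3tc/dbcache directory under web_root."""
    results = {}
    for cache in Path(web_root).rglob("dbcache"):
        if not (cache.is_dir() and cache.parent.name == "w3tc"):
            continue
        status = protection(cache, web_root)
        if status is None:  # an index file also suppresses the auto-generated listing
            status = "listing-off" if any((cache / n).is_file() for n in INDEX_FILES) else "listable"
        results[cache.relative_to(web_root).as_posix()] = status
    return results

def build_sample(root):
    """Constructed sample tree: three sites with different cache-directory protection."""
    for site, rule in (("a", None), ("b", "Options -Indexes\n"), ("c", "Require all denied\n")):
        cache = Path(root, site, "wp-content/plugins/w3tc/dbcache")
        cache.mkdir(parents=True)
        (cache / "constructed_cache_entry").write_text("constructed placeholder\n")
        if rule:
            Path(root, site, "wp-content", ".htaccess").write_text(rule)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, status in sorted(audit(tmp).items()):
            print(f"{status:12} {rel}")
```

A "listing-off" result only hides the index page; the cache files are still served to anyone who requests them by name, so "blocked" is the state to aim for.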

Health-care sector vulnerable to hackers, researchers say

By Robert O’Harrow Jr.

As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews. Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems. “I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
Source: http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html

Flaw in Facebook Camera for iOS Allowed Hackers to Hijack Accounts

By Eduard Kovacs

On December 21, Facebook released the 1.1.2 version of the Facebook Camera app for iOS to address a vulnerability that allowed cybercriminals to hijack user accounts by launching man-in-the-middle attacks. Egyptian security researcher and CEO of Attack-Secure Mohamed Ramadan – the one who identified and reported the flaw to Facebook – told Softpedia that an attacker connected to the same wireless network as his victim could easily sniff the traffic and intercept account credentials. “The problem is the app accepts any SSL certification from any source even evil SSL certs and this enables any attacker to perform Man in The Middle Attack against anyone uses Facebook Camera App for iPhone,” Ramadan explained. “This means that the application doesn’t warn the user if someone in the same Wireless Network trying to hijack his Facebook account. This vulnerability is very dangerous because we connect to wireless networks everywhere, we can use hotel wireless service or restaurants wireless service, etc.”
Source: http://news.softpedia.com/news/Flaw-in-Facebook-Camera-for-iOS-Allowed-Hackers-to-Hijack-Accounts-317253.shtml

Spammers Using Fake YouTube Notifications to Peddle Drugs

By Christopher Brook

Spammers are attempting to deceive unsuspecting users into clicking on fake YouTube links that lead to a counterfeit drug website, according to a report yesterday from security firm Webroot. Dancho Danchev writes that pharmaceutical scammers are circulating emails that mimic legitimate YouTube notifications. The emails claim someone from YouTube Support has sent the user a personal message, yet once the user clicks on a link in the email, they are redirected to a dubious-looking drug website, Canadian Family Pharmacy. Danchev goes on to write that while the site was being analyzed, it had a hard time staying online and in turn, seemingly stopped any potential victims from being tricked into purchasing fake drugs. Pharmaceutical spammers have been using affiliate programs to push their pills for years now. Faux and rogue pharmacies have been using botnets, spam email campaigns and disguised notifications from Facebook, Twitter and, as in this attack, YouTube, to spread their spammy links around.
Source: http://threatpost.com/en_us/blogs/spammers-using-fake-youtube-notifications-peddle-drugs-122612

New DDoS Attacks Slam US Banks, Attackers Say Worst Is Yet To Come

By Fahmida Y. Rashid

In a Pastebin message posted on Monday, a hacker group called Izz ad-Din al-Qassam Cyber Fighters warned it would launch a series of distributed denial of service (DDoS) attacks against U.S. financial institutions this week, and named U.S. Bancorp, JPMorgan Chase, Bank of America, PNC, and SunTrust as its targets. Users started reporting problems accessing banking websites Tuesday evening, and some sites were still intermittently inaccessible on Wednesday afternoon. Users started reporting Bank of America’s website was not loading beginning Tuesday morning, till about 3pm Eastern Wednesday, according to Sitedown.co. The site websitedown.com reported intermittent outages at SunTrust’s site around noon on Tuesday. PNC took to Facebook and Twitter to keep customers informed of the attacks. “PNC and other banks have experienced an unusual volume of internet traffic. As a result, some customers may experience slowness or difficulty when logging into online and mobile banking. We are working to resolve this issue as quickly as possible. Please continue to follow our page for additional updates. We apologize for the inconvenience and appreciate your patience,” PNC posted on its Facebook page Tuesday evening.
Source: http://www.securityweek.com/new-ddos-attacks-slam-us-banks-attackers-say-worst-has-yet-come