Year 2013 will be year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also relates to mobile.
Security becomes an increasingly important issue. Year 2013 is the year of cyber security. Security company Stonesoft predicts we will face a more targeted launch cyber-attacks, cyber espionage and hactivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and willingness to face the unknown threats.
Hacktivism will continue. According to article Anonymous: ‘Expect us 2013′ the hacking group boasted its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to continue to expect this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA
devices. Good idea to test your devices against it.
There is still work to do on Cyber security standards and SCADA standards. For example in very widely used automation security standard IEC 61508 security is addresses only in informative way (NOT MANDATORY. IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking on SCADA systems security.
Nowadays you need to think about SCADA system security more then some years ago. Previously, it was thought that it is sufficient to isolate factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about information security of production of automation systems. You can’t keep the automation systems isolated from Internet. Accidental connections to Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automations system do not anymore live in complete isolation from rest of the world.
Systems with SCADA vulnerabilities have become easier to find. Hackers tap SCADA vuln search engine article tells a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. Search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults.
Thousands of SCADA Devices Discovered On the Open Internet article tells that there are all the time news of the continuing poor state of security for industrial control systems. The pair of researchers with found found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS system is also used to generate accurate clocks in SCADA system and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grid and cause UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code. Exploits are sold for considerable amount of money and quickly included into exploit kits.
Africa’s Coming Cyber-Crime Epidemic article tells that last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected and lax law enforcement is a perfect petri dish for increased cybercrime.
European wide cyber police started. EU’s new European Cybercrime Centre (EC3) was just opened few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Japanese Police Urge ISPs to Block Tor
http://paritynews.com/government/item/1000-japanese-police-urge-isps-to-block-tor
Authorities in Japan are presumably worried about their inability to tackle cybercrime and, in a bid to stem one of the sources of anonymous traffic, the National Police Agency (NPA) is asking ISPs to block Tor.
Japanese police is having a hard time when it comes to crimes in the cyberspace. Just last year a hacker, going by the name Demon Killer, took remote control of systems across the country and posted death threats on public message boards.
Katayama’s PCs were seized, analysis of which revealed that the 30-year old regularly used Tor to anonymize his online activities.
Tomi Engdahl says:
The Secret Password Is…
http://www.linuxjournal.com/content/secret-password
If your password is as easy as 123, we need to talk.
Since retinal scans still mainly are used in the movies to set the scene for gruesome eyeball-stealing, for the foreseeable future (pun intended), we’re stuck with passwords. In this article, I want to take some time to discuss best practices and give some thoughts on cool software designed to help you keep your private affairs private. Before getting into the how-to section, let me openly discuss the how-not-to.
Tomi Engdahl says:
China main source of cyberespionage attacks in 2012
http://www.zdnet.com/cn/china-main-source-of-cyberespionage-attacks-in-2012-7000014325/
Summary: Chinese IP addresses account for 30 percent of data breaches worldwide last year and 96 percent of these attacks were made for online espionage purposes, according to a Verizon study.
Changing motives mean less data stolen by hacktivists
The DBIR also showed that while the number of hactivist-related attacks in 2012 remain on par with the year before, the amount of data stolen has dropped significantly. In 2011, 58 percent of data stolen were attributed to hacktivism, but this had been reduced to 2 percent a year later, it noted.
Lum said the fall in data stolen was because of the attackers’ changing motives. Where in the past hacktivists would hack into companies’ servers, steal data and post the information online to negatively impact these organizations’ reputations, they are now conducting more distributed denial of service (DDoS) attacks to disrupt companies’ Web services, he explained.
Tomi Engdahl says:
Hacked AP tweet claiming White House explosion causes Dow dip
http://www.theregister.co.uk/2013/04/23/hacked_ap_tweet_dow_decline/
A group calling itself the Syrian Electronic Army is claiming that it successfully hacked the official Twitter account of the Associated Press and is responsible for a tweet that briefly wiped billions off the Dow Jones Industrial Average on Tuesday.
“AP Twitter feed was hacked today by the Syrian Electronic Army. SEA published a false news about an explosion in the whitehouse and Obama got injured. This small tweet created some chaos in the United States in addition to a decline in some U.S. stocks,” the group said on their website.
AP has since confirmed that its account had been hacked.
Tomi Engdahl says:
Verizon: 96 PER CENT of state-backed cyber-spying traced to China
http://www.theregister.co.uk/2013/04/23/spies_verizon_security/
New statistics contained in Verizon’s Data Breach Investigation Report 2012 found that 19 per cent of all attacks were carried out by agents acting on behalf of their government. Researchers recorded more cyber-espionage incidents than ever before, although the majority of attacks were carried out by criminals looking to make money.
Bosses will be comforted by the finding that “external actors” were responsible for the majority of data breaches, with 92 per cent of all incidents involving an attack from someone working outside the the organisation.
Financial organisations suffered the most attacks, accounting for 37 per cent of recorded data breaches. Just over half (52 per cent) of all breaches involved “some sort of hacking” while 76 per cent of “network intrusions involved exploiting weak or stolen credentials” – which basically means someone didn’t set up a decent password.
Tomi Engdahl says:
Crypto guru: Don’t blame users, get coders security training instead
http://www.theregister.co.uk/2013/04/23/security_awareness_training/
Infosec 2013 Experts on both sides of the vendor-customer divide in the UK and a US cryptographer are at odds over whether or not security training is a waste of time.
American crypto guru Bruce Schneier says the fact that “we still have trouble teaching people to wash their hands” means the dosh splurged on staff training is likely better spent teaching developers to make more effective prevention tools.
The chief infosec officer at Rupert Murdoch’s News International, on the other hand, says a combination of training, “soft skills” and security kit can help organisations protect themselves.
NI security chief: ‘Techies tend to be more arrogant, perhaps more vulnerable…’
But Amar Singh, CISO of publisher News International and chair of the London Chapter ISACA Security Group, disagreed with Schneier’s assessment, describing security awareness training as a process of finding the “right balance between technology and people”.
“Security preparedness is a mixture of soft skills mixed with technical tools,” Singh concluded.
this post says:
Thanks for sharing your thoughts about straight
arrow. Regards
Tomi Engdahl says:
Twitter Now Has a Two-Step Solution
http://www.wired.com/threatlevel/2013/04/twitter-authentication/
Twitter has a working two-step security solution undergoing internal testing before incrementally rolling it out to users, something it hopes to begin doing shortly, Wired has learned.
Such a system will drastically reduce the risk of Twitter users having their accounts hacked, something that has been experienced by everyday users and major companies like the Associated Press, the BBC and 60 Minutes.
Two-step (also known as two-factor or multifactor) authentication can prevent a hacker from gaining access to an account far more effectively than a password alone. When logging in from a new location, it requires users to enter a password and a randomly generated code sent to a device, typically via a text message or smartphone application. In other words, accessing an account requires having two things: something you know (the password) and something you have (a previously registered device).
Tomi Engdahl says:
U.S. gives big, secret push to Internet surveillance
http://news.cnet.com/8301-13578_3-57581161-38/u.s-gives-big-secret-push-to-internet-surveillance/
Justice Department agreed to issue “2511 letters” immunizing AT&T and other companies participating in a cybersecurity program from criminal prosecution under the Wiretap Act, according to new documents obtained by the Electronic Privacy Information Center.
“The Justice Department is helping private companies evade federal wiretap laws,”
The Wiretap Act limits the ability of Internet providers to eavesdrop on network traffic except when monitoring is a “necessary incident” to providing the service or it takes place with a user’s “lawful consent.” An industry representative told CNET the 2511 letters provided legal immunity to the providers by agreeing not to prosecute for criminal violations of the Wiretap Act. It’s not clear how many 2511 letters were issued by the Justice Department.
Tomi Engdahl says:
Why two-factor authentication wouldn’t have saved the AP from getting hacked
http://venturebeat.com/2013/04/24/ap-hack-phishing/
After a rash of major Twitter account hacks, rumor says the company will be releasing two-factor authentication. While this is a great extra protection, it’s not the panacea many are looking for.
Over the past two weeks, three major news outlets — NPR, CBS, and the Associated Press — have all had their Twitter accounts hacked.
We saw something similar when a journalist was hacked through Apple, prompting the company to figure out two-factor authentication for iCloud. The rumor now is that Twitter is going to release its own version of two-factor authentication.
“Calling on Twitter to provide two-factor authentication doesn’t solve the AP phishing incident, nor would a long, frequently-changed password. That’s not to say it’s not worthwhile. Twitter should make an effort to offer two-factor for those that want it.”
The AP confirmed that the hack was preceded by a phishing attempt in a post about the incident.
Brian Krebs provides an excellent overview of why two-factor authentication could fail in such cases. Summarized, people set up phony phishing websites where targets are tricked into submitting their login credentials, which might include two-factor authentication codes. These codes often expire, but for many consumer sites, they are left connected for days because companies don’t want to create a barrier to entry.
Many of these spoofed websites are done really well.
Tomi Engdahl says:
Citibank Phish Spoofs 2-Factor Authentication
http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called “two-factor authentication” — the second factor being something the user has in their physical possession like an access card — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.
These methods work, however, only so long as the bad guys don’t fake those as well.
when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in “Citibank.com,” but in fact ends at a Web site in Russia called “Tufel-Club.ru.”
The site asks for your user name and password, as well as the token-generated key.
this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site.
Tomi Engdahl says:
Twitter Now Has a Two-Step Solution
http://www.wired.com/threatlevel/2013/04/twitter-authentication/
Twitter has a working two-step security solution undergoing internal testing before incrementally rolling it out to users, something it hopes to begin doing shortly, Wired has learned.
Such a system will drastically reduce the risk of Twitter users having their accounts hacked
While it is unclear exactly how or when Twitter will roll out two-factor, the recent spate of high-profile account hackings likely added a sense of urgency to getting something out the door.
Tomi Engdahl says:
These techniques substitute risky password
Time has been driven by over traditional passwords due the poor level of security.
There are far has been replaced by wholesale new ways, some of which are already in use in a high-security network environments. In the future, will be used more and more ID methods used.
One of the major existing alternatives, the RSA technique that commercial application is known as RSA SecurID . It is like an electronic version of the online banks use the key code lists. The user holds a small card, which generates a numerical algorithm for the passwords that change every few minutes.
The card is synchronized to the server with the software, so that they are reading the same password to the minute.
There is already widely used in SMS verification, which the user enters the system log user name and password, and then he gets a text message on mobile phone with verification number. Many online banking services use this option if the user does something out of the ordinary, such as a very large sum of money transfer. The same technology is also available, for example the Google Account login.
Chip cards and biometrics
State management is often used to identify a combination of smart card and a password. The chip is usually included in the employee’s official card, and, of course, also need a card reader.
Biometrics may be a thing of the future.
One possibility is the voice recognition and the combination of the code. Checking in person should recite a series of numbers, for example. This is not tamper-resistant system.
In the future, encryption programs may be familiar with the general movement of locations, routines, the way we talk, and our DNA.
Source: http://www.itviikko.fi/tietoturva/2013/04/20/nama-tekniikat-korvaavat-riskialttiin-salasanan/20135753/7
Tomi Engdahl says:
CISPA ‘dead’ in Senate, privacy concerns cited
http://www.zdnet.com/cispa-dead-in-senate-privacy-concerns-cited-7000014536/
Summary: The chairman of a key Senate committee cited “insufficient” privacy protections in the cybersecurity bill, recently passed by the House. A new report says the Senate is drafting separate bills.
The Senate will almost certainly kill a controversial cybersecurity bill, recently passed by the House, according to a U.S. Senate Committee member.
The comments were first reported by U.S. News on Thursday.
A committee aide told ZDNet on Thursday that Rockefeller believes the Senate will not take up CISPA. The White House has also said the President won’t sign the House bill.
After CISPA passed the House the first time last year, the Senate shelved the bill in favor of its own cybersecurity legislation. Following today’s statements, the Senate is edging closer to repeating its actions for a second time.
Tomi Engdahl says:
ACLU: CISPA Is Dead (For Now)
http://www.usnews.com/news/articles/2013/04/25/aclu-cispa-is-dead-for-now
CISPA is all but dead, again.
The Senate will not take up the controversial cybersecurity bill, is drafting separate legislation
“We’re not taking [CISPA] up,” the committee representative says. “Staff and senators are divvying up the issues and the key provisions everyone agrees would need to be handled if we’re going to strengthen cybersecurity. They’ll be drafting separate bills.”
“I think it’s dead for now,” says Michelle Richardson, legislative council with the ACLU. “CISPA is too controversial, it’s too expansive, it’s just not the same sort of program contemplated by the Senate last year. We’re pleased to hear the Senate will probably pick up where it left off last year.”
Tomi Engdahl says:
Cyber vulnerabilities found in Navy’s newest warship: official
http://www.reuters.com/article/2013/04/24/us-usa-cybersecurity-ship-idUSBRE93N02X20130424
The computer network on the U.S. Navy’s newest class of coastal warships showed vulnerabilities in Navy cybersecurity tests, but the issues were not severe enough to prevent an eight-month deployment to Singapore, a Navy official said on Tuesday.
“The details of that assessment are classified,”
The Navy plans to buy 52 of the new LCS warships in coming years
Tomi Engdahl says:
Serial killer hack threat to gas pipes, traffic lights, power plants
Report: Essential kit wide open to world+dog
http://www.theregister.co.uk/2013/04/29/serial_port_security_threat/
Analysis Corporate VPN systems to traffic light boxes are apparently wide open to hackers thanks to a lack of authentication checks in equipment exposed to the internet.
That’s according to research from security toolmaker Rapid7, which says it found plenty of systems that can be freely remotely controlled via public-facing serial port servers.
These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device’s serial port over the internet. This allows workers to remotely control equipment – from sensors to factory robots – over the web or mobile phone network
These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.
A good deal of serial-connected machines each assumes that if someone can talk to it via a serial cable then that person is an authorised employee with physical access and thus no security checks are needed: it will accept commands from anyone communicating via its serial port, and thus it trusts the port server.
The equipment’s serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.
Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.
“You have to know how to look for these systems but they’re out there,” Guarnieri explained. “Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid.”
Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.
Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services.
For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.
And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.
Tomi Engdahl says:
Are We Too Open to be Secure, or Too Secure to be Open?
http://rtcmagazine.com/articles/view/102995
It seems like we’re always coming back to the matter of security – sometimes with smiling optimism and at other times with a croak of doom. This time is rather less than optimistic. It is prompted by a number of recent incidents that seem to have some things in common.
Tomi Engdahl says:
NetFlow Analysis Helps Understand and Protect Distributed Networks
http://rtcmagazine.com/articles/view/102768
The ability to collect and analyze metadata on network traffic is helping administrators achieve better security as well as understand how their networks are performing so that they can maximize efficiency.
What’s going on with your network? No, what’s really going on?
An existing but not yet fully appreciated technology called NetFlow, originally developed by Cisco, can be used to collect data about network traffic and subject it to analysis for network administrators and security personnel to better monitor and understand network traffic. Primarily this applies to enterprise networks that may be both distributed and have virtual private networks (VPNs) and are connected to the larger Internet and the world in general.
NetFlow consists of metadata about network traffic that is generated by routers and switches that support it and on which it has been enabled. The routers export the NetFlow data in small messages using UDP, and it can then be collected and stored by means of a NetFlow collector and then subjected to analysis using various tools
Most of the newer routers and switches support NetFlow. NetFlow records contain, among other information, source and destination IP addresses, source and destination port IDs, start and stop times, and the number of packets and bytes. Some of the newer versions also report things like user IDs. NetFlow takes place in the background so that users are unaware of it.
Tomi Engdahl says:
Checking Rules for C: Assuring Reliability and Safety
http://rtcmagazine.com/articles/view/102990
C is the most widely used programming language—and can be quite complex. A standard set of rules is available to avoid any inherent ambiguities and to help programmers steer a course to reliable code.
Tomi Engdahl says:
Panel seeks to fine tech companies for noncompliance with wiretap orders
http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html
A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.
Driven by FBI concerns that it is unable to tap the Internet communications of terrorists and other criminals, the task force’s proposal would penalize companies that failed to heed wiretap orders — court authorizations for the government to intercept suspects’ communications.
Rather than antagonizing companies whose cooperation they need, federal officials typically back off when a company is resistant, industry and former officials said.
There is currently no way to wiretap some of these communications methods easily, and companies effectively have been able to avoid complying with court orders.
Instead of setting rules that dictate how the wiretap capability must be built, the proposal would let companies develop the solutions as long as those solutions yielded the needed data.
Tomi Engdahl says:
Smart gun company aims to begin production soon
http://www.computerworld.com/s/article/9238728/Smart_gun_company_aims_to_begin_production_soon
Fingerprint technology could enable only one person — or thousands — to use same gun
“So without the technology, we went from zero percent chance of preventing the shootings to having the technology and a 66% chance of preventing it,” Miller said. “Those are much better odds.”
Development of smart gun technology that — through biometrics or RFID chips — can limit who can use a gun, has been slow to evolve because of little interest from venture capitalists.
Columbus, Ga.-based SGTi’s technology uses relatively simple fingerprint recognition through an infrared reader. The biometrics reader enables three other physical mechanisms that control the trigger, the firing pin and the gun hammer.
The idea of an enabling tape switch has been lauded by police departments because in a struggle with a suspect, the first thing they often go for it the gun. With the SGTi technology, once a gun is out of an officer’s grip, it’s disabled, Miller said.
Tomi Engdahl says:
Twitter Warns Journalists: “We Believe That These Attacks Will Continue”
http://www.buzzfeed.com/jwherrman/twitter-warns-journalists-we-believe-that-these-attacks-will
In a memo sent to news organizations, Twitter warns that it expects high profile account hijackings — like the one that took down the AP’s Twitter account last week — to continue. “Please help us keep your accounts secure,” the memo pleads. It returns to a similar note: “Help us protect you.”
Some of the memo’s advice is advice any service would give its users: change your passwords, keep your email accounts secure, look out for suspicious activity — the company warns that hackers are using advanced “spear phishing” tactics.
But other sections reflect a scramble for a solution: “Designate one computer to use for Twitter,” the company recommends. “Don’t use this computer to read email or surf the web, to reduce the chances of malware infection.” Yes: Twitter is telling journalists to stay off the internet on the computers they use for Twitter. Extraordinary times call for extraordinary measures, in other words.
Twitter is currently working on a two-step authentication system to prevent future hacks, but hasn’t released it to the public yet. (One possible reason for the slow process: figuring out a two-step system for accounts that are often shared between many people is more complicated than developing one for, say, Gmail.)
Tomi Engdahl says:
Why your password can’t have symbols—or be longer than 16 characters
Even a bank that limits passwords to eight characters defends itself.
http://arstechnica.com/security/2013/04/why-your-password-cant-have-symbols-or-be-longer-than-16-characters/
The password creation process on different websites can be a bit like visiting foreign countries with unfamiliar social customs. This one requires eight characters; that one lets you have up to 64. This one allows letters and numbers only; that one allows hyphens. This one allows underscores; that one allows @#$&%, but not ^*()[]!—and heaven forbid you try to put a period in there. Sometimes passwords must have a number and at least one capital letter, but no, don’t start the password with the number—what do you think this is, Lord of the Flies?
You can’t get very far on any site today without making a password-protected account for it. Using the same password for everything is bad practice, so new emphasis has emerged on passwords that are easy to remember. Sentences or phrases of even very simple words have surfaced as a practical approach to this problem.
As Thomas Baekdal wrote back in 2007, a password that’s just a series of words can be “both highly secure and user-friendly.”
If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice. But as Microsoft noted, many successful password attacks have little to do with the content of the password itself (though the situation is getting worse) and more to do with phishing or other manipulations of the user, rather than his or her password. Except in extreme cases (ahem, looking at you, Chuck Schwab), specific length and character restrictions are unlikely to have significant effects on account security.
Tomi Engdahl says:
Tracking PDF Usage Poses a Security Problem
http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-problem
Looking back this year’s RSA Conference, you might have the feeling that the current threat landscape is primarily a series of advanced attacks. This concept includes well-known advanced persistent threats (APTs) and zero-day vulnerability exploits.
Recently, we detected some unusual PDF samples. After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest “sandboxed” Reader XI (11.0.2). Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened.
Is this a serious problem? No, we don’t want to overvalue the issue. However, we do consider this issue a security vulnerability. Considering this, we have reported the issue to Adobe and we are waiting for their confirmation and a future patch
We have detected some PDF samples in the wild that are exploiting this issue. Our investigation shows that the samples were made and delivered by an “email tracking service” provider. We don’t know whether the issue has been abused for illegal or APT attacks.
Tomi Engdahl says:
Java applets run wild inside Notes
‘Full compromise’ possible
http://www.theregister.co.uk/2013/05/02/java_runs_in_note_email/
Attackers with a desire to rummage around inside the PCs of Notes users can do so merely by sending HTML emails containing a Java applet or JavaScript, IBM has admitted in a security advisory.
Full Disclosure describes the effects as potentially nasty, saying “This can be used to load arbitrary Java applets from remote sources (making it an information disclosure as well as it can be used to trigger an HTTP request once the mail is previewed/opened)”
“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” the site adds.
Happily, one fix is easy: just turn off the preferences that allow Java and JavaScript to run inside Notes.
Tomi Engdahl says:
Gaming app ENSLAVES punter PCs in Bitcoin mining ring
http://www.theregister.co.uk/2013/05/02/bitcoin_mining_game_client/
A competitive gaming company has admitted that for two weeks in April its software client was hijacking league members’ PCs to mine Bitcoins.
In an eyebrow-raising turn of events, the company, ESEA Gaming, admitted on Wednesday that its software client had been running Bitcoin-mining algorithms on customer PCs since April 14, generating over $3,700 worth of the virtual currency – not to mention a likely uptick in the electricity bills of the unwitting punters whose graphics cards’ GPUs been forced to mine the virtual currency.
The Bitcoin mining software had been originally rolled out in a test on ESEA Gaming admin accounts
An ESEA employee who was involved in the tests “has been using the test code for his own personal gain since April 13, 2013,”
ESEA became aware of the Bitcoin mining after concerned users made posts to the forum complaining of high GPU utilization, even when idle.
Tomi Engdahl says:
Opinions vary widely on IoT security concern
http://www.edn.com/electronics-blogs/systems-interface/4413081/Opinions-vary-widely-on-IoT-security-concern
Will the IoT (Internet of Things) become a hacker’s paradise? Or is concern over security for the embedded systems that define the IoT overblown?
Opinions about IoT security are as varied as the systems that will make the IoT, according to a study released last week at DESIGN West by UBM Tech (EDN’s parent company) and VDC Research
27% of survey participants indicated the industry is not very vulnerable or not vulnerable at all to attacks on IoT/M2M devices.
I have to assume that those who aren’t worried either figure IoT devices a) aren’t penetrable or b) lie below the threshold of interest of bad actors. It’s safe to say that any system can be penetrated
I’m having a hard time with the “somewhat worried” category: If there’s a basic acknowledgement of a security problem, we all should be very worried. Even under the assumption that the IoT will comprise billions of smart sensors with hardwired operation that can’t be modified remotely, there are too many opportunities for corrupting the data stream – make that deluge – of information flowing through the IoT
It’s difficult to identify right and wrong answers when it comes to security of devices for a system of systems that isn’t built yet and may take markedly different turns than traditional systems. It stands to reason, however, that if the foundation is vulnerable, the system of systems is vulnerable.
Tomi Engdahl says:
Cyber Tops Intel Community’s 2013 Global Threat Assessment
http://www.defense.gov/news/newsarticle.aspx?id=119776
National security threats are more diverse, interconnected and viral than at any time in history, the director of national intelligence said last week in a statement for the record delivered to the House Permanent Select Committee on Intelligence.
“This year, in content and organization, this statement illustrates how quickly and radically the world and our threat environments are changing,” James R. Clapper said in the statement’s introduction.
At the top of the U.S. intelligence community’s 2013 assessment of global threats is cyber, followed by terrorism and transnational organized crime, weapons of mass destruction proliferation, counterintelligence and space activities, insecurity and competition for natural resources, health and pandemic threats, and mass atrocities.
“We judge that there is a remote chance of a major cyberattack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services such as a regional power outage,” Clapper stated.
The technical expertise and operational sophistication needed for such an attack is out of reach for most actors, he added, and “advanced cyber actors like Russia and China are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.”
But, he stated, isolated state or nonstate actors might deploy less sophisticated cyberattacks as a form of retaliation or provocation.
In terms of eroding U.S. economic and national security, the director said in his statement: “We assess that highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers and others to target and collect sensitive U.S. national security and economic data.”
“We track cyber developments among nonstate actors, including terrorist groups, hacktivists and cyber criminals,” Clapper noted, adding, “We have seen indications that some terrorist organizations have heightened interest in developing offensive cyber capabilities, but they will probably be constrained by inherent resource and organizational limitations and competing priorities.”
Tomi Engdahl says:
Pentagon Expects to Enlist Apple, Samsung Devices
http://online.wsj.com/article_email/SB10001424127887324582004578456940454210134-lMyQjAxMTAzMDAwMTEwNDEyWj.html
The U.S. Department of Defense expects in coming weeks to grant two separate security approvals for Samsung’s Galaxy smartphones, along with iPhones and iPads running Apple’s latest operating system—moves that would boost the number of U.S. government agencies allowed to use those devices.
Tomi Engdahl says:
Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case
http://www.wired.com/threatlevel/2013/05/game-king/all/
There they discovered the secret behind Kane’s lucky streak: he was exploiting a previously-unknown firmware bug present in the Game King and nine other IGT machines – one that had been hidden for seven years.
Now Kane and the bug he exploited are at the center of a high-stakes legal battle before a federal judge in Las Vegas. The question: was it a criminal violation of federal anti-hacking law for Kane and a friend to knowingly take advantage of the glitch to the tune of at least half-a-million dollars? Prosecutors say it was. But in a win for the defense, a federal magistrate found last fall that the Computer Fraud and Abuse Act doesn’t apply, and recommended the hacking charge be dismissed. The issue is now being argued in front of U.S. District Court Judge Miranda Du, who’s likely to rule this month.
It’s the latest test of the Computer Fraud and Abuse Act, a 1986 law originally intended to punish hackers who remotely crack defense or banking computers over their 300 baud modems. Changes in technology and a string of amendments have pushed the law into a murky zone where prosecutors have charged people for violating website terms-of-service or an employer’s computer use policies.
In the Game King case, the arguments are largely focused on whether Kane and his codefendant, Andre Nestor, exceeded their legal access to video poker machines by exploiting the bug. Kane’s attorney, Andrew Leavitt, says Kane played by the rules imposed by the machine, and that’s all that matters.
“All these guys did is simply push a sequence of buttons that they were legally entitled to push.”
It was during one of his video poker binges that Kane discovered the bug. “He accidentally hit a button too soon, and presto,” says Leavitt, “It was a fluke. There was no research… Just playing.”
“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”
Tomi Engdahl says:
Rogue Employee Turns Gaming Network Into Private Bitcoin Mine
http://www.wired.com/wiredenterprise/2013/05/esea/
If you’ve been playing Counter-Strike on the ESEA gaming network, you’ve been doing a lot more than tossing virtual hand grenades and firing virtual machine guns. You’ve been mining Bitcoins for an unnamed staffer inside the company that runs the network.
The mining started on April 13 and may have affected as many as 14,000 gamers.
Tomi Engdahl says:
Hacker Breached U.S. Army Database Containing Sensitive Information on Dams
http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/
A hacker compromised a U.S. Army database that holds sensitive information about vulnerabilities in U.S. dams, according to a news report.
The U.S. Army Corps of Engineers’ National Inventory of Dams contains information about 79,000 dams throughout the country and tracks such information as the number of estimated deaths that could occur if a specific dam failed.
The breach began in January and was only uncovered in early April, according to the Free Beacon
Unnamed U.S. officials told the Free Beacon that the breach was traced to “the Chinese government or military cyber warriors,” but offered no information to support the claim.
Tomi Engdahl says:
Financial Stability Oversight Council (FSOC) Releases Third Annual Report
http://www.treasury.gov/press-center/press-releases/Pages/jl1914.aspx
n the report, the Council’s recommendations address the following topics:
Heightened risk management and supervisory attention
Operational risk (cybersecurity, infrastructure)
Risk of prolonged period of low interest rates
Capital, liquidity, resolution
Tomi Engdahl says:
U.S. intelligence agencies have issued a threat assessment that terrorism is no longer the worst security risk. Number one is the internet and the resulting threat of attack. Soon after, authorities said, that the internet is the number one threat to the economy.
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/uhkakuvien_karkeen_nousee_internet
Tomi Engdahl says:
U.S. Department of Labor website harnessed to enter malicious software onto your computer.
The malware will examine the victims of machinery, in particular, whether the installed Flash, Adobe Reader, Java, Microsoft Office, or any of the many virus protection software.
This information was sent to the network server.
Attacks have ravaged the U.S. government more generally in recent times. For example, the Department of Energy website infiltrated in January .
Source: http://www.digitoday.fi/tietoturva/2013/05/02/jenkkiministerion-sivusto-syotti-haittakoodia–usan-ja-kiinan-hauras-kyberrauha-saroilee/20136338/66?rss=6
Tomi Engdahl says:
Mozilla Blog: Protecting our brand from a global spyware provider
https://blog.mozilla.org/blog/2013/04/30/protecting-our-brand-from-a-global-spyware-provider/
A recent report by Citizen Lab uncovered that commercial spyware produced by Gamma International is designed to trick people into thinking it’s Mozilla Firefox. We’ve sent Gamma a cease and desist letter today demanding that these illegal practices stop immediately.
As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission. Mozilla has a longstanding history of protecting users online and was named the Most Trusted Internet Company for Privacy in 2012 by the Ponemon Institute. We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy.
Through the work of the Citizen Lab research team, we believe Gamma’s spyware tries to give users the false impression that, as a program installed on their computer or mobile device, it’s related to Mozilla and Firefox, and is thus trustworthy both technically and in its content.
Each sample demonstrates the exact same pattern of falsely designating the installed spyware as originating from Mozilla. Gamma’s own brochures and promotional videos tout one of the essential features of its surveillance software is that it can be covertly deployed on the person’s system and remain undetected.
Tomi Engdahl says:
FinSpy
http://www.schneier.com/blog/archives/2013/03/finspy.html
Twenty five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens:
The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.
It’s sold by the British company Gamma Group.
Finfisher promo videos | Fintrusion kit (full HD)
https://www.youtube.com/watch?v=OvrmQg4NEL8
Tomi Engdahl says:
Samsung, BlackBerry devices cleared for use on U.S. defense networks
http://www.reuters.com/article/2013/05/03/us-usa-defense-smartphones-idUSBRE94204E20130503
The Pentagon on Thursday cleared BlackBerry and Samsung mobile devices for use on Defense Department networks, a step toward opening up the military to a wide variety of technology equipment makers while still ensuring communications security.
Lieutenant Colonel Damien Pickart, a Pentagon spokesman, said the department cleared the use of BlackBerry 10 smart phones and BlackBerry PlayBook tablets using its Enterprise Service 10 system, as well as Samsung’s Android Knox.
The Pentagon said on Wednesday it also expected to clear Apple mobile devices using the iOS 6 system at some point in early May.
Tomi Engdahl says:
Security company warns in common network protocols has holes
Printers, routers, surveillance cameras, and other devices with network connection are increasingly used in large-scale denial of service attacks, security company Prolexic warned this week.
Prolexicin according to the report, particularly simple network management protocol (SNMP) -, network time protocol (NTP) – and the character generator protocol (chargen) protocols used in denial of service attacks. All are commonly used devices in the market.
SNMP has a number of problems. Some versions of the transfer data in human-readable form. The protocol also allows the IP-address spoofing
In addition, all SNMP versions are vulnerable to brute force attacks
forged IP address requests from the SNMP host, and able to respond to messages that bytesize is the initial request higher.
Denial of service attacks that can reduce the risk of being, for example by preventing SNMP, if it is not needed.
Also the NTP protocol vulnerabilities may lead to a denial of service attack.
Chargen protocol, which is used remote testing and measurement tools. Prolexicin that attackers can do chargen to harmful packets and redirect them.
Source: http://www.tietoviikko.fi/kaikki_uutiset/tietoturvayhtio+varoittaa+yleisissa+verkkoprotokollissa+on+reikia/a899032?s=r&wtm=tietoviikko/-03052013&
Tomi Engdahl says:
China’s Cyberspies Outwit Model for Bond’s Q
http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
Among defense contractors, QinetiQ North America (QQ/) is known for spy-world connections and an eye- popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East.
QinetiQ’s espionage expertise didn’t keep Chinese cyber- spies from outwitting the company. In a three-year operation, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research. At one point, they logged into the company’s network by taking advantage of a security flaw identified months earlier and never fixed.
“We found traces of the intruders in many of their divisions and across most of their product lines,”
QinetiQ was only one target in a broader cyberpillage. Beginning at least as early as 2007, Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.
“The line forms to the left when it comes to defense contractors that have been hacked,” said James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington. “The damage has been significant.”
The lengthy spying operation on QinetiQ jeopardized the company’s sensitive technology involving drones, satellites, the U.S. Army’s combat helicopter fleet, and military robotics, both already-deployed systems and those still in development, according to internal investigations.
The spies’ trail at QinetiQ begins in late 2007, and so do the company’s mistakes.
On Jan. 7, 2008, NASA alerted the company that hackers had tried to infiltrate the space agency from one of QinetiQ’s computers.
QinetiQ treated a series of attacks over the next several months as isolated incidents.
More investigations uncovered more security holes.
“All their code and trade secrets are gone,” Phil Wallisch, senior security engineer at HBGary, wrote in an e-mail after being briefed on the loss by the company.
It was about to get much worse.
The hackers logged on through the company’s remote access system, just like any employee.
HBGary installed specialized software on more than 1,900 computers, then scanned the machines for snippets of malicious code. Glitches surfaced almost immediately.
The State Department, which has the power to revoke QinetiQ’s charter to handle restricted military technology if it finds negligence, has yet to take any action against the company. Two former federal law enforcement officials said that, despite its authority, the State Department lacks the computer forensics expertise to evaluate the losses and neither could recall department involvement in several major data theft investigations.
The investigations didn’t affect the company’s ability to win government contracts, even to provide cyber-security services to federal agencies.
The investigations didn’t affect the company’s ability to win government contracts, even to provide cyber-security services to federal agencies.
In that time, the hackers had gained almost complete control over the company’s network.
Tomi Engdahl says:
IBM open sources new approach to crypto
Work on files – without decrypting them
http://www.theregister.co.uk/2013/05/03/ibm_open_source_homomorphic_crypto/
A group of IBM researchers has released a Githib project that implements a homomorphic encryption system – a way to work on encrypted data in a file without first decrypting the whole file.
Why would anyone want to do that? Partly because if you have to decrypt the file to work on it, it’s going to exist as plaintext somewhere. IBM has other ideas about this as well: leaving the encrypted file encrypted would keep data protected in the cloud while still letting users work on it. Big Blue even envisages such schemes as offering truly private Internet search.
The Github project is called HElib – the homomorphic encryption library.
Tomi Engdahl says:
To fend-off @eldarmurtazin ‘s “previews” Nokia created a secret leaker ident system. Wants to patent it now
http://www.unwiredview.com/2013/05/02/to-fend-off-eldarmurtazin-s-previews-nokia-created-a-secret-leaker-ident-system-wants-to-patent-it-now/
One of the most prolific Nokia leakers was Russian mobile tech journalist Eldar Murtazin, publishing full reviews of Nokia flagships weeks before the announcement and months before they shipped.
So instead of further complaining , Nokia decided to do something about it internally. And a pretty clever software system to identify the source of the leaks was the result. It showed-up in Nokia’s patent application called “Method an apparatus for providing product source leak identifications”, today.
The leaker identification system relies on the fact that there aren’t too many prototype devices floating around before the phone gets into mass production. So Nokia will create unique, hard to notice user interface elements for each of them.
When a new prototype makes it into the leaker’s hands, and he publishes the live pictures with the device turned on, all Nokia has to do is check its database for the combination of these unique UI elements to know where it came from.
elder scrolls online says:
Hi my loved one! I want to say that this article is awesome, nice written and include almost all significant infos. I’d like to look extra posts like this .
tattoo design says:
Simply desire to say your article is as surprising. The clearness for your publish is just spectacular and that i can suppose you are a professional in this subject. Well together with your permission let me to grab your feed to stay up to date with drawing close post. Thanks one million and please keep up the rewarding work.
Tomi says:
Finnish companies are at bot war
Botnets formed from hijacked computers are one of the biggest security challenges. Recently, the range is, after all heard the news of successful attacks on networks and their back against the criminals. A number of Finnish companies now combine forces bot war.
Data to Security (D2S) ecosystem program, which aims to commercialize a new kind of security solutions against botnets. Included are Elisa, Exfo, F-Secure, Nokia Siemens Networks and Stonesoft.
Aim will be achieved by working with the data analysis methods and algorithms in the development and use of advanced data mining technologies. The final sighting of the new business clusters.
The project is planned to last 28 months. The program costs are paid by participating companies and Tekes.
Source: http://www.tietokone.fi/uutiset/suomalaisfirmat_kayvat_bottisotaan
Tomi says:
Antivirus Firms “Won’t Co-operate” With PC-Hacking Dutch Police
http://it.slashdot.org/story/13/05/04/0024202/antivirus-firms-wont-co-operate-with-pc-hacking-dutch-police
“Dutch police are set to get the power to hack people’s computers or install spyware as part of investigations — but antivirus experts say they won’t help police reach their targets.”
“So far, Hypponen hasn’t seen a single antivirus vendor cooperate with such a request, and said his own firm wouldn’t want to take part.”
Tomi says:
Antivirus firms “won’t co-operate” with PC-hacking police
http://www.pcpro.co.uk/news/security/381643/antivirus-firms-wont-co-operate-with-pc-hacking-police
Dutch police are set to get the power to hack people’s computers as part of investigations – but antivirus experts say they won’t help police reach their targets.
Mikko Hypponen, chief research officer at F-Secure, said such requests won’t only come from Dutch police, as authorities in other countries will increasingly ask for such powers – not least as most investigations already involve looking through smartphones or PCs.
“This isn’t going to go away, it’s only going to get more and more important. All countries will be wanting rights and regulations,” he told PC Pro.
Hypponen said it’s understandable why police want such powers, and admitted few would complain if it’s used sparingly and only against guilty parties. However, there’s no question that innocent people would get caught up in police investigations, making transparency key.
“They should have to have serious enough crimes to even request such strong tools to be used,” he said. “And then, they should have to get a judge or court order, and even more importantly, they should afterwards make public how many citizens were hacked, and how many turned out to be guilty or innocent.”
That last point is the most important, Hypponen said. “This is the key thing: if the police hack into your systems, the public needs to know,”
Whether police have the skills to successful hack into computers isn’t clear, but Hypponen said it wouldn’t be ideal for them to outsource such tasks. However, it’s likely police would follow the lead of other government agencies – such as intelligence and security – and buy vulnerabilities from third-party firms.
“Many of the exploits being stockpiled are actually being developed by third parties, such as defence contractors or private companies looking for vulnerabilities.”
Tomi says:
Indictment: Sysadmin passed over for promotion quits, then strikes back
Angry “ERP Guru” allegedly steals credentials, wreaks havoc on former employer.
http://arstechnica.com/tech-policy/2013/05/sysadmin-passed-over-for-promotion-quits-then-strikes-back/
The idea of the disgruntled sysadmin turning techno-Robin Hood and giving his or her employer a taste of their own medicine is almost universally popular on tech-centric sites and message boards. However, things almost never work out positively for the people who turn revenge-fantasy into reality. The latest sysadmin to strike back, Smithtown, NY-based Michael Meneses, is facing federal charges for allegedly causing over $90,000 in damage to his employer, the Spellman High Voltage Electronics Corporation.
However, more than just stealing credentials and “corrupting the network,” the FBI says that Meneses also inflicted substantial damage on the company’s operations. Once in possession of several employees’ credentials, he is alleged to have altered the company’s business calendar by a full month, causing problems across all aspects of the business, including finance and production.
Tomi says:
Thank you for not viewing: “Hidden” display ads hurt Web ad networks
Researcher finds at least 2% of US Web ads are stuffed in invisible webpages.
http://arstechnica.com/tech-policy/2013/05/thank-you-for-not-viewing-hidden-display-ads-hurt-web-ad-networks/
There’s more than one way to fleece people using Web advertising. Botnets have been harnessed to generate fake clicks by injecting fake links into search results and to click randomly on webpages the infected computer’s user never sees. But fraudsters are starting to get more sophisticated in their efforts to get rich off Web advertising.
As Dr. Douglas de Jager, CEO of Spider.io, reported in a blog post today, fraudulent advertising networks are now acting as middlemen between advertising networks placing Web display ads and those stuffing whole hidden webpages of ads into ad slots on legitimate sites. Instead of using bots, this sort of ad fraud uses real humans to generate the traffic—but it never actually shows them the ads that are served up to them.
Display advertising fraud targets ads that are paid for by pageview rather than by click. The use of real-time bidding to auction ad space on websites through exchanges such as Google’s DoubleClick Ad Exchange and Microsoft’s AdECN has made it possible for fraudulent ad traders to purchase an ad slot through one exchange and then sell it multiple times across others.
Because the page is “displayed” within the ad frame (again, even though the ads are invisible to the person viewing the page), the ads are often reported back as viewable to the advertiser, so the fraudulent ad trader gets paid for the impression.