Showing posts with label fraudulent. Show all posts

Monday, October 30, 2017

A Hacker's Tool Kit - Cybercrime is growing ever more pervasive—and costly.



Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.
Graphic shows prices of cybercrime events

Monday, October 16, 2017

WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.
The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.
That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
In other words: this flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password. Once they're in, they can eavesdrop on your network traffic.
The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.
But because Vanhoef hasn't released any proof-of-concept exploit code, there's little risk of immediate or widespread attacks.
News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
The warning came at around the time of the Black Hat security conference, when Vanhoef presented a talk on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.
The cyber-emergency unit has since reserved ten common vulnerabilities and exposures (CVE) records for the various vulnerabilities.
Cisco, Intel, Juniper, Samsung, and Toshiba are among the companies affected.
At its heart, the flaw is found in the cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated.
In this case, an attacker can trick a victim into reinstalling a key that's already in use. Reusing the nonce can allow an adversary to attack the encryption by replaying, decrypting, or forging packets.
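Why a reinstalled key matters, as an added example that is not part of the original article: a toy model in which installing a key resets the packet nonce, so a replayed handshake message makes two packets share one keystream. The `Client` class, the SHA-256 keystream (a stand-in for WPA2's real cipher), the key and the sample packets are all constructed assumptions; the `hardened` branch models the remedy of ignoring a reinstall of a key already in use.

```python
import hashlib

P1 = b"GET /account HTTP/1.1"   # constructed sample packets, equal length
P2 = b"POST /login HTTP/1.1."

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy keystream: SHA-256 over key || nonce || block counter (assumption,
    # standing in for the counter-mode cipher a real WPA2 client uses).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client's key handling, not real supplicant code."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.nonce = 0

    def handle_msg3(self, key: bytes) -> None:
        # Handshake message 3 may legitimately be retransmitted.
        if self.hardened and key == self.key:
            return              # key already in use: keep the nonce counter
        self.key = key
        self.nonce = 0          # installing a key resets the nonce

    def send(self, plaintext: bytes):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)

def replay_scenario(hardened: bool):
    # One packet before and one after a retransmitted message 3.
    client = Client(hardened)
    key = b"constructed-session-key"
    client.handle_msg3(key)
    n1, c1 = client.send(P1)
    client.handle_msg3(key)     # the replayed message arrives
    n2, c2 = client.send(P2)
    return n1, n2, c1, c2
```

With `hardened=False` both packets go out under nonce 1, and XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts; with `hardened=True` the nonces are 1 and 2 and that relation no longer holds.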
Windows and the latest versions of Apple's iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post.
However, Vanhoef said the security issue is "exceptionally devastating" for Android 6.0 Marshmallow and above.


via zdnet

Monday, August 17, 2015

Mcommerce fraud rate higher on Android devices

Mobile commerce fraud rate is higher on Android devices, a recent report points out.

According to data from Kount, a provider of fraud detection technology, instances of fraud on Android devices were 44% higher than on iOS devices in 2014. The same source mentions that until 2013, fraud on iOS devices was more frequent than on Android, but this has since changed significantly.
Findings indicate that Android’s US platform share has increased substantially since 2013. Android’s US platform share increased from 51.5% in June 2013 to 66.1% in June 2015, according to Kantar Worldpanel, while iOS's share declined from 42.5% to 30.5% during the same period. Fraud likely occurs on Android more often than iOS because there are now more Android devices.
The report has also unveiled that mobile fraud will intensify compared to online and in-store. Research shows that merchants have a blind spot when it comes to mobile. In 2014, the share of organizations that believed mobile was far riskier than other forms of commerce was only 15%, and most see it as “just as risky” or “less risky” than standard commerce. A prevailing belief that mobile behaves similarly to other channels could reduce a sense of urgency among merchants to tighten their mobile security, which could invite further fraud.
The study mentioned that fraud moves to the weakest channel. As in-store security tightens, fraud is moving online, and mobile is quickly emerging as the new target. Mobile fraud increased 81% between 2011 and 2015 to date. Meanwhile, non-mobile fraud decreased 50% from 2011 to 2014, and an additional 50% in the first six months of 2015. Increased EMV penetration and digital identity verification will continue to push fraud out of the stores and onto digital channels, of which mobile is the most vulnerable.
via paypers
