FTC picks winners in latest robocall-defeating contest, scammers keep scamming

On Thursday the Federal Trade Commission (FTC) announced the winners of a robocall-defeating contest that the commission held at DefCon in early August. Three groups of contestants each won $3,133.70, and two runners-up each won $1,337 (for being just that elite). The FTC says it receives 150,000 robocall complaints each month, down from 200,000 per month one year ago.

The contest was called “Zapping Rachel,” for the well-known scam in which a pre-recorded woman's voice tells an unsuspecting phone answerer, “Hi this is Rachel at cardholder services.” The FTC separated the contestants into Creator, Attacker, and Detective categories—Creator entrants were asked to build a honeypot to lure robocallers, Detective entrants were given the honeypot data and asked to analyze it, and Attacker entrants were tasked with finding honeypot vulnerabilities. Contestants were given between 24 and 48 hours to submit their entries, depending on the category they entered.

For the Creator category, Jon Olawski, who is a software engineering director for an Internet marketing company by day, won the prize. He built a honeypot that used “an audio captcha filter, call detail analysis, and recording and transcription analysis” to automatically rate whether an incoming call came from a robocaller. In an e-mail to Ars, Olawski described his idea as “a 10-point 'strike' system”: if a caller accumulates a certain number of strikes, the calling number is treated as a robocaller and can be placed on a blacklist.
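To make the strike idea concrete, here is an added illustration of a strike-based robocall scorer; it is not Olawski's code or the FTC's, and every field name, weight, threshold, scam phrase and sample call record below is an assumption constructed for this example. Each of the three signal types the article names (audio captcha, call-detail analysis, transcription analysis) contributes strikes on a 10-point scale, and a number whose call reaches the threshold is added to the blacklist.

```python
"""Strike-based robocall scoring (added example; weights and data are constructed)."""
from dataclasses import dataclass

# Assumption: the article gives a 10-point scale but not the cutoff; 5 is illustrative.
STRIKE_THRESHOLD = 5

# Assumption: phrases a transcription filter might flag (constructed list).
SCAM_PHRASES = ("cardholder services", "lower your interest rate", "press 1")


@dataclass
class CallRecord:
    """Fields a honeypot could log per call (constructed schema, not Olawski's)."""
    caller: str               # calling number as presented by caller ID
    passed_captcha: bool      # did the caller answer the audio captcha?
    duration_s: float         # total call length in seconds
    audio_start_delay_s: float  # silence between answer and first caller audio
    prior_calls_today: int    # earlier calls from this number today
    transcript: str           # transcription of the caller's audio


def score_call(call: CallRecord) -> int:
    """Return the number of strikes (0..10) for one call; higher is more robocall-like."""
    strikes = 0
    # Audio captcha filter: a human can respond to a spoken challenge, a recording cannot.
    if not call.passed_captcha:
        strikes += 3
    # Call-detail analysis: dialer-placed calls often start audio only after a long delay.
    if call.audio_start_delay_s > 2.0:
        strikes += 2
    # Call-detail analysis: repeated calls from one number in a day.
    if call.prior_calls_today >= 3:
        strikes += 2
    # Call-detail analysis: very short calls that drop when no live answer is detected.
    if call.duration_s < 10:
        strikes += 1
    # Transcription analysis: count matching scam phrases, capped at 2 strikes.
    text = call.transcript.lower()
    strikes += min(2, sum(phrase in text for phrase in SCAM_PHRASES))
    return min(strikes, 10)


def build_blacklist(calls, threshold: int = STRIKE_THRESHOLD) -> set:
    """Return the set of calling numbers whose call scored at or above the threshold."""
    return {call.caller for call in calls if score_call(call) >= threshold}


# Constructed sample honeypot records; the numbers are placeholders, not real callers.
SAMPLE_CALLS = [
    CallRecord("+1-555-0100", False, 25.0, 3.5, 5,
               "Hi this is Rachel at cardholder services, press 1 to lower your rate"),
    CallRecord("+1-555-0101", True, 90.0, 0.4, 0,
               "Hi, it's your neighbour, did you see the package on the porch?"),
    CallRecord("+1-555-0102", True, 5.0, 0.5, 0,
               "Sorry, wrong number"),
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call.caller, "strikes:", score_call(call))
    print("blacklist:", sorted(build_blacklist(SAMPLE_CALLS)))
```

The first record fails the captcha, starts audio late, has called repeatedly and matches two scam phrases, so it reaches 9 strikes and is blacklisted; the short wrong-number call earns a single strike and is left alone, which is the point of using several independent signals rather than any one of them.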


Heartbleed is the gift that keeps on giving as servers remain unpatched

Within four days of the first public reports of a major flaw in OpenSSL's software for securing communications on the Internet, mass attacks searched for and targeted vulnerable servers.

In a report released this week, IBM found that while the attacks have died down, approximately half of the original 500,000 potentially vulnerable servers remain unpatched, leaving businesses at continuing risk of the Heartbleed flaw. On average, the company currently sees 7,000 daily attacks against its customers, down from a high of 300,000 attacks in a single 24-hour period in April, according to the report based on data from the company's Managed Security Services division.

"Despite the initial rush to patch systems, approximately 50 percent of potentially vulnerable servers have been left unpatched—making Heartbleed an ongoing, critical threat," the report stated.


Update: JPMorgan, other banks hacked, and FBI looks to Russia for culprits

JPMorgan Chase was one of at least five US banks hit by a sophisticated attack against its networks that netted the attacker large volumes of bank account data—for an unknown purpose.

The FBI is reportedly investigating whether a sophisticated attack on JPMorgan Chase and at least four other banks was the work of state-sponsored hackers from Russia. The attacks, which were detected earlier this month, netted gigabytes of checking and savings account data, according to a report by The New York Times.

Update: According to one source Ars contacted who claims to be familiar with the investigation at JPMorgan Chase, the attack on the bank stemmed from malware that infected an employee's desktop computer. It was not clear whether the malware was delivered by a web attack or by an email "phishing" attack.

In a statement sent to Ars, John Prisco, CEO of the security firm Triumfant said, "The nature of the JPMorgan breach was a persistent threat with a backdoor that enabled the attacker to enter whenever they wanted." He expressed surprise that the breach went undetected for so long, claiming that it was "fairly easy breach to detect."
