Monday, 13 January 2014

Mobile Shopping Apps Too Good To Be True?

HP Mobile Shopping
Black Friday and Cyber Monday shoppers got it pretty easy this past year. Not only could those of us avoid the chaotic crowds and purchase goodies on our computers, but also download an array of mobile apps for these two days to get gifts at the touch of our fingers. But do these apps put your phone in danger of malware infection?
Hewlett-Packard analyzed some of the most popular iOS apps in order to find out if there were any real security risks on Black Friday and Cyber Monday mobile apps. The company used its software security program, Fortify-on-Demand, to scan Black Friday Shopping, Black Friday 2013, Cyber Monday 2013, Black Friday, Best Cyber Monday Deals, Black Friday App by Slickdeals, TGI Black Friday, TGI Cyber Monday, and Black Friday.
The company discovered that only 11 percent of the apps passed data storage encryption standards. This means that someone who steals another user's device could access personal information without entering a PIN. Additionally, over 50 percent of the apps tracked devices via geo-location, which leaks users' locations if the app sent them to an unauthorized third party.
It doesn't stop there. Ninety percent of the scanned apps cached users' private information without encryption so passwords and account and private data could be leaked to anyone who steals the phone. The same percentage of the surveyed apps also sent out sensitive material, including purchasing information, unencrypted from the phone.
Downloading these mobile apps, or ones like these, obviously puts you at risk to even the simplest attacks. Before downloading any apps, make sure you know what information it can access. Don't let exciting discounts cloud your thinking; better to keep your information safe than nabbing a good deal at the risk of letting your personal information fall into bad hands. 

The Real Code In iOS 7 Jailbreak's Evasi0n

Taiji Market Curb your enthusiasm, jailbreak devotees; downloading Evasi0n, the new iOS 7 jailbreak, could be dangerous. Developed by Evad3rs, this jailbreak includes hidden code from a third-party Chinese vendor that resists any analysis and tampering. In a recent blog post, Lookout explains why you might not want to download Evasi0n.
What's iOS Jailbreaking?Jailbreaking your Apple device cuts the ties your gadget has with the big company. The software you download exploits a software flaw in the device's system, allowing root access to and removing limitations that Apple imposed on devices running its iOS operating system.
While jailbreaking can be useful to change user interface and unlock carrier-locked phones, it comes at a cost. A jailbreak compromises a phone's innate security defenses, leaving your device vulnerable to attacks.
The Hidden Code in Evasi0nEvasi0n for iOS 7 includes an obscured Chinese code within the installer that examines the language setting of the Mac or PC running it. If the device's language is set to Chinese, the jailbreak installs Taiji, a third party Chinese market, on the target phone. If not, it installs the "Cydia" app store.
After the Taiji Market is installed, it disables any other jailbreak community markets and resists attempts to remove it. Keep in mind that at this point the Taiji Market has full privileged access to the user's device, allowing the operators to do whatever they want with it, including hijacking data or remotely controlling the device.
Be Smart About JailbreakingIf you want to jailbreak your device, make sure you understand all the security risks that come with that decision. You should backup your device before trying to jailbreak it as well in case something goes wrong.
Be sure to only install apps from trusted stores and make sure you're protected against drive-by downloads or dropped apps. iOS devices automatically prevent drive-by downloads unless you jailbreak your phone. Jailbreaking has its perks, but it's important to be aware of some of its risks.

Fake Minecraft Scams Android Gamers

Image via Flickr user Tiago A. Pereira According to F-Secure, a Trojanized version of Minecraft - Pocket Edition (or Minecraft PE) is making the rounds on third-party app marketplaces. Though it costs half as much as the genuine article, it has a few "enhancements" that players won't like.
Worse Than Creepers
F-Secure told SecurityWatch that the phony Minecraft PE is currently available on several Russian app stores. This isn't surprising as not all third party stores vet their apps as thoroughly as Google, making some of them havens for malicious applications.
Careful readers will probably remember that cloned versions of popular apps are nothing new; in fact, it's a common tactic to trick victims into downloading and installing malicious applications. These fake apps are generally free, to further entice victims, but this ersatz Minecraft PE bucks the trend by charging 2.50 Euros for the app—the real app costs 5.49 Euros.
Charging victims earns the scammers some cash right off the bat, but that's not all this app does. "The real game is included but it has one added permission: android.permission.SEND_SMS and the payment system has been 'enhanced,'" said F-Secure. This critical change means that the app can use victims' phones to send text messages.
According to F-Secure, the SMS message generated by the app are sent to so-called "premium rate numbers" in Russia. These might be signing up victims for pricey subscriptions to services they don't want. The messages might also be adding money to their phone bill—like those fundraiser shortcodes used by NPR and the Red Cross, but in this case used for evil. Interestingly, whoever made the fake app might not own the numbers the messages are being sent to, but may get a cut from whoever does.
Sneakier Than Endermen
Mojang, the creators of Minecraft, are no fools and F-Secure writes that they included some security measures in their code to prevent this kind of thing from happening. Unfortunately, the creator of this Trojanized app is clever.
"The original Minecraft includes a check inside the dex code that verifies the signature that has been used to sign the APK. If it's not [Mojang's], the code refuses to run," said F-Secure. The phony Minecraft PE includes a special tool to specifically trick this failsafe, thus allowing it to work.
Guard Your Fortress
In Minecraft, if you leave a hole in our outer defenses, dangerous monsters will find their way into your home. Likewise, turning off the default restriction on installing third-party applications on your Android device can allow malware into your phone.
And searching for free or cracked versions of popular apps is like asking monsters to come into your home. It's always better to pay the developers and get the real, secure version of any Android app. Especially in the case of Minecraft, which is worth every penny. As is usually the case, it pays to pay.

Some Handy Email Tips For The Christie Administration

Image via Wikimedia
Let's say you're David Petraeus. No wait, here's a better one: let's say you're New Jersey governor Chris Christie. And let's say it's come to light that some of your aides may have engineered a massive traffic snarl as an act of political revenge, one that ended in the death of an elderly woman after ambulances were delayed.
Now, we at SecurityWatch don't condone underhanded deals (unless we get to write about them), but this story hinges on emails obtained by subpoena and we know a thing or two about how to keep your emails safe.
Leave No Evidence
If you must carry out clandestine activity over email, then you had better make sure that those emails can't be connected to you after the fact. Even the header information embedded in emails can be examined to find your IP address, not to mention the message's content.
To keep your real IP address off your email messages, try using a Virtual Private Network (or VPN) service to connect to the internet. This re-routes your traffic and keeps your IP out of your messages. If you're willing to spend a little money, take a look at our Editors' Choice award winners Norton Hotspot Privacy or VPN Direct.
But even a VPN will leave the content of your messages readable. Remember, the emails surrounding "bridgegate" were obtained by subpoena. Though the NSA may have messed up encryption, an encrypted message is probably going to be a major roadblock for investigators. For encrypting email, PrivateSky does local encryption and decryption, keeping your messages safe from start to finish.
Destroy Everything
Encryption may render a message unreadable, but you know what's better than unreadable? Destroyed. While it's hard to run emails through a paper shredder, Send 2.0 will encrypt your messages and destroy everything every few days. However, VaporStream goes further and destroys messages as soon as they're read—no chance to copy or forward, either.
Off The Grid
No matter how hard you try to keep emails secure they still leave a trail. So consider going old-school and carrying out your clandestine operations with face-to-face meetings and voice calls. While a bit more time consuming, they require an observer to do more legwork in order to get your information. Also, cycling through disposable "burner" phones will make your communications that much harder to track.
If that's too old-fashioned, there's always texting. From looking over documentation regarding text message interception, most phone companies don't seem to sit on a stockpile of your SMS messages—though they can still be intercepted. But some services, like iMessage and TextSecure, encrypt your messages to keep them safe. Other text messaging services like the newly announced Confide make it harder to copy messages with a screenshot, and Wickr uses clever encryption strategies and self-destructing messages to keep private messages private.
Speaking in Tongues
Though the email messages of bridgegate were occasionally oblique, they could have done better. If you're giving orders for potentially illegal activities, consider using code words to further mask your operations. The best clandestine communications are disguised as everyday speech, so instead of ordering a traffic snarl on the George Washington Bridge, try asking to have your "laundry delivered."
A really well thought-out coded message could be innocuous enough to post anywhere. Instead of writing an email, sending a text, or making a phone call, you could simply make a cryptic statement on Craigslist. Perhaps that's the real function behind the Montclair pirate radio station?
Stay Silent
Even with the best efforts to secure a message, there's always a way for it to come out. Perhaps careful analysis of your Web traffic can be correlated with real-world activities, or someone in your organization snitches on your illegal activity. Sometimes the best way to keep your illicit activies secret is just to have no illicit activities.

More Retailers Hit As Part of Target, Neiman Marcus Heist

Credit Cards The attackers behind Target's credit card breach also went after customers at other retailers around the country, including high-end retailer Neiman Marcus. Maybe it's time to go back to just using cash.
Shoppers already jittery after Target reported a credit card breach over the holiday season are now faced with the prospect that the attacks were far more widespread than originally thought. It appears Target wasn't the only retailer affected in this breach, as Neiman Marcus and at least three other retailers experienced similar incidents over the same time period, Reuters reported. Security experts have long warned that banks, credit card processors, and retailers are not taking the necessary steps to secure payment card data and personal information, leaving customers vulnerable to fraud and identity theft.
"The impact of the Target breach and other retailers in similar circumstances (and not yet fully disclosed) can have far reaching effects on consumer confidence and impact on the US economy unless steps are taken to address this vulnerability immediately," said Anup Ghosh, founder and CEO of security company Invincea.
More Victims FoundNeiman Marcus discovered its breach on Jan. 1, after receiving reports from a credit card processor about possible unauthorized charges on the accounts of people who had shopped at its stores, reported security writer Brian Krebs. The attack appears to be on a smaller scale, with fewer than one million cards compromised.
While Krebs was not sure whether this breach was related to the attack on Target, sources told Reuters the incidents used similar techniques and could be linked. Like Target, Neiman Marcus said only shoppers who used their cards in the store were affected, not online shoppers.
Target initially reported that 40 million shoppers who used their credit card at one of its retail outlets during the holiday shopping season were affected in a credit card breach. Last week, the CEO of Target acknowledged the breach was bigger than originally thought, as personal information of at least 70 million customers, including names, mailing addresses, telephone numbers, and email addresses were also stolen. There may be some overlap in customers between the initial 40 million and the later 70 million, but Target was unable to say how many were counted twice. Target also admitted that all US shoppers over 2013 were at risk, not just those that visited the store over the holiday season.
Questions, But No AnswersThe investigation is still in the early stages, so there are more questions than answers at this point. This presents a whole new set of challenges, security experts said.
Right now, the big question is, "Am I affected?" and it's hard to tell. Reuters said three other retailers were currently investigating, but had not publicly disclosed the breach at this time. It is also possible there were other, smaller, breaches earlier in 2013, which still have not been publicized.
"All retailers should err on the side of disclosing all consumers that are potentially affected while at the same time disclosing fully what they know about the breach and how it happened," Ghosh said.
Neiman Marcus said it is notifying customers who had fraudulent transactions posted to their accounts, but this leaves a lot of consumers who did shop at the stores wondering and waiting for bad news. It creates what an expert called "data security limbo," as users are aware of a breach but can't take any steps until they receive confirmation. Target also said it was notifying customers about personal information being stolen if an email address was on file.
This kind of selective notification opens up a window of opportunity for attackers to launch secondary attacks, said Angel Grant, director of anti-fraud solutions at RSA. Attackers can take advantage of the confusion to send out emails or even make phone calls to scam users into revealing their personal information and payment card details. Users need to be vigilant for follow-up phishing attempts in the wake of this breach.
Silence is DangerousWhile it's understandable to want to keep information close at hand until the investigation is complete, it doesn't help other retailers. Target is not discussing what happened, and Neiman Marcus is even more close-mouthed about the methods the attackers may have used. At the moment, Target has admitted its point-of-sale software was compromised, and Reuters cites sources who say the attackers used a RAM scraper, a type of malware which captures the temporary data in the computer's memory. There have been a surge in attacks using memory parsing malware recently, and Visa even issued alerts with technical information on how to thwart these types of attacks last year.
While it was not clear whether Target or other retailers had implemented any of the methods to defend against these attacks, sources told Reuters the attackers were much more sophisticated and would have been able to bypass those measures. Based on the fact that personal information was stolen, it was more than likely that Target's breach was "a more widespread compromise of Target's network than simply PoS machines," Ghosh said.
Retailers are likely investigating their networks and trying to figure out whether they have also been affected. This is where information sharing between retailers would be helpful.
As for you and me, maybe we should stick with cash for the time being. It is safer, and the only thing you have to worry about is pickpockets.

Microsoft Twitter accounts hit again by Syrian Electronic Army

Microsoft logo
The Syrian Electronic Army (SEA) hacktivist group has hijacked the Microsoft News and Xbox Support Twitter accounts, marking the second attack on the firm's social media accounts this year.
The SEA targeted the accounts over the weekend, leaving tweets that said: "The Syrian Electronic Army was here." Blogs on its Technet pages were also compromised for a short time. Microsoft confirmed in a statement to V3  its services were breached, but said no user data was affected.
The statement said: "Microsoft is aware of targeted cyber attacks that temporarily affected the Xbox Support and Microsoft News Twitter accounts. The accounts were quickly reset and we can confirm that no customer information was compromised."
The offending messages from its accounts and blogs have now been deleted.
The attack is the second by the SEA to target Microsoft's Twitter accounts this year. The SEA hacked into Skype's blog and Twitter accounts earlier this year. In the previous attack the SEA used the hijacked accounts to post a series of messages criticising Microsoft's privacy practices.
The hacks will no doubt serve as an embarrassment to Microsoft, especially as it would have been working to try and ensure a similar incident could not happen again. The SEA said the attack was designed to punish Microsoft for its supposed involvement in the National Security Agency's (NSA) PRISM campaign.
News of the PRISM campaign broke in 2013 when ex-CIA analyst Edward Snowden leaked documents to the press proving that the NSA was siphoning vast amounts of web user data from several companies, including Microsoft.
The NSA has since moved to downplay the significance of PRISM, claiming its agents only saw 0.00004 percent of the world's web traffic during their missions. Experts have since warned that the PRISM campaign will cause lasting damage to the global economy, despite the NSA's claim.

Google creates privacy concerns with Gmail and Google+ email address sharing plans

Google logo
Google has raised questions over privacy with the announcement of a new Gmail feature that allows users to email people without knowing their email addresses. The function, which links users' Gmail and Google+ contact lists, will be opt-out, so users who do not want to receive unsolicited emails will have to alter their privacy settings.
Every Google+ user – apart from celebrities and public figures with many followers – will by default be able to receive messages from anybody using Gmail who has added them to their Circles. The email address of the recipient is not revealed unless they reply (pictured below). This policy differs slightly to Facebook, which allows users to reply but keeps the interactions within the Facebook platform.
Users can now send emails to Google contacts without email addresses
With Gmail, emails sent in this way will end up in the "social" section of a user's inbox, which separates marketing, personal and social media emails into separate inboxes, depending on a user's preference.
Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), told Reuters the new feature was "troubling", likening it to the Google Buzz tool, which automatically created social networks based on users' email address books. Google Buzz was shut down in 2013 after the firm settled with the Federal Trade Commission two years earlier.
Google is making the most of Gmail's huge user base, attempting to entice users to its other products such as Google+. While the Google+ user base continues to grow – to beyond 300 million active users, according to Google – several of the firm's services now require a Google+ sign-up in order to use them, such as YouTube.
Google said in a blog post that it would be sending emails to users to fully explain the change as the feature is gradually rolled out. David Nachum, product manager, tried to explain the positive behind the move: "Have you ever started typing an email to someone only to realize halfway through the draft that you haven't actually exchanged email addresses?"
If you are nodding your head 'yes' and already have a Google+ profile, then you’re in luck, because now it's easier for people using Gmail and Google+ to connect over email."
However, it looks as if Google is opening itself up for another privacy backlash, at a time when it is being hit with fines for its privacy policies in nations across Europe.

Government urges firms to be 'Cyber Streetwise' with online security campaign

The UK government has launched a new Cyber Streetwise campaign, hoping to educate businesses about how to protect themselves from hackers.
As part of the campaign, the government has launched a new Cyber Streetwise website that offers businesses interactive guides, videos and articles about cyber security. The site is co-sponsored by several private sector companies and agencies including Sophos, Facebook, RBS Group, and Financial Fraud Action UK.
The Home Office claims the site is necessary as recent research shows half of all UK citizens are failing to take even basic measures to protect themselves online.
The research showed that only 44 percent of Brits install antivirus software on new devices and only 37 percent install software patches. It also revealed that 57 percent of UK citizens do not check websites' security credentials before loading their financial details while shopping online.
To counter this the new Home Office Cyber Streetwise site advises businesses to adopt five basic measures. These include, using "strong, memorable passwords", installing antivirus software on all work devices, checking privacy settings on social media, checking the security of online retailers before loading card details and patching systems as soon as updates are available.
Security minister James Brokenshire said the Cyber Streetwise campaign is an essential step in the government's ongoing bid to protect and develop the country's digital economy.
"The internet has radically changed the way we work and socialise. It has created a wealth of opportunities, but with these opportunities there are also threats. As a government we are taking the fight to cyber criminals wherever they are in the world," he said.
"However, by taking a few simple steps while online the public can keep cyber criminals out and their information safe. Cyber Streetwise is an innovative new campaign that will provide everyone with the knowledge and confidence to make simple and effective changes to stay safe online."
The service has been welcomed by numerous security vendors. Global head of Security Research at Sophos James Lyne said the service will be of particular use to small and medium-sized businesses.

"Consumers and SMEs alike are finding new ways to interact online, including via a greater range of devices, but with this enhanced technology comes risk. Sophos Labs finds over 30,000 new infected websites distributing malware every day and, contrary to popular belief, the majority – around 80 percent – are legitimate small business websites that have been hacked,” he said.

“It's therefore vital that small businesses in particular get the basics of security right, from installing antivirus to regularly updating and patching software, using complex passwords and protecting data."

Symantec's UK and Ireland vice president Simon Moor reiterated Lyne’s sentiment, warning that criminals are developing increasingly sophisticated ways to target businesses.

“Online threats are constantly evolving, however people can be lulled into a sense of false security by the sheer ubiquity of connected technology, leaving themselves open to being tricked into downloading malware, or cyber criminals accessing their personal data,” he said.

“Even those tech-savvy people can benefit from a regular reassessment of our usage of web-connected devices. This is why Symantec is supporting cyber streetwise through the provision of information to the site as well as communications to our staff and customers.”
The new campaign is part of the government's ongoing Cyber Security Strategy. The strategy launched in 2011 when the government pledged to invest £650m to bolster the nation's cyber defences. Educating businesses about the threat facing them and cyber best practice has been a staple part of the strategy.
The government launched its Cyber Security Information Sharing Partnership (CISP) in March 2013. CISP is designed to facilitate the sharing of information regarding cyber threats between the public and private sector.

President Obama mulls NSA spying power overhaul after PRISM fallout

US President Barack Obama
US president Barack Obama is considering plans to reform the powers of the National Security Agency (NSA) in the wake of the PRISM security scandal that broke last year.
The White House commissioned a report in December urging the president to address government spying concerns raised by whistleblower Edward Snowden in June. In total, the report suggested 46 recommendations including a ban on mass, unfiltered data collection.
Obama is now consulting on these recommendation and considering what action to take, according to White House press secretary Jay Carney.
“He [Obama] is still in the process of deliberating over the review group’s report and hearing from others on the issues that were raised in the review group’s report,” he said.
“So he’s at that stage still where he’s listening and discussing with a variety of stakeholders these issues, and appreciates very much the opinions and counsel he’s getting on these matters.”
Carney also confirmed that Obama was meeting with the NSA to discuss these plans. “I know he wants to hear from them [the NSA] to discuss with them the status of his review, which is ongoing. The review group’s report was publicly released, as you know, so everybody has had a chance to digest that.
“The president certainly has spent time with it, and as we've said, he believes, with the exception of the one recommendation on which a decision has already been made, a personnel issue, he wants serious consideration of every recommendation from the review group.”
The report issued back in December said: “We recommend that, as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes."
Major tech firms such as Microsoft, Apple and Google will be hoping Obama acts decisively on the issues raised, as they have been highly vocal in their anger at the extent of spying that came to light.