Monthly Archives: June 2014

Google 2-Wallet’s Click Instant Buy Checkout Comes To iOS

About a year ago, Google Wallet launched its Instant Buy API for Android apps, and today it is bringing it to iOS apps. With Instant Buy, developers can integrate Google Wallet’s checkout into their apps and have users check out with as few as two clicks.

The Instant Buy API gives developers an easy way to access and store payment data in the cloud. The shipping and credit card information is stored on Google’s servers and Google only passes this information to the merchant after a user has decided to complete the order. The merchant can then run this information through any existing payment processor. Google itself does not charge any fees for this service, but it does provide its own fraud-monitoring service in addition to the credit card issuer’s existing systems.

All of this, unsurprisingly, plays together very well with Google+ sign-in.

One of the biggest issues with mobile e-commerce is that users abandon their shopping carts at alarming rates. One of the reasons for this is that mobile checkout is often annoying, given that you typically have to type in your credit card number and address — something that’s rather error-prone on a phone. Instant Buy and many other payment solutions aim to simplify this and, according to Google, the results have been pretty encouraging so far. On Android, Fancy increased its conversion rate by 20 percent after it implemented Instant Buy, for example.

Developers who want to implement this service can’t just get to work without Google’s approval, though. They will have to sign up here and then wait to get waitlisted by the company before they can integrate Instant Buy into their apps.

The new feature is launching with a number of partners, most of which already support it in their Android apps. They include B&H, Eat24, Fancy, Newegg, Sionic Mobile and




via: techcrunch

Amazon’s new Fire Phone

No, really!

Amazon has finally released its own smartphone. The Fire Phone, which runs on Amazon’s Android-based Fire OS 3.5 and incorporates a host of features designed to make your life easier, debuted Wednesday in a Seattle event hosted by Jeff Bezos. Here’s a look at what’s been brewing behind the scenes for all this time.


The look of the thing

At its core, the Fire Phone isn’t much different than any other high-end handset on the market right now – 2.2GHz quad-core processor, 2GB RAM, 4.7-inch 720p screen, 32GB of base storage, and so on. But Amazon has gone out of its way to include some unique bells and whistles, as we’ll see.

Rubberized construction

Given that we’ve had glass, plastic, and metal phones already, it was inevitable that Amazon would do its best to set the Fire Phone apart with a unique rubberized build. Oh, and it also blends in Gorilla Glass, stainless steel, and aluminum. So it’s got most of the build bases covered, really.

Cool camera

While it’s hardly unique, the Fire Phone’s 13MP main shooter is still impressive, packing HDR and optical image stabilization capabilities, along with a wide aperture lens. The coolest part of the camera, however, might be the…

Unlimited cloud photo storage

Yeah. Unlimited storage in Amazon’s cloud for your photos and videos, automatically backed up wirelessly and available on other Fire devices and Cloud Drive apps, may be the main eyebrow-raiser in the Fire Phone’s imaging suite.

Mayday button

The Mayday feature introduced in the latest models of the Kindle Fire tablet line has made it to the Fire Phone, allowing users to summon live Amazon tech support via video link at the touch of a button.


This will likely be Amazon’s most talked-about Fire Phone feature. Take a picture of a product, and Amazon searches for pricing and availability. It also recognizes music, movies, and TV shows from their audio, can capture phone numbers and email addresses from advertisements, and rubs your back when you’re stressed. (Last thing may not be true.)

Dynamic perspective

The Fire Phone uses four small but sophisticated cameras, located at each corner of the device’s front, to track head movements and gestures, allowing users to exercise a degree of one-handed control over the device.

A free year of Amazon Prime

Users can get a free year of Amazon’s Prime service if they pre-order soon enough – the device will ship July 25, and pre-orders are already open. Tough luck if you’re not an AT&T fan, though – the Fire Phone is an AT&T exclusive. The 32GB model will cost you $200 with the usual two-year contract, or $650 without a subsidy.



Via: networkworld

US court finds warrantless tracking of mobile phones unconstitutional

The US government and police regularly pull location data off of cell phone towers or stick GPS trackers on cars to track people and place criminals near crime scenes – often without a warrant.

In what the American Civil Liberties Union (ACLU) calls a “huge victory”, an appeals court on Wednesday ruled that such warrantless search violates the US Constitution.

The court – the US Court of Appeals for the Eleventh Circuit, covering Florida, Alabama, and Georgia – ruled that the government illegally obtained Quartavious Davis’ mobile phone location data to help convict him in a string of armed robberies in Miami.

The court further stated, unequivocally, that such location data is protected by the Fourth Amendment, which prohibits unreasonable searches and seizures.

From the opinion (PDF), written by Judge David Sentelle:

In short, we hold that cell site location information is within the subscriber’s reasonable expectation of privacy. The obtaining of that data without a warrant is a Fourth Amendment violation.

This ruling comes almost a year after a ruling by the US Appeals Court for the Fifth Circuit, which concluded that location data stored on mobile devices is not protected under the Constitution.

Due to jurisdiction, Wednesday’s ruling that such data is in fact Constitutionally protected won’t overrule the earlier decision from the Fifth Circuit, but it adds a strong voice to the argument that mobile devices’ constant broadcasting of location data should be protected under federal law.

The ACLU, which argued in favor of the eventual outcome in the Davis case, applauded the decision in a tweet:

      In huge #privacy victory, appeals court rules collection of cell location info w/out warrant violates #4thamendment

In their 38-page decision, the judges looked at diverse facets of intercepting wireless location data, including both as it regards the content, which they said has already been protected:

… it cannot be denied that the Fourth Amendment protection against unreasonable searches and seizures shields the people from the warrantless interception of electronic data or sound waves carrying communications.

…as well as the implications of tracking a person’s location.

With regards to tracking a person’s location, the court examined the difference between what can be gleaned over a limited tracking time – you can find that a woman went to a gynecologist, for example – and a prolonged tracking time, which creates a “mosaic” of data points that tells a fuller story: for example, a woman went to a gynecologist and then a few weeks later visited a baby supply store.

The government often relies on such mosaics in cases involving national security. The Supreme Court in the past has observed that in such a context,

…what may seem trivial to the uninformed, may appear of great moment to one who has a broad view of the scene and may put the questioned item of information in its proper context.

What implications might this have for organizations such as the National Security Agency that are using our wireless gadgets to track our movements?

Not much, unfortunately.

Specifically, I’m thinking about how the NSA tracks hundreds of millions of mobile phone locations worldwide.

They’ll keep right on doing so, regardless of this ruling, given that the agency has an executive order allowing it to conduct international surveillance as long as it’s not constitutionally protected.

Sorry, rest of the world!



Via: sophos

AT&T Blames Vendor for Customer Data Breach

Jon Rudolph, senior software engineer at Core Security, said AT&T’s statement indicated the company could not or did not sufficiently limit the partner access to its data. As Rudolph sees it, AT&T is talking about the behavior of the partner when it should be talking about how this customer data was exposed to a breach in the first place.

AT&T has confirmed a data breach but there are yet many unknown details. The telecom giant said it recently learned that three employees of one of its vendors accessed some of its customer accounts without proper authorization. AT&T did not disclose the number of accounts or what information was breached.

“This is completely counter to the way we require our vendors to conduct business,” AT&T said in a published statement. “We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.”

An undisclosed number of call records and Social Security Numbers were accessed sometime between April 9 and April 21, AT&T confirmed. The accounts were accessed as “part of an effort to request codes from AT&T that are used to ‘unlock’ AT&T mobile phones in the secondary mobile phone market,” the company said.

Customers can request that phones be unlocked once they have fulfilled their wireless contract. AT&T believes the aim of the breach was to spoof customer identities in order to unlock phones, which are worth more on the secondhand market.

Accounting for Shades of Gray

We caught up with Alberto Solino, a technical program manager at security
software and services firm Core Security, to get his take on the breach. He told us this is another example of companies failing to understand the risks that come along with third-party access — and facing a crisis that may have been prevented by proactively seeking out or understanding potential attack paths.

“You can’t make assumptions when it comes to security,” Solino said. “You have to find these attack paths and validate them before someone else does or your business and most critical assets will always be at risk.”

Andy Rappaport, chief architect at Core Security, told us privileged partners are in a gray area between insiders and outsiders. Security enforcement, network access, identity- and access-management entitlements, and auditing must account for these shades of gray.

Rappaport said he understands that business efficiency thrives on efficient supply-chains and federated partnerships. Security and access control are necessary to allow speed, he said, just like cars ultimately need brakes in order to safely travel fast.

“A company’s attack surface grows as an exponent of the reliance on partners, outsourcing and even Software-as-a-Service,” Rappaport said. “They are relying on not only their security policy and enforcement, but also on their partner’s. It stretches the trust boundaries beyond the enterprise.”

Preventing Partner Misbehavior

Jon Rudolph, senior software engineer at Core Security, said AT&T’s statement indicated the company could not or did not sufficiently limit the partner access to its data. As Rudolph sees it, AT&T is talking about the behavior of the partner when it should be talking about how this information was exposed in the first place.

“Is this about requiring partner behavior or preventing partner misbehavior? If we’re talking about security, it’s the latter,” he said, noting it’s possible that customer identity was a necessary vector in getting the phones unlocked. “Are companies thinking about what attack paths are possible through the identities in their business? In this case, it sounds like the downstream effect of getting the unlock codes was a privacy breach.”

Rudolph concluded that it’s valuable for enterprises to see events like this coming so they can stay one step ahead. Three trusted individuals allegedly looking to make some money, and potentially hundreds of customers affected as a side effect, he said, and this should matter to companies.



Via: enterprise-security-today

Iraqi government blocks social media

The government in Iraq is reportedly blocking access to social media sites amid growing armed conflict in the country.

The move comes after Islamist insurgents used Twitter to post an image of a beheaded man, and to spread propaganda messages, reports the BBC.

Getty Images/iStockphoto

Authorities in Turkey imposed a similar ban in the run up to election in March to clamp down on anti-government content.

Psiphon, a system that enables users to bypass internet censorship, reported more than 550,000 users on Sunday compared with just 8,000 before the blocks were imposed in Iraq.

Civil liberties groups have criticised the block, arguing that just like Turkey, the government blocks harm those using social media for legitimate purposes.

“They are cutting off a lifeline for activists and other to the outside world,” said Jillian York, director for international freedom of expression at the Electronic Frontier Foundation.

A Facebook spokesperson said: “Limiting access to internet services – essential for communication and commerce for millions of people – is a matter of concern for the global community.”

Iraqis were used to internet controls during Saddam Hussein’s presidency, but have had open access to the internet in the interim.


This is an example that “any” government can control things when they want to.

Start now to make sure you are staying prepared.


Via: computerweekly

Microsoft admits running out of IP addresses for Azure

Microsoft has admitted it runs out of Internet Protocol version 4 (IPv4) addresses in the US occasionally, but has assured Azure US customers that their data will remain in the US.

Some US customers of Microsoft’s Azure cloud platform service were concerned when they noticed that some virtual machines being used for their workloads had been assigned non-US IP addresses.

But IPv4 address space has been fully assigned in the US, Ganesh Srinivasan, Microsoft’s senior program manager, said in a blog post.

“This requires Microsoft to use the IPv4 address space available to us globally,” he said.

IPv4 provided a 32-bit addressing system, but that meant there was a relatively limited number of IP addresses of roughly 4.3 billion to be shared around the world.

Srinivasan said it was not possible to transfer registration because the IP space is allocated to the registration authorities by the Internet Assigned Numbers Authority.

This means that although a service may appear as though it is coming from a non-US location, the servers providing services to US customers remain in the US.

“Thus when you deploy to a US region, your service is still hosted in US and your customer data will remain in the US,” said Srinivasan.

Large companies like Microsoft bought up large blocks of IPv4 addresses, but as the number of internet-connected devices and services increase, all the available IPv4 addresses will eventually be exhausted.

For this reason, companies around the world will have to start moving over to the next-generation IP addressing system, IPv6.

IPv6 is based on 128 bits, which means it provides more than four billion times more IP addresses than IPv4.

In its Azure website, Microsoft says it has built IPv6 support into many of its products and solutions like Windows 8 and Windows Server 2012 R2.

The foundational work to enable IPv6 in the Azure environment, it claims, is well underway.

“However, we are unable to share a date when IPv6 support will be generally available at this time,” the company said.

While IPv6 solves the problem of running out of addresses, organisations will have to change the way they do networking as the world moves from IPv4 to IPv6.

One important area of concern is data security.

The move to IPv6 has several security implications. First, most operating systems include some sort of IPv6 support by default.

This means networks have at least partial deployment of IPv6, often without IT realising. This in turn means IPv6 support could be used by attackers for a number of malicious purposes such as evading network security controls or triggering VPN leakages.

Second, IPv4 and IPv6 will co-exist for some time, so it will become common for allegedly “IPv4-only” nodes to communicate with IPv6 nodes through the aid of transition or co-existence technologies.

This means attackers can more easily obfuscate attacks using IPv4 and IPv6.

Finally, many organisations will need to deploy IPv6 sooner or later, and quickly learn the details of IPv6 security so that an informed deployment and transition plan can be implemented.


Via: computerweekly

Domino’s won’t pay ransom on 600,000 record hack

Details of 600,000 French and Belgian customers to be released tonight if ransom not paid today say hackers.

Domino’s Pizza in France and Belgium have had their servers hacked, with more than 600,000 customer records stolen by hacker group Rex Mundi which is demanding a €30,000 (£24,000) ($40,000) ransom or it says it will publish the details on the internet at 8pm CET (7pm BST) tonight.

In a message posted to an online clipboard Rex Mundi announced, “We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 from Belgian ones,” adding: “We used the contact forms on their websites to let them know of this vulnerability and to offer them not to release this data in exchange for 30,000 Euros….both of their websites are still up and vulnerable.” Sample data from the French website was published with the notification, including passwords, email addresses, home addresses and phone numbers – as well as customers’ favourite toppings.

Domino’s is reportedly refusing to pay the ransom, with the head of Domino’s Netherlands Andre Ten Wolde telling local newspaper De Standaard that the company will not be paying the ransom and assuring customers that no financial information is included in the stolen data. Meanwhile Domino’s France  recommended that users change their passwords.

In response, yesterday the group tweeted messages seeking to put pressure on the company,  saying:

@dominos_pizzafrcustomer, u may want to know that we have offered Domino’s not to publish your data in exchange for 30,000EUR.

“PSA: If @dominos_pizzafr doesn’t pay us tomorrow and we publish your data, u have the right to sue them. Speak to yr lawyer!

—     Rex Mundi (@RexMundi_Anon) June 15, 2014

Bob Tarzey, an analyst and director IT business and analysis house Quocirca told “Not giving in to ransom is the right thing as, once you start doing it you are encouraging others to do so.  Businesses need to take a collective stand, working with government and industry bodies.”

He adds that the level of culpability by Dominos will be determined by the regulators who will take a view on the level of security in place, its implementation and security practices, and the detailed nature of the breach.

In an email to SC George Anderson, director at Webroot, also supported the approach of not giving in to ransom, saying, “It is reassuring to see that companies that find themselves targeted by hackers looking to make a quick buck are refusing to pay up. After all, when it comes to data theft, there is no guarantee the hackers wouldn’t release the data, even if ransom was paid, as they may equally accept the money and then try to sell the data on illegal forums, in hope of doubling their profits.

“This is slightly different to what we saw last week, when Feedly and Evernote were targeted by DDoS extortion attacks. Usually, organisations that give in and pay are spared being DDoSed – but only because following through with a DDoS attack requires slightly more effort on the hackers’ side, than publishing the data that has already been downloaded.

“However, companies that fall victim to money extortion attacks should under no circumstances agree to play by hackers’ terms. Instead, organisations that hold customer data should ensure they maintain a structured, multi-layered approach to security spanning data encryption through to security software that is updated and reviewed on a regular basis, to limit their chances of becoming an easy extortion target.”

Jason Hart, VP Cloud Solutions at SafeNet also encouraged better use of encryption in an email to journalists, saying: “The latest breach continues to raise public awareness of the need for encryption – not just of financial data, but also wider customer information.

“The fact that financial information was not compromised minimises the severity of the breach. But given the increasing number of data breaches we’re seeing, it’s clear that companies need to start thinking about encrypting more than just financial data. If not they run the risk of losing customers to those competitors that do.

According to SafeNet’s own Breach Level Index, which classifies the severity of a breach, the Domino’s breach is given a severity rating of 7.7, making it a ‘severe’ data breach.”

David Emm senior security researcher at Kaspersky Lab, agreed that data security needs to be given a higher priority in an email to SC saying: While it’s important to try and keep out intruders, it’s equally important that organisations secure data that’s behind their perimeter defences so that, if those defences are breached, an attacker isn’t able to obtain confidential data that can be used to compromise the online identities of its customers.  The fact that credit card details and other financial data weren’t stolen in this case is good, but the theft of personal information is bad news for customers too.  This is especially true of passwords since, sadly, many people use the same passwords for many of (or all) their online accounts.”

Steve Smith, MD of data security firm Pentura was also concerned that the personal details of so many customers were seemingly left unencrypted and susceptible to this kind of attack, saying: “If claims are accurate and indeed 600,000 customer records have been compromised that is a truly staggering amount of data that should have been better protected.  The value of that data to criminals and fraudsters should not be underestimated nor should the potential damage that could be caused to individuals.”

Tarzey questioned whether either encryption or password security were necessarily a factor every time there is a breach, commenting: “Encryption isn’t the be all and end all – depending how the data has been accessed.  Similarly, the instruction to change passwords should have a caveat, depending on the practice you use: not everyone uses the same password for everything – and if your financial details are not included, a low level access such as a social networking log-in could be appropriate for ordering pizza.  There are other solutions.”

Tarzey also pointed out that the data gathered was only the first stage of any exploitation and would then need to be used to gather more data to commit a fraud.  Smith also addressed this aspect, commenting: “People should also be very cautious about clicking on links in emails which claim to be from Domino’s, no matter how authentic they seem to be.  There’s a very real risk that attackers will try and exploit this attack to send phishing emails to users, to try and harvest more sensitive data.”


Via: scmagazineuk

Cyber crime a top fraud concern for UK business

Cyber crime is a top fraud concern for UK businesses, according to the latest EY Global Fraud Survey.

UK businesses see cyber crime as a bigger threat than their international counterparts, with 74% of respondents rating it as a high risk to their organisation, compared with 49% globally.

Businesses are also more concerned with the cyber threat from their own employees (36%) than from organised crime (26%).

Paul Walker, head of forensic technology and discovery services at EY, said this may not necessarily indicate mistrust between employers and employees.

“The issue is whether employees take cyber crime as seriously as management do, and the fact that employees are sometimes seen as the weak link,” he said.

The survey included in-depth interviews with more than 2,700 executives across 59 countries, including chief financial officers, chief compliance officers, general counsel and heads of internal audit.

“The rest of the world is playing catch-up with the UK in recognising cyber crime as a serious threat,” said John Smart, head of EY’s UK fraud investigation and dispute services practice.

“High-profile cyber crime incidents and a number of government initiatives may have played an important role in ensuring high awareness of this issue among UK business leaders,” he said.

However, Smart said businesses now need to look at how they respond to these dangers.

“Awareness is just the beginning and business leaders need to ensure robust incident response strategies are in place,” he said.


Via: computerweekly

Amazon Adds Audible Integration To iOS And Android Kindle Apps For Easy Listening

Sometimes you want to read, and sometimes you want to listen – and you might get through more books if you can switch easily between the two options. Amazon recognizes this, and has used its Audible acquisition to make it easy to switch seamlessly between reading an e-book and listening to an audiobook in its Kindle apps for iOS and Android.

The Kindle apps now let you switch to the Audible version with a single tap, provided you’ve paid for the audio upgrade of the book you’re reading. The audio upgrades start at $0.99 per title, but range up to around $3.99 or more for top-selling titles like “The Hunger Games.” Remember that you’ve already purchased the Kindle versions of these books, too, so it’s very possible that you’ll essentially be paying double for the same content, though in most cases the Audible upgrade is quite a bit cheaper.

It’s a smart way to drive additional revenue from existing purchases for Amazon, but it’s also genuinely useful for people who have a mixed commute or a busy schedule and would like to continue “reading” even when they’re unable to do so – like when they go from a subway ride to a drive for the final leg of their trip home, for instance.

The update should be rolling out to the iOS App Store and Google Play today, so check your updates if you want to start listening to those books.



Via: techcrunch

Audibly Turns Multiple iOS Devices Into A Wireless Surround-Sound System

A team of three young coders has come up with a way to turn your iPhone’s speakers into a wireless surround-sound system, thanks to a mobile app called Audibly.

The app, which is perfect for parties or for blasting music when decent speakers aren’t readily available, uses technology found on newer devices (running iOS 7 or higher) in order to sync songs to multiple people’s iPhones or iPads simultaneously, effectively turning them into an ad hoc surround-sound system.

Audibly’s co-founders first met last year at WWDC 2013 after receiving one of the many scholarships Apple gives to student coders who would never be able to otherwise afford the ticket prices. In 2013, Apple invited 150 students to attend its annual developer conference, but this year, it expanded that to 200. Explains Audibly co-founder Veeral Patel, a 17-year-old high school student from New Jersey, one of the best things about attending WWDC was meeting other like-minded people.

“We hadn’t known any developers in our area, and WWDC gave us the chance to make friends that were just like us,” he says.

Patel and the remaining team members, Nick Frey and Chris Galzerano, were sitting in a WWDC session on multi-peer connectivity — then being introduced in iOS 7 — when they came up with the idea for the app. In fact, they were so excited to get started, they didn’t even finish the session. Instead, they ran to WWDC’s Labs to get help from Apple engineers as they began to code.

By the end of the conference, they even had a working prototype of their idea in place.

Over the course of the next year, the founders, who were all attending high school in separate states (Frey in Iowa, Galzerano in Pittsburgh), continued to refine their idea. They chatted over Facebook Messenger, taking some breaks along the way to focus on school.

Initially, they had the app actually transferring the entire song from one phone to the next, but found that took far too long. So they settled on streaming the song instead. In other words, the person who has a physical copy of the song saved on their iPhone can use Audibly to stream it to their friends’ devices by tapping the “broadcast” button in the app.

Those who want to receive the stream will launch Audibly, and tap on their friend’s name to connect. The person streaming then approves the request and – tada! – makeshift wireless speakers.

Patel admits the system, which relies on peer-to-peer Wi-Fi, isn’t always perfect. If you don’t have a good signal, for example, a stream could get out of sync for a second. And they haven’t really “stress tested” how far apart the devices can be for this to work. (But those in the same room together should be fine, he says.)

Plus, when you’re listening to a shared track, you can favorite it with a heart. Later, you can return to your list of favorites to play those again in Spotify or Rdio, or buy the track for yourself on iTunes.

Now that Audibly is live, the team is working on what comes next: integrations with more services. Now you have to have a physical copy of the song to start the stream, but they’re looking to tap into APIs for other services, like Spotify or Beats, to share tracks via cloud music services, too. They’re also working on YouTube integration, which would let one person paste a YouTube URL to allow recipients to hear the audio stream for that video.

The co-founders also just met up for a second time at this year’s WWDC 2014, where they’ve now learned another handy trick: making money. In a future release, they’ll implement an affiliate model, allowing them to take a percentage of the iTunes purchases made through their app.

In the meantime, Audibly is a free download here on iTunes. It works reliably with up to 6 devices, we’re told, but you can use more.


via: techcrunch