Monthly Archives: August 2014

Poweliks malware caught hiding in Windows Registry

Hackers are using malware codenamed Poweliks to steal information from Microsoft Windows customers, according to Trend Micro.

Trend Micro threat analyst Roddell Santos said in a blog post that the malware hides itself in the Windows Registry, making it difficult for traditional security services to detect and remove.

“Based on our analysis, TROJ_POWELIKS checks if Windows PowerShell is installed on the affected system, if not, it downloads and installs it to the infected system. This will be used later to execute the encoded script file,” explained Santos.

“As such, PowerShell runs the encoded script containing the malware’s executable code (which is also a .DLL) responsible for downloading other malicious files onto the infected system. This technique is done as part of its evasion tactic since it will not be directly executed by Windows or any application.”

Trend Micro vice president of cloud and emerging technologies Mark Nunnikhoven told V3 that while Poweliks only features basic data-stealing powers, its detection-dodging technique could be used to mount more dangerous follow-up cyber strikes.

“The danger here is that there is almost no footprint on the infected machine. It’s an effective mule for other types of malware and attacks that the cyber criminal might wish to use,” he said.

Nunnikhoven said there are ways businesses can protect themselves from Poweliks and recommended IT managers adopt them sooner rather than later.

“In this case, your defences must be able to conduct memory analysis in order to detect TROJ_POWELIKS.A. File-based scanning won’t catch it due to its extremely low footprint,” he explained.

“The key takeaway here is that cyber criminals continue to innovate and develop new types of attacks. We’re seeing a significant amount of effort put into evasion and stealth techniques in order to ensure successful attacks. Businesses need to ensure that they’ve deployed modern defences in order to stay safe.”

Information-stealing cyber attacks are a constant threat facing businesses. Research from PwC and the UK Department for Business, Innovation and Skills (BIS) estimated in April that cyber attacks are costing UK businesses as much as £1.15m per breach.
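Because the encoded script described above sits in registry data rather than in a file, a defender can review registry values directly alongside memory analysis. The following is an added example, not code from Trend Micro or V3: it flags values that launch PowerShell with an encoded command, or that hold Base64 text decoding to a PE (executable/DLL) header. The registry keys, value names and sample data are constructed placeholders, not indicators for this malware.

```python
import base64
import re

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

# Constructed registry export (key, value name, data); not real indicators.
SAMPLE_VALUES = [
    (r"HKCU\Software\ExampleVendor", "UpdaterPath",
     r"C:\Program Files\Example\updater.exe /silent"),
    (r"HKCU\Software\ExampleA", "(Default)",
     "powershell.exe -NoProfile -enc "
     + _b64("Write-Output 'constructed sample'".encode("utf-16-le"))),
    (r"HKCU\Software\ExampleB", "Data", _b64(b"MZ\x90\x00" + b"\x00" * 96)),
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand, any prefix of it (-e, -enc) and the -ec alias."""
    name = token.lstrip("-").lower()
    return bool(name) and ("encodedcommand".startswith(name) or name == "ec")

def review_value(data: str) -> list:
    """Return (finding, detail) pairs for one registry value's data."""
    findings = []
    tokens = data.split()
    if re.search(r"(?i)\bpowershell(\.exe)?\b", data):
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith("-") and is_encoded_flag(tok):
                try:  # -EncodedCommand takes Base64 of a UTF-16LE script
                    raw = base64.b64decode(tokens[i + 1], validate=True)
                    script = raw.decode("utf-16-le")
                except ValueError:
                    script = "<undecodable>"
                findings.append(("encoded-powershell", script))
    for run in B64_RUN.findall(data):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if raw[:2] == b"MZ":  # PE header: an executable or DLL stored as text
            findings.append(("embedded-pe", f"{len(raw)} bytes"))
    return findings

def review(values):
    """Flatten findings to (key, value name, (finding, detail)) tuples."""
    return [(k, n, f) for k, n, d in values for f in review_value(d)]
```

Calling `review(SAMPLE_VALUES)` reports the two constructed suspicious values and leaves the ordinary updater path alone.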

 

FOR NORTON USERS

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

 

Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious file despite its evasion tactics.

 

Via: v3

Unlocking Your Cell Phone In The U.S. Is Officially Legal Again

For the past 2 years, unlocking your cell phone without your carrier’s permission has, for absolutely ridiculous reasons, been illegal in the United States.

Not anymore!

As we covered at greater depth last week, the US Congress and Senate were both in agreement that unlocking a cell phone should not be an illegal act (punishable by up to 5 years in jail, no less!)

The only thing left was for the President to put his stamp on it. Consider it done. The bill is set to be reviewed every 3 years so things may very well change moving forward — but for now, you’re good.

So go! Be free! As long as your phone is paid in full (read: you can’t just go grab a phone at a deep discount then disappear into the ether), you’re free to unlock it without that lingering fear that you might be that one person who actually gets busted for something so dumb.

 

Via: techcrunch

Microsoft must disclose data held in Dublin datacentre, rules US federal judge

Privacy and data protection in the cloud suffered a setback on Thursday as a US federal court ruled that Microsoft must comply with a US warrant and hand over customer email data stored in its Dublin cloud datacentre.

District Judge Loretta Preska from the US Court for the Southern District of New York upheld a US magistrate judge’s ruling on Microsoft customer data held overseas.

Microsoft’s general counsel and executive vice-president, Brad Smith, said: “The District Court’s decision would not represent the final step in this process.

“We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the US and around the world.”

It is believed that this is the first time an American enterprise has fought a domestic search warrant for customer data stored outside the US. Other cloud providers including Verizon, Apple and Cisco are all backing Microsoft’s challenge against the court ruling around cloud customer data.

Just a day ahead of the ruling, Smith wrote a column in the Wall Street Journal explaining why Microsoft is opposing the US government’s demand for a customer’s email stored in Dublin, Ireland.

Smith wrote, “This dispute should be important to you if you use email, because it could well turn on who owns your email – you or the company that stores it in the cloud.

“Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by email.”

The federal judge ruling comes three months after a US magistrate judge ordered Microsoft to give the District Court access to the contents of one of its customer’s emails stored on a server located in Dublin.

At that time, Microsoft challenged the ruling. It said: “The US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas.”

But on Thursday, Judge Preska upheld the ruling, saying the physical location of the data is irrelevant. According to the US court, the law authorises the American government to seek information – including the content of an email – by way of subpoena, court order or warrant.

“Microsoft’s argument is simple, perhaps deceptively so,” Judge Francis had said in an official document in April when Microsoft challenged the ruling.

But Microsoft has argued that, just like a US search warrant in the physical world can only be used to obtain materials that are within the territory of the US, the same rules should apply in the online world. According to the Azure cloud provider, the data privacy provisions in the Electronic Communications Privacy Act (ECPA) do not apply outside of US territory.

The first US warrant for data was issued back in December 2013 when the US judges wanted access to a Microsoft customer’s email data stored in Ireland in connection with a narcotics investigation. Microsoft has continuously challenged the ruling.

Microsoft’s €480m European datacentre in Dublin, catering to its Azure cloud users, opened in 2009.

Microsoft can appeal the district judge’s decision to the second US Circuit Court of Appeals. But the ruling may reinforce the data protection and privacy concerns in cloud services prevalent among European customers.

 

Via: computerweekly

UK To Put Driverless Cars On Public Roads By January


The UK is planning to allow driverless cars to use public roads by next year. At the moment, autonomous vehicles are only allowed on private roads. It’s expected that the first vehicles will be seen on some British streets by January next year.

Previously, the Department for Transport had said it would allow self-driving cars to be trialled on public roads by the end of 2013. Last December, the Treasury outlined a plan to create a £10m prize to fund a town or city to test driverless cars.

Both the Business Secretary Vince Cable and Chancellor George Osborne have been pushing for the legislation to ensure that “the UK is the right place to develop and test driverless cars.”

The announcement was hinted at earlier this month when we reported that the UK’s government-backed Technology Strategy Board had called for the establishment of test sites where robotics and autonomous systems (RAS) could be tested.

So while driverless cars will be the technology the media obsesses about, in fact it’s part of a much wider push to test and deploy other kinds of robotic and autonomous systems.

In December last year the government released a National Infrastructure Plan that outlined its commitment to the development of a robot-powered driverless future, but no timetable was set out.

This new announcement is therefore officially committing the UK to a driverless car future.

 

Via: techcrunch

Hilton Turns Smartphones Into Room Keys

Hilton hotel chain plans to let smartphones unlock guest rooms starting next year.

Hilton Worldwide plans to allow guests to check-in and choose their rooms using mobile devices, and even to unlock their hotel rooms.

By the end of the year, Hilton says it will offer digital check-in and room selection at 11 of its brands, across more than 4,000 properties. The service will be available to Hilton HHonors members in more than 80 countries, the company said.

“We analyzed data and feedback from more than 40 million HHonors members, as well as guest surveys, social media posts, and review sites, and it’s clear that guests want greater choice and control,” said Geraldine Calpin, SVP and global head of digital at Hilton Worldwide, in a statement.

Calpin cited a company-commissioned study conducted by Edelman Berland that indicates some 84% of business travelers want the ability to choose their own room. Calpin said Hilton is enabling guests to select rooms, room types, and room numbers, subject to availability, using mobile devices.

Hilton began piloting an early version of its digital check-in application five years ago and released the first version of its hospitality software, Conrad Concierge, in 2012. Its study was conducted July 7-11 this year, making the findings a convenient affirmation of a longstanding commitment to hospitality-oriented technology.

Starting next year, that commitment includes enabling guests to use their smartphones as room keys. Hilton plans to introduce the technology to lock and unlock hotel rooms via smartphone in 2015 and to make the technology available at US hotels across four of its brands by the end of next year. By the end of 2016, the company expects the majority of its rooms worldwide will accept smartphones as keys.

Christopher J. Nassetta, president and CEO of Hilton Worldwide, said that since travelers are using smartphones as boarding passes, it follows that they will want to use their mobile devices as keys.

“We have spent the past few years testing a number of different options to make this vision a reality, and we are developing proprietary technology that is safe and reliable for our guests to use, and cost-effective for our hotels to install,” he said in a statement.

Ensuring that the technology can be used safely may not be that easy. In September 2012, according to a report published two months later by Forbes, an IT services consultant for Dell returned to her Hyatt room in Houston, Texas, to find her laptop stolen. The hotel concluded that the thief had entered the room by exploiting a vulnerability in a digital lock made by Onity. The vulnerability had been disclosed at the Black Hat security conference in July 2012, and Onity said it shipped a fix to customers the following month.

Hilton did not immediately respond to a request for comment about its approach to lock security.

Hotels tend to be safer than homes. People are far more likely to experience property crime in or around their own homes (63.7% of incidents, 2004-2008) than in a hotel or motel room (0.3% of incidents, 2004-2008), according to the Bureau of Justice Statistics. Nonetheless, hotel crime remains a significant problem. A 2004 study of crimes against hotel visitors in Miami found 600 police reports during the 2000-2003 period.

Cody Brocious, the senior security consultant with Accuvant LABS who identified the flaw in Onity locks, said in an email that as long as we have digital locks, there will be vulnerabilities.

“Bugs are always going to be present; we’re talking about fairly complex pieces of tech that can’t easily be updated in the field and generally have very little in the way of proper testing,” Brocious said. “As long as these locks are protecting valuables, there will be the chance that someone will hunt down those bugs and exploit them.”


Via: informationweek

Prepare For Emergencies Through Crowdsourcing


If flooding in your town is imminent, do you know where to go to stay safe? If a heat warning has been put in place, can you find the nearest cooling center to cool down? Using the Federal Emergency Management Agency’s OpenFEMA Initiative, Appallicious created the Disaster Assessment and Assistance Dashboard (DAAD) that offers communities a tool for recovery efforts.

Appallicious is a civic startup that helps governments better serve their citizens using data. Today, CEO and founder Yo Yoshida will be one of about 20 presenters at the White House Innovation for Disaster Response and Recovery Initiative Demo Day, following a speech from President Obama.

DAAD, which emerged from the White House Safety Datapalooza, is a web-based (mobile enabled) application that uses data from FEMA’s open data portal. The dashboard provides a world map, where you can zoom into your town or city and find data sets. So once you click on resources and hit Police, all police stations will be labeled with a pointer on the map.

Appallicious announced today that they will be launching the pilot program of DAAD in San Francisco in two weeks.


What makes DAAD special is it allows community members to go into the service and add items they own that can be useful in emergency situations.

“A chainsaw, it’s probably one of the most valuable tools, and you probably have six of them in your local zip code or within your neighbors’ resources but that’s not listed anywhere,” Yoshida said. “The idea is to give people or empower them to be able to identify what they have within their own community, and power FEMA to be able to identify and look at what they have in different communities.”

The dashboard isn’t just for community members to input data: cities can use it to add places such as cooling centers in the event of a heat warning, and organizations that own large open spaces can add places where people can sleep.

DAAD is trying to help communities prepare for a disaster before it strikes by giving them a place to integrate their own data to empower the community, creating a sustainable economic recovery initiative that FEMA can benefit from during emergencies. You might think DAAD is useless in a post-disaster scenario if internet access is down, but the goal is to have printed manuals of these data sets and resources available in the community before disaster hits. The dashboard allows users to print anything they find useful.

Today’s White House briefing will also feature the likes of Google and Airbnb. In the same vein as DAAD, Google now allows users to add data to its crisis map service and will be discussing that at the presentation.

 

Start now to make sure you are staying prepared.

Via: techcrunch

iPhone gets first free app for encrypting voice calls

Signal is compatible with RedPhone, its Android sibling.

An open-source project has released the first free application for the iPhone that scrambles voice calls, which would thwart government surveillance or eavesdropping by hackers.

Signal comes from Open Whisper Systems, which developed RedPhone and TextSecure, both Android applications that encrypt calls and text messages.

The application is compatible with RedPhone and eventually RedPhone and TextSecure will be combined in a single Android application and called Signal as well, according to a blog post.

Signal is notable for two reasons. First, it’s free. There are many voice call encryption products on the market for various platforms, most of which are not cheap and are aimed at enterprise users.

Second, Signal is open source code, meaning developers can look at the code and verify its integrity. That’s important because of concerns that software vendors have been pressured into adding “backdoors” into their products that could assist government surveillance programs.

The beauty of Signal is its simplicity. Setup requires verifying the device’s phone number through a one-time code that is sent by SMS. Signal displays only the contact details of the other user who has it installed.

It provides end-to-end encryption of voice calls over a data connection. Signal displays two words on a screen during a call, which are meant to be verified with the party on the other end to ensure a man-in-the-middle attack isn’t underway.
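Why comparing two spoken words exposes a man-in-the-middle can be shown with a small model. This is an added illustration, not Signal's code: it assumes the words are derived from a hash of the key the two phones negotiate, and it uses a toy Diffie-Hellman group and a constructed word list.

```python
import hashlib

# Toy Diffie-Hellman group for illustration only (2**127 - 1 is prime);
# real protocols use vetted groups or curves.
P = 2**127 - 1
G = 3

# Constructed 256-entry word list built from syllables; not Signal's list.
_A = "ba be bi bo da de di do ka ke ki ko ma me mi mo".split()
_B = "lan len lin lon ran ren rin ron tan ten tin ton zan zen zin zon".split()
WORDS = [a + b for a in _A for b in _B]

def public_key(private: int) -> int:
    return pow(G, private, P)

def shared_secret(private: int, peer_public: int) -> int:
    return pow(peer_public, private, P)

def sas_words(secret: int) -> tuple:
    """Map the negotiated secret to two words (16 bits of its SHA-256 hash)."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return WORDS[digest[0]], WORDS[digest[1]]

def call(alice_priv: int, bob_priv: int, relay_priv=None):
    """Return the words shown on (Alice's, Bob's) screens.

    With relay_priv set, an in-path relay swaps in its own public key in both
    directions, so each side unknowingly agrees a key with the relay instead.
    """
    alice_pub, bob_pub = public_key(alice_priv), public_key(bob_priv)
    if relay_priv is not None:
        relay_pub = public_key(relay_priv)
        seen_by_alice, seen_by_bob = relay_pub, relay_pub
    else:
        seen_by_alice, seen_by_bob = bob_pub, alice_pub
    return (sas_words(shared_secret(alice_priv, seen_by_alice)),
            sas_words(shared_secret(bob_priv, seen_by_bob)))
```

On a direct call both screens show the same pair; with a relay in the path each side holds a different key, so the pairs differ except by a 1-in-65,536 coincidence in this model, and reading them aloud reveals the interception.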

Signal adds to a growing number of mobile encryption offerings from software vendors. Silent Circle, based in Washington, D.C., offers encrypted calling and texting services for a monthly subscription, and is a partner in Geneva-based SGP Technologies, which makes the BlackPhone, a security-minded device released last month.

 

Via: itworld