Monthly Archives: July 2016

New Mac malware tries to hook your webcam up to the Dark Web

Mac malware is sufficiently rare, at least compared to Windows and Android, that new OS X malware strains often get a lot of attention.

That’s both good and bad.

It’s good, because it reminds us all that Macs aren’t magically immune to cybercriminality, and that basing your digital lifestyle on that assumption would be a risky strategy.

And it’s bad, because it tends to bring out extreme views, with one side saying that the fuss about Mac malware is no better than unwarranted exaggeration, and the other side accusing Mac users of being credulous fanbuoys (and gurlz).

Nevertheless, Mac malware is often technically interesting, and offers an intriguing insight into online cybercriminality.

So, we thought you’d enjoy an article about the recently-discovered OSX/Eleanor-A malware.

This malware shows how crooks who don’t know a lot about programming can nevertheless easily and cheaply construct devious attack tools from everyday components.

By the way, we’ve tried to be unjudgmental, and to leave you to decide for yourself how safe the Mac ecosystem is against cybercrooks.

OSX/Eleanor-A

Briefly summarised, OSX/Eleanor-A works like this:

  • The program pretends to be a utility called EasyDoc Converter. Tools to help Mac users read Windows files, and vice versa, are popular downloads that many of us use occasionally, and that we are therefore likely to search for and try out when the need arises.
  • EasyDoc Converter is easy to install and try, but doesn’t seem to do much. If you’re looking around for a quick converter app, you’ll probably just delete it and try another one instead, with no obvious harm done.
  • In the background, however, the app creates a hidden folder containing a bunch of programs and scripts. Even if you know where to look, the files seem mostly harmless when considered individually. In fact, most of them are readily available free tools. All of these components stay behind when you exit and uninstall the EasyDoc Converter “decoy” app.
  • The malware uses an OS X utility to set up these tools to run in the background. The programs are configured as OS X LaunchAgents, software components that load in the background when you log in and that many users either ignore or don’t even know about.
  • Background program #1 is a copy of Tor (The Onion Router). The malware starts up Tor not only to connect your computer into Tor’s anonymising network, but also to advertise your computer to the Dark Web as what’s called a “hidden service.”
  • Background program #2 is a PHP administration script. OS X comes with PHP as a standard scripting tool, and the malware uses PHP to run this script so that your computer and your files can be accessed via a web browser.
  • The malware connects Tor hidden service #1 to the PHP admin script #2. This means that any outsider who knows the name of the hidden service (which is random for each infected computer) can take over your Mac from afar.
  • Background program #3 uploads the name of your hidden service to a Pastebin account. Your hidden service name is a unique, randomly chosen string of 16 characters that lets other Tor users connect in to you. Program #3 removes itself once it’s done its job.
  • The malware also includes three handy utilities for later use by the crooks. These are Netcat (a general-purpose tool for sending and receiving data over the network), Wacaw (a free command line tool for taking pictures and videos with your webcam) and a PHP-based image browsing tool (presumably to make it easy to view and retrieve any images sneakily acquired with Wacaw).

The crooks used a free tool called Platypus to package all these components into a single application download that masquerades as EasyDoc Converter.

In other words, the crooks have used a bunch of free and non-malicious tools to construct a surprisingly interesting malware sample with just a few lines of Bash shell script to tie the pieces together.

The malware doesn’t need administrative privileges to run, so you won’t see any unexpected “enter your administration password” prompts.

What to look for

The app itself looks like this, and produces a simple-looking drag-and-drop window when you run it:


The Drop files here window doesn’t do anything; it serves merely as a decoy that you’ll probably drop a few documents onto before figuring out that the program doesn’t work as you expected.

The obvious next step is to close the app, drag it into the trash, and try another free converter app instead.

By this time, however, it’s too late, because the malware will already have created the following folder and files:


On Unix and Unix-like systems, including OS X, directories starting with a dot (also called a full stop or period) are hidden, so they don’t show up in the Mac Finder or even in a default file listing in a terminal window.

Even if you spot this hidden directory, the name .dropbox gives the files an aura of likely legitimacy.

(In the above list, conn is a copy of the Tor software that’s included in the malware app bundle; ego.php is a PHP admin shell known as “b374k”; and dbd is a copy of the PHP program from OS X’s own /usr/bin directory.)

The hidden background programs are kicked off as Mac services, known as LaunchAgents, using OS X’s launchctl program.

LaunchAgents are controlled by configuration files in the Library/LaunchAgents directory; the malware continues its Dropbox-flavoured disguise by creating these three plist files:


(The extension .plist is short for Property List, an XML-style file format that’s widely used by OS X applications.)

You can view plists with the command plutil -p, as we’ve done here:
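One way to check your own ~/Library/LaunchAgents folder for the pattern described here, an agent whose program (or one of its arguments) points into a hidden dot-directory under your home folder. This is an added example, not code from the article or the malware; it uses only the Python standard library, so it runs anywhere against a directory of .plist files. The fixture it builds is constructed: only the com.getdropbox.dropbox.timegrabber label and the .dropbox/check_hostname path come from the article, the other labels and paths are invented.

```python
import plistlib
import tempfile
from pathlib import Path

# Where legitimately installed agents normally keep their binaries.
SYSTEM_ROOTS = ("/Applications", "/Library", "/System", "/usr", "/bin", "/sbin", "/opt")


def program_of(plist):
    """Executable the agent runs: the Program key wins, else ProgramArguments[0]."""
    prog = plist.get("Program")
    if isinstance(prog, str):
        return prog
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def hidden_under_home(path, home):
    """True when a directory component between $HOME and the file starts with a dot."""
    try:
        rel = Path(path).relative_to(home)
    except ValueError:  # not under the home folder at all (or not a path, e.g. "-f")
        return False
    return any(part.startswith(".") for part in rel.parts[:-1])


def hidden_paths(plist, home):
    """Every Program/ProgramArguments entry inside a dot-directory under $HOME.
    Checking all arguments also catches '/bin/sh ~/.dropbox/script'."""
    candidates = [plist["Program"]] if isinstance(plist.get("Program"), str) else []
    args = plist.get("ProgramArguments")
    if isinstance(args, list):
        candidates.extend(a for a in args if isinstance(a, str))
    return [c for c in candidates if hidden_under_home(c, home)]


def audit_launch_agents(agents_dir, home):
    """Return one finding {file, label, program, reasons} per suspicious plist."""
    home = Path(home)
    findings = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # a plist that will not parse deserves a look too
            findings.append({"file": path.name, "label": None, "program": None,
                             "reasons": [f"unparseable plist: {exc}"]})
            continue
        program, hidden, reasons = program_of(data), hidden_paths(data, home), []
        if program is None:
            reasons.append("no Program or ProgramArguments")
        elif hidden:
            reasons.append("references a hidden dot-directory under $HOME: " + ", ".join(hidden))
        elif not any(program.startswith(root + "/") for root in SYSTEM_ROOTS):
            reasons.append("program outside the usual install roots")
        if reasons:
            # RunAtLoad/KeepAlive are normal by themselves; report them only as context.
            if data.get("RunAtLoad"):
                reasons.append("RunAtLoad: starts at every login")
            if data.get("KeepAlive"):
                reasons.append("KeepAlive: relaunched if it exits")
            findings.append({"file": path.name, "label": data.get("Label"),
                             "program": program, "reasons": reasons})
    return findings


def write_sample_agents(root):
    """Constructed fixture: a fake home with one benign agent and two Eleanor-style
    ones (the 'conn' agent's label is invented; timegrabber/check_hostname are from
    the article). Returns (agents_dir, home)."""
    home = Path(root) / "home" / "alice"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    hidden = home / ".dropbox"
    samples = {
        "com.example.updater": {
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True},
        "com.getdropbox.dropbox.conn": {
            "ProgramArguments": [str(hidden / "conn"), "-f", str(hidden / "torrc")],
            "RunAtLoad": True, "KeepAlive": True},
        "com.getdropbox.dropbox.timegrabber": {
            "ProgramArguments": ["/bin/sh", str(hidden / "check_hostname")],
            "RunAtLoad": True},
    }
    for label, body in samples.items():
        with (agents / f"{label}.plist").open("wb") as fh:
            plistlib.dump({"Label": label, **body}, fh)
    return agents, home


def run_demo():
    """Build the fixture in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        agents, home = write_sample_agents(tmp)
        return audit_launch_agents(agents, home)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

On a real Mac, call audit_launch_agents on ~/Library/LaunchAgents with your home directory; the heuristic on its own is a triage aid, so inspect whatever it flags rather than deleting blindly.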


How it works

The check_hostname script is component #3 listed above, and it’s responsible for exfiltrating the name of the Tor hidden service that the crooks need to access your Mac remotely:


The script works like this:

  • It uses OS X’s cryptographic utility openssl to encrypt the hidden service name using a public key that’s included in the malware bundle.
  • It uses OS X’s command-line HTTP utility curl to post the encrypted data to a Pastebin account.

Because the crooks have embedded their Pastebin access keys into the script, potentially allowing other crooks to access the uploaded data and use it for free, they added the public-key encryption to shield the uploaded computer names from prying eyes.

If the upload succeeds, the exfiltration script, masquerading as com.getdropbox.dropbox.timegrabber, is no longer needed and removes itself.

Once the crooks know the name of your hidden Tor service, they can connect to it anonymously by using the Tor Browser.

Their Tor Browser connects to your hidden service over Tor’s “onion network”, and the copy of Tor running on your computer relays their traffic to the PHP admin shell:


The shell has a wide range of functions, including a file browser, a process manager, and a general-purpose terminal window where the crooks can run any command, just as if they had opened the Terminal app on your computer:


Peeking through your webcam

Above, we mentioned that the malware includes a copy of a free webcam control program called wacaw:


The good news, as far as we can tell, is that Wacaw is a rather old utility, and no longer works, at least on the latest version of OS X.

The bad news, however, is that the PHP admin shell makes it easy for the crooks to upload any other software they want, and thus to replace the old utility with a new one.

Additionally, the file shown above with the strange name deamon.php (the usual spelling is “daemon”, the common term for a background process on Unix) is a web-based remote control tool that supports the following commands:

  • GetInfos. Retrieves the name of the Tor hidden service. (This isn’t a huge amount of use because you need to know the hidden service name to run this command.)
  • ExecuteShellScript. Uploads a Bash command script and runs it.
  • GetFile. Downloads a named file.
  • Update. Uploads a ZIP file with additions or changes to the malware and unpacks it into the hidden malware folder.

What to do?

You’re unlikely to encounter this malware, and if you do download it and try to run it, you will see a warning like this one by default:


That’s because the app isn’t signed with a cryptographic key issued to a registered Apple developer, and OS X’s default security setting is as follows:


This doesn’t give you complete protection, of course, not least because crooks can acquire or steal developer keys and thus make their software look legitimate, at least until Apple revokes the offending key.

So, if you haven’t already, please consider using a real-time anti-virus on your Mac, even (or perhaps especially) if you have managed unharmed for years without one.

Sophos Home is 100% free, and protects both Macs and Windows computers on your home network.

Even if you never encounter any Mac-specific threats, a good OS X anti-virus will mop up any Windows nasties that your friends or family might bring near your beloved Mac…

…and friends don’t let friends go unwarned about malware!

Via: nakedsecurity

Fake Pokémon GO app watches you, tracks you, listens to your calls

Have you heard of Pokémon GO?

If you haven’t, you probably will soon: it’s an online game for mobile phones, and it’s taken the world by storm.


It works something like this.

You install the app, give it access to your location and your camera (amongst numerous other permissions), and set about finding Pokémon creatures in the game.

Unlike most “virtual world” games, however, the map used in Pokémon GO is the world around you, and the creatures you’re supposed to find are added to the map.

To collect them, you actually have to go to where the virtual creatures are supposed to be.


When the game figures your geolocation data is close enough to the target location, you turn on your phone’s camera, and, hey, look at that!


There’s the creature, grafted into the live image, in what’s called “augmented reality.”

Once you’ve caught the three starter Pokémons, you need to venture around your neighbourhood to find PokéStops.

PokéStops are supposed to be near important landmarks such as statues and monuments (our closest is at the local skateboard park), where you can get hold of the ammo, sorry, Poké Balls you need to catch more characters.

Once you’ve got the balls, you can wander afield looking for Pokémons to shoot, ahem, capture, ahhh, train.

Obviously, walking around an urban landscape while watching your mobile phone screen is both dangerous and anti-social, as the app warns you each time you start it up:


Runaway popularity

We’re not sure we understand why going to the skateboard park to stare at the world through your phone’s camera is more fun than going there to skate, or even just to stare at the world through your own eyes, but there’s no mistaking the runaway popularity of Pokémon GO.

Even the most perfunctory online search will bring up dozens of articles offering advice all the way from how to fix “GPS not found” errors to “when to evolve and when to power up.”

Apparently, the success of the app has also been a problem: overloaded servers, delays in signing up, and more.

For that reason, it’s currently only available in the Apple App Store and on Google Play in a handful of countries.

Nevertheless, as you can see in the screenshots above, we’ve managed not only to install the app on Android in the UK, but also to use it successfully, with the UK maps and game infrastructure working just fine.

Indeed, the game’s already wildly popular over here in the UK, which means…

…that most players will have headed off to alternative markets to grab the software unofficially:


We’re not naive enough to assume that Google Play is immune to malware.

Nor do we buy into Google’s efforts in 2015 to “define away” the problem of malware in the Play Store by renaming all malware as Potentially Harmful Applications (ironically divided into categories such as spyware, call_fraud, ransomware and even generic_malware).

But Google’s warnings about untrusted apps are worth heeding anyway, because the Play Store is relatively safe, especially compared to many alternative app markets where anything goes, and anyone can upload anything.

Pokémon GO malware

In fact, the crooks have gone there already, with at least one hacked “malware remix” of the official Pokémon GO app doing the rounds.

The “remix” is deliberately poisoned with an Android spyware/RATware/zombie toolkit that hides malware code inside a fully-functional and otherwise identical-looking version of the original app.

Spyware is malware that snoops on your online activities, such as listening in to phone calls, intercepting SMSes and logging all your web browsing. RATs are Remote Access Trojans, an acronym coined to reflect the sort of creep who uses them, typically for leering secretly through other people’s webcams. Zombies, also known as bots, are remote control tools that let crooks send commands to a whole raft of infected devices at the same time, for example to steal data, send messages in bulk, or DDoS other people’s servers with massive spikes in unwanted traffic.

Sophos products blocked this Pokémon GO-based malware proactively as Andr/SandRat-C, a name that is derived from SandroRAT, a remote control toolkit that was announced publicly back in 2014, and that morphed into a snoopware “product” known as DroidJack, or DJ for short.

The big question

The big question, if you’re one of the many global users who has gone off-market to get your Pokémon GO fix, is this: “Would you back yourself to spot the difference if you downloaded a dodgy version by mistake?”

DroidJack doesn’t create an app that looks and behaves similarly to a well-known app in order to act as a cover.

It takes an existing app and simply repackages it into an app that effectively is the original, but with some added spyware-related code that runs in the background.

For example, here are the startup screens of the original and of the malware-infected version:


Those screenshots, and the program code that’s controlling them, don’t just look identical, they are identical.

Spot the difference

Of course, there are tell-tale signs, if you know what to look for.

The Andr/SandRat-C remix of Pokémon GO has a whole load of additional sneaky features that run in the background, so it needs security permissions that the legitimate app doesn’t require:


But permissions aren’t always a good giveaway: legitimate apps routinely ask, like Pokémon GO does, for access to your camera (which includes access to the microphone), to location data, and to external storage.

A spyware Trojan that was slightly less ambitious than Andr/SandRat-C, and stuck to a smaller set of eavesdropping “features”, could put you at almost as much risk with few or no additional permissions.

In any case, how many permissions are too many?

The Google Play app that you get with closed-source versions of Android 5.1, for example, grants itself more than 100 special app permissions, from READ_VOICEMAIL and READ_GMAIL, through CAPTURE_VIDEO_OUTPUT, to DOWNLOAD_WITHOUT_NOTIFICATION. (If those aren’t enough, it also grabs the right to OBSERVE_GRANT_REVOKE_PERMISSIONS, just in case.)


Inside the SandRat

Decompiling the Andr/SandRat-C app makes the malicious parts stand out, even if you don’t have a legitimate copy of Pokémon GO to compare it with:


The functionality of these added DroidJack parts is, indeed, what their names suggest.

However, as with additional permissions, malware doesn’t have to be so blatantly obvious, and even a well-informed user with the Android Development Tools installed might struggle to spot the malicious needle in the haystack of a booby-trapped app.

For example, more subtle spyware could add fewer functions, could give them more legitimate-looking names, and could patch its extra code into existing parts of the app so it wasn’t directly visible in the application package.

After all, even to an expert, some of the components of the legitimate Pokémon GO app look suspicious at first sight:


In a programming ecosystem where names such as spacemadness.com.lunarmodule and javax.inject are unexceptionable, even a thinly disguised malware component might effectively end up hidden in plain sight.

What to do?

  • Avoid apps with a poor or non-existent reputation. Don’t trust an app about which no one yet seems to know anything.
  • Stick to Google Play if you can. Despite this and other recent failures, it’s still safer than unregulated Android markets where anything goes.
  • Use an Android anti-virus. The Sophos Mobile Security product is free, and protects you automatically from malicious and low-reputation apps.
  • Manage your business phones centrally. Sophos Mobile Control, for example, allows you to take control of options such as whether to allow untrusted app sources on phones used for work.

Via: sophos

A court ruled that it could be a federal crime to share your Netflix password

Last week the U.S. Ninth Circuit Court of Appeals issued an opinion that an employee acted “without authorization” when he used a former co-worker’s login (with their permission) to gain access to “computer data owned by the former employer.” This led to the court upholding a decision that the employee violated the Computer Fraud and Abuse Act (CFAA), a federal law traditionally used to prevent computer-related fraud.

Facts and context matter

Judge McKeown, who wrote the majority opinion, acknowledged that this ruling could turn innocent conduct like “password sharing among friends and family” into a federal crime.

However, she also said that the circumstances in the case “bears little resemblance” to more innocent forms of password sharing — like sharing a Netflix password, or giving your friend your Gmail password so they could download a document. Judge McKeown added that “the reality is that facts and context matter in applying the term ‘without authorization.'”

Essentially, the court did agree that password sharing (in this specific case) violated federal law, but empowered future courts to consider the “facts and context” when determining if password sharing violates the CFAA.

One dissenter

However, one of the judges on the court was slightly more concerned with the precedent it would set. In the opening paragraph of his dissent below, Judge Reinhardt explained the potential repercussions of the court’s decision:

This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA. — Judge Stephen Reinhardt, Ninth Circuit Court of Appeals

Clearly, Judge Reinhardt is concerned that the court’s decision could open up the possibility that friends sharing Netflix or HBO GO passwords could be committing a federal crime. He continues, noting that his fellow judges claim that they do not have to address the effect of their decision on the wider population because Nosal’s infelicitous conduct “bears little resemblance” to everyday password sharing.

Continuing on, Reinhardt concludes that the majority decision from the two other judges “does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners.”

What does it mean for you?

According to this ruling, it seems that anyone sharing a password “without authorization” could potentially be convicted of violating the CFAA.

That being said, don’t expect the FBI to come knocking next time you stream on your boyfriend’s account. There remains some vagueness in what “without authorization” means. While providers like Netflix and HBO GO officially say that logins shouldn’t be shared, some, including Netflix, have publicly stated that account sharing is OK, a statement that would presumably kill any “without authorization” argument if for some reason someone was prosecuted for sharing their Netflix account.

Plus, this assumes that the government or a company would prosecute or sue a user for sharing passwords in the first place. The odds that you would face any legal repercussions right now for password sharing are extremely slim, especially because entertainment providers have taken a laissez-faire approach to password-sharing enforcement.

That being said, a small possibility remains that down the line one company may want to make an example out of someone, similar to how a select few individuals were sued for pirating music. But until that happens, it’s safe to assume that you won’t find yourself in a federal court for giving your girlfriend your HBO GO login.

Via: techcrunch

Malicious Pokémon GO App Spreading DroidJack RAT

An infected Android version of the Pokémon GO app is infecting unsuspecting users with the malicious remote access tool DroidJack.

First released in the United States on July 6, Pokémon GO is a mobile game available for Android and iPhone. It leverages Niantic’s Real World Gaming Platform to help players find and catch Pokémon as they explore real world locations.


Pokémon GO (Source: TechCrunch)

In response to growing interest around the game, various online forums published tutorials demonstrating how Android users could download an APK for the game from a non-Google URL. Doing so involved modifying Android’s security settings so that users could install APKs from “untrusted sources.”

Researchers at Proofpoint explain that’s a poor security decision for Android users to make:

“Unfortunately, this is an extremely risky practice and can easily lead users to installing malicious apps on their own mobile devices. Should an individual download an APK from a third party that has been infected with a backdoor,… their device would then be compromised.”

Case in point, at least one of those unofficial APKs comes modified with DroidJack, a remote access tool which like other mobile trojans gives an attacker full control over an infected device.

Proofpoint’s security team describes that the malicious app’s start screen appears identical to that of the legitimate application, which makes it difficult for users to discern whether they’ve been infected with malware.


Infected Pokémon GO start screen; it appears identical to that of the legitimate application (Source: Proofpoint)

Fortunately, Android enthusiasts of Pokémon GO can check to see whether they have a copy of the legitimate app installed on their devices. They should first review the permissions requested, as only the malicious version containing DroidJack requests the ability to modify SMS messages and record audio.

Players can also check the SHA256 hash of the downloaded APK to see if it matches that of the real Pokémon GO app.
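To turn the two checks described here and in the Sophos piece above (comparing the permissions a suspect APK requests against the genuine app, and comparing its SHA256 against the known-good build) into a repeatable triage step, here is an added example that is not Proofpoint’s or Sophos’ code. It parses the `uses-permission` lines that `aapt dump badging` prints, diffs a candidate against a baseline, and treats the hash as the deciding check, since a less ambitious repackaging can add no permissions at all. The two badging dumps are constructed, the expected hash is whatever you record for the genuine build, and the SENSITIVE list beyond the SMS and audio permissions the article names is my assumption.

```python
import hashlib
import hmac
import re

# Matches both aapt output styles: "uses-permission: name='X'" and "uses-permission:'X'".
PERM_RE = re.compile(r"^uses-permission:(?: name=)?'([^']+)'", re.MULTILINE)

# Permissions a game has no business holding. The SMS and audio entries are the ones
# the article says only the DroidJack build requests; the rest is the author's assumption.
SENSITIVE = frozenset({
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.WRITE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_CONTACTS",
})

# Constructed dumps standing in for `aapt dump badging` output; not real Pokémon GO data.
GENUINE_BADGING = """\
package: name='com.nianticlabs.pokemongo'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.VIBRATE'
"""
REMIX_BADGING = GENUINE_BADGING + """\
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.WRITE_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
"""


def permissions_from_badging(badging):
    """Set of permission names requested according to an aapt badging dump."""
    return set(PERM_RE.findall(badging))


def compare_permissions(baseline, candidate):
    """Diff the candidate APK's permissions against a known-good baseline dump."""
    base = permissions_from_badging(baseline)
    cand = permissions_from_badging(candidate)
    added = cand - base
    return {
        "added": sorted(added),
        "removed": sorted(base - cand),
        "sensitive_added": sorted(added & SENSITIVE),
    }


def sha256_hex(data):
    """Hex SHA256 of the APK bytes, the value to record for the genuine build."""
    return hashlib.sha256(data).hexdigest()


def sha256_matches(apk_bytes, expected_hex):
    """The decisive check: a repackaged APK cannot keep the original's SHA256."""
    return hmac.compare_digest(sha256_hex(apk_bytes), expected_hex.strip().lower())


def triage(candidate_badging, apk_bytes, expected_sha256, baseline=GENUINE_BADGING):
    """Combine both checks. Permission additions are evidence of tampering, but their
    absence proves nothing; only a matching hash clears the file."""
    diff = compare_permissions(baseline, candidate_badging)
    hash_ok = sha256_matches(apk_bytes, expected_sha256)
    if hash_ok:
        verdict = "matches known-good build"
    elif diff["sensitive_added"]:
        verdict = "repackaged: sensitive permissions added"
    else:
        verdict = "hash mismatch: not the known-good build (permissions alone prove nothing)"
    return {"hash_ok": hash_ok, **diff, "verdict": verdict}


if __name__ == "__main__":
    genuine_apk = b"constructed stand-in for the genuine APK bytes"
    remix_apk = b"constructed stand-in for the repackaged APK bytes"
    expected = sha256_hex(genuine_apk)
    print(triage(GENUINE_BADGING, genuine_apk, expected)["verdict"])
    print(triage(REMIX_BADGING, remix_apk, expected))
```

In practice, feed it the output of `aapt dump badging` on the file you downloaded and the hash you recorded for the genuine build.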

Going forward, mobile users should be careful about where they decide to install applications from onto their devices. Proofpoint elaborates:

“Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices. Bottom line, just because you can get the latest software on your device does not mean that you should. Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”

Via: tripwire

Facebook Messenger adds end-to-end encryption in a bid to become your primary messaging app

Facebook Messenger wants to be your primary messaging app. As people become more and more concerned about security, being the best messaging app means being the most secure. That’s why Facebook is finally adding an option for users to encrypt their chats in Messenger.

Messenger will begin to offer an end-to-end encryption feature to a limited test group of users today. It’s a security option that’s been a long time coming for Facebook, which has considered making end-to-end encryption available for several months. The so-called “secret conversations” debuted today will be only visible to the sender and the reader, which means Facebook can’t enable some of the chatbot and payment features that are normally a part of the Messenger experience. However, end-to-end encryption boxes out law enforcement and even Facebook itself from reading users’ chats, ensuring that their conversations remain private.

Messenger has also taken steps to make sure that chats remain secure, even if a user’s device gets lost or stolen. In secret conversations, Messenger will allow users to set an expiration date for a message so that it won’t be visible in the conversation forever. Once the time runs out, the message will vanish from the devices of all users in the conversation. Facebook released technical details about its implementation of secret conversations in a white paper (PDF).

Secret conversation mode will only be available on iOS and Android, not in Messenger.com, Facebook chat, or the desktop Messenger app — at least for now. Facebook’s vice president of messaging products David Marcus told TechCrunch that the addition of end-to-end encryption is intended to help Messenger become everyone’s go-to app.

“We wanted to make Messenger your primary messaging platform, and while we currently were already using a lot of security to ensure that your messages are safe and confidential, we felt that we needed to go one more extra step with this new mode,” Marcus explained. The combination of end-to-end encryption and a message countdown clock “will truly empower people to have any type of conversation they want to on Messenger,” he added.

Secret conversations will bring stronger security to some of Messenger’s nearly 1 billion users — but only if they turn it on.

Like Google’s chat app Allo, end-to-end encryption will not be enabled by default in Messenger, and that decision may draw criticism from the security community. When Google announced that Allo would only offer end-to-end encryption as an opt-in feature, Edward Snowden tweeted that it was “unsafe” and one of Google’s own security engineers wrote in a blog post he would push for end-to-end encryption to become the default (he later edited out that portion of the post).

But Marcus says end-to-end encryption needs to remain optional so that users can access other popular Messenger features, read their messages on multiple devices, and access a backup of their chats if they lose their device — and that security experts Facebook has consulted with about its end-to-end encryption implementation have been sympathetic to those needs. Facebook also notes that “rich content” like GIFs, videos and payments won’t work in secret conversations.

“The reality is you probably don’t need end-to-end encryption for all the conversations you’re having. Like if you’re following the Euro 2016 game right now and you’re chatting — so people are just having fun and they’re sending stickers and doing all these things where you want the full-fledged functionality and you’re moving from your computer to your mobile. Why would you need end-to-end encryption?” Marcus asked.

“It’s that extra layer that you’ll want for those special conversations where you send a Social Security number, a username or password, checking account information for a payment, medical data of some kind. For those types of things, you want to have a little bit more peace of mind. We feel like the approach for us, given how people use our product, is really the right one and the security experts out there have been very supportive of the approach we’ve taken.”

Messenger’s secret conversation feature is built on the Signal Protocol developed by Open Whisper Systems. The partnership with Open Whisper Systems is a natural progression for Facebook — WhatsApp, a chat platform owned by Facebook, also uses the Signal Protocol for encrypted messaging.

Secret conversations are slated to become available to all Messenger users over the course of the summer, with access expanding to all by early September. “During this test, we will gather feedback about the functionality, measure performance, and introduce tools to enable you to report objectionable content to us,” Facebook said in a blog post announcing secret conversations.

How can I start a secret conversation?

To start a secret conversation, just tap on your friend’s name at the top of your current message thread. If you’re part of Facebook’s test group, you’ll see an option called “Secret Conversation.” Once you click it, a new conversation thread opens, with a notice at the top informing you that the chat is end-to-end encrypted.

The timer feature that allows messages to be erased after a certain time period has elapsed is located right next to the text field. It offers a drop-down list of times you can select for how long you want your message to last before it expires, ranging from 5 seconds all the way up to 6 hours.

Why is Messenger using the Signal Protocol?

Facebook sees quite a few benefits to using the Signal Protocol; it’s free and open-source, it’s widely considered one of the best in the security industry and the company building its own cryptography would be quite a challenge.

“Typically when companies try to build their own security and encryption end of things, they’ll find problems sooner rather than later,” Tony Leach, a product manager on Messenger, told TechCrunch. “The Signal Protocol has evolved to be the best-in-class method of encrypting asynchronous messages between people, and so we wanted to follow what we see as the industry standard in helping protect people’s conversations.”

For Open Whisper Systems, making end-to-end encryption easily available to large companies that don’t specialize in cryptography has always been the goal. “Our thesis is that organizations haven’t deployed end-to-end encryption in their products because it has just been hard to do until now,” Open Whisper Systems founder Moxie Marlinspike told TechCrunch. “Our hope was that, by developing the technology, designing a protocol from the ground up, and writing the open-source software, that would make it easier and people would actually deploy it. To some extent, that’s what’s happened. We’re getting to the point where it’s easier and easier.”

What technical challenges did Facebook encounter?

Although rumors have swirled that Messenger would include end-to-end encryption, several technical kinks needed to be ironed out before Facebook could debut the feature.

“These essentially are new types of conversations that we’re building, so a lot of the messaging architecture that we originally built that would automatically fan out your messages to lots of different devices, we had to work around so that we could enable this new device-to-device kind of communication,” Leach said. “Also we’re used to relying on our servers to act as backups for all your messaging. So now in the end-to-end encrypted world, we can’t really do that. We had to make sure we maintained the same level of reliability without relying on backing up your messages on our servers for these encrypted conversations.”

Why now?

Consumer demand for strong encryption is driving Facebook, Google, Apple and other companies to reassure users that their communications are secure. “It’s a really good time to do this,” Marcus said. “We felt this was the right time to do it, to complete the capabilities with something that enabled people to have the conversations they wanted to have on Messenger.”

Via: techcrunch

It’s Time To Activate Apple’s Two-Factor Authentication — If You Haven’t Yet

Reports that as many as 40 million iCloud accounts have been compromised by Russian attackers have not been confirmed by Apple. But they haven’t been denied either.

“For now, let’s assume there hasn’t been a massive iCloud data breach,” writes Steve Ragan at CSO.

So… what do the reported attacks look like?

“It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode,” Ragan writes. “At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.”

Then they demand the ransom — usually $30 to $50 or all the data will be deleted.

What can you do to avoid such an attack?

Get your security basics right.

“So make sure that you have a unique, hard-to-crack, hard-to-guess password protecting your Apple ID account,” Graham Cluley writes. “And, if you haven’t already done so, I strongly recommend enabling two-step verification on your Apple ID account to make it harder for hackers to break in.”

It’s about a four-minute process. So do it. Now.

You start by logging into your Apple ID.

And while you’re thinking about it, why don’t you activate two-factor authentication on any account you can — especially Google, which calls it “two-step verification” even though it’s really “two-factor” since it involves your phone, and Facebook, which calls it “Login Approvals.”

Via: f-secure

Avast acquires antivirus maker AVG for $1.3BN to gain scale and dive into IoT security

Security giant Avast has announced it intends to acquire fellow Czech-based antivirus software maker AVG for a purchase price of $25.00 per share in cash — resulting in a transaction that will total around $1.3 billion.

Avast intends to finance the transaction using cash balances it holds, along with committed debt financing from third party lenders.

The deal is aimed at gaining scale and geographical breadth, Avast said today. It also wants to build out its security offerings with an eye on emerging growth opportunities such as the Internet of Things, as well as on serving existing customers with “more advanced” products.

IoT has been dubbed a security nightmare for consumers, given the accelerating trend for network connectivity to be pushed into all sorts of devices — often by companies with little or no security expertise. But the opening up of this vast new front of potential vulnerabilities is clearly also an opportunity for experienced security players to step in and address.

Organizational efficiencies are also expected as a result of the acquisition, so presumably there will be some staff reductions owing to duplicate roles.

On this, a spokeswoman for Avast said: “We haven’t started planning the team integration yet. Over the next months we will be analyzing and planning the organizations, but can’t speak to any potential staff reductions until after that.”

Avast notes that the combined user-base of the two companies will result in an entity with a network of more than 400 million endpoints, of which 160 million are mobile — so that means not just more customers but broader access to intel on malware which it will feed into building out the next waves of its personal security and privacy products.

“We are in a rapidly changing industry, and this acquisition gives us the breadth and technological depth to be the security provider of choice for our current and future customers,” said Vince Steckler, chief executive officer of Avast Software, in a statement.

“We believe that joining forces with Avast, a private company with significant resources, fully supports our growth objectives and represents the best interests of our stockholders,” added Gary Kovacs, chief executive officer, AVG. “Our new scale will allow us to accelerate investments in growing markets and continue to focus on providing comprehensive and simple-to-use solutions for consumers and businesses, alike.

“As the definition of online security continues to shift from being device-centric, to being concerned with devices, data and people, we believe the combined company, with the strengthened value proposition, will emerge as a leader in this growing market.”

Avast’s spokeswoman confirmed the AVG brand will not be disappearing, saying the company will use a combination of the two brands owing to associated strengths in different markets.

The purchase price of AVG represents a 33 per cent premium over the July 6, 2016 closing price and a premium of 32 per cent over the average volume weighted price per share over the past six months.

The contemplated tender offer — of either 95 per cent or 80 per cent of AVG shares, the latter depending on shareholders approving an asset sale — will be subject to the receipt of regulatory clearances, it notes.

The transaction is expected to close sometime between September 15 and October 15, 2016, depending on the timing of regulatory review.

Via: techcrunch

Siri takes control as Apple’s macOS Sierra beta arrives

Mac users get a desktop OS they can talk to.

Less than a month after its unveiling at Apple’s Worldwide Developers Conference in June, macOS Sierra arrived today for beta testers who have signed up to try Apple’s new desktop operating system. This is the third year in a row Apple has offered a public beta of an upcoming desktop OS.

This year the Mac platform gets some significant enhancements, with Sierra bringing one notable feature that promises to change how users interact with their Mac. After teasing users in 2015 with a revamped Spotlight in OS X El Capitan that understood sophisticated requests, Sierra finally brings Siri to the Mac.

Siri’s integration means you’ll be able to control certain functions on your Mac using natural language voice commands. Siri on the desktop is just as functional as Siri on the iPhone, with Mac-specific tricks, too. From what I’ve seen using the early Sierra betas, I expect to be spending more time talking to my Mac.


Siri is accessed from an icon in the Dock, by invoking a key command or from the menu bar.

Sierra gets more than just Siri

Sierra isn’t due out in final form until sometime this fall. But beta users, as of today, can check out the tweaks and additions the upgrade offers to make using your Mac a better experience. Those features include picture-in-picture for videos, better photo organization, improved device collaboration via the Universal Clipboard, iCloud Drive (which allows shared Desktop and Documents across all of your Apple devices), and Auto Unlocking your Mac when you wear your Apple Watch (running watchOS 3).
macOS Sierra will allow Apple Watch users to unlock their Mac automatically. (The option is tucked away in the Security preferences.)

But the biggest standout feature is Siri, which arrives on the desktop years after its debut as an app in iOS and then as a tent-pole feature for the iPhone platform. Apple now joins the ranks of other big-league developers, including Microsoft, Google and even Amazon, who are rapidly rolling out voice-activated features for their products. (FYI: Siri stacks up well against Cortana.)

Before I get into more details about Sierra, a programming note: If you haven’t signed up for Apple’s beta program but would like to, you can do so here. Just a warning: this is a beta, so there will likely be issues if you’re running this operating system. Apple still has months of work ahead to bring Sierra to its final, shipping form. Remember: before you rush to install it, always have a backup of your computer, and never use a beta on production-critical hardware.

A Siri-ously big deal

It’s been five years since Siri’s introduction on the iPhone. Since then, public acceptance of using voice commands to control a device has slowly been on the rise. Amazon, Google and Microsoft all have virtual assistants now, and, for Apple’s part, the Siri technology has been expanding the use of voice commands in a variety of devices. Siri has bounced from the iPhone to the iPad to Apple TV and CarPlay. If history is any indicator — and by history, I mean Apple’s other product releases — Siri integration will absolutely change how you interact with the Mac — even if you’re still not sold on voice interaction.

Why? Because over the years, Siri has learned platform-specific tricks that make interacting with devices much more effective. For instance, when Siri is prompted on the Apple TV for a specific show, Siri searches across all supported apps and displays the relevant results, saving you the trouble of opening and poking around for that specific show. And on Apple TV, rewinding and fast-forwarding to specific spots isn’t much of an issue when you can tell Siri to just skip back or ahead with your voice.

Siri on the Mac will be no different. It’s still as whimsical as it is on the iPhone (ask how it feels about living in a Mac and Siri might joke about living in an aluminum housing with no Windows). But there are a variety of new tricks that should be helpful for day-to-day users.


Siri’s new Preference pane under System Preferences allows you to customize it and change voices.

Siri in use

On the Mac, Siri is accessed from an icon in the Dock, by invoking a key command (Command-Space, by default) or from the menu bar, next to the Notification and Spotlight icons. (The “Hey, Siri” voice invocation used in iOS — where Siri is always listening and can respond — isn’t yet an option on the desktop.)

Once active, you can use Siri to create appointments and reminders, send messages, ask for current or future weather forecasts, play a specific song (or an entire album or playlist), check sports scores, or even ask for directions. All of these requests work just as expected. However, I did have trouble getting Siri to bring up photos in my Photo Library, but I’m chalking this up as a bug. (Remember, as I’ve already noted: using a beta, even a public one, means you will likely encounter issues.)

Siri still provides online and local searches, and when performing local searches, it recognizes Finder tags, dates and other attributes. That allows you to perform specific inquiries you’d normally turn to Spotlight for. Since Siri does a decent job following a particular train of thought, you can refine searches with follow-up questions or requests. Just don’t be surprised if you get the occasional Siri sass. (During the WWDC keynote, Craig Federighi, Apple’s senior vice president of software engineering, asked Siri to bring up some files he was looking for and she noted that his “data filin’ was stylin’.”)

Even better, Siri can save your queries and the results in the Notification area for quick access later. That means everything from local file searches to sports scores can be pinned there for easy access later. And from these search widgets, you can keep track of specific files for that project you’re working on, drag and drop the results into live documents, or simply store sports scores for current games you’re interested in.

Other changes in Sierra and final thoughts

Of course Siri isn’t the only new feature in Sierra. Other useful additions include:

  • The ability to play any video in a small window that hovers above your work.
  • Optimized storage, which can be used to free up space by clearing your hard drive of older files (and storing them in Apple’s iCloud servers for later retrieval, or, in the case of obsolete system files, removing them entirely).
  • Advanced Continuity features that allow Apple devices to communicate and work more effectively with each other, including the new Universal Clipboard. This lets you copy data or a picture on your iPhone and paste it into a document on your Mac without using Messages, Notes or AirDrop. The ability to easily move data between Apple devices is coming, and it already works pretty well in the public beta. (Note: For this to work, every device needs to be running the latest beta software.) This feature alone might be worth the upgrade in the fall for many.

When Siri was first released, I mused that any technology hoping to gain mass appeal had to be good enough to change someone’s thought process from “Why are you using that?” to “Why aren’t you using that?” Siri’s capabilities and accuracy have grown over the years, and its features continue to evolve as the tech spreads from one Apple product to another. At the time, I wondered where the technology would go.

Now we know the answer: on our Macs. And now you can try it for yourself, months before other Mac users get their shot.

Via: computerworld

Facebook will test video downloads for offline viewing

The developing world can’t join the age of social video since streaming sucks up too much costly data and is sluggish on slow connections. But Facebook wants to change that with a new video download option it will start testing on July 11th with a small percentage of users in India. While on WiFi, people can sync videos to their device for offline viewing within Facebook’s app.

Facebook is touting this as a win for video publishers, who might be grumpy about Facebook’s recent feed ranking algorithm change that prioritizes friends over pro content creators. “This will ensure a great user experience and allow your video content to reach new audiences,” Facebook writes.


To prevent downloads from turning into piracy, Facebook is securely locking the videos within its app, and they won’t be visible in a device’s local memory. Publishers can also opt out of the feature to prevent people from downloading their videos via their Page’s Content Distribution setting. People can only download original videos posted by users on personal accounts or from Pages.

Rather than announce this on one of its blogs, Facebook buried the news at the bottom of an email to media publishers like TechCrunch about Live Video options like the ability to remotely end a broadcast by another team member or see analytics.


Opt Out option for publishers

When asked about the feature, Facebook told me:

“We’ve heard feedback that in markets like India, mobile data and internet connectivity is limited and many people struggle with poor video experiences. So we’re testing an option for people to download videos to Facebook while they’re online on good internet connections, to view the video at anytime, online or offline, without using extra mobile data.”


The bottom of Facebook’s email to publishers that explains the new feature

Facebook has been slowly bringing connectivity and rich media to developing world users with expensive data rates and janky cell networks. Today it announced its new OpenCellular wireless access platform to bring connections to remote areas, plus it has Internet.org’s Free Basics apps as well as drones and satellites that beam Internet to the outback.

The social network launched a special stripped down Android app called Facebook Lite in 2015. Then it built Slideshow, a new ad unit that combines photos into what looks a little like a video, but requires much less bandwidth.

“People are coming online at a staggering rate in emerging markets and, in most cases, are doing so on mobile,” Facebook tells me. “We’re continuing to improve Facebook so it works seamlessly and easily for people in all parts of the world, regardless of their device.”

Together, these and other localized ad products have helped Facebook quadruple the average revenue per user it earns in the Rest Of World region since 2012. That’s critical since Facebook has maxed out its user count in many key developed countries, and must rely on emerging markets for user growth.


Facebook’s video-esque Slideshow ad unit for the developing world

Bigger screens, better cameras, and faster connections have spurred an explosion of mobile video viewership in the Western world. Facebook hasn’t shared its daily video view count since it announced nine months ago that it had reached eight billion per day. You can bet that number is far higher now.

Video is the marketing format of the future. But video ads injected amongst text and photo content can feel interruptive.

By unlocking the ability to watch video offline, Facebook could acclimate developing world users to organic Facebook videos, thereby allowing it to slip in lucrative video ads without sticking out. Facebook says you won’t be able to download Sponsored video ads for now, but I’d imagine that could arrive in the future if the feature is a success and rolls out more widely.

Via: techcrunch

Judge decides we don’t have any right to privacy

It seems we now live in a world where everyone is free to snoop on everyone else to their heart’s content.

If you connect your computer to the Internet, like billions of people, then you can’t expect any privacy. Or so says a judge in Virginia.

According to eWeek:

A federal judge for the Eastern District of Virginia has ruled that the user of any computer connected to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.

So, does that mean we can’t expect privacy in our own homes because burglars can get in if they really try? If so, surely we might just as well leave our front doors wide open?

FBI didn’t need a warrant

This court ruling goes back to Playpen, the child porn site that the FBI operated for two weeks in 2015 as a honeytrap.

We reported in May that, during that time, the agency used a so-called “network investigative technique” (NIT) to identify the website’s users.

Computers visiting the site were unwittingly infected with code that could reveal their IP address, defeating anonymity afforded by Tor. (Users and sites on the Tor network hide their IP addresses from each other to help maintain anonymity.)

Senior U.S. District Judge Henry Coke Morgan Jr. upheld the use of a single warrant for the FBI’s mass hacking. He even stated that the FBI’s original warrant was unnecessary because of the type of crime being investigated:

The court finds that any such subjective expectation of privacy—if one even existed in this case—is not objectively reasonable.

Behind closed doors

However, while the FBI is focused on establishing the IP addresses of child porn users, another interesting court case could scupper the FBI’s efforts completely.

Gizmodo reports on the story of Thomas Gonzales, who was accused of illegally downloading Adam Sandler’s film “The Cobbler” from a shared computer. Oregon District Court Magistrate Judge Stacie Beckerman argued that you can’t hold someone accountable for copyright infringement unless you can prove they actually did it, ruling:

IP addresses aren’t enough to prove that Gonzales was directly involved with copyright infringement.

While the precedents in these cases could affect us all, it’s actually really hard to determine where we stand.

Looks like the FBI may have to wait until we’re all signing in with biometrics before they can prosecute anyone for online child abuse… but even that might not be enough.

Via: sophos