Monthly Archives: June 2013

Cloud, mobile and Macs the next targets for hackers

Business needs to prepare as cloud computing, mobile devices and non-Windows operating systems become the next targets for cyber attackers, says Kaspersky Lab.

Based on current trends, these are the areas that attackers are most likely to focus on next, say the security firm’s researchers and analysts.

“In 2012, we saw the first series of attacks aimed at cloud-based services such as Dropbox and LinkedIn,” said David Emm, senior regional researcher, UK for Kaspersky Lab.

Cloud-based services are likely to become increasingly targeted because a single breach can yield account details from millions of users and so is highly efficient, he said.

Analysis of the Red October cyber espionage campaign revealed that looking for network-connected mobile devices was one of the things the Rocra malware was designed to do.

“This is a strong indication that attackers have recognized that mobile devices are fast becoming a rich source of information that is worth going after,” said Emm.

Attackers typically follow the line of least resistance, migrating to Adobe software, the next most ubiquitous platform, as Microsoft’s Windows operating system became increasingly resilient.

With each new major release of the Windows operating system, security has improved, and Adobe is beginning to follow a similar pattern through its own secure development lifecycle.

Just as attackers have migrated from Windows, to Adobe and now Java – which is currently the top target – researchers expect attention to begin turning to Apple’s Mac operating system.

“The perception is that the Mac operating system is inherently more secure, but the reality is that it has simply not been targeted before as there were fewer Mac users,” said Emm.

But the discovery of the Flashback botnet in 2012 – aimed at the Mac OS X operating system – suggests this will change, he said.

Similarly, attackers are expected to begin exploiting vulnerabilities in “unsuspicious” devices that are getting smarter, said Vicente Diaz, senior malware analyst at Kaspersky Lab.

“Not only are phones getting smarter, but other items such as televisions and cars are becoming increasingly computerised and connected,” Diaz said.

He said as a growing number of devices become interconnected, it is important that they are designed, implemented and used with security in mind.

“Otherwise, such things could be open to malicious exploitation as people surrender more and more decision making to devices and online services,” Diaz said.

Diaz said he hopes the revelation of the US Prism internet monitoring programme will help raise awareness about the security and privacy implications of online services that are too good not to use.

“The big trick that many people are missing is that if you are not paying for a service, you are the product. Is this what we really want? Would it not perhaps be better to pay a little and surrender less?”

Looking to the future of the security industry, Diaz said the vision is to move to a state where single security platforms are able to provide protection for every type of computing device.

However, he said this will require the co-operation of all device makers with the security industry and the breaking down of proprietary walls that are hampering progress in this direction.

Via: computerweekly

Cybercrooks use vacation posts to scam family members

Summertime means vacation time, and many of us share our plans on social networking sites like Facebook and Twitter. A recent survey by MoneyGram found that nearly one-third of consumers aged 18-49 post details about their vacations on social media before or during their trip, essentially broadcasting to the world when they will be away, where they are going, and what they will do – and more than just friends are watching.

“Sharing summer travel plans can serve as an invitation for criminals to target family members with the relative in need scam,” warns MoneyGram, a leading global money transfer company. In the so-called “family scam,” cybercrooks target elderly family and friends of people traveling on vacation with frantic late-night phone calls or emails from a hijacked account. They make up an emergency situation and instruct the victims to wire huge sums of money to “rescue” their relatives from nonexistent predicaments. Some users have experienced this firsthand.

According to MoneyGram, victims of family scams lost an average of $1,551 each time money was sent to a scammer – with a total of more than $8.5 million in attempted transactions during summer 2012.

“When families go on vacation, they don’t do their relatives any favors when they post Facebook pictures and tell everyone how long they’ll be gone,” said Barbara Fore, an elder-related-crimes investigator for the Seminole County Sheriff’s Office in an Orlando Sentinel article. “Criminals are monitoring things like Facebook all the time, and they can often find out just about everything they need to know to run their cons.”

MoneyGram advises that “the safest way to respond to a frantic phone call is to simply hang up and call your relative directly to verify the situation, or verify the identity of the person on the other end of the line or email by asking questions with answers that only true friends or family members would know. These steps often reveal the attempted fraud, preventing any further emotional distress or monetary losses.”

Via: avast

This Account Is Tweeting Every NYPD Stop-and-Frisk

Millions of New Yorkers have been subject to a New York Police Department stop-and-frisk — and one Twitter account is telling their story, 140 characters at a time.

The account, @StopAndFrisk, was created last month by New York-based developer Simon Lawrence and journalist Michele Lent Hirsch to put a social spotlight on the controversial NYPD practice. Stop-and-frisk allows police to stop somebody they believe has committed, is in the process of committing, or is about to commit a crime. Police can search the stopped person if they have grounds to believe they are in danger, sometimes leading to arrests on drug charges when illegal substances are found on stopped persons.

Each tweet features the subject’s age, location and the police reason for making the stop, per records made available by the New York Civil Liberties Union. It does not include the subject’s race, as the creators feel the racial bias of stop-and-frisk (55% of those stopped last year were black, 30% Latino) has been well-covered by other media. It uses a photograph of New York City Mayor Michael Bloomberg, a fierce defender of stop-and-frisk, as its profile image.

“The thought was, let’s look at individuals, their age, and when they were stopped,” Lawrence told Mashable. “The idea was to bring a more human face to the raw stats and to put information out there that people may not be as familiar with — like the reason NYPD stopped people [might be] wearing clothes commonly used in a crime. What are clothes commonly worn in a crime?”

The Stop and Frisk account resembles Dronestagram, an Instagram account populated by satellite images of villages struck by a U.S. drone aircraft.

“I haven’t actually seen that one, so I can’t say directly,” said Lawrence when asked if Dronestagram was an inspiration for the project. “But we’re operating on the same idea, bringing a face to these numbers. People think, ‘Oh, they stopped 600 people, that’s bad’ — but when you’re seeing they stopped a 12-year-old using force or something like that, that humanizes it a little bit.”

Lawrence said they originally wanted to tweet at the same rate the NYPD stops suspects, but then realized that would be too frequent for Twitter to handle.

“One of the reasons we use Twitter is we wanted to have this steady drumbeat of stops just like one stop after the other, after the other, after the other, and these are all people being harassed by the police,” he said. “We actually wanted to tweet at the rate the NYPD stops people. Unfortunately, we couldn’t do that because Twitter would’ve blocked us — it would’ve been too much.”

Is @StopAndFrisk an effective way to tell the story behind a controversial NYPD policy?

Via: mashable

Like Google Voice But Live Outside The US? Then Try VoxSci’s New iOS 6/Android App

Google Voice remains a pretty useful service if you want your voice mails turned into text messages. However, its ability to do so accurately is a little hit and miss. Indeed, there are numerous websites that contain hilarious Google Voice transcriptions, often on Tumblr blogs. Plus, Google Voice is only available in the US. VoxSci is a service which has been operating for a while in the UK, but has now launched an iPhone and Android app to do what Google Voice does, but for the rest of us outside the US.

VoxSci converts the first 50 characters of your voicemail for free; however, the user can listen to the entire voicemail within the app. If the user wants the voicemail fully transcribed, they will need to subscribe. Getting the whole voicemail converted to text costs £5, £10 or £25 per month, with payment charged to an iTunes account on the iPhone.

VoxSci has a number of useful features, including voicemail search, and you can respond by text, email or call. There are numerous other features.

Alternatives like Hullomail charge for the first 10 seconds of a voicemail to be transcribed and don’t have the ability to fully transcribe a voicemail. Hullomail also charges to copy voicemails to email, whereas VoxSci doesn’t.

The main difference between the service and Google Voice can be summed up in one word: quality. It’s by far the most accurate voice to text service I’ve come across and is worth checking out.

Via: techcrunch

Android Fakedefender malware attacks Google smartphone and tablet users

New ransomware masquerading as a legitimate Android security app has been uncovered by Symantec researchers.

Symantec’s Joji Hamada said the malicious app infects users’ devices by pretending to be a legitimate free antivirus app. However, rather than protecting the user from malware, it loads malware onto the device.

“The scam has evolved over time and we are now seeing FakeAV threats making their way onto Android devices. One interesting variant we have come across, detected by Symantec as Android.Fakedefender, locks up the device just like Ransomware,” wrote Hamada.

“Once the malicious app has been installed, user experience varies as the app has compatibility issues with various devices. However, many users will not have the capability to uninstall the malicious app as the malware will attempt to prevent other apps from being launched. The threat will also change the settings of the operating system.”

Hamada said the malware is particularly nasty as it can in some cases block the device’s hard reset command. “In some cases users may not even be able to perform a factory data reset on the device and will be forced to do a hard reset, which involves performing specific key combinations and/or connecting the device to a computer in order to perform a reset using software provided by the manufacturer,” he wrote.

“If they are lucky, some users may be able to perform a simple uninstall due to the fact that the app may crash when executed because of compatibility issues.”

FakeDefender is one of many threats targeting the Android operating system. Hamada said the high success rate of the attacks will lead criminals to increase the number of threats using the tactic, and he called for Android users to install legitimate, trusted mobile security applications.

“We may soon see FakeAV on the Android platform increase to become a serious issue just like it did on computers. These threats may be difficult to get rid of once installed, so the key to staying protected against them is preventing them from getting onto your device in the first place,” he wrote.

The ransomware is one of many new mobile threats uncovered this year. Russian security firm Kaspersky reported detecting 23,000 new mobile threats in its Q1 2013 Threat Report.

Via: v3

AOL Reader Launches as Google Reader Checks Out

Just a few days after news circulated that AOL was bringing its own RSS reader to the web, the company launched on Monday its response to the nearly defunct Google Reader.

AOL Reader — which bears the tagline “all your favorite websites, in one place” for both desktop and mobile devices — aims to make reading content from around the Internet easier, engaging and more social. It comes with a clean, organized interface and is extremely intuitive to use.

It’s fast, too. In fact, it imported my full Google Reader subscription library in about four minutes. It also provides helpful instructions on how to transfer feeds from Google Reader to AOL Reader.

The launch comes just one week before Google Reader shuts down for good, which has upset many of its dedicated users and even sparked a White House petition to keep it running. Since then, other companies have been looking for a slice of the reader pie. In fact, Facebook is rumored to be experimenting with its own RSS feed — possibly a Flipboard competitor — and Digg is also poised to launch its own RSS reader on June 26.

Although AOL Reader will likely be a true contender in the RSS space, especially with Google Reader on its way out, it’s not reinventing the wheel. Some nice bells and whistles include sharing content across Facebook, Twitter and Google+, the ability to save articles for future reading and an API for developers and third party apps. You can also tag articles for archiving.

Here’s how it works: After signing up with an AOL account, which can be created for free, you’re prompted to add new subscriptions or import your old ones.

To add a new subscription, simply select various categories such as technology and entertainment. AOL Reader populates each category with some media outlets, but you can also type in a particular organization to follow. After subscribing, a list of stories appears in a feed via its headlines; the most recent stories are listed first.

After clicking on a link, the story and lead image enlarge. By clicking it, you will be redirected to the article’s page on the outlet’s website. As you add new subscriptions, they will be added to the left-hand toolbar and can be later filtered by the content you want to read.

Via: mashable

Facebook owns up to serious privacy breach. Tells the world late on a Friday night (again)

Any time that Facebook admits that it has exposed the privacy of millions of its users, it’s sure to gain the attention of the world’s newspapers and tech bloggers.

The latest news is that approximately 6 million Facebook users had their email addresses or telephone numbers inappropriately shared.

Bad enough, you might think, but when you dig down into how the breach occurred you realize that the users may *never* have uploaded those email addresses and contact numbers to Facebook themselves.

Pardon me for being cynical, but it seems somewhat convenient that Facebook releases the news on Friday afternoon Pacific Time when many reporters are either looking forward to a weekend away from their keyboards, or are already shutting down their computers or are even tucked up in bed.

If I were in charge of Facebook’s crisis communications team, I might also counsel that the best way to minimize fall-out from the announcement you don’t really want to make is to release it at precisely the same time – when America’s East coast reporters have left the office for the weekend, and Europe is already asleep.

The hope would be that by Monday, when the media settles down for another working week, the story will already seem stale. Facebook is saying all the right things in an attempt to dampen any flames, saying (and I believe them) that it has seen “no evidence that the “bug” has been exploited maliciously”.

It doesn’t do the company any harm either, of course, if they give the embarrassing announcement a dull title like “Important Message from Facebook’s White Hat Program”, rather than using words like “Privacy Breach” or “Sorry, we screwed up”.

It’s called damage limitation. For the Facebook brand, at least. It’s not called doing your level best to get the issue reported to as wide an audience as possible.

It’s not the first time that Facebook has made an announcement of a privacy/security snafu at the best possible time of the week, PR-wise.

For instance, at a near identical time on another Friday (February 15, 2013) earlier this year, the social network announced that malware had breached its developers’ systems by exploiting a zero-day Java vulnerability.

Two announcements that no company ever really wants to make. Both released at the same time of day, at the same time of the week, to minimise damage to the social network’s reputation.

Hats off to Facebook’s PR team. They’re earning their money.

In all likelihood, they’ll be proving their worth to the company again. After all, Facebook’s internal mantra is “Move fast and break things”.

Via: grahamcluley

Android app lies to users that their device is infected by viruses, asks for money

Scammers are busily working out the kinks in a rogue anti-virus application designed to target Android users – a threat that marks the criminal underground’s first attempt to spread mobile ransomware, according to researchers.

Security firm Symantec recently detected an Android trojan dubbed Fake Defender, which is capable of locking users’ devices. In a worst-case scenario, it also can require users to perform a hard reset to eradicate the malware.

In a Friday blog post, Joji Hamada, a researcher at Symantec, said users should be able to perform a “simple uninstall” of the app, called Android Defender by its purveyors. But that option exists only because of existing bugs that the app’s creators are trying to work out.

Right now the threat is minimal. Since the malware was detected on June 2, the Fake Defender trojan has infected fewer than 50 devices, according to Symantec’s research. But it signals the rising tide of threats traditionally segregated in the PC market making their way into the mobile realm.

The app acts the same way that rogue anti-virus software installed on desktops and laptops would. Users are made to believe their device is infected with viruses and that they must pay money – in this case $100 over a year – to remove the nonexistent malware.

After victims install the malicious app, there will be no relief from the notifications, since the alerts can continue even if they don’t agree to pay the money.

Symantec posted a video of how the malware works.

Vikram Thakur, principal security response manager at Symantec, said that the app has been hosted at various sites, but has not been seen in the official Google Play store.

Interestingly enough, users often believe they are downloading a Skype app from sites that allow them to make free phone calls, Thakur said.

It’s only when they download the Fake Defender app that they see their device overtaken by the “Android Defender” virus scan.

The malicious app also warns users that malware is trying to steal pornographic content stored on their device – an additional con to spur victims into emptying their pockets.

“In our testing, there was no simple solution to removing this [ransomware] – just as we’ve experienced on the PC side,” Thakur said.

Depending on the malware’s compatibility with the infected device, a factory data reset may be necessary. But if the trojan makes that impossible, users may have to do a hard reset, which requires them to enter a specific key combination or to connect the device to a computer – which could mean shipping the device back to the manufacturer, Thakur said.

Rogue AV scams in the mobile environment could make the schemes even more successful, he said. Since users spend so much time on their mobile devices, they may move quickly to respond to any threats, even if they are bogus.

“People are getting a lot more reliant on their phones these days,” Thakur said. “They probably carry out about 80 to 90 percent of their waking day on them. In terms of urgency, people are a lot more sensitive about their phones than their PC.”

Via: scmagazine

AT&T promotion makes 16GB iPhone 5 just $99 with contract

It appears that retailers are in full-on inventory clearance mode with the iPhone 5, in anticipation of a new model. Best Buy is currently taking $50 off the handset, Walmart is offering the device at a $70 discount, and it looks like AT&T wants in on the fun too.

This morning, the country’s second largest carrier started a promotion that takes 50% off its entire smartphone lineup. Yes, that even includes the iPhone 5, which means that you can score an entry-level model of the popular handset for just $99 with contract…

According to 9to5Toys, who was first to spot the promo, the offer is valid for both the iPhone 5 and 4S (for those interested, it makes the 4S $50) and includes both free shipping and activation if purchased online. The discounts show up just before checkout.

It’s not unusual to see one outlet offer the iPhone at a slight discount, but when multiple retailers start cutting the price tag by $50+, you know something’s up. These companies are obviously trying to clear out their iPhone inventory ahead of the new model.

That new model is believed to be the iPhone 5S, a familiar-looking handset with substantial internal and camera upgrades. Everything we’ve heard about the smartphone up to this point suggests Apple will unveil it sometime around September, as it did last year.

It looks like AT&T’s half-off promotion is just good through the end of the month, so if you’re interested you’ll want to act fast. Also worth noting is that it appears the deal requires a trade-in device when redeemed in-stores, so order the phone online if you can.

Via: downloadblog

Paint a computer interface anywhere: Forget touchscreens

WorldKit lets you create interactive apps on any surface, just by waving your hand.

Ubiquitous, gesture-controlled interfaces are one step closer to reality, thanks to a new system developed at Carnegie Mellon University. WorldKit lets you create interactive apps on any surface just by waving your hand. The project was announced by the university on Thursday.

Instead of being tethered to your hardware, WorldKit is designed to make access to computing instant and mobile by making the world your touchscreen. Right now, the system involves a ceiling-mounted camera and projector that record hand movements and then project onto the surface of your choice. Some potential uses include TV remote controls, which can be accessed by rubbing the arm of a sofa, or calendars that can be swiped onto doors.

With projectors and depth-sensing cameras (the current system uses a Kinect) getting smaller, the researchers envision a system like WorldKit could eventually fit into a light bulb. Any room thus equipped could become a smart environment, where objects and walls become display surfaces. One member of the research team, Chris Harrison, previously worked on the Skinput device that allows users to turn their own arms into touch interfaces.

In the future, users should be able to design their own interfaces with WorldKit. The system currently allows for things like buttons, multitouch drawing (akin to a whiteboard), and counting the number of objects within an interaction “bubble.” The existing prototype still has limited resolution and input dimensions, but hardware advances and future research could allow voice commands or even interaction in free space rather than on surfaces. The CMU team will be presenting their work at CHI 2013 on April 30.

Image via Chris Harrison/Carnegie Mellon University

Via: stumbleupon