Monthly Archives: January 2015

Snapchat images that have “disappeared forever” stay right on your phone…

Snapchat is a wildly popular app for Androids and iDevices that allows you to share photos with your friends.

Snapchat replaces more pedestrian ways of sharing photos, such as sending them by email.

The app enables you – indeed, it pretty much encourages you – to share snapshots you would probably be wiser to keep to yourself, or better yet not to take in the first place (my emphasis below):

Snapchat is a new way to share moments with friends. Snap an ugly selfie or a video, add a caption, and send it to a friend (or maybe a few). They’ll receive it, laugh, and then the snap disappears.

The image might be a little grainy, and you may not look your best, but that’s the point. It’s about the moment, a connection between friends, and not just a pretty picture.

The allure of fleeting messages reminds us about the beauty of friendship – we don’t need a reason to stay in touch.

Give it a try, share a moment, and enjoy the lightness of being!

Clearly, Snapchat’s primary feature, if not its raison d’etre, is “managed risk”.

You can live a bit recklessly, Snapchat seems to be saying, because the snap disappears after your friends have looked at it.

In fact, the app description on Google’s Play Store goes one step further, promising disappearance for all eternity:

Snapchat is the fastest way to share a moment with friends.

You control how long your friends can view your message – simply set the timer up to ten seconds and send.

They’ll have that long to view your message and then it disappears forever.

We’ll let you know if they take a screenshot!

As fellow Naked Security writer Graham Cluley asked late last year, early on in Snapchat’s short history, “How do you reconcile ‘dispappears forever’ with ‘if they take a screenshot’?”

After all, if the screenshot warning ever does come up (assuming the screenshot detector does its job), the one thing you can be sure of is that the image has not disappeared forever, or even at all.

That’s because the screenshot function creates a new image, not managed by the Snapchat application, and saves it where your friend is in complete control of it, rather than you or Snapchat.

So “disappears forever” is something of a bogus concept to start with.

But just how meaningful is Snapchat’s promise if you completely ignore the screenshot problem, or the taking-​a-​picture-​of-​the-​screen-​with-​another-​camera problem?

US-based computer forensics geek Richard Hickman thought he’d find out.

Be prepared to laugh (or cry – it’s not really funny): according to Hickman, “expired” Snapchat photos don’t disappear at all!

He grabbed a forensic image of a phone running Snapchat, found a directory called received_image_snaps and looked in it.

Both unviewed and expired images were still there.

If Hickman’s analysis is correct (and it certainly seems to be), Snapchat relies on two steps to make your images “disappear”:

  • It adds the extension .nomedia to the filenames, which is a standard Android marker that says, “Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me.”
  • It adds a record to its own database to say, “The following image should be treated as though it doesn’t exist. Leave it to me, and I will pretend it has disappeared forever.”

Just as egregiously, Snapchat doesn’t even come close to guaranteeing that your images get deleted from its own servers once they’ve been delivered:

When you send or receive messages using the Snapchat services, we temporarily process and store your images and videos in order to provide our services. Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient (and after a certain period of time if they don’t open the message), we cannot guarantee that the message contents will be deleted in every case.

So when you share that “ugly selfie”, where does it end up?

It’s stored on your phone, but you’d expect that because you took it, so that’s your lookout.

It’s stored on Snapchat’s servers, where it will probably be deleted once it’s been delivered, but not in every case.

And it’s stored on the recipients’ phones, from where it apparently won’t be deleted at all, though it will be marked “not for display,” which seems to be synonymous in Snapchat’s argot with “disappears forever”.

What to do about this?

The obvious first step is to share snapshots only if you don’t mind them hanging around forever.

The second step is to stop using Snapchat until these issues get fixed.

And the third is to write to the Snapchat guys and suggest that they could use cryptography and positive erasure to come much closer to fulfilling their promises, so you can start using their app again.

Here are some cryptographic tricks that Snapchat might consider:

  • When user X signs up, generate a public/private key pair on his device and send the public key to the Snapchat servers.
  • When storing an image for delivery to X, encrypt it with X’s public key so it can’t be decrypted unless and until X receives it on his device. That way, images implicitly ‘disappear’ from the Snapchat servers even before they are delivered.
  • Encrypt each image delivered to X’s device with a random key, and keep the key on the Snapchat server until X requests to view the image. That way, the key and the decrypted image only ever need to exist in memory on X’s device, and thus implicitly ‘disappear’ once viewed.
  • When ‘disappearing’ an image, positively erase (i.e. actively overwrite) the random key off the Snapchat servers. Without the key, the encrypted image becomes shredded cabbage.
  • When ‘disappearing’ an image, positively erase the encrypted image file on X’s device, just in case the key survived, for defence in depth.
  • When uninstalling the app, positively erase X’s private key. That way, as-yet unviewed images become shredded cabbage.
  • Whenever X has no unexpired images left to view, positively erase X’s private key and generate a new keypair as though starting a fresh install.

The bottom line?

Call me a killjoy, but don’t share a selfie, ugly or not, or any other file, for that matter, unless you are willing to risk it being in circulation forever.

And if you’re not willing to risk it being in circulation forever, consider not even taking it in the first place.


Via: nakedsecurity

Your app survival kit for the 2015 blizzard

With a “potentially historic” blizzard on the way, millions of Americans are already in emergency preparedness mode.

But while stocking up on food and other essentials is a given, loading your smartphone with the right apps can also help make the upcoming storm more manageable.

See also: Live cam: Blizzard hits NYC

From emergency alerts to real-time weather updates and first aid tips, these apps should help you prepare for any situation and keep you in the loop with the latest news throughout the storm.

Also, be sure to check out our guides to conserving your smartphone’s battery so you can squeeze the most life out of your devices should you lose power.

  • Dark Sky

    One of the most beautiful weather apps available, Dark Sky is known for its extremely accurate forecasts. The app pinpoints your location and provides up to the minute updates about when rain or snow will hit your neighborhood.

    The interactive map view allows you to see global temperature and precipitation info so you can track storms around the world. Opt in to alerts, and the app will also send push notifications right before heavy rain or snow begins so you can take cover.

    iOS ($3.99)

    Image: Jackadam

  • First Aid

    Whether you’ve had first aid training before or not, it’s a good idea to have the Red Cross’ guide handy should you need it. The app provides comprehensive guides on basic first aid procedures, as well as detailed checklists on how to prepare for extreme weather situations like winter storms.

    First Aid also has a series of quizzes to test your knowledge of how to react in emergencies. And, should a medical emergency arise, the app shows you the closest hospitals and has one-touch access to 911.

    iOS, Android (free)

    Image: American Red Cross

  • NOAA Radar Pro

    NOAA Radar Pro provides real-time updates and forecasts based on the latest satellite information from the National Weather Service. It allows you to keep tabs on severe weather alerts for specific locations by type of event.

    This means you can set winter weather notifications for friends on the east coast, tornado warnings for relatives in the midwest and hurricane and tropical storm alerts for those in the south, for example.

    The app also provides forecasts for the coming days and weeks around the U.S., and breaks down other stats such as pressure levels, humidity, and wind speeds. It also comes with a handy iOS 8 widget so you can see the latest updates without launching the app.

    ($1.99; there’s also a free version

    Image: Apalon Apps

  • Plowz & Mowz

    Think of it as an Uber for snow removal. Plowz and Mowz provides on-demand snow plowing (and lawn mowing in the summer) to users in 30 U.S cities, including Boston, Pittsburgh, Syracuse, Rochester and Buffalo.

    Create an account, get a quote and one of the app’s providers will come plow your driveway (unfortunately, the app doesn’t offer shoveling services so you’ll still have to clear walkways and sidewalks yourself). Once finished, they send you a photo of your cleared driveway so you can check their work even if you’re not home and the app charges your credit card for the work.

    iOS, Android (free)

    Image: Caribou Apps

  • Privacy Flashlight

    iOS has a flashlight app baked into its operating system, but Android and Windows Phone users still need to download a separate app to take advantage of their camera’s flash. While there are hundreds of flashlight apps in the Play and Windows Phone Store, we like Privacy Flashlight because of its clean ad-free interface and small app size.

    The main app includes a built-in timer so the app will automatically disable after a set period of time, and also comes with a widget for your home screen for easy one-touch access.

    Android, Windows Phone (free)

    Image: SnoopWall Tools

  • Storm Shield

    Storm Shield relies on the latest info from the National Oceanic and Atmospheric Administration for real time alerts about storms in your area. It also has an in-app weather radio from the National Weather service and gives updates on school closures in some areas.

    The app also allows you to share alerts with friends and family and keep tabs on different areas of the country.

    iOS, Android ($2.99)



via: mashable

Critical DNS hijacking flaw affects D-Link DSL router

Critical DNS hijacking flaw affects D-Link DSL router, the flaw affects the ZynOS firmware that is used also by other vendors, including TP-Link and ZTE.

A security vulnerability affects DSL router model from D-Link, the flaw could be exploited by a remote attacker to change device DNS settings and hijack users’ traffic. The Bulgarian security expert Todor Donev, member of the Ethical Hacker research team, explained that vulnerability is found in the ZynOS firmware, which is present in many other devices from other vendors, including D-Link, TP-Link, ZTE.

At least one D-Link router is affected by the flaw, the D-Link’s DSL-2740R ADSL modem/wireless router, but every manufacturer using the same firmware is potentially exposed to remote hacking.

Todor Donev published a proof-of-concept exploit for the D-Link DSL-2740R model, which has been already phased out, but might still receive support if covered by warranty.

By exploiting the flaw, the attacker can access the D-Link device’s Web administration interface without authentication. The attacker can then modify the DNS settings to redirect users to phishing websites or domain used to serve malware. Even if the Web administration, it’s not exposed on the Internet, the attacker can access the router’s interface from within the local area network with a cross-site request forgery (CSRF) technique.

“If the administration interface is exposed to the Internet — routers are sometimes configured in this way for remote administration — the risk of exploitation is higher. But even if it’s only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router’s interface. CSRF attacks hijack users’ browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers. Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past.” reported ComputerWord.

Donev hasn’t notified D-Link of the vulnerability, but the availability of the exploit in the wild urges all vendors that adopt the flawed firmware to check if their products suffering the same security issue.

Pierluigi Paganini

(Security Affairs – D-Link, ZynOS firmware)



Via: securityaffairs

New Chrome extension spots unencrypted tracking

A new Chrome extension highlights tools embedded in websites that could pose privacy risks by sending data unencrypted over the Internet.

It’s hard to find a major website that doesn’t use a variety of third-party tracking tools for online advertising, social media and analytics. But if the trackers send data unencrypted, it is possible for those who have network-level access — such as an ISP or government — to spy on the data and use it for their own tracking.

It’s partly the fault of websites that have not yet enabled HTTPS, which encrypts data sent between a computer and server, as well as companies that have not enabled it in their tracking tools.

Documents leaked by former U.S. National Security Agency contractor Edward Snowden showed the spy agency was using cookies in order to target users, according to a December 2013 report in the Washington Post. Cookies are small data files created by online trackers that are stored within a person’s Web browser, recording information such as a person’s browsing history.

The Chrome extension, called TrackerSSL, alerts users when a website is using insecure trackers and gives them an option of tweeting a message to the website letting it know of the issue. TrackerSSL was created by Open Effect, a digital privacy watchdog, and Citizen Lab, a technology-focused think tank at the University of Toronto.

“As demand for secure technology grows, most websites will not be able to protect their readers unless they stop using insecure ad trackers,” wrote Andrew Hilts, executive director of Open Effect and a research fellow with Citizen Lab.

TrackerSSL shows a list of trackers embedded into a website. Websites that don’t use HTTPS show more warnings, as some trackers would be more secure if it was used.

Other trackers simply don’t ever encrypt data transmissions, which puts users at risk that data could be intercepted and misused.

“For content-driven websites such as online newspapers, such snooping can take the form of what’s known as ‘pattern of life analysis’,” Hilts wrote. “Analysts may compile the web browsing history of a target and build the profile of a target by inferring from the target’s lifestyle, demographics, political views and more.”

For the best security, both the website and the individual trackers should use HTTPS. It’s a tall order, especially for sites that use many trackers, and HTTPS can be tricky to set up sometimes. Hilts wrote that “if just one out of a dozen third-parties on a website do not use HTTPS, then a gaping security hole is left open.”


Via: csoonline

Admins Urged to Patch Linux Now as ‘Ghost’ Bug Emerges

Security experts are warning of yet another potentially major vulnerability in Linux systems, which could allow hackers to take remote control of a system.

The flaw – assigned CVE-2015-0235 – was dubbed ‘GHOST’ by the Qualys researchers who discovered it during a code audit, as it relates to a buffer overflow affecting the gethostbyname functions in the GNU C Library (glibc).

It’s exploitable remotely and locally, allowing for arbitrary code execution and therefore unauthorized access.

Qualys said it developed a “full fledged remote exploit” against the Exim mail server as proof of concept, in which a specially crafted email was able to bypass all existing protections and give the firm full control over a Linux machine.

The vendor said it will publish its exploit as a Metasploit module in the near future.

Qualys CTO Wolfgang Kandek claimed in a blog post that the firm “has worked closely with Linux distribution vendors and patches are available” as of Tuesday.

IT managers are therefore urged to contact their Linux vendors to see if a patch is available. Reports suggest this is already the case for Red Hat, Debian, Novell and Ubuntu, at the time of writing.

David Stubley, CEO of Edinburgh-based information security consultancy, 7 Elements, argued that as it’s still early days it’s difficult to anticipate the true scale and impact on systems.

“While the difficulty to exploit will reduce the potential impact of this vulnerability, the widespread adoption of glibc within disparate technology will make this a troublesome issue to fully remediate and it is likely to rumble on for some time,” he told Infosecurity.

“As more research is undertaken, expect new and novel attacks to come to the surface.”

Ironically, the flaw itself was fixed back in 2013. However, it wasn’t recognized as a security threat at the time and so most stable and long-term support distributions were left un-patched.

HD Moore, chief research officer at Rapid7, argued that the flaw is not another Heartbleed.

“In a general sense, it’s not likely to be an easy bug to exploit. One easily-exploitable case identified so far is the Exim mail server. An attacker could abuse this vulnerability to execute arbitrary commands on an unpatched server,” he added.

“Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.”



Via: infosecurity-magazine

Yahoo Shuts Down Its Email Service In China

As reported on TechCrunch and elsewhere, Yahoo’s Chinese email service is no more. Warned all the way back in April, current users of the Chinese version of Yahoo! Mail were given the opportunity to transition their accounts to Alibaba’s email service, Alimail.

As of January 1st, any attempt to mail a user at the or domains is rejected with a “550 relaying denied” error message.

If you run an email service that maintains a filter of dead ISPs or dead domains, I recommend adding and to your “dead domains” list or similar. There’s no point allowing mail to be sent to those domains, as no mail will be successfully delivered.

There is nothing to indicate that users will automatically have the same username at Alimail that they had in Yahoo! Mail, so it likely is not safe for senders to just try to automatically update addresses in their email lists.



Via: spamresource

Get ready for the 24-hour laptop: Battery life hits new highs

Tired of carting around that power cord? Have patience, the 24-hour laptop is almost here.

A handful of new systems are promising more than 15 hours’ battery life on a single charge, or 20 hours with an optional second battery installed. The days of plugging in on the road are almost over, at least for short business trips.

On Monday, for instance, Panasonic introduced its newest Toughbook 31, which can run for up to 18 hours depending on the use case, or 27 hours with an optional second battery installed. The laptop, which has a tough briefcase-type exterior so it can withstand a fall, will go on sale next month starting at US$3,699.

The Toughbook beats out two other recently introduced laptops for battery life—though it’s also a lot heavier. Dell claims 15 hours for its XPS 13, or 22 hours with a second battery. And the two batteries in Lenovo’s ThinkPad X250 can power it along for up to 20 hours. The latter two were both were announced at this month’s CES.

The Toughbook might be difficult to lug around for hours on end, but as the name implies it’s designed for harsh environments. With a 13.1-inch touchscreen, it weighs 3.58 kilograms with one battery and 3.7 kilograms with two.

For all these estimates, battery life will depend partly on the applications you’re running. Watching movies and playing video games generally draws more juice than surfing the web or using a word processor. The display draws the most power, and the brighter the screen the less battery life you’ll have.

Ongoing improvements to storage, memory and CPUs are all helping to lengthen battery life, however.

Laptops that get more than 15 hours on a charge usually have solid-state drives, which are more power-efficient than spinning hard disks.

The above laptops also use Intel’s latest Core processors based on the Broadwell microarchitecture, which is more power-efficient than its predecessors. Intel says Broadwell alone can extend battery life by an hour when watching HD movies or browsing the Web.

Panasonic’s claim of 18 hours is for a power-saving mode, with the wireless off and screen brightness reduced. That’s probably not a typical use case for most people. And while Dell claims up to 15 hours for the XPS 13, Intel’s measured only 11 hours for the same laptop. Dell hasn’t provided benchmarks to prove its claims, but says it’s confident in its dense battery and unique chemical formula.

Battery technology itself hasn’t improved much lately, but laptops are getting smarter, more sophisticated circuitry to help them run longer, said Nathan Brookwood, principal analyst at Insight 64.

Intel used to focus more on horsepower than energy efficiency, but that’s switched in recent years, he noted. Displays are also advancing, with laptop makers using tricks to improve perceived quality of images by modulating the backlight.

Intel and AMD are both reducing the size of processors while packing in more cores, controllers and other features. That reduces the number of components on a motherboard, reducing power use further.

The Broadwell chips are manufactured on Intel’s latest 14-nanometer process, which means smaller transistors. A Broadwell chip is 37 percent smaller than a comparable chip based on the Haswell microarchitecture.

AMD claims its PC chips will be 25 times more energy efficient over the next few years, which could mean 50 hours battery life in idle mode.

But for now, 15 hours is the exception rather than the rule. It’s pretty impressive when you compare it to just a few years ago, and for now it’s probably enough.

“That’s unless you want to walk around with a 10-pound battery, which no one really wants to do,” Brookwood said.


Via: networkworld

Android banking apps riddled with malware

Research of 350,000 banking-related Android apps has revealed about 11% contain malware or suspicious binaries.

The study of Android mobile banking apps in 90 app stores, carried out by RiskIQ, found 40,000 were suspicious. Apps were labelled suspicious based on whether they contained malware or suspicious binaries identified by a consortium of 70 antivirus suppliers.

RiskIQ CEO Elia Manousos said mobile banking is now a way of life for most people but also presents an opportunity for criminals to commit fraud.

“One of the easiest ways to steal a victim’s login and other personal information is using malware and apps with excessive permissions,” he said.

“These findings show that criminals are using look-a-like banking apps to distribute malware and capture data on the device to commit crimes.

“Policing app stores for malicious apps and taking them down is a never-ending battle for banks, and any other brand that uses the mobile channel to interact with customers.”

RiskIQ continuously monitors mobile application stores and websites using software agents that emulate human behavior to detect suspect applications, application tampering and brand impersonation.

Out of the 40,000 suspicious apps, 21,076 contained adware, 20,000 contained Trojan malware, 3,823 contained spyware, 209 contained exploit code and 178 contained malicious JavaScript.

Mobile is the most dominant form of banking in the world and is enabling competitors to eat into banks’ business without being noticed, according to a massive study of 80,000 people.

Research from Bain & Company revealed mobile accounted for about a third of transactions in 13 out of the 22 countries it surveyed. The study showed banking using a mobile is taking over online banking via a computer, which decreased by 3% in 2013.

According to Forrester in its digital banking forecast for 2014 to 2018, tablet banking will more popular than mobile banking by 2018, partly due to less security fears.

European mobile banking will increase from 42 million users in 2013 to 99 million in 2018. Meanwhile, tablet banking will grow from 19 million users in 2013 to 115 million in 2018.

Forrester said increasing tablet ownership, more tablet banking apps and fewer security fears among tablet users versus mobile users are key drivers.


Via: computerweekly

Mozilla Wants To Bring Virtual Reality To The Browser

Last summer, Mozilla launched a very experimental version of Firefox with support for web-based virtual reality apps that could be experienced through the Oculus Rift. Earlier this week, support for WebVR also landed in Firefox’s Nightly and Developer Edition release channels.

So why is Mozilla working on virtual reality when its mission is to “promote openness, innovation and opportunity on the Web?” At a talk last summer, Mozilla’s Josh Carpenter argued that the organization knows VR will be a “really big deal” and because “it presents a really great challenge — and we like great challenges.” To give users that feeling of actually being present in a different world (and not just that of looking at a simulation), you need to get the latency between head movements and the screen reacting to them down to an absolute minimum. Mozilla argues that, in the end, all of this work will not just benefit the VR experience, but also the Web experience as a whole.

To do this, Mozilla has thrown its weight behind WebVR, an experimental API that makes it easier to connect the browser to virtual reality headsets. Google, too, has started to experiment with this as well, so there’s already some cross-browser support for it, even though it’s still far from being an official standard and from becoming a default feature of Mozilla’s and Google’s mainstream browser release channels.

For now, the new Firefox builds only work with the Oculus Rift (though you still have to install a small plugin to make this work), but Mozilla says it also plans to add built-in support for Linux, Firefox for Android and Google’s Cardboard.

With projects like asm.js and others, Mozilla has worked hard to bring native-like speeds to browser- and JavaScript-based applications. I’m not completely sold on the idea that the browser is the best place for experiencing virtual reality, but there is something to be said for Mozilla’s approach of creating an open ecosystem that could side-step the walled gardens of the different VR vendors in the long run. For now, achieving that feeling of presence greatly depends on getting the lag down and even if Mozilla manages to get JavaScript performance even closer to native speeds, native VR apps will always be just a little bit better. Still, if this project yields nothing more than better browser performance and acceptable (but not stellar) browser-based VR experiences, I’m all for it.


Via: techcrunch

Unpatched Apple Vulnerabilities Latest Google Project Zero Disclosures

OK Apple, your turn.

After raising a ruckus with the disclosure of three unpatched Windows vulnerabilities, Google’s Project Zero research team did the same this week with a trio of security issues in Apple OS X.

Project Zero imposes a 90-day deadline on vulnerabilities it reports to affected vendors; if a patch is not delivered inside that time frame, details are automatically made public via its external database.

The respective OS X bugs were reported to Apple in late October and 90-day deadlines began expiring this week. The Project Zero disclosures also come with proof-of-concept exploit code.

A request for comment from Apple was not returned in time for publication.

The vulnerabilities affect different components of Apple’s flagship operating system, and range from memory corruption, kernel code execution and a sandbox escape. All three require some kind of local access to exploit.

The sandbox escape vulnerability, OS X networkd “effective_audit_token” XPC type confusion sandbox escape as labeled by Google, may have been mitigated starting in the Yosemite version of OS X. Google refers to a separate advisory for those details.

In its disclosure on Tuesday, Google said that the networkd system daemon implements an XPC service API which communicates on behalf of an application. Project Zero said that XPC messages using get parameters are used without checking the type of returned value. This allows messages to reach functions outside the sandbox, Google said.

One day later, the 90-day deadline expired on an OS X IOKit kernel execution vulnerability.

“Calling IOConnectMapMemory on userclient type 2 of “IntelAccelerator” with memory type 3 hits an exploitable kernel NULL pointer dereference calling a virtual function on an object at 0x0,” Google said in its advisory. Part of this disclosure originally included a kernel ASLR bypassed, but that was patched in Yosemite 10.10, Google said.

The third disclosure happened yesterday and is another OS X IOKit kernel memory corruption vulnerability. Google said a Bluetooth device must be connected to exploit this bug, which is due to a bad bzero in IOBluetoothDevice.

“Userspace can modify the size in shared memory leading to the bzero writing a controlled number of NULL bytes off the end of the buffer,” the advisory said.

Project Zero’s automated disclosures are the latest salvo in the industry’s eternal debate over the sharing and distribution of vulnerability details. Microsoft fought back after Google spilled the beans on a trio of its unpatched bugs, one of which Google refused to sit on for an additional two days before Microsoft was to release a patch.


Via: threatpost