Thursday 17 October 2013

The Death Of Cookies: Websites Can Use Accelerometers To Identify Your Smartphone

Online behavior tracking by Web advertisement agencies attempting to better target consumers with products and other ads is a pervasive, persistent, and contentious practice on the Internet. The ad firms generally do this by installing small amounts of data on the user’s browser. These data are known as tracking cookies. New research from Stanford University found that the accelerometers in our smartphones produce uniquely identifiable measurements that these firms could exploit to track users even more reliably and accurately, a troubling breakthrough for those that advocate for online privacy.
deathofcookies
An accelerometer is more or less a piece of hardware that measures the degree of acceleration experienced by the device it is embedded into. Pragmatically, for a smartphone at least, the accelerometer is the piece of equipment that enables the device to be aware of its orientation and allow you to play those flying and driving-related games.
According to an article in SFGate, researchers from the security lab within Stanford University’s Computer Science department realized that each accelerometer is subtly and uniquely flawed because of nearly unrecognizable variations in the accelerometer manufacturing process. Of course, like most modern manufacturing, the building of accelerometers is largely automated and highly precise, but it is not perfectly precise.
In theory, according to research cited by SFGate, an accelerometer should pick up the weight of gravity on a phone resting on a flat surface and quantify that measure as positive on when the phone is upright and negative one when the screen is facing downward. These measurements end up being close to, but not exactly negative or positive one respectively. As luck would have it, because of these unique manufacturing imperfections, the Stanford researchers believe they can prove that each accelerometer’s output is slightly different from every other accelerometer.
If you haven’t guessed it yet, this of course would mean that measuring the differences in output between different accelerometers is a reliable way of identifying a particular device and, at the very least, the person who owns it, which is generally the person who is using it as well.
New research from Stanford University found that the accelerometers in our smartphones produce uniquely identifiable measurements that these firms could exploit to track users even more reliably and accurately.
Generally, when I read about a uniquely identifiable characteristic, I think about the potential to apply such characteristics – often based on human biometric measures – for device and online authentication in ways that might work better and provide more security than passwords, which are at once completely imperfect and almost entirely universal.
In fact, sometime last year, a different set of researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researcher working on the “physically unclonable functions found in standard PC components” project is capable of discerning these fine differences. The magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.
It’s not totally clear how or why the Stanford researchers came to believe that advertisers might someday use these measurement to track our behavior online, but we’ll probably be able to figure it out in the near future when Stanford publishes the results of the full research.
You can check if your own phone’s accelerometer is uniquely identifiable by running it through Stanford’s Web-based proof-of-concept.

EU urges cloud computing uptake despite PRISM fallout

europe757
The European Commission (EC) has said that concerns over spying and data security in the wake of the PRISM scandal must not stop businesses from taking advantage of the benefits of cloud computing.
Ever since the scandal broke over the summer there have been concerns that the issues PRISM raised over the ability for government spies to access data would cause mistrust of cloud services.
The EC acknowledged this in a briefing document outlining its position on cloud computing use. “Users already had some reservations over security and confidentiality of information in the cloud, but PRISM aggravated this situation. Trust in cloud computing is suffering, which risks depressing the rate of cloud uptake and Europe lagging behind in cloud computing adoption,” it said.
However, the EC said despite this the benefits of cloud services must be recognised and utilised by firms in Europe to achieve the greatest economic potential.
“The cloud puts the best IT solutions within the reach of small firms and organisations,” it said. "These small firms are the bedrock of the European economy, and means the cloud will enable a particularly big leap forward for productivity in Europe if firms can be convinced to use it."
The EC also warned that while some have called for localised cloud initiatives this would further hold back cloud use and see Europe fall further behind in the digital market.
“Fragmentation or segmentation of the cloud computing market along national or regional lines could unfortunately hold back the development of cloud computing in Europe,” it said.
“National-level initiatives in particular where the software systems are adapted to local circumstances will not achieve a scale of rollout that would unlock the full economic benefits of cloud computing.”
The EC added that European firms should seek to build on the PRISM scandal by making themselves seen as the most trustworthy for storing data and running applications.
“Europe can pride itself on high standards for data protection and data security. This could be a competitive advantage for firms complying with these high standards. That is why Europe should aim to be the world’s most secure and trusted region for cloud computing,” he said.
“Second, the potential economies of scale of a truly functioning EU-wide single market for cloud computing, where the barriers to free data flow around the EU are substantially reduced, would be a massive boost to competitiveness."
The EC even went as far as to highlight some of the shortcomings of on-premise security in an effort to underline the benefits of cloud.
"The premises solutions are not completely secure, because they generally lack the ability to call on very high levels of professional security that cloud provisioning can deploy to counter some of the risks of traditional computer provisioning through implementation of more effective authentication, strong cyber defences, and state-of-the-art security implementation," it said.
"The technology systems on which they are based have the same vulnerabilities as cloud-based provisioning and indeed they may be less secure as software implemented in specific enterprise environments usually has extra vulnerabilities because the security features will not be standardised or as fully tested."
The PRISM fallout is still affecting the tech community, with German internet giant Deutsche Telekom pushing forward with plans to try and keep all its web traffic within Germany to avoid the reach of spies.
The use of the spying tactics has also led to legal challenges against the UK government, although the head of UK spy services including MI5 has defended the programmes used as vital for national security.
The latest issue of the V3 Tablet App features an in-depth look at the PRISM scandal and how it is affecting businesses. It also has an in-depth feature with the head of IT at Bet365 and our full review of the iPhone 5S device.

Oracle issues 51 critical Java patches in giant security update

Java logo
Oracle has released a whopping 51 Java fixes amid a wider update to address 127 security flaws in its October Critical Patch Update (CPU).
The fixes cover a raft of products including Oracle's Database, Fusion Middleware, PeopleSoft and the Java Standard Edition platform products. Oracle said: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible."
Security vendors echoed this call to install the updates as soon as possible as they pointed out the severity of some of the issues Oracle has fixed. Chief technology officer for Qualys Wolfgang Kandek noted that some had the potential for devices to be completely overrun by attackers.
“The Java update should be a top priority for this month as it addresses 51 vulnerabilities, 12 of which have the highest CVSS v2 [Common Vulnerability Scoring System] score of 10,” he said.
“[This means] these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication.”
Ross Barrett, senior manager of security engineering at Rapid7, added his voice to the calls for firms to move quickly and urged wider Java security precautions to be taken given the platform's long-running security risks.
“The vast majority of these issues affect the Java browser plugin and users are advised to keep up to date with patches. Secondly, users should take advantage of all the signing and execution restrictions offered by the latest plugin versions,” he said.
“Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin. Otherwise, run Java in the most restricted mode and only allow signed applets from whitelisted sites to run.”
Given the huge amount of update issues, and the fact that Oracle still works on a quarter-to-quarter release cycle, rather than monthly, Chester Wisniewski, senior security advisor at Sophos, urged the company to invest more in security updates in a blog post.
“I heard that Oracle won the America's Cup recently, which leads me to give them some unsolicited advice. Put the award on the shelf in your lobby, sell the $10,000,000 boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash,” he wrote.
The update is also noteworthy as it brings the Java patch release cycle into the same quarter as the rest of the firm’s security releases for the first time. This should at least make it easier for IT administrators to keep track of all the security updates they have to tackle in one go.

Google Chrome 'Fails to Protect Sensitive Personal Data'

Chrome Sensitive Data Risks
You're very careful with sensitive personal data like your credit card number, right? Before filling a Web form with this kind of information, you always check the Address Bar for the padlock that indicates a secure connection. But if you use Google Chrome for your browser, all your precautions are for naught. The sensitive data specialists at Identity Finder report that Chrome keeps local copies of that data in databases that aren't secured at all.
Not the First Time
This isn't the first time Chrome has come under fire for failing to protect users' privacy. A study by NSS Labs a few months ago evaluated the latest versions of Internet Explorer, Firefox, Chrome, and Safari. They checked each browser's default configuration for handling of various privacy-related issues, among them third party cookies and geolocation. Internet Explorer came out a clear winner here, while Chrome's privacy protection was the poorest.
What's the Risk?
Researchers at Identity Finder scanned computers belonging to several employees using the company's in-depth Sensitive Data Manager. The scan found tons of private information in Chrome's SQLite databases and protocol buffers, including "names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers." This data was exposed for every employee who used Chrome as a primary browser.
Anyone with physical access to the computer or access across the local network can easily read out all of this sensitive personal data. It could also be sifted out and phoned home by a data-stealing Trojan. To double-check that this is a real danger, the researchers cobbled up a proof-of-concept exploit. According to the report, "Attackers could acquire vast amounts of personal information without requiring users to enter anything into a form, or system credentials." In addition, if you sell an old computer without completely overwriting and wiping its hard drive, the buyer could easily access all of this stored information.
The report notes that these risks have been around since Chrome 2.0, and that other browsers may share similar vulnerabilities. Google has been notified of the findings, but hasn't yet responded.
What Can You Do?
Naturally the report encourages all browser makers to beef up security and definitely refrain from storing sensitive data in unprotected databases. Meanwhile, you can take matters into your own hands. Any time you complete a transaction involving sensitive personal data, delete your recent browsing history. In Internet Explorer, Firefox, or Chrome, pressing Ctrl+Shift+Del brings up a window that lets you clear specified data during a specified time period. You can clear just the last hour, if you like, or clear your browsing history "from the beginning of time."
If you're currently relying on Chrome as your primary browser, review the infographic below (you can click on it for a larger image). Maybe it's time to switch back?
Chrome Sensitive Data Risks

Mobile Threat Monday: Leaky Document Signing Apps and Ad-Packed Plagiarized Apps

Image via Flickr user Tiago A. Pereira
This week, we take a look at two very different potential threats to your privacy and your peace of mind. First we look at document signing apps, which though useful, might not be storing your documents in the most secure fashion. We also take a look at repackaged apps that copy-cat developers have stuffed with aggressive advertising.
Signedoc
Despite being pretty deep into the 21st Century, we're still required to sign physical documents and even asked to fax said documents. That's where the attraction of document signing apps comes in: these mobile applications will let you sign documents and then send them back to whoever requires your John Hancock.
But as Appthority found, some of these applications don't put security first. For instance, your documents are sent up to the cloud for processing, though you might not necessarily be aware of it. Also, Signedocs stores documents on your SD card. "This exposes private documents that can be picked up from other untrusted applications and used for data exfiltration," said Appthority.
Appthority also noted that Signedocs stores your password in plaintext on your device.
Worst of all, the documents you sign with Signedoc are stored online in a public server. The file name is hashed and obfuscated, so guessing the URL for the documents would be difficult if not impossible. But there's also no authentication in place to verify that only authorized people are looking at your documents. We've seen similar, though more pressing issues, with messaging apps in the past.
Signedocs is clearly not malicious, and the service it provides is genuinely valuable. But from the sound of it, the developers may need to tighten things down for the safety of their users. Especially because these documents are likely to contain personal identifiable information like Social Security numbers, birthdates, and so on.
Reverse Engineered and Repackaged Apps
According to Bitdefender, a surprising 1.2 percent of 420,646 applications on Google Play turned out be plagiarized. These 5,077 apps are 90 percent identical to other apps and in some cases have been repackaged with different ad networks and little thought to your private information.
"These duplicates or repackaged applications should not be mistaken for different versions of an app," said Bitdefender Chief Security Strategist Catalin Cosoi. "Here, it's about a publisher who takes an application, reverse-engineers its code, adds aggressive advertising SDKs or other beacons, then repackages and distributes it as his own." Bitdefender also pointed out that the process of unpacking an existing app is extremely simple.
Bitdefender told SecurityWatch that sometimes the repackaged apps only add a new advertising SDK, or change the Advertiser ID in order to make money from plagiarized apps. Other copy-cat developers are more aggressive, adding extra modules to put spam in the notification bar, report your location, access to your contacts, and more. This is a similar tactic to the fake Disney Princess wallpapers, which lured downloaders with images from popular films.
These copied apps are usually swiftly found and deleted by Google, along with the plagiarizing developer's account. But the cost of creating a new account is a mere $25, small change compared to the money a popular plagiarized app could bring in—some of which average between 1,000 and 5,000 downloads.
Copy-cat apps are bad for legitimate developers as well. Looking at the game Riptide GP 2, Bitdefender found four free copies of the game on Google Play. They estimate that the original developer lost between $6,000 and $31,000—depending on download figures.
Make sure when you download a free version of an app that it's made by the same developer as the for-pay version. You can also use security apps like our Editors' Choice award winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus to view what private information apps can access. Lookout has also become the standard bearer for adware, and should detect the more aggressive advertising SDKs.

Hacker Horrorshow Shaping Up for Halloween

Blue Coats Malware Security Get yourself ready for the frights of October! We're not talking about ghosts or ghouls, but malware threats. In a recent blog post, Solera Network, a Blue Coat company, warned victims of this month's malware infection campaign to keep a watchful eye out for more dangers. These include the ransomware CryptoLocker, clickfraud on a massive scale, and the theft of personal data like passwords.
CryptoLocker CountdownIn early September, malware present on actively infected PCs began to receive instructions from its Command and Control server to download the CryptoLocker ransomware application. CryptoLocker wastes no time and encrypts most document file types on the victim's computer. Other ransomware campaigns normally try to convince the user that he or she is going to be arrested for an alleged cybercrime.
CryptoLocker isn't joking around. It employs a 72-hour countdown clock with the following warning: pay up 300 dollars before time runs out or the malware will delete the decryption key which will render files unreadable. A year ago, ransomware criminals typically charged 200 dollars for data retrieval. CryptoLocker changes the desktop background to a threatening message that is revealed if your antivirus program deletes the program. It warns that you won't be able to decrypt your files unless you download the Trojan again.
CryptoLocker threat
CryptoLocker is pretty simple to find, kill, and delete because this malware runs under a suspiciously long, random-looking filename in the device's Application Data folder. However, if the Trojan finds a way into your system and you don't have your files already backed up, they're likely gone for good.
You should run regular backups on your computer for recovery, as well as antivirus software to keep CryptoLocker from breaking in. In case you find CryptoLocker on your system, the best possibility to get your data back is to recover it from your backup.
Medfos MaladvertisingUnfortunately, the malware campaign doesn't end here. It also employed Medfos, a Trojan that has write-ups from 2012. Medfos is a clickfraud Trojan that earns profit for malware distributors by running on unattended computers.
Medfos receives a list of websites that allow Pay Per Click advertising. Advertising agencies pay associates based on the number of clicks through an advertisement. This Trojan loads these websites in "headless" web browser applications that do not have visible windows and pretends to click an advertisement.
It only takes one computer infected with Medfos to overwhelm a home broadband connection; it loads hundreds of ads per minute. To add insult to injury, the bot controller performs regular checks to make sure Medfos is continually running and reinstalls the Trojan as needed.
Watch out for signs that your computer has been infected by Medfos. The Trojan runs from two DLLs that are visible in the process list from the Application Data folder. Additionally, it adds a new browser add-on, most recently dubbed Addons Engine 3.0.1 to Firefox, but normally uses Internet Explorer for heavy downloading. Medfos hijacks search engine settings in your browser so that when you think you're searching Google, you're actually sending information to Medfos-controlled pages.
Kegotip Wants EverythingIt's common for cybercriminals to steal and spread victims' personal information like passwords. In this recent malware campaign, perpetrators scan the infected system's files to search for anything that resembles an email address.
The Trojan, called Kegotip, sends a batch of email addresses every 15 to 30 seconds in a specially crafted packet to a server specifically listening to them on Transmission Control Protocol) (TCP) port 20051. You can identify this packet because the data portion always starts with the text string "Asdj," which ends up actually translating to "QXNka" according to the encoding format used by the bot.
Kegotip sifts through Internet-enabled applications, like File Transfer Protocol (FTP) clients, email apps or browsers, for stored credentials. These cybercriminals work efficiently: the report claims that two Kegotip attacks carried out transmitted over 15MB of stolen email addresses and fake credentials from two infected machines in the lab network.
Stop Infection Before It StartsMalware threats are certainly frightening, so it's important that you protect your devices before they get infected. Invest in antivirus software and keep it updated to protect yourself against future threats. Some good choices are our Editors' Choice Bitdefender Antivirus Plus (2014), Norton Antivirus (2014), or Webroot SecureAnywhere Antivirus 2013. Remember the fight against cybercriminals isn't hopeless; you can overcome these malware demons like your childhood nightmares.

Webroot Proves 'Secure' Need Not Mean 'Slow'

Fast planes
Back in the dark days of 2005 and 2006, many computer users started noticing an unpleasant phenomenon. They'd install a recommended security suite only to find that ordinary activities got sluggish, or worse. Norton had a particularly bad reputation for hogging resources. Some people were permanently traumatized by the experience; to this day, they believe that installing a security suite will bring their daily computer use to a grinding halt. Well, it just ain't so, not anymore. One suite in particular is both crazy small and crazy lightweight, but suites in general are doing much better.
Measuring Performance Impact
Starting five or six years ago, security vendors got the message. It's not enough to pile on code for protection against phishing, malware, spam, and exploits. They also needed to streamline that code, make it as efficient as possible, and look for every possible way to limit use of system resources. And they're succeeding!
I run several tests to evaluate what impact a suite's protection has on system performance. One script moves and copies a ton of huge files between drives. A suite whose real-time antivirus spends too much time checking these files might slow down that process. The same might happen to another script that zips and unzips this same collection. I time ten or twelve runs with no suite and average the result, then do the same with a security suite installed. Recent suites have averaged a 20 percent increase in time required for the move/copy test, and 16 percent for the zip/unzip test, which is nothing compared to the bad old days.
Getting all of those security services running at startup can take time, so I also measure boot time with and without a suite. This one's a little harder, because a number of modern security suites will let the user trade security for speed by choosing to delay the launch of some security components. If there's a choice, I always switch to maximum security. The average modern suite slows the boot process by 24 percent. Give that might mean the system boots in a minute and a quarter instead of a minute, again that's not so bad.
The Tiniest Impact
I find that some security suites run ten or fifteen distinct processes and services. A few actually install and run multiple separate modules—Trend Micro Titanium Maximum Security 2014 is an example. At the far opposite extreme is Webroot SecureAnywhere Complete (2014), with just one process. Not surprisingly, Webroot has less impact than any other suite in my tests.
Webroot also takes less space on disk than any other suite I've seen. The installer (which is the same for all Webroot products) is about three quarters of a megabyte in size, and Webroot SecureAnywhere Antivirus (2014) takes barely more than that once installed. Even with all of the additional features in the full Webroot suite, it's still less than 100MB on disk.
I spoke with Joe Jaroch, a VP of Engineering at Webroot, about just how this is possible. Jaroch explained that the designers always look for ways to re-use code. The same antivirus code that checks for a changed file can be used by the backup system to identify a file that needs to be re-synced, for example. Also, as much of the malware analysis process as possible occurs in the cloud, not on the local system. He noted that the user interface is almost entirely created using drawing commands, not by stored bitmaps and other resources.
However they manage to do it, Webroot is definitely the smallest suite around, with the lightest performance impact I've measured. Sure, it does omit spam filtering and parental control, but not everyone needs those. If you're still traumatized by the days of big, resource-hogging suites, Webroot may be just what the doctor ordered