Remote Access Tools Threaten Smartphones
March 7, 2012 by admin
Filed under Smartphones
Malware tools that allow attackers to gain complete remote control of smartphones have become a major threat to owners around the world, security researchers say.
In a demonstration at the RSA Conference 2012 here Wednesday, former McAfee executives George Kurtz and Dmitri Alperovitch, who recently founded security firm CrowdStrike, installed a remote access tool on an Android 2.2-powered smartphone by taking advantage of an unpatched flaw in WebKit, the default browser in the OS.
The researchers showed an overflow audience how the malware can be delivered on a smartphone via an innocuous-looking SMS message and then be used to intercept and record phone conversations, capture video, steal text messages, track dialed numbers and pinpoint a user’s physical location.
The tools used in the attack were obtained from easily available underground sources, Kurtz said. The WebKit bug, for instance, was one of 20 tools purchased from hackers for a collective $1,400.
The remote access Trojan used in the attack was a modified version of Nickispy, a well-known Chinese malware tool.
Learning how to exploit the WebKit vulnerability and to modify the Trojan for the attack was harder than expected, said Kurtz. He estimated that CrowdStrike spent about $14,000 in all to develop the attack.
But the key issue is that similar attacks are possible against any smartphone, not just those running Android, he said.
WebKit, for instance, is widely used as a default browser in other mobile operating systems including Apple’s iOS and the BlackBerry Tablet OS. WebKit is also used in Apple’s Safari and Google’s Chrome browsers.
Several mobile remote access Trojans are already openly available from companies pitching them as tools that can be used to surreptitiously keep tabs on others.
Adobe Says No To Android’s Chrome
Chrome for Android will not run Flash Player, the popular software that Apple has famously banned, Adobe confirmed Wednesday.
The acknowledgment was no surprise: Last November, Adobe announced it was abandoning development of Flash for mobile browsers. In other words, Google missed the Flash boat by several months.
“Adobe is no longer developing Flash Player for mobile browsers, and thus Chrome for Android Beta does not support Flash content,” said Bill Howard, a group product manager on the Flash team, in an Adobe blog Tuesday.
The stock Android browser included with the operating system does support Flash, noted Howard.
Adobe explained its decision to halt work on Flash Player for mobile browsers as necessary to shift resources, notably to its efforts on HTML5, the still-developing standard that will ultimately replace many of the functions Flash has offered.
“We will continue to leverage our experience with Flash to accelerate our work with the W3C and WebKit to bring similar capabilities to HTML5 as quickly as possible,” Danny Winokur, the Adobe executive in charge of interactive development, said last year. He was referring to the World Wide Web Consortium standards body and WebKit, the open-source browser engine that powers Chrome and Apple’s Safari. “And we will design new features in Flash for a smooth transition to HTML5 as the standards evolve.”
Analysts read the move as a tacit surrender to the trend, first seen at Apple, to skip support for Flash on smartphones and tablets. In 2010, former Apple CEO Steve Jobs had famously dismissed Flash as unsuitable for mobile devices because it was slow, drained batteries and posed security problems.
Google Goes Pay To Track
February 15, 2012 by admin
Filed under Around The Net
Amid widespread concern about its new privacy policies, Google is now facing additional criticism over a deal to offer users Amazon gift certificates if they open their Web movements to the company in a program called Screenwise.
Google says the program launched “near the beginning of the year,” but the company’s low-key offer was disclosed Tuesday night on the blog Search Engine Land.
Google is asking users to add an extension to the Chrome browser that will share their Web-browsing activity with the company. In exchange, users will receive a $5 Amazon gift when they sign up and additional $5 gift card values for every three months they continue to share. (Amazon is not a partner in the project.) Users must be over age 13, and minors will need parental consent to participate. The tracking extension can be turned off at any time, allowing participants to temporarily close their metaphorical shades on Google.
The company says the program will help it “improve Google products and services and make a better online experience for everyone.”
Google Defends New Privacy Policy
February 6, 2012 by admin
Filed under Around The Net
In a letter sent to eight members of Congress, Google yesterday defended its decision to consolidate its privacy policies and users’ personal information.
The 13-page letter explains Google’s decision to change its privacy policies and answers specific questions from the legislators. In sum, Google contended that its approach to privacy remains the same, that users still have control over how they use the company’s various online services, and that private information stays private.
“Some have expressed concern about whether consumers can opt out of our updated privacy policy,” wrote Pablo Chavez, Google’s director of public policy, in the letter.
“We understand the question at the heart of this concern. We believe the relevant issue is whether users have choices about how their data is collected and used. Google’s privacy policy – like that of other companies – is a document that applies to all consumers using our products and services. However, we have built meaningful privacy controls into our products, and we are committed to continue offering those choices in the future,” he added.
Google stirred up something of a privacy firestorm last week when company executives disclosed plans to rewrite privacy policies and to meld user information across its various products and services.
Apple Blasted For Not Blocking Stolen Certificates
A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.
“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.
Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.
Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.
Users of Safari on Mac OS X, however, remain at risk of possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.
Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.
Download Defense Added To Chrome Browser
Google has updated Chrome to version 12, adding a new feature that warns users when they’ve downloaded files from dangerous Web sites.
New to Chrome 12 is a tool that flags questionable files pulled from the Web. Chrome now shows an alert when users download some file types from sites that are on the Safe Browsing API (application programming interface) blacklist, which Google maintains.
The message reads: “This file is malicious. Are you sure you want to continue?” If they wish, users can ignore the warning and install the file on their system’s hard drive.
“This warning will be displayed for any download URL that matches the latest list of malicious websites published by the Safe Browsing API,” said Google last April when it debuted the feature in an earlier edition of Chrome.
Safe Browsing already identifies suspicious or unsafe sites, then adds them to a blacklist. Chrome, Mozilla’s Firefox and Apple’s Safari all tap into Safe Browsing to warn users of risky sites before they actually visit them.
Google SEARCH Goes SSL
Google is finally taking privacy seriously to a degree by offering its users a secure form of searching while using Google Search. Moving forward, users will have the opportunity to enable SSL (Secure Socket Layer) for added security. Be advised: the service will only cover the Google search itself, and clicks made through Google to other non-secured sites will be visible.
‘Do Not Track’ Internet Legislation Advances
California is moving closer to making into law the first Do Not Track legislation in the U.S., aimed at protecting Internet users from invasive advertising.
The proposed Senate bill, SB-761, passed a Senate Judiciary Committee vote late Tuesday, but it still has a long road ahead before having a chance of being signed into law. It now moves on to the Appropriations Committee, and must also pass the Senate and State Assembly before being sent to Governor Jerry Brown’s desk.
Still, it’s the first time such a bill has made it out of committee, and that’s a big deal, according to John Simpson, director of Consumer Watchdog’s Privacy Project. “This is the first time that a ‘do not track’ bill has actually had a hearing and been debated and then voted forward in the legislative process,” he said.
The bill would give California consumers a simple way of opting out of data collection systems that keep track of their online activities. “It puts up a no trespassing sign on our device,” Simpson said.
Opponents of the bill, including Google, the Direct Marketing Association, and the wireless industry group CTIA, say it puts an unnecessary burden on online commerce.
Online marketers love this type of data because it helps them fashion highly effective targeted advertising. But many consumers don’t want to hand marketers every detail of what they do on the Web.
Under the proposed law, users would have a way — possibly through a browser setting — of telling Web sites not to track them. If a company disregarded this and collected data without permission, it could face stiff fines.
FTC Singles Out Google’s Chrome
Federal Trade Commission Chairman Jon Leibowitz this week singled out Google for not adopting “Do Not Track,” the privacy feature that allows consumers the ability to opt out of online tracking by Web sites and marketing entities.
In an interview Monday with Politico, Leibowitz called out Google for not supporting Do Not Track in its Chrome browser.
Noting that Do Not Track had gathered momentum, Leibowitz said, “Apple just announced they’re going to put it in their Safari browser. So that gives you Apple, Microsoft and Mozilla. Really the only holdout — the only company that hasn’t evolved as much as we would like on this — is Google.”
Do Not Track has been promoted by the FTC and by privacy advocates, including the Electronic Frontier Foundation (EFF), as the best way to help consumers protect their privacy.
The technology requires sites and advertisers to recognize incoming requests from browsers as an opt-out demand by the user. The information is transmitted as part of the HTTP header.
As Leibowitz said, Microsoft and Mozilla have added Do Not Track header support to their Internet Explorer 9 (IE9) and Firefox 4 browsers. While Apple hasn’t confirmed that the next version of Safari will include Do Not Track, developers have reported finding the feature in early editions bundled with Mac OS X 10.7, aka “Lion,” the upgrade slated to ship this summer.
Firefox 4 Coming Next Week
Mozilla’s Firefox 4, the latest offering of the second most popular Web browser in the world, will be officially released on March 22, 2011.
It’s been a long time coming. The first Firefox 4 beta was released July 6, 2010. At the time, Mozilla was aiming to deliver a release candidate this past autumn.
Launching several months late isn’t ideal, but Google’s release practices have made Firefox’s tardiness look worse. Google launched Chrome 5 on May 21, 2010. On March 8, 2011, Google released Chrome 10. Is Firefox now five generations behind Chrome? Hardly. The four major Web browsers — Chrome 10, Firefox 4, Internet Explorer 9, and Safari 5 — are more comparable and competitive than ever before.
Johnathan Nightingale, director of Firefox development, says Firefox has more than 400 million users worldwide and a 30% global market share.
NetApplications, an Internet metrics company, suggests that figure is closer to 22% and flat, if not falling. The most significant number Nightingale cites is six: “Firefox 4 is fast,” he said. “It’s blazing fast. Six times faster than any Firefox we’ve done before.”
Other browser makers make similar claims too, though some of those claims are more actively disputed than others, like Microsoft’s assertions about hardware acceleration.