Sign up for our Technology Newsletter 
Google Snubs Privacy
August 29, 2013 by admin
Filed under Around The Net
Comments Off on Google Snubs Privacy
Search giant Google has told the British government it is immune to prosecution on privacy issues and it can do what it like. The US Company is accused of illegally snooping on its British customers by bypassing privacy settings on Apple devices, such as iPads, to track their browsing history.
A group of British people took Google to court but the search engine is trying to get the case thrown out. Its argument is that it is not subject to British privacy law because it is based in California. This is the second time that Google has tried to avoid British law by pretending to operate in another country. It has come under fire for failing to pay tax in the UK
Nick Pickles, director of Big Brother Watch, said: ‘It is deeply worrying for a company with millions of British users to be brazenly saying they do not regard themselves bound by UK law. Solicitor Dan Tench, of law firm Olswang, said this was another instance of Google being here when it suits them and not being here when it doesn’t. Ironically when the US ordered Google to stop what it was doing, it forced the search engine to pay a $22.5million to regulators.
There are some indications that Google may not get its way. In July the Information Commissioner’s Office told Google its privacy rules breached UK law so it will be very hard for it to stand up in court and say it didn’t.
PayPal Extend Bug Bounty
PayPal is expanding its bug bounty program to individuals aged 14 and older, a move intended to reward younger researchers who are technically ineligible to hold full-fledged PayPal accounts.
PayPal’s program, which is a year old this month, only applied to those 18 years and older. Under the old rule, participants in the program were required to hold valid accounts, which excluded minors, said Gus Anagnos, PayPal’s director of information security.
In May, 17-year-old Robert Kugler, a student in Germany, said he’d been denied a reward for finding a vulnerability. PayPal said the bug had already been found by two other researchers, which would have made Kugler ineligible for bounty.
In an apparent miscommunication, Kugler said he was initially told he was too young rather than the bug had already been discovered. Nonetheless, PayPal said it would look to bring younger people into its program, which pays upwards of $10,000 for remote code execution bugs on its websites.
Those who are under 18 years old can receive a bug bounty payment through a PayPal student account, an arrangement where a minor can receive payments via their parent’s account, Anagnos said.
Anagnos said other terms and conditions have been modified to make its program more transparent, such as clarifying which PayPal subsidiaries and partner sites qualify for the program.
PayPal pays much less for vulnerabilities on partner websites, which have a URL form of “www.paypal-__.com.” A remote execution bug found on that kind of site garners only $1,500 rather than up to $10,000 on the company’s main sites.
Like other bug bounty programs run by companies such as Microsoft and Google, PayPal will publicly recognize researchers on its website with a “Wall of Fame” for the top 10 researchers in a quarter. Another “honorable mention” page lists anyone who submitted a valid bug for the quarter.
Eusebiu Blindu, a testing consultant from Romania, was one of the researchers listed on the Wall of Fame for the first quarter of this year.
“I think Paypal is the best bug bounty program, and I am glad I participated in it from the first days of its launching,” he wrote on his blog.
Adobe Reader Security Issue Found
McAfee has discovered a vulnerability in Adobe’s Reader program that allows people to track the usage of a PDF file.
“Recently, we detected some unusual PDF samples,” McAfee’s Haifei Li said in a blog post. “After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader.”
The affected versions of Adobe Reader also include the latest “sandboxed” Reader XI (11.0.2).
McAfee said that the issue is not a “serious problem” because it doesn’t enable code execution, however it does permit the sender to see when and where a PDF file has been opened.
This vulnerability could only be dangerous if hackers exploited it to collect sensitive information such as IP address, internet service provider (ISP), or even the victim’s computing routine to eventually launch an advanced persistent threat (APT).
McAfee said that it is unsure who is exploiting this issue or why, but have found the PDFs to be delivered by an “email tracking service” provider.
The vulnerability works when a specific PDF JavaScript API is called with the first parameter having a UNC-located resource.
“Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog,” Li said. “The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog.
“However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.”
McAfee said that it has reported the issue to Adobe and is waiting for their confirmation and a future patch. Adobe wasn’t immediately available for comment at the time of writing.
“In addition, our analysis suggests that more information could be collected by calling various PDF Javascript APIs. For example, the document’s location on the system could be obtained by calling the Javascript “this.path” value,” Li added.
Google Fights NSL Over Data Privacy
April 16, 2013 by admin
Filed under Around The Net
Comments Off on Google Fights NSL Over Data Privacy
Google is fighting a National Security Letter (NSL) issued by the US government, with the Electronic Frontier Foundation (EFF) acknowledging it is one of the first firms to do so.
Google took the unusual step last month of revealing, albeit in vague terms, the number of NSLs it received from the US government. At the time the company said it was working with the authorities to improve transparency around the subject, but according to court filings it is also fighting against handing over users’ data.
In March, Google filed a petition to set aside a legal process. Kevan Fornasero, a lawyer for Google said in the filing that petitions “filed under Section 3511 of Title 18 to set aside legal process issued under Section 2709 of Title 18 must be filed under seal because Section 2709 prohibits disclosure of the legal process”.
Fornasero’s reference to Section 2709 refers to the ability of the FBI to issue NSLs and force the handover of user data. According to the EFF, Google is one of the first communications companies to fight an NSL, but because Section 2709 doesn’t allow firms to disclose the legal process, few people can be certain that others haven’t tried to stand up to the US government.
Matt Zimmerman, a lawyer for the EFF said, “The people who are in the best position to challenge the practice are people like Google. So far no one has really stood up for their users’ among large Internet service providers.”
Google has tried in recent years to provide users with some information on how it deals with government agencies’ requests for user data. If the firm can succeed in its fight against NSLs then it could open the floodgates for others to stand up against a law that some see to be nothing more than a snooper’s charter.
Mozilla Touts WebRTC
Mozilla has shown off WebRTC integration in its Firefox web browser, demonstrating real-time video conferencing and file transfer capabilities.
All major web browser developers have started to integrate the WebRTC protocol and now Mozilla has shown off how far its integration has come. The firm demonstrated working video conferencing, file transfer and sharing capabilities through the Firefox web browser.
Mozilla was keen to push its implementation of the Datachannels API that is part of WebRTC to allow instant messaging and file transfer. The firm’s impressive demonstration shows off seamless sharing between two clients that had initiated a video conversation, with tabs and files being sent and viewed with little user interaction.
Mozilla’s demonstration does highlight the need for tight sandboxing within the web browser, however as a peer-to-peer protocol that automatically encrypts communications between two hosts, WebRTC could challenge some existing closed communication protocols such as Skype.
Maire Reavy, product lead for Firefox Platform Media at Mozilla said, “WebRTC is a powerful new tool that enables web app developers to include real-time video calling and data sharing capabilities in their products. While many of us are excited about WebRTC because it will enable several cool gaming applications and improve the performance and availability of video conferencing apps, WebRTC is proving to be a great tool for social apps.”
Mozilla didn’t say when its WebRTC implementation will enter the stable release channel, however given the outfit’s rapid release schedule, it should be a matter of weeks rather than months.
Mozilla Fixes Major Security Issues
July 26, 2012 by admin
Filed under Around The Net
Comments Off on Mozilla Fixes Major Security Issues
Mozilla has fixed a number of security vulnerabilities in the latest versions of its internet applications, including Firefox 14, Thunderbird 14 and Seamonkey 2.11.
Following the release of its Firefox 14 browser for desktop operating systems on Tuesday, Mozilla said it has removed security holes in the Gecko rendering engine that all the applications run, some of which it rated as “critical”.
The bugs fixed included a code execution problem related to javascript URLs, a JSDependentString::undepend string conversion bug that can be exploited to cause a crash and a same-compartment Security Wrappers bypass issue.
Critical use-after-free problems, an out-of-bounds read bug, and a bad cast in the Gecko engine that could lead to memory corruption have also been addressed, Mozilla said.
These bugs were deemed “critical” due to their vulnerability to being exploited remotely by hackers that could execute arbitrary code on an unsuspecting victim’s system.
USA In Danger Of Cyber Experts Shortage
Comments Off on USA In Danger Of Cyber Experts Shortage
Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it extremely difficult to keep corporate and government networks safe at a time when attacks are on the rise.
Symantec Corp Chief Executive Enrique Salem told the Reuters Media and Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.
“We don’t have enough security professionals and that’s a big issue. What I would tell you is it’s going to be a bigger issue from a national security perspective than people realize,” he said on Tuesday.
Jeff Moss, a prominent hacking expert who sits on the U.S. Department of Homeland Security Advisory Council, said that it was difficult to persuade talented people with technical skills to enter the field because it can be a thankless task.
“If you really look at security, it’s like trying to prove a negative. If you do security well, nobody comes and says ‘good job.’ You only get called when things go wrong.”
The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data.
Moss, who goes by the hacker name “Dark Tangent,” said that he sees no end to the labor shortage.
1 In 5 U.S. PCs Have No Antivirus Protection
Comments Off on 1 In 5 U.S. PCs Have No Antivirus Protection
Nearly a fifth of Windows PCs in the U.S. lack any active security protection, an antivirus vendor stated on Wednesday, citing numbers from a year-long project.
“The scale of this is unprecedented,” argued Gary Davis, the director of global consumer product marketing for McAfee, talking about the scope of his company’s sampling of PC security.
McAfee took measurements from scans of more than 280 million PCs over the last 12 months, and found that 19.3% of all U.S. Windows computers browsed the Web sans security software. Owners of those systems downloaded and used McAfee’s free Security Scan Plus, a tool that checks for antivirus programs and enabled firewalls.
Globally, the average rate was 17%, putting the U.S. in the top 5 most-unprotected countries of the 24 represented in the scans.
Of the unprotected PCs in the U.S., 63% had no security software at all, while the remaining 37% had an AV program that was no longer active. The latter were likely trial versions of commercial antivirus software that had expired.
Antivirus trials are a fact of life in the Windows world. Most new machines come with security software that runs for a limited time. Some new Dell PCs, for example, come with a 30-day trial of McAfee’s Security Center program.
Privacy Advocates & Lawmakers Push For Google Probe
Comments Off on Privacy Advocates & Lawmakers Push For Google Probe
Privacy groups and lawmakers are pushing for a new and more expansive investigation into Google and its privacy practices after the U.S. Federal Communications Commission announced that it found no evidence that the company violated eavesdropping laws.
Late last week, the FCC reported that there was no legal precedent to find fault with Google collecting unprotected home Wi-Fi data, such as personal email, passwords and search histories, with its roaming Street View cars between 2007 and 2010.
However, the FCC did fine Google $25,000 for obstructing its investigation.
A Google spokesperson took issue with the fine.
“We disagree with the FCC’s characterization of our cooperation in their investigation and will be filing a response,” said the spokesperson in an email to Computerworld. “It was a mistake for us to include code in our software that collected payload data, but we believe we did nothing illegal. We have worked with the relevant authorities to answer their questions and concerns.”
The Electronic Privacy Information Center (EPIC), a national privacy watchdog, disagreed with the FCC findings.
In a letter sent to U.S. Attorney General Eric Holder today, EPIC asked that the Department of Justice investigate Google’s surreptitious collecting of Wi-Fi data from residential networks.
“Given the inadequacy of the FCC’s investigation and the law enforcement responsibilities of the attorney general, EPIC urges the Department of Justice to investigate Google’s collection of Wi-Fi data from residential Wi-Fi networks,” wrote Mark Rotenberg, executive director of the advocacy group.
“By the [FCC’s] own admission, the investigation conducted was inadequate and did not address the applicability of federal wiretap law to Google’s interception of emails, usernames, passwords, browsing histories and other personal information,” Rotenberg added.
Apple Loses Court Case
Apple has lost a patent lawsuit against a small Spanish company, allowing the firm to continue selling its tablet computer.
Apple filed the case a year ago when it obtained an injunction from a local court to ban imports of the NT-K tablet into Spain. However, according to court documents, the Spanish court has vacated the injunction, saying that there are no legal grounds to block sales of the device.
According to the Wall Street Journal, the NT-K tablet is made in China and sold in Europe by Nuevas Tecnologias y Energias Catala, based in the eastern Spanish region of Valencia.
The NT-K tablet runs a Spanish language version of Android written by Nuevas Tecnologias’ programmers.