Saturday, December 6, 2014

Google Brings Open Source Security Gifts


Google isn't just about search anymore. In recent weeks it has announced multiple security projects, including Santa for Mac OS X.

It's the season for giving, and search giant Google wants to give security researchers and end-users some new tools. Over the past few weeks Google has released multiple security tools and open source efforts to help end-users and organizations defend themselves from modern threats.
One of the most recent tools released by Google is called Santa (yeah, that Santa), which is a Mac OS X security tool.
"Santa is named because it keeps track of binaries that are naughty and nice," states Google's Github page on Santa.
The Santa project is still quite new and isn't yet a 1.0 release. In fact, it is not an official Google product. Rather, according to the Github page, "Santa is a project of Google's Macintosh Operations Team."
In any event, Santa monitors binary files and compares them against known good and known bad elements to help prevent malicious files from executing. From an operational perspective, Santa has two primary modes: monitor and lockdown.
"In MONITOR mode all binaries except those marked as blacklisted will be allowed to run, whilst being logged and recorded in the database," the Santa project page explains. "In LOCKDOWN mode, only whitelisted binaries are allowed to run."
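The two modes quoted above can be modelled in a few lines. This is an added example, not code from the Santa project: identifying binaries by the SHA-256 of their contents, the class and function names, and the sample binaries are all assumptions made for illustration. It also shows a practical use of MONITOR mode: the recorded events reveal which binaries would stop running after a switch to LOCKDOWN.

```python
import hashlib
from enum import Enum


class Mode(Enum):
    MONITOR = "MONITOR"
    LOCKDOWN = "LOCKDOWN"


class Rule(Enum):
    WHITELIST = "WHITELIST"
    BLACKLIST = "BLACKLIST"


def digest(data: bytes) -> str:
    """SHA-256 of a binary's contents (assumed identifier for this model)."""
    return hashlib.sha256(data).hexdigest()


class ExecutionGate:
    """Toy model of the MONITOR/LOCKDOWN semantics; not Santa's implementation."""

    def __init__(self, mode, rules):
        self.mode = mode
        self.rules = dict(rules)  # digest -> Rule
        self.events = []          # every decision is recorded, allowed or not

    def decide(self, path, data):
        h = digest(data)
        rule = self.rules.get(h)
        if rule is Rule.BLACKLIST:
            allowed, reason = False, "blacklisted"
        elif rule is Rule.WHITELIST:
            allowed, reason = True, "whitelisted"
        else:
            # No rule: the mode alone decides what happens to unknown binaries.
            allowed, reason = self.mode is Mode.MONITOR, "unknown"
        self.events.append(
            {"path": path, "sha256": h, "allowed": allowed, "reason": reason}
        )
        return allowed


def lockdown_gap(events):
    """Paths that ran only because the gate was in MONITOR mode.

    These need a whitelist rule before switching to LOCKDOWN,
    otherwise they stop running.
    """
    return sorted(
        {e["path"] for e in events if e["allowed"] and e["reason"] == "unknown"}
    )


# Constructed sample "binaries" (byte strings standing in for file contents).
SAMPLES = {
    "/usr/bin/editor": b"known good editor build 1",
    "/tmp/dropper": b"known bad payload",
    "/Applications/NewTool": b"in-house tool nobody has reviewed yet",
}
# Same path as the whitelisted editor, different contents, so a different hash.
TAMPERED_EDITOR = b"known good editor build 1 + injected code"

RULES = {
    digest(SAMPLES["/usr/bin/editor"]): Rule.WHITELIST,
    digest(SAMPLES["/tmp/dropper"]): Rule.BLACKLIST,
}


def run_all(mode):
    """Run every sample through a fresh gate; return (decisions, events)."""
    gate = ExecutionGate(mode, RULES)
    decisions = {path: gate.decide(path, data) for path, data in SAMPLES.items()}
    return decisions, gate.events


if __name__ == "__main__":
    for mode in Mode:
        decisions, events = run_all(mode)
        print(mode.value, decisions)
        print("  would break under LOCKDOWN:", lockdown_gap(events))
    gate = ExecutionGate(Mode.LOCKDOWN, RULES)
    print("tampered editor allowed:", gate.decide("/usr/bin/editor", TAMPERED_EDITOR))
```

Because the rule is keyed on contents rather than path, the tampered copy of a whitelisted binary is treated as unknown and is denied in LOCKDOWN.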

Google's Firing Range

Also this month Google formally announced Firing Range, a tool for testing Web application vulnerability scanners.
"Firing Range is a Java application built on Google App Engine and contains a wide range of XSS and, to a lesser degree, other Web vulnerabilities," Claudio Criscione, security engineer at Google wrote in a blog post. "We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!)."

Google's Nogotofail

Google started November by announcing its nogotofail network traffic security testing tool.
"Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way," Google's nogotofail Github page states. "It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues and more."
SSL issues have been top of mind for many in 2014, given the Heartbleed flaw which targeted OpenSSL in April. Google helped disclose a critical SSL flaw known as POODLE, which impacts SSLv3.

Facebook integrates ESET Online Scanner to help find malware in problem PCs

     

Facebook has partnered with antivirus firm ESET to offer users the ability to scan their computers for malware directly from inside the social networking site.
Facebook has integrated ESET’s technology into its abuse detection and prevention system so that users will be prompted to run the ESET Online Scanner for free when Facebook flags suspicious activity on their accounts or computers, like the posting of malicious links via news feeds and messages.
“Here’s how it works: if the device you’re using to access our services is behaving suspiciously and shows signs of a possible malware infection, a message will appear offering you an anti-malware scan for your device,” said Chetan Gowda, a software engineer with Facebook’s Site Integrity Team, in a blog post. “You can run the scan, see the scan results, and disable the software all without logging out of Facebook—making it seamless and easy to clean up an infected device.”
ESET is the third antivirus vendor to integrate its technology directly into Facebook, the social networking site having signed similar partnerships with F-Secure and Trend Micro in May.
Users will likely be prompted to scan their computers with the technology of the vendor that detected the suspicious behavior. In its May announcement, Facebook said that “each product contains distinct malware signatures and is suited to different kinds of threats.”
ESET’s anti-malware service for Facebook is based on its existing online scanner that’s already available on the company’s own site. According to the antivirus vendor, 44 million scans have been performed with the product so far and malware was detected in nearly half of those scans.
Online malware scanners, available through Facebook or otherwise, are good for one-time on-demand scans, but should not be viewed as replacements for locally installed antivirus programs that also include proactive layers of protection.





Data breach trends for 2015: Credit cards, healthcare records will be vulnerable

The data breaches of 2014 have yet to fade into memory, and we already have 2015 looming. Experian's 2015 Data Breach Industry Forecast gives us much to anticipate, and I've asked security experts to weigh in with their thoughts for the coming year as well.
Experian highlights a number of key factors that will drive or contribute to data breaches in 2015. A few of them aren't surprising: Organizations are focusing too much on external attacks when insiders are a significantly bigger threat, and attackers are likely to go after cloud-based services and data. A few new factors, however, merit your attention. 
First, there is a looming deadline of October, 2015 for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards. As banks and credit card issuers adopt more secure chip-and-PIN cards, and more consumers have them in hand, it will be significantly more difficult to clone cards or perpetrate credit card fraud. That’s why Experian expects cybercriminals to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.
The third thing that stands out in the Experian report is an increased focus on healthcare breaches. Electronic medical records, and the explosion of health or fitness-related wearable devices make sensitive personal health information more vulnerable than ever to being compromised or exposed.
The risk of health related data being breached is also a concern voiced by Ken Westin, security analyst with Tripwire. He pointed out that part of the reason that retail breaches have escalated is because cybercriminals have developed the technologies and market for monetizing that data. “The bad news is that other industries can easily become targets once a market develops for the type of data they have. I am particularly concerned about health insurance fraud—it’s driving increasing demand for health care records and most healthcare organizations are not prepared for the level of sophistication and persistence we have seen from attackers in the retail segment.”
“There will absolutely be more breaches in 2015—possibly even more than we saw in 2014 due to the booming underground market for hackers and cybercriminals around both credit card data and identity theft,” warned Kevin Routhier, founder and CEO of Coretelligent. “This growing market, coupled with readily available and productized rootkits, malware and other tools will continue to drive more data breaches in the coming years as this is a lucrative practice for enterprising criminals.”
The rise in data breach headlines, however, may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years.
Tim Erlin, director of IT risk and security strategy for Tripwire, echoed that sentiment. “The plethora of announced breaches in the news this year is, by definition, a trailing indicator of actual breach activity. You can only discover breaches that have happened, and there’s no indication that we’re at the end of the road with existing breach activity. Because we expect organizations to improve their ability to detect the breaches, we’ll see the pattern of announcements continue through 2015.”
The combination of a rise in actual data breach attacks, and an increase in the ability to discover them will make 2015 a busy year for data breaches. Whether we’re defending against new attacks, or just detecting existing breaches that have already compromised organizations, there will be no shortage of data breach headlines in 2015.

Judge: Give NSA unlimited access to digital data


The U.S. National Security Agency should have an unlimited ability to collect digital information in the name of protecting the country against terrorism and other threats, an influential federal judge said during a debate on privacy.
“I think privacy is actually overvalued,” Judge Richard Posner, of the U.S. Court of Appeals for the Seventh Circuit, said during a conference about privacy and cybercrime in Washington, D.C., Thursday.
“Much of what passes for the name of privacy is really just trying to conceal the disreputable parts of your conduct,” Posner added. “Privacy is mainly about trying to improve your social and business opportunities by concealing the sorts of bad activities that would cause other people not to want to deal with you.”
Congress should limit the NSA’s use of the data it collects—for example, not giving information about minor crimes to law enforcement agencies—but it shouldn’t limit what information the NSA sweeps up and searches, Posner said. “If the NSA wants to vacuum all the trillions of bits of information that are crawling through the electronic worldwide networks, I think that’s fine,” he said.
In the name of national security, U.S. lawmakers should give the NSA “carte blanche,” Posner added. “Privacy interests should really have very little weight when you’re talking about national security,” he said. “The world is in an extremely turbulent state—very dangerous.”
Posner criticized mobile OS companies for enabling end-to-end encryption in their newest software. “I’m shocked at the thought that a company would be permitted to manufacture an electronic product that the government would not be able to search,” he said.
Other speakers at Thursday’s event, including Judge Margaret McKeown of the U.S. Court of Appeals for the Ninth Circuit, disagreed with Posner, saying legal limits on government surveillance are necessary. With much of U.S. privacy law based on a reasonable expectation of privacy, it’s difficult, however, to define what that means when people are voluntarily sharing all kinds of personal information online, she said.
An expectation of privacy is a foundational part of democracies, said Michael Dreeben, deputy solicitor general in the U.S. Department of Justice. Although Dreeben has argued in favor of law enforcement surveillance techniques in a handful of cases before the U.S. Supreme Court, he argued courts should take an active role in protecting personal privacy.
“A certain degree of privacy is perhaps a precondition for freedom, political freedom, artistic freedom, personal autonomy,” he said. “It’s kind of baked into the nature of the democratic system.”
David Cole, a professor at the Georgetown University Law Center, called for a change in the U.S. law that gives email stored for six months less legal protection than newer messages. The ability of law enforcement agencies to gain access to stored email without a warrant makes no sense when many email users never delete messages.
U.S. courts or Congress also need to reexamine current law that allows law enforcement agencies to gain access, without a warrant, to digital information shared with a third party, given the amount of digital information people share with online services, he said.
Some recent court cases, including the Supreme Court’s 2014 Riley v. California ruling limiting law enforcement searches of mobile phones, have moved privacy law in the right direction, he said.
Posner questioned why smartphone users need legal protections, saying he doesn’t understand what information on smartphones should be shielded from government searches. “If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text,” he said. “What’s the big deal?
“Other people must have really exciting stuff,” Posner added. “Do they narrate their adulteries, or something like that?”
Smartphones can contain all kinds of information that people don’t want to share, including medical information, visits to abortion doctors and schedules for Alcoholics Anonymous meetings, Cole said. “Your original question, ‘what’s the value of privacy unless you’ve got something to hide?’ that’s a very short-sighted way of thinking about the value of privacy,” he said.
In the 1960s and ‘70s, government agencies investigated political figures, in some cases, bugging hotel rooms in search of evidence of affairs, Cole noted. Government misuse of surveillance information is still a risk, he said, and smartphones could be a treasure trove of information.
The U.S. and other governments have a long history of targeting people “who they are concerned about because they have political views and political positions that the government doesn’t approve of,” Cole said.

New bill aims to block forced government backdoors in tech products


U.S. Senator Ron Wyden on Thursday introduced a bill that would prevent the government from forcing companies to design backdoors or security vulnerabilities into their products to aid surveillance.
The Secure Data Act aims to preempt moves by the government to better eavesdrop on newer communications technologies, and is part of an overall bid by some legislators to place curbs on extensive government surveillance.
A key piece of legislation that would put curbs on the bulk collection of phone records by the U.S. National Security Agency, called the USA Freedom Act, could not move towards a final vote in the Senate last month, despite backing from the administration of U.S. President Barack Obama.
Wyden said his bill comes in the wake of proposals by U.S. government officials to compel companies to build backdoors in the security features of their products. “Strong encryption and sound computer security is the best way to keep Americans’ data safe from hackers and foreign threats,” Wyden said in a statement Thursday.
The U.S. Congress should pass a law requiring that all communication tools allow police access to user data, U.S. FBI Director James B. Comey said in October.
The Communications Assistance for Law Enforcement Act, or CALEA, which requires telecommunications carriers and broadband providers to build interception capabilities for court-ordered surveillance, was enacted 20 years ago, and does not cover newer communications technologies, Comey said in a speech to the Brookings Institution.
“The issue is whether companies not currently subject to the Communications Assistance for Law Enforcement Act should be required to build lawful intercept capabilities for law enforcement,” Comey said.
Apple and Google had recently announced that they would start encrypting iOS and Android user data by default, a plan that didn’t go down well with Comey.
Wyden, a Democrat from Oregon, counters that government-driven “technology mandates to weaken data security for the purpose of aiding government investigations would compromise national security, economic security and personal privacy.”
A backdoor built into a security system inherently compromises it, and companies will have less incentive to invest in new strong data security technologies, he said. Mandating backdoors would also further erode consumer trust in these products and services, which was already hit by revelations of government surveillance.
The Senate bill aims to establish that no agency may mandate that a manufacturer, developer, or seller of computer hardware, software or an electronics device available to the public should design or change its security functions for the purpose of surveillance of any user or for the physical search of a product, unless the product is already covered under CALEA.
Wyden said his legislation builds on a bipartisan effort in the U.S. House of Representatives, which approved an amendment by Representatives Thomas Massie and Zoe Lofgren to prohibit electronic vulnerability mandates in June.

Thursday, November 27, 2014

How to shop online safely

With some simple tips, you can make shopping online a safer experience this holiday season.


As the holiday season approaches, shopping online is an attractive option for grabbing plenty of bargains.
Like any transaction, there are security issues to keep in mind when buying online, but with some common sense you can minimize the risk.
Even if you consider yourself a seasoned online shopper, it's always worth a reminder to make sure your experience is the safest it can be.

General tips

  • Don't send your credit card details via email, post them on social media (even in a private message), or enter them on an unsecured website
  • Don't give away more information than you need. Retailers generally don't need to know details like your date of birth or social security number, so why disclose it if you don't have to?
  • Check for a physical address and contact details like phone numbers for the vendor before buying
  • Remember to log out of your account after making a purchase

Keep your PC, Mac or mobile device up to date

This means regularly checking for updates to your operating system, as well as ensuring apps and browsers are also kept up to date with the latest version. Running regular antivirus and malware scans is recommended to help avoid compromising your personal details to tools such as keyloggers.
Also, get into the habit of using strong, unique passwords for each online store you buy from. If you haven't changed your password for an existing account in some time, do it now. Password managers are a great tool if you have trouble generating and remembering unique passwords.

Keep it private (and separate)

Avoid using public Wi-Fi or public computers when shopping online. This includes library or airport PCs.
If you have to make a purchase when out and about, turn on cellular data on your mobile device rather than using Wi-Fi. A VPN is also a great option for adding another layer of security.
It's worth using a separate browser that you regularly keep up to date for shopping and banking online, and another for everyday web use.
Consider opening a second email account specifically for online shopping purposes to help minimize spam, and keep track of which service is using your email address for what purpose.
If you have a Gmail account, you can append a plus symbol (+) to the end of your username to help filter your email. For example, you could enter your email address in the format of "osho3mtech+amazon@gmail.com" and then set up a filter within Gmail so everything sent to that address goes straight to a label called "Amazon".

Research your retailer

Make sure to fully check out the retailer's credentials if it's not a big name you have heard of before. A quick search of the site name should turn up results and reviews about the service, but keep an eye out for overly positive reviews on user forums that might not be legitimate.

Both a lock and https in the URL show you that the site is using a secure connection via SSL.

Ensure that the site is using a secure connection, which is marked by https:// in the browser bar and a number of other indicators including an image of a lock. Some sites have an icon called a trust indicator or security seal that shows that the retailer is independently verified by a third party, such as an antivirus provider.

Use a payment method with buyer protection



Although debit cards ensure you are using your own cash to make a purchase, many do not offer the same robust buyer protection as other options if something does go wrong. A credit card, PayPal or a virtual wallet option gives you more flexibility when it comes to requesting a chargeback.
A chargeback is when a transaction is reversed and a refund is given to you as the buyer. It can either be initiated by your bank on detection of fraudulent activity, or you can initiate a chargeback depending on the situation. Check with your bank for details.
Another option that you might consider using to add another layer of protection is a single-use credit card number. These are tied to your regular credit card but provide a unique number to be used for one transaction so your actual credit card number is not compromised. This is particularly useful if there is a breach somewhere along the chain that might reveal your credit card details. Again, check with your bank to see if this is an option.
Although it makes it very convenient to make repeat purchases, it is worth unchecking any option that lets the retailer store your credit card details on file. This way if your account is compromised, at least your financial details are not revealed.


Shopping on your smartphone or tablet

Apart from the tips outlined above, there are a few things to be aware of when shopping on a mobile device. Set a password, pattern or PIN lock on your smartphone, and adjust the settings so the screen locks automatically after a set period of inactivity.
The vendor's own app might be a convenient way to make a purchase, but find out if it is using a secure connection to transmit your personal information and transaction details. If unsure, it's best to use the website through a mobile browser.

Turn off Bluetooth if you are not using it, and check what permissions applications are asking for before you install them. Also, jailbreaking or rooting your device may open up more features but it can leave it more open to threats.
Finally, if you lose your device and it has personal information on it such as credit card info, or you left it logged in to an account which has access to your credit card or bank details, make sure you can remotely wipe and disable your device. For iOS, enable Find My iPhone from the settings. Android users can use Google's Android Device Manager to remotely lock and erase the handset or tablet. Windows Phone owners can use the Find My Phone feature on windowsphone.com to erase the handset if lost.

Calculate the total cost

Take into account shipping, sales tax and any other taxes or charges that might apply, especially when importing goods from overseas. Product doesn't suit or you need to get a refund? Check the retailer's policies before making the purchase to work out if you need to cover return costs and any extra fees or charges you need to pay.
It's also worth shopping around to find the best deal on the same product. Don't just assume your favourite online retailer is always going to have the best price, as you might be able to find a better deal elsewhere.

Something went wrong?

Your first port of call if something goes wrong with an online transaction should be the retailer. If you need to report identity theft or fraud, each country has a local service where you can report the issue.
If something looks suspicious, it probably is. Regularly keep an eye out for online scams on the relevant sites. Find information on USA.gov, Scam Watch in Australia, Action Fraud in the UK and the Economic And Financial Crimes Commission in Nigeria.







How to protect your credit card online 

Keep your credit card details away from prying eyes and avoid fraudulent transactions with these tips for shopping online.

There's nothing like the feeling of snapping up a hard-earned bargain when shopping online.

There's also nothing like the feeling of falling victim to credit card fraud.
With a number of high-profile breaches this year alone, it's always a good time to be alert -- not alarmed -- about using your credit card online.
On top of these general tips for safe shopping, here are some card-specific tips to keep in mind when virtually swiping your plastic.

Only enter your credit card details on secure sites

By now, you hopefully know the drill. Look for an https connection in the URL, as well as a padlock or another digital security certificate to ensure that you are only entering your details on a site that encrypts the transaction end-to-end. Don't send your credit card information over email.



Buy a prepaid card for online transactions




For those who want to keep online purchases completely separate from everyday credit card transactions, prepaid cards are an option to consider. These can either be bought online or from a traditional bricks and mortar retailer for a small fee.
Prepaid credit cards allow you to load a set amount of money at the time of purchase. The advantages are plentiful when it comes to using a prepaid card for online shopping, but the big one is that even if the card's details are compromised somewhere along the chain, there is a limit to the amount of money that can be taken.
Some banks and financial institutions will let you generate a virtual credit card number to complete purchases. This is generally a single-use number that you can enter in place of your regular number.

Watch statements for any unusual transactions

While many banks have sophisticated 24/7 monitoring systems designed to detect fraud and unauthorized credit card use, it's important to also keep an eye out on financial statements both online and on paper. If you spot anything suspicious, call your bank immediately.

Turn on your credit card's added layer of security

Many credit cards will have an additional layer of security that might not be enabled by default. MasterCard has a product called SecureCode, which is a private code that you enter every time you make a transaction on a supported site, and is never disclosed to the retailer.



 
Verified by Visa, on the other hand, offers a personal message that greets you when you are making a transaction, as well as a password to authorize a purchase. Check with your bank or financial institution to see if one of these options is available. The check for SecureCode is here, while Verified by Visa can be found on your region's Visa page.
On top of these safeguards, some banks also have their own verification system in place that works in place of SecureCode and Verified by Visa. This may include the bank sending a one-time PIN or security code to your phone as a second layer of authorization.
Check with your bank or credit institution to work out what other protections you have if your details are compromised. Both MasterCard and Visa offer Zero Liability protection against fraudulent transactions for both online and offline use.

Check your browser settings

Turn off your browser's autocomplete settings to avoid it inadvertently storing your credit card or personally identifiable information.
In Chrome, go to Settings and select Show Advanced Settings. Under the Passwords and Forms section, click Manage Auto-fill Settings. Delete any credit card information that is automatically stored there, then uncheck Enable Auto-fill to fill in web forms in a single click.



 
In Firefox, click the Menu button and choose Options. Find the Privacy panel and look for the History drop-down box. Here, choose Use custom settings for history. Then, uncheck Remember search and form history.



In Safari, find Preferences. Click on the AutoFill tab and then uncheck the options to remember form data, including the credit card option.
In Internet Explorer, click the settings cog and choose Internet Options. From the Content tab, click Settings next to the AutoComplete section and uncheck Forms.

Be sensible about where and how you use your card

Reduce the chance of falling victim to a large-scale breach by not allowing the retailer to store your credit card details on file (if applicable). Enter your credit card details each and every time you make a purchase.



Also, make sure to use a separate password for every account you make with an online retailer. It should be different to passwords used for email accounts and other online services.
Something that you might not think about is the physical location where you enter credit card details.
It sounds obvious, but don't type your details out in public view where people can see your screen. For example, on public transport it might be super convenient to whip out a tablet and make a quick impulse purchase, but think about who might be watching over your shoulder.

Use another service to make it easy

Blur (formerly known as DoNotTrackMe) offers a service that helps to add another layer of security between you and the online retailer. For premium subscribers, it offers a masked credit card feature that generates a new number for every purchase you make. You can also assign a set value for that transaction, so there's no chance of taking more money than you designate. It's $39/year but only available for users in the United States, although the service will roll out to a select number of other countries soon.

 

Today's Top 5 Malware Threats 

                              

Today attackers are not being held back by anything, and malicious software is still a surprisingly common issue around the world. No wonder that more and more IT and business leaders are feeling so concerned about security these days.
How do you prevent security breaches? I've previously described six tips on how to ensure website security, but the starting point is awareness that the threat exists and is real. Understanding the 

Here are what I consider to be the top five malware threats to websites and mobile devices, ranked by how dangerous and widespread they are:

Backoff

Backoff is a malware family that draws a bead on Windows-run point-of-sale (PoS) systems to steal customer credit card data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses. Dairy Queen and the Supervalu supermarket chain are among retailers that suffered data breaches due to Backoff.
After copying itself to the infected machine, it calls on an API, WinExec, which replaces names with hashed values to hinder the analysis process. Besides hashing the blacklist processes, the malware also collects the stolen card information locally on the system.
Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware and uninstalling the malware. Backoff breaches may affect your business reputation by storing consumers' information and using it for different scams such as counterfeit purchases and account data compromises.

Dyreza 

The Dyreza trojan (Dyre) has been causing much fuss in the security world since last year. By bypassing SSL, this malware sets its sights on the users of specific business apps and has targeted a range of influential financial institutions, namely Bank of America, RBS, Citibank, Ulster Bank and NatWest. Thus, Dyreza aims to steal users' credentials for online banking and other financial sites.
Using a browser hooking technique which interrupts traffic flow between users' devices and the target website, Dyreza has "conquered" Google Chrome, Mozilla Firefox and Internet Explorer. As a rule, Dyreza arrives as a bank notification message with a zip file attached. After being opened, the malware installs itself on the machine under C:\Windows\[RandomName].exe and then contacts a command-and-control server, appearing as a false Google Update every time you start your device. Now the Trojan is exploiting the recently disclosed CVE-2014-4114 vulnerability in Windows.

BlackEnergy 

The BlackEnergy malware family (with BlackEnergy and BlackEnergy Lite as the latest 2014 variants) was created for a variety of purposes; its key functions include DDoS attacks, spam distribution and bank scams. It spreads through technical infection methods that exploit software vulnerabilities, through social engineering via spear-phishing emails and decoy documents (Microsoft Word or PowerPoint), or through a combination of both.
Installation of the malware is accomplished through exploit shellcode that drops two files to the temporary directory: the malicious payload named "WinWord.exe" and a decoy document named "Russian ambassadors to conquer world.doc." These files are then opened using the kernel32.WinExec function. The WinWord.exe payload serves to extract and execute the BlackEnergy Lite dropper. At the same time, another document is exploiting CVE-2014-1761.
The danger of this malware lies in network discovery and remote code execution for collecting data off the targets' hard drives. The document is also caught in the act of exploiting the CVE-2014-1761 vulnerability in Microsoft Word, and was spotted in other attacks, including MiniDuke.
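Both the Dyreza and BlackEnergy descriptions above involve a binary posing as a trusted program from the wrong location, which a defender can check for in autorun and process records. The following is an added example, not code from the article or from any vendor; the record format, the install roots, the allowlist and the idea that Dyreza's "false Google Update" shows up as an autorun label are all assumptions, and the sample records are constructed.

```python
import ntpath
import re

# Assumed legitimate install roots (illustrative defaults, not from the article).
EXPECTED_ROOTS = {
    "winword.exe": (r"c:\program files\microsoft office",
                    r"c:\program files (x86)\microsoft office"),
    "googleupdate.exe": (r"c:\program files\google\update",
                         r"c:\program files (x86)\google\update"),
}
# Assumed allowlist of binaries that normally live directly in the Windows directory.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe"}
TEMP_PARTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def image_path(command):
    """Return the lower-cased executable path from a (possibly quoted) command line."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        match = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
        exe = match.group(1) if match else command
    return ntpath.normpath(exe).lower()

def under(path, roots):
    """True when path lies below one of the given directory roots."""
    return any(path.startswith(root + "\\") for root in roots)

def check(record):
    """Return the masquerading findings for one autorun or process record."""
    findings = []
    path = image_path(record["command"])
    folder, exe = ntpath.split(path)
    roots = EXPECTED_ROOTS.get(exe)
    # A well-known program name running from a place it is never installed.
    if roots and not under(path, roots):
        findings.append(f"{exe} runs outside its expected install path")
    # An autorun labelled like Google Update that points at some other binary.
    label = record.get("label", "").lower()
    if "google update" in label and not under(path, EXPECTED_ROOTS["googleupdate.exe"]):
        findings.append("autorun label imitates Google Update")
    if (record["kind"] == "autorun" and folder == "c:\\windows"
            and exe not in WINDOWS_ROOT_ALLOW):
        findings.append("autorun binary sits directly in the Windows directory")
    if any(part in path for part in TEMP_PARTS):
        findings.append("image runs from a temp directory")
    return findings

# Constructed sample records (not real telemetry).
SAMPLE = [
    {"kind": "autorun", "label": "Google Update Service",
     "command": r'"C:\Windows\qmzkvtla.exe" /svc'},
    {"kind": "autorun", "label": "Google Update Service (gupdate)",
     "command": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"kind": "process", "command": r"C:\Users\amy\AppData\Local\Temp\WinWord.exe"},
    {"kind": "process",
     "command": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n a.doc'},
]

def scan(records):
    """Map each flagged command line to its findings; clean records are omitted."""
    return {r["command"]: f for r in records if (f := check(r))}
```

Calling `scan(SAMPLE)` flags the first and third records and leaves the two legitimately installed binaries alone.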

Win32/Crowti 

A real "trick-or-treat" for your computer is Crowti, a family of ransomware that tries to encrypt the files on a user's PC or block a user's access to the computer and ask for payment to unlock it. The fraud-scheme is classic: Win32/Crowti makes you pay for restoring your PC. This malware knocks on users' doors in the form of spam email campaigns and exploits.
Moreover, this threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. The attachment is usually hosted in a zip archive that triggers malware action when opened. Win32/Crowti is also spread through exploit kits such as Nuclear, RIG, and RedKit V2 that may take advantage of Java and Flash vulnerabilities. Win32/Crowti can also be installed via other malware, such as Upatre, Zbot, and Zemot.

Andr/BBridge-A 

Last but definitely not least is the mobile trojan Andr/BBridge-A, blamed for exposing users' personal data (in particular, subscriber ID, IMEI, phone number, network country ISO, phone model, Android OS version and SIM card info) to a specific server, which it communicates with over HTTP.
The trojan may be distributed as an Android installation package with an enticing file name such as "anserverb_qqgame.apk." After dropping its payload (located in "assets/anServerB.so" in the original package) as com.sec.android.bridge.apk, the malware displays a button asking users to install it. Andr/BBridge-A also sends, scans and removes text messages (SMS) from phones.

Conclusion: Know Your Enemy

With the rapid growth of information technologies and online data storage, maintaining security at the necessary level has become a real challenge. Staying alert is a large part of staying secure, so keep up with the new security challenges that arise and know your enemy to win the security battle.

 

Monday, November 3, 2014

American Express aims to dump credit card numbers for tokens


In an effort to make Internet and mobile transactions more secure, American Express has launched a new service that aims to replace payment card numbers with unique tokens.
E-commerce sites and digital wallet applications that use the company’s new token service won’t have to store customers’ card details. Instead merchants, banks and payment processors will be able to work with digital tokens that are mapped to real payment card accounts.
The payment tokens can be tied to specific merchants, transaction types or payment devices, limiting the ability of cyber criminals to misuse them if compromised. This means that widespread adoption of tokenization for card-not-present transactions would likely reduce fraud.
Unlike payment card numbers, if tokens are compromised, they can easily be revoked and replaced without the need to physically reissue the cards they link back to.
The American Express Token Service is based on the Payment Tokenization Specification and Technical Framework published this year by EMVCo, the organization that maintains the EMV standard for chip-enabled payment cards. It is already available in the U.S. and American Express plans to start rolling it out internationally in 2015.
The service’s release comes at a time of growing mobile payments adoption, partially driven by the launch of Apple Pay, which also uses tokenization. Major U.S. and international banks are also planning to launch their own mobile payments apps next year.
Those apps will likely use a technology called Host Card Emulation (HCE) that is present in NFC-enabled mobile devices running Android 4.4 “KitKat.” American Express has also developed network specifications for HCE to enable its card-issuing partners to use the technology.

Friday, September 19, 2014


Apple sold 4 million iPhone 6 and 6 Plus in first day


Apparently, a lot of people want the iPhone 6.

Apple sold a record 4 million iPhone 6 and iPhone 6 Plus smartphones on Friday, the first day that the new iGadgets were available for pre-order, the company said Monday.
Demand for the new iPhones was so high that the iPhone 6 Plus sold out within hours. While many people who pre-ordered the iPhone 6 will get them this Friday, many others won't get their iPhones delivered until next month.
"Demand for the new iPhones exceeds the initial pre-order supply," Apple said in a statement. The company noted that an additional supply of iPhone 6 and iPhone 6 Plus smartphones will be made available to walk-in customers on Friday Sept. 19, beginning at 8:00 a.m. local time at Apple stores. People have already begun camping outside Apple Stores around the world to be among the first to get their hands on one of the new iPhones.
This is the first year that Apple announced how many iPhones it sold in the first day -- rather than in the first weekend. A year ago, Apple said it sold 9 million iPhone 5S and 5C smartphones in the first weekend.
But the numbers aren't exactly "apples to apples," pardon the pun. The iPhone 5S was not available for pre-order. Also, the iPhone 5S went on sale in China at the same time as it hit store shelves in the United States.
This year, the iPhone 6 will not be available in China until October at the earliest. China was not listed among the 30 countries that will get the iPhone this month.

California OKs first tests of self-driving cars




California, a state synonymous with cars, has issued its first approvals to test self-driving cars.

Audi and Google have both received an autonomous driving permit from California.
Audi said the permit was issued the same day that new state regulations governing the testing of self-driving cars go into effect.
Audi (AUDVF) said that it's already tested self-driving cars in Europe and other U.S. states where testing is permitted. It said California is particularly important as a testing ground, since it's home to the company's Electronics Research Lab.
The lab, known as the ERL, is owned by Audi parent Volkswagen (VLKAF) and is located in the Silicon Valley city of Belmont.
Google (GOOG) revealed its self-driving prototype in May and expects it to hit the market in the next five or six years.
Google has also been prepping its self-driving test cars to fit California standards, which require the test vehicles to have manual controls.
"After each vehicle is assembled, we fit a temporary steering wheel and set of controls into it," said Google, in a recent blog post. "We'll remove these manual controls after the prototypes have finished being tested and permitted, because our vehicles are ultimately designed to operate without a human driver."
Nevada, Florida and Michigan have also passed legislation allowing for the testing of self-driving cars on public roads. Audi said that in 2012 it was the car maker to receive a Nevada license plate allowing autonomous driving.
Nissan (NSANF) plans to have a self-driving car on the market by 2020.

Thursday, September 18, 2014

Apple beefs up security with 2-factor authentication for iCloud backups



A sneaky method hackers use to crack your iCloud back-ups won’t work anymore if you’re serious about your security. On Tuesday night, Apple turned on two-factor authentication for iCloud, which will protect against the kind of social engineering exploits that helped hackers steal celebrity photos last month.
Until Tuesday, Apple’s brand of two-factor authentication only protected your Apple ID, preventing people from making purchases from your account. But if thieves were able to guess the answers to your security questions and recover your password, they could easily use third-party software to access your iCloud backup. Your photos, documents, text messages: All of it was up for grabs.

Check your e-mail, iCloud users: There's important information about Apple's new security measures.

That’s no longer the case. Ars Technica tried to install an iCloud backup with two-factor turned on using the most common software, made by Elcomsoft, and found it no longer worked.
Two-factor authentication works by requiring a second means of verification, aside from your password, to sign in to your accounts. That second method is usually an SMS code sent to your phone, which you then enter to gain access. If you don’t even have two-step verification turned on for your Apple ID, you’re forgiven. Apple buried the option in your settings and the process was cumbersome once you actually found it. It’s still not exactly easy to turn on two-step verification, but we created a handy how-to guide with step-by-step instructions.
Apple sent out an e-mail to iCloud users on Tuesday night with information about its security measures and how to use them. On Oct. 1, the company will let you generate app-specific passwords for third-party apps with access to your iCloud account, like Microsoft Outlook, BusyCal, and Mozilla Thunderbird. The new option prevents those apps from knowing your iCloud password and will keep your account safe.
The new security measures are too little, too late for celebrities like Jennifer Lawrence, but turning on two-factor authentication for every account that offers it is the safest way to protect your information.

Court throws out $368.2 million patent award against Apple



A U.S. appeals court has thrown out a US$368.2 million award against Apple in a patent infringement case brought by patent-holding and software company VirnetX.
The U.S. Court of Appeals for the Federal Circuit on Tuesday declined to invalidate VirnetX’s four Internet security-related patents, but ruled that Apple’s VPN On Demand service did not infringe one of the Nevada firm’s patents. The U.S. District Court for the Eastern District of Texas also erred in defining the value of the patented technology related to secure communications links in two patents, and should reexamine whether Apple’s FaceTime application infringes the two patents under a correct claim construction, the appeals court ruled.
The district court must also reconsider the jury’s damages award based on the appeals court ruling, the higher court said.
“In calculating the royalty base, [the district court] did not even try to link demand for the accused device to the patented feature, and failed to apportion value between the patented features and the vast number of non-patented features contained in the accused products,” Chief Judge Sharon Prost wrote for the appeals court.
VirnetX acquired the four VPN-related patents from SAIC in 2006. Two of the patents involve DNS and resolving domain names using secure communications links. The other two patents involve using DNS proxies to intercept Web traffic to determine whether a DNS request is for a secure site.
VirnetX, in a patent lawsuit filed in late 2012, accused Apple’s iPhone 5, iPod Touch 5th Generation, iPad 4th Generation, iPad mini and Mac computers running the Mountain Lion operating system of infringing the four patents.
VirnetX said it was disappointed with the appeals court’s decision. “We are bolstered by the fact that the patents were again found valid and that it was confirmed that Apple’s VPN on Demand functionality infringes the VirnetX patents,” Kendall Larsen, VirnetX CEO and president, said in a statement. “We look forward to readdressing the FaceTime infringement and damages issues as soon as possible.”
Apple representatives didn’t immediately respond to a request for comments on the appeals court decision.

Apple updates privacy policy: 'We sell great products,' not your data, says Tim Cook

Need another reason to upgrade to iOS 8? Apple can’t see any of your personal information if you have a passcode enabled on devices running the new OS. And if Apple can’t see it, the government can’t, either.
Apple CEO Tim Cook revealed the company’s new privacy measures in a Wednesday night letter that not-so-subtly slammed other tech companies like Facebook and Google.
“Our business model is very straightforward: We sell great products,” Cook said. “We don’t build a profile based on your e-mail content or web browsing habits to sell to advertisers. We don’t ‘monetize’ the information you store on your iPhone or in iCloud. And we don’t read your e-mail or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.”
Apple launched a new privacy page detailing how it protects your data from prying eyes. If you’re using a device running iOS 8 and have a passcode activated, Apple can’t see any of the data behind the passcode. That includes photos, e-mails, messages, notes, call history, and contacts. Even if the police issue a warrant for that data, Apple said it’s “not technically feasible” to hand it over.


Apple can't see e-mails or messages on devices running iOS 8 with passcodes enabled.

Apple has worked tirelessly over the last few weeks to clarify and strengthen its security tools as it seeks to handle your most private information. iOS 8’s HealthKit will centralize the health and medical data third-party apps collect on you, with your permission, so Apple has put in place developer guidelines that prevent those apps from selling that data to advertisers. In the wake of the celebrity photo hacking scandal, the company added two-step verification for iCloud backups. Apple will have a slew of privacy measures in place when it launches Apple Pay, a mobile payments platform that uses Near Field Communication technology baked into the iPhone 6 and iPhone 6 Plus. Apple Pay won’t store your financial information on your phone or on its servers, instead generating a one-time-use number, and will require Touch ID to authenticate your purchases.
HealthKit and Apple Pay have the potential to streamline your life, but they won’t find mass adoption until users are convinced that their information isn’t up for grabs—especially in the post-Snowden era. That’s where the iOS 8 passcode comes into play. But even before the new OS rolled out, Apple didn’t actually receive that many national security-related requests—less than 250 total in the first six months of this year.
“We have never worked with any government agency from any country to create a backdoor in any of our products or services,” Cook said. “We have also never allowed access to our servers. And we never will.”

How virtual office technology changes everything



We’re in the middle of a sea change that’s upending every aspect of computing as we know it. One of the biggest trends driving this change is the rise of the virtual office – the ability to relocate our workspaces from central offices to just about anywhere in the world. In every aspect of business, from file sharing to tech support, new tools and services collapse the entire world into an immediate, shared experience.
Here are five key ways that trend manifests itself today:

Work Follows You (Not the Other Way Around)

The commute to downtown. Wrestling your way into an anonymous cubicle. Outdated equipment that doesn’t work the way you want it to. The office as we know it hasn’t changed much in the last two or three decades, but virtual offices are finally revolutionizing all of it in one fell swoop. With technology like videoconferencing, remote access, and cloud-based storage you can work where you’re most productive, whether that’s your kitchen table or the coffee shop. Just bring your laptop and a wireless connection and let tools like LogMeIn Hamachi’s VPN software do the heavy lifting.

Shaking Up Support

Most organizations offer support of some kind, whether it’s tech support for company employees or live chat for customers experiencing trouble or prospective buyers with pre-sales questions. Managing a support operation used to require a large-scale help desk and call center: a huge investment for any company. That’s no longer needed thanks to the virtual office. Now you can engage support experts from anywhere with tools like LogMeIn Rescue. This gives support teams live, remote access to the customer’s devices - no cubicle required. It also allows you to hire the best tech support crew regardless of their location, and to scale up for your busy season without having to worry about adding desks or buying more hardware.

The End of Big Hardware

The virtual office doesn’t just do away with the front office, it’s replacing the back office as well. Not long ago running a tech-savvy company meant investing thousands of dollars in an array of high-end file servers, each gobbling up power, requiring special cooling, and reliant on an army of IT staff to keep running. Servers are now easily accessed via third-party providers which let you buy only the storage space and bandwidth you need for only as long as you need it. 

Software When You Want It

The flipside of outsourced hardware is SaaS, software as a service. Need a project management tool? Sign up for one online instead of buying dozens of software licenses and installing them on every computer in the organization. Ditto email, CRM, accounting, human resources, and just about any other business function you might conceivably need. Now it’s all available through the cloud – which means it can reach your employees anywhere they happen to be, on any device they choose to use.

Backups You Can’t Forget

Dealing with backups at the enterprise level has become increasingly difficult as staff rosters have swollen. Not to mention, it’s always tough to get users to run backup software on a regular basis. Enter the virtual office, which gives you much greater control over what devices are backed up and when. Advanced, secure, centrally-managed backup software now protects all your organization’s computers no matter where they’re located, letting you scale up or down to easily back up all the devices in your worldwide organization.