Friday, August 29, 2014

Researchers: iPhones, iPads connected to Windows PCs are at risk


Attackers could compromise iPads and iPhones on a large scale through the infected computers that make up botnets, researchers say.
Nearly a quarter of zombie computers that make up certain known botnets eventually connect with Apple iOS devices, making these phones and tablets vulnerable to infection from malicious applications, a team from Georgia Institute of Technology said last week at the 23rd USENIX Security Symposium.
Attackers would install malicious applications on the iOS devices when they connect to infected PCs via USB cable or Wi-Fi, says the team led by Tielei Wang. The apps would steal passwords and other personal information.
Generally, iOS apps must come from the App Store and have been vetted. But in the past, some malicious apps have gotten in under the radar until users discovered they were malicious, and then Apple dropped them from the store, the researchers say. Placing them in the store could be done again, and bot computers could download them before they were dropped.
Then, when an iOS device attached to the bot computer, the bot would download the app onto the phone or tablet.
As a rule iOS devices will accept only those apps that are bound to their Apple ID. But the phones and tablets would accept the apps from the bot because iTunes running on the bot would be allowed to make the transfer. As the researchers put it, “Specifically, when an iOS device with Apple ID B is connected to iTunes with Apple ID A, iTunes can still sync apps purchased by Apple ID A to the iOS device, and authorize the device to run the apps.”
This will work even after Apple has removed the malicious app from the App Store, they say. “Although Apple has absolute control of the App Store, attackers can leverage [man-in-the-middle attacks] to build a covert distribution channel of iOS apps.” The covert distribution channel would be the botnet.
The researchers show another mechanism to get malicious apps onto iOS devices by using permissions granted to developers for testing apps on devices or for enterprises to distribute in-house apps. With enough developer credentials, attackers could distribute malicious applications by getting around the protections put in place for App Store applications.
The researchers also discovered that while an iOS device is connected to a PC, the host computer can connect to it via Apple File Connection (AFC) protocol. As a proof of concept, the researchers say they retrieved cookies from Facebook and Gmail apps on iOS devices, and transferred them to another computer where they were used to get into those Web accounts.
To estimate how many iOS devices might be vulnerable to such attacks the researchers used DNS traffic from two U.S. ISPs in 13 cities for five days last October. They searched the traffic for the domain names of known botnet command-and-control servers being tracked by security company Damballa to determine how many Windows machines on customer networks included bots. They eliminated Mac OS X machines from the count.
They came up with a conservative estimate that 23% of all the bot machines in the sample had both Windows iTunes installed and also had iOS devices connecting from the same IP address, meaning these iOS devices could be vulnerable to the researchers’ attacks. Put another way, if the attacks were bundled into payloads directed at the iOS devices, “there would be 75,714 potential victims in 13 cities, within the networks we monitor.”
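The counting step described above can be sketched as follows. This is an added example, not the researchers' code: the log format, the C&C list, the platform indicator domains and the rule that drops any bot IP showing a Mac OS X indicator are all assumptions, since the article does not say how each platform was fingerprinted.

```python
from collections import defaultdict

# Hypothetical indicator lists (placeholders under .example, not real IoCs).
CNC_DOMAINS = frozenset({"c2-alpha.example", "c2-beta.example"})
PLATFORM_INDICATORS = {
    "windows_itunes": frozenset({"win-itunes.example"}),
    "ios": frozenset({"ios-push.example"}),
    "macosx": frozenset({"osx-update.example"}),
}

# Constructed sample: "<timestamp> <client IP> <queried name>" per line.
SAMPLE_LOG = """\
2013-10-01T08:00:01Z 198.51.100.10 c2-alpha.example
2013-10-01T08:00:05Z 198.51.100.10 updates.win-itunes.example
2013-10-01T08:01:12Z 198.51.100.10 ios-push.example
2013-10-01T08:02:00Z 198.51.100.11 c2-beta.example
2013-10-01T08:02:30Z 198.51.100.11 win-itunes.example
2013-10-01T08:03:00Z 198.51.100.12 C2-ALPHA.EXAMPLE.
2013-10-01T08:03:10Z 198.51.100.12 ios-push.example
2013-10-01T08:04:00Z 198.51.100.13 c2-alpha.example
2013-10-01T08:04:20Z 198.51.100.13 osx-update.example
2013-10-01T08:04:40Z 198.51.100.13 ios-push.example
2013-10-01T08:05:00Z 198.51.100.14 win-itunes.example
2013-10-01T08:05:10Z 198.51.100.14 ios-push.example
2013-10-01T08:06:00Z 198.51.100.15 c2-beta.example
2013-10-01T08:06:10Z 198.51.100.15 win-itunes.example
2013-10-01T08:06:20Z 198.51.100.15 a.ios-push.example
2013-10-01T08:07:00Z 198.51.100.16 notc2-alpha.example
garbage line without enough fields
"""


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def in_set(qname, domains):
    """True if qname is a listed domain or a subdomain of one (label-aligned)."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def parse_log(text):
    """Yield (client_ip, query_name) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, client, qname = parts
        yield client, normalize(qname)


def tag_clients(records):
    """Map each client IP to the set of tags its queries matched."""
    tags = defaultdict(set)
    for client, qname in records:
        if in_set(qname, CNC_DOMAINS):
            tags[client].add("bot")
        for tag, domains in PLATFORM_INDICATORS.items():
            if in_set(qname, domains):
                tags[client].add(tag)
    return tags


def estimate_exposure(text):
    """Count bot IPs that also show Windows iTunes and iOS activity."""
    tags = tag_clients(parse_log(text))
    bots = {c for c, t in tags.items() if "bot" in t}
    # Assumption: a bot IP with any Mac OS X indicator is dropped entirely,
    # which keeps the estimate conservative.
    mac_excluded = {c for c in bots if "macosx" in tags[c]}
    counted = bots - mac_excluded
    exposed = sorted(c for c in counted
                     if {"windows_itunes", "ios"} <= tags[c])
    fraction = len(exposed) / len(counted) if counted else 0.0
    return {
        "bot_clients": len(counted),
        "mac_excluded": len(mac_excluded),
        "exposed_clients": exposed,
        "exposed_fraction": fraction,
    }


if __name__ == "__main__":
    print(estimate_exposure(SAMPLE_LOG))
```

A client IP here stands for everything behind one NAT address, so the result counts households or offices rather than individual machines.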
The researchers say they’ve already told Apple about their discoveries. “We have made a full disclosure to Apple and notified Facebook and Google about the insecure storage of cookies in their apps,” the researchers write in their paper. “Apple acknowledged that, based on our report, they have identified several areas of iOS and iTunes that can benefit from security hardening.”

FBI, Secret Service studying 'scope' of reported bank cyberattacks



A U.S. Federal Bureau of Investigation spokesman said Wednesday the agency is working with the Secret Service to determine the “scope” of reported cyberattacks against several financial institutions.
Bloomberg reported on Wednesday that Russian hackers struck JPMorgan Chase and another bank earlier this month. A subsequent report in the New York Times said the attacks hit JPMorgan Chase and four other U.S. financial institutions.
The Times reported that “gigabytes” of information were stolen, including customer account information.
A JPMorgan Chase spokeswoman did not confirm the attacks, saying that “companies of our size unfortunately experience cyberattacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”
Representatives for Wells Fargo, Bank of America and Citigroup—also frequent targets for hackers—could not be immediately reached for comment.
FBI spokesman Paul Bresson said via email that combating cyber threats is a top priority for the government, and the agency constantly works with U.S. companies to fight attacks.
Media reports speculated the attacks could be in retaliation due to sanctions against Russia for its actions in Ukraine, but the motives remain unclear.
Quoting an anonymous source, Bloomberg wrote that one of the attacks was executed via a zero-day vulnerability in one of the bank’s websites. A zero-day flaw is one that attackers are exploiting but for which there is no fix.

CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files

A file-encrypting ransomware program called CryptoWall infected over 600,000 computer systems in the past six months and held 5 billion files hostage, earning its creators more than $1 million, researchers found.
The Counter Threat Unit (CTU) at Dell SecureWorks performed an extensive analysis of CryptoWall that involved gathering data from its command-and-control (C&C) servers, tracking its variants and distribution methods and counting payments made by victims so far.
CryptoWall is “the largest and most destructive ransomware threat on the Internet” at the moment and will likely continue to grow, the CTU researchers said Wednesday in a blog post that details their findings.
The threat has been spreading since at least November 2013, but until the first quarter of this year it remained mostly overshadowed by CryptoLocker, another ransomware program that infected over half a million systems from September 2013 through May.
CryptoLocker asked victims for ransoms between $100 and $500 to recover their encrypted files and is estimated to have earned its creators around $3 million over 9 months of operation. The threat was shut down at the end of May following a multi-national law enforcement operation that had support from security vendors.
CryptoWall filled the void left by CryptoLocker on the ransomware landscape through aggressive distribution using a variety of tactics that included spam emails with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits and through installations by other malware programs already running on compromised computers.


Early versions of CryptoWall (left) copied CryptoLocker (right) in both execution and design, Dell SecureWorks reports.

The CryptoWall command-and-control servers assign a unique identifier to every infection and generate RSA public-private key pairs for each one.
The public keys are sent to infected computers and are used by the malware to encrypt files with popular extensions—movies, images, documents, etc.—that are stored on local hard drives, as well as on mapped network shares, including those from cloud storage services like Dropbox and Google Drive.
Files encrypted with an RSA public key can only be decrypted with its corresponding private key, which remains in the possession of the attackers and is only released after the ransom has been paid.
The CTU researchers were able to count the unique computer identifiers from the CryptoWall servers and also obtained information about their IP (Internet Protocol) address, approximate time of infection, and payment status.
“Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall,” the CTU researchers said. “In that same timeframe, CryptoWall encrypted more than 5.25 billion files.”



The largest number of infected systems were located in the United States—253,521 or 40.6 percent of the total. The next most affected countries were Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.
CryptoWall typically asks victims to pay the ransom in Bitcoin cryptocurrency, but earlier variants offered more payment options, including pre-paid cards like MoneyPak, Paysafecard, cashU, and Ukash.
The ransom amount grows if a victim doesn’t pay the ransom within the initial allotted time, which is usually between four and seven days. The CTU researchers observed payments that ranged between $200 and $10,000 in value, the majority of them (64 percent) being of $500.
“Of nearly 625,000 infections, 1,683 victims (0.27%) paid the ransom, for a total take of $1,101,900 over the course of six months,” the CTU researchers said.
This suggests that while CryptoWall managed to infect 100,000 more computers than CryptoLocker, it was less effective at generating income for its creators. Researchers determined in the past that 1.3 percent of CryptoLocker victims paid the ransom for a total of over 3 million dollars.
The difference in success rate might be explained through the technical barriers involved in obtaining Bitcoins, the CTU researchers said. In the case of CryptoLocker, 1.1 percent of victims paid the ransom through MoneyPak and only 0.21 percent used Bitcoin.
The CTU analysis found similarities between CryptoWall samples and those of an older ransomware family called Tobfy. If the same attackers are behind both threats, it means that they have at least several years of experience in ransomware operations.


EU satellites fired into wrong orbit by 'software bug' 



Two satellites commissioned by the European Union were accidentally sent into the wrong orbit at launch because of a simple software bug - potentially rendering the multi-million pound devices less capable than intended, or even entirely useless.

An anonymous source from Russian space agency Roscosmos told Osho3mtech that: “The nonstandard operation of the integrated management system was likely caused by an error in the embedded software. As a result, the upper stage received an incorrect flight assignment, and, operating in full accordance with the embedded software, it has delivered the units to the wrong destination.”
Also, Russian newspaper Izvestia reports that a software error in the upper stage, which was developed by a Russian government-owned corporation, was the likely cause.


Thursday, August 28, 2014


Nigeria's President Goodluck Jonathan on Thursday (28th of August 2014) launched a national electronic identity card scheme


Nigeria's President Goodluck Jonathan on Thursday launched a national electronic identity card scheme, which is said to boost access to financial and government services in Africa's most populous nation.
The head of state was issued with his own card, which features a credit card-style chip with personal as well as biometric data and doubles up as a prepaid charge and debit card.
A number of Nigerian government agencies, from the police to the Independent National Electoral Commission, have embarked on their own separate ID card schemes.
But Jonathan said the plan was to eventually include details such as driving licence, health insurance, tax and pension information on the single card.
"The regime of duplication of biometric databases must now have to give way to harmonisation and unification with the e-ID scheme, which shall be the primary database," he told reporters.
Only 32 percent of Nigeria's adult population are thought to have bank accounts, according to a 2012 study.
Nigeria's central bank has been pushing for a move away from cash to electronic payments and has trialled a scheme in the financial capital, Lagos, with the help of private partners.
But the pilot project has not been plain sailing, with retailers and customers often facing frequent power supply and connectivity problems that slowed down transactions.
The cards will be available initially to Nigerians aged 16 and older and all residents in the country for more than two years.
Cardholders will be given a unique national identification number and have to provide fingerprint data, a photo and digital signature to cut the risk of fraud and embezzlement.
The scheme has so far cost about seven billion naira ($42.5 million, 32 million euros), according to the National Identity Management Commission.
Financial services firm MasterCard, the scheme's payment technology provider, said 13 million cards would be available in the first phase, with more than 100 million to be issued in total.
"Nigeria is ready for this," the firm's head of Sub-Saharan African operations, Daniel Monehin, told AFP.
"Nigeria has been left out of electronic financial payment for decades but now Nigeria is saying we want to take our rightful place in payment. There has not been a project of this magnitude... that's been rolled out at this scale."
Africa's most populous nation has an unenviable reputation for fraud, particularly involving financial transactions.
But Monehin said the card was "secured with the best form of security that is available".

'Digital condom' that protects against USB infections



Information security experts have created a “USB condom” which allows you to charge smartphone or tablet batteries from strange USB ports without risking accidental syncing of private data or contracting a computer virus.
The USB condom is a small chip with male and female ports which connects between your device and the unknown USB port, linking-up the power cables but severing any potential data connection.



Now that most devices charge via ubiquitous USB leads it can be tempting to top-up batteries by connecting to any nearby computer or charging station. But because USB offers data transfer as well as a power source, it is not without its risks.
Fake charging stations can be created to harvest sensitive data, and plugging a smartphone into a strange computer can accidentally back up your data to the computer, leaving it accessible by the owner.
USB cables are actually composed of several entwined cables, wrapped in a single protective covering. Some of the cables allow data transfer, while two provide five volts of electricity. To charge a device you only need the power cables, not the data cables – which can actually put you at risk of unnecessary data transfer or infection by malware.



Monday, August 25, 2014

Why spammers persist despite filters and well-informed users




In a world where everyone knows about the dangers of spam, and every email program has a spam filter, these dreadful messages just keep coming.


To put it bluntly, some people don’t get it. As George Carlin put it, “Think of how stupid the average person is, and realize half of them are stupider than that.”
Spammers don’t even need to count on the less intelligent half of humanity. All they need to turn a profit is a very tiny fraction of the population.
Now then, about spam filters: They’re not perfect. Some spam will slip through. That’s not an accident; spammers work hard at outsmarting the filters. And once they outsmart a filter, they get a chance to outsmart a sucker.
Remember that a sucker doesn’t have to lack intelligence. They could be uninformed or fooled in a new way that few people know about yet. Or they could just be really tired.
It doesn’t take many suckers to make spam profitable. I’ve read estimates claiming that for every million spam messages sent out (including the majority stopped by filters), only three people fall into the spammer’s trap.
That sounds like a very bad business model, but it’s actually a very lucrative one. There are tens of billions of spam messages sent each day—possibly as many as 100 billion. That means 300,000 suckers a day.
Let me put it this way: If all I cared about was making money, and I didn’t mind breaking the law or hurting innocent people, I’d become a spammer. It’s a lot more profitable, and a lot safer, than breaking into homes.
Since spam is unlikely to stop, you need to remain vigilant. Don’t trust promises of cheap drugs, obscene pictures, or get-rich-quick schemes. If something seems too good to be true, it’s probably too good to be true. If a friend sends you a desperate message that doesn’t sound as if your friend wrote it, they didn’t.


Sunday, August 24, 2014

Have a company laptop? Here's how to keep your browsing private



Amosiye often takes an office laptop home. He wants to know if "the System admin from Osho3mtech office" can see what websites he visits at home.
Virtually all browsers these days have private modes (Chrome calls it Incognito Mode). In this condition, the browser doesn't keep records of where you've been. In theory, and often in fact, you can use these modes and leave no trace of where you've been.
But the chance that a private mode will protect you drops considerably on a company computer. It's quite possible that this computer contains software that tracks everything you do on it. (If you're a parent, you may be using similar software to track your kids' browsing habits.)
Remember that this is not your computer. It belongs to your employer, who has a legal and (in my opinion) moral right to know what happens on it. The company could lose huge amounts of money from a malware attack, and therefore has good reasons to limit what you can do with Internet-connected company property.
But whether your employer's rules make sense or not, you have to follow them. And unless you've been explicitly told otherwise (and maybe even if you have), you should assume that your office PC is spying on you, at the office and when you take it home.

US agencies to release cyberthreat information faster to the health-care industry

U.S. government agencies will work to release cyberthreat information faster to the health-care industry after a massive breach at hospital operator Community Health Systems, representatives of two agencies said.
While the FBI issued an alert about the Community Health Systems breach one day after it was announced, government agencies can still do more to warn health-care providers about ongoing threats, said Michael Rosanova, a supervisory special agent at the FBI.
It can be “frustrating” for health-care providers to get threat information from government agencies, Rosanova said during a briefing hosted Thursday by the Health Information Trust Alliance (HITRUST), a health-care cybersecurity vendor.
If cyberthreat information is classified by the government, the FBI and other agencies have to take additional steps before sharing the information, he said. “It’s not that easy, unfortunately, to take something with a fairly high security classification ... and get that in a useable context to people that need it,” Rosanova said.
In the Community Health Systems breach, “we did make every effort to get the industry the information that was being requested,” he added. “We did do the best that we could.”
The FBI and other agencies can do a better job of informing health-care providers about cyberthreats that are “about to break,” Rosanova said. The FBI wants to be more proactive with warnings, but in some cases, it won’t be able to share as much information as health-care providers would like because of national security issues, he said.
U.S. agencies are already looking for ways to learn from the Community Health Systems breach and concerns about the speed of information sharing, added Danell Castro, program manager at the Critical Infrastructure Information Sharing and Collaboration Program at the U.S. Department of Homeland Security.
Information sharing has come a long way, she said, but still can be improved. Vetting information takes time, but DHS is looking at ways to speed up the process, she said.
While Rosanova talked about health-care providers sometimes needing security clearances to get threat information, those clearances aren’t the “secret sauce,” Castro said. Instead, participating in a collaborative environment, such as HITRUST’s monthly threat briefing, will help drive forward more information sharing, she said.
“The more collaboration you do like this, the better off you will be,” he said.
The Community Health Systems breach was tied to the Heartbleed bug, a known vulnerability, with the breach happening earlier this year, when Heartbleed was at its peak, noted Roy Mellinger, vice president and CISO of health-care provider WellPoint.
The news of the breach raised many questions from WellPoint executives, Mellinger said.
The health-care industry’s cybersecurity efforts took some criticism following the announcement of the breach, but the industry has “come a long way in the last two or three years,” Mellinger said. Still, cybersecurity “practices across the entire industry are not as sufficiently robust as we would all like,” he added.
Mellinger called on U.S. agencies to communicate more quickly about threat information. In some cases, even advisories saying, “stay the course, this [threat] is nothing new” would calm executives and shareholders, he said.

NIST taking input for mobile security guidelines

The U.S. National Institute of Standards and Technology (NIST) is developing a guide for testing third-party apps to ensure that they are secure and don’t introduce any vulnerabilities.
The government agency has prepared a draft of its recommendations, “Technical Considerations for Vetting 3rd Party Mobile Applications,” and is seeking industry feedback by Sept. 18. The aim is to help enterprises make full use of commercial mobile programs.
“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” said NIST computer scientist Tom Karygiannis in a statement announcing the release of the draft.
The draft publication “describes tests that allow software security analysts to discover and understand vulnerabilities and behaviors before the app is approved for use,” Karygiannis said.
The document, once finished, will give organizations a guide for testing third-party apps that they may want to use for official business. It will also detail the different types of vulnerabilities commonly found on Android and Apple iOS devices.
Many of today’s mobile apps, such as calendars, require access rights to various parts of the device’s OS. Granting permissions to these apps, however, can introduce security vulnerabilities to a secured system. For instance, giving a collaboration app access to a contact list could inadvertently reveal names on the list that should remain private.
Mobile devices can also gather a lot of data unbeknownst to the owner of the device. Malware, for instance, could be surreptitiously installed to record phone conversations, or users could be secretly tracked through the phone’s GPS functionality.
In addition to offering techniques for testing and vetting apps, the publication will also provide descriptions of undesirable behavior, how to manage an app through its entire life cycle, and examples of how vulnerabilities could lead to system compromises.
Beyond security, the publication will also detail how to manage the power that apps can consume on a device.
An agency within the U.S. Department of Commerce, NIST works with industry to develop standards and technologies to encourage innovation, advance U.S. economic competitiveness and improve the quality of life.

Security spending gets boost from mobile, social and cloud, says Gartner

The increased adoption of mobile, social and cloud computing is driving growth in security spending among organizations that are also becoming more aware of threats on all those fronts.
Worldwide spending on information security will top US$71 billion this year, an increase of 7.9 percent over 2013, with the data loss prevention segment recording the fastest growth at 18.9 percent, research firm Gartner said Friday.
Research director Lawrence Pingree pointed to what he called the “democratization” of security threats, with malicious software tools that can be used to launch advanced attacks now more broadly available online via an underground economy. While this has made life even more difficult for CISOs, it has also resulted in increased awareness. Security is no longer seen as just an IT function or a cost center, he said.
Organizations are shifting existing resources away from security device administration and monitoring, toward mitigation and incident response.
The growing popularity of hosted applications and infrastructure is also changing the security sector. In 2015, roughly 10 percent of overall IT security enterprise capabilities will be delivered as a cloud service, Gartner said. Small and medium sized companies will rely on hosted security services to an even greater extent.
Unfortunately, many organizations continue to lack staff with the appropriate security skills. To keep up with hackers, more than half of organizations will by 2018 rely on security services firms that specialize in data protection, risk and infrastructure management, according to Gartner.
Regulatory compliance has been a major factor driving spending on security in the last three years, particularly in the U.S., according to Gartner. Privacy and data protection laws in various stages of implementation or planning in Australia, the European Union, Singapore and Malaysia will further help drive growth.
Gartner will take a more in-depth look at these trends during its upcoming Security and Risk Management Summits in Sydney, London and Dubai.

Your living room is vulnerable to cyber attacks


At the Black Hat security conference in Las Vegas earlier this month, researchers demonstrated how a Nest thermostat can be hacked, to show how easily connected appliances—the household technologies that make up the Internet of Things—can be compromised. When you look beyond the demo's hyperbolic headlines, it turns out the hack requires physical access to the Nest device, but the question remains, “How vulnerable is IoT?”
To find out, David Jacoby, a security researcher with Kaspersky Lab, hacked his own living room. 
In a blog post detailing the exercise, Jacoby describes the array of connected devices in his home. He has two different NAS (network-attached storage) units, a smart TV, satellite receiver, printer, and the router from his Internet provider. Aside from the NAS units, it's all technology you can find in just about any house.
Jacoby identified 14 vulnerabilities just in the two NAS units, one in the smart TV, and several concerning issues with his Internet router. He found remote code execution flaws and weak passwords on the NAS devices, a potential for a man-in-the-middle attack on unencrypted traffic between the smart TV and the TV vendor’s servers, and hidden backdoors in the router designed to let the Internet provider's support personnel remotely access any device on the private network.
The results are concerning. It took Jacoby less than 20 minutes to find and verify extremely serious vulnerabilities that expose his home to significant risk. He explained, “Individuals and also companies need to understand the security risks around connected devices. We also need to keep in mind that our information is not secure just because we have a strong password, and that there are a lot of things that we cannot control.”
Unfortunately, securing IoT devices is a bigger challenge in many cases than patching and securing traditional computing devices. Many IoT technologies lack any sort of direct user interface, so you are dependent on the vendor to make it as secure as possible off the shelf and to deploy updates in a timely manner when flaws are discovered.
There are a few things you can do yourself, though. Jacoby says users should keep devices that do offer firmware and security patches up to date. He also stresses that all default passwords should be changed. Finally, Jacoby recommends exploring more advanced features in some routers that will enable you to restrict access so that only designated devices on your network are allowed to connect to the network or access other resources.

Tuesday, August 12, 2014

The best way to completely wipe your Android device


The default data wipe tool in Android may not be enough to permanently eliminate personal data on your old device.


A study from security software vendor Avast has suggested that the factory reset option built into the Android operating system isn't effective in eradicating your personal data from old devices. The firm purchased 20 used Android smartphones on eBay and was able to recover more than 40,000 photos, 750 emails and text messages, and 250 contacts, along with the identities of four of the previous device owners, and even a completed loan application. To make matters worse, Avast employees were using readily available data recovery software to get the job done.
While Avast and other companies like it offer data deletion tools, there are other steps you can take to secure your personal data when performing a factory reset.

Step one: Encrypting

I recommend encrypting your device before you wipe it. The encryption process will scramble the data on your device and, even if the wipe doesn't fully delete the data, a special key will be required to unscramble it.
To encrypt your device on stock Android, enter settings, click on Security, and select Encrypt phone. The feature may be located under different options on other devices.

Step two: Perform a factory reset
The next thing you will want to do is perform a factory reset. This can be done on stock Android by selecting Factory data reset in the Backup & reset option in the settings menu. You should be aware that this will erase all of the data on your phone and that you should back up anything you don't want to lose.


Step three: Load dummy data

Following steps one and two should be enough for most people, but there's an extra step you can take to add another layer of protection when erasing your personal data. Try loading fake photos and contacts on your device. Why, you ask? We will address that in the next step.

Step four: Perform another factory reset

You should now perform another factory reset, thus erasing the dummy content you loaded onto the device. This will make it even harder for someone to locate your data because it will be buried below the dummy content.
Still feeling a little paranoid? Repeat steps three and four as many times as you like. As I mentioned above, though, for most people simply following steps one and two should be enough. Without the encryption pin, which is overwritten in the initial factory reset, it will be almost impossible to unscramble your data.
Then again, you could always take a hammer to your phone or toss it in the toilet. You know, if you aren't interested in selling it.

Friday, August 8, 2014


Your Speed Test for Desktop, Laptop, Mobile and Tablets






BANDWIDTHPLACE SPEED TEST BENEFITS
The speed test at BandwidthPlace incorporates HTML5 technology that allows you to test your bandwidth on any device without updating your browser, downloading a separate mobile app or installing Flash. We use the latest in responsive design to bring you the best web experience. A lot of our improvements come from BandwidthPlace.com user suggestions – and we welcome your ideas to make the site even better.
Whether you are testing your broadband at home, at work, or on your tablet or mobile device – simply access BandwidthPlace.com. Next you will see that the speed test and website automatically detect your device and your screen size. Click on “start” and the speed test will run. Monitoring and managing your broadband connection is that easy!
We recommend testing your Internet speed frequently to measure the bandwidth you are receiving at different times. Try using the different servers to see how your bandwidth performs as it travels to varying locations that host the websites you visit. If you are running applications, or streaming more broadband than you have on your current plan, consider upgrading or looking at other options.
Your Thoughts?
BandwidthPlace.com now has a new face! We’ve upgraded our site and enhanced the speed test so you can use it anywhere you use broadband – on any device. And, soon you will see a LOT more content focused on maximizing broadband connections and the latest about all things “Online”.
The next upgrades to the speed test will be based on your Feedback and advice from our Technical Community. We will continue to evolve the speed test and content tailored to the way you use broadband today. Our Feedback form is easy to fill out and is located on any page of the site.
We look forward to hearing from you!
                                                                                                 

Top five free website builders

In the nascent days of the Internet, building your own website was something of a time-consuming and costly undertaking. Not only did you need to know how to write in a variety of different programming languages, but you also had to use one of a number of expensive computer applications to perfectly design the site in question to make sure that every visitor to your site got the same experience. As technology continues to advance, though, building your very own website becomes easier and cheaper with every passing day.
There are a variety of free website builders that are available for you to choose from, depending on your needs. While a free site or service may lack some of the more advanced features that their expensive counterparts include, they are still invaluable tools when it comes to getting your personal or business website off the ground and onto the Internet as efficiently and inexpensively as possible.

WordPress
In the world of free website builders, WordPress has a wide variety of different benefits that can’t be ignored. For starters, the service is shockingly simple to use. By the time you’re finished signing up for your free account, you’ve practically done the majority of the hard work already, like choosing a site domain and picking a template. Creating your own website on WordPress is not dissimilar to creating a text document with pictures and other multimedia elements in a program like Microsoft Word. You can create as many free sites as you want with the same free account.

IM-Creator
The reason why IM-Creator will always make any list of free website builders has to do with just how easy it is to use and exactly what it allows you to do. IM-Creator is a website builder that allows you to create elegant personal websites in the simplest ways possible. If you want to design your site from the ground up, you have the freedom to do so. If you want to use one of the built-in templates to get started as quickly as possible, you can do that, too. You don’t have to worry about understanding complex programming languages, as IM-Creator allows you to drag and drop content onto your site and have it appear in the exact location that you want it to. You can also update, maintain and even promote your website right from the same graphical user interface.

SquareSpace
Another service that will always be high in the running on any list of the top website builders is SquareSpace. SquareSpace includes a drag and drop interface that makes it easy to create your own site from the ground up, even if you don’t even know what a programming language is, let alone how to write in one. Your account includes design tools, a domain name and even hosting. You can get your own custom domain name, which is one of the key benefits that SquareSpace offers that certain other free website builders lack. You can also market your site directly from the SquareSpace interface and drive traffic to it from sources like Bing, Google and even Yahoo search engines.

Weebly
One free website builder that has been gaining popularity in recent years is Weebly. Weebly is a free website building platform that allows you to start the process of creating your own website quickly and easily by picking one of the themes that comes with your free account. You can choose a theme based on the way you want your site to look and feel to visitors and can even change that theme later on once you get your content in place. Weebly is great for blogging in particular and even supports eCommerce features and mobile applications. Not only will you be able to take payments on your website via Weebly, but your visitors will also be able to do so right from an interface that is tailor-made for their smartphones, tablets and other types of portable devices that they may be using.

Wix
Wix is a free website builder that currently boasts more than 51 million users. The major selling point of Wix is that it allows you to create a website that is easy to customize without the need to really get down and alter the code. There are hundreds of different templates that you can choose in a variety of different categories, all of which are totally compatible with HTML5. This means that your website is essentially future-proof as HTML5 replaces traditional HTML as the programming standard on the Internet moving forward, which is a process that has already begun.
If you’re making the decision to shun a costly web-building application and instead want to go with a free, online counterpart, you’ll have everything you need to make sure that the job gets done properly in some of the top website builders on the Internet today.



Tuesday, August 5, 2014

Researcher says PayPal's two-factor authentication is easily beaten
A security feature offered by PayPal to help prevent accounts from being taken over by hackers can be easily circumvented, an Australian security researcher has found.
PayPal users can elect to receive a six-digit passcode via text message in order to access their accounts. The number is entered after a username and password are submitted.
The security feature, known as two-factor authentication, is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept, although by no means impossible.
Joshua Rogers, a 17-year-old based in Melbourne, found a way to get access to a PayPal account that has enabled two-factor authentication. He published details of the attack on his blog on Monday after he said PayPal failed to fix the flaw despite being notified on June 5.
By going public with the information, Rogers will forfeit a reward usually paid by PayPal to security researchers that requires confidentiality until a software vulnerability is fixed. Rogers estimated the reward might be around $3000, although PayPal didn’t give him a figure.
“I don’t care about the money, no,” he said via email. “Money isn’t everything in this world.”
The attack requires a hacker to know a person’s eBay and PayPal login credentials, but malicious software programs have long been able to easily harvest those details from compromised computers.
The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered, Rogers wrote on his blog.
The problem lies specifically in the “=_integrated-registration” function, Rogers wrote, which does not check to see if the victim has two-factor authentication enabled. An attacker could repeatedly get access to the PayPal account by linking and de-linking the eBay and PayPal accounts of a person, he wrote. He posted a video of the attack on YouTube.
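The flaw described above is a second session-issuing path that never asks whether two-factor authentication is enabled. The sketch below is an added example, not PayPal's or eBay's code: it models a linking flow that grants a full session on a password alone, next to a hardened form in which every flow goes through one function that withholds full authentication until the code is verified. All names and the sample accounts are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample accounts; plaintext passwords only to keep the sketch short.
ACCOUNTS = {
    "alice": {"password": "correct horse", "two_factor_enabled": True},
    "bob": {"password": "hunter2", "two_factor_enabled": False},
}
PENDING_CODES = {}  # username -> one-time code awaiting verification

@dataclass
class Session:
    user: str
    fully_authenticated: bool  # stays False until the second factor is verified

def _password_ok(user, password):
    account = ACCOUNTS.get(user)
    if account is None:
        return False
    return hmac.compare_digest(account["password"].encode(), password.encode())

def link_account_vulnerable(user, password):
    """Models the flaw: the linking path grants a full session on password alone."""
    if not _password_ok(user, password):
        return None
    return Session(user, fully_authenticated=True)

def issue_session(user, password):
    """Hardened: the only place any flow (login or linking) obtains a session."""
    if not _password_ok(user, password):
        return None
    if ACCOUNTS[user]["two_factor_enabled"]:
        PENDING_CODES[user] = f"{secrets.randbelow(10**6):06d}"  # sent out of band
        return Session(user, fully_authenticated=False)
    return Session(user, fully_authenticated=True)

def verify_second_factor(session, code):
    """Upgrade a pending session; each code is single use, right or wrong."""
    expected = PENDING_CODES.pop(session.user, None)
    if expected is not None and hmac.compare_digest(expected.encode(), code.encode()):
        session.fully_authenticated = True
    return session.fully_authenticated

def link_account_hardened(user, password):
    """The linking flow reuses issue_session instead of minting its own session."""
    return issue_session(user, password)
```

Sensitive handlers should then check `fully_authenticated` rather than the mere presence of a session, so a newly added flow cannot bypass the second factor by accident.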
PayPal officials could not be immediately reached for comment.
The payment processor’s two-factor authentication could potentially be defeated in other ways. For example, if a user doesn’t have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.
Those questions, which include “What’s the name of your first school?” and “What’s the name of the hospital in which you were born?” arguably aren’t difficult ones for a hacker who has been profiling a victim to answer.
But as with many online defenses, companies are often forced to make trade-offs between convenience and security, attempting to strike the right balance between safety and not alienating users locked out of their accounts.
Rogers has a record of finding problems in online services. Last month, he accepted a caution from police rather than face charges for discovering a vulnerability in the website of one of the country’s public transport authorities late last year.
A database flaw within the website of Public Transport Victoria (PTV), which runs the state’s transport system, allowed Rogers to gain access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.