Category: Hackers


image

Mobile security company Lookout has continued to expand its list of Android Market applications that have been found to contain malicious code known as ‘RuFraud’. Researchers spotted 22 malicious apps by the start of the week, prompting Microsoft to offer victims free Windows Phone handsets, while five more have been discovered since then.

The titles include several horoscope apps, wallpaper utilities that offer pictures from movies such as Twilight and Moneyball, fake downloaders for popular Android games such as Angry birds, and fake free versions of other games.

Once downloaded, the apps trick users into agreeing to charges that will be applied to the bill due to SMS messages sent to premium numbers. The code appears to affect users in Europe and Asia, rather than North America.

Google has quickly pulled the offending titles from the app portal, however the situation has given credence to criticism of the mobile platform’s security features. The company’s open approach is said to make it easier for attackers to post malicious apps without encountering problems in the approval process. Fragmentation is also seen as a potential problem, as most Android handsets are running older OS versions that lack the latest security protection.

Thanks: Electronista

For the first time, Facebook has revealed details about how it tracks users across the web.

Through interviews with Facebook engineering director Arturo Bejar, Facebook spokesman Andrew Noyes, Facebook corporate spokesman Barry Schnitt and Facebook engineering manager Gregg Stefancik, USA Today‘s Byron Acohido was able to compile the most complete picture to date of how the social network keeps tabs on its 800 million users.

Here is what Acohido learned:

    • Facebook doesn’t track everybody the same way. It uses different methods for members who have signed in and are using their accounts, members who are logged-off and non-members.
    • The first time you arrive at any Facebook.com page, the company inserts cookies in your browser. If you sign up for an account, it inserts two types of cookies. If you don’t set up an account, it only inserts one of the two types.
    • These cookies record every time you visit another website that uses a Facebook Like button or other Facebook plugin — which work together with the cookies to note the time, date and website being visited. Unique characteristics that identify your computer are also recorded.
    • Facebook keeps logs that record your past 90 days of activity. It deletes entries older than 90 days.
    • If you are logged into a Facebook account, your name, email address, friends and all of the other data in your Facebook profile is also recorded.

Data about web searches and browsing habits could be used to figure out political affiliations, religious beliefs, sexual orientations or health issues about consumers. According to USA Today, this type of correlation doesn’t seem to be happening on a wide scale, but the concern of some privacy advocates is that selling data could become a tempting business proposition — both to social networks like Facebook and online advertising players such as Google, Microsoft and Yahoo that similarly employ cookie tracking techniques.

Facebook told USA Today that it uses data collected via cookies to help improve security and its plugins and that it has no plans to change how it uses this data. It has, however, applied for a patent on a technology that includes a method that correlates ads and tracking data.

“We patent lots of things, and future products should not be inferred from our patent application,” Facebook corporate spokesman Barry Schnitt told USA Today.

Regardless of how Facebook is handling the data it collects through cookies, by doing so it has entered a very sticky debate about whether consumers should be able to opt out of being tracked by such methods. Aproposed law that would create this option was introduced in February.

While a recent poll found that about 70% of Facebook users and 52% of Google users were either somewhat or very concerned about their privacy, some argue that online commerce would suffer without online tracking.

Thanks: Mashable

 

image

Internet safety is a topic that we are all commonly reminded of as we move to an increasingly digital age. Now, another reminder of how much we willingly share with those we don’t know has been shown, as reported by the BBC.

Using what is known as a ‘socialbot’, researchers were able to acquire information that a Facebook spokesperson rebuked as being “overstated and unethhical”. A socialbot is a botnet adapted for usage on social networks. The worst part of the socialbot’s power is how affordable it is. Dubious websites offer the bots for sale over the internet for as little as 29USD, or 18GBP.

A socialbot differs from a normal botnet in the sense that it can pass itself off as a normal Facebook user. A regular botnet is a type of virus that can infect a user’s computer, and can make use of this to send out spam or partake in digital attacks against other websites. The socialbot takes control of an existing Facebook account, and is able to perform normal activities, such as posting statuses and sending friend requests.

The research was performed by four members of the University of British Colombia, with 102 socialbots being commanded by one ‘master’. The master sends commands to the other bots, which they then act upon. These commands would likely consist of seeking profiles and adding them. In the space of eight weeks, the bots sent out 8,570 friend requests and had 3,055 acceptances. The research showed a relation in the number of Facebook friends a user had, and the likelihood of the socialbot being accepted as a friend.

Remaining within Facebook’s limitations for sending friend requests, the bots sent only 25 requests per day. Any more and the bots risked triggering the fraud detection and prevention system existing on Facebook. According to Facebook, the research is not reflective of how they prevent socialbots operating, as the accounts operated from ‘trusted’ university IP addresses. An IP address used by a real-life criminal operating socialbots would apparently raise alarm bells within the company.

Many people are now growing more aware of friend requests coming ‘out of the blue’, so to speak, and it reflects how people could be growing more aware of the people seeking to acquire more information, whether you intended to give them the information or not.

Thanks: Neowin

Fake Netflix Android app discovered

When it comes to its streaming video service, Netflix can be access by any number of devices and software programs. That includes the official Netflix app for Android-based smartphones. But it looks like a person has now created a malicious Android app that’s made to look much like the real one. The PC security software company Symantec has sent out an alert to this fake app which it calls Android.Fakeneflic.

As you can see in the picture above, the user interface for Android.Fakeneflic closely resembles the real Netflix Android program and could easily be downloaded and installed by an unsuspecting Android smartphone user. Symantec’s alert says, “The malicious app is not too difficult to understand. Despite the fact that there are multiple permissions being requested at the time of installation – identical to the permissions required by the actual app – our analysis shows that this is, in fact, a red herring, probably used to add to the illusion that the end user is dealing with the genuine article.”

The goal of Android.Fakeneflic is apparently to record the Netflix user name and password of the affected Netflix subscriber and send that information to a remote server, although Symantec’s alert claims that server doesn’t appear to be online at the moment. It adds, “Once a user has clicked on the ‘Sign in’ button, they are presented with a screen indicating incompatibility with the current hardware and a recommendation to install another version of the app in order to resolve the issue. There is no attempt to automatically download the recommended solution.” The alert doesn’t say if the fake Netflix app is available on the Android Marketplace or if it is found on a third party app store.

Thanks: Neowin

Facebook on Monday defended its practice of gathering data from “Like” buttons even after users have logged out, saying that the collection is part of a system to prevent improper logins and that the information is quickly deleted.

The comments from the social-networking giant come after Australian technologist Nik Cubrilovic published findings showing that unique identifiers were sent from “Like” buttons when users were not logged in, raising questions about the privacy implications of Facebook’s vast presence on the Web.

“Even if you are logged out, Facebook still knows and can track every page you visit,” Cubrilovic wrote in a blog post about the issue. “The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.”

Here’s how the Facebook data collection works: When you log in to Facebook or visit Facebook.com without logging in, the site places small files called “cookies” on your computer. Some of these cookies remain on your computer even after you log out, and then whenever you visit a site that connects to Facebook – such as those with a “Like” button – information from those cookies is sent back to Facebook, providing a record of where you’ve been on the Web.

Facebook acknowledges that it gets that data but says it deletes it right away. The company says the data is sent because of the way the “Like” button system is set up; any cookies that are associated with Facebook.com will automatically get sent when you view a “Like” button.

“The onus is on us is to take all the data and scrub it,” said Arturo Bejar, a Facebook director of engineering. “What really matters is what we say as a company and back it up.”

In a statement, a Facebook spokesman said “no information we receive when you see a social plugin is used to target ads.”

Bejar said Facebook is looking at ways to avoid sending the data altogether but that it will “take a while.”

So why does Facebook keep cookies after you log out in the first place? Bejar said that it’s to prevent spam and phishing attacks and to help keep users from having to go through extra authentication steps every time they log in.

When a user logs in to Facebook from a new computer, the site will often make them take steps to prove that they are who they say they are, rather than someone attempting to log into an account improperly. Cookies allow Facebook to skip those steps when people are logging in from a computer they’ve used before, Bejar said.

But Facebook has been under fire lately over privacy, and the fact that Facebook is getting data at all after people have logged out is raising concerns. “This is not what ‘logout’ is supposed to mean,” Cubrilovic wrote.

This is not the first time people have questioned how much information Facebook gets from “Like” buttons.

In May, the Journal’s Amir Efrati wrote that Facebook would continue to collect browsing data even if users closed their browser or turned off their computers, until they explicitly logged out of Facebook. The current findings, which your Digits blogger confirmed on her computer, indicate that the collection continues even after users explicitly log out.

And earlier this year, Facebook discontinued the practice of obtaining browsing data about Internet users who had never visited Facebook.com, after it was disclosed by Dutch researcher Arnold Roosendaal.

Thanks: WSJ

Anonymous FacebookOp is a hoax

image

t wasn’t too long ago that I was lurking in AnonOps’ IRC channel during Operation Payback, the Anonymous action that “took down” a few well-known financial companies’ landing pages, and generally stirred up a lot more media than they deserved. I remember the general chaos and script kiddie-like enthusiasm that pervaded the public chat areas and trying to make sense of the mystique and reverence that the channel operators enjoyed. I also remember a lot of people yelling about Amazon.com, that it was just as bad as the other financial companies that denied donations to Wikileaks, and that it should be “taken down” in turn.

Almost every time, someone a little more wizened and experienced would chime in and say that you don’t just “take down” Amazon.com; websites, especially the ones that are the veritable bastions of distributed cloud systems, scalability, and server infrastructure, aren’t really susceptible to script kiddies en masse. Distributed Denial of Service attacks are not new and it’s amusing to watch people drool over the piece of software that enables you participate in them (Low Orbit Ion Cannon) as if it’s some sophisticated and occult hacking device that magically “takes down websites.”

I keep putting “take down” in quotation marks for a reason. The most damaging wound that Anonymous has ever inflicted on a website is temporarily taking down its homepage, which simply bars visitors from viewing it. This isn’t “taking down” a company. All you’ve done is piss off some sysadmins and alienated some users who needed the site. Putting up an alternate message on the homepage, sometimes embarrassing the site, doesn’t constitute taking down very much. As I’ve seen one comic strip put it, it’s the equivalent of defacing a poster in the lobby.

This is in stark contrast to the recent doings of LulzSec and the Antisec movement as a whole. Those groups are determined to actually do some damage, and damage they certainly do. They have distributed troves of personal and confidential information, swiped maliciously from government and law enforcement websites. While not causing downtime per se, these actions are for more harmful to an organization than simply defacing its landing page.

This is why Anonymous will never attack Facebook. Aside from the numerous other circumstantial evidence that point to yesterday’s announcement being a hoax to begin with (new YouTube account, non-standard Twitter account, non-Pastebin distribution, and none of the usual chatter), you can’t just “take down” Facebook. Facebook is not a website. It isn’t staffed by a few starving sysadmins without the resources to plan for, preempt, and defend from this kind of decidedly primitive attack.

According to Alexa, 44% of global Internet users visited Facebook.com yesterday. In 2010, Facebook was running more than 60,000 servers. 3 billion photos are uploaded to Facebook every month. These numbers are constantly growing. Think about the scale of that number for a moment and it’s quite obvious to see that trying to “take down” Facebook is about as foolhardy a fantasy as simply walking into Mordor. Furthermore, just to add another layer of disbelief, Anonymous is warning Facebook months ahead of time that this is happening!

If the FacebookOp announcement is not a hoax (and it most certainly is), then this is obviously a desperate grasp at some kind of publicity. Anonymous has been rightfully overshadowed by the much more harmful and inflammatory AntiSec groups, and is probably looking for a way to get their hacktivist agenda back on the media’s radar screen. Suffice it to say that it worked; they have the media’s rapt attention. The other possibility, albeit highly unlikely, is that Anonymous actually has the firepower and wherewithal to bring Facebook to its knees. If this really is the case, and Anonymous has evolved from the chaotic and leaderless group we know it to be, we’re obviously dealing with something much larger than hacktivism, and it’s a scenario in which 600 million or so of the world’s population would be victims. While it’s an interesting plot for a bad sci-fi movie, I’m not ready to acknowledge that Anonymous has anywhere near the capabilities required to pull off something as huge and nefarious as “killing Facebook,” and I think Facebook sysadmins would agree.

Thanks: Neowin

image

China suffered about 493,000 cyber attacks last year, about half of which originated abroad, particularly the United States and India, according to a computer security report issued Tuesday in the northeastern port city of Dalian.

Most of the attacks came in the form of malicious “Trojan” software used by hackers to gain access to target computers, according to the National Computer Network Emergency Response Coordination Center of China, the country’s primary computer security monitoring network.

The report said 14.7 percent of the malicious programs came from Internet Protocol addresses (IPs) located in the United States, with another 8 percent located in India.

International cooperation has been enhanced, the report said, citing an example of Beijing and Seoul cooperating to thwart Republic of Korea-originated cyber attacks targeting a ring-back tone website registered in northwest China in May 2010.

The report said hacking that tampers with web pages is often politically or religiously motivated, though sometimes it is purely to show off. Some government agencies’ websites are often targeted by IPs that originate from Turkey, with hackers displaying texts and pictures intended for political and religious campaigns, it said.

Hackers tampered with nearly 35,000 web pages — including 4,635 government websites — in the past year, the report said, up 67.6 percent from a year earlier. It said 60 percent of websites of ministry-level government departments are at risk of being hacked.

Concerning domestic cyber attacks, the report said an increasing number of financial institutes or online payment platforms are being fabricated. Hackers steal customer information on these fabricated websites and use it to gain access to financial accounts through online banking.

The Chinese report came days after U.S. cybersecurity company McAfee said it had no direct evidence that a particular nation is behind the global scheme and added that it never accused China of being involved. The company’s recent report discovered an unprecedented series of cyber attacks on 72 government agencies and business organizations worldwide.

China has the world’s largest online population — 485 million Internet users.

Thanks: English News

image

As Android devices get more popular (today comScore reports Android phones comprise 40% of the U.S. smartphone market), they’re becoming a more attractive target for cybercriminals. If you use an Android smartphone, you are now 2.5 times more likely to encounter malware (malicious software) than you were six months ago.

This isn’t just about apps. This year, 30% of Android users are likely to encounter a Web-based threat such as phishing scams, “drive by downloads” and browser exploits.

This is according to a new threat report from Lookout Mobile Security. Obviously, Lookout is selling mobile-security tools. However, individual and collective mobile security risks are real.

Whether you opt to pay for mobile security, use a free service or manage it yourself, you should be aware of the risks and use basic mobile safety skills.

Cybercriminals aren’t simply targeting Android devices more often, they’re also getting sneakier about it.

Specifically, Lookout notes that attackers are using new techniques to distribute malware to phones. These include “malvertising” (ads served up through legitimate apps that lead you to a fake Android market and trick you into downloading malware, like GGtracker) and “upgrade attacks” (where the initially downloaded app is clean, but later upgrades deploy malware).

How can mobile malware harm you? First of all, cybercriminals can rack up charges to your phone bill through “carrier billing,” a payment option that wireless carriers are increasingly pushing –and which Google is starting to make possible for Android market app purchases. Malware also can sign you up for “premium SMS” text messaging services.

Furthermore, mobile malware and spyware can pull sensitive data from your phone — such as your credit card numbers, online banking or e-mail account login credentials or your contacts list.

Infected phones also can become part of a “botnet,” which means your phone could be used without your knowledge as part of a larger attack scheme. This can also drive up your data traffic, which can push you toward your data plan’s cap faster.

Why is Android a bigger mobile security concern? It’s an open platform, which presents significant pros and cons.

On the bright side, Android’s openness has made it easier for vendors to offer cheaper smartphones (especially without costly two-year contracts) to a much broader consumer market. On the downside, Android’s openness also makes it especially susceptible to malware.

Users of Apple and BlackBerry mobile devices are not immune to mobile security threats. But the closed nature of those platforms does make it harder for cybercriminals to infiltrate those devices with malware.

However, threats such as e-mail phishing attempts and PDF exploits can put any mobile user at risk — even on the iPhone. (Apple recently patched its latest PDF vulnerability, but future iOS risks are always a possibility.)

Learn more about mobile security risks

John Hering, co-founder and CEO of Lookout, explains that a credulous user mindset has been a key factor in mobile security risks.

“We’ve observed that most mobile users are far more trusting about how they download and install software on their phone, compared to their computer,” he said. “But fortunately that’s starting to change. Android users especially are starting to get more discerning.”

However, the way people tend to use smartphones can also put them at risk. Hering noted that mobile users tend to be in distracting environments, so they generally provide only short bursts of divided attention to their phones.

Kevin Mahaffey, Lookout’s CTO and co-founder, explained that spotting malware on mobile devices is a bigger technical challenge than on computers.

“Personal computers have lots of power — both energy and processing capacity — so it’s easy to run security analyses in that environment. If it were even possible to run the same types of analytics on a mobile phone, that would destroy battery and take two decades to build,” Mahaffey said.

“So we had to consider, what if we could change the way malware detection is done? Instead of doing it on individual devices operating out in the world, what if we put it all on a big server and treat it as a data mining problem?”

This concept formed the genesis of Lookout’s Mobile Threat Network, which provides mobile device security through an online platform that aggregates and constantly scans anonymized data gathered from over 700,000 mobile apps.

One advantage of this approach is speed. Also, users don’t have to remember to update Lookout security software; the system constantly updates itself.

Mahaffey notes that if your phone is running an older version of the Android operating system, you face greater mobile security risks.

On Android phones, OS updates get deployed via a variety of manufacturers and wireless carriers. Because of this complexity, on many phones system updates lag behind — sometimes far behind — the latest “flavor” of Android (currently 2.3 “Gingerbread” for phones).

Unless you’ve rooted your Android phone to gain complete control over it, it’s up to the carrier and manufacturer, not you, when your phone will get a system update.

In contrast, iPhone system updates get deployed by a single source: Apple. So at any given time most iPhones in use probably have a fairly up-to-date version of iOS (unless it’s a much older device, such as the iPhone 3G).

Complicating this picture, to keep costs down some Android phone manufacturers skimp on processing power and other device capabilities. So some cheaper phones simply are not able to run the latest version of Android well, or at all.

This is why some brand new but cheaper models come with vastly outdated flavors of Android — like the Huawei Ascend, currently sold by MetroPCS for $99 on a $50/month no-contract plan, which comes with Android 2.1 (“Eclair,” released back in January 2010).

What red flags should mobile users watch for? According to Hering and Mahaffey, strange text messages coming from unknown sources are a common clue that you may have been subscribed unwittingly to a premium SMS service. You should contact your carrier immediately to report these.

Also, check your phone bill online periodically — probably more often than once a month.

Malware can cause a lot of surreptitious activity on your phone, so battery performance might be a clue. “If your battery suddenly starts draining really fast, consider that it might be malware,” Mahaffey said.

Hering also recommends healthy skepticism.

“Scrutinize permissions for Android apps before you download them. Does that game or utility really need permission to send premium SMS messages? Probably not,” he said.

Thanks: CNN

Microsoft has collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world and makes them available on the Web without taking the privacy precautions that competitors have, CNET has learned.

The vast database available through Live.com publishes the precise geographical location, which can point to a street address and sometimes even a corner of a building, of Android phones, Apple devices, and other Wi-Fi enabled gadgets.

Unlike Google and Skyhook Wireless, which have compiled similar lists of these unique Wi-Fi addresses, Microsoft has not taken any measures to curb access to its database. Google tightened controls last month in response to a June 15 CNET article, and Skyhook uses a limited form of geolocation to protect privacy.

Microsoft assembled the database through crowdsourced data gathering from Windows Phone 7 devices and through what it calls “managed driving” by Street View-like vehicles that record Wi-Fi signals accessible from public roads. Its Web interface is, the company says, intended to provide “search results, weather, movie times, maps and directions based on a device’s current location.”

CNET has confirmed how Live.com’s interface works independently and also with Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory who recently analyzed Microsoft’s application programming interface, or API. He plans to summarize his findings in a related talk with two other researchers at the Black Hat security conference in Las Vegas next week.

Bursztein recommended that Microsoft adopt some of the same limits that its competitors already have. “I think what Google does is the smart thing to do,” he said. “It’s a pretty good solution.”

Reid Kuhn, a program manger with Microsoft’s Windows Phone Engineering Team, sent CNET this statement: “To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses.”

Microsoft did not, however, respond to questions whether its database includes only Wi-Fi devices acting as access points, or whether client devices using the networks have been swept in as well–something that Google did with its Street View cars. A May blog post touts “Transparency About Microsoft’s Practices,” but doesn’t provide details.

If Microsoft collects and publishes only the Wi-Fi addresses of access points, the privacy concerns are lessened. But millions of phones and computers are used as access points–tethering is one example, and the feature is built into Apple’s OS X operating system–meaning that their locations could be monitored.

It’s true that Wi-Fi addresses, also called MAC addresses, aren’t typically transmitted over the Internet. But anyone within Wi-Fi range can record yours, and it’s easy to narrow down which addresses correspond to which manufacturer.

Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone or a laptop’s configuration menu can obtain it in a few seconds as well. And hobbyist hacker Samy Kamkar created a proof-of-concept code last year that uses what’s known as a cross-site scripting attack to grab the location of Wi-Fi routers that can be seen from an unsuspecting visitor’s computer.

A Microsoft representative pointed CNET to a list of Web pages, including one describing how geolocation works in Internet Explorer 9 and another discusses Windows Phone 7 and geolocation. Microsoft does not appear to provide an opt-out mechanism that would allow someone to remove his or her Wi-Fi address from the Live.com database.

Microsoft’s database extends beyond U.S. locations. A CNET test of a range of Wi-Fi addresses used by HTC devices showed that Live.com returned locations linked to street addresses in Leon, Spain; Westminster, London; a suburb of Tokyo, Japan; and Cologne, Germany.

Some Wi-Fi addresses appeared to change positions, meaning the Live.com database–located at http://inference.location.live.com–could be used to track the movements of a handheld device. In addition, some Wi-Fi addresses were added or deleted to the database over the period of a few days.

Google has taken multiple privacy steps that Microsoft has not, including using geolocation to filter requests (to find out where a wireless device is, you already have to know it’s approximate location to about one city block). Another is that the search company’s database does not appear to include the Wi-Fi addresses of Android devices acting as wireless hotspots.

Here’s how it works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google’s database doesn’t include the MAC address 02:1A:11:F2:12:FF. But Microsoft’s does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Source: cnet / Fayerwayer

The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.

As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results. (see image above)

This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.

We hope to use the knowledge we’ve gathered to assist as many people as possible. In case our notice doesn’t reach everyone directly, you can run a system scan on your computer yourself .

Thanks: Google (via google blog)