The HP study focused purely on custom business apps, but there’s no reason to believe the issue doesn’t extend to commercial apps you find in the Apple App Store or Google Play. Many apps have access to data or permission to perform functions they shouldn’t.
If you want to play a game like Angry Birds, there’s no reason that it needs to have access to your contacts, and a weather app probably doesn’t need to be able to send email on your behalf. The security risks in apps go beyond permissions, though. There are issues in how the apps integrate with core functions of the mobile operating system, as well as how they interact with and share information with one another.
In the HP study, 97 percent of the apps contained some sort of privacy issue. HP also found that 86 percent of the apps lack basic security defenses, and 75 percent fail to properly encrypt data. Assuming similar percentages across the hundreds of thousands of consumer apps in the app stores, it’s likely that you have a few security or privacy concerns floating around your smartphone or tablet.
But this isn’t about malicious apps designed to steal your data. It’s mostly a function of lazy coding. Developers write apps that access everything because it’s easier than writing more specific code, and it also paves the way for any future enhancements that might actually need it.
In a BYOD scenario these security and privacy risks are amplified for both the employer and the employee. In most cases, the line between business and personal is not clearly defined, and apps can easily blur that line and put both company and personal data at risk. The problem is exacerbated by the fact that apps are impulse purchases for many users, thanks to low prices and easy installation.
The mobile operating systems have improved in terms of notifying users about the permissions an app is requesting and providing the user with more control to allow or block access to specific functions. But the system still puts too much burden on the user, both to know those controls exist and how to use them, as well as to understand the implications and security concerns of the apps.
The better solution is for developers to build security and privacy into the apps from square one. Developers should be aware of the potential implications of how their apps access data and interact with other apps, and design them to be secure by default.
Via: Network World
Two million logins and passwords from services such as Facebook, Google and Twitter have been found on a Netherlands-based server, part of a large botnet using controller software nicknamed “Pony.”
Another company whose users’ login credentials showed up on the server was ADP, which specializes in payroll and human resources software, wrote Daniel Chechik, a security researcher with Trustwave’s SpiderLabs.
It’s expected that cybercriminals will go after main online services, but “payroll services accounts could actually have direct financial repercussions,” he wrote.
ADP moved US$1.4 trillion in fiscal 2013 within the U.S., paying one in six workers in the country, according to its website.
Facebook had the most stolen credentials, at 318,121, followed by Yahoo at 59,549 and Google at 54,437. Other companies whose login credentials showed up on the command-and-control server included LinkedIn and two Russian social networking services, VKontakte and Odnoklassniki. The botnet also stole thousands of FTP, remote desktop and secure shell account details.
It wasn’t clear what kind of malware infected victims’ computers and sent the information to the command-and-control server.
Trustwave found the credentials after gaining access to an administrator control panel for the botnet. The source code for the control panel software, called “Pony,” was leaked at some point, Chechik wrote.
The server storing the credentials received the information from a single IP address in the Netherlands, which suggests the attackers are using a gateway or reverse proxy in between infected computers and the command-and-control server, he wrote.
“This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down — outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” Chechik wrote.
Information on the server indicated the captured login credentials may have come from as many as 102 countries, “indicating that the attack is fairly global,” he wrote.
Source: Network World
I am going to post this article here from TorrentFreak mainly because this is the site I have recommended to convert MP3s in my article How to Download Free Music on the BlackBerry PlayBook and BlackBerry 10.
One of the world’s largest sites dedicated to converting YouTube videos to downloadable MP3s has lost a court battle with representatives from the music industry. YouTube-MP3, a site that was also threatened by Google in 2012, agreed to cease and desist from its current mode of operation after it was revealed it was not only ripping music from YouTube, but also archiving the MP3s for future download. Despite the loss, the site remains online – legally.
In addition to obtaining music from file-sharing networks, those looking for free tracks often get them from so-called tube-rippers, sites and services that transform YouTube videos into downloadable MP3s.
These tools are available in several formats including desktop packages, apps for mobile devices, and more commonly browser-based tools. In mid-2012 YouTube owners Google, believed to be under pressure from the music industry, started to make life more difficult for web-based YouTube converters and in some cases issued threats to sue.
While some sites decided to shut down, many others continued business as usual, including the German site YouTube-MP3, one of the largest YouTube ripping services around with around 30 million visits per month. The site has long insisted that it has a right to provide ripping services but having fought off Google it recently found itself up against fresh adversaries.
Three music companies under the umbrella of industry group BVMI challenged YouTube-MP3’s assertion that it operates legally and sued it in the Hamburg District Court. The companies said that while YouTube-MP3 claimed to be offering only a rip-and-download service, there were serious technical issues behind the scenes that rendered the site in breach of copyright law.
YouTube-MP3 claimed that users of its service could enter the URL of a YouTube video and have the site convert and churn out an MP3 for download. Apparently, however, that wasn’t always the way it worked. Once a video had been converted to MP3, that audio was stored on YouTube-MP3’s servers. If another user subsequently entered the same YouTube URL, no conversion or ripping was carried out. They were simply handed a copy of the previously stored MP3 for download.
In a statement sent to TorrentFreak, BVMI said that this was a clear breach of copyright law.
“Contrary to the common assumption that YouTubeMP3 is a streamripper that allows users to record songs from the Internet (much as cassette recorders were used to record music from the radio back in the day), in fact the online converter often simply made the pieces available for download without a license,” BVMI said.
BVMI said that by the time the case had arrived in court last month the owner of YouTube-MP3 had already signed cease and desist declarations and agreed to refrain from reproducing and distributing copyright content.
“The current case provides deep insights into the workings of so-called ‘recording services’ and exposes a trick that not only hoodwinks the rights owners but also misleads the users of these services,” said BVMI Managing Director Dr Florian Drücke.
“Under the guise of private copying [YouTube-MP3] deceives people into thinking that everything is above-board, even though the user – unwittingly – avails himself of an illegal download platform. We have for some time pointed out that the vague definition of ‘private copies’ encourages cat-and-mouse games in matters of streamripping, so a clarification at the political level is needed here.”
With the signing of the declarations the Hamburg District Court considered the case closed but ordered YouTube-MP3 to pay everyone’s costs.
TorrentFreak contacted the site’s owner for a comment but as yet we’ve received no response. Presumably life at YouTube-MP3 will continue, but without storing converted MP3s for subsequent download. The end result, of course, is that users of the site will still get ripped MP3s just as they did before, a point not lost on BVMI.
“One thing is clear: this platform, as well as most other streamripper sites, generate considerable advertising income that is not shared with the artists or their partners. This has nothing to do with fairness, nor does it fit with our current digital age, when many music sites – some of them free – can be used perfectly legally on the Internet,” BVMI conclude.
Google is expanding its bug bounty program to include awards for patches that make material security improvements to open source software – even when the software isn’t directly maintained by Google itself.
The Chocolate Factory has been rewarding developers for security fixes to its own software since 2010, when it kicked off its bounty program for the Chrome web browser. Now the company says it will also shell out cash to developers who submit fixes to select non-Google software, too.
To qualify for the program, developers must produce “down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” according to a blog post by Google security team member Michal Zalewski on Wednesday.
Initially, the bounty program applies only to a select group of open source projects, such as the OpenSSL and OpenSSH secure communications libraries, the BIND DNS software, and security-critical components of the Linux kernel, to name a few.
After an initial trial period, it will be expanded to include even more projects, including such popular packages as the Apache webserver, the Sendmail, Postfix, and Exim email servers, and the GNU software development tools.
Zalewski said Google chose this selective approach because it believes it will be more productive than offering bug bounties for just any old open source software.
“In addition to valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers,” he wrote. “On top of this, fixing a problem often requires more effort than finding it.”
Aside from ponying up the cash, Google’s approach will be mostly hands-off. Developers don’t need to clear their fixes with Mountain View before submitting their patches. Instead, they should submit them directly to the maintainers of the projects in question. Once the patches are accepted and the updated code has shipped, they can then email firstname.lastname@example.org with a description of what they did.
“If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7,” Zalewski writes.
In fact, the online ad giant may choose to cough up even more in cases of “unusually clever or complex submissions” – the actual amount of each award being left to Google’s sole discretion.
Then again, some developers may choose to contribute security patches strictly out of a sense of duty. In these cases, Google says they can opt to donate their bounty awards to charity and it will match their donations. Bounties that haven’t been claimed after 12 months will be donated to a charity of Google’s choice. ®
Source: The Register
Android users are probably familiar with the Swype keyboard, which basically allows users to type on their phones just by swiping (or “swyping”) between characters versus pecking at individual letters one at a time. In fact one iOS developer has even attempted to port Swype onto iOS devices, although it didn’t exactly take off. However it seems that Apple did think about keyboard alternatives back in the day, and thanks to a recently published patent, it looks like Apple’s idea was pretty similar to Swype. According to the patent filing, it was filed for back in 2007, the same year that the first iPhone debuted, suggesting that Apple was already looking for keyboard alternatives for touchscreen devices at that time.
However given that it’s 6 years later and the only revision to the Apple keyboard on iOS would be its design, it’s safe to say that Apple decided not to pursue this idea, or other keyboard ideas the Cupertino company and its team might have cooked up then. In any case Apple’s keyboard is more than functional and is pretty accurate as far as onscreen keyboards are concerned.
If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.
Recently IDC reported that 187 million Android phones were shipped in the second quarter of this year. That multiplies out to 748 million phones in 2013, a figure that does not include Android tablets.
Many (probably most) of these Android phones and tablets are phoning home to Google, backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords.
Sounds like a James Bond movie.
Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn’t change it. I suspect that many Android users have never even seen the configuration option controlling this. After all, there are dozens and dozens of system settings to configure.
And, anyone who does run across the setting cannot hope to understand the privacy implication. I certainly did not.
In Android 2.3.4, go to Settings, then Privacy. On an HTC device, the option that gives Google your Wi-Fi password is “Back up my settings”. On a Samsung device, the option is called “Back up my data”. The only description is “Back up current settings and application data”. No mention is made of Wi-Fi passwords.
In Android 4.2, go to Settings, then “Backup and reset”. The option is called “Back up my data”. The description says “Back up application data, Wi-Fi passwords, and other settings to Google servers”.
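For anyone auditing a fleet of BYOD devices rather than tapping through each Settings menu, the same backup switch can be read from a workstation over adb. This is an added example, not part of the article: it uses the stock Android `bmgr` backup-manager shell tool, and the `backup_state_from_bmgr` helper name and the sample output strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): check from a workstation whether an
# attached Android device has the Google backup manager enabled, i.e. the
# "Back up my data" / "Back up my settings" option discussed above.

# Classify the one-line output of `adb shell bmgr enabled`.
# Prints "enabled", "disabled" or "unknown" and returns 0, 1 or 2 accordingly.
backup_state_from_bmgr() {
    case "$1" in
        *"currently enabled"*)  echo enabled;  return 0 ;;
        *"currently disabled"*) echo disabled; return 1 ;;
        *)                      echo unknown;  return 2 ;;
    esac
}

# Talk to a real device only when adb is installed and a device is attached;
# the classifier above can be exercised without one.
check_attached_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not installed; skipping live device check" >&2
        return 0
    fi
    # adb shell output may carry CR line endings; strip them before matching.
    out=$(adb shell bmgr enabled 2>/dev/null | tr -d '\r')
    state=$(backup_state_from_bmgr "$out") || true
    echo "device backup manager: $state"
    # Turning it off from the workstation (equivalent to unticking the option):
    #   adb shell bmgr enable false
}

check_attached_device
```

Run it with USB debugging enabled on the device; "unknown" means adb could not reach a device or the tool printed something unexpected, so inspect the raw output by hand.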
Needless to say “settings” and “application data” are vague terms. A longer explanation of this backup feature in Android 2.3.4 can be found in the Users Guide on page 374:
For details and more information click the source link below.