Tuesday, September 30, 2014

Before You Sign Up: Read 'Terms and Conditions'

 
Several Britons agreed to give up their eldest child in return for the use of free wifi, in an experiment to highlight the dangers of public Internet, published on Monday.
 
Londoners were asked to agree to terms and conditions as they logged on to use free wifi in a cafe in a busy financial district and at a site close to the houses of parliament.
 
The terms included a "Herod clause", under which the wifi was provided only if "the recipient agreed to assign their first born child to us for the duration of eternity".
 
In the short period the terms and conditions were live, six people signed up.

"As this is an experiment, we will be returning the children to their parents," said the tech security firm that ran the experiment, F-Secure.
 
The experiment aimed to highlight "the total disregard for computer security by people when they are mobile", the report said.
 
German ethical hacking company SySS built the device used in the study: a mobile wifi hotspot small enough to be carried in a handbag for around 200 euros ($254).
 
In just 30 minutes, 250 devices connected to the hotspot - some of them doing so automatically due to their settings.
 
The company was able to collect the text of emails they sent, the email addresses of the sender and recipient, and the password of the sender.
 
The head of Europol's European Cybercrime Centre told the study they already had reports of criminals using free wifi to steal personal data.
 
"At best, your device is only leaking information about you - at worst, your passwords are being spilled into a publicly accessible space... anybody on the network can see your information," said F-Secure Security Advisor Sean Sullivan.

Sunday, September 28, 2014

Warning! What your mobile may be giving away


When popular Chinese handset maker Xiaomi Inc admitted that its devices were sending users' personal information back to a server in China, it prompted howls of protest and an investigation by Taiwan's government.
The affair has also drawn attention to just how little we know about what happens between our smartphone and the outside world. In short: it might be in your pocket, but you don't call the shots.
As long as a device is switched on, it could be communicating with at least three different masters: the company that built it, the telephone company it connects to, and the developers of any third party applications you installed on the device - or were pre-installed before you bought it.
 
All these companies could have programmed the device to send data 'back home' to them over a wireless or cellular network - with or without the user's knowledge or consent. In Xiaomi's case, as soon as a user booted up their device it started sending personal data 'back home'.
 
This, Xiaomi said, was to allow users to send SMS messages without having to pay operator charges by routing the messages through Xiaomi's servers. To do that, the company said, it needed to know the contents of users' address books.
 
"What Xiaomi did originally was clearly wrong: they were collecting your address book and sending it to themselves without you ever agreeing to it," said Mikko Hypponen, whose computer security company F-Secure helped uncover the problem. "What's more, it was sent unencrypted."
Xiaomi has said it has since fixed the problem by seeking users' permission first, and only sending data over encrypted connections, he noted.


INDUSTRY ISSUE
 
Xiaomi is by no means alone in grabbing data from your phone as soon as you switch it on.
A cellular operator may collect data from you, ostensibly to improve how you set up your phone for the first time, says Bryce Boland, Asia Pacific chief technology officer at FireEye, an internet security firm. Handset makers, he said, may also be collecting information, from your location to how long it takes you to set up the phone.
 
"It's not that it's specific to any handset maker or telco," said Boland. "It's more of an industry problem, where organizations are taking steps to collect data they can use for a variety of purposes, which may be legitimate but potentially also have some privacy concerns."
 
Many carriers, for example, include in their terms of service the right to collect personal data about the device, computer and online activities - including what web sites users visit. One case study by Hewlett-Packard (HPQ.N) and Qosmos, a French internet security company, was able to track individual devices to, for example, identify how many Facebook (FB.O) messages a user sent. The goal: using all this data to pitch users highly personalized advertising.
 
But some users fear it's not just the carriers collecting such detailed data.
 
Three years ago, users were alarmed to hear that U.S. carriers pre-installed an app from a company called Carrier IQ that appeared to transmit personal data to the carrier.
 
Users filed a class-action lawsuit, not against the carriers but against handset makers including HTC Corp (2498.TW), Samsung Electronics (005930.KS) and LG Electronics (066570.KS) which, they say, used the software to go beyond collecting diagnostic data the carriers needed.
The suit alleges the handset firms used the Carrier IQ software to intercept private information for themselves, including recording users' email and text messages without their permission - data the users claim may also have been shared with third parties. The companies are contesting the case.
And then there are the apps that users install. Each requires your permission to be able to access data or functions on your device - the microphone, say, if you want that device to record audio, or locational data if you want it to provide suggestions about nearby restaurants.

SHEDDING SOME LIGHT
 
But it isn't always easy for a user to figure out just what information or functions are being accessed, what data is then being sent back to the developers' servers - and what happens to that data once it gets there. Bitdefender, a Romania-based antivirus manufacturer, found last year that one in three Android smartphone apps upload personal information to "third party companies, without specifically letting you know."
 
Not only is this hidden from the user, it's often unrelated to the app's purpose.
 
Take, for example, an Android app that turns your device into a torch by turning on all its lights - from the camera flash to the keyboard backlight. When users complained about it also sending location-based data, the U.S. Federal Trade Commission forced the app's Idaho-based developer to make clear the free app was also collecting data so it could target users with location-specific ads. Even so, the app has been installed more than 50 million times and has overwhelmingly positive user reviews.
 
While most concerns are about phones running Android, Apple Inc's (AAPL.O) devices aren't free from privacy concerns.
 
Carriers control the code on the SIM, for example, and this is one possible way to access data on the phone. And, despite stricter controls over apps in Apple's app store, FireEye's Boland says his company continues to find malicious apps for the iOS platform, and apps that send sensitive data without the user knowing. "The iPhone platform is more secure than the Android platform, but it's certainly not perfect," he said.
 
Apple says its iOS protects users' data by ensuring apps are digitally signed and verified by Apple's own security system.

BACK IN THE DRIVING SEAT
 
The problem, then, often isn't about whether handset makers, app developers and phone companies are grabbing data from your phone, but what kind of data, when, and for what.
"If we look at the content sent by many apps it's mindboggling how much is actually sent," said Boland. "It's impossible for someone to really know whether something is good or bad unless they know the context."
 
Handset makers need to be clear with users about what they're doing and why, said Carl Pei, director at OnePlus, a Shenzhen, China-based upstart rival to Xiaomi. OnePlus collects "anonymous statistical information" such as where a phone is activated, the model and the version of software that runs on it, Pei said, which helps them make better decisions about servicing customers and where to focus production.
 
Unlike Xiaomi, Pei said, OnePlus' servers are based in the United States, which in the light of recent privacy concerns, he said, "gives people greater peace of mind than having them based out of China."
That peace of mind may be elusive as long as there's money to be made, says David Rogers, who teaches mobile systems security at the University of Oxford and chairs the Device Security Group at the GSMA, a global mobile industry trade association.
 
"Users are often sacrificed to very poor security design and a lack of consideration for privacy," he said. "At the same time, taking user data is part of a profit model for many corporations so they don't make it easy for users to prevent what is essentially data theft."

Reuters

Tuesday, April 22, 2014

Adverts Overtake Adult Material As Largest Mobile Security Threat

Mobile adverts have overtaken pornography as the biggest threat to phone security, according to new research.

Malware delivered through adverts, known as malvertising, leaves mobile users vulnerable to security breaches.

In February 2014, one in every five times a mobile internet user was directed to malware, it was through web adverts - three times the rate of November 2012.

Malware can harvest user data, copy and store passwords and credit card information, and infect devices with viruses.

Blue Coat Security Labs found that pornography has fallen to the third largest security threat behind "suspicious" material, but remains the most dangerous area as it accounts for more than 16 per cent of all security attacks, when requests for porn via mobile devices don't reach even one per cent of available content.

The malware threats targeting mobile devices are largely confined to potentially unwanted applications and premium SMS scams. 

Potentially unwanted applications, or PUAs, are simply apps, usually disguised as something interesting like the hottest mobile game, that engage in tracking user behaviour or otherwise sharing personal information.

Among the types of data tracked are User-Agent strings, which identify the mobile operating system, its version, the type of installed browser and version, and (depending on the app) additional information about the mobile app the user is running. In addition, HTTP traffic generated by the mobile device’s browser or by mobile advertising services may reveal the mobile device user’s habits, interests, or searches.

Blue Coat predicts that mobile malware will continue to present a threat to users, and urges the makers of mobile phone operating systems to help users better manage how, when, and with whom mobile applications can communicate with the outside world.

Monday, March 24, 2014

Tips for making smartphone apps safe for children

The last year has seen many stories of children racking up app purchases on their parents’ credit cards, simply by clicking yes to the offer of in-game currencies and items. Thankfully, it’s an area that’s being tightened up by the smartphone giants. Here are some simple steps to ensure your children are safely using apps:

In-app purchases

The majority of new games produced for children now include in-app purchases, in which the player can pay a small (or sometimes terrifyingly large) amount to make progress easier in some way. Most phones require you to enter your account password to authorize a payment, but they often then give the user a grace period to make further purchases without authorization.
 
To prevent this in iOS, go to Settings | General | Restrictions, and choose to Enable Restrictions. You’ll be asked to set a passcode, and further down the page you can disable the slider on In-App Purchases. Every single attempted in-app purchase will now require your passcode. In Android, open Google Play, select Settings and scroll down to the User Controls section. Choose Use PIN for purchase, and choose a passcode.

Age restrictions

If you’re worried about your children finding apps they shouldn’t be using, you need to set up parental controls. In most big app stores every app, song and video is age rated, so you can simply set your device to only allow content at or below an appropriate age rating. If your child tries to download something they shouldn’t, they’ll be asked for your password – this way the adults can still access any content they choose. The method varies by platform, but the settings tend to be in the same place as those for in-app purchases, as described above.
The best part is that this doesn’t only work for apps. The same controls can easily be set up to restrict the camera, file transfers, the web browser and any specific sites you want to block, and even any virtual assistants your phone might offer. Explore the settings pages fully – you might be surprised just how safe you can make today’s devices.

Catching rogue apps

Of course, none of this is any good if the app itself is the problem. Compromised apps can contain malware (malicious software) that can steal data from your device and slow performance. To be safe, use a tool such as Norton Mobile Security to scan for harmful apps, and Norton Spot to look for those that display intrusive adware. That way you can hand the phone over safe in the knowledge that it won’t be compromised.

Tuesday, March 11, 2014

Hackers hit web accounts of MtGox boss

Hackers have taken over some of the web accounts of Mark Karpeles - boss of the troubled MtGox Bitcoin exchange.
 
The attack on Mr Karpeles seems to have been motivated by growing frustration over the actions of MtGox.
 
Last month MtGox stopped trading and filed for bankruptcy after finding out that $465m (£279m) in bitcoins had been lost via a security bug.
 
The attacks were mounted on the personal blog and Reddit account of Mr Karpeles and left the hackers in charge of both social media accounts.
 
The attackers used their access to grab detailed information about trading activity at MtGox. They then shared their findings by posting a 716MB file containing much of what they had found.
 
The material posted included an Excel spreadsheet of more than one million trades, entries from MtGox's business ledger and information about its back-office administration software.

Saturday, March 8, 2014

Free Wi-Fi hotspots pose data risk

Sensitive information should not be sent over public wi-fi hotspots, to avoid hackers stealing it, Europe's top cybercrime police officer has warned.

Troels Oerting, head of Europol's cybercrime centre, said people should send personal data only across networks they trusted.

He said the warning was motivated by the growing number of attacks being carried out via public wi-fi.

Europol is helping a number of countries after such attacks, he said.

Stolen data

"We have seen an increase in the misuse of wi-fi, in order to steal information, identity or passwords and money from the users who use public or insecure wi-fi connections. We should teach users that they should not address sensitive information while being on an open insecure wi-fi internet," he said.

The attackers are not using novel techniques, but rely on well-known approaches that attempt to trick people into connecting to a hotspot that, superficially, resembles those seen in cafes, pubs and restaurants and other public spaces.

Man in the Middle

The attacks meant that data swapped when people communicate with a bank, shop via the web or log in to social media sites could be captured by attackers.

As its name implies, in the Man in the Middle attack thieves attempt to insert themselves between users and a hotspot to gather all data passing between the two points. 

Wednesday, February 26, 2014

Android users, beware of growing malware threats

New data suggests that mobile malware is becoming more advanced in its capacity to target smartphone users, according to internet security firm Kaspersky.

In a report published for the years 2012-13, Kaspersky found that in 2013 over 143,000 new modifications of malicious programs targeting mobile devices were detected, indicating a rapid increase in the number of programs that exist.

Additionally, over 3.9m installation packages were used by cybercriminals in 2013 to distribute mobile malware - a figure that rises to 10m unique installation packages over the two years.

The report reads: "The mobile malware sector is growing rapidly both technologically and structurally. It is safe to say that today’s cybercriminal is no longer a lone hacker but part of a serious business operation.

"It is now clear that a distinct industry has developed and is becoming more focused on extracting profits, which is clearly evident from the functionality of the malware."

Concerns have been raised about the percentage of Android users being targeted, with Kaspersky explaining that over 98 per cent of the malware was aimed at smartphone users that use the popular operating system, highlighting its "vulnerabilities and growing popularity".

Worryingly enough, the number of banking trojans circulating is also increasing. Kaspersky says the number of mobile malware modifications for phishing and for stealing bank card information and money from bank accounts increased twenty-fold, with 2,500 infections prevented by the company in 2013 alone.

“The cyber industry of mobile malware is becoming more focused on making profits more effectively, i.e., mobile phishing, theft of credit card information, money transfers from bank cards to mobile phones and from phones to the criminals’ e-wallets,” explains Kaspersky.