While Google doesn’t require the kinds of approvals needed from Apple or Microsoft before an app goes live, the company has been taking some actions to try to keep malicious code out of its virtual storefront.

Bouncer not only looks for known malware and spyware, it also tries to detect behavior that might offer a red flag that a product is malicious. In addition, the company runs every submitted app on its own cloud infrastructure to simulate how the program would run on an Android device. Finally, when the company learns of a new type of exploit, it goes back and rescans all of the apps in the market.

“We have been working on this for a while,” Android Engineering VP Hiroshi Lockheimer said in an interview. “It’s always been a goal of ours to have a secure market.”

Lockheimer said that avoiding a manual approval process is very important to Google, but he said that shouldn’t have to mean giving up security. Bouncer, he said, is Google’s attempt to avoid that trade-off.

“It is the Google way to use technology and automation,” he said.

And, Lockheimer said, it is paying off. While lots of outsiders have said Android malware is on the rise, Google says it has seen a decline in malicious apps in the official Android market. The number of such programs was down 40 percent from the first half of 2011 to the second half of the year, Lockheimer said.

The companies — along with others such as financial-service companies Bank of America Corp., FMR LLC’s Fidelity Investments and eBay Inc.’s PayPal — are hoping to create an environment that allows the recipient of an email from, say, a bank, to feel secure that it isn’t a trick.

Read the rest of this post on the original site »

The Mobile Threat Tracker app consolidates the most recent two weeks’ worth of Lookout’s security data into a kind of mobile heat map. The user sees dots flying around the globe as a real-time visualization of where threats are happening.

When users scroll over the globe, a timeline appears, showing how much of the threat is malware and how much is spyware; the top three threats are listed along with plain-English descriptions, and why Lookout has identified them as malicious.

Kevin Mahaffey, Lookout’s co-founder and CTO, said the app isn’t necessarily about offering immediate solutions, but more about making people aware of when they might be particularly vulnerable on mobile. “People shouldn’t have to be security experts to stay safe. We want to remind them to download apps from reputable app stores, to not go to shady download sites; to look at the developer name behind an app, and make sure it’s legitimate.”

The Mobile Threat Tracker is only available on devices running an Android OS to start, and Mahaffey says it’s unclear whether there will be a version for iOS devices. “Right now, it makes less sense, because there isn’t any real malware on the iPhone,” Mahaffey said, “though at some point there might be a need for it.”

Lookout Mobile Security launched in 2007, and now claims more than 15 million users worldwide. The company says it takes an educational approach to informing people about products for malware and spyware, rather than using fear-mongering in its marketing; it offers most of its apps for free, with additional features available at a premium.

While threats on mobile devices still aren’t as high-scale as malware and spyware on PCs, Lookout’s internal research shows that the amount of malware on mobile has increased.

Lookout said the likelihood of an Android user encountering malware increased from 1 percent to 4 percent over the course of 2011. The company has identified more than a thousand instances of infected applications, double the number it saw in July 2011.

The Lookout report notes that Web-based threats like phishing can carry over easily from PCs, making the likelihood of clicking on a bad link higher than that of acquiring malware through mobile apps. The global yearly likelihood of an Android user clicking on an unsafe link is 36 percent — up 6 percent from just six months ago — while in the U.S., the likelihood is higher than the global average, at 40 percent.

(Photo courtesy of TheTechBlock/Flickr)

AllThingsD.com

Yet now that the attacks have subsided, it’s time to see them for what they are: Nothing more than a blunt instrument that accomplishes nothing constructive.

As of today, only one of the Web sites attacked by the hacker troupe Anonymous is still apparently affected, and that belongs to the Universal Music Group recording label. It currently displays only a message saying “The Site is under maintenance. Please expect it to be back shortly.” Others that had been attacked yesterday, including the sites of the U.S. Department of Justice, the Recording Industry Association of America and the Motion Picture Association of America all seemed to be operating normally.

Thursday’s attacks, which have been described as the biggest action yet organized by Anonymous, were launched in apparent revenge for the FBI’s arrest of several people associated with the file-sharing site Megaupload.com over suspicions of online piracy. Taking place against the backdrop of a wider, more civil protest against anti-piracy legislation currently before the U.S. Congress, the atmosphere around the attacks has been politically charged.

As Molly Wood of CNET put it, the #OpMegaUpload attacks — coming as they did on the heels of Wednesday’s peaceful anti-SOPA protest — seem like an “unsettling wave of car-burning hooligans that sweep in and incite the riot portion of the play,” spurring equally unsettling reactions from the powers that be.

Many outlets have portrayed the attacks as “hacks,” implying that someone had picked a lock in order to commit some kind of sabotage. But the tactic used — a distributed denial-of-service (DDoS) attack — is more aptly compared to a blunt instrument, requiring neither skill nor knowledge, only large numbers of willing participants who team up to swarm a site with more requests than it can accommodate and thus overwhelm its ability to function normally.

The adjective “willing” is debatable, and perhaps inaccurate. Anonymous was able to generate such impressive numbers with the operation — it claimed more than 5,000 participants — by spamming a link in chat rooms and via Twitter that, when clicked, triggered a tool used to launch the attack. People tricked into following the link are given no context or information, and so may or may not have any idea that they’re participating in the execution of a crime.

For the record, it is illegal in the U.S., the U.K., Sweden and other countries to launch and participate in a DDoS attack like the one Anonymous organized. As anyone who has observed the evolution of Anonymous (and its various affiliates using the names LulzSec and AntiSec) should know, the FBI arrested 16 people last July, many of them charged with participating in a DDoS attack against PayPal in protest of its shutting down an account used by WikiLeaks.

In 2009, a New Jersey man was sentenced to a year and a day in prison for launching a DDoS attack against the Church of Scientology. And in 2010, a 23-year-old Ohio man was sentenced to 30 months in prison for launching DDoS attacks against several prominent U.S. conservatives, including the author Ann Coulter, former New York City mayor Rudolph Giuliani and Fox News commentator Bill O’Reilly.

Records like that suggest to me that DDoS attacks never accomplish anything that the people who organize and carry them out attempt to do. At most, they inconvenience the people who visit and operate the targeted sites for a few hours, until the attention spans of the attackers shift elsewhere. They also generate headlines that are forgotten by nearly everyone except the targets, and sometimes law enforcement.

And so it will be this time. Mark your calendars, because the Megaupload revenge attacks will spur a series of arrests later this year. Some of those arrested will be people who didn’t know they were committing a crime. And that certainly won’t help Anonymous’ image. Nor will it further a single bit of what passes for the Anonymous agenda.

A few years ago we moved our company completely off of Internet Explorer to Firefox because you wrote in your column that IE had security holes and lacked speed. Our IT Services provider has told us that IE9 has solved all the pitfalls of previous versions, it’s the safest yet, and there are many business-oriented sites that are much friendlier to IE. So is it OK to go back?

A:

I haven’t done a comparative browser review in a while, but I do agree that Internet Explorer has improved tremendously in speed, security and features. I think IE9 is a good browser and a reasonable choice, assuming you are a 100% Windows shop. IE is the only major browser that lacks a Mac version.

Some caveats: Each of the major browsers has improved, and, by some measures, some competitors beat IE in speed. A new, fast-rising contender since I wrote that old column is Google’s Chrome, which I find to be fast and reliable. IE’s market share, while still the highest, has shrunk dramatically and the browser market is more balanced. Finally, the number of business-oriented sites that require or do better in IE has been greatly reduced from, say, five years ago.

I wrote then:

“The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.”

Part of these predictions or ruminations or whatever you care to call them makes me think of the hijinks of the group that started out in the spring variously known as LulzSec, Anonymous and later adopted the moniker AntiSec. This loosely affiliated group emerged from the wake of the various attacks against Sony, and seemed to have nothing to prove but that it could make mincemeat out of whatever security measures had been put in place by Sony or whatever video game outfit it had targeted on a given day.

Sony’s Playstation Network was a favorite target, and its service was at least partially offline during two months ended in July.

Then, as summer dawned, the group’s members became aware of global politics and teamed up with Anonymous, the Wikileaks-allied band of hackers known for their campaigns of digital civil disobedience. Together they declared “immediate and unremitting war” on governments and corporations, and said their top priority would be to steal and leak any classified government information, including but not limited to email and documentation. They attacked an Arizona police agency as a way of making a statement against anti-immigrant laws in that state, and published the names and home addresses of several officers.

Later they sought to earn some street cred by stealing “secret” documents from NATO, only to learn after the fact that the documents they released had not only been released before, but weren’t even really all that secret to begin with. It wasn’t long before alleged members of the group started showing up in handcuffs, which seemed not to faze them. The prospect of body bags and real-world violence during a confrontation with Mexican drug cartels, however, did.

Yet for all the headlines they garnered and the headaches they caused, the LulzSec/Anonymous/AntiSec gang wasn’t anywhere near the scariest thing to appear on the computer security landscape in 2011. To my mind, one of the top three scariest things was the disclosure of Operation Shady RAT, which Intel-unit McAfee said appeared to be the biggest large-scale compromise ever, affecting 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. McAfee said the attacker was a “state actor,” though it declined to name it. The candidate highest on the short list was, naturally, China.

The second truly scary incident was the attack carried out against RSA Security, a unit of the IT company EMC, the maker of the popular SecurID tokens that so many people have on their keychains and use to create an added layer of security that goes beyond the password. Months later, the U.S. defense contractor Lockheed Martin was attacked with duplicate SecurID tokens.

Finally, the Stuxnet Trojan (used by parties officially unknown, but probably Israel with a little help from the U.S.) continued to fascinate and confound security researchers in 2011. Having caused nuclear centrifuges in Iran to explode in an attempt to set back that country’s nuclear weapons research program, Stuxnet was found to have a sibling called Duqu. Unlike Stuxnet, which messed with industrial control computers and made them do things they wouldn’t normally do, Duqu’s mission was much simpler: Steal everything in sight.

And after that, it was discovered by researchers at Kaspersky labs that Stuxnet and Duqu are part of an even bigger family, with at least three more siblings still undetected by researchers, and that all five were created by the same people and with the same tools. Chances are we’ll see at least a few of those final three in 2012, particularly as tension with Iran heats up.

So while there was much to consider scary happening on the Internet in 2011, I’m grateful for being wrong on one key prediction: That we didn’t see a significant computer attack used to physically harm innocent people on a large scale. That’s one prediction I hope to miss for years to come.

Identity Finder, a New York-based identity theft protection firm, has analyzed the information breached and summarized what the attackers appear to have made off with.

• 50,277 unique credit card numbers, of which 9,651 are not expired
  
• 86,594 email addresses, of which 47,680 are unique
  
• 27,537 phone numbers, of which 25,680 are unique

• 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
• 73.7 percent of decrypted passwords were weak
• 21.7 percent of decrypted passwords were medium strength
• 4.6 percent of decrypted passwords were strong
• Average decrypted password length: 7.1 characters
• 10 percent of decrypted passwords were less than 5 characters long
• Only 4.8 percent of decrypted passwords were 10+ characters long
• Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
• 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world

There are also an additional 2.7 million email messages that the attackers claim to have taken, but that have not yet been released.

Stratfor has promised to inform the customers whose information was taken no later than Dec. 28, which is tomorrow. Anonymous, ever seeking to justify its actions in the name of some higher moral purpose, said in a tweet that Stratfor, which sells subscriptions to its intelligence analysis reports to government, law enforcement agencies and businesses, isn’t “the harmless company it tries to paint itself as,” and that the emails will show that.

@techwriterjim It was conducted by #Antisec. Stratfor is not the “harmless company” it tries to paint itself as. You’ll see in those emails.

December 27, 2011 10:27 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Whatever. Wired reported that someone who participated in the attack said that a total of four servers were breached, and the data on them wiped. The question that then logically arises is this: What was a firm that’s ostensibly in the business of advising business and government clients on security doing about its own?

Some people claiming to represent Anonymous — the lines and affiliations are always difficult to discern — said that the information taken in the attack included user names and passwords of some Stratfor subscribers, plus another 200 gigabytes worth of other data.

Stratfor founder George Friedman confirmed the attack in an email to subscribers; I received it because I’ve been an intermittent Stratfor subscriber over the years. Here’s Friedman’s email:

Dear Stratfor Member,

We have learned that Stratfor’s web site was hacked by an unauthorized party. As a result of this incident the operation of Stratfor’s servers and email have been suspended.

We have reason to believe that the names of our corporate subscribers have been posted on other web sites. We are diligently investigating the extent to which subscriber information may have been obtained.

Stratfor and I take this incident very seriously. Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me. We are working closely with law enforcement in their investigation and will assist them with the identification of the individual(s) who are responsible.

Although we are still learning more and the law enforcement investigation is active and ongoing, we wanted to provide you with notice of this incident as quickly as possible. We will keep you updated regarding these matters.

Sincerely,
George Friedman

And here’s an update to Stratfor subscribers, from Dec. 25:

Dear Stratfor Member,

On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor’s “private clients.” Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications.

We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events. Details regarding the services to be provided will be forwarded in a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.

In the interim, precautions that can be taken by you to minimize and prevent the misuse of information which may have been disclosed include the following:

- contact your financial institution and inform them of this incident;
- if you see any unauthorized activity on your accounts promptly notify your financial institution;
- submit a complaint with the Federal Trade Commission (“FTC”) by calling 1-877-ID-THEFT (1-877- 438-4338) or online at https://www.ftccomplaintassistant.gov/; and
- contact the three U.S. credit reporting agencies: Equifax (http://www.equifax.com/ or (800) 685-1111), Experian (http://www.experian.com/ or (888) 397-3742), and TransUnion (http://www.transunion.com/ or (800) 888-4213), to obtain a free credit report from each.

Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Checking your credit reports can help you spot problems and address them quickly.

To ease any concerns you may have about your personal information going forward, we have also retained an experienced outside consultant that specializes in such security matters to bolster our existing efforts on these issues as we work to better serve you. We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures.

We are also working to restore access to our website and continuing to work closely with law enforcement regarding these matters. We will continue to update you regarding the status of these matters.

Again, my sincerest apologies for this unfortunate incident.

Sincerely,
George Friedman

Then came reports that whoever had taken the information — which included credit card numbers — had used the numbers to make donations in the name of the hacking victims. Here’s a link to what is said to be a screen grab following just such a donation to CARE by an employee of the Defense Intelligence Agency.

While some might applaud the apparent cleverness of Anonymous’s “steal from the rich, give to the poor” attitude, it’s unlikely that the charities in question will ever see a dime of the money that’s been “donated” to them. As Mikko Hypponen of F-Secure pointed out here, once the credit cards in question are reported stolen, the charges will be reversed and the charities will more than likely be on the hook for any fees or penalties that result.

As is often the case with a headline-making attack carried out in the name of Anonymous, there followed a series of claims and counterclaims as to whether or not this was an “official” Anonymous attack, or just the work of someone falsely claiming the Anonymous cloak. There was, for instance, this “emergency press release,” claiming that the attack on Stratfor was “most definitely not the work of Anonymous”:

Following that, Anonymous tweeted, via its semi-official Twitter account @AnonymousIRC, that it “laughed so hard” in response to that message — essentially saying it’s a fake. The group has hinted that it is going to be busy over the next several days.

RT @FiloSottile: “Anonymous denies involvement in #STRATFOR hack. http://t.co/cQ1INYlh” | We laughed so hard at this!

December 26, 2011 5:30 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

One example is the annual tech prediction by analyst Mark Anderson, which I wrote about last week. Another is IBM’s recurring “Five in Five” series, wherein Big Blue looks at the unfolding technology landscape and predicts what innovations are still just this side of “gee whiz” today, but will be commonplace within five years.

Think back to what we were doing in 2006, and how far things have come in that short period of time in terms of consumer and enterprise technology. The iPhone existed only as an Apple prototype. Facebook had just opened itself up to the population at large, beyond just college and university students. Twitter was just getting started. And a tablet was a not-terribly-popular PC design.

As you’ll see, some of these five predictions aren’t exactly mind-blowing, especially if you pay attention to general technology trends. Over the past decade, you’ve probably already heard predictions saying that computer passwords will go away and be replaced by biometrics of some kind, whether in the form of fingerprints or voice authorization or some part of your eyeball. Also: Junk mail I actually want? That one I’ll believe when I see it. However, I really like the “think to call” idea, which sounds like a super speed-dial.

Anyhow, here are IBM’s predictions for stuff we’ll see by 2016, and a video explaining them in a little more detail:

You will make your own energy: Anything that moves has the potential to create energy. Your running shoes, your bicycle and even the water flowing through your pipes can create energy. Advances in renewable energy technology will allow individuals and scientists to collect this energy and use it to help power our homes, offices and cities.

You will not need a password: Your biological makeup is the key to your individual identity, and soon, it will become the key to safeguarding it. Each person’s unique biometric data such as facial definitions, retinol scans and voice files will be composited through software to build your DNA-unique online password. You will be able to log into your mobile phone or have access to an ATM machine by simply speaking your name or looking into a camera.

Mind reading is no longer science fiction: Scientists are researching how to link your brain to your devices, such as a computer or a smartphone, so you just need to think about calling someone and it happens. Scientists have designed headsets with advanced sensors to read electrical brain activity that can recognize facial expressions, excitement and concentration levels, and thoughts of a person without them physically doing anything.

The digital divide will cease to exist: In five years, the gap between information haves and have-nots will narrow considerably due to advances in mobile technology. Growing communities will be able to use mobile technology to provide access to essential information and better serve people with new solutions such as mobile commerce and remote healthcare.

Junk mail will become priority mail: Think about how often we’re flooded with advertisements we consider to be irrelevant or unwanted — it doesn’t have to be that way anymore. In five years, unsolicited advertisements may feel so personalized and relevant it may seem spam is dead. Systems will be able to filter and find only the data that’s important and relevant to you and will bring you the information without you having to ask for it.

With its shares trading down 39 percent since the end of 2010, there’s clearly still a lot of work to be done. But analysts are taking notice and expressing new confidence. In a note to clients this morning, ISI analyst Brian Marshall says HP is looking better for a variety of reasons — one of them is its little-noticed IT security business.

If you break down HP’s various lines of business, you’ll find, Marshall argues, that its security assets are surprisingly strong. In 2009 and 2010, HP made two key acquisitions in the area of security: It spent $1.5 billion for ArcSight, a security software player; before that, it nabbed the networking concern 3Com for $2.7 billion. A key asset in that deal was TippingPoint, a network intrusion prevention product.

Marshall writes that HP’s security assets bring in about $1.5 billion in sales and are growing at about 30 percent year, with gross profit margins in the neighborhood of 80 percent. This compares favorably with security outfit Check Point, which trades at a multiple of about 10 times sales, Marshall says.

Security is going to matter a lot more to HP’s corporate customers, as they start sweating over intrusions by hackers and nation-states poking holes in the infrastructure and looking for valuable information to steal, he says.

If you conservatively assume that HP’s security assets are worth half as much as Check Point, or only five times sales, and then assume that they report a reasonable $2 billion in revenue in calendar 2012, (nearly 2 percent of HP’s expected total sales), you wind up with a business unit that’s worth about $10 billion, or one-fifth of HP’s market cap. Suddenly, the security push that HP announced in September makes a lot more sense.

Security, Marshall says, is just one leg of a four-legged stool that HP has in its favor. The other three legs are its enterprise storage, networking and server businesses, and the “seat” of the stool which tie them all together are the software and IT services businesses. The one weakness, he concedes, is its software portfolio, which has historically been small and limited, and accounts for about 2 percent of sales despite such big acquisitions as Mercury Interactive and Opsware.

Even so, Marshall sees a 30 percent upside to HP’s valuation, and has pegged it with a $34 price target and Buy rating.

One security company has been looking to the device many students have in their hands at all times — their smartphone — to see if a one-touch security app could mean even faster response times.

Colorado-based MyForce has developed the MyForce Campus System, with a compatible mobile app, for university safety officials to receive alerts placed within campus borders. It provides access to such details as a student’s location, health conditions and emergency contacts. The app works on iPhone, BlackBerry and Android smartphones.

The app overrides the phone’s lock feature so — as long as the user has the MyForce app open — the interface will always be accessible, though the screen may dim a bit. If a user is in imminent danger, he or she can press the large button featured on the app that sends an immediate notification to MyForce and to campus security officials (provided they are equipped to use the MyForce monitoring software). MyForce also begins to pinpoint the user’s GPS location and record streaming audio from the phone. (MyForce says this information remains private in the company’s database, aside from sharing it with law enforcement officials at the time of the emergency. It can also be submitted later on as evidence of a crime.)

When the user sends an alert, the phone vibrates and also prompts the user to enter a PIN code — so if it’s a misfire that the user didn’t mean to send, he or she can disarm the app by entering in the PIN. At that point, MyForce says it then stops tracking the user.

“The one thing students always have in their hands these days is a smartphone,” said Brad Zotti, MyForce’s co-founder. The idea for the app occurred to him when he was visiting a college campus and thought about integrating the “blue light” emergency phone stands into a mobile phone. “Even if you call 911, it might take some time for your location to be recognized,” he said. “And other security apps promise to send texts or emails to your closest contacts, but who knows if or when they’ll be able to respond?”

MyForce is currently being used at the University of Colorado Anschutz Medical Campus and the University of Colorado at Colorado Springs. The privately owned company just signed a deal with e2Campus, another school security solutions company, to potentially bring the mobile-app version of the “blue light” system to e2Campus’ client base of around 800 schools in the U.S.

Part of MyForce’s challenge will be convincing more schools to use the app. There may be some resistance on the part of school law enforcement bodies to adopt a third-party security monitoring system, and there could also be varying layers of approval needed at the administrative level.

Even if administrators don’t officially opt in to the MyForce monitoring system, students and parents can still purchase the app themselves, though it may offer a less immediate response action. In that case, MyForce still offers to work with school officials to create a virtual “geo-fence” around a college campus that establishes which areas should be monitored. If a student is in danger and presses the button within that geo-fence, the alert goes to MyForce’s dashboard, and MyForce can then call campus security directly.

It won’t cost anything to download the mobile app, but subscriptions to MyForce cost $11.99 per month or $119 annually.

Since the Virginia Tech massacre in 2007, many schools have put more sophisticated emergency alert systems in place. Universities are required under the Clery Act to provide campus crime reports and timely warnings in potentially dangerous situations.

As we’re reminded today, there are instances in which no amount of campus security, call boxes or instantaneous mobile applications can prevent danger. And apps like MyForce rely on working wireless and data networks in order to send emergency notifications.

Hopefully, as the technology improves, more solutions will emerge to bring help to users in desperate situations and speed up response times even more.

The reason? A scary vulnerability in Java that was detected over the summer, and which Oracle has subsequently fixed, is being exploited by people who create the malware and crimeware that causes so many headaches for home users and corporate IT departments.

The risk is especially acute at large companies with big fleets of desktops and notebooks to manage. If you’re a home user, the patch is easy to install. But most employees don’t have administrative privileges on their work desktops or notebooks, so someone from the IT department has to come and install the patch for them.

That’s a big, time-consuming process, says HD Moore, chief security officer at Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. He’s also the chief architect of Metasploit, which Rapid7 owns.

One of the reasons this particular vulnerability is so bad is that even after it was detected and fixed, it wasn’t fully understood how dangerous it is, Moore says. Crimeware creators somehow figured it out ahead of most security researchers, and started adding code to Web sites designed to take advantage of it. And that’s especially dangerous at this time of the year, when people are shopping online both at home and the office. “It’s kind of like a perfect storm,” Moore told me yesterday. Add to that the fact that many companies have IT staff taking vacation during the holiday season, and the timing couldn’t be worse.

Enterprise is historically bad at patching Java vulnerabilities anyway, because it doesn’t have the same automatic update tools that Windows or Adobe Flash does. “The tools for patching Java aren’t that great,” Moore told me. “A Java update just isn’t treated with the same fervor as a Windows update.”

So how bad is this one? The National Vulnerability Database rates it a 10 out of 10 on the severity scale, and also rates it as “low” on the access complexity scale — meaning it’s really easy for the bad guys to carry out an attack using it.

Security blogger Brian Krebs discovered the vulnerability being “weaponized,” that is, built into the software that computer criminals buy on the black market. For instance, those who have bought something called the Blackhole Exploit Kit, a $4,000 software toolkit used to target Windows machines, are getting automatic updates that include tools to take advantage of the Java vulnerability.

What to do until you can get all your machines updated with the latest version of Java? Simple, really: Disable it and block it at the firewall, until all the machines on the network that need the update have it, Moore says.

Rapid7, incidentally, is a security company on the rise. Just last month it raised a $50 million series C round of funding, led by Technology Crossover Ventures and joined by previous investors Bain Capital Ventures; Tim McAdam, a TCV partner, joined Rapid7′s board.

The findings of a Connecticut-based systems administrator have sparked alarm in millions of smartphone users, after security researcher Trevor Eckhart published a video showing how a cellphone software company has the ability to log users’ Web searches and keystrokes.

The technology, made by Carrier IQ, is currently deployed on more than 150 million devices worldwide.

Research In Motion and HTC — the maker of the phone targeted in the security demo — have issued statements denying that Carrier IQ is preinstalled on their devices. Meanwhile, U.S. Sen. Al Franken (D-Minn.) has sent a letter to Carrier IQ seeking more information on what the software does.

Carrier IQ has told AllThingsD that while its software has the ability to receive a tremendous amount of information, some of which could be relayed to a carrier for diagnostics purposes, the company doesn’t log keystrokes and the software is not being used to gather intelligence about the phone’s user.

But while we wait for more answers, what’s a smartphone user to do?

Google Android Phones: If you’re wondering whether your Google Android phone might have Carrier IQ installed on it, Eckhart, the researcher behind all of this, points people to a Logging Test app that he claims can be used to verify “what logging is being done on your phone and where the data is going to.” If successfully installed — which we hear may take some finagling, including emailing the app link to yourself to access it, and “rooting” your phone first — the $1 app is meant to detect Carrier IQ and remove it.

According to his blog post, Eckhart has tested this app on the HTC Evo 3D phone; he believes it works on the Sprint Evo 4G and HTC Thunderbolt, as well.

But since the Google Android operating system runs on devices from multiple manufacturers, it is not known at this point which models could be running Carrier IQ and which ones are not.

It should be noted that some manufacturers have denied responsibility for the app; HTC, for example, has put the blame on wireless carriers, and basically advises HTC phone owners to contact their carriers. The company did add it was looking into an option for allowing its customers to opt out of the Carrier IQ application, but no further details were given beyond that.

Sprint has not yet responded to my inquiry as to whether the wireless company was actively involved in the installation of Carrier IQ, or how users might disable such applications on Sprint. AT&T said it uses Carrier IQ solely to improve its network performance; Verizon claims not to use it at all, although my colleague John Paczkowski reports that may not be the case.

RIM BlackBerrys: While RIM hasn’t explicitly pointed to wireless carriers as HTC did, the BlackBerry maker also denies any involvement with Carrier IQ, stating “RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution.”

However, the next part of RIM’s statement on the BlackBerry developers forum indicates that it’s possible Carrier IQ could live on a BlackBerry device.

According to BlackBerry Development Advisor Mark Sohm: “If the Carrier IQ application is present on a BlackBerry smartphone, it does not mean that the Carrier IQ application has ‘hacked’ the BlackBerry platform. It means that either the BlackBerry smartphone user or the user’s BlackBerry Enterprise Server admin explicitly installed the application and authorized it to run.”

In other words, if it’s on your phone, you may have granted it access in some way, shape, form or click of your Qwerty keypad.

Apple iPhones: Apple has issued a statement to AllThingsD declaring that the company stopped supporting Carrier IQ with iOS 5, its latest version of mobile software, and plans to remove it from future mobile software updates, too.

But what if you’re running an earlier version of iOS on your iPhone and are worried about where your data is going? Apparently, you can opt out of having your usage data submitted for diagnostics. To do that, go to to Settings → General → About → Diagnostics & Usage. Select “Don’t Send.”

More info to come as I get it.

Related Posts on Carrier IQ:

• Exclusive Interview: Carrier IQ Gets Transparent About Its Mobile Monitoring
• Carrier IQ: How to Hack Back Your Phone
  
• Carrier IQ Speaks: Our Software Monitors Service Messages, Ignores Other Data
• Apple: We Stopped Supporting Carrier IQ With iOS 5
• RIM, HTC, Google on Carrier IQ: Blame the Carriers
• Carrier IQ Improves My Wireless Service by Logging My Keystrokes? Please Explain.

Full Carrier IQ Coverage »

Printers are Internet-connected devices just like computers. They have their own operating systems and software, and so, in theory, are vulnerable to attacks by hackers just as computers are. There was an old urban myth that in the run-up to the first Iraq War in 1991, hacked HP printers shipped to Iraq were instrumental in shutting down Iraqi radar systems. It wasn’t true — it was published on April 1 of that year by the trade magazine InfoWorld — but the idea stuck, and at least one group of security researchers has been studying the use of Trojans installed into printers.

The Columbia researchers had claimed that a part inside a printer called a fuser, used to dry the ink, could be remotely instructed to overheat, eventually causing paper inside the printer to turn brown and start to smoke.

Conceptually it’s not that different from the Stuxnet attack against the Iranian nuclear research program. The attackers in that case, thought to be Israel with a little help from the U.S., attacked industrial control computers known as SCADA systems that serve as the bridge between typical Windows-based machines and industrial equipment that the SCADA systems control. In the case of Stuxnet, the SCADA systems were controlled — often they have only default passwords or no passwords at all — and the machines they were connected to could be instructed to literally destroy themselves.

Some researchers at the U.S. Department of Energy’s Idaho National Lab did just that in the video below, showing in a controlled environment that a generator could be hijacked over the Internet and made to destroy itself.

But could you do the same thing with a printer? Theoretically, I’d say it’s possible. But in this case, HP says not where its printers are concerned.

Below is an internal HP memo from Vyomesh “VJ” Joshi, the head of HP’s Imaging and Printing Group, that was circulated to employees today.

First off, he says, the fire issue is not true. As noted in the public statement, HP’s printers have a component called a thermal breaker that prevents the fuser from overheating, and it can’t be overcome by a firmware upgrade.

But Joshi also spanks the Columbia researchers for turning to the media and not calling HP first, which is the way security researchers usually operate when they identify a serious vulnerability. There is, he concedes, a vulnerability to malicious firmware modifications, especially on printers that are left unprotected on a network without a firewall running. HP aims to fix that. But usually in these situations, the media doesn’t get called until a fix is ready. “Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available,” he writes.

Joshi’s full memo is below.

From: IPG, Vyomesh Joshi
Sent: Tuesday, November 29, 2011 4:40 PM
Subject: Inaccurate Printer Security Press Coverage

Dear IPG Employees,

As many of you have read today there has been sensational and inaccurate press coverage regarding potential security risks with some HP LaserJet printers. I wanted to make sure you had the most current information and context for this situation. No customer has reported unauthorized access. We have also seen speculation in the media regarding the potential for devices to catch fire due to a firmware change. This claim is inaccurate. We have issued a public statement communicating to customers and partners and refuting inaccurate information.

This information first came to us late last week from a research lab based at Columbia University. As a result, we have identified a specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall or if a malicious effort is made to modify the firmware of the device by a trusted party on the network. Our security team is taking immediate measures to build a firmware upgrade to resolve any potential risk and will be communicating this proactively to customers and partners who may be impacted.

Typically when a security issue is identified, responsible disclosure is followed so that vulnerabilities are not made public until a solution is available. Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available.

We have always taken security very seriously. In fact, HP’s reputation for security continues to be among the highest in the industry. I want to assure you that our security experts are working around the clock to mitigate any potential risk.

We will make every effort to communicate new information as it becomes available.

Regards,

VJ

The company was founded last year by security hacker Moxie Marlinspike (pictured) and robotics researcher Stuart Anderson. It offered software for Android phones that secured user data, created firewalls and encrypted calls and texts.

Whisper said its products would “live on” post-acquisition but would be taken offline for the moment.

Gone are the days when you’d get a company-issued BlackBerry and laptop locked down and secured to within an inch of its life. Now, everyone — from the CEO and the board of directors on down to interns — expect to get their corporate email, access to internal corporate networks and documents on their personal iPads, iPhones and Android devices.

IBM today announced a new service aimed at helping IT admins get control of the devices they’re being asked to support. Big Blue calls it IBM Hosted Mobile Device Security, and its capabilities include making sure personal devices comply with corporate security policies, protecting them against malware, tracking user activity and making sure network connections are secured. It’s working with Juniper Networks on the service. And it covers pretty much every smartphone platform you can think of: Apple’s iOS, Android, BlackBerry, Nokia’s Symbian, and Microsoft’s Windows Mobile.

The BYOD — or “bring your own device” — trend is the sort of thing that gives IT administrators night sweats. A Dell Kace survey of 750 IT managers found that 87 percent of companies have employees using some kind of personal device accessing a corporate network. The same survey found that 62 percent of IT admins feel they don’t have the tools to properly manage them all.

Phones get lost, for one thing. A lost phone that can still access confidential information is a liability. And worse, because of the value of information they can store and access, hackers are paying more attention to mobile devices than ever before. A study by IBM projects that the number of software weaknesses that can give a criminal access to data stored on or accessed by a phone or tablet will double this year over 2010. More or less nonexistent as recently as 2006, IBM’s X-Force security unit tracked 15 exploits last year and expects to see more than 30 this year. And malware on the Android platform is also on the rise.

If it sounds like a business opportunity, you’re right. Mobile security companies have been springing up. Lookout Security is one that comes to mind. As mobile devices multiply, especially with younger people just entering the workforce, you can expect to see a lot more activity from companies large and small around making sure they’re secure. As is often the case with IT security, some of that will be wasted effort, because too often security is something you consider only after something bad has happened, not before. But not always.

(Image from Wikipedia.)

In a blog post by one of its execs, titled “Flash to Focus on PC Browsing and Mobile Apps; Adobe to More Aggressively Contribute to HTML5,” Adobe said what had already been reported: That it would no longer be developing its well-known Flash for mobile devices.

Here’s the key graph:

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores. We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations (chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook. We will of course continue to provide critical bug fixes and security updates for existing device configurations. We will also allow our source code licensees to continue working on and release their own implementations.”

Last night, reports surfaced that the high-profile software company — whose Flash technology has been a flagship product — was halting development on the mobile version of its browser plug-in.

Now, Adobe will focus its PC Web browser business on tools that allow Flash developers to create mobile apps by packaging their code to run on Adobe’s AIR platform.

The move has big implications for Adobe going forward and also for mobile device makers, such as Google and Research In Motion. But not Apple.

As Ina Fried wrote:

“The move, if true, would be a major blow to Android device makers, who have long touted Flash compatibility as a key competitive advantage over Apple’s iPhone and iPad.

It would also mark a posthumous vindication for former Apple CEO Steve Jobs, who took a controversial stand by not supporting Flash on Apple’s mobile products.”

Turns out Jobs was prescient, as usual.

Here is the full version of the Adobe blog:

Flash to Focus on PC Browsing and Mobile Apps; Adobe to More Aggressively Contribute to HTML5

POSTED BY DANNY WINOKUR, VICE PRESIDENT & GENERAL MANAGER, INTERACTIVE DEVELOPMENT AT ADOBE ON NOVEMBER 9, 2011 5:59 AM IN BUSINESS PROFESSIONALS, CREATIVE PROFESSIONALS, DEVELOPERS, VIDEO

Adobe is all about enabling designers and developers to create the most expressive content possible, regardless of platform or technology. For more than a decade, Flash has enabled the richest content to be created and deployed on the web by reaching beyond what browsers could do. It has repeatedly served as a blueprint for standardizing new technologies in HTML. Over the past two years, we’ve delivered Flash Player for mobile browsers and brought the full expressiveness of the web to many mobile devices.

However, HTML5 is now universally supported on major mobile devices, in some cases exclusively. This makes HTML5 the best solution for creating and deploying content in the browser across mobile platforms. We are excited about this, and will continue our work with key players in the HTML community, including Google, Apple, Microsoft and RIM, to drive HTML5 innovation they can use to advance their mobile browsers.

Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores. We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations (chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook. We will of course continue to provide critical bug fixes and security updates for existing device configurations. We will also allow our source code licensees to continue working on and release their own implementations.

These changes will allow us to increase investment in HTML5 and innovate with Flash where it can have most impact for the industry, including advanced gaming and premium video. Flash Player 11 for PC browsers just introduced dozens of new features, including hardware accelerated 3D graphics for console-quality gaming and premium HD video with content protection. Flash developers can take advantage of these features, and all that our Flash tooling has to offer, to reach more than a billion PCs through their browsers and to package native apps with AIR that run on hundreds of millions of mobile devices through all the popular app stores, including the iTunes App Store, Android Market, Amazon Appstore for Android and BlackBerry App World.

We are already working on Flash Player 12 and a new round of exciting features which we expect to again advance what is possible for delivering high definition entertainment experiences. We will continue to leverage our experience with Flash to accelerate our work with the W3C and WebKit to bring similar capabilities to HTML5 as quickly as possible, just as we have done with CSS Shaders. And, we will design new features in Flash for a smooth transition to HTML5 as the standards evolve so developers can confidently invest knowing their skills will continue to be leveraged.

We are super excited about the next generations of HTML5 and Flash. Together they offer developers and content publishers great options for delivering compelling web and application experiences across PCs and devices. There is already amazing work being done that is pushing the newest boundaries, and we can’t wait to see what is still yet to come!

In a weird sort of mash-up of villains, one decidedly more evil than the other, a Mexican affiliate of Anonymous Veracruz announced that it was going to start publishing the names and addresses of the cartel’s business associates in response to the kidnapping of an Anonymous member. Anonymous had accused taxi drivers, police officers and journalists of being Zeta “servants.”

Of course, the publication of that information would give an advantage to rival cartels, who would probably have them whacked. According to a report on Stratfor, the Zetas had taken the threat seriously enough that the cartel dispatched its own computer experts to track down the people behind various anti-cartel blogs. A few people have been killed.

Having hassled Sony over the summer, attacked targets as varied as NATO and the U.S. Senate, and posted the addresses of state cops in Arizona, all Anonymous seems to have accomplished is getting some of its lesser members arrested.

TalkingPointsMemo has a pretty good rundown. Basically, it comes down to this: Anonymous didn’t have the stomach for real-world violence.

And with that story — entirely plausible but in this case a lie — a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.

Mr. Patten, a 35-year-old cybersecurity expert who was with the U.S. Air Force before he started working for a consulting firm in Kansas City, Mo., didn’t actually use or sell the data, which he gathered in running a test for the investment firm of its security arrangements. But the ease with which the employee was persuaded to divulge the information points to a troubling trend, security experts and law enforcement officials say.

Read the rest of this post on the original site »

On Wednesday, Los Angeles City Council member Dennis Zine filed a motion requesting a status report on Google’s contract with the city. Google and Computer Sciences Corp., its partner implementing Apps, have been unable to meet the security requirements of the city’s police department, Mr. Zine wrote in the motion.

Read the rest of this post on the original site »

The company announced a new free app aimed at delivering protection for iPhone users, including help finding lost devices and protecting against attacks on iPhones that are still safe in their users’ hands. While the iPhone app is similar to what the company has offered for Android, there are some key differences.

“It’s not something where we have just taken the Android product and plopped it on the iPhone,” Lookout CEO John Hering said in an interview. One feature the company is not able to offer for the iPhone is its Plan B software, which allows a user to track down a lost Android phone even if they hadn’t planned ahead.

“I will be very excited if we figure out how to do that,” Hering said.

The software focuses on other areas, such as warning those who have a jailbroken iPhone about some of the added risks associated with that, as well as warning users when they are using an unsecured Wi-Fi network. The app also explains the concept of location-based services and offers details on which apps are making use of such services.

Over time, Hering said, the company hopes to establish for the iPhone a model similar to the one it has on Android — that is, offering a base set of services for free and then charging for more advanced features on a subscription basis.

“You should expect you will see a very similar path,” Hering said.

Hering declines to say whether Lookout is profitable, but he did say that the company is more focused on growth than it is on making a profit. The company has been racking up the funding, including a $40 million round announced last month.

The company currently has about 10 million users. Moving to the iPhone is key to its longer-term goal of reaching 100 million or more.

“The iPhone is going to be a huge step forward in that path,” Hering said.

It’s been more than 30 years since my favorite American bard, John Prine, sang that lyric, and it came to mind as I sat down today to meet with Brian David Johnson, who is, to my recollection, the first person I’ve ever known to carry the job title “futurist.” And yes, it sounds a little specious, until you find out he works as a futurist for the chipmaker Intel, which certainly has a long-term strategic interest in anticipating the demands of the future well before they happen.

Johnson was a guest today on The Wall Street Journal’s “Digits” program, which I co-hosted with the Journal’s affable Simon Constable. Johnson is in New York to speak at Comic Con about Intel’s Tomorrow Project, which aims to ask honestly what computing may be like 15 or 20 years from now — and the implications for our daily lives.

Think back to 1996 and you probably had some idea of what 2011 would be like. But did you really? You may have had a cellphone, but would you have imagined how much of your daily life would be punctuated by its use, beyond making phone calls? If you were to zap back in time and have a conversation with the 1996 you about life in 2011, you’d probably have to rely on science fiction to get the point across. “You know the communicator and tricorder from ‘Star Trek’? Yeah, we basically have those. We call them smartphones, and they’re kind of a big deal,” the 2011 you might say. “And they’re also the talking computers from ‘Star Trek.’ And you won’t believe who makes them.”

Science fiction makes it possible, Johnson says, to have a conversation about the future, by giving us the metaphors we need to figure out what we want and don’t want to happen. Hence “The Tomorrow Project Anthology,” a collection of short stories set in the future, imagining plausible situations emerging from science fact of today. One volume of the anthology was published earlier this year, and a new one is out now.

What happens, on some hypothetical day in the future, when passwords are easily and readily hackable and all our personal information is more or less available for all the world to see and take and use? That’s what the writer Cory Doctorow asks in his story, “The Knights of the Rainbow Table,” which appears in the new volume.

So these are some of the things that Simon and I talked about with Johnson in today’s closing segment on “Digits,” which you can see below. Enjoy.

*Lyrics from “Living in the Future,” by John Prine, from the 1980 album “Storm Windows.”

After his unusually enthusiastic declaration at a Silicon Valley event last week that “we are very, very interested” in buying the “whole” of Yahoo, you might imagine Alibaba Group co-founder and CEO Jack Ma running out of the speech looking for a giant pile of cash to pay for it immediately.

Instead, according to sources close to the situation, what the Chinese entrepreneur got was a cold dose of CFIUS — or Committee on Foreign Investment in the United States, the federal interagency review process for foreign investment deals.

Translation: If you are from China and want to buy our U.S. companies, we are going to have to give you a major look-see and it is not going to be pretty.

Perhaps that’s fair, but the prospect that even a purchase such as Yahoo, a consumer business that seems to have little in the way of national security concerns, might enter the buzzsaw of U.S. politics apparently surprised Ma.

Thus, sources said, that while it remains very interested, Alibaba is now at least a little concerned about the feasibility of the deal and that Ma is “perplexed” about why the U.S. has such restrictive rules against foreign ownership of a consumer business.

That said, he has been in touch with Yahoo co-founder and board member Jerry Yang and is likely to make a more official visit soon with others involved in Yahoo’s strategic review.

In addition, sources said, rumors of an imminent Yahoo bid hook-up with DST Global and Silver Lake — which recently invested in Alibaba — are overblown. While Ma did say last week at his much-noticed speech at Stanford University that he was talking to a lot of buyers, Alibaba is not closely aligned with anyone as yet.

Of course, given that Yahoo owns a 40 percent stake in Alibaba, Ma will be a big player in any deal done.

That’s because of a 2005 agreement that stipulates that if there is a change of control, Yahoo must give Alibaba a 15-day chance to buy back its stake.

Still, after his effusive I-want-Yahoo-now speech that caught the Internet giant and its bidders off guard, dialing back the rhetoric a bit is probably no surprise given the delicate dancing now going on.

In other words, a case of wanna-be-buyer’s remorse.