Category: Internet


The Heartbleed bug: Am I at risk and do I really have to change my password?

The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data — everything from passwords and login details to credit card numbers and addresses.

Although it’s difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

To add to the confusion there have also been reports of hackers sending out phishing emails related to Heartbleed — in order to trick users into giving up passwords that have yet to be compromised. Be on the lookout for these and don’t follow any links in suspicious looking emails – if you want to change a password go to the site directly.

Which sites are affected?
Most Google sites and services (including Gmail and YouTube – but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties — including iCloud and iTunes. If you want to check whether or not a site you use is still affected then you can do so here — just enter the URL.

Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

However, this does not mean that your credit card details are completely safe — as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.

So do I need to change my passwords?
In a word: Yes. For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won’t hurt to change your password some time in the next couple of weeks.

Although security experts have warned that you shouldn’t be too quick to change passwords, this is because not all websites have patched their servers and changing your password before this happens could make matters worse. The sites we’ve listed above have patched their servers and if you want to check one we’ve not mentioned — click here and enter the URL.

Unfortunately, some sites (including Google) have specifically said that users don’t need to change their passwords. While it’s true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.

What should my new password be?
In lists of the most frequently used passwords online there are some obvious clangers that we know you’re too smart to use (these include old standbys such as ‘123456’ and ‘password’ itself) but just because a password doesn’t look obvious to you that doesn’t make it safe.

This means that you shouldn’t really use any single words that are found in the dictionary, any words connected to you (place of birth or pets’ names), nor should you use any obvious ‘substitutions’ (eg pa55w0rd — more complicated variations are required) or patterns derived from your keyboard layout (eg ‘1qaz2wsx’ or ‘zxcvbnm’).

It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

The easiest way of increasing the difficulty of a password is by simply making it longer — so try combining multiple words together and then adding in numbers between them.

You could pick a number of some significance to you (for example a loved one’s birthday, ie 12/08/1970) and then splice this with a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficult password: Shoe12Splitting08Watch1970Wizard.

Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line “When you call my name it’s like a little prayer” and turn it into wuCmNilaLP. Madonna is optional of course, but we think this is a fun method — especially if you can work in numbers somewhere.

You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.
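The weaknesses listed in this section (common passwords, single dictionary words, words connected to you, obvious substitutions and keyboard patterns) can be screened for mechanically. The following is an added example, not part of the original article: the word lists are small constructed samples, and the function names and finding codes are hypothetical.

```python
import string

# Constructed sample lists; a real check would load a full breached-password
# list and a full dictionary.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}
DICTIONARY = {"password", "shoe", "splitting", "watch", "wizard", "monkey", "prayer"}

# Keyboard rows and the diagonal columns behind patterns such as '1qaz2wsx'.
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
SEQUENCES = KEYBOARD_RUNS + [run[::-1] for run in KEYBOARD_RUNS]
MIN_RUN = 3  # assumption: shortest run of adjacent keys counted as a pattern

# Obvious character substitutions of the 'pa55w0rd' kind.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def is_keyboard_pattern(password):
    """True if the whole password splits into runs of adjacent keys."""
    s = password.lower()
    n = len(s)
    if n < MIN_RUN:
        return False
    # reachable[i] means s[:i] can be cut into keyboard runs of MIN_RUN+ keys.
    reachable = [True] + [False] * n
    for start in range(n):
        if not reachable[start]:
            continue
        for end in range(start + MIN_RUN, n + 1):
            if any(s[start:end] in seq for seq in SEQUENCES):
                reachable[end] = True
    return reachable[n]


def check_password(password, personal_words=()):
    """Return the list of weaknesses found; an empty list means none matched."""
    lowered = password.lower()
    # Drop digits and punctuation stuck on either end ('Monkey2014' -> 'monkey').
    trimmed = lowered.strip(string.digits + string.punctuation)
    plain = {lowered, trimmed}
    unsubstituted = {lowered.translate(LEET), trimmed.translate(LEET)}
    personal = {word.lower() for word in personal_words}

    findings = []
    if lowered in COMMON_PASSWORDS:
        findings.append("common_password")
    if plain & DICTIONARY:
        findings.append("dictionary_word")
    elif unsubstituted & DICTIONARY:
        findings.append("obvious_substitution")
    if (plain | unsubstituted) & personal:
        findings.append("personal_word")
    if is_keyboard_pattern(password):
        findings.append("keyboard_pattern")
    return findings


if __name__ == "__main__":
    samples = ["123456", "pa55w0rd", "1qaz2wsx", "zxcvbnm",
               "Shoe12Splitting08Watch1970Wizard", "wuCmNilaLP"]
    for sample in samples:
        print(sample, check_password(sample))
```

An empty result only means none of these specific patterns matched; it says nothing about whether the password has been reused on another account.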

Ryan says: I recommend everyone on any of the sites mentioned in this article to change their passwords ASAP.

‘Critical’ security warning for BlackBerry Z10

A vulnerability in the BlackBerry Protect software built into Z10 smart phones could allow hackers to gain access to the passwords of some devices, according to a security advisory issued by BlackBerry.

By taking advantage of “weak permissions” malicious applications will be able to:

• Gain the device password if a remote password reset command had been issued through the BlackBerry Web site
• Intercept and prevent the phone from acting on BlackBerry Protect commands, such as remote wipe

BlackBerry said the issue is with the BlackBerry Protect software and not the Z10’s operating system.

“The most severe potential impact of this vulnerability requires a BlackBerry Z10 smart phone user to install a specially crafted malicious app, enable BlackBerry Protect and reset the device password through BlackBerry Protect,” the advisory said.

With the device password and physical access to the phone, an attacker can:

• Access the functionality of the smartphone (including the BlackBerry Hub, apps, data, and the phone) by unlocking the smartphone.
• Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry Balance technology enabled if the work perimeter password is the same as the device password.
• Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on. The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
• Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low privilege development user.
• Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
• Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.

An attacker can also gain Wi-Fi access to the phone if the owner enables Wi-Fi storage access on the Z10 and sets a storage access password that is the same as the device password.

Sony sucker-punches Xbox on price, specs, DRM-free gaming

Microsoft may not have been listening to the rumbling of discontent over some of the new “features” coming with Xbox One, but Sony certainly has.

Sony unveiled the new PS4 console at this week’s E3 gamers conference in Los Angeles, and it undercuts Redmond’s Xbox One by $100, has faster graphics, and won’t require an internet connection for gaming or make users jump through tortuous DRM hoops. CEO Jack Tretton took care to put the boot into Microsoft as he unveiled the platform.

“We are focused on delivering what gamers want most without imposing restrictions or devaluing their PlayStation purchase. PlayStation 4 won’t impose any new restrictions on the use of used games. That’s a good thing,” he said, with a broad grin at the thunderous response from the E3 crowd.

“When people buy a PS4 disc they have the rights to use that game,” he said, “they can trade in the game at retail, sell it to another person, lend it to a friend, or keep it forever. PlayStation 4 games don’t need to be connected online to play or for any type of authentication. And it won’t stop working if you haven’t authenticated in 24 hours.”

Judging from El Reg‘s forums, Microsoft’s decision to require the Xbox One to check in online every day, the strict DRM controls the console can impose, and the restrictions on game resale are going to prove unpopular. Sony might have been expected to use the opportunity to follow suit, but instead is actively fighting against such a move, and actively mocking Microsoft’s policy.

 

 

The PS4 will go on sale later this year, in time for the holiday season, with a $399 price tag. There’s the usual surcharge for the Europeans, who get stung for €399 ($529.79), and the British get their hardware for £349 ($543.99).

There is, however, a slight catch. The Xbox One comes with the heartbeat-sensing Kinect camera system bundled in. If you want your Sony console to track your every move, and possibly one day check if you’re watching, then it’ll set you back $59 (or €49 and £44). Extra wireless controllers for the PS4 cost $59, €59, or £54 depending on locale.

The hardware itself is very similar to the Xbox One. Sony has gone for a rhomboid form-factor for the systems, but it carries a similar spec to its rival with USB 3.0 and HDMI ports, a Blu-Ray player, and 802.11b/g/n Wi-Fi. At the PS4’s heart there’s a customized eight-core AMD Jaguar processor and a 1.84 TFLOPS Radeon GPU that’s more powerful than its Redmond rival.

Gamers are also going to have to pay to play online. You already have to with Microsoft, and at launch Sony will require online players to pay for a PlayStation Plus membership for $50, which will also work on a PS3 and PlayStation Vita.

In a tweet during the presentation, however, Sony confirmed that a Plus account isn’t needed to access other media on the device, so if you want to use the console to watch Netflix you won’t need an online account. The same is not true with the Xbox One.

As for the games themselves, Microsoft does appear to have the upper hand for the mass consumer market, with early access to the new Call of Duty and a revamped Halo out next year. In response, Sony has 30 titles under development, 20 of which will be released within a year, and independent producers will add up to 100 more.

Tretton’s presentation made it clear how Sony is going to play the console wars. Microsoft wants the Xbox to be the single unit that can perform all of the entertainment and (Skype) communications functions in the living room – provided the internet’s up. Sony is fine focusing just on the games and being one device among many.

It’s now up to buyers to decide which strategy will prove the most popular.

Source: The Register

 

BitTorrent’s Secure Dropbox Alternative Goes Public

BitTorrent Inc. has opened up its Sync app to the public today. The new application is free of charge and allows people to securely sync folders to multiple devices using the BitTorrent protocol. Complete control over the storage location of the files and the absence of limits is what sets BitTorrent’s solution apart from traditional cloud based synchronization services.

Dropbox, Google Drive, Microsoft Skydrive and Mega are just a few examples of the many file-storage and backup services that are available today.

All these services rely on external cloud based hosting to back up and store files. This means that you have to trust these companies with your personal and confidential files, and that your storage space is limited.

For those people who want to be in control of their own data there haven’t been many alternatives, but BitTorrent Sync has the potential to trigger a small revolution on this front.

BitTorrent Sync’s functionality is comparable to services such as Dropbox and Skydrive, except for the fact that there’s no cloud involved. Users sync the files between their own computers and no third-party has access to it.

Besides increased security, BitTorrent sync transfers also tend to go a lot faster than competing cloud services. Another advantage is that there are no storage or transfer limits, so users can sync as many files as they want, for free.

Earlier this year BitTorrent started a closed Alpha test with a limited number of users, and today Sync is being released to the public for the first time.

“We’re really excited about opening up this Alpha. The feedback has been universally positive. Those in the closed Alpha have already synced more than 200TB since we started the program,” BitTorrent announces.

Over the past weeks many improvements have been made to the Sync application, prompted by user feedback. Among other things it is now possible to allow one-way synchronization and to exclude files or directories from being shared.

While Sync uses BitTorrent technology, people’s files are not accessible to outsiders. Only those who have the unique private key can access the shared folder.

“All the traffic is encrypted using a private key derived from the shared secret. Your files can be viewed and received only by the people with whom you share your private secret,” BitTorrent explains.

To increase security, the latest Sync version also has the option to let the secret key expire after a day so new devices can’t be added, even if outsiders have the private key.

BitTorrent stresses that Sync is still in Alpha development but tests carried out by TorrentFreak confirm that it works very well. It is an ideal tool for people who want to share large amounts of data between computers without going through third-party services.

The application is also surprisingly easy to configure. There’s no need to create an account and it only takes a few clicks to get going.

The Sync application is available for Windows, OSX and Linux, and has the ability to run on NAS devices through a web-interface. Readers who are interested in giving it a spin can head over to BitTorrent labs, where the Sync app can be downloaded.

Download BitTorrent Sync for Windows here.
Download BitTorrent Sync for Mac 10.6 or newer here.

Source: TorrentFreak

Russian BadNews bug found in Android app store

Security researchers have identified 32 separate apps on Google Play that harboured a bug called BadNews.

On infected phones, BadNews stole cash by racking up charges from sending premium rate text messages.

The malicious program lay dormant on many handsets for weeks to escape detection, said security firm Lookout which uncovered BadNews.

The malware targeted Android owners in Russia, Ukraine, Belarus and other countries in eastern Europe.

The exact number of victims was hard to calculate, said Lookout, adding that figures from Google Play suggest that between two and nine million copies of apps booby trapped with BadNews were downloaded from the store.

In a blogpost, Lookout said that a wide variety of apps were harbouring the BadNews malware. It found the programme lurking inside recipe generators, wallpaper apps, games and pornographic programmes.

The 32 apps were available through four separate developer accounts on Play. Google has now suspended those accounts and removed all the affected apps from its online store. No official comment from Google has yet been released.

Lookout said BadNews concealed its true identity by initially acting as an “innocent, if somewhat aggressive, advertising network”. In this guise it sent users news and information about other infected apps, and prompted people to install other programmes.

BadNews adopted this approach to avoid detection systems that look for suspicious behaviour and stop dodgy apps being installed, said Lookout.

This masquerade ended when apps seeded with BadNews got a prompt from one of three command and control servers. BadNews then started pushing out and installing a more malicious programme called AlphaSMS, which steals credit by sending text messages to premium rate numbers.

Users were tricked into installing AlphaSMS as it was labelled as an essential update for either Skype or Russian social network Vkontakte.

Security firm Lookout said BadNews was included in many popular apps by innocent developers as it outwardly looked like a useful way to monetise their creations. It urged app makers to be more wary of such “third party tools” which they may include in their code.

Half of the 32 apps seeded with BadNews are Russian and the version of AlphaSMS it installed is tuned to use premium rate numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan.

Source: BBC News

Sophisticated botnet steals more than $47M by infecting PCs and phones

A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks’ use of two-factor authentication for transactions by intercepting messages sent by the bank to victims’ mobile phones.

The malware and botnet system, dubbed “Eurograbber” by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims’ bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday.

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim’s browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a “security upgrade” from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information—which are used in the second level of Eurograbber’s attack.

With the phone number and platform information, the attacker sends a text message to the victim’s phone with a link to a site that downloads what it says is “encryption software” for the device. But it is, in fact, “Zeus in the mobile” (ZITMO) malware—a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim’s balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan’s command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

Both Check Point and Versafe have added signature and behavior detection to their malware protection products that can block Eurograbber. Updating software that is a frequent target for Web “driveby download” exploits—such as Adobe Flash, Java, and Web browsers—can help prevent infection by the malware, as can a healthy amount of paranoia about clicking links in e-mails.

Source: Arstechnica

Latest Java software opens PCs to hackers: experts

Computer security firms are urging PC users to disable Java software in their browsers, saying the widely installed, free software from Oracle Corp opens machines to hacker attacks and there is no way to defend against them.

The warnings, which began emerging over the weekend from Rapid7, AlienVault and other cyber security firms, are likely to unnerve a PC community scrambling to fend off growing security threats from hackers, viruses and malware.

Researchers have identified code that attacks machines by exploiting a newly discovered flaw in the latest version of Java. Once in, a second piece of software called “Poison Ivy” is released that lets hackers gain control of the infected computer, said Jaime Blasco, a research manager with AlienVault Labs.

Several security firms advised users to immediately disable Java software — installed in some form on the vast majority of personal computers around the world — in their Internet browsers. Oracle says that Java sits on 97 percent of enterprise desktops.

“If exploited, the attacker will be able to perform any action the victim can perform on the victim’s machine,” said Tod Beardsley, an engineering manager with Rapid7’s Metasploit division.

Computers can get infected without their users’ knowledge simply by a visit to any website that has been compromised by hackers, said Joshua Drake, a senior research scientist with the security firm Accuvant.

Java is a computer language that enables programmers to write one set of code to run on virtually any type of machine. It is widely used on the Internet so that Web developers can make their sites accessible from multiple browsers running on Microsoft Windows PCs or Macs from Apple Inc.

An Oracle spokeswoman said she could not immediately comment on the matter.

Security experts recommended that users not enable Java for universal use on their browsers. Instead, they said it was safest to allow use of Java browser plug-ins on a case-by-case basis when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc.

Rapid7 has set up a web page that tells users whether their browser has a Java plug-in installed that is vulnerable to attack: www.isjavaexploitable.com

Source: Reuters

Ryan says: I would recommend updating to the latest version of Java. The latest version of Java Runtime Environment JRE-64-bit is here. For users with older computers, try downloading the latest version in 32-bit.

Valve: Agree to not sue us or lose access to Steam

Gamers beware: Valve Software, the firm behind immensely popular gaming portal Steam, wants you to waive your right to sue before you continue gathering games using its digital distribution platform. The company has amended its subscriber agreement to stipulate that by subscribing to its service, users agree to not file lawsuits against the company. Gaming giants Microsoft (MSFT), Sony (SNE) and Electronic Arts (EA) have similar policies in place, Kotaku notes.

“It’s clear to us that in some situations, class actions have real benefits to customers,” Valve said in a statement. “In far too many cases however, class actions don’t provide any real benefit to users and instead impose unnecessary expense and delay, and are often designed to benefit the class action lawyers who craft and litigate these claims.”

The statement continued, “Class actions like these do not benefit us or our communities. We think this new dispute resolution process is faster and better for you and Valve while avoiding unnecessary costs, and that it will therefore benefit the community as a whole.”

Source: Yahoo!

New iPhone app enables self-destructing sext messages

Sexting, or the act of sending sexually explicit messages or photographs between mobile phones, continues to grow increasingly popular. Mobile users often have private photos posted to the Internet without their permission, and politicians and celebrities alike have taken explicit photos using mobile devices that were eventually leaked. Unfortunately for Anthony Weiner, the congressman wasn’t aware of an iPhone app by the name of Snapchat. The program is available for free in Apple’s App Store and allows users to send photos that self-destruct within 1-10 seconds. Images cannot be saved in the app, and Snapchat will even notify users if the recipient takes a screenshot — though there is no way to prevent screenshots from being taken, of course. It should also be noted that images are stored on the developer’s servers, and while the company “attempt(s) to delete image data as soon as possible after the message is transmitted,” it cannot guarantee messages will always be deleted. “Messages, therefore, are sent at the risk of the user,” the company’s privacy policy warns.

Source: Forbes / BGR

Tether: Wireless tethering for only $30 per year

For those of you constantly traveling and unable to access a Wi-Fi connection for your Mac or PC, but unwilling to dish out the $360 a year that some carriers will require for native tethering, you can download Tether’s application for $15 for the first year and $30 for the years following.

While jailbreaking is one option for avoiding the cost of tethering, other people may find that paying $30 per year is worth avoiding the hassle of hacking a phone. Plus, for those of us who have a tendency to drop our phones, the fact that jailbreaking voids the warranty and keeps customer support and Geniuses at bay is also reason enough to avoid the hack — which is why Tether is such a great service.

Initially launched in November 2011, Tether was originally accepted into Apple’s iTunes App Store. But the app was taken down only a few days later because it violated Apple’s terms. Since then, the team had been creating a workaround. And now, they’ve unveiled the latest version of Tether, built using its patent-pending technology, made possible by HTML5. This time around, the team decided to forgo the app’s submission to Apple altogether, seeing as how acceptance into the iTunes App Store was highly unlikely. Instead, Tether is entirely Web-based, letting it bypass Apple’s scrutiny.

The service is available for BlackBerry, iPhone and Android, and will currently work for any carrier throughout the world. But it’s a game of cat and mouse. Once the major carriers discern how to distinguish a tethered phone using HTML5 from a non-tethered phone, Tether users will run the risk of being forcibly upgraded to the carrier’s tethering plan, or risk being charged extra for the data sent while being tethered to your computer as per the carrier’s terms of service.

Using Tether isn’t too difficult as the video below will show you. You’ll need to download and install the appropriate software for your operating system, and proceed to create an ad-hoc network on your computer by entering in a password (if desired) for the auto-generated SSID. Note that once Tether is open on your desktop, your current Wi-Fi connection will be disabled to make way for the tethered connection.

On your phone, find and select the ad-hoc network from the list of available Wi-Fi networks. Then, using your mobile browser, you will be required to log into your paid account on tether.com/web. After logging in, you’re tethered and able to browse the Web on your computer right away.

 

Source: DigitalTrends

Video: Microsoft responds to Pwn2Own IE hack

Just moments after researchers from VUPEN used two zero-day vulnerabilities to hack into the Internet Explorer 9 browser, I caught up with Mike Reavey, senior director in the Microsoft Security Response Center (MSRC) to get his response to the attack and some information on what happens next.

 

Microsoft Security Response Center (MSRC) director Mike Reavey talks about the CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.

Source: ZDNet