Tag Archive: PC Repair Abbotsford


Apple finally fixes App Store flaw by turning on encryption

Apple has finally fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.

The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device connects to the App Store, meaning an attacker on the same network can hijack the connection. Beyond the security flaw, the unencrypted connections also created a privacy problem: the complete list of applications installed on the device is disclosed over Wi-Fi.

It also allows the installation of apps, including extremely expensive ones that top out at $999.99, without the user’s consent, which can create serious consequences because Apple doesn’t give refunds. To do this, an attacker needs to be on the same private or public Wi-Fi network, including, for example, a coffeeshop, hotel, or airport network.

Security researcher Elie Bursztein discovered the vulnerability and reported it to Apple last July. Apple fixed the problem in a recent update that said “content is now served over HTTPS by default.” Apple also thanked Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi.

Bursztein, who works at Google in Mountain View, Calif., but emphasized that this was work done at home in his spare time, published a personal blog post today describing the App Store vulnerability in detail and including videos showing how an attacker was able to steal passwords or install unwanted apps.

Publicizing this flaw, Bursztein said, highlighted how necessary encrypted HTTPS connections were. “Many companies don’t realize that HTTPS is important for mobile apps,” he said. But if they rely on Web connections or Webviews, he added, they are vulnerable to attacks: “Providing a concrete example seems a good way to attract developer attention to the issue.”

As a postdoctoral researcher at Stanford University, Bursztein published research that included demonstrating flaws in Captchas and the Web interfaces of embedded devices. At the Defcon conference in Las Vegas two years ago, he demonstrated how to bypass Windows’ built-in encryption that Web browsers, instant messaging clients, and other programs used to store user passwords.

Bursztein’s blog post comes a day after Apple’s marketing chief, Phil Schiller, took a security-related swipe at Google on Twitter by pointing to a report on the rise of Android malware.

Source: CNET

Sophisticated botnet steals more than $47M by infecting PCs and phones

A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks’ use of two-factor authentication for transactions by intercepting messages sent by the bank to victims’ mobile phones.

The malware and botnet system, dubbed “Eurograbber” by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims’ bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday.

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim’s browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a “security upgrade” from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information—which are used in the second level of Eurograbber’s attack.

With the phone number and platform information, the attacker sends a text message to the victim’s phone with a link to a site that downloads what it says is “encryption software” for the device. But it is, in fact, “Zeus in the mobile” (ZITMO) malware—a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim’s balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan’s command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

Both Check Point and Versafe have added signature and behavior detection to their malware protection products that can block Eurograbber. Updating software that is a frequent target for Web “drive-by download” exploits—such as Adobe Flash, Java, and Web browsers—can help prevent infection by the malware, as can a healthy amount of paranoia about clicking links in e-mails.

Source: Arstechnica

Latest Java software opens PCs to hackers: experts

Computer security firms are urging PC users to disable Java software in their browsers, saying the widely installed, free software from Oracle Corp opens machines to hacker attacks and there is no way to defend against them.

The warnings, which began emerging over the weekend from Rapid7, AlienVault and other cyber security firms, are likely to unnerve a PC community scrambling to fend off growing security threats from hackers, viruses and malware.

Researchers have identified code that attacks machines by exploiting a newly discovered flaw in the latest version of Java. Once in, a second piece of software called “Poison Ivy” is released that lets hackers gain control of the infected computer, said Jaime Blasco, a research manager with AlienVault Labs.

Several security firms advised users to immediately disable Java software — installed in some form on the vast majority of personal computers around the world — in their Internet browsers. Oracle says that Java sits on 97 percent of enterprise desktops.

“If exploited, the attacker will be able to perform any action the victim can perform on the victim’s machine,” said Tod Beardsley, an engineering manager with Rapid7’s Metasploit division.

Computers can get infected without their users’ knowledge simply by a visit to any website that has been compromised by hackers, said Joshua Drake, a senior research scientist with the security firm Accuvant.

Java is a computer language that enables programmers to write one set of code to run on virtually any type of machine. It is widely used on the Internet so that Web developers can make their sites accessible from multiple browsers running on Microsoft Windows PCs or Macs from Apple Inc.

An Oracle spokeswoman said she could not immediately comment on the matter.

Security experts recommended that users not enable Java for universal use in their browsers. Instead, they said it was safest to allow use of Java browser plug-ins on a case-by-case basis when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc.

Rapid7 has set up a web page that tells users whether their browser has a Java plug-in installed that is vulnerable to attack: www.isjavaexploitable.com

Source: Reuters

Ryan says: I would recommend updating to the latest version of Java. The latest version of Java Runtime Environment JRE-64-bit is here. For users with older computers, try downloading the latest version in 32-bit.

Valve: Agree to not sue us or lose access to Steam

Gamers beware: Valve Software, the firm behind immensely popular gaming portal Steam, wants you to waive your right to sue before you continue gathering games using its digital distribution platform. The company has amended its subscriber agreement to stipulate that by subscribing to its service, users agree to not file lawsuits against the company. Gaming giants Microsoft (MSFT), Sony (SNE) and Electronic Arts (EA) have similar policies in place, Kotaku notes.

“It’s clear to us that in some situations, class actions have real benefits to customers,” Valve said in a statement. “In far too many cases however, class actions don’t provide any real benefit to users and instead impose unnecessary expense and delay, and are often designed to benefit the class action lawyers who craft and litigate these claims.”

The statement continued, “Class actions like these do not benefit us or our communities. We think this new dispute resolution process is faster and better for you and Valve while avoiding unnecessary costs, and that it will therefore benefit the community as a whole.”

Source: Yahoo!

Half a million Mac computers ‘infected with malware’

More than half a million Apple computers have been infected with the Flashback Trojan, according to a Russian anti-virus firm.

Its report claims that about 600,000 Macs have installed the malware – potentially allowing them to be hijacked and used as a “botnet”.

The firm, Dr Web, says that more than half that number are based in the US.

Apple has released a security update, but users who have not installed the patch remain exposed.

Flashback was first detected last September when anti-virus researchers flagged up software masquerading as a Flash Player update. Once downloaded, it deactivated some of the computer’s security software.

Later versions of the malware exploited weaknesses in the Java programming language to allow the code to be installed from bogus sites without the user’s permission.

Dr Web said that once the Trojan was installed it sent a message to the intruder’s control server with a unique ID to identify the infected machine.

“By introducing the code criminals are potentially able to control the machine,” the firm’s chief executive Boris Sharov told the BBC.

“We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals’ hands. However, we know people create viruses to get money.

“The largest amounts of bots – based on the IP addresses we identified – are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people.”

Dr Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California – home to Apple’s headquarters.

Java’s developer, Oracle, issued a fix for the vulnerability on 14 February, but this did not reach Macintoshes because Apple manages Java updates for its computers.

Apple released its own “security update” on Wednesday – more than eight weeks later. It can be triggered by clicking on the software update icon in the computer’s system preferences panel.

The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.

Although Apple’s system software limits the actions its computers can take without requesting their users’ permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.

“People used to say that Apple computers, unlike Windows PCs, can’t ever be infected – but it’s a myth,” said Timur Tsoriev, an analyst at Kaspersky Lab.

Apple could not provide a statement at this time.

Ryan: Download Apple’s security update for the Flashback Trojan here.

Source: BBC News

Video: Microsoft responds to Pwn2Own IE hack

Just moments after researchers from VUPEN used two zero-day vulnerabilities to hack into the Internet Explorer 9 browser, I caught up with Mike Reavey, senior director in the Microsoft Security Response Center (MSRC) to get his response to the attack and some information on what happens next.

Microsoft Security Response Center (MSRC) director Mike Reavey talks about the CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.

Source: ZDNet

Microsoft removes ‘Start’ button from latest Windows 8 build

Do you like the Windows ‘Start’ button? Well, if you do, you’d better get used to it being gone in Windows 8 because it seems that Microsoft has removed it from the latest builds of the operating system.

Here’s a leaked screenshot from the near-final Windows 8 “Consumer Preview” version (build 8220) which comes to us via PCBeta.com:

Notice the absence of the traditional Start button? I’ve reached out to a few contacts who confirm to me that the button has indeed been removed and replaced with a hotspot in the corner that will duplicate the functionality offered by the old button.

The Start button was first introduced in Windows 95, and has been present in every version of Windows since.

Now here’s the real question … does Microsoft intend to permanently remove the Start button, or is this a trial balloon and Microsoft is looking to see what the feedback from users will be?

Source: PCBeta

Windows 8: Dead Before Arrival?

On the cusp of an event for the Windows 8 app store, one research firm has dealt a painful blow to the forthcoming OS.

“Windows 8 will be largely irrelevant to the users of traditional PCs, and we expect effectively no upgrade activity from Windows 7 to Windows 8 in that form factor,” research firm IDC told Computerworld this week.

For its part, Microsoft has been quite vocal about its goals for Windows 8, which primarily involve the tablet market. Microsoft, like most of the world, assumes that tablets – which are already encroaching on the desktop PC and laptop markets – will one day become the dominant player in personal computing. Personally, I do not think it will be quite that simple. Instead, I expect a wise manufacturer to combine the perfect tablet with the perfect laptop and make a computer no one can live without. It hasn’t happened yet, but we’re getting closer every day.

Still, for Microsoft to sacrifice Windows 8’s success on the PC just for the sake of tablet sales would be silly. According to Computerworld, Windows 7 has been licensed 450 million times. That’s enormous! The only way Apple (NASDAQ: AAPL) could ever top that number is if it licensed Mac OS to third-party PC manufacturers. But that will never (and should never) happen.

For new PC buyers, Windows 7 is still a fairly new OS. But Windows Vista proved to be so bad (and so draining to weak hardware) that people were eager to upgrade. Windows 7 also had the benefit of coming out at a time when laptops had finally reached a nice balance between cost, performance, and durability. Whereas in the past you could spend upwards of $1,000 for a decent Windows XP laptop, the average high-quality Windows 7 laptop retails for $700 to $900. And because Windows 7 machines tend to have at least two gigs of ram, a much larger hard drive, and a vastly superior dual-core processor, their functional value should last a little longer.

In my own personal experience, dual-core processor laptops tend to hold up better after three years of use (2008 to 2011) than laptops with a single-core processor (2005 to 2008).

Unfortunately for Microsoft, this could mean that there will be fewer consumers buying new laptops when Windows 8 arrives than there were when Windows Vista and Windows 7 were released.

However, I am not convinced that IDC’s assessment is accurate. Will the Windows 8 upgrade rate be lower than Windows 7? Probably. From a consumer standpoint, and especially a business standpoint, Windows 8 may not provide enough of a difference to justify a purchase. The layout is cool and inspired, and it may very well be an important step in the Windows evolution. But that’s true of XP, one of the better versions of the software. But did everyone upgrade to XP when it was released? Nope. Did everyone need to make the switch? Nope.

That is the bigger challenge Microsoft faces: convincing us that Windows 8 is must-own software.

Since the company is so determined to make a dent in the tablet market, Microsoft needs to ensure that when Windows 8 is released, there is at least one (preferably several) must-have tablets available. If the company launches a true iPad competitor – or better yet, a true iPad-killer – then there will be very little preventing Windows 8 from attaining long-term success.

Source: Forbes

BlackBerry 7 sales sputter after strong start

After some initial excitement for the new line of BlackBerry 7 smartphones and a strong launch–both unusual for RIM for the past year–sales are starting to sputter. That’s according to Canaccord Genuity analyst T. Michael Walkley, who said his checks indicate a slowing trend for BlackBerrys.

It’s likely sales have been blunted by the release of the iPhone 4S, as well as the lower price of the legacy iPhone 4 and 3GS models as well. The coming release of the Galaxy Nexus and phones running on the recently unveiled Android 4.0 Ice Cream Sandwich operating system is expected to provide additional pressure, while Nokia may take some shine off RIM’s growth overseas, Walkley said.

“We anticipate increasing competition across all tiers of RIM’s products in 2012,” he said in a research note sent to clients today.

RIM had hoped for its upgraded BlackBerry 7 operating system to inject some life back into the company’s prospects and get it back on track as it migrates to a slicker next-generation platform. With that platform, BBX, expected to be delayed until the middle of next year, it’s more important than ever for its current BlackBerry 7 phones to have a strong showing.

A RIM representative wasn’t immediately available for comment.

But aside from the flagship Bold 9900 smartphone, which has generally received favorable reviews, its other BlackBerry smartphones haven’t sold so well. RIM was suffering from weaker sales to consumers at Verizon Wireless, T-Mobile, and Sprint Nextel, as sales were dominated by the iPhone and Android devices, Walkley said. Even the Bold has lost its momentum following the launch of the iPhone 4S and subsequent price cuts to the older models, he added.

Overseas, Walkley said he was more bullish on Nokia’s prospects as it prepares to roll out its first Windows Phone devices in a few European markets. He expects Nokia to make more of a run in emerging markets where RIM has seen recent strength, which could cut into RIM’s growth. He added that RIM’s lower-tier BlackBerry devices that had been popular are slowing considerably in the face of new Nokia phones and sub-$200 Android smartphones showing up in Latin America and Eastern Europe. Nokia, meanwhile, is seeing more interest in its Asha series of phones in markets such as India and Indonesia, he added.

The troubled PlayBook

Walkley was also bearish on the prospects of the PlayBook, saying he only expects “soft sales” of the device. The PlayBook has been heavily discounted in recent weeks, with Black Friday specials pulling the price down to $200, but sales have still been anemic. The missing core features of the device–e-mail access, messenger services, and calendar–won’t arrive until an update next year. Walkley dropped his fiscal 2012 estimate for unit sales to 900,000 from 1.5 million units. In total, RIM has only sold 700,000 units to its retail partners through the August quarter, an extremely disappointing number.

The competition is only going to get worse with the $199 Kindle Fire out and Ice Cream Sandwich-powered tablets hitting the market in the coming months.

All of this bodes poorly for RIM, which has had a rough year. Even its traditional stronghold of enterprise customers is vulnerable. A recent study by iPass found more corporate users on an iPhone than a BlackBerry. iPass was quick to note that the change in market share may be due more to the extreme growth of iOS than to RIM losing customers.

But it can’t be good if iPhone is beating RIM at its own game.

Source: CNET

Google Android 4.0 Ice Cream Sandwich source code is now available

Google promised, and Google delivered: the source code to Google Android 4.0.1, codenamed “Ice Cream Sandwich,” has been released to the open source community. And as a nice side bonus, the code now available encompasses the complete source code history tree, which includes the never-before-open Android Honeycomb family of releases.

I’m not a developer, so I’ll defer to Google Android Open-Source Project software engineer Jean-Baptiste M. “JBQ” Queru’s post to the Android Building mailing list for details:

This is actually the source code for version 4.0.1 of Android, which is the specific version that will ship on the Galaxy Nexus, the first Android 4.0 device. In the source tree, you will find a device build target named “full_maguro” that you can use to build a system image for Galaxy Nexus. Build configurations for other devices will come later.

Later in the same post, he writes:

This release includes the full history of the Android source code tree, which naturally includes all the source code for the Honeycomb releases. However, since Honeycomb was a little incomplete, we want everyone to focus on Ice Cream Sandwich. So, we haven’t created any tags that correspond to the Honeycomb releases (even though the changes are present in the history.)

This is a very cool thing for Google to do – I stand by my opinion that Google had been misrepresenting the openness of the Android operating system to everybody up to and including the US Senate, but this goes a long way towards realigning perception with reality.

But on the other hand, it seems pretty transparent that they only did it for fear that Google’s rushed Motorola Mobility buy coupled with the closed Google Android 3.0 release tree would intensify the scrutiny on the search giant at a time when it can’t afford much more of the legal spotlight.

There’s no point looking a gift horse in the mouth, though, and I’m looking forward to seeing what the Android hacker community puts together with Ice Cream Sandwich as its new foundation.

Download it here.

Source: Googling Google

PlayBook has a Flash-filled future; RIM’s worst decision to date?

Summary: Now that Flash has had its day in the sun, the PlayBook may now have a chance to quietly sail off into the deathly sunset.

Research in Motion plans to continue supporting Adobe Flash, days after it emerged that the platform was not only on its last legs, but that it was to be taken round the back of the stable and beaten over the head with a rusty spade.

In a statement on the company’s corporate blog, the BlackBerry maker said:

“Earlier today, Adobe announced plans to stop investing in Flash® for mobile browsing, and focus more efforts on HTML5. As an Adobe source code licensee, we will continue to work on and release our own implementations, and are looking forward to including Flash 11.1 for the BlackBerry PlayBook.”

At roughly 10am this morning, a collective face-palm slapping sound was heard across the United States and Canada.

It is as though the BlackBerry maker is purposefully trying to continually do things to deliberately lower its stock price. I’m serious; is this some game show that I’m not aware of, where contenders win a vacation to the Bahamas if they successfully cripple their company within the space of a year?

The PlayBook has hardly been the most popular tablet the market has seen in recent years. In fact, come Christmas, I would place money that out of the ‘major players’, including Samsung, Motorola, and obviously Apple, that Research in Motion’s tablet will still come bottom of the pile.

But to continue to support an already dead platform on a dying tablet is like throwing salt in the wound of an already squashed slug.

It’s not the best analogy I should have come out with, but you get the idea.

Granted, the PlayBook does support HTML5, at least giving the tablet a break from a major software update that would be necessary to effectively replace the world’s most used web plug-in. It saves on a lot of headaches down the line, which from the perspective of future proofing was not a far off move.

The Ontario-based company will have the ability to continue to develop Flash on its own moving forward, keeping a ‘healthy’ following of developers interested and supported — that is, if you considered the aforementioned slug analogy to be healthy.

The PlayBook never really stood a chance, stood in line like the nerdy, glasses-wearing kid next to its prom-queen older sister. Even when the PlayBook had a chance to shine, in its secure emailing client that emulated the BlackBerry enterprise encryption, the tablet launched without it. In effect, its most favourable feature was left behind its launch.

But the linchpin to the PlayBook has always been its less than desirable advertising.

Nearly all of the company’s advertising and marketing efforts have been on the fact the PlayBook, unlike the iPad, as the supreme competitor to all other tablets on the market, will support Flash-based content. Though it still will, and Flash will not suddenly drop off the edge of the planet in the next few months, the BlackBerry maker is going to have to think of a brand new marketing strategy.

At least now Research in Motion can advertise the PlayBook as something it should have been marketed as a long way back: “The most expensive paperweight you never needed in the first place”.

Source: ZDNet