Mobile Security Takes a Front Row Seat at MWC


Not too long ago, nobody really worried too much about mobile security. The worst thing that could really happen to your data on your phone, most people thought, was that you would lose the physical device and somebody could make calls or browse your address book. Today, however, with the proliferation of mobile malware that can do anything from uploading your contacts list to a remote server to sending pricey premium SMS messages on your behalf, as well as a general trend toward letting employees use a mobile phone of their own choosing, the issue of mobile security has become far more pressing. This trend was clearly on display at the Mobile World Congress in Barcelona this week, where numerous well-known security firms and even more startups showed off their latest products.

Security and Android

Most of these security products today focus on Android. To some degree, Google's mobile operating system provides the perfect breeding ground for malware, as its open nature allows users to install apps from numerous sources and stores besides Google's official app store. It's far easier then for a malware developer to create an app that exploits flaws in Android's security and get it into circulation than it would be for somebody who wants to create iPhone or iPad malware. Apple, after all, only lets users download from one store and exercises complete control over it.

Kindsight security demo

Earlier this week, I had a chance to talk to Brendan Ziolo, the VP of marketing at Kindsight. The Alcatel-Lucent spin-off provides desktop and mobile security products, but here in Barcelona, the company focused on its newly released mobile security tools for Android.

While there are now numerous Android security tools available, Kindsight takes a somewhat different approach than most of its competitors: it also works directly with mobile carriers to provide both software for end-users that can scan a phone for known malware and detection software that runs on the carrier's servers. The company is working with a number of mobile operators to bring its tools to their users, and there is a good chance that you will find its software on your phone at some point in the future. Given the nature of these deals, though, you may never know that it's Kindsight that is running in the background (the carriers are more likely to give it their own name).

What Hackers Can do With Your Compromised Phone

Ziolo showed me a demo of a malware app the company developed for Android. Just by installing a malware-infested clone of Angry Birds, a hacker could – within seconds of starting the app – start spamming your friends with SMS messages, download your address book, locate you and even get access to your phone's camera and see a live stream from it without you ever noticing it.

With the company's software running, of course, users quickly get an alert about what is happening and can then uninstall the application. The scan on the phone itself is similar to a standard anti-virus or malware scan you would run on your desktop. At the same time, the company's software on your carrier's servers also keeps an eye out for suspicious traffic and can even detect some malware it has never seen before.

While there has been some discussion over how widespread the Android malware problem really is today, most reports indicate that it's growing quite rapidly. As Kindsight's Ziolo also rightly pointed out, unlike the early days of desktop malware, hackers can now rely on an established infrastructure for selling personal information and other data, making the whole business even more attractive and lucrative for these criminals.

8:31 am

Good News/Bad News: Spam is Down, Malware is Up


Thanks to better spam filtering techniques, most of us probably don’t see too many ads for “herbal Viagra” and similar concoctions in our inboxes these days, but that doesn’t mean spam isn’t still a big business. According to the latest Threats Report by Intel’s online security firm McAfee (PDF), the overall amount of spam went down in the last quarter of 2011. One of the reasons for this, though, is that spammers have gotten a bit smarter and now use a more targeted – and sometimes even personalized – approach.

Spam Down (In Most Countries)

It’s worth noting, though, that while spam was down overall, there were a few countries, including the U.S. and Germany, where spam volume was up slightly compared to last year.


Malware Up

While spam is down, malware is still growing.

With regard to PCs, the overall growth rate of malware samples McAfee encountered in the last quarter slowed down quite a bit from previous years. At the same time, though, the number of unique malware samples the company found increased.

The company’s researchers also noted that they discovered about 9,300 malicious websites per day in Q4 compared to just about 6,500 in Q3. Most of these sites were hosted in the U.S., followed by the Netherlands, Canada, South Korea and Germany.

Android Malware Still on the Rise

Unsurprisingly, the largest growth area for mobile malware is Android. The last year and quarter were, in McAfee's words, “by far the busiest periods for mobile malware we have yet seen.” The largest growth area here is for-profit SMS-sending Trojans. To bypass the Android Market’s increased security measures, the malware authors apparently use forums and other outlets to distribute their wares.


11:15 am

Tweet Safer: Twitter Makes HTTPS the Default for All Users


The title really says it all. Last year, Twitter started giving its users the option to use HTTPS to keep their connections safe over unsecured Internet connections. Today, the company announced that it is now making secure SSL connections the default for all users.

HTTPS ensures that the traffic between the server and your browser is encrypted and can't easily be intercepted, for example over unencrypted wireless networks. It is essentially the same protocol you use when you access your online bank account.

With this move, Twitter is following in the footsteps of other companies like Google, which made HTTPS the default for all Gmail users in January 2010 and for all signed-in Google Search users in late 2011. Facebook, too, uses HTTPS whenever a password is sent to the service, but users have to manually activate secure connections for all of their other activity on the service.

In addition to making secure connections the default, the company also announced that it plans to improve HTTPS support on its web and mobile clients in the future.

2:04 pm

Adobe Puts Flash for Firefox in a Sandbox


Love it or hate it, Adobe's Flash plugin is likely one of the world's most widely distributed pieces of software. Given its popularity, it doesn't come as a surprise that Flash is also popular with hackers, who do their best to exploit flaws in it. Chrome and Internet Explorer 7+ users can already rest assured that hackers can't use Flash to compromise their browser, as the plugin runs in a sandboxed mode on Google's and Microsoft's browsers. Soon, Firefox users will get access to the same technology, as Adobe today announced the first public beta of its new Flash Player sandbox for Firefox.

With this new version of the Flash Player, Adobe is following the same playbook it used for making the Adobe Reader safer by implementing a sandbox and protected mode. Since the launch of Adobe Reader X, the company notes, there hasn't been a single successful exploit against it in the wild. According to Peleus Uhley, a senior security researcher within the Secure Software Engineering team at Adobe, Flash's "sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation."

It's worth noting that it has taken Adobe and Mozilla quite a while to bring this sandboxed version of Flash to market. Internet Explorer 7, after all, has had the privilege of running Flash in Vista's and Windows 7's Protected Mode since 2006.

For now, the beta only works for Firefox 4 and later and on Windows Vista and Windows 7. You can download the beta here.

2:59 pm

German Government: Use Chrome if You Want to Stay Safe Online


Google's Chrome browser had its worst month on record in January, thanks to being demoted in Google's own search results for breaking Google's own online marketing rules. Today, the Chrome team has something to celebrate, though: Germany's Federal Office for Information Security (the Bundesamt für Sicherheit in der Informationstechnik, or BSI) just announced that it is recommending Chrome as the safest browser on the market right now, especially thanks to its sandboxing and auto-update features.

The BSI is making this recommendation ahead of Europe's "Safer Internet Day" on February 7th.

Other Recommendations:

In addition to Chrome, which is the only browser the agency recommends, the BSI also recommends a number of other security products, including Microsoft's own anti-virus software Microsoft Security Essentials, Avira Free Antivirus and avast! Free Antivirus. The BSI also recommends the use of OpenDNS Family Shield to keep kids safe online and TrueCrypt for encrypting your data.

The agency also recommends Gmail, as it offers encrypted access to your email, even in the free version.

8:26 am

Google: That QR Login Page is Just an Experiment, “We’re Already Working on Something Better”


A nifty little undisclosed Google service made the rounds on the Internet today. By going to a specific website, Google would give you a QR code to scan on your phone and then let you log in to a desktop Gmail session without having to actually type your login credentials on the computer. Google had never announced this service officially. Now it's clear why. According to Google's Dirk Balfanz, a member of the company's security team, this was just an experiment and, says Balfanz, will likely go away at some point.

"We're Already Working on Something Better"

Google is, he says, always working "on improving authentication, and try out different things every now and then. We're working on something that I believe is even better, and when that's ready for a public trial we'll let you know."

Google has now also updated the login page with virtually the same message. As Balfanz notes on Google+, the team doesn't want people to start relying on an unsupported feature.

The web, of course, lit up earlier today when this service first appeared, thanks to a Google+ post by a non-Google programmer who stumbled upon the feature by coincidence. It's not often, after all, that somebody discovers an unannounced Google feature on the public web.

The interest in this service shows, though, that there is clearly a market for this, which will hopefully motivate Google to launch an official product with similar functionality in the near future.

Google smartphone message experiment

10:19 pm

Open Sesame: A Safer Way to Log In To Your Google Accounts


Google has introduced an interesting new way for logging into your Google accounts by just scanning a QR code on the screen and without having to actually type your password into a computer. To use this new feature, just head over to and a QR code will appear on your screen. Scan the barcode on your phone (you can use any app that can read QR codes for this, including the popular RedLaser app on the iPhone or Google's own apps).

This new log-in mechanism will be especially useful when you are using a public computer where you can't be sure that somebody hasn't installed a keylogger or a similar device.

Gmail login phone

The feature was first described by Walter Chang on Google+, though it's possible that this tool has been available for longer.

How it Works

Here is how it works: Google presents you with a one-time use barcode on the screen. You scan the code and your mobile scanner app will recognize that it's a link and take you to your mobile browser. Google will then ask you to type in your password on your phone and to confirm that you really want to log in on the computer, too. Once confirmed, your desktop browser will receive notice from Google that you are good to go and open a Gmail session for you.
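The flow described above, simulated as an added example in Python (this is not Google's code): the server mints a one-time code that the QR encodes, the phone checks the link's host before using it, the password and the confirmation happen on the phone only, and the desktop never holds anything but the code until the phone has approved. The host name, the 300-second code lifetime and the sample account are assumptions.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

LOGIN_HOST = "accounts.example.test"   # constructed host; the real service is not named here
CODE_TTL = 300                          # assumed lifetime of an unused code, in seconds


def token_from_url(url):
    """Phone side: accept the scanned link only if it points at the login host over HTTPS."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != LOGIN_HOST:
        return None
    return parse_qs(parts.query).get("t", [None])[0]


class LoginServer:
    def __init__(self, users, now=time.time):
        self.users = users      # username -> password; constructed sample accounts
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # one-time code -> {"created": ts, "user": None | name}

    def new_qr_login(self):
        """Desktop step: mint a one-time code; the QR code on screen encodes this URL."""
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"created": self.now(), "user": None}
        return f"https://{LOGIN_HOST}/qrlogin?t={code}"

    def _live(self, code):
        """Return the pending entry for a code, discarding it if it has expired."""
        entry = self.pending.get(code)
        if entry is None:
            return None
        if self.now() - entry["created"] > CODE_TTL:
            del self.pending[code]   # expired codes are dropped, never honoured
            return None
        return entry

    def phone_confirm(self, code, username, password, confirm):
        """Phone step: the password is typed on the phone, never on the desktop,
        and the user must explicitly approve the desktop login."""
        entry = self._live(code)
        if entry is None or entry["user"] is not None:
            return False
        stored = self.users.get(username, "")
        if not secrets.compare_digest(stored.encode(), password.encode()):
            return False
        if not confirm:
            del self.pending[code]   # declined: burn the code so it cannot be retried
            return False
        entry["user"] = username
        return True

    def desktop_poll(self, code):
        """Desktop step: returns a session once the phone has approved, else None."""
        entry = self._live(code)
        if entry is None or entry["user"] is None:
            return None
        del self.pending[code]       # single use: a second poll with the same code gets nothing
        return {"user": entry["user"], "session": secrets.token_hex(16)}
```

A keylogger on the desktop sees only the code and the resulting session cookie, which is exactly the residual risk the Hacker News discussion mentioned below points at.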


Now, obviously, as the good folks on HackerNews point out, if you are on a computer you don't fully trust, you can never be 100% sure that whoever installed a keylogger on the machine isn't also doing other nefarious things while you are logged in.

Still, this is definitely safer than just typing your password on a computer that isn't yours and may even add some extra security for those who sometimes have to work on unsecured WiFi networks as well.

10:26 am

MelonCard Helps You Reclaim Your Online Privacy


Guarding your privacy online is becoming increasingly hard, even for those of us who really want to keep our private information to ourselves. All across the net, information brokers have set up shop and will happily sell whatever private information they were able to gather about you to the highest bidder. This includes both marketing companies and services like Radaris that sell “background reports” to consumers. MelonCard, which officially became a member of startup incubator 500 Startups' latest class today, wants to help you regain control over your private information. The service checks which brokers have compiled a profile of you and your online activities and then allows you to purge your records with just a few clicks.

(Note: the site is going through some growing pains today, so it may be a bit slow or unavailable at times. Just keep trying or check back tomorrow if things don’t work today. It’s worth the wait.)


MelonCard’s Founders: Privacy Sucks

As the service’s founders Robert Leshner and Geoff Hayes note, “Privacy sucks. And by sucks, we mean, the state of privacy sucks, because there’s hardly any of it. Our personal information has made its way online, and it’s being distributed everywhere. Our cell-phone numbers, political views, criminal records, shopping transactions, favorite color, you name it, it’s online.”

Who Knows What About You?

Once you sign up for MelonCard, the service will ping the various online information brokers in its database (including RapLeaf, Acxiom, and Radaris) and give you an idea of the kind of information they have collected about you.

Once you decide you want to delete your information from one of these services, you just click the “remove” button, solve a CAPTCHA and you’re almost done. Depending on the information broker, you may have to confirm your request by email. So it’s not all automatic, but if you value your online privacy, it’s well worth the effort.

In total, MelonCard currently supports removal of your data from 16 providers (and they each may have multiple records for you, too), but only half of these are available with the service’s free plan. To purge your data from sites like PrivateEye, USA People Search or WhitePages, you have to subscribe to the company’s $7/month premium plan.

8:06 pm

Has Lulzsec Leaked Your Data Online? Here’s a Simple Tool to Check


Over the last few months, we witnessed the rise of a new hacker group that works under the name Lulzsec. So far, they have hacked into networks from organizations ranging from Sony BMG and Nintendo to PBS. In doing so, they have retrieved thousands of names, passwords and other personal data from unsuspecting users. While most hacking groups then go on to sell this information on the black market, Lulzsec regularly releases all of the data it collects online (they are, after all, just doing it for the ‘lulz’). Now, a new tool helps you to find out if any of your own personal data was made public in one of these leaks.

The above widget allows you to just type in your email address and see if any of your data is available in one of Lulzsec’s releases. It’s hosted by cloud hosting company cloudControl, but the author apparently wants to remain anonymous. Our friends from The Next Web assure us that there is no email harvesting or other shenanigans involved here, though. Update: For those worried about this widget harvesting emails, I have confirmed the identity of the developer and it does indeed do what it promises to do. The group behind this tool wants to remain anonymous to ensure they don’t get hacked by Lulzsec themselves.

We can safely assume that Lulzsec hasn’t released all of the data it has amassed yet. Just today, the group released another file with more than 60,000 email addresses and passwords. Chances are that this is just the tip of the iceberg.

[via: The Next Web]

6:50 pm

CloudFlare Wants to Make Your Site Faster and Safer


Eight months ago, CloudFlare launched its free content delivery network service, which I’ve been using on all of my sites since the day it became available. Today, at the TechCrunch Disrupt conference, the company announced its newest product: CloudFlare Apps. This new service allows CloudFlare users to install popular web apps like Apture, Typekit, Pingdom or web analytics software Clicky with just one click from their CloudFlare dashboard. The service will be available starting June 1.


5:42 pm

New Twitter Worm Promises to Tell You Who Unfollowed You


A new Twitter worm is spreading quickly this morning by pretending to tell users who has unfollowed them. By using this kind of smart social engineering (who wouldn’t want to know who these ungrateful people are?), this rogue Twitter app gains access to a user’s account through Twitter’s standard authentication mechanism. The worm also attaches currently trending hashtags to every one of these tweets, ensuring these messages get seen by an even wider audience.

A typical example of these scam tweets looks like this:

9 people have unfollowed me, find out how many have unfollowed you: [URL] #duringsexplease #youneedanasswhoopin

Graham Cluley at security firm Sophos took a closer look at the inner workings of this worm. Instead of telling users who unfollowed them (a service that some reputable companies actually offer), the service just brings up a typical online survey that pretends to offer users the chance to win a free iPad 2 or Gucci shopping spree. The scammers then, as Cluley notes, make money each time one of these surveys is completed (probably because they can harvest confirmed email addresses this way).

If you fell for this scam for some reason, head over to your Twitter account, click on Settings -> Connections and revoke access to the app. The worm uses different names for the “service,” but the most common are “App Services,” “Follow Finder” and “Data Machine.”


Image credit: Sophos

8:10 am

Paper: Android's Graphical Passcodes are Insecure


Most Android phones allow users to protect their phones from unauthorized access by drawing a pattern on their device’s touchscreens. According to a team of researchers from the University of Pennsylvania, however, these graphical passwords are actually extremely easy to crack, as “oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred.”

The team, which presented its findings during the WOOT ’10 USENIX workshop in Washington, DC, found that simply taking photographs of the screen with the right lighting and camera positions allows unauthorized users to guess a user’s security pattern.

If you think that just cleaning the screen regularly would prevent this, then think again. According to the researchers, “smudges are surprisingly persistent in time.” They found that “it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device.” In the team’s experiments, the pattern was partially identifiable 92% of the time and in 68% of cases, it was fully identifiable.

You can find the full paper here.

10:10 pm