STE WILLIAMS

Oh, those crazy Syrian hackers: Now Wash Post, CNN, Time vandalised


Syrian hacktivists claim they are the vandals responsible for scribbling over the websites of CNN, Time mag and The Washington Post yesterday.

But these latest boasts by the Syrian Electronic Army (SEA) are somewhat misleading, according to computer security experts who say that the hacking crew actually ransacked Outbrain – a marketing biz used by WashingtonPost.com, Time.com and plenty of others to provide links to related articles and stuff online.


It’s understood the miscreants, who back Syria’s President Bashar al-Assad, compromised Outbrain’s systems and hijacked those embedded links to point to the SEA’s website. Outbrain confirmed its security was breached, which it said was pulled off using phishing emails posing as messages to staff from its chief exec.

Marc Gaffan, co-founder of web security firm Incapsula, explained: “The cause of the breach was actually performed by sending phishing emails to all Outbrain employees which caused them to surrender their email passwords. With access to employee email accounts the hackers were able to obtain or reset passwords to the admin areas of the content marketing platform, leading to the visible part of the breach.”

“If Outbrain’s admin areas had two-factor authentication enabled on them, this could have been prevented,” he suggested.

In a statement, The Washington Post added that one of its staffers did have his Twitter profile compromised by the SEA earlier this week, but explained that the main aspect of Thursday’s hack relied on breaking into Outbrain’s systems:

Earlier this week the Twitter account of one of our journalists was compromised as part of a larger attack aimed at social media management group SocialFlow, and Thursday an attack on content recommendation service Outbrain caused some of our stories to redirect to the SEA homepage.

Outbrain responded to the hack by temporarily suspending its services. A detailed timeline on how the compromise unfolded can be found here.

The SEA, meanwhile, congratulated itself on drilling into Outbrain’s control panels on its official Twitter account:

Outbrain’s content-recommendation widget, embedded into web pages, is supposed to help internet publishers boost their online traffic. Users are offered links to articles and other stuff to read or watch. SEA foot soldiers alleged they obtained access to Outbrain’s email spools, but this remains unconfirmed.

The Syrian Electronic Army is a loose-knit hacker group loyal to President al-Assad. Its campaign of online disruption began in mid-2011, and has involved distributed denial-of-service attacks against servers, phishing emails to hoover up passwords, pro-Assad graffiti on websites, and spamming against governments, online services and media outlets that are perceived as hostile to the government of civil-war-torn Syria.

Its speciality is firing off spear-phishing emails to hijack Twitter accounts and other social-networking profiles run by media organisations and use the compromised logins to push links to pro-Assad propaganda.

Victims over recent months include Al Jazeera, the Associated Press, BBC, the Daily Telegraph, the Financial Times, the Guardian, Human Rights Watch, America’s National Public Radio, Thomson Reuters and more. Over recent weeks the group diversified into attacking the backend systems of VoIP apps, namely Viber and Tango. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/16/sea_outbrain_hack/

Fiendish fake Flash plugin squirts grumble-flick ads into kiddies’ websites


A fake Adobe Flash browser plugin that hijacks on-screen web adverts to tout hardcore smut is doing the rounds, we’re told.

The rogue add-on even slaps racy adults-only teasers on websites aimed at children, according to Jérôme Segura, a security researcher at antivirus firm Malwarebytes. The software nasty, named FlashPlayer11.safariextz, poses as a “Flash Player update” and is largely distributed via X-rated web portals and grumble-flick sites.


The file is downloaded from fplcdn.com, a domain registered at the end of last month; the registrant’s details in the WHOIS database appear to be fishy, said Segura. The Safari extension is also compatible with Firefox, Chrome and Safari but not Internet Explorer, according to tests by Malwarebytes.

“In addition to injecting adverts within every single page you visit, this malicious extension is capable of ‘hijacking’ legitimate ads and replacing them with its own,” Segura explained. “With such invasive adverts, cyber-crooks are likely to generate a lot of ‘views’ and even pay per clicks.”

Web surfers are urged to check the browser extensions installed on their computers, especially if they spot a serving of salacious plugs.

“If you believe you are seeing strange or inappropriate ads on the websites you regularly visit, it wouldn’t hurt checking the extensions installed in your browser and removing the offending ones,” Segura advised, adding that netizens can avoid getting hit by the scam by taking care to install software updates from vendors’ official websites.

The Safari component of the extension was not detected as malicious by any of the antivirus vendors listed in VirusTotal at the time Segura uploaded it. However, the executable used to hijack rival browsers was detected.

A write-up of the threat, together with screenshots, can be found in a blog post by Malwarebytes here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/16/fake_flash_browser_plugin_feeds_smut_ads/

Java Malicious App Alert System Tricked

Attackers can spoof information relayed by the Java 7 malicious app warning system.

So says programmer Jerry Jongerius, who has released a “Java Code Signing Failure” alert detailing how app names displayed by Java security dialog boxes can be arbitrarily changed.

Java first unveiled its malicious app warning system in April — to mixed reviews — with the release of Java 7 update 21. The system is designed to warn users not to execute any Java app that hasn’t been signed with a digital certificate. For signed apps, the warning system asks users if they want to proceed, and relays information to help them make their decision, including the name of the signed app, source and publisher.


Article source: http://www.darkreading.com/vulnerability/java-malicious-app-alert-system-tricked/240160654

Internet dating scam

Mother and daughter, Karen and Tracy Vasseur from Colorado, US, have been jailed for a total of 27 years after they tricked unsuspecting victims into thinking they were talking to members of the US military who needed money to be sent to them.

In total, the pair managed to con 374 people out of 1.1 million dollars with one victim stumping up as much as $59,000 according to court documents.

Authorities said the duo had other (yet to be caught) staff working for them who would trawl the internet looking for vulnerable people on dating sites or social networks.

They would then tell them they were part of the US military, serving in Afghanistan. Once they had established a relationship with their victim they would tell them they were in need of money for things like travel to the US, retrieving property and other expenses.

When a victim had agreed to pay, they were told to transfer the money to the two women who posed as ‘military agents’.

The money was then quickly passed on to other accomplices in Nigeria, the UK, India, UAE and Ecuador.

Tracy was ordered to spend 15 years behind bars, plus an extra four years for unrelated charges.

Karen received 12 years, to run concurrently with a 10-year sentence for tricking ‘at-risk’ adults into a fake loan scheme.

Colorado Attorney General John Suthers commented:

“Not only did this mother-daughter duo break the law, they broke hearts worldwide.

“It is fitting that they received stiff sentences for their unconscionable crimes committed in the name of love and the United States military,”

This sad story just acts as another reminder to be careful who you talk to online. When someone’s hiding behind a screen you can never be sure who they really are.

Be careful who you speak to, and *never* send money to someone just because they ask you to.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NQIH1OvbjFg/

Apple apps turned upside down writing right to left

Apple’s iOS and OS X are currently under what can only be described as a “jolly irritating attack.”

Certain text strings, when processed by the operating system’s CoreText rendering engine, cause the application that’s trying to display them to crash.

No-one has yet come up with a way to exploit these crashes for code execution, at least as far as I am aware, so they’re vulnerabilities of the fragility sort, rather than the you’re pwned type, but they’re still, well, jolly irritating.

The shortest string I’ve been able to come up with that provokes this bug is just eleven bytes long, and consists of six UTF-8 characters, one of which is a plain old space (hexadecimal code 0x20).

→ UTF-8 is a system for representing text that uses from one to four bytes per character. The bit pattern of each byte in a character tells you how big that character is, so moving backwards and forwards in a string is easy (you don’t need to keep re-calculating from the start of the string), and 7-bit ASCII characters are represented as themselves in one byte (so simple documents in plain ASCII don’t need converting, and don’t waste space).
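An added example, not part of the original article, of the property described in the note above: the high bits of each byte give the character's size, so a string can be walked forwards or backwards without rescanning from the start. The sample bytes are constructed and harmless, and the function names are made up for this illustration.

```python
# Added illustration: navigate UTF-8 using only the high bits of each byte.
# It checks structure (lead/continuation pattern) only; it does not reject
# overlong encodings or surrogates the way a full validator must.

# Constructed, harmless sample: 'a', space, U+00E9, U+20AC, U+1D11E
# (1 + 1 + 2 + 3 + 4 = 11 bytes, 5 characters).
SAMPLE = "a \u00e9\u20ac\U0001d11e".encode("utf-8")


def seq_len(lead):
    """Size in bytes of the character that starts with this byte."""
    if lead & 0x80 == 0x00:   # 0xxxxxxx: 7-bit ASCII, stored as itself
        return 1
    if lead & 0xE0 == 0xC0:   # 110xxxxx: two-byte character
        return 2
    if lead & 0xF0 == 0xE0:   # 1110xxxx: three-byte character
        return 3
    if lead & 0xF8 == 0xF0:   # 11110xxx: four-byte character
        return 4
    raise ValueError("0x%02x cannot start a UTF-8 character" % lead)


def is_continuation(byte):
    """True for 10xxxxxx, the pattern of every non-leading byte."""
    return byte & 0xC0 == 0x80


def char_starts(data):
    """Forward walk: byte offset at which each character begins."""
    starts = []
    i = 0
    while i < len(data):
        n = seq_len(data[i])
        if i + n > len(data):
            raise ValueError("truncated character at offset %d" % i)
        for b in data[i + 1:i + n]:
            if not is_continuation(b):
                raise ValueError("bad continuation byte after offset %d" % i)
        starts.append(i)
        i += n
    return starts


def prev_char_start(data, pos):
    """Backward step: offset of the character that ends just before pos.

    Only the bytes immediately before pos are examined; nothing is
    recalculated from the start of the string.
    """
    if not 0 < pos <= len(data):
        raise ValueError("position out of range")
    i = pos - 1
    steps = 0
    # A character has at most three continuation bytes after its lead byte.
    while i > 0 and is_continuation(data[i]) and steps < 3:
        i -= 1
        steps += 1
    if is_continuation(data[i]):
        raise ValueError("no lead byte found before offset %d" % pos)
    if i + seq_len(data[i]) != pos:
        raise ValueError("offset %d is not a character boundary" % pos)
    return i


def walk_backwards(data):
    """Character start offsets, found from the end of the string to the start."""
    out = []
    pos = len(data)
    while pos > 0:
        pos = prev_char_start(data, pos)
        out.append(pos)
    return out


if __name__ == "__main__":
    print(len(SAMPLE), "bytes,", len(char_starts(SAMPLE)), "characters")
    print("forward :", char_starts(SAMPLE))
    print("backward:", walk_backwards(SAMPLE))
```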

The crash strings I’ve seen and heard of all include Arabic characters, and Arabic is, of course, written from right to left.

But whether it’s the direction of the text, how the characters are combined and composited, or some other subtlety, I can’t yet tell you.

The problem with this problem is that it can quickly become disruptive, since an offending string can be placed by an outsider into all sorts of otherwise unexceptionable places where you might stumble across it by mistake: web page titles, email subject lines, even Wi-Fi access point names.

If the Apple application that tries to display the string uses the vulnerable rendering library code…

…down she goes.

And if the application tries to recover gracefully when it next loads, for example by reloading the web page it was busy with before…

…down she goes again.

In my testing, I ended up with Safari’s history loaded with a URL aimed at my Bad Page, provoking an HTTP reply no more threatening-looking than this:

HTTP/1.0 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 11

...the dreaded 11 bytes...

As long as my web server was running and a network connection available, relaunching Safari caused it to crash again at once.

What to do?

I tried what I thought was the obvious solution, namely removing the file:

~/Library/Safari/LastSession.plist

That file certainly referenced my dodgy URL, but removing it didn’t help, so I tried:

~/Library/Caches/com.apple.Safari

No use, but I fared better when I removed:

~/Library/Saved Application State/com.apple.Safari.savedState

That made Safari forget that it had ever heard of my crashy website, and let me browse again.

Apple notoriously likes to keep completely quiet about software problems until a fix is available, as it did with the equally amusing and embarrassing but less disruptive FILE COLON SLASH SLASH SLASH bug earlier this year.

In this case, therefore, let’s hope that Apple pumps out a fix pretty jolly quickly.

By the way, you can help make Apple aware of the impact of the problem by reporting this crash if it happens to you.

You’ll see something like this:

Choosing Report… will show you what happened, much like you see below, and ask if you want to Send to Apple:

Should you send the crash report in?

Apple assures you it’s anonymous, and although it reveals a little bit about you – your timezone, what sort of Mac you have, and more – I suspect you can send it off without too much concern.

(I’m guessing, but Apple probably learns less about you when you submit a crash report than a search engine does when you try to look for a solution to it.)

Apologies that I don’t have a general workaround or mitigation for you.

If I come across one, I’ll post it here or in the comments.

In the meantime, applications that get derailed by a CRASH: GOTO CRASH loop, like my Safari did, can probably be pointed in the right direction by digging around in the ~/Library directory, as I showed above.

Oh, and as far as browsing is concerned, while Chromium is affected, Firefox isn’t.

Firefox is currently enjoying a really strong lead in our “which browser do you trust” poll – perhaps you’ve just found another reason to try it out.

Bonne chance.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jf00Dk41wyk/

Facebook to include profile photos in its facial recognition database?

Facebook has published a summary of the updates it’s proposing to make to its Data Use Policy and Statement of Rights and Responsibilities which shows a large volume of rewriting.

Most of the changes are minimal, but one area has caught people’s attention – photo tagging.

Facebook has highlighted how it plans to use members’ profile pictures as an identification tool to allow their friends to tag them in photos.

Apart from in Europe where it has been suspended, when you currently upload a photo to Facebook it uses facial recognition and current tags to suggest tags for those people who appear in the picture.

This proposed new update will allow the social network to take this one step further, by also allowing facial recognition of your main profile picture as a key indicator of your likeness on the service.

We are able to suggest that your friend tag you in a picture by scanning and comparing your friend’s pictures to information we’ve put together from your profile pictures and the other photos in which you’ve been tagged.

Facebook’s chief privacy officer Erin Egan, unsurprisingly, thinks this is a good thing.

She believes additional tagging will afford users a higher level of control over their personal information because it will make it easier for them to identify posted photos in which they appear. They will then have the option of either de-tagging or reporting photos which they are unhappy about.

Egan also said that any Facebook users who feel uncomfortable with facial recognition in general can opt out of the tag suggesting feature completely, including the use of profile pictures.

But for those who don’t opt out, Egan discussed how facial recognition could evolve further in the future:

Can I say that we will never use facial recognition technology for any other purposes? Absolutely not. [But] if we decided to use it in different ways we will continue to provide people transparency about that and we will continue to provide control.

Facebook’s facial recognition tool has always been controversial since its initial introduction in 2010.

The Irish Data Protection Commission warned in 2012 that it could fine the network up to £80,000 as it reviewed the company’s compliance with Irish and EU privacy laws. Facebook responded by suspending facial recognition in Europe where it remains unavailable to this day.

Other changes to the site’s governing documents include clarification on the use of member details within Sponsored Stories after the settlement of a lawsuit earlier in the week which covered the use of members’ data in advertising campaigns:

We may use your name, profile picture, content and information in connection with ads or commercial content

Facebook users have seven days in which to read the company’s new proposals and provide feedback on the changes.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UdzdCkVlVeo/

China mulls probe into IBM, Oracle, EMC after NSA hack claims


China is reportedly preparing to look into NSA whistleblower Edward Snowden’s claims that US spooks hacked into IBM, Oracle and EMC products sold to the Asian nation’s universities.

The three American corporations could face a probe by Chinese police and government officials on the subject of “security issues”. The investigation would come in the wake of Snowden’s allegations that the trio’s kit was compromised by Uncle Sam’s PRISM programme of mass global surveillance of foreigners.


News of the potential probe comes from Reuters, which cites quotes in the Shanghai Securities News, although the original piece from the state-run newswire seems to have vanished.

The action will be undertaken by China’s Ministry of Public Security, according to the newswire. The ministry has declined to comment on the reported probe.

It was former NSA contractor Snowden who revealed the existence of the US National Security Agency’s PRISM, an impressive operation for collecting personal communications and messages of foreigners, purportedly in the US national interest.

Snowden’s leaked NSA documents and the Washington Post’s report made repeated reference to US companies such as Microsoft, Google, Facebook and Yahoo!, which operate online voice and data services.

But it seems China has turned its attention to the US-based enterprise computing trio – companies with diverse operations but which overlap in the areas of storage, information access and hardware.

According to one unnamed source in the Reuters report: “At present, thanks to their technological superiority, many of our core information technology systems are basically dominated by foreign hardware and software firms, but the PRISM scandal implies security problems.”

The report echoes anxieties in the West over the connections that Chinese tech companies – specifically Huawei and Lenovo – have with the People’s Government and the Red Army, especially when they are running growing chunks of critical national infrastructure. Huawei has denied there is any cause for concern, and has called claims of snooping “tired, unsubstantiated” and “racist corporate defamation”.

Ironically for Oracle, its chief executive Larry Ellison this week came out in support of NSA snooping. On US TV programme This Morning Ellison called US domestic surveillance “great” and “essential” to minimising attacks like the Boston Marathon bombing in April. Which, of course, took place despite the existence of Prism’s carte blanche data schlup.

Separately, meanwhile, industry group the Cloud Security Alliance last month warned that US companies are losing orders from foreigners alarmed about NSA spooks’ ability to access their data and communications.

The Register has contacted IBM, Oracle and EMC for comment, but they’ve yet to get back to us. We’ll update if we hear a response. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/16/ibm_emc_oracle_prism_probe/

NSA coughs to 1000s of unlawful acts of snooping on US soil since 2008


The NSA violated privacy laws thousands of times in the last five years by spying on US citizens, an internal audit by the super-snoopers has disclosed.

The Washington Post reports that the intelligence agency also overstepped its legal remit since Congress gave it broad powers in 2008.


Most of the violations involved unauthorised surveillance of Americans and foreigners in the US. Problems arose thanks to clumsy operator mistakes, insufficient or inaccurate research, failures to follow the correct procedures and even typos.

Meanwhile, system errors led to further problems, such as failures to recognise foreign phone users who roamed onto US soil but whose data was hoovered up anyway.

An NSA internal audit, leaked to the Washington Post by former NSA contractor turned whistleblower Edward Snowden, logs 2,776 incidents of “unauthorized collection, storage, access to or distribution of legally protected communications” in the year to May 2012.

Most were accidental mishaps where procedures were not followed correctly, but some involved violations of a court order – such as a February 2012 incident involving the unauthorised retention of 3,000 files that a surveillance court had ordered the NSA to destroy.

Violations include unauthorised access to intercepted communications and the use of automated systems without built-in safeguards to prevent unlawful surveillance.

NSA ‘marking its own homework’

The audit only covers figures from the NSA’s Maryland headquarters and Washington DC offices and not those from its regional collection centres.

In some cases, the NSA decided that it didn’t need to report the unintended surveillance of US residents and citizens. One glaring example of unreported dragnet overreach occurred in 2008 when a programming error resulted in the interception of a large number of calls made in the Washington DC area: buggy software confused the US telephone area code 202 with intentional calls made to Egypt (country code +20).

In another case the Foreign Intelligence Surveillance Court was not told about a data collection programme run by the NSA until months after it was up and running. The court eventually ruled in October 2011 that hoovering up international communications passing through fibre-optic cables in the United States was unconstitutional because Americans’ emails and other net traffic were collected. The agency was ordered to drop the collection programme within 30 days unless it figured out a way to filter out US citizens’ traffic.

Evading official scrutiny

Another leaked document instructs NSA analysts about how to explain their targeting decisions without giving “extraneous information” to overseers in the Department of Justice, Congress or the special court that scrutinises surveillance. NSA personnel are “instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence”, the Post reports.

This relates to an internal NSA document [PDF] that offers rationales for targeting and provides examples of the kinds of people the NSA may spy on – and that’s besides amassing 1.6 per cent of the world’s net communications. The document makes for an interesting read.

Other training files explain that analysts do not need to report “incidental” collection of data from US citizens, green-card holders or companies to the NSA Inspector General because (in the opinion of the NSA) it is not deemed a violation of the rules.

Signals intelligence spooks are allowed to use anonymised sets of data routinely, and with supervisory permission they may unmask the identities of US persons in reports to the agency’s clients, such as the CIA and US military, among others.

FISA judge: We can’t investigate non-compliance

In response to the Post’s revelations about its violation of privacy rules, the NSA said it attempts to identify problems “at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down”.

“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official told the Post in an interview.

The chief judge of the secret court tasked with overseeing the NSA’s dragnet surveillance said his court’s powers of scrutiny are limited because it is reliant on government reports of improper spying. There is no independent verification, the Post reports.

“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of non-compliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”

The judge’s frank admission pulls the rug out from under repeated assurances from President Obama and his officials that the secret intelligence court provides robust oversight of government surveillance. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/16/nsa_internal_audit_privacy_violations/

Card-cloning crooks use 3D printers to make ever-better skimmers


Cybercrooks in Australia are using 3D printers and computer-aided design software to manufacture ATM skimming devices.

New South Wales Police recently arrested and charged a Romanian national with fraud involving the use of an ATM skimmer made on a 3D printer to fleece Sydney residents, Australia-based iTnews reports.


Police in Sydney set up a dedicated taskforce in June after recording an increase in cash machine theft offences.

The taskforce identified one gang that targeted 15 ATMs across metropolitan Sydney, affecting tens of thousands of people and stealing around AU$100,000 (US$92,000).

Commander of the NSW Fraud and Cybercrime Squad, Detective Superintendent Col Dyson, told iTnews the gang was using 3D printers and CAD technology. Two unnamed banks are being targeted.

“These devices are actually manufactured for specific models of ATMs so they fit better and can’t be detected as easily,” Det Supt Dyson explained.

“Parts of the devices are internally fitted, either by the offenders moving part of the slot and replacing it with their own, and pushing circuitry into the machines. [Another model] is so small it’s entirely self-contained and entirely pushed in, with some force, into the card slot.”

Skimmers are designed to fit around the card slot of cash machines in order to read and extract data from the mag stripe of cards as they are pushed into a compromised machine. The devices are often used in conjunction with a hidden miniature pin-hole video camera, or an unobtrusive keypad overlay, to record PIN data.

The collated information, sent to fraudsters using mobile phone technology or stored for later retrieval, provides enough data to clone a magnetic-stripe-only credit card. Fake cards are then used in combination with stolen PIN information to make fraudulent withdrawals. Pictures of hardware-based ATM skimming devices, fake cash machine fascias and more can be found in a blog post by cybersecurity blogger Brian Krebs here.

Skimmers have been used by fraudsters for years but introducing 3D manufacturing into the process has obvious advantages to cybercriminals, according to veteran IT security expert Paul Ducklin.

“Crooks can quickly try a new design (or tweak an old one) in order to make their devices as surreptitious as possible,” Ducklin explains in a post on Sophos’s Naked Security blog. “The better a skimmer fits, the more smoothly it blends with the ATM’s shape, and the closer the colour, the more likely it is to go unnoticed.”

“Also, 3D printouts can be made on demand, so that the crooks can quickly replace skimmers that have been detected, removed and destroyed,” he adds.

Previous controversial uses for 3D printers have famously included blueprints for “printing” parts for firearms at home. Home-made plastic gun parts routinely snap under the stresses of firing, if they work at all, but that hasn’t stopped the issue of the “Liberator” 3D-printed pistol and derivatives from creating a media fire fight storm.

In response, Danish 3D printer maker Create It Real has decided to ensure [PDF] its products can’t print a gun. Manufacturers might conceivably decide to do something similar to prevent 3D printers from being used to manufacture ATM skimmer parts.

One blacklisting snag might be that while blueprints for the Liberator gun are out there in public, any CAD design for an ATM skimmer would be a closely guarded secret.

If preventing the abuse of 3D printers isn’t an option, we can at least attempt to bolster consumer awareness about the threat posed by ATM skimmers.

A video from the Queensland Police Service stars Fiscal the Fraud-Fighting Ferret, who tells consumers how to spot ATM skimmers and guard against the possibility of fraud when using cash machines.

The use of ATM skimmers is a problem worldwide. Extensive background information on the problem in Europe can be found on the European ATM Security Team’s website here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/16/3d_printed_atm_skimmers/

Fooling the AppStore one code-chunk at a time


A group of researchers presenting at Usenix last week turned up a startling new way to sneak malicious apps through the AppStore and onto iOS devices. By spreading malicious chunks of code through an apparently-innocuous app for activation later, the researchers say they were able to evade Apple’s test regime.

The Georgia Tech-led team’s aim, described in this paper, was to create code that could be rearranged after it had passed AppStore’s tests. That way, the code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.


For their proof-of-concept, the researchers created an app that operated as a Georgia Tech “news” feed. They explain that the malicious code was distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. “After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together”, they write.

The instructions for reassembly of the app arrive through a phone-home after the app is installed.

The researchers continue that “despite running inside the iOS sandbox, [the] Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.”

Long Lu, a Stony Brook University researcher who took part in the project, explained to Technology Review that the exploit exists because apps only run in the Apple test suite “for a few seconds”.

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu told Technology Review. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/19/fooling_the_appstore_one_codechunk_at_a_time/