STE WILLIAMS

Custom Features Incur Security Flaws In Popular Android Smartphones

It’s not the Android app stores that you need to worry most about: the biggest security weaknesses in most Android smartphones today are the custom apps and features that come packaged with the devices, new research shows.

Those are some of the findings from researchers at NC State, who recently studied how custom vendor features on Android smartphones affect the security of the devices. Some 60 percent of all vulnerabilities the researchers found in popular smartphone models were due to what the researchers call “vendor customizations,” or features the smartphone manufacturers tweak or include with the phones.

Another shocker: newer smartphone models aren’t necessarily more secure, according to the NC State researchers Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, and Xuxian Jiang, who will present their research tomorrow at the ACM Conference on Computer and Communications Security in Berlin, Germany.

“We all know that Android, though popular, has one major problem: fragmentation. Among other [things], vendor customizations play a key role in contributing to the fragmentation,” Jiang said in an email interview. “We are interested in better understanding how vendor customizations will impact overall Android security.”

[Google Android’s single sign-on feature ‘weblogin’ convenient but risky to an organization’s Google Apps, DEF CON researcher shows. See One Hacked Android User Can Lead To An Enterprise Breach.]

Jiang and his team studied Android Version 2.X and Version 4.X models from Samsung, HTC, LG, Sony and Google – specifically, the Samsung Galaxy S2 and S3; the HTC Wildfire S and One X; the LG Optimus P350 and Optimus P880; Sony Xperia Arc S and Xperia SL; and the Google Nexus S and Nexus 4. Some 80 percent of the apps on those phones were pre-loaded and customized by the smartphone manufacturers; all 10 devices were vulnerable due to those pre-loaded apps.

Jiang says the team’s research uncovered other surprising trends: on average, 85 percent of these pre-loaded apps have more privileges on the device than they need, thanks to vendor customization. That means an app is granted permissions it never actually uses, such as the ability to send SMS messages, record audio, or make phone calls without the user’s involvement.

The Android Version 2.x phones each contained an average of 22.4 vulnerabilities, and the newer Version 4.x phones, an average of 18.4 vulnerabilities.

Upgrading to the newest smartphone model doesn’t necessarily help security-wise, the researchers found. Every time the vendor customizes more features on the phone, it opens the door for more security flaws. “While a newer Android phone may run a newer version of OS, which might already fix vulnerabilities present in older versions, vendor customizations, however, being significant on these devices, could still introduce additional vulnerabilities into newer phones,” Jiang says.

Of the Android 4.x phones, the Google Nexus 4 performed the best, with just three total vulnerabilities, and the Galaxy S3 fared worst, with 40 total bugs. That was only a slight improvement overall from the Android 3.x phones, however, where the Google Nexus S and the Sony Xperia Arc each had eight flaws (the lowest), and the HTC Wildfire S had 40 flaws, and the Samsung Galaxy S2, 39.

Buyers can’t do much about these pre-loaded apps, Jiang says, but smartphone manufacturers can step up by taking security and privacy more seriously in their designs. He says they should adopt the least-privilege principle when building apps and conduct white- and black-box vulnerability analysis to find and fix bugs.
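The over-privilege finding above (pre-loaded apps declaring permissions they never use) and Jiang’s least-privilege recommendation both come down to one check: compare the permissions an app declares in its manifest against the permissions actually required by the framework APIs its code calls, and report the surplus. The script below is an added illustration of that check, not code from the NC State paper or from Dark Reading. The manifest, the list of API calls, the app package name and the API-to-permission map are all constructed for the example; a real audit would use a complete permission map and the API calls recovered by static analysis of the app’s bytecode.

```python
"""Over-privilege check for a pre-loaded Android app (added example).

Parses the <uses-permission> entries of an AndroidManifest.xml, computes the
permissions needed by the APIs the app's code actually calls, and reports the
declared-but-unused surplus. Everything below marked 'constructed' is sample
data for the illustration, not data from the study.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, deliberately small map: framework API -> permission(s) it needs.
# A real audit needs a full map derived from the Android framework source.
API_PERMISSION_MAP = {
    "android.telephony.SmsManager.sendTextMessage": {"android.permission.SEND_SMS"},
    "android.media.MediaRecorder.start": {"android.permission.RECORD_AUDIO"},
    "android.location.LocationManager.getLastKnownLocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "java.net.HttpURLConnection.connect": {"android.permission.INTERNET"},
}

# Permissions the article singles out as abusable when granted needlessly.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}

# Constructed manifest for a hypothetical vendor weather app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>
"""

# Constructed result of a hypothetical static scan of the app's code:
# the only permission-guarded APIs it calls are network and coarse location.
SAMPLE_API_CALLS = [
    "java.net.HttpURLConnection.connect",
    "android.location.LocationManager.getLastKnownLocation",
]


def declared_permissions(manifest_xml):
    """Return the set of permissions declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def required_permissions(api_calls, perm_map=API_PERMISSION_MAP):
    """Union of permissions needed by the APIs the app actually calls.

    For APIs that accept any one of several permissions (coarse or fine
    location here), every alternative counts as 'used', so declaring either
    one is not reported as surplus.
    """
    needed = set()
    for call in api_calls:
        needed |= perm_map.get(call, set())
    return needed


def over_privilege_report(manifest_xml, api_calls, perm_map=API_PERMISSION_MAP):
    """Return (surplus, high_risk_surplus).

    surplus: permissions declared but required by no API the app calls.
    high_risk_surplus: the subset of those the article flags as abusable.
    """
    declared = declared_permissions(manifest_xml)
    needed = required_permissions(api_calls, perm_map)
    surplus = declared - needed
    return surplus, surplus & HIGH_RISK


if __name__ == "__main__":
    surplus, risky = over_privilege_report(SAMPLE_MANIFEST, SAMPLE_API_CALLS)
    print("Declared but unused:", sorted(surplus))
    print("High-risk unused:   ", sorted(risky))
```

For the constructed weather app the report lists SEND_SMS, RECORD_AUDIO and CALL_PHONE as declared but unused, all three in the high-risk set; the coarse-location permission is not flagged because the location API it calls accepts either coarse or fine location. Treating "any one of several" permissions as all used keeps the check conservative, which matters in white-box review where a false "surplus" finding would push developers to drop a permission the app genuinely needs.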

“Through this study, we hope to highlight the need for heightened focus on security by the smartphone industry. And the work was supported in part by the US National Science Foundation,” Jiang says.

The full NC State research paper, titled “The Impact of Vendor Customizations on Android Security,” is available here (PDF) for download.


Article source: http://www.darkreading.com/vulnerability/custom-features-incur-security-flaws-in/240163598

New Security Software For Businesses With 20 Employees Or Less From Kaspersky Lab

Woburn, MA – November 5, 2013 – Kaspersky Lab has announced a new version of Kaspersky Small Office Security, the company’s security solution built specifically for businesses with fewer than 25 employees. This solution includes new features that help small businesses stay ahead of modern security challenges, and includes Kaspersky Lab’s latest anti-malware technologies in an easy-to-use product that doesn’t require business owners to be IT experts.

According to IDC estimates, there are more than 75 million businesses worldwide that operate with fewer than 10 employees[i]. These “very small businesses” will process millions, if not billions, of dollars in 2014. Yet this segment has been traditionally under-served by IT security vendors that don’t offer products with these businesses in mind. As a result, business owners have been forced to use consumer-level products that don’t adequately meet their business needs, or stripped-down versions of enterprise-level products that are cumbersome to manage and force businesses to pay for security features they will never use. Small business owners can find valuable resources, videos and tips for selecting the right security solution on Kaspersky Lab’s new small business web page.

Kaspersky Small Office Security is designed to cater solely to the needs of these small businesses, combining powerful protection from cybercrime with the features small businesses need to compete in the global economy. Most importantly, Kaspersky Small Office Security is simple to install and manage, and offers incredible value in both purchase costs and administration time. This simplicity allows business owners to equip themselves with world-class protection without taking their focus away from running their companies.

What’s New in Kaspersky Small Office Security

Kaspersky Lab solidified its commitment to the very small business segment in 2010 with the company’s first stand-alone version of Kaspersky Small Office Security. It was then the industry’s first complete security solution built specifically for startups and growing businesses, and it is a distinction that still remains true in 2013. Kaspersky Lab has continued to improve and refine its offering over the past several years, which has earned numerous awards from third-party test organizations, including Dennis Technology Labs in 2012 and 2013. In fact, Dennis Technology Labs’ latest report, published in October 2013, ranked Kaspersky Small Office Security as the most accurate and effective anti-malware solution for small businesses, well ahead of four competing products. Built on the same award-winning platform, the latest version of Kaspersky Small Office Security includes several brand new features, and a host of technology upgrades and improvements, including:

Safe Money to Protect Online Banking – By automatically activating new layers of protection when users are conducting financial transactions online, businesses can now pay invoices, make purchases, and access online financial data with peace of mind. Kaspersky Lab’s award-winning Safe Money technology automatically activates an ultra-secure web browser whenever the user visits a financial site, such as an online bank or payment service. The Safe Money browser ensures no unauthorized programs can run and on-screen data is protected from key-loggers and screen-capture malware. Safe Money will also verify that the website users are connected to is authentic and has a valid certification to defeat phishing attempts, and constantly monitors the connection to ensure information is not intercepted by cybercriminals.

Enhanced Mobile Device Support – Small businesses are not immune to the challenges of protecting a mobile workforce and the fast-growing BYOD trends. Kaspersky Small Office Security now includes support for Android tablets and smartphones, equipping these devices with an array of anti-malware, web browsing protection, and privacy controls. Most importantly, these devices will now have Kaspersky Lab’s latest anti-theft technologies, allowing employees to find missing mobile devices, or remotely wipe the data from stolen mobile devices.

Automatic Exploit Prevention – This unique technology prevents cybercriminals from using emerging vulnerabilities in legitimate software, commonly known as Zero Days, to launch malware attacks. By proactively monitoring the behavior of commonly-exploited software, such as Adobe and Java, Automatic Exploit Prevention will protect customers from undiscovered exploits and ensure customers are protected even if the latest updates to their legitimate programs have not yet been installed.

Password Manager – Secure passwords are a foundation for secure computing, yet all too often, users take the more convenient options of using simple passwords, reusing the same passwords for multiple accounts, or keeping a list of their passwords on a piece of paper next to their desk. With a password manager, employees can get back on track with good password habits, and only need to remember a single “master password.” Kaspersky Password Manager will store passwords in an encrypted vault, and automatically fill-in the correct password when needed. It can also create customized secure passwords for new accounts so employees won’t be tempted to re-use existing passwords, and enables employees to create a secure portable version of their password vault on a USB drive.

Online Backup – Small businesses can now automatically save their critical data securely in the cloud or to a local hard drive or server. By making the backup process simpler, small businesses can be assured their most important business plans, financial records, and customer data will remain accessible in case of equipment failure or accidental deletion.

Protection and Control with Ease

The most compelling feature of Kaspersky Small Office Security is its ease of use, which makes advanced protection technologies accessible and straightforward for small business owners. By de-mystifying features like data encryption and web policy controls through wizard-driven menus and one-click options, Kaspersky Small Office Security makes the benefits of web usage policies, data encryption, and central management available to businesses of all sizes.

Web Policy Management – Business owners can easily customize each employee’s ability to access websites, social networks, and applications. This can include individual websites, or entire categories of websites that are classified by Kaspersky Small Office Security.

Data Encryption and File Backup – Not only can business owners enable automatic file backups on each PC at scheduled intervals, but the files on both the PC and the backup storage can also be protected with powerful encryption settings. Data encryption ensures that the most sensitive data in a business – such as product designs and customer financial information – is never vulnerable to theft, unauthorized access, or accidental deletion.

Central Management – From any PC on the network, owners can remotely manage the security settings described above on every employee computer, along with additional management capabilities such as license renewal, monitoring of security settings, and more.

Kaspersky Small Office Security supports up to 25 user licenses per business, which includes PCs (Windows XP through Windows 8), file servers, and Android smartphones and tablets. Each user license includes protection of 1 PC and 1 mobile device, so businesses that purchase protection for 10 employees can protect 10 PCs and 10 mobile devices. Kaspersky Small Office Security also supports popular Windows file servers, including Windows Server 2008 R2; Small Business Server 2011 Essentials/Standard; and Windows Server 2012 Foundation/Essentials/Standard. Kaspersky Lab will include support for Windows 8.1 and Windows Server 2012 R2 later in Q4 2013.

Kaspersky Small Office Security is available for purchase at computer retailers and the Kaspersky Lab e-store. Kaspersky Small Office Security can also be purchased through local authorized Kaspersky Lab resellers, who can provide hands-on assistance with installation and configuration, as well as future support.

QUOTES:

Chris Doggett, Senior Vice President of Corporate Sales

Kaspersky Lab North America

“Small and mid-sized businesses are primary drivers of the North American economy, and unfortunately, cybercriminals have ‘followed the money’ by targeting even the smallest businesses which often lack the necessary protection to secure their finances and business data. With Kaspersky Small Office Security, we’re eliminating any barriers that could make a very small business owner think our premium protection is too advanced or too costly for them to use. Kaspersky Lab remains committed to providing the best protection for SMBs and Enterprises alike, and this latest product for very small businesses remains a truly unique offering in the market.”

Nikolay Grebennikov, Chief Technology Officer

Kaspersky Lab

“Kaspersky Small Office Security is one of our company’s best examples of combining the IT security industry’s best protection technologies into a form that anyone with even modest computer knowledge can easily understand. Shortening the learning curve has always been a priority for our small business products, and the latest version of Kaspersky Small Office Security ensures business owners can purchase the product on their lunch break, and have it fully installed across their business by end of day.”

Article source: http://www.darkreading.com/end-user/new-security-software-for-businesses-wit/240163592

IT Security From The Eyes Of Data Scientists

As IT security leaders try to base more of their day-to-day decisions on statistical analysis of relevant data coming from IT infrastructure and business processes, they’re running into a skills and resource gap. Oftentimes security teams have lots of specialists with deep technical knowledge of attack techniques and trends, but they frequently lack the skills to aggregate and manipulate data in order to draw meaningful conclusions from statistical trends. As the speed and volume of security data continue to mount, so will that gap, which is why many within the industry believe that in the coming years an IT security team will not be complete without at least one data scientist among its ranks.

“In the past, it’s always been us who’s been behind the game, trying to catch up with the attackers’ techniques,” says Dan Mitchell, product manager of data sciences for RSA The Security Division of EMC. “I think data science gives us the opportunity to get ahead of the attackers and have them be behind for a change.”

Mitchell is among a growing legion of data scientists active within the IT security community, and one of several that Dark Reading caught up with to get their views on the value their colleagues bring to the table, why enterprises need to employ more of them, and how organizations can develop talent and embed these experts into their security practices.

The complex chain of techniques that attackers today use to infiltrate IT resources and steal data makes it absolutely critical that security teams spot trends and connect behaviors that span across IT infrastructure, user groups and geographical locations.

Doing that requires security teams to have experts who can manipulate data, visualize it and draw conclusions from it. Not only that, the team needs to be able to build infrastructure to store data, normalize it and develop models that can answer the burning questions security analysts have about anomalies that may indicate compromise—and that infrastructure should preferably be designed to do it all automatically.

This is the exact kind of expertise a data scientist brings to the table, says Ram Keralapura, data scientist for Netskope, a cloud apps analytics and policy creation company, who explains that the CISO and data scientist have the opportunity to form a symbiotic relationship.

“Security officers have a very good understanding of the outcome they want and have identified their problems—they want to know specific kinds of information about certain kinds of anomalies or activities that are happening in their enterprise, but they don’t always know how to get that information,” says Keralapura. “Data scientists are the right people to bridge this gap and provide the insights that these security officers need in order to make more informed decisions.”

What’s more, Mitchell explains that someone with his type of expertise can help break down a lot of the silos that currently exist in the security realm.

“So, because the security industry has become so fractionalized in terms of specialty areas, data science offers a way to bring specific domain expertise and then combine that with things like machine learning, mathematical modeling and manipulating data to solve problems that extend across all specialties,” he says. “It’s really about creating the whole picture.”

[How do you know if you’ve been breached? See Top 15 Indicators of Compromise.]

Whereas in the past a lot of the mathematical minds in security tended to gravitate towards specialties like encryption or authentication, Mitchell believes that many will be diverted into data science.

“There’s so much more we can do mathematically to solve our problems,” he says. “I think you’re going to see more and more of that. It’s a larger trend.”

Many vendors have already been leading the trend of hiring and training more data scientists to develop analytics-based security products, but the role of the data scientist should also be a staple within enterprise IT security teams.

“The reason I think that businesses also have to be hiring data scientists is that in security especially, a large component of the practice is data about your particular environment,” says Michael Roytman, data scientist for Risk I/O, a vulnerability threat monitoring vendor. “A lot can be done to use that data to narrow down where you should be focusing on your security risks and that’s where an in-house data scientist plays a part.”

And, says Keralapura, it really should be a full-time role. There are several big reasons for this, he says. First, in order to develop predictive models about the enterprise’s specific data, the data scientists need to develop long-term relationships with security experts on staff and deal with data on a day-to-day basis. Second, in order to accomplish real-time detection, they’ll need to be around to help with response in real time. And third, a full-time data scientist is crucial to helping with forensics problems that could pop up at any time.

“When a problem happens and you need to look at data right away in order to identify what it was, why did it happen, how did it happen, and all of these different dimensions that need to be answered,” says Keralapura. “These things keep happening all the time.”

As enterprises seek out those with a data science background, there are two big skill sets they should be looking for. The most obvious is a high degree of mathematics and statistical analysis. The second is the coding chops of a hacker.

“You are going to want people that have some hacking ability to put things together quickly. A lot of it is going to be about changing the view quickly and some developers may know how to program well in a long development cycle,” says George Ng, data scientist for YarcData, a Cray company that focuses on graph analytics. “But if someone is trying to steal your data, the pattern isn’t something you already have in production to look for—it’s something you develop on the fly.”


Article source: http://www.darkreading.com/it-security-from-the-eyes-of-data-scient/240163616

We need to start defining acceptable mobile advertising

Image of mobile and hand courtesy of Shutterstock.

Advertising supports a large chunk of the apps we use on our mobile devices. A raft of simple advertising frameworks are available that allow even the most basic app developer to make a few pennies by dropping adverts into their apps.

But without oversight, the behaviour of these frameworks risks crossing all manner of privacy and security lines, so perhaps it’s time to pin down just what is acceptable from mobile advertising, and what we would consider inappropriate.

While many people are OK with paying for some apps, particularly professional tools and high-grade games, for most simple apps we expect there to be at least one free alternative to the more feature-rich paid items.

Advertising makes this massive free ecosystem possible. We have to accept this, and most people are happy to allow a reasonable level of advertising in return for not paying (at least directly) for their apps.

The mobile app space has developed at an incredible rate though, with limited controls imposed on how things work and what is permitted – at the moment, beyond some limited rules from the platform providers who manage the main app sources, pretty much anything goes.

This has allowed advertisers free rein to design their advertising as best suits them. Whatever can be done will be done soon, if it hasn’t already been tried, with the only real check being feedback from users, who may or may not fight back against the most egregious and intrusive techniques by not using bad apps, or giving them bad reviews on the app stores.

In many cases this is not a sufficiently strong deterrent against bad behaviour though. App store operators seem unwilling to take action against aggressive advertisers, at least until they’ve already hit millions of devices for their valuable data.

For the most part it’s quite clear what advertising is doing. When we see periodic splash screens, or advert bars showing up on certain sections of the screen when an app is running, it’s pretty obvious that those ads relate to the app we’re using at the time.

Advertising can be much less clearly sourced though, with some ad frameworks changing homescreens or other settings, placing icons in prominent places or making other changes which are not clearly linked to the app they are supposed to be supporting.

The information gathered by in-app advertising is also less than transparent, despite efforts by platform makers to enforce clear requests for data and setting access.

Some advertising may try to read contact lists, messaging and call history, even device-specific data such as IMEI numbers to ensure they can keep tracking us even if apps are removed.

Requests to access this data can be easily confused with the requirements of the underlying app, so users may be tricked into granting sensitive data access to people they do not intend to.

Advertising frameworks may also include updating systems so their functionality can change over time, and these updates may run alongside or even separately from the updates to the apps they are supposed to be part of.

There are also potential issues with data handling, with little insight available into how advertisers store and share the information they harvest from our phones and tablets.

When security solutions try to categorise mobile apps, in some cases it’s quite clear which are malicious and which are innocuous. In many cases though the line is blurred and hazy.

Apps may be mostly harmless in and of themselves, but the advertising they carry may be considered intrusive or aggressive. In these cases there can be problems for security firms, as they face the possibility of legal action from app developers whose apps they flag as dangerous.

So it seems like some sort of system is required to make it clear to app and advertising framework developers just what they should be doing, and what actions will mark them out as bad actors, giving security apps license to alert on them.

We’ve been here before in the PC world of course, with the blossoming adware/spyware boom of the mid-2000s.

In that case, a collective of security experts, privacy advocates, platform developers and others got together as the Anti-Spyware Coalition, and defined a set of rules on what was considered acceptable.

Now it’s relatively straightforward for security firms to select what can be flagged as malicious and what can be labelled no more than “potentially unwanted”. The coalition has more or less retired, with its work done.

In the mobile space, a radically different categorisation system is required, but perhaps a similar approach is needed to define a new set of rules.

At last week’s meeting of the Anti-Malware Testing Standards Organisation (AMTSO) in Montreal, a session was devoted to this topic, in conjunction with the IEEE Standards Association and other experts in the area.

There remains much to be done, but it seems like the work will be taken forward, either under the auspices of AMTSO, the IEEE or possibly even a standalone single-purpose body, to address the issue and start pinning down a standard.

SophosLabs Android guru and Naked Security contributor Vanja Svajcer presented a proposed categorisation system for mobile advertising and potentially unwanted apps at the recent VB conference in Berlin, which could be a good starting place for building such a standard.

The project received wide support from across the security industry, as well as from the testers, academics and IEEE members present at the meeting, so there are strong grounds to expect good progress soon.

Once advertisers know what they can get away with, hopefully we’ll all be able to choose our apps based on their intrinsic quality, without worrying what nasty extras might be thrown in by advertising frameworks.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mti7XRi0BYY/

Are anti-virus testers measuring the right things?

Image of clipboard courtesy of Shutterstock.

Last week saw the first Workshop on Anti-Malware Testing Research (WATeR), a conference bringing together security and testing experts from industry and academia to discuss testing related matters, held in Montréal, Canada.

Among the papers presented were several looking at the sort of things current tests of anti-malware solutions reveal, and some things they do not.

Several of the papers updated topics that were previously discussed at Virus Bulletin conferences and elsewhere.

There was an in-depth talk analysing just how many samples or “test cases” a test needs to include to provide a statistically significant picture of performance against the huge numbers of new threats appearing each day (the short answer – a lot), and what aspects of sample selection may bias results.

There was also a description of the methods used by the École Polytechnique de Montréal (who hosted the conference) in a “field trial” of anti-malware.

This mirrored techniques used in clinical trials, by handing out laptops to real-world users, letting them do what they wanted with them, then periodically checking the machines out to see what threats they’d been hit with, and what, if anything, got past the defences installed.

One of the more thought-provoking talks came from Florida Institute of Technology professor and AMTSO president Dr Richard Ford, who asked “Do we measure resilience?”

Ford differentiated between “robustness”, defined as the ability of solutions to prevent malware from penetrating systems at all, which is covered by most anti-malware tests, and “resilience”, by which he meant the ability of protection and protected systems to recover from attacks which do manage to get through the border controls and establish a foothold on the machine.

He argued that the resilience side of things is important to end users and sysadmins, but is rarely covered in much depth in public tests.

For the most part, the leading comparative and certification tests look mainly at detection or protection metrics. We measure how many threats a product can pick up with its scanners, or how many it can block with the various other layers of filters and monitors included in most products these days.

These would all be robustness measures.

Resilience might perhaps be covered by a removal or clean-up test – seeing how well a product can deal with an infected machine. Some tests include these, but they tend to be performed separately from the “robustness” tests, as it’s hard to tell how well a product can clean something up if it doesn’t let the machine get infected in the first place.

Ideally, Ford argues, a clean-up test would be run as part of a protection test – any threats which are not blocked initially should be allowed to run to see if they are blocked or removed later on.

If a threat can disable the security product and take complete control of the machine permanently, that’s basically zero for resilience; however, if the threat can only run for a while before fresh updates allow the protection to recover and clean the infection up, that’s a little better.

Of course, most threats are about more than simply staying on the machine – it’s all about gathering up your data and sending it off to be abused by the bad guys. But how this is handled could also be considered a resilience measure.

If a machine gets infected with a keylogger, which is not initially spotted, some products might then detect it when it starts trying to read your bank account login details, or when it tries to send that information out to the internet.

In the case of the CryptoLocker threat currently grabbing the headlines, it might be that the malware is allowed to run, but blocked when it starts trying to make changes to files you’ve marked out as sensitive.

An analogy might be that robbers manage to break into a bank, but a security guard manages to pin them in the staff canteen until reinforcements arrive.

How well a product copes in these kinds of situations might well be very important, but it’s rather tricky to measure.

It means first of all getting systems infected with malware, which means finding items which defeat the “robustness” layer, then leaving them infected, ideally with realistic everyday actions going on, until such a time as the product under test either does something about them, or gives up the ghost.

That’s pretty labour-intensive work, and tricky to automate. There’s also a need for caution, as running a machine infected with unknown malware risks creating unnecessary dangers to the outside world – the machine could start spewing out spam for example. So the tester needs to ensure the risks are kept as tightly controlled as possible.

Even if you do manage to do all that, there’s then a further issue of rating the relative successes of different products.

Resilience is highly dependent on the setting – in some situations, it might be fine for a system to go down completely as long as it bounces back quickly, while in others it’s OK for the recovery to take a long time if the initial outage is only minor.

So, a tough proposition for us testers to work on, but one that could have some useful outcomes. Testing should show where products are less than perfect; if the world requires resilience then we need to see if products are providing it, and encourage them to do so if not.

The meeting was rounded off by a talk suggesting that in certain circumstances, and with the proper caution, it might be considered appropriate to create new malware for testing purposes, which generated the expected controversy, and a panel debating what areas might be ripe for deeper analysis by academic researchers.

The panel’s conclusions were that there is room for much more active collaboration between industry and academia, with the resulting cross-pollination of ideas and resources leading to good things for both sides, and indeed the world at large.

On the evidence so far, I’d be inclined to agree. Events like WATeR can shift our thinking in all kinds of interesting new directions.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wBptDzC4pW8/

Tesco to scan your face to better tailor advertisements to you

Tesco, the UK’s largest supermarket chain, is set to install facial recognition technology in all 450 of its petrol station forecourts.

The face-scanning technology will be used to serve tailored advertisements to an estimated weekly audience of five million adults.

The company will install OptimEyes screens, developed by Lord Alan Sugar’s Amscreen, in a five-year deal, according to The Grocer.

Amscreen says that the cameras, placed at the tills, are capable of collecting the following data:

  • Number of possible viewers (those people within the close vicinity of the screen)
  • Number of actual viewers (the true audience)
  • Gender (male/female)
  • Age class (with the age brackets being as follows):
    • Child: 0-15 years old
    • Young adult: 15 – 35
    • Adult: 35 – 65
    • Senior: 65+

The system uses several different indicators to determine the sex and age of the customer. For instance, long hair would most likely indicate that the person in front of the camera was female but such an assumption could lead to several false positives. Therefore other key traits are accounted for in order to make a final decision.

Amscreen say the system has a detection rate of greater than 98% and that identification typically takes less than 0.2 seconds.

Once the system has identified the demographic group in front of the till it will then play suitable adverts of up to 10 seconds in length on a 100-second loop. I can already imagine large groups of party-goers swaying around at 2 am and being served adverts for coffee to help with their hangovers the next morning!

Simon Sugar, the chief executive of Amscreen and son of Lord Sugar, believes companies have a right not only to know how many people are viewing their adverts but also to know who they are:

It is time for a step-change in advertising – brands deserve to know not just an estimation of how many eyeballs are viewing their adverts, but who they are too.

Yes it’s like something out of Minority Report, but this could change the face of British retail and our plans are to expand the screens into as many supermarkets as possible.

Peter Cattell, category director for Tesco petrol stations, also seems to see nothing but benefits with OptimEyes, saying:

The ability to tailor content based on time and location means it can be extremely useful and timely for our customers.

Most Naked Security readers already wake each morning to a world in which they are tracked all day long: CCTV cameras are everywhere, designed to ‘protect us’ from the bad guys and thus ensure that we can maintain the standard of life and ‘freedom’ we have now.

The 21st century is a period of time like no other: information is the new currency and we happily give it away to social media moguls, e-commerce web sites and just about anyone who asks, nicely or not.

Do we need to be far more choosy about the information we give out and somewhat more discerning about whom we give it to? Or am I, perhaps, a little paranoid?

I asked Nick Pickles, director of Big Brother Watch, for his views on the need for businesses to boost their profits versus the rights of their customers to retain a degree of privacy. In reply, he said:

There are two fundamental problems here; not least the fact that the only way you can ensure your face is not scanned is to not go into the shop. Firstly, should we really be increasing the amount of surveillance we’re under so some companies can sell more advertising? Secondly, the technology isn’t going to stay the same and always be used in the same way.

As businesses like Google collect vast amounts of data about us online and can target us with very specific adverts, the race is on to catch up tracking our offline lives. Loyalty cards were the start of the process, but as the race for data intensifies, the surveillance is becoming more intensive.

This won’t stop at age and gender – the long game is about identifying individuals, and facial recognition technology is getting close to enabling them to do it.

Given the number of CCTV cameras across Britain that could be adapted to use this technology, the potential to track people in real-time is huge. Equally, the commercial temptation to expand the data being collected is clear – knowing which other shops someone goes in for example.

Pickles believes that the only way that such systems can be ethically employed is if consumers have the ability to opt into having their image scanned, rather than having no choice in the matter.

Are you happy to be scanned and advertised to by this technology or do you think it is yet another erosion of what little privacy we have left in society today? Let us know by leaving a comment below.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z2FVu9yigAE/

Late with your ransom payment? Never mind, CryptoLocker crooks will, er, give you a break


Cybercrooks behind the infamous file-encrypting CryptoLocker ransomware have begun offering a late payment option, which costs victims five times as much to “buy” the decryption key necessary to unscramble their encrypted files.

Previously, victims who failed to pay a $300+ ransom (up to 2 Bitcoins, $460) within three days lost the ability to retrieve the private key needed to recover their encrypted files. The crooks behind the scam deleted the key, or at least no longer offered it for sale. Victims without recent backups would be stuffed.


Recently the cybercrooks behind the scam set up a “CryptoLocker Decryption Service”, hosted on the IP address of one of their command-and-control servers, located in Ukraine, according to antivirus firm Malwarebytes. The “service” page can also be reached over the “anonymous” Tor network at a “.onion” address, a move designed to give the site a longer lifespan and protection against DNS sinkholing.

Victims can upload one of their encrypted files in order to find the corresponding private decryption key. Only encrypted files are accepted. When a match is found, a confirmation page is displayed, along with the demand for payment of 10 Bitcoins ($2,300). The development was first reported on the Bleeping Computer’s forums last weekend.

Antivirus programs attempting to remove the infection from compromised machines remove the registry key that is required to pay the ransom and decrypt the files. It seems the crooks behind the scam have latched on to a way to extort even more from such individuals, as well as from late payers in general.

The sophisticated miscreants behind the scam are going to some lengths to avoid detection by investigators looking to identify them by following the money trail.

“For each victim, a unique Bitcoin address (where the money will be sent) is generated,” writes Jerome Segura, senior security researcher at Malwarebytes. “In fact, even if you upload the same encrypted file twice, you will receive a new Bitcoin address.”

The new “service” offers decryption keys after a wait of up to 24 hours.

“We’re guessing that the delay is because the crooks have to run a brute force attack against themselves,” writes anti-virus veteran Paul Ducklin, in a post on Sophos’s Naked Security blog. “Without your public key to help them match up your keypair in their database, it sounds as though they have to try to decrypt your data with every stored private key until they hit one that produces a plausible result.”

As previously reported, CryptoLocker is a particularly aggressive ransomware Trojan. It normally arrives in email as an executable file disguised as a PDF file, packed into a zip attachment.

For example, one Reg reader told us back in September that variants of the malware were spreading in the UK via email purporting to come from Companies House.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet.

If opened, the malware attempts to encrypt the user’s documents on both local and mapped network drives, using asymmetric encryption with a public and private key pair. The key pair is generated on a command-and-control server, and the public key needed to encrypt is sent to the infected computer, while the private key needed to decrypt stays with the crooks.
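Ducklin’s point above about the crooks having to brute-force their own key store, and the per-victim key pair generated on the command-and-control server, are easiest to see in code. The Go program below is an added illustration written for this page, not CryptoLocker’s code or anything recovered from it: it models a server that holds one RSA key pair per infection, wraps a per-file symmetric key under a victim’s public key with RSA-OAEP, and then shows the two ways a “decryption service” can find the matching private key when handed that blob with no hint attached. The key size, the use of RSA-OAEP, the SHA-256 key identifier and the constructed 32-byte file key are all assumptions; the page says nothing about CryptoLocker’s actual formats, and the file-body encryption is deliberately left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring models the crooks' server-side store: one RSA key pair per
// infection, generated on the command-and-control side. Only the public
// half is ever sent to the victim's machine.
type Keyring struct {
	Keys []*rsa.PrivateKey
	byID map[string]*rsa.PrivateKey
}

// NewKeyring generates n key pairs of the given size. The size is an
// assumption for the example; the page does not state CryptoLocker's.
func NewKeyring(n, bits int) (*Keyring, error) {
	kr := &Keyring{byID: make(map[string]*rsa.PrivateKey, n)}
	for i := 0; i < n; i++ {
		k, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		kr.Keys = append(kr.Keys, k)
		kr.byID[KeyID(&k.PublicKey)] = k
	}
	return kr, nil
}

// KeyID is a stable identifier for a public key: SHA-256 over its DER
// encoding, hex-encoded. Stamping this into an encrypted file's header is
// what lets a server find the right private key in one lookup.
func KeyID(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot fail for a well-formed RSA public key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// WrapFileKey encrypts a per-file symmetric key under the victim's public
// key with RSA-OAEP (SHA-256). The file body would be encrypted with that
// symmetric key; that step is intentionally not implemented here.
func WrapFileKey(pub *rsa.PublicKey, fileKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
}

// MatchByBruteForce is the "brute force against themselves" Ducklin
// describes: with no key identifier attached to the blob, the server must
// try every stored private key. OAEP's padding check fails for the wrong
// key, which serves as the "plausible result" test. It returns the index
// of the matching key, the number of decryption attempts, and the file key.
func MatchByBruteForce(kr *Keyring, wrapped []byte) (idx, attempts int, fileKey []byte, err error) {
	for i, k := range kr.Keys {
		attempts++
		pt, derr := rsa.DecryptOAEP(sha256.New(), nil, k, wrapped, nil)
		if derr == nil {
			return i, attempts, pt, nil
		}
	}
	return -1, attempts, nil, errors.New("no stored private key decrypts this blob")
}

// MatchByID is the O(1) alternative: the blob carries the KeyID of the
// public key it was made with, so the server looks the key up directly.
func MatchByID(kr *Keyring, id string, wrapped []byte) ([]byte, error) {
	k, ok := kr.byID[id]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, k, wrapped, nil)
}

func main() {
	kr, err := NewKeyring(4, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed 32-byte file key standing in for an AES-256 key.
	fileKey := []byte("0123456789abcdef0123456789abcdef")
	victim := &kr.Keys[2].PublicKey
	wrapped, _ := WrapFileKey(victim, fileKey)

	idx, attempts, _, err := MatchByBruteForce(kr, wrapped)
	fmt.Printf("brute force: key #%d found after %d attempts (err=%v)\n", idx, attempts, err)

	_, err = MatchByID(kr, KeyID(victim), wrapped)
	fmt.Printf("by key id:   one map lookup (err=%v)\n", err)
}
```

Without an identifier, the only test the server has for “the right key” is that decryption yields a plausible result; here OAEP’s integrity check plays that role, and the cost grows with the number of victims. The lesson carries over to legitimate key-wrapping formats: put a key ID in the header so lookup is a map hit rather than a scan over every key you hold.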

The owner then receives a ransom demand, payable within 72 hours. Payment is made via either an anonymous pre-paid cash voucher or Bitcoin.

Victims were previously told encryption keys would be destroyed after a three-day deadline, leaving them no way to retrieve the files. “CryptoLocker is easier and cheaper to block than to heal,” Malwarebytes’ Segura advises. “Please exercise extreme caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/cryptolocker_late_payment_option/

Reding: NSA, friends don’t spy on friends. Europe, let’s team up for our own SPOOK CLUB


EU Justice Commissioner Viviane Reding has re-floated the idea that European nations should team up to create their own intelligence service by 2020, as a counterbalance to overarching US spying.

In an interview with Greek daily Naftemporiki on the ongoing controversy about the NSA’s dragnet surveillance programme, Reding argued that “what we need is to strengthen Europe in this field, so we can level the playing field with our US partners.”


“I would therefore wish to use this occasion to negotiate an agreement on stronger secret service co-operation among the EU member states – so that we can speak with a strong common voice to the US. The NSA needs a counterweight. My long-term proposal would therefore be to set up a European Intelligence Service by 2020,” she added, EUobserver reports.

The comments follow recent Snowden revelations that the NSA routinely records the call records and internet metadata of millions of Europeans in Germany, France and Spain. US spies have also been exposed for running surveillance ops against 35 world leaders, including German Chancellor Angela Merkel.

Reding, a Luxembourg politician who’s a strong advocate of EU integration more generally, has gone out of her way to criticise US snooping on Europe’s political leaders. “Friends and partners do not spy on each other. We expect to see action from the US to rebuild trust,” she said in an update to her Twitter account late last month.

EU countries’ intelligence services already co-operate up to a point, for example by sharing information on terrorist threats through IntCen, a branch of the EU foreign service. But the level of co-operation is minuscule compared to the tight alliance of five English speaking countries spearheaded by the NSA and its little Big Brother ally, GCHQ.

The idea of creating a European Intelligence Service has come up before, most notably in 2004 in the aftermath of the Madrid train bombings that killed almost 200. Austria and Belgium proposed creating an EU intelligence service but failed to get anywhere because none of the major countries (France, Germany or the UK) in the EU wanted to have anything to do with the idea.

Nine years on, there’s no real sign that anything has changed about countries wanting to control their own intelligence efforts, for obvious national security and foreign policy reasons.

An EU official told EUobserver that Reding spoke “off the cuff” and has not even talked through the idea of a European intelligence agency with fellow commissioners.

Any European Intelligence Service would need an EU treaty change, the official added.

GCHQ is involved in a loose but growing European eavesdropping alliance with German, French, Spanish and Swedish intelligence. This involves GCHQ sharing techniques for mass surveillance of internet and phone traffic through fibre taps in exchange for access to its partners’ covert relationships with telecommunications companies. The level of cooperation varies, however, in much the same way as we see with the EU’s joint crime-fighting effort, Europol, where cop agencies in the various member states are not always keen to share evidence with police in other countries. It is nothing like as close as the Five Eyes alliance that ties together the UK, US, Australia, New Zealand and Canada. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/05/the_nsa_needs_a_counterweight/

New Tool Promises To Stop In-Memory Attacks

Triumfant Monday launched a new product designed to prevent the growing number of cyberexploits that elude current defenses by attacking computers in their volatile memory.

The Memory Process Scanner, which is bundled free with Triumfant’s newly available 5.0 anti-malware product suite, combines Triumfant’s patented malware detection software with new tools that can accurately track malware functionality operating in the volatile memory of the endpoint machine.

Advanced Volatile Threats are malware attacks that take place in a computer’s random access memory (RAM) or other volatile memory and are difficult to detect because they are never stored to the hard disk.

Unlike advanced persistent threats (APTs) that create a pathway into the system and then automatically execute every time a machine is rebooted, an advanced volatile threat enters a machine in volatile, real-time memory, exfiltrates the data, then immediately wipes its fingerprints clean — leaving no trace behind as the computer is shut down.

“We can detect processes that manipulate objects in memory, such as the installation of a rootkit, and stop them before any damage is done,” says John Prisco, CEO of Triumfant.

A key aspect of the Memory Process Scanner is its ability to detect volatile exploits. In the case of an exploit, the malware injects itself into a normal process. Once the malware is running, it may migrate to a different process and download other tools to be used by the attacker. Catching the initial exploit allows the earliest possible detection and identifies the vulnerable process that is being compromised, Triumfant says.

The Memory Scanner also offers the ability to detect the installation of anomalous applications and can detect in-memory delays that may indicate irregular processes.
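The behaviour Triumfant describes, code injected into a legitimate process that lives only in memory, still leaves traces in that process’s memory map even when nothing is written to disk. The Go program below is an added example written for this page, not Triumfant’s scanner or any part of its product: it parses Linux /proc/<pid>/maps output and flags executable regions that are also writable, that are backed by a file since deleted, or that have no file behind them at all. The sample maps text is constructed for the example, and the three heuristics are assumptions made here rather than anything the article attributes to the product.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Mapping is one line of /proc/<pid>/maps.
type Mapping struct {
	Start, End uint64
	Perms      string // e.g. "r-xp"
	Inode      uint64 // 0 for anonymous memory
	Path       string // "" for anonymous memory
}

// Finding is a mapping plus the rule that flagged it.
type Finding struct {
	Mapping
	Reason string
}

const (
	ReasonWX        = "writable and executable mapping"
	ReasonDeleted   = "executable mapping backed by a deleted file"
	ReasonAnonymous = "executable anonymous mapping"
)

// ParseMaps parses maps text. Each line is: address perms offset dev inode
// [pathname]; the pathname may contain spaces, e.g. "... (deleted)".
func ParseMaps(text string) ([]Mapping, error) {
	var out []Mapping
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		lo, hi, ok := strings.Cut(f[0], "-")
		if len(f) < 5 || !ok {
			return nil, fmt.Errorf("malformed maps line: %q", line)
		}
		start, err1 := strconv.ParseUint(lo, 16, 64)
		end, err2 := strconv.ParseUint(hi, 16, 64)
		inode, err3 := strconv.ParseUint(f[4], 10, 64)
		if err1 != nil || err2 != nil || err3 != nil {
			return nil, fmt.Errorf("bad number in maps line: %q", line)
		}
		out = append(out, Mapping{start, end, f[1], inode, strings.Join(f[5:], " ")})
	}
	return out, nil
}

// Suspicious applies three rules to executable mappings. The kernel's own
// [vdso]/[vsyscall] pages are executable and anonymous by design and are
// skipped. JIT runtimes also create anonymous executable memory, so a hit
// is a lead for triage, not a verdict.
func Suspicious(m Mapping) (string, bool) {
	if !strings.Contains(m.Perms, "x") || m.Path == "[vdso]" || m.Path == "[vsyscall]" {
		return "", false
	}
	switch {
	case strings.Contains(m.Perms, "w"):
		return ReasonWX, true // W^X violated: shellcode can be written then run
	case strings.HasSuffix(m.Path, "(deleted)"):
		return ReasonDeleted, true // dropped, executed, unlinked to hide on disk
	case m.Path == "" || m.Inode == 0:
		return ReasonAnonymous, true // code with no file behind it
	}
	return "", false
}

// ScanMaps parses and flags in one step.
func ScanMaps(text string) ([]Finding, error) {
	maps, err := ParseMaps(text)
	if err != nil {
		return nil, err
	}
	var fs []Finding
	for _, m := range maps {
		if reason, bad := Suspicious(m); bad {
			fs = append(fs, Finding{m, reason})
		}
	}
	return fs, nil
}

// ScanProcess reads a live process's map; needs the same uid or CAP_SYS_PTRACE.
func ScanProcess(pid int) ([]Finding, error) {
	b, err := os.ReadFile(fmt.Sprintf("/proc/%d/maps", pid))
	if err != nil {
		return nil, err
	}
	return ScanMaps(string(b))
}

// sampleMaps is constructed for this example, not captured from a real
// infection: a normal binary and libc, the kernel pages, plus two regions
// of the kind an in-memory implant leaves behind.
const sampleMaps = `
00400000-0040c000 r-xp 00000000 08:01 1310742      /usr/bin/sleep
01a2e000-01a4f000 rw-p 00000000 00:00 0            [heap]
7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0
7f3c2a200000-7f3c2a3c0000 r-xp 00000000 08:01 1050573 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3c2a5e0000-7f3c2a5e2000 r-xp 00000000 00:05 12345 /memfd:payload (deleted)
7ffd1c3a0000-7ffd1c3c1000 rw-p 00000000 00:00 0    [stack]
7ffd1c3f5000-7ffd1c3f7000 r-xp 00000000 00:00 0    [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
`

func main() {
	fs, err := ScanMaps(sampleMaps)
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		fmt.Printf("%012x-%012x %s inode=%d %q: %s\n", f.Start, f.End, f.Perms, f.Inode, f.Path, f.Reason)
	}
}
```

Run against a live system, ScanProcess over every pid in /proc gives a first cut at the “anomalous process in memory” question the article raises; the payload itself is usually gone by the time a disk scanner looks, but the mapping that held it rarely is. Expect noise from browsers and language runtimes, and treat the memfd and deleted-file cases as the stronger signals.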

“Innovations like Triumfant’s memory scanning approach are an important and significant step forward in fighting the battle where it occurs — on the endpoint,” says Adrian Sanabria, senior security analyst at 451 Research. “The industry desperately needs more approaches that address problems at the root, and will force attackers to spend significantly more time and effort to achieve their goals.”


Article source: http://www.darkreading.com/perimeter/new-tool-promises-to-stop-in-memory-atta/240163554

Black Hat: Black Hat Asia 2014 Registration Now Open

SAN FRANCISCO, Nov. 5, 2013 /PRNewswire/ — Today, Black Hat, the world’s leading family of information security events, announced the opening of registration for Black Hat Asia 2014. Returning to Asia for the first time since 2008, this four-day event will bring together the world’s brightest information security professionals and researchers to reveal vulnerabilities that impact everything from popular consumer devices to critical international infrastructure and everything in between. These world class Briefings will come after two days of high intensity and deeply technical Training courses taught by the industry’s most renowned instructors. Black Hat Asia will take place March 25-28, 2014 at the Marina Bay Sands in Singapore. For more information and to register, please visit: http://www.blackhat.com/asia-14/.


“We couldn’t be more thrilled about returning to Asia in 2014,” explained Trey Ford, General Manager, Black Hat. “Black Hat held its first event in Singapore back in 2000, and has watched the information security community grow into an industrial powerhouse. After three great years in Abu Dhabi, we’re excited to gather the industry’s best in beautiful Singapore.”

Starting the week with hands-on Training courses (March 25-26), attendees have the option to register for individual technical deep-dives on topics ranging from the latest in penetration testing to exploiting web applications and even defending and building SCADA systems. Industry and subject matter experts from all over the world will teach these courses in an effort to help define and defend tomorrow’s information security landscape. For information on course pricing and registration, please check the individual Training pages here: http://www.blackhat.com/asia-14/training/index.html.

Following the two days of Trainings, internationally leading security researchers will take the stage to share their latest work and exploits with attendees through Black Hat’s esteemed Briefings (March 27-28). The Black Hat Briefings were created more than 16 years ago to provide computer security professionals a place to learn the very latest in information security risks, research and trends. Black Hat is seeking groundbreaking research to fill both 25 and 50 minute speaking slots. If interested in submitting, please visit our Call for Papers page: http://blackhat.com/asia-14/call-for-papers.html. The deadline for submissions is Nov. 8, 2013.

Last but certainly not least, the Black Hat Arsenal is back by popular demand and will be coming to Singapore for Black Hat Asia 2014. This special event provides researchers and the open source community a venue to demonstrate their recent work and weapons live. Running concurrently with the Briefings (March 27-28), all Black Hat Asia delegates will have access to the Arsenal’s latest tools. Be on the lookout for a detailed schedule.

For more information and to register, please visit: http://www.blackhat.com/asia-14/registration.html.

Sponsors of Black Hat Asia 2014 include Diamond Sponsor: Juniper Networks and Gold Sponsor: Qualys.

Future Black Hat Dates and Events

Black Hat Regional Summit, Sao Paulo, Brazil, November 26-27, 2013

Black Hat Trainings, Seattle, Washington, December 9-12, 2013

Black Hat Asia 2014, Singapore, March 25-28, 2014

Black Hat USA 2014, Las Vegas, Nevada, August 2-7, 2014

Black Hat Europe 2014, Amsterdam, The Netherlands, October 14-17, 2014

Connect with Black Hat

Twitter: https://twitter.com/BlackHatEvents – hashtag #BlackHat

Facebook: http://www.facebook.com/blackhat

LinkedIn Group: http://www.linkedin.com/groups?home=gid=37658

Flickr: http://www.flickr.com/photos/blackhatevents/

About Black Hat

For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia, and are produced by UBM Tech. More information is available at: http://www.blackhat.com.

About UBM Tech

UBM Tech is a global media business that brings together the world’s technology communities through live events, online properties and custom services. UBM Tech’s community-focused approach provides its users and clients with expertly curated research, education, training, community advocacy, user-generated content and peer-to-peer engagement opportunities that serve the Electronics, Security, Enterprise Communications, Network Infrastructure and Applications, Game and App Developers, and Tech Marketing communities. UBM Tech’s brands include Black Hat, DesignCon, EE Times, Enterprise Connect, Game Developers Conference (GDC), HDI, InformationWeek, Interop, and Light Reading. Create, a UBM Tech full-range marketing services division, includes custom events, content marketing solutions, community development and demand generation programs based on its content and technology market expertise. UBM Tech is a part of UBM (UBM.L), a global provider of media and information services with a market capitalization of more than $2.5 billion. For more information, go to http://tech.ubm.com; follow us on Twitter at @UBMTech.

Article source: http://www.darkreading.com/black-hat-black-hat-asia-2014-registrati/240163578