STE WILLIAMS

Win a free pass to RSA Conference Europe

Prize draw

RSA Conference 2013 opens its doors in Amsterdam on October 29: wanna go?

The Register is a media partner for this top ranking IT security event, and we have two free delegate passes to give away.


We will select the winner by way of a prize draw open to all subscribers to The Register’s weekly IT security newsletter. On Wednesday 23 October we will send an email inviting subscribers to participate – and we will run the draw at close of play UK time on Thursday 24 October.

We appreciate that this is a tight turnaround, but we are lining up some more offers for your delectation.

You can sign up for El Reg’s free IT security newsletter here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/21/rsa_conference_europe_prize_draw/

Monday review

In case you missed any stories over the last seven days, here’s our weekly catch up.

Watch the top news in 60 seconds, and then check out the individual links to read in more detail.

Monday 14 October 2013

Tuesday 15 October 2013

Wednesday 16 October 2013

Thursday 17 October 2013

Friday 18 October 2013

Saturday 19 October 2013

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fdArutbOe2E/

Fake BlackBerry BBM apps *still* in Google Play Store, one month after failed official release

It’s now one month since BlackBerry’s ill-fated non-release of its BlackBerry Messenger (BBM) app for Android and iOS.

The beleaguered mobile phone maker was all set to launch BBM on the Android and iOS platforms last month, before pulling the product at the last minute.

In fact, the app did reach Android users, but only briefly, and not with BlackBerry’s blessing.

Ironically, even though BlackBerry enthused about “1.1 million active users in the first eight hours, without even launching the official Android app,” it was also forced to admit the unofficial release “caused issues” – issues so severe that the product still isn’t out.

But the app, or numerous shabby imitations of it, are still popping up in the Play Store a full month later.

It’s not surprising to see cybercrooks trying to take advantage of heavily-anticipated product releases, but in this case the official product remains very publicly unreleased, which you might hope would make Google quadruply suspicious of imposter apps.

The situation is calmer now than when I checked last week, when there were dozens of apps looking just like #4 above.

But even a few bogus apps are too many, given that all of the ones I’ve looked at with green logos seem to have identical imagery and the same drivellous description, starting like this:

Blackberry Messenger Full Edition!!!

For All Android Devices and also it is FREE!!!

And this descirption is 100% BELEIVABLE, IS’NT IT?!?!?!?

It doesn’t say the last line, of course – I made that up – but it might as well.

Worse still, the descriptions generally end with keyword stuffing – padding the text with unrelated search terms in order to get search engines to recommend the false app under doubly false pretences.

Those keywords probably won’t do much to deter the average visitor, despite their peculiarity (they’re down at the bottom), but you’d have thought they’d trigger alarm bells at Google when it vetted the app, given that they include bogosities such as these:

Sadly, we’ve written about fake apps in the Play Store before, with similar surprise at how on earth the imposters could have got there at all.

For example, we’ve had fake Apple apps, which I’m sure you might have expected Google to spot proactively, given that Apple has something in the way of a rival mobile ecosystem, and doesn’t actually produce Android apps at all.

Same thing all over again with Nintendo, which doesn’t publish its games on Android, yet was the victim of bogus apps that surely should have been obvious.

And we’ve had companies that do produce Android apps targeted by imposters with apps that don’t even try to look like or behave like the original.

Of course, I’m not implying that it would be less dodgy if the crooks showed enough respect to rip off their victims more faithfully.

But it does make me wonder what Google is looking out for – I get a mental cartoon image of a bearded burglar, clad in prison garb and carrying a giant bag labelled “SWAG,” meeting Google as a policeman with a speech bubble saying, “Now then, ma’am, have you seen any suspicious looking characters round ‘ere?”

The Play Store isn’t supposed to be perfect – it’s meant to embrace big and small developers alike, and to bring lots of choice of free and paid apps.

But it is the official place to get apps, and if you want to install apps from anywhere else, Android makes it clear that “there be dragons”:

Judging by the dialog telling you that you have to take sole responsibility if you shop outside the Play Store, it certainly sounds as though Google officially claims at least some responsibility for what is inside it.

So it is a disappointment to see the Play Store apparently so easily abused like this, and Google really needs to clean up its patch.

Just about two years ago, Google’s Open Source Programs Manager, Chris DiBona, came out with an extraordinary claim.

He said that “if you work for a company selling virus protection for Android, RIM or iOS you should be ashamed of yourself.”

DiBona seemed to think that policing what got into the Play Store in the first place was the right way to attack the problem:

All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.

But when screensful of fake BlackBerry apps can flood the Play Store at the same time, and apps from mobile market rival Apple can appear without any apparent sense of irony, Google obviously still has plenty of work to do.

(The silver lining, I suppose, is that I guess I no longer need to feel ashamed at working for a company that makes an Android Anti-Virus.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wRpmtbhxXjU/

Chrome support for XP to continue after Microsoft ditches it

Google has pledged to continue supporting its Chrome browser on Windows XP until at least April 2015, a full year after Microsoft officially ends support for the legacy platform in April 2014.

Google’s rationale behind the decision is that some people will find the transition away from XP a difficult process, and that allowing them to ensure their browsers are kept free of vulnerabilities will ease that transition.

But could its decision end up dissuading people from moving away from XP in a prompt and timely manner?

Windows XP has now been superseded by three separate, fully-fledged Windows versions (if, that is, one counts the widely despised Vista). Its mainstream support phase ended way back in 2009, and the current extended, patch-only support period is rapidly drawing to a close.

This end of life has been described as a “perpetual zero-day”, leaving lingering XP users exposed to all manner of dangers, many of which will likely be easy to reverse-engineer from bugs publicised by Microsoft itself after they are spotted and fixed on later Windows versions.

So the best advice is for anyone still clinging to XP to bite the bullet and move on to something else if at all possible. The deadline for the end-of-life has been well-known for a long time, so there’s no excuse to be taken by surprise.

There are plenty of options available – people not keen to pay for newer and safer Windows versions can take their pick from all manner of well-built, well-supported and user-friendly Linux distros these days, and some have even suggested that Google’s decision to extend Chrome support may be a sneaky tactic to persuade people to move to its Chrome OS.

But the main message a lot of people are going to pick up from Google’s announcement is, don’t worry, there’s no big rush, you’ve now got an extra year to think about your options and finally get moving.

Don’t fall for this. OK, so during that extra year there will be at least one browser being maintained and patched, but the rest of the OS, and likely most of the other software you’re running on it, will be falling ever deeper into obsolescence and vulnerability.

The availability of a fully-patched Chrome could be more of a danger than a help – it could be giving a false sense of security and further delaying the switch to more modern platforms.

Patching shouldn’t be a partial process – you should be keeping everything running on your system fully up to date. That means anti-malware products, browsers, office suites and PDF readers, and anything else you use, but most of all the core operating system itself.

Don’t be lulled into thinking a well-patched browser is all you need to keep you safe. I know many people out there have developed a trust and fondness for XP that’s going to be hard to break, but break it you must.

If you’re still putting off upgrading from XP for no other reason than that you’ve got it, you’re used to it and you like it, don’t be tempted to keep delaying, just hurry up and move on.

It may be, of course, that you really have no choice. You may have XP embedded in some vital system which continues to run fine and isn’t due to be replaced for many years to come, or you may have some legacy apps which will only run on XP.

In these edge cases there’s not a whole lot you can do. But really, if such systems do need to stay in operation, you don’t really need to use them to check your Gmail, keep up with your friends’ holiday snaps on Facebook, or watch amusing cat videos.

Keep them running if you really must, but minimise their interaction with the web and keep them as secure as possible.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bfFd_DM1Ayw/

Online child abuse study examines nasty new trends including sextortion

A report by a European expert group on the commercialisation of child sex abuse online suggests that sexual images and videos shared between youngsters may become a major target for traffickers, who are using increasingly aggressive tactics to gain remote power over vulnerable kids.

The study was put together by the European Financial Coalition against the Commercial Sexual Exploitation of Children Online (EFC), a group headed by Europol’s European Cybercrime Centre (EC3) with members including child protection organisations and commercial firms such as Google, Microsoft and PayPal as well as law enforcement bodies.

It focuses on more than just paid-for online child sex abuse material, which is thought to make up only around 7.5% of the total out there, but may be becoming more widespread and more sophisticated.

The bulk of material is currently shared freely between offenders, some of whom are highly sophisticated and tech-savvy, making use of all manner of techniques to cover their tracks and remain hidden from law enforcement.

Tor is mentioned as a widely used stealth technique, while BitCoins and other online money-transfer systems are also common. Sharing is mostly done over peer-to-peer networks, but many other methods are used including cloud file storage services and more old-school networks such as BBS, newsgroups, IRC and private forums.

There are also less cautious players, using traceable credit cards to make payments and relying on search engines as an “entry level” means of finding material.

As we’ve seen in the past, not everyone involved in online child abuse is particularly bright.

At the commercial end of the scale, some of the more worrying trends include a cluster of prolific and organised “Top Level Distributor” groups, responsible for a large number of “brands” hosted on multiple websites. Free hosting services are popular, with the bulk of sites hosted in the US, and Russia and Kazakhstan also making a notable contribution.

There is also a nasty trend towards “pay-per-view” live streaming of abuse, mainly from South East Asia. This represents a tricky issue for law enforcement as images and video are often not retained by the viewer, or even the abuser, circumventing the most common laws prohibiting the ownership or distribution of abuse material.

One area highlighted as a place for likely future growth is linked to the growing tendency among young people to share sexual images between themselves, and the steady increase in young people’s access to webcams and mobile phone cameras.

The problem of blackmail and “sextortion” – using images intended to be private – has been around for some time, with services such as Snapchat offering a spurious sense of safety and hacking of webcams also common.

Child abusers have also long been known to “groom” targets over time, posing as other youngsters, but lately these techniques have evolved, with an increase in “the use of aggression and coercive tactics to ensure victim compliance.”

It seems grooming has become much faster and more efficient, putting ever more young people at risk.

There’s also a growing trend of using so-called “lover boys”, real kids hired to befriend victims and persuade or coerce them into performing sexual acts on camera, the footage or images then being passed on to the online child abusers.

It’s feared that all these trends may become increasingly widespread and commercialised in future.

So parents, please, make sure your children know about these dangers. Remind them that there is no real privacy on the internet, and that anything they share, even with people they think are their friends, may leak out to the wider world and possibly get into the hands of some seriously nasty people.

Above all, make sure you keep yourself educated on the dangers and what you can do to minimise your family’s risk.

And kids, please, try not to succumb to peer pressure or bullying. The need to “fit in” and keep up with your peers may be important, but try to take the long view and think about your future.

If someone’s trying to make you do something that makes you uncomfortable or that you really don’t want to do, don’t give in to them, tell someone about it and get some help.

Learn and follow good advice on staying safe online – be careful out there.


Image of girl on laptop courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/x2MmvzNxcmI/

Facebook ban sought for 15-year-old who ambushed and beat autistic child

A 15-year-old Canadian girl from Nova Scotia has pleaded guilty to a vicious, planned attack on a female, autistic student, and an attorney is seeking to ban her from social media as part of her sentencing.

Steve Drake, Nova Scotia Crown attorney, said that the girl should be barred from online venues including Facebook, Twitter and Instagram, lest she perpetrate cyber bullying, according to CBC News:

Social media is a reality. Facebook might be a staple in the social lives of young people but if it’s used as a vehicle for the commission of crime, what I said to the court is that someone should take away the key.

Drake said that the 15-year-old – whom, Drake said, police described as the “bully of all bullies” – planned the attack for lunchtime.

She forced a second student to film the attack and to post it on Facebook.

The prosecutor’s description of the assault, which took place at Sherwood Park Education Centre in Sydney earlier this year:

The accused stood and waited for the victim to come through the hall at lunchtime, stated her name and then sucker punched her, knocked her on the floor and proceeded to grab her by the hair and kick her in the head and facial area.

It all happened in approximately 10 to 12 seconds. It was brutal.

It was mere luck that the victim only suffered bruises, Drake said.

CBC News reports that the Crown and defence have requested a lengthy probation period for the girl. A sentence is expected on 30 October.

Nova Scotia has been shaken in the past year by cyber bullying, including the tragic death of Rehtaeh Parsons.

Rehtaeh, of Nova Scotia, committed suicide in April at the age of 17 after allegedly being gang-raped by four boys.

Two 18-year-old Canadian men were arrested in August and charged with child abuse images crimes over allegedly cyber bullying the young woman.

Three weeks after Rehtaeh’s death, Nova Scotia legislators announced the new Cyber-Safety Act.

Part of the act was an anti-cyber bullying law, put into effect in August, that enables victims to apply for protection orders and gives them the ability to identify and sue alleged cyber bullies.

The law’s intent, of course, is to protect victims and to hold bullies – and even their parents – responsible.

It has come under fire, however, for being overly broad, threatening the rights of free expression, and for giving already difficult children the tools to financially ruin their parents.

Jesse Brown, writing for Macleans, said this is how the Cyber Safety Act will attempt to stop online abuse:

Someone feels that you’re cyberbullying them. They visit or phone the court and request a protection order against you (minors, for some reason, cannot do so, only adults). A judge decides if their claim meets the law’s definition. The definition of cyberbullying, in this particular bill, includes ‘any electronic communication’ that ‘ought reasonably be expected’ to ‘humiliate’ another person, or harm their ‘emotional well-being, self-esteem or reputation.’

If this is the standard, I don’t know a person who isn’t a cyberbully.

Drake believes this is the first time in Nova Scotia that a social media ban has been requested in such a case, but said that a judge ordered a 12-year-old Manitoba girl to stay off Facebook while she spends a year on probation for online threats against two other girls.

As far as whether social media bans are enforceable, Drake likened it to banning a drunk driver from climbing back behind the wheel or from taking another drink.

In this case, social media can be monitored by a vigilant public, he said:

At some point in time if you’re on Facebook, people will know and if someone who’s interested in making sure that this probation order is enforced sees that the person’s on Facebook, no different than someone driving along the highway and calling in a drunk driver.

There are many well-intentioned efforts at play in this case. It’s a relief to see such efforts devoted to protecting children before a victim turns into yet another suicide, such as the recent, heartbreaking case of Rebecca Ann Sedwick.

It strikes me as common sense that the earlier the intervention, the more likely that cyber bullying won’t result in suicide.

It might be a natural reaction to vent fury at the parents of bullies, but perhaps a more effective approach to cyber bullying would be to demand that social networks such as Facebook or Tumblr respond quickly and decisively to shut it down as soon as it’s discovered.

I’m thinking here of a 2011 case wherein a Facebook page was set up to bully a New Zealand college student.

As the New Zealand Herald reported at the time, the page – called “Putting your stick away after a hard day of being a social outcast” – was set up by a fellow student and featured a photo of the targeted boy.

It was taken down after sparking internet furor, the paper reported.

Supporters and anti-bullying campaigners took to online parenting forums, urging people to contact Facebook to have the page removed. The supporters posted hundreds of responses decrying the bullying, resulting in the Facebook page being taken down.

That happened, the paper said, within the span of 3 hours.

Unfortunately, many of the anti-bullying posters themselves used bullying language on the bullies.

This has been a hard week, between this case and the arrest of two Florida girls, one of whom bragged about cyber-bullying Rebecca Sedwick.

Before you vent your fury at this 15-year-old Nova Scotia girl, or at her parents, or the Florida girl or her parents, or anybody, for that matter, please, maintain calm.

Remember people can be good.

It’s up to all of us to keep an eye out for bullying and to address it quickly, firmly, and to do so without becoming bullies ourselves.

Image of no entry sign courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u2rGTYdH7pk/

Windows RT 8.1 update pulled after it gives tablets the blue screen of death

If you like to stand out from the crowd then you may have taken the decision to set yourself apart from the legions of Android users and iOS fans when it came to choosing a tablet.

Over the weekend those of you using a Windows RT device were probably looking forward to the thought of the impending update to version 8.1 of the operating system. That is, right up until the time you actually installed it.

Alas, with the majority of aspiring Windows RT 8.1 users being in possession of a Surface tablet, the update proved to be a major fail on Microsoft’s part.

Soon after the 8.1 update was released, it was subsequently pulled from the Windows store with the company saying:

Microsoft is investigating a situation affecting a limited number of users updating their Windows RT devices to Windows RT 8.1. As a result, we have temporarily removed the Windows RT 8.1 update from the Windows Store. We are working to resolve the situation as quickly as possible and apologize for any inconvenience. We will provide updates as they become available.

Whilst the company did not expand upon what it meant by a “situation”, it is widely believed that the issue centres on the update corrupting certain boot data, which in turn leads to the device crashing as it starts up.

Users who have encountered this problem were faced with a blue screen of death (BSOD) that displayed the following message:

Recovery
Your PC needs to be repaired
The Boot Configuration Data file is missing some required information
File: BCD
Error code: 0xc000000d

You’ll need to use the recovery tools on your installation media. If you don’t have any installation media (like a disc or USB device), contact your system administrator or PC manufacturer.

If you reach out to the Microsoft support team then it is likely that you will be advised to put an image of Windows RT onto a USB flash drive and then use it as a recovery disc.

This can be achieved either by using another RT device (but not an x86 PC) to create the recovery disc or by using an ISO supplied by Microsoft. (Hopefully you’ll have more success than Mashable’s Editor-in-Chief Lance Ulanoff, who was unable to actually download said ISO.)

If that solution sounds complicated then there may be an easier alternative thanks to a detailed 11-point guide from kickthatcomputer that just about everyone will be able to follow. This method circumvents the need for an RT recovery disc and merely requires a USB recovery device prepped on any machine running Windows XP or above.

If neither of those solutions get you back up and running with Windows RT, and your device remains “bricked”, then you may have to wait for an official update or how-to guide from Microsoft.

With Windows RT making up a minuscule part of the overall Windows 8 user base, Microsoft will be extremely relieved that this issue only affects ARM-based devices – there are no reports of non-RT users of laptops, netbooks and desktops experiencing blue screens so they should remain confident in updating to Windows 8.1 straight away.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UXvMGOKTKVI/

US Veep’s wireless heart implant disabled to stop TERRORIST HACKERS

A defibrillator fitted to US vice president Dick Cheney had its wireless functions removed in the factory, in order to ensure hackers – or terrorists – could not kill him by attacking the device.

Defibrillators and their close cousins the pacemaker have been fingered as a security risk before. Last year we reported that radio interference could set them off under some circumstances. Back in 2008 similar concerns were raised by The Medical Device Security Centre.


It now appears that US security authorities were aware of the potential problem in 2007, the year then-Veep Dick Cheney was fitted with a new defibrillator by Dr. Jonathan Reiner.

In a video posted here and embedded below, Dr Reiner says “It seemed to me to be a bad idea for the vice-president of the United States to have a device that maybe someone on a rope line or someone in the next hotel room or somebody downstairs might be able to get into, hack into.”

Turning to Cheney he says: “I worried that someone could kill you.”

Cheney responds: “I was aware of the danger.”

The idea of a vice-presidential implant being used to attack the holder of the office often said to have only one function – having a heartbeat – was later used in an episode of US television drama Homeland. Cheney says in the video that episode featuring the attack “was an accurate portrayal of what was possible.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/21/us_veeps_wireless_heart_implant_disabled_to_stop_terrorist_hackers/

Android’s defences against malicious apps dissed by security bods

Google’s bold claims that Android doesn’t have a malware problem and is more secure than Apple’s iOS have singularly failed to convince security researchers.

No less a figure than Eric Schmidt, Google’s executive chairman, declared Android to be “more secure” than the iPhone, during the Gartner Symposium/ITxpo in Orlando, Florida. The claim drew hoots of derision from the tech savvy crowd, USA Today reports. Schmidt’s remarks are recorded in a YouTube clip here.


The apparent charm offensive continued with Android security chief, Adrian Ludwig, presenting a last-minute paper at the Virus Bulletin conference in Berlin last week entitled Android – practical security from the ground up, and summarised by Steven Max Patterson of Networkworld in a story complete with explanatory diagrams here.

Ludwig used Google’s unparalleled access to data about app installs on Android devices to put forward the argument that only 0.001 per cent of apps are able to get past the “multiple layers of security” that Android puts in their way and eventually cause harm to the user. The claim is hard to square with reports from anti-virus firms, such as Trend Micro, that mobile malware strains recently crossed the one million mark, and the vast majority of the problem is tied to Android. Google’s smartphone and tablet platform is widely targeted by criminals, anti-malware firms unanimously agree.

According to the presentation, Google’s various security layers are: Google Play, unknown sources warning, install confirmation, Verify Apps consent, Verify Apps warning, Runtime analysis and the permissions-based sandbox that each app must operate within.

This might sound impressive at first but a closer inspection of these various layers of defence in a blog post by Rik Ferguson, global veep of security research at Trend Micro, reveals that they are more likely to be treated as irksome pop-ups that users blindly click through.

If I understand the slides correctly then, in user terms, that equates to: Google Play, a dialogue box, a dialogue box, Verify Apps, a dialogue box, runtime analysis and a dialogue box.

While Google’s Verify Apps technology represents a great leap forward, particularly now that it has been decoupled from the OS itself, there are plenty of malicious apps that make it out there into Google Play’s storefront. In fact, at last count (12th October 2013) just over 46 per cent of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play.

When it comes to the unknown sources warning, the install confirmation dialogue and the permissions/sandbox warnings, it is fair to say that not only do app developers often massively over-request but also end-users rarely read the questions they are being asked, and even less often understand the potential implications of the permissions that they are granting. Who needs an exploit when you have permission? The questions regarding app permissions are only asked once, and they cannot be subsequently revoked in any granular fashion. It’s all or nothing and app developers are often going for the kitchen sink, encouraging the same “next, next, next” culture that we see in the traditional computing world.

Ferguson’s description recalls the behaviour of User Account Control (UAC) prompts on Windows Vista that were supposed to make the computing experience more secure but only really succeeded in annoying users before the feature was modified and watered down in later versions of Windows.

Aside from the effectiveness of the dialogue boxes Google has put in place, Google’s argument fails to note how many malicious apps are sloshing around in the Android ecosystem. This is a serious deficiency, Ferguson argues.

Aside from the fact that a large number of these security layers are left entirely at the discretion of the end-user in the form of a dialogue box, there lurks another potential pitfall. Nowhere in the data available have I seen an indication of how many apps Google actually recognise as being malicious in the first place, or how widely those apps are proactively sourced. Of course if your library of malicious and high-risk apps is limited, then the number of malicious installations that you notice will be consequently lower. I’m not saying that Google do not have a reliable library of such apps, I wouldn’t know. I am saying though, that presenting the figure of recognised malicious installs, without the context of the malware library leaves a pretty large hole in the conclusion that malicious apps are not being successful in the wild.

Trend Micro have so far analysed 3.7 million Android apps and updates, a figure that’s growing every day. Nearly one in five (18 per cent) of these apps have been classed as malicious while a further 13 per cent are “high risk”, according to figures from the net security firm. That works out at 670,000 malicious apps and a further 480,000 “high risk” apps and counting.

Nearly half (46 per cent) of the outright malicious apps were sourced directly from Google Play.

Ferguson defers to renowned hacker Charlie Miller for a response to Schmidt’s headline claim that Android is more secure than Apple’s iOS.

“As someone who has written exploits for both platforms, let me say ‘no’,” Miller said in a Twitter update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/21/android_ios_security_comparison/

Understanding Severity And Criticality In Threat Reporting

[The following is excerpted from “Understanding Severity and Criticality In Threat Reporting,” a new report posted this week on Dark Reading’s Vulnerabilities and Threats Tech Center.]

Does this vulnerability pose risk to my organization? Arriving at the answer to this question isn’t easy. Indeed, the answer, at least partially, is a measure of your own internal visibility into the technology in use inside and, in some cases, outside your network.

It all comes back to how well you know the technology you rely on every day. Put simply, you can’t mitigate a threat if you don’t know it’s a threat.

Indeed, before any (or much) attention can be paid to threat reporting and vulnerability disclosure, security professionals must spend a great deal of effort to gain thorough visibility into their networks, systems and data. A number of automated tools can reach into the depths of your network to help with this process, but, as with anything in the IT world, success depends on an effective combination of people, processes and technology.

OK, now that we have complete visibility into our technology and data, we can get started evaluating the latest Microsoft vulnerability, right? Not even close.

What is your scale of risk? How about your mitigation plan? How does your actual risk relate to applied ratings from vendors? Is there a difference?

In the past, organizations have used a number of risk metric formulas, methodologies and other “plug and play” methods for creating a vulnerability management system. The problem is that technology and business evolve, and in the last decade they have evolved at a dizzying pace. Vulnerability rating and management systems should be evolving at the same pace and along the same paths (think cloud computing, mobile and so on), but they often don’t.

One of the biggest challenges companies face is reconciling their metrics with those of a particular threat intelligence group, standard or vendor.

Let’s take a look at the Common Vulnerability Scoring System, which is used by Mitre’s Common Vulnerabilities and Exposures, or CVE, a dictionary of publicly known information security vulnerabilities and exposures. One of the first things you’ll notice about the CVSS is that it isn’t just a simple matrix of connecting dots. Rather, it comprises multiple scoring categories that are compiled to produce an overall score. These categories take into account variables regarding vulnerability, threat and risk.

The base metric group includes data such as impact to the CIA triad (confidentiality, integrity and availability) and the vectors in which the vulnerability applies. These variables tend not to change.

The temporal metric group focuses on variables that will change over time.

The environmental metric group is geared toward components that will be unique to each company or organization. This is where your time will likely be focused when applying a risk rating system for your own network.

To see how the CVE rating system differs from those of Microsoft and others — and to find out how you can use these rating systems to help you prioritize your response to newly-disclosed vulnerabilities — download the free report.

Article source: http://www.darkreading.com/vulnerability/understanding-severity-and-criticality-i/240162861