STE WILLIAMS

Consumer VPN service could be popular as regional paywalls go up

Consumer VPN firm AnchorFree is touting mobile data cost saving through compression as well as Wi-Fi security as means to gain more users for its software, but it’s likely that many of its users will be more interested in getting around regional media paywalls – or even national government firewalls.

David Gorodyansky, chief exec of AnchorFree, said downloads of its Android software (released in late May) are growing at a faster rate than Hotspot Shield for iOS, which was released in November 2011. The software is not available for Windows Mobile. Hotspot Shield Mobile has already been downloaded 3 million times, with new installs coming at a run-rate of 25K/day. Pricing is $2.99 per month or $11.99 per year for paid-for mobile products – there are also ad-supported versions.

Hotspot Shield and Expat Shield desktop collectively boast more than 15 million unique monthly users, with 3 billion page views secured per month, according to the company.

Access allowed

The technology offers travelers, business people, expats, and locals free access to internet content without regional restrictions. Services like the BBC’s iPlayer are supposed to be only available to consumers in the UK but Expat Shield offers a way around that restriction. The technology also offers users a safe means to access web services, such as social networks, Skype and web mail, that might otherwise be unavailable locally.

Gorodyansky said that most web sites and services welcome the wider availability of their services in regions such as China and the Middle East where they might be blocked. Only the BBC and US streaming media service Hulu are exceptions to this general rule, he said. As more organisations offer region-restricted content, such as a move by the Daily Telegraph to restrict access to its website to UK surfers this week, the availability of services such as Hotspot Shield may become more of an issue for content providers.

The AnchorFree head honcho conceded that accessing content through the VPN may “sometimes cause a slowdown” but downplayed the issue as minor.

AnchorFree’s technology screens traffic for malware, phishing and spam across all platforms using a mix of in-house developed and third-party security technology.

Gorodyansky explained that although AnchorFree doesn’t store userIDs it wanted to discourage use of the technology as a means for people to download copyright-protected content without being tracked. He pointed out that there were other services expressly set up to do that, for people so inclined. Spammers are similarly unwelcome.

“AnchorFree is set up to protect travellers, students and business people who want to control their privacy,” Gorodyansky told El Reg. “We don’t want the technology to be used to download torrents and we discourage that.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/05/hotspot_shield/

One in seven North American home networks full of malware

One in seven home networks in North America are infected with malware, a recent study has revealed.

Half the threats detected during Q3 2012 were made up of spam-spewing zombies or banking Trojans while the remainder were mostly adware and other lesser threats, according to a study by Kindsight Security Labs. The study was based on data gathered from the security firm’s service provider customers.

Kindsight Security Labs offers Phorm-like deep packet inspection technology to consumers through its telco partners. Consumers get pushed behavioral advertising sweetened by the promise of malware screening. Kindsight therefore has a vested interest in talking up the malware threat, so its figures need to be viewed with caution even though they present an interesting insight into the botnet landscape, which everyone agrees is pretty dire.

The one-in-seven (13 per cent) infection rate recorded by Kindsight in Q3 is actually a 1 percentage point improvement on figures recorded in Q2 2012.

Consumers most commonly get infected with malware after visiting websites contaminated with exploit kits via so-called drive-by attacks.

Kindsight names the ZeroAccess botnet as among the worst menaces to internet hygiene. ZeroAccess was the most active botnet in Q3, with more than 2 million infected users worldwide with 685,000 in the US alone.

“These bots are engaged in a sophisticated ad-click fraud scheme that each day generates about 140 million fraudulent ad-clicks and 260 terabytes of network traffic. ZeroAccess could be costing advertisers $900,000 per day,” according to Kindsight.

The second most active botnet in Q3 2012 was the TDSS/Alureon family, also known as TDL-4.

The security firm’s Intrusion Detection System-based technology runs in the networks of both fixed line and mobile service providers, monitoring threats. This allows Kindsight to see attack traffic spewed out by infected handsets onto mobile networks.

The infection rate of Android smartphones is just over 3 per cent, according to Kindsight’s statistics. Mobile adware accounts for nine in 10 of these cyber-undesirables, it adds. More serious Android nasties the study detected were almost exclusively “Trojanised” apps, which steal information from smartphones or send SMS messages to premium-rate numbers without the permission of owners.

Kindsight’s full report can be found here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/02/malware_infestation_us_survey/

Hactivist crew smacks down Russia.gov: Spies are RICH enough

A hactivist crew has launched a cyber-offensive against Russia with the leak of 2.5 million records, which it claims to have obtained from hacked government and corporate servers.

Team GhostShell said it was leaking the data in protest against the Russian government’s willingness to plough its revenues into espionage “even though the country is going through hard times and many people are starving”. In a notice accompanying the release, in which it describes Russia as “a state of tyranny and regret”, the group boasts that it is only releasing a sample of the huge cache of data it has pwned.

GhostShell is declaring war on Russia’s cyberspace, in “Project BlackStar”. The project is aimed at the Russian Government. We’ll start off with a nice greeting of 2.5 million accounts/records, from governmental, educational, academical, political, law enforcement, telecom, research institutes, medical facilities, large corporations (both national and international branches) in such fields as energy, petroleum, banks, dealerships and many more.

GhostShell currently has access to more Russian files than the FSB and we are very much eager to prove it. – DeadMellox

Many of the documents in the first tranche are purported to have originated from Russian metal working firm MetalProm and recruitment firm Rabota Izhevsk. Russian police and Lada-making auto firm AvtoVAZ account for a handful of files. Most of the documents seem to be system files or database dumps rather than login IDs. The authenticity of the data is, of course, hard to determine.

Team GhostShell, whose motto on Twitter is “forever owning China’s cyberspace for the lulz”, is led by self-proclaimed black hat hacker DeadMellox. Its previous exploits have included hacking into the databases of banks, US government agencies and consultancy firms before leaking passwords and other documents back in August. The group also claims to have accessed a Chinese technology vendor’s mainframe, a US stock exchange and the Department of Homeland Security. These boasts remain unsubstantiated.

Last month Team GhostShell attacked the world’s top 100 universities in a protest against tuition fees and what it reckons to be the falling quality of education across many countries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/02/ghostshell_russia/

Greek journo who published list of Swiss bank account holders cleared

A Greek journalist who published the names of 2,000 suspected tax evaders has been cleared of privacy violations.

Kostas Vaxevanis, 46, was found not guilty of breaking data privacy laws for publishing the details of 2,059 Greeks reckoned to have bank accounts in Switzerland in Hot Doc, the weekly magazine he edits.

Tax evasion is widely seen as an important factor in Greece’s economic malaise and the failure of local politicians to crack down on alleged evaders implicated by the list has raised suspicions that this might go against the secret vested interests of those in power. The list was supplied to Greek and other European authorities by the IMF’s chief Christine Lagarde two years ago.

“It is quite clear the political system did everything not to publish this list,” said Vaxevanis, who had faced the prospect of a prison term of up to two years before he was cleared at a hearing before three judges in Athens on Thursday.

“If you look at the names, or the offshore companies linked to certain individuals, you see that these are all friends of those in power. Phoney lists had also begun to circulate. It was time for the truth,” Vaxevanis told The Guardian.

The list reportedly includes politicians, businessmen, shipping magnates, doctors and lawyers. None have complained of privacy violations. Greek daily Ta Nea reprinted the list on Monday three days before Vaxevanis’ trial.

The Guardian adds that 500 Britons whose names also appear on the list of secret bank accounts in Switzerland are under investigation by HM Revenue and Customs. The paper adds that these investigations are more likely to lead to settlements and fines, where suspicion of tax evasion is substantiated, than criminal prosecutions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/02/tax_evader_privacy_breach/

Windows 8 ‘penetrated’ says firm which sells to world’s spy agencies

French security research firm Vupen claims to have already developed a reliable Windows 8 exploit, just days after the launch of the latest edition of Microsoft’s flagship operating system.

The sometimes controversial firm, which sells the exploits it develops to Western government agencies and deliberately avoids sharing vulnerability details with vendors, said that the exploit it has cooked up allows it to take over Windows 8 machines running Internet Explorer 10.

“We welcome #Windows 8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Vupen’s chief exec Chaouki Bekrar boasted in a Twitter update.

Windows 8 offers improved exploit mitigation technologies including DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), while IE10 bundles improved sandboxing. Getting over these extra hurdles is no mean feat and doesn’t necessarily mean that exploits and malware from mainstream hackers will flood cyberspace anytime soon.

Vupen doesn’t go into details about the security bugs it has identified, logically enough, since the value of the exploits it markets depends on their effectiveness and longevity. Spilling the details on a vulnerability makes it more likely that vendors will come up with patches sooner rather than later, something that works against the “government-grade exploit” side of Vupen’s business.

The French security firm previously promised to come up with Windows 8 exploits at the same time as the launch of the operating system. Bekrar told Forbes that details of the Windows 8 attack would be supplied to its customers, in a carefully worded answer that failed to rule out the use of the exploit as an offensive tool.

“The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes,” Bekrar said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/win8_exploited_already/

5 Tokyo devs cuffed over ‘The Movie’ Android app scam

Japanese cops have arrested five developers accused of planting malware in smartphone applications.

A video app for Android phones created by the group allegedly harvested information from 90,000 smartphones. Details in early reports are sketchy but thehackernews.com reports that the apps were marketed to customers by adding the phrase “The Movie” to popular game titles.

English language daily Yomiuri Shimbun reported that the malware harvested an estimated 10 million pieces of personal information from compromised devices before the police started taking an interest. The malware was allegedly distributed via Google Play with the aid of a Tokyo-based IT firm. The head of the firm and four other unnamed suspects have been arrested in connection with the case.

Japanese police describe the case as the biggest case of information theft of its type to hit the country to date.

Separately, police in Osaka arrested an executive of an online dating agency for distributing smartphone malware that posed as a battery-saving utility. Kazuhiro Ri of Osaka, an executive of MobyDick, faces accusations that he distributed five smartphone Trojans that harvested personal information from the compromised devices of marks. The dodgy apps were downloaded by 3,500 people across Japan, Yomiuri Shimbun reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/japan_android_malware/

Free Android apps often secretly make calls, use the camera

Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks.

The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books than paid counterparts.

Around one in four (24.1 per cent) free apps require permission to track location, while only 6 per cent of paid apps request this ability. Around 6.7 per cent of freebie Android apps have permission to access the user’s address book, a figure that drops to just 2.1 per cent for paid apps.

It’s commonly assumed that free apps collect information in order to serve ads from third-party ad networks. While this is true in some cases, Juniper found that the percentage of apps with the top five ad networks (9 per cent) is much less than the total number tracking location (24.1 per cent).

Around 4.1 per cent of apps feature ads from the AirPush network, with a total of nearly 5 per cent of freebie Android apps hooked into either the AdMob, Millennial Media, AdWhirl or the Leadbolt ad networks.

“This leads us to believe there are several apps collecting information for reasons less apparent than advertising,” Juniper said.

The spy in your pocket

Many applications solicit personal information or perform functions not needed for the apps to work. The lack of transparency about who is collecting information and how it is used poses a long term threat for the development of the mobile applications marketplace.

Some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device, Juniper warns. Similarly, access to the device camera could enable a third party to obtain video and pictures, as illustrated by the recent proof-of-concept Spyware PlaceRaider 3D mapping app.

One in 40 (2.64 per cent) of free apps request permission to send text messages without notifying users (a figure that drops to just 1.45 per cent for paid apps). Meanwhile, 5.53 per cent of free apps have permission to access the device camera, a statistic that drops to just 2.11 per cent for paid apps. And 6.4 per cent of free apps have permission to clandestinely initiate background calls, a figure that drops to just 1.88 per cent for paid apps.

Gambling on privacy

Certain app categories were particularly bad for privacy, most notably racing games, which are often thinly disguised malware. Card and casino games occupy another problematic category, with 94 per cent bundling the ability to make outbound calls and 84.5 per cent including the ability to silently send SMS messages, for example.

After actually installing apps, and in some cases contacting developers, Juniper researchers discovered that permissions or data collection was justified, even though the reasons were not immediately obvious.

For example, cards and casino apps from a specific developer had the ability to use a smartphone’s camera. This was not explained by reading the app descriptions and installing the application. However, the developer was able to explain to Juniper that the premium version of the app allowed users to take a picture to use as a background for the game, a legitimate (if inadequately explained) use of the camera functionality.

Juniper researchers also discovered that 12.5 per cent of free finance apps had the ability to initiate a phone call without going through the dialer interface. Two thirds (63.2 per cent) didn’t provide a description of this capability within the app. However, after installing a number of these applications, it became clear that this capability was legitimately used by the app to contact local financial institutions.

Time for a revamp

The issue of mobile app privacy is not new. However Juniper’s research is one of the most comprehensive looks at the state of privacy across the entire Android application ecosystem.

“The analysis of the Google Play market shows the pervasiveness of mobile tracking and where apps could do a better job of disclosing why they need information up front and highlight functionality as a genuine user benefit,” Juniper’s research team concludes.

Smartphone users who install apps often fail to understand that they end up sharing personal information in the process. Even though a list of permissions is commonly presented when installing an app, most people fail to make an informed decision because they don’t bother to read the small print or because aspects of app functionality are not explained by developers.

Permissions requested by mobile applications should be correlated to the functionality on offer, Juniper recommends. “Simply saying an app has the permission to track location, read contacts or silently perform an outgoing call doesn’t provide the necessary context of why this functionality is necessary for a specific app,” the security researchers explain.

In addition there should be better differentiation between permissions. “There is a big difference between a spyware app clandestinely placing an outgoing call to listen to ambient conversations within hearing distance of the device, and a financial app that provides the convenience of calling local branches from within an application. The manner in which permissions are currently presented does not provide a means for users to differentiate between the two,” according to Juniper’s team.

Lastly, consumers should be realistic about accepting some private information exposure with free apps. “There is no such thing as a free lunch in mobile,” the security researchers point out.

Juniper’s methodology involved statistical analysis of application metadata, analysis of application manifests, review of application descriptions for Android apps as well as trying applications out to see how they actually behave. Its research was restricted to the Android market because Apple does not disclose related information about its apps. The study was carried out over 18 months between March 2011 and September 2012.

More details on the results of the study and its methodology can be found in a blog post by Juniper Networks here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/android_app_privacy_audit/

Snooper’s-charter plans are just misunderstood, sniffles tearful May

Home Secretary Theresa May appeared before peers and MPs in Westminster on Wednesday afternoon to face questions about her proposed communications data bill, which has been almost universally rejected by people outside the security services bubble.

Excellent Hallowe’en vampire makeup, Minister

Her Hallowe’en session was the final one to provide evidence on the supposed merits of the draft legislation that could see British citizens’ web activity much more heavily spied upon by spooks and police. The agents of the state would, of course, be acting to protect the public from the threat of terrorism and other criminality.

The cabinet minister’s appearance served as something of a bookend to her grilling by the Home Affairs select committee in April this year when May trotted out similar justifications for increasing the powers of security services and other government bodies on surveillance of the internet.

May, suffering from a heavy cold, was quizzed in a packed session. Politicos expressed clear concerns that the Home Secretary was providing far too much wriggle room within a number of clauses that could, in the Home Sec’s language, “future proof” the government’s powers as technology continues to adapt and develop.

That concept was largely pooh-poohed by the panel, however, who repeatedly asked the minister to provide clear assurances about the Home Office’s intentions by effectively recognising the need to re-draft some aspects of the proposals.

As in April this year, May repeated her belief that some aspects of the planned legislative overhaul had been “misinterpreted” by civil liberties campaigners and reports in the press.

May said in relation to content and not communications data:

“We don’t want to look at the content of these emails – this is sadly one of the myths that has appeared in public.”

The Home Secretary went on to claim that her department had “had a number of discussions with a number of CSPs [communications service providers] about the who, where, when and how”.

She further claimed: “There is limited scope for the data we want to have access to. The bill is not intended to take us any further than that.”

May said that “flexibility” needed to be built into any such legislation to prevent the Home Office having “to constantly come back because of too tight a definition”.

When pushed about the UK potentially becoming the first democracy to collect data via ISPs through Deep Packet Inspection (DPI) probes – colloquially dubbed black boxes – which have only been implemented on a national scale in China, Iran and Kazakhstan to date, the Home Sec was somewhat uncommunicative.

“There’s been quite a lot of discussion about the technicalities … I’m willing to go into more technical detail in writing or for another private session,” she retorted.

The committee’s chair Lord Blencathra agreed to this plan, but asked May to get her facts together “as urgently as possible”.

The Secretary went on to insist that comms data could be separated out from content, though some experts have questioned how such sifting of information on such a large scale might be achieved without revealing some sensitive data to the CSPs who would be required under such a law to retain much more info on their subscribers.

May went on to admit, however, that “at some point in the future if it became the case that you couldn’t divide comms data from content [because of the development of technology] then we’d need to look at that”.

Sadly, at that point the committee failed to ask what this meant for those well-known websites such as Google, Facebook and Twitter that are now moving to encrypt their pages.

The minister was repeatedly pressed about the talks the Home Office has claimed already to have had with CSPs – many of whom have said there has been little or no consultation to date by May’s department on the bill.

She said: “We have had good discussions with a number of CSPs in the run up to this bill being published. Going forward we would expect that to be much more detailed.”

When asked about security concerns relating to the retention of data held by private companies to help police and spooks access information about alleged crims, May appeared relieved to note that such data would not be in the hands of the public sector – which has an abysmal track record on data protection.

She added: “CSPs are holding significant amounts of data about people’s communications as we speak. This is not a new concept.”

May further asserted that the concept of corporations ring-fencing such data would “not be changed by the nature of this bill”.

After a break in the session, the Home Sec returned to respond only briefly to questions about cost savings of £6bn over the next 10 years, which was described by the committee’s chair as “fanciful”.

Perhaps unsurprisingly, May struggled to explain how her department had calculated that the proposals would cost £1.8bn from the public purse over the next decade.

She told MPs and peers that the Home Office had not been sitting around “totting up” such figures, and that she would be able to justify the costs in due course.

The chair brought the session to an end by asking May if large parts of the draft bill would have to be rewritten in light of the committee hearings, the evidence gathered and the level of opposition to the current plan.

The Home Sec said she would only comment on that after the cross-parliamentary reports from the sessions had been published. May did concede that elements of the bill – which she claimed had been misinterpreted – would be addressed, however.

She was then dismissed and advised to take a swig of hot water, whiskey and honey to fix that nasty cold. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/theresa_may_draft_communications_data_bill_committee_hearing/

Lindsay Lohan storm over Hitler, Hurricane tweets: ‘It was hackers’

Actress Lindsay Lohan has blamed hackers for posting a frankly odd Hitler-themed Twitter update to her profile.

The deleted tweet stated: “How does Hitler tie his shoes? from @oatmeal”, SecurityFAQs reports. Later on Wednesday LiLo apologised to the 4.5 million plus followers to her micro-blogging feed.

“My twitter was hacked, please ignore the last tweet,” she said.

The Hitler tweet followed a comment on Hurricane Sandy that Lohan has not deleted from her timeline, and that some victims of the storm might easily find either clueless or dismissive:

“WHY is everyone in SUCH a panic about hurricane (i’m calling it Sally)..? Stop projecting negativity! Think positive and pray for peace.”

Some cynical souls have suggested that the earlier Hurricane Sally tweet and the Hitler tweet were both sent by LiLo, perhaps when she was feeling a little tired and emotional, and that the supposed hack never happened. If a hacker was to blame then he’s managed to come up with a disappointingly unimaginative prank.

Whatever happened, the El Reg security desk advises Lohan to change her password. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/lohan_twitter_hack/

Big Data to battle fraud, cyber crime: EMC guard dog gets a Silver Tail

EMC has signed a deal to acquire web fraud detection specialists Silver Tail Systems. Financial terms of the deal, announced Tuesday, were undisclosed.

In a statement, EMC said that Silver Tail’s technology bolsters RSA’s position in the web fraud detection market because its technology complements RSA’s anti-fraud products and services for banks and online retailers. The acquired technology will also fit with RSA’s strategy of using data analytics and adaptive risk-based controls to fight cybercrime targeted at both enterprises and consumers.

Privately held Silver Tail Systems’ real-time web session intelligence and behavioural analysis technology is already used by various e-commerce and online banking providers worldwide. Its software detects anomalies, IT security threats, fraud, insider threats, business logic abuse and other malicious activity using Big Data-based analytics technology. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/01/silver_tail/