
Friday 20 December 2013

Jailbroken Phones Targeted by Hacker Jammers


One of the problems the BYOD trend poses is jailbreaking -- and then hiding it. "Jailbroken and rooted phones are super dangerous in the enterprise," said Marble Security Chairman and CTO Dave Jevans. "They have no security. They can also have backdoors installed on them, which is why people want to detect and block them from accessing the enterprise network."




Smartphones hacked to run unauthorized programs or unlock features are being targeted by hackers and can pose a threat to enterprise networks, warned Marble Security.
Modifying a smartphone to enable unauthorized behavior -- called "rooting" in the Android world and "jailbreaking" in the iOS realm -- makes the mobile vulnerable to infected jammer software, the firm said.
After jailbreaking or rooting a phone, a user may not be able to use it at work because networks often contain security tools that reject modified phones. To skirt those security measures, a user will install jammer software to hide the fact that a phone is modified.
"A significant percentage of jailbroken and rooted phones have these jammers," Marble Chairman and CTO Dave Jevans told TechNewsWorld.
"We're starting to see them included in rooting and jailbreaking kits," he added.

Evolving Threat

With organizations increasingly allowing employees to use their own devices to perform corporate chores, jammers can pose a serious threat to an enterprise.
Experience shows us that even just one compromised device eventually can lead to a massive breach, Jevans said.
While jammers aren't a new phenomenon, their use is evolving.
"What we're seeing is more of them and they're getting more sophisticated," Jevans observed. "They're actually directly attacking MDM and other systems."
MDM, or Mobile Device Management systems, have been installed by many organizations with BYOD -- Bring Your Own Device -- programs. Those programs can detect jailbroken or rooted devices and prevent them from coming onto the network.
That protection often can be defeated by a jammer, thus allowing jailbroken or rooted devices full connectivity privileges to a network.

Free Apps Have Security Costs

Because free applications for Android smartphones are so popular, developers often resort to building their programs around SDK frameworks provided by advertisers to generate revenues from an app.
Many of these SDKs have been rapped for collecting more information from a user's phone than necessary to accomplish their goals.
That's not the only downside to those SDKs. They also can expose a smartphone to man-in-the-middle attacks.
An SDK installed with an application "calls home," looks for a new version of the SDK, and then downloads it to a phone. It does that to keep the SDK up to date.
"That's where the security issue comes in," Bogdan Botezatu, a senior e-threat analyst with Bitdefender, told TechNewsWorld. "It's being done over HTTP without encryption."
"Anyone listening to that communication can intercept the request to the home server and send malicious information to the phone," Botezatu said.
Making matters worse, no verification of information is done at the phone's end of things. "It just takes whatever's delivered to it from the Internet," Botezatu added.

Phishing Paradigm Change

Phishing ain't what it used to be.
That's the verdict handed down last week by Websense in a special report on phishing.
"Long gone are the days when users are faced almost exclusively with banking phishing," Websense Senior Research Manager Carl Leonard told TechNewsWorld.
"Phishing has become more targeted," he added.
In the past, phishers were content with the low success rates they achieved from massive mailings. "Now they can get higher rates of return through spear phishing," Leonard noted. "They can get high rates of return because the content they send to their targets is very tailored and appealing to them."
The Websense report also identified the five most common subject lines found in phishing emails. They include an invitation to connect on LinkedIn, a mail delivery failed message, a "dear bank customer" letter, an "important communication!" message and a "return to sender" notification.

Breach Diary


  • Dec. 9. Trend Micro releases security forecast for 2014 predicting one major data breach a month will occur next year.
  • Dec. 9. Microsoft announces its online users will be able to see logs of their activity and lock down their accounts if they see suspicious activity.
  • Dec. 9. AOL, Apple, Facebook, Google, LinkedIn, Twitter, Yahoo and Microsoft issue joint statement asking governments of the world to reform their surveillance laws and practices and ask the United States to lead the way for reform.
  • Dec. 9. Southern University School of Medicine acknowledges personal and medical information of almost 1,900 patients is at risk from theft of a laptop in October or November from the private office of a physician at the university's Memorial Medical Center.
  • Dec. 10. News reports reveal NSA uses cookies collected by companies like Google to identify targets for offensive hacking operations.
  • Dec. 10. FireEye reports a Chinese hacking group infiltrated computer systems and spied on attendees during the G20 Summit held in September.
  • Dec. 10. Trusteer releases survey of 755 IT practitioners by Ponemon Institute showing organizations experienced an average of nine advanced persistent threats in the last year and the average time to discover an APT was 225 days.
  • Dec. 10. Los Angeles Gay & Lesbian Center reveals it's notifying some 59,000 current and former clients that their personal information may have been compromised during a series of attacks by hackers on the organization's computer systems over a two-month period.
  • Dec. 11. Arxan reports 100 percent of the top 100 paid Android apps and 56 percent of the top 100 paid Apple iOS apps have been compromised in some way.
  • Dec. 11. Boston Globe reports hundreds of attendees at two conventions held in the city in the fall are complaining that their credit card numbers are being used to make unauthorized purchases across the country. Source of the data theft is being investigated by local law enforcement authorities.
  • Dec. 11. SailPoint reports in annual survey of 400 IT leaders that 50 percent of them experienced situations where workers tried to access company data or applications after employment termination.
  • Dec. 11. Kaiser Permanente acknowledges it's notifying nearly 50,000 patients that their personal information may have been compromised when a USB drive containing the data went missing from the organization's Anaheim Medical Center in California.
  • Dec. 11. University of Connecticut Health Center acknowledges medical records of 164 patients may have been compromised when an employee inappropriately accessed the records. Institution says it had no evidence that the information accessed by the employee was misused or misappropriated.
  • Dec. 12. Microsoft joins board of directors of the FIDO Alliance, a group developing an alternative to online authentication using passwords.

Upcoming Security Events


  • Dec. 18. Security Predictions. 1 p.m. ET. Webinar sponsored by WatchGuard. Free with registration.
  • Dec. 19. The InfoSec Year in Review. 2-3 p.m. ET. Black Hat Webcast Series. Free with registration.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, US$415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.
  • Jan. 27-29. CyberTech 2014. The Israel Trade Fairs & Convention Center, Tel Aviv. Registration: Until Jan. 1, $350; Jan. 2-26, $450; on-site, $550.
  • Feb. 6, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Dominican Republic.
  • Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • Feb. 25, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 20-21, 2014. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
  • March 25, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25-28, 2014. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 8, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 11-12, 2014. Women in Cybersecurity Conference. Nashville, Tenn.
  • April 29, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 20, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.

When Freemium's Good, It's Very Good and When It's Bad, It's Horrid






When I read a new report on app store trends for 2013 recently, my most irritating fear was confirmed: The freemium app business model has not only won the app sales model, it has handily crushed the paid app model -- squeezed it down into a tiny sliver of relative revenue.
The results are so tilted toward free apps with in-app purchases as a business model, in fact, that even more new apps will apparently be written entirely with the freemium model in mind. That's why I'm sitting under my desk and rocking back and forth as I type this sentence.
Who was the messenger with this lousy news? Distimo, a global app analytics company that tracks more than 280,000 apps and 3.2 billion downloads per quarter. Distimo's 2013 Year in Review report contains a variety of insights into downloads, app leaders and revenue volumes around the world, but the part that really caught my attention was the clear reign of the freemium model.

A Slim Slice of the Pie

Among the discouraging figures from the report are that revenue based on in-app purchases increased from 77 percent to 92 percent in the Apple App Store. Also, revenues based on in-app purchases increased from 89 percent to 98 percent for Android apps on Google Play.
When Distimo put this data into a pie chart, paid app and paid apps with in-app purchase options resulted in overall revenue that resembled a slim slice of pie compared to free apps with in-app purchases.
Namely, in the U.S. at the Apple App Store, paid apps brought in just 4 percent of all revenue, while paid apps with in-app purchase options brought in another 4 percent, for a total of 8 percent. In Japan, those figures each dropped to just 1 percent, and Distimo indicates that the freemium model is even more successful in Asian countries than in western markets.
I had no idea the numbers were this bad.

What's So Wrong With Freemium?

The great thing about free apps is that users can download them and start using them to really see how they look, feel and work. Freemium apps have functionality that works, and users can figure out if they want to really start using the apps for a long time -- or delete them and keep looking for something else, with no loss of money.
Isn't that cool?
Yes, yes it is.
But?
The problem I have with freemium apps -- and in particular, freemium games -- is how nefarious the apps have become. Let's consider games, which bug me the most because they prey on the least savvy and weakest of us all: kids and people with highly addictive personalities.
All too often in freemium games, kids will download the game and then start playing. They are having fun and the game is fantastic. In all likelihood, the developer has worked in a series of minor challenges and rewards to start creating actions (cues) associated with rewards (pleasure response) that train a kid to not only enjoy and like a game ... but become addicted to it.
Like drugs, the initial pleasure response comes from minimal stimulation; also like drugs, however, the games scale with bigger and better rewards and actions that can only be satisfied with in-app purchases. Suddenly, kids (and addicted adults) are paying money to progress into the game and even "win" it. In effect, they are powerless to do otherwise.
Hyperbole? No way. What's the first step in the original 12 steps of the Alcoholics Anonymous program? Admit that you are powerless over alcohol and that your life has become unmanageable because of it.
Do you know people who waste an astonishing amount of time on their iPhones? Who have a hard time engaging with the world around them if they aren't holding their iPhone? People who have forgotten how to unplug and have fun without constantly looking at a screen?
Now imagine a world where small children and teenagers always have screens ... and most every app is free -- not just free, but programmed specifically and intentionally for maximum enticement where suddenly it's normal to string you along a series of purposely addictive steps until it seems natural to tap and pay, tap and pay, tap and pay ... in order to "win."
That pains me. It's bad enough that teenage girls are losing their ability to bend their necks up to look and see the sky. As freemium reigns supreme, it's just going to get worse.

Why Is Freemium Evil?

Freemium is not exactly evil -- it just throws open the closet door. The problem I see is that when game developers start purposely using the freemium business model to create apps, it trains their creative minds to think in a certain way. That way is all about inviting someone into the closet and keeping them there, feasting on their soul as long as there is an active credit card still connected to an iTunes account.
OK, that was a little hyperbole, but hey, it's not so far from the truth: The success of freemium will inexorably change how developers approach the features and functionality that they build into all apps, not just games. Instead of users buying an app and using it, apps will be created in such a way that features will be offered and withheld in manners of dubious clarity and honesty.
If the app provides true value, if it's up front in what is free and what is not free, if it doesn't implement underhanded, confusing tactics that trick or bait-and-switch users into buying things they did not intend, then freemium is cool.

There Has to Be a Better Way

I wish I could say I had a better solution than the freemium app model. I don't. When it's done well -- when users get to really dive into an app and understand its value, if not get a constant small-but-free taste, then buy more when they really appreciate it -- that's good. I like that.
But the bad -- how can we deal with the bad?
Even if Apple elevated apps that were simply paid, I don't think that would change the freemium landslide. A brief full-access trial before purchase might be workable -- and preferable -- but I doubt developers are willing to turn it into a standard practice en masse. Subscription models, I fear, face an even bigger uphill battle these days.
The only thing I think we can do right now -- and teach our children to do -- is to be utterly ruthless with reviews on sneaky tactics and poorly implemented freemium tricks. Let others know. If buttons are placed to encourage accidental in-app buys, get ruthless. If apps imply one thing but deliver another when you actually buy, get ruthless. If apps start out fun but become obnoxious, say so. Get ruthless.
We have to train our game developers to take pride and care in the product every step of the way. Only then will a "market voice" matter. To me, the freemium business model is not a game. It has reach and consequences.
Personally, I rarely review apps through the App Store -- I tend to write only about the apps I appreciate most -- but now I'm thinking I should review them. Heck, it might even be my duty as an iPhone-toting citizen of the world.
If bad (but always honest) reviews hold power, then it's time for all of us to wield them whenever we can.

Friday 13 December 2013

iBangle puts the iPod on the wrist

When it comes to iPods and other MP3 players, not much has changed about them in the past few years. Sure, the memory is getting better all the time, but the design is the same: they clip on the belt and the obligatory wired earplugs.
This iBangle design concept is a little bit daring as the design fits right on your wrist instead of clipping to your belt. Don’t let its loose look fool you, the iBangle won’t easily slip off like other “clip-on” MP3 players. Apparently, that tiny blue button that you see in the illustration somehow fills the blue area with air, so it fits snug, but hopefully not too snug.
As for the earphones, forget about it! The audio sound is transmitted via wireless earbuds. So how do you navigate through tracks, you may ask? Just use the multi-touch track pad.
Now, if only it had a way to play video files. Perhaps a screen could be put on it, and the iBangle could pass for a watch.
Too bad this iBangle remains only a concept from designer Gopinath Prasana. Apple, this could easily be the next big thing for MP3 Players, so please feel free to put one million iBangles into production.

Thursday 5 December 2013

iPhone 6 could get refocus-able light field camera

A company the size of Apple puts in for a staggering number of patents, many of which amount to nothing, but there's a recent patent that has people thinking that the iPhone 6 could have a different type of camera than we've seen on a smartphone before.

Reported by 9to5Mac is a patent granted to Apple for a light field camera, which allows people to refocus their shots after they’ve been taken.

The technology works by capturing light fields, rather than a single 2D capture of the moment. The net result is that a photo is no longer a fixed capture, but one where you can select a part of the picture to completely refocus the image.

This technology is most famously used in the Lytro Light Field camera. While an interesting technology demo (you can see a sample shot that you can refocus below), the low-resolution photos weren't much use for printing or using on high-resolution devices.

While the Lytro camera may only be of interest, if Apple can apply the same kind of technology to a higher-resolution sensor, then it could offer a completely different type of smartphone photography experience. It remains to be seen what Apple can do, as the patent refers to both a high-resolution and low-resolution mode, with the patent stating that it covers "A digital camera system configurable to operate in a low-resolution refocusable mode and a high-resolution non-refocusable mode".

As well as being smart technology, refocussing tools would fit in well with iOS. As Apple has shown with its intelligent Slo-Mo editing tools in the iPhone 5S, adding smart tools for refocussing shouldn't be a problem.

Part of the patent is listed as being prior art, which is likely down to the work done by Lytro. Of course, as with all patents, there's no indication of a launch date of the product. We've also got no further information on how Apple can or will slim down the light field sensor to fit into a smartphone. We can only hope that the company is already hard at work and we'll see something new for the iPhone 6's camera.

Monday 2 December 2013

Apple objects to high legal fee in ebooks antitrust case

SAN FRANCISCO: Apple wants to rein in the pay and power of a monitor hired to watch over the company as punishment for conviction in an ebook price-fixing case.
In court paperwork available online Apple objected to being billed more than $1,000 an hour for the services of former US prosecutor Michael Bromwich.
The Northern California-based maker of iPads, iPods, iPhones and Macintosh computers also protested Bromwich's intent to question chief executive Tim Cook, lead designer Jony Ive, board member Al Gore and other top executives who aren't involved in day-to-day operations.
"Michael Bromwich is already operating in an unfettered and inappropriate manner," Apple argued in an objection filed with the federal judge in Manhattan who presided over the ebook trial.
"The $1,100 hourly rate he proposes for himself and the $1,025 rate for his legal support team are higher than Apple has ever encountered for any task," the filing maintained.
In a letter to an Apple attorney, Bromwich countered that it is up to the judge to decide whether his pay is reasonable and contended that he has encountered resistance from the Cupertino, California-based firm.
"We have seen little reciprocity and instead a consistent pattern of delay, unresponsiveness and lack of cooperation," Bromwich said in a letter on file with the court.
"We very much hope that changes with our trip to Cupertino the week of December 2."
In September, the judge who found Apple guilty of illegal price-fixing for e-books ordered the tech giant to steer clear of new contracts with publishers which could violate antitrust law.
US District Judge Denise Cote ordered Apple to refrain from any agreement with publishers "where such agreement will likely fix, or set the price at which other e-book retailers can acquire or sell e-books."
The order followed the judge's July ruling that Apple illegally conspired with publishers to boost the price of electronic books.
A separate trial will be held next year to determine damages, but the injunction blocks Apple from making any similar moves to reshape the price structure in the e-books market.
Apple can still sell e-books through its online channels, but cannot make any special arrangements or collude with publishers to fix prices.
The company also must pay for an antitrust compliance officer who answers to the court.
The trial focused on a six-week period in late 2009 and early 2010 during which Apple negotiated contracts with publishers ahead of its iPad launch and proposed a new and more profitable business model.

Owner & Founder

SAKET GUPTA
