Tag: website

Android apps let down Google's security

Android applications whose SSL handling has not been properly tested are exposing users to man-in-the-middle attacks, security researchers have found.

Researchers from Germany’s Leibniz University of Hannover and Philipps University of Marburg found that 41 applications in Google’s Play Market leaked sensitive data as it travelled between handsets running the Ice Cream Sandwich version of Android and the web servers of banks and other online services.

When the handsets were connected to a local area network under the researchers’ control and subjected to a variety of well-known man-in-the-middle techniques, some of them using tools freely available online, it was a doddle to defeat the secure sockets layer and transport layer security protection the apps claimed to implement.

The apps are popular and have been downloaded between 39.5 million and 185 million times in total, so there are a lot of insecure Android phones out there.

The researchers said that they could harvest bank account details and payment credentials for PayPal, American Express and others.

Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained, and the control channels between apps and their remote servers could be subverted, they said.

The researchers say that the problems underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and users, Ars Technica reports.

The protocols themselves are sound, but their protection evaporates when the code using them skips certificate validation, as these apps did, or when certificate authorities fail to secure their own infrastructure.

The researchers downloaded 13,500 free apps from Google Play and checked statically whether each app’s SSL implementation was potentially vulnerable to man-in-the-middle (MITM) attacks.

The scan identified 1,074 apps, or eight percent of the sample, containing SSL-specific code that either accepts all certificates or accepts any hostname for a certificate. Either shortcut makes the app potentially vulnerable to MITM attacks: the first lets an attacker present any self-signed certificate, the second lets a valid certificate for one domain pass for another.

From the list of 1,074 potentially vulnerable apps, the researchers picked 100 for a live man-in-the-middle test, and 41 of those turned out to be exploitable.

One thing that does surprise objective viewers is that the researchers didn’t run a comparison with Apple apps.

The researchers did say that the openness of the Google platform made it easier to perform static analysis and zero in on the apps with SSL implementations that exposed sensitive user data. In other words, it was easier to test which apps were vulnerable using the tool they built. Apple software could also be vulnerable, but it’s harder to come up with an accurate test for it.

However, the weakness is likely to be universal across smartphone platforms, and companies would have to be insane to allow bring-your-own-device policies on that basis.

Staff writer launches maternity style website

Staff writer Andrea-Marie Petrou has donned her heels and launched a maternity style website.

Does My Bump Look Good in This aims to help women style their growing bump for any occasion, from smart to casual, taking inspiration from the catwalks and from designer and high street offerings, and also offers advice after the birth on breastfeeding and nursing style.

The site was born after Andrea found that, although there was an abundance of sites for mainstream fashion, they were almost non-existent for maternity. 

As a result she had to trawl the web to find ideas and brands that would help her dress in style and not be stuck in the stereotypical leggings and tracksuit bottoms.

Not only was this incredibly frustrating but also time consuming.

Although the site is in its early stages, it has already garnered support from top maternity brands as well as high street stores, which are keen to be featured.

As well as freelancing in fashion, Andrea has written insights for us into Intel’s bizarre flagship CeBit announcement – the Ultrabag – recommended Mark Zuckerberg have a makeover, and provided us with an extensive rundown of 2010’s tech fashion brat pack.

Justin Bieber violated kids' privacy

Gyrating, puking and lip syncing popular beat combo artist Justin Bieber has been violating the privacy of those pre-pubescent girls who visit his website.

While many of his victims would be pleased to hand over their personal details, particularly if they thought Justin might actually know who they were, it seems that privacy watchdogs are less happy.

According to the Sydney Morning Herald, the company which makes official fan websites for Bieber and his chipmunk squeeze Selena Gomez has agreed to pay $1 million to settle charges that it illegally collected data about more than 100,000 children.

The Federal Trade Commission (FTC), in a complaint filed in a New York district court on Tuesday, had accused Artist Arena of failing to get parental consent before collecting data such as the names and email addresses of children.

FTC’s Bieber Basher, Claudia Bourne Farrell, who has one of the best surnames in the business for such a job, said the company agreed to settle for $1 million. The settlement must be approved by a judge, she added.

The company improperly collected data from an estimated 101,000 children aged 12 and under, according to the FTC.

Under the Children’s Online Privacy Protection Act, websites are required to give special treatment to children aged 12 or younger. They must get parental permission before collecting information about the children.

The FTC is in the process of updating the rules to further restrict companies and websites that target youths or are geared to young audiences.

Artist Arena is not saying anything about the deal. Bieber said that he has a relationship with Jesus, talks to him and that “he’s the reason I’m here” which is another reason to hate organised religion.

Android Forums website hacked

Android fansite Phandroid has admitted that its Android Forums website was hacked this week and the details of 1,034,235 user accounts were exposed.

The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and some other less interesting stuff which was forum related.

In a post titled Important Notice – Security Breach, Android Forums administrator “Phases” said that the attack was a bog standard one using a known vulnerability.

The server has been checked for dodgy code, and hardened against similar attacks.

At the moment the advice is for users to change their passwords, and if you use the same email address and password combination elsewhere, you should change it there too. Hashed passwords are not safe passwords: with the hashes in hand an attacker can try guesses offline at leisure, so weak or reused ones will fall.

No other sites in the network appear to have been accessed.

The organisation believes this was an e-mail harvesting attempt and the hackers were looking for e-mail addresses to spam at a later time. 

Austria arrests former neo-Nazi leader, again

The Former Austrian neo-Nazi leader Gottfried Kuessel has been arrested after Inspector Knacker of the Austrian Yard had a look at the alpen-donau.info website.

Since the Second World War, both Germany and Austria have strictly banned material related to the Nazis and their methods of operating.

Kuessel, a modern neo-Nazi, has fallen foul of these laws before. He is the former leader of the now-banned neo-Nazi group Volkstreue Ausserparlamentarische Opposition (VAPO).

VAPO described itself as an “extra-parliamentary opposition” probably because its skinheaded “politicians” could not even get their mums to vote for them. It was declared illegal in the 1990s.

Inspector Knacker was very interested in Kuessel’s involvement in alpen-donau.info which is a key forum for Austria’s neo-Nazi movement.

The site was shut down in March and house searches were conducted in Vienna and the southern Styria province. Inspector Knacker seized documents, computers, hard-disks, weapons and Nazi paraphernalia.

In a statement, Vienna prosecution spokesman Thomas Vecsey said Kuessel and a second person were arrested.

A key part of the arrest was the help that investigators received from their US counterparts, who helped them gain access to the website’s servers, which were based in the United States.

To be fair, Kuessel has never tried to hide his beliefs and has been a martyr to them. He describes himself as a “national socialist”, and claims that the Holocaust never happened.

Famously he once said that the diary of Anne Frank was a fabrication.

He was sentenced to 10 years in prison in 1993 for Nazi propaganda, but was released in 1999 after six years. Now it looks like he will be back inside for another stretch, but then again Nazis are not famous for being rational, learning from mistakes, being flexible or adapting.

Baidu culls three million books to appease angry authors

Baidu has panicked and deleted about three million pieces of literature to prove it’s doing its best to appease copyright holders.

After an ongoing copyright dispute with writers, the Chinese search engine has gone on a three-day rampage and deleted nearly three million “potentially infringing” works from its online literary section, Baidu Wenku.

According to AFP this leaves the service, which was created to allow users to read, share or download texts for free, with just under 1,000 works to leaf through. Baidu says any uploads in the future will be carefully vetted before going public.

The Chinese site has taken the measures after over 40 authors signed a letter which painted Baidu as allowing their works to be available as free downloads without their permission.

Despite disagreements and breakdowns in talks, Baidu saw the light and bowed to the group at the weekend.

The service worked by allowing users to upload texts and books from authors, which of course led to copyright complaints. However authors had faced a brick wall in trying to get these taken down, being referred to a complaints site, which promised deletion of the texts within 48 hours.

This often didn’t happen, but Baidu covered itself by posting a disclaimer online which made users who uploaded the content responsible. The writers had insisted the firm should bear responsibility.

Census data security called into question

The deadline to fill out the census is coming to a close this weekend and information will be stored and used by the government to help and fund services like transport, education and health.

Taking part in the census is compulsory and anyone who does not participate or supplies false information could face a fine.

However the database and security of the information has come into question. A security professor, who wished to remain anonymous, tells us: “Yes, the census isn’t new but any extra database is ludicrous. The government has proven time and time again that it can’t be trusted with a laptop, let alone the details of millions of people.

“And it’s not just the Office of National Statistics staff we have to be concerned about, given that this data will be shared out with the police, MI5 and other ‘security’ bodies, all of which will be able to see the information.

“The question here is – how can they successfully transfer and share this information and how can they ensure it doesn’t leak?”

The professor added that this is just another sneaky way to keep all of our information on record and to spy on us. “There’s no doubt we’ll be hearing soon that our details have been hacked,” he said.

A spokesperson for the Office for National Statistics told us there’s “a lot of misinformation in the media.”

He dismissed claims that the information would be shared: “no one gets access to the records”.

“What they do get is statistics, for example genders, by age etc,” he told TechEye.

“Any personal information is kept secret, we don’t share it with people and we have a 200 year record for keeping the census information secure,” he added.

The information is also legally restricted, with the spokesperson adding that the office is bound by law to respect individual rights to confidentiality.

When it comes to website security we were told: “Information submitted online is protected by strong encryption and identity protection. All data processing will be carried out in the UK. No data will leave or be held at any point outside the UK.”

Security may be holding up, according to the census spokesperson, but despite reassurances that the website wouldn’t crash the way the tax site did when it was under pressure, we have had comments from readers reporting bugs.

But the Office for National Statistics has said: “We weren’t aware and haven’t had any complaints.”

Spammers capitalise on Ireland's unemployment rate

One of Ireland’s largest job websites, RecruitIreland.com, has been hacked and user details seized.

At 1.50pm yesterday afternoon the website managers of the recruitment site were alerted to the breach. They shut down the website and database ten minutes later and reported the incident to the Gardaí and the Data Protection Commissioner. It is also being investigated internally by RecruitIreland and externally by a security expert.

It was revealed that certain user details were compromised in the attack, including first and last names along with email addresses. It is not believed any other information was obtained, such as CVs, usernames or passwords.

However, the data that was obtained can easily be used for spam and there have already been reports of such. The spam messages use the full name of the individual and present a fake job opportunity. RecruitIreland has urged users to take extra care and not respond to such messages if they manage to escape the anti-spam filter. It is believed that acquiring data for spam was the sole purpose of the attack.

More and more people are using these kinds of websites in Ireland as the unemployment rate remains considerably high at 13.4 percent, according to recent figures for January by the Central Statistics Office. This is a sharp increase from the rate of 4.4 percent five years ago in the heart of Ireland’s Celtic Tiger economic boom.

This attack is the latest in a string of website hacks and data breaches in Ireland. The website of one of the main political parties, Fine Gael, was hacked by Anonymous, while a Northern Ireland political party website was hacked by an Irish language activist. Laptops have also been stolen from the Irish tax office, and the Irish government is being investigated for sending unsolicited emails.

With an election at the end of February, it doesn’t look like these problems will go away any time soon.

Anonymous issues warning to UK government

Anonymous has released an open letter to the UK government in response to the arrest of five of its members yesterday, labelling the arrests as “a sad mistake” and “a serious declaration of war”.

Anonymous claimed that the arrests reveal that the UK government does not understand the political and technological reality of the modern world and considers the move a declaration of war against Anonymous.

Anonymous said that traditional forms of protest, such as picketing and sit-ins, are now little more than “an empty, ritualised gesture of discontent”. It said that people are looking for new ways to make politicians wake up and hear the cry of the people.

It claimed that the use of Distributed Denial of Service (DDoS) attacks is simply the technological equivalent of blocking access to a building in a traditional form of protest. It said that it was “irrelevant” whether the infrastructure being blocked was located in the real world or in cyberspace.

Anonymous also said that its DDoS attacks do not constitute hacking, since they only flood a server with traffic and do not gain unauthorised access to a computer or network, which is the definition of hacking used in law.

It claimed that arresting someone for a DDoS attack is like arresting someone for a peaceful demonstration, a view which is unlikely to wash with the police. It also accused the UK government of being hypocritical in hunting down Anonymous DDoSers but ignoring those who previously DDoSed Wikileaks, and it said that it has concluded that the arrests are “politically motivated”.

Of course, it’s not the ringleaders of Anonymous who get arrested, but the Average Joes who are invited to download and employ DDoS tools, often without the use of a proxy server or other forms of online identity protection. These individuals face up to 10 years in jail and a fine of £5,000 ($7,957), a sentence which Anonymous labelled as “ridiculous”.

This means that the attacks can still be masterminded and orchestrated by hackers who know how to keep their identity secret, with disgruntled citizens taking the fall. “You can easily arrest individuals, but you cannot arrest an ideology,” Anonymous stated, suggesting that it will continue its attacks regardless of how many people get arrested.

If any of the head honchos do get caught, they can always argue in their defence that a real ringleader would not have been caught. That doesn’t stop them from receiving a potentially hefty fine and prison sentence though.

Anonymous said that it will cross any borders to achieve its aim and that the UK government should take its message as a “serious warning”. It requested that its fellow members be released.

With the FBI issuing 40 warrants today as part of its investigation into the attacks, this situation is likely to escalate even further.

Northern Ireland political party websites hacked by Irish language activist

Three websites of the Democratic Unionist Party (DUP) in Northern Ireland were recently hacked and translated into Irish.

The hack was carried out by an Irish language activist who goes by the name Hector O’Hackatdawn, a play on the name of a prominent Irish presenter, Hector Ó hEochagáin. The hacker took over the party’s main website and the websites of the party’s leading members, First Minister Peter Robinson and Jeffrey Donaldson.

On Robinson’s website a message was posted, which said: “Is mise Peadar Robinson agus tugaim tacaiocht don Acht na Gaelige.” This is Irish for “I am Peter Robinson and I support an Irish Language Act.”

Irish is not officially recognised in Northern Ireland, where the official language is English, but there have been multiple attempts over the years to get this recognition. The proposed Irish Language Act was repeatedly vetoed by the DUP, stirring much hatred of the party among Nationalists and other supporters of the Irish language.

The DUP reported the incident to the police and the websites have since been brought back online. This may not be the end of the attacks, however, as Hector said that he previously hacked the DUP website on New Year’s Eve using the same security hole, which he claims has not been fixed.

The hack follows attacks on the website of one of the largest parties in the Republic of Ireland, Fine Gael, earlier this week. That attack put up to 4,000 supporter details in the hands of Anonymous, the group behind attacks on PayPal, Visa, MasterCard and Amazon over their removal of services for Wikileaks.

This latest attack does not appear to be connected, but it does raise serious questions about the security features political parties are investing in for their websites.