Categories
Shared

Vulnerability In Fully Patched Android Phones Under Active Attack By Bank Thieves

An anonymous reader quotes a report from Ars Technica:

A vulnerability in millions of fully patched Android phones is being actively exploited by malware that’s designed to drain the bank accounts of infected users, researchers said on Monday. The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.

Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market. The vulnerability is most serious in versions 6 through 10, which account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There’s no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user’s only defense is to click “no” to the requests. “The vulnerability is found in a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment,” reports Ars Technica. While Google has removed the [unnamed] malicious apps from its Play Store, according to Promon, the vulnerability is still unfixed in all versions of Android.

“Promon is calling the vulnerability ‘StrandHogg,’ an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom,” the report adds. “Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company for financial institutions that several banks in the Czech Republic reported money disappearing from customer accounts.”

As seen on: https://it.slashdot.org/story/19/12/02/230254/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves

Categories
Shared

It’s Way Too Easy To Get a .gov Domain Name

Brian Krebs:

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.

“I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.” The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating — town.exeter.ri.us — which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving). “I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

As found on Slashdot

Categories
Shared

Democrats Propose Sweeping Online Privacy Laws

mspohr quotes a report from The Guardian:

Top Democrats on Tuesday proposed tough new privacy laws to rein in the U.S.’s tech companies after a series of scandals that have shaken confidence in the companies and exposed the personal data of millions of consumers. The effort, led by Senator Maria Cantwell, the top Democrat on the Senate commerce, science and transportation committee, aims to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” The Consumer Online Privacy Rights Act (Copra) comes after a series of failed attempts to rein in the tech giants in the U.S.

The act resembles Europe’s sweeping General Data Protection Regulation (GDPR) legislation, passed in 2016. It would force tech companies to disclose the personal information they have collected, delete or correct inaccurate or incomplete information and allow consumers to block the sale of their information. The bill’s sponsors are all Democrats and include presidential candidate Senator Amy Klobuchar. “Companies continue to profit off of the personal data they collect from Americans, but they leave consumers completely in the dark about how their personal information is being used,” she said. “It’s time for Congress to pass comprehensive privacy legislation.”

Categories
Shared

Apple Changes Crimea Map To Meet Russian Demands

ardmhacha writes:

Apple has complied with Russian demands to show the annexed Crimean peninsula as part of Russian territory on its apps. Russian forces annexed Crimea from Ukraine in March 2014, drawing international condemnation. The region, which has a Russian-speaking majority, is now shown as Russian territory on Apple Maps and its Weather app, when viewed from Russia. But the apps do not show it as part of any country when viewed elsewhere. The State Duma, the Russian parliament’s lower house, said in a statement: “Crimea and Sevastopol now appear on Apple devices as Russian territory.” Russia treats the naval port city of Sevastopol as a separate region. The BBC tested several iPhones in Moscow and it appears the change affects devices set up to use the Russian edition of Apple’s App Store. Apple had been in talks with Russia for several months over what the State Duma described as “inaccuracy” in the way Crimea was labelled.

Further reading: Apple Has No Backbone.

Categories
Shared

New Tracking Prevention in Microsoft’s Edge Will Hit Google the Hardest

Microsoft’s Edge browser is built on the same open source code as Google Chrome. But Ed Bott, writing for ZDNet, noticed something interesting:

On January 15, 2020, Microsoft is scheduled to roll out a completely revamped Edge browser to the general public. That browser, which is available for beta testing now on all supported versions of Windows and MacOS, includes a feature called Tracking Prevention. If that name sounds familiar, you’re not imagining things. Microsoft added a Tracking Protection feature to Internet Explorer 9, back in 2011; it used simple text files called Tracking Protection Lists (TPLs) to allow or block third-party requests from specific domains. That’s the same general principle behind Tracking Prevention in the new Edge, but the implementation is more usable and more sophisticated, with multiple Trust Protection Lists taking the place of a single TPL.

I’ve spent the past week looking closely at this feature… [A]lthough it’s aimed at the online advertising and tracking industries in general, my tests suggest that its effects are likely to be felt most directly by one company: Google.

Using the default Balanced setting, Tracking Prevention blocked a total of 2,318 trackers, or an average of 35 on each page. Of that total, 552 were from Google domains. That’s a mind-boggling 23.8% of the total. To put that into perspective, the second entry on the list of blocked trackers was Facebook, which represented 3.8% of the total.

Rather than evidence of an anti-Google conspiracy, the article suggests this is simply a reflection of both Google’s ubiquity and its business model.

“Google Analytics and Google AdSense are embedded on a staggering number of web pages.”

As found on: https://tech.slashdot.org/story/19/11/24/2055219/new-tracking-prevention-in-microsofts-edge-will-hit-google-the-hardest

Categories
Shared

Apple exec says students who use Google’s ‘cheap’ laptops at school are ‘not going to succeed’

Apple’s marketing SVP Phil Schiller slammed Google’s Chromebooks in an interview with CNET published on Wednesday, saying that students who use them are not going to succeed.

The remarks are an escalation of Apple’s rhetoric about the competitive K-12 market in the United States where it is losing to Google and Microsoft.

“Chromebooks have gotten to the classroom because, frankly, they’re cheap testing tools for required testing,” Schiller said during an interview to promote a new $2,400 MacBook Pro. “If all you want to do is test kids, well, maybe a cheap notebook will do that. But they’re not going to succeed.”

In a tweet sent after this story published, Schiller said that “every child has the ability to succeed.”

Right now, there are far more Chromebooks being sold to schools than other kinds of computers. In 2018, 60% of all laptops and tablets purchased for U.S. K-12 classrooms were Chromebooks, with Microsoft Windows-powered computers coming in second at 22%. Apple’s iOS and macOS had 18% of the market, according to stats from Futuresource Consulting.

“At the point where U.S. districts needed to purchase devices for online assessment on mass scale, Chromebooks were clearly significantly cheaper than competitive offerings,” Futuresource analyst Michael Boreham said in an email.

Schiller’s argument against Chromebooks goes like this: According to a study done “many many years ago” internally at Apple, kids learn best when they’re engaged. To maximize engagement, schools need to buy “cutting-edge learning tools” like Apple’s iPad.

He also returned to an argument that Apple CEO Tim Cook has made previously: Google’s Chromebooks are “test machines.” That’s because Chromebooks are better suited for government-mandated “Common Core” tests, which require or heavily recommend keyboards. Apple’s iPad, which Schiller calls the “ultimate tool for a child to learn on,” doesn’t have a built-in keyboard and requires an additional accessory to add one.

The U.S. education market is expected to hit $43 billion in sales in 2019, according to an estimate from Technavio earlier this year. Students who get comfortable with a given company’s software in school may remain a customer when they grow up and buy their own computers.

The education market is important to Apple, which held a press event at a school in Chicago in early 2018 discussing its education strategy and the “Everyone Can Code” program in which Apple creates computer science curricula it distributes to schools for free. Last year, Apple announced that it would build a new course for Advanced Placement high school students focusing on Apple’s programming language, Swift.

Apple also announced an update to its entry-level iPad at the event and said it would sell it to schools for $300 after an educational discount.

Aside from cost, Google enjoys a competitive advantage over Apple with its Google Classroom software, according to Boreham. Google Classroom lets students log on to any Chromebook to pull up their profile and saved work. Google’s device management software is also better suited for IT administrators, he added.

“Both Microsoft and Apple have added and extended their solutions with upgraded and cheaper hardware, IT deployment tools and a wider range of apps and tools, but to date there are limited signs of a significant OS market share change,” Boreham said.

As found on CNBC, https://www.cnbc.com/2019/11/13/apple-exec-students-who-use-googles-cheap-laptops-wont-succeed.html

Categories
Rants

Stupid-ass TLDs 🙄

I like to think I’m not an overly opinionated person. That being said, when I saw the internet number authority’s list of TLDs, I felt full of opinions. Take a scroll through for yourself!
What do you find?

Wonderful-sounding, generic, general-purpose top level domains that you might want, such as:

.CalvinKlein, .BestBuy, and .BlockBuster

Internet Assigned Number Authority, List of Top-Level Domains (capitalization added for ease of recognition)
“Version 2019110300, Last Updated Sun Nov 3 07:07:01 2019 UTC”

Those sound great! Especially that last one. At last, I can run my own livestreaming.blockbuster website! Hopefully you see the problem here. It appears anyone with a budget (even long-failed movie rental companies) can officiate a TLD of their own. I like to think that a good top level domain is one that caters to a niche without being too specific. A category of business, group, or anything that might indicate a site’s purpose without naming a specific entity, to allow others who might fit under that TLD to leverage it as their own.

A few of my favorites (new[ish] TLDs that I actually like):

.Academy, .US, .Sucks

Cited from the same place as the last few… IANA of course! ‘Sucks’ is just plain fun.

I can use Academy for anything I feel teaches people. Country codes as TLDs? Just plain great. Countries will be here long enough to warrant an entry. How about “.Republican”? Of course not! Countries are here to stay (probably); political parties are so numerous and fickle that it’d be like having a .Fidgetspinner. On top of that, having group-specific TLDs opens up the door to impersonation (unless they’re never publicly traded — that’s fun too) by nefarious parties and scammers.

Now, that’s just my opinion. How’d I get here anyway? Well, I was hoping to find a .cyber TLD! Much to my surprise (this is a LONG list, surely they have internet stuff…) it’s not there. Go figure!

Maybe someday. 🤷‍♀️

Categories
Shared

AWS Customers Rack Up Hefty Bills For Moving Data

An anonymous reader quotes a report from The Information:

There are a lot of ways companies can rack up high bills for using cloud services, sometimes unexpectedly. One particularly stiff expense is the cost of shifting data from one cloud provider’s servers to another provider, or to a company’s own data center. The Information has learned just how much some companies have had to pay for these “data transfer” costs, as they’re called. The chart above shows how much 10 of the top customers of Amazon Web Services — the dominant cloud provider — paid for data transfer services in 2017 and 2018. The chart, which is based on internal AWS sales figures obtained by The Information, shows that data transfer charges for one customer, Apple, approached $50 million in 2017. That represented about 6.5% of Apple’s total AWS bill of $775 million for that year, the sales figures show. Seven of the 10 companies saw increases of at least 50% in their AWS data transfer bills last year compared to the year before.

The reason for the high bills could “stem from growth in the number of users on a company’s web service, longer-than-average usage sessions and the addition of data-intensive features such as video,” the report says.

Categories
Shared

Bank of America Says It Saves $2 Billion Per Year By Ignoring Amazon and Microsoft and Building Its Own Cloud Instead

Bank of America has bucked the Wall Street trend by building its own private cloud software rather than outsourcing to companies like Amazon, Microsoft, and Google. From a report:

The investment, including a $350 million charge in 2017, hasn’t been cheap, but it has had a striking payoff, CEO Brian Moynihan said during the company’s third-quarter earnings call. He said the decision helped reduce the firm’s servers to 70,000 from 200,000 and its data centers to 23 from 60, and it has resulted in $2 billion in annual infrastructure savings.

As found on Slashdot: https://slashdot.org/story/362412

Categories
Shared

Tim Cook Defends Decision To Remove Hong Kong Maps App In Memo

On Thursday, Apple CEO Tim Cook defended the company’s decision to remove a mapping app in Hong Kong, saying that the company received “credible information” from authorities indicating the software was being used “maliciously” to attack police. Bloomberg reports:

Apple pulled HKmap.live from its App Store on Wednesday after flip-flopping between rejecting it and approving it earlier this month. Apple made the decision after consulting with local authorities, because it could endanger law enforcement and city residents. Cook echoed that sentiment in an email to Apple employees. “Over the past several days we received credible information, from the Hong Kong Cybersecurity and Technology Crime Bureau, as well as from users in Hong Kong, that the app was being used maliciously to target individual officers for violence and to victimize individuals and property where no police are present,” Cook wrote in the memo, a copy of which was obtained by Bloomberg News. He also said the app violates local laws.

The company has been criticized for the move, and Cook addressed that. “These decisions are never easy, and it is harder still to discuss these topics during moments of furious public debate,” the CEO wrote. “National and international debates will outlive us all, and, while important, they do not govern the facts. In this case, we thoroughly reviewed them, and we believe this decision best protects our users.”

Apple’s reversal came after the Chinese Communist Party’s flagship newspaper criticized Apple for letting the app into its store.

As found on: https://apple.slashdot.org/story/19/10/10/212202/tim-cook-defends-decision-to-remove-hong-kong-maps-app-in-memo